STE WILLIAMS

Chipotle Serves Up Security Incident Warning

The Mexican restaurant chain notifies customers its payment processing system may have been hacked, marking the latest woes for the fast-food maker.

Chipotle Mexican Grill has issued a security incident report noting that it spotted “unauthorized activity” surrounding its payment processing system over a period of at least three weeks.

The possible breach involves credit and debit card transactions at Chipotle restaurants from March 24 to April 18, according to the restaurant chain. Chipotle noted that its investigation is still ongoing, and more details may emerge later.

“We recently detected unauthorized activity on the network that supports payment processing for purchases made in our restaurants. We immediately began an investigation with the help of leading cyber security firms, law enforcement, and our payment processor. We believe actions we have taken have stopped the unauthorized activity, and we have implemented additional security enhancements,” Chipotle said in a statement.

The security incident is the latest in a series of woes for the Mexican restaurant chain. In 2015, an E. coli outbreak emerged at its restaurants in several states and contributed to its first annual decline in sales, according to a Fortune report.

Read more about Chipotle’s incident report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/chipotle-serves-up-security-incident-warning/d/d-id/1328739?_mc=RSS_DR_EDT

Threat Intelligence Is (Still) Broken: A Cautionary Tale from the Past

There is much to be learned from the striking parallels between counter-terrorism threat analysis before 9-11 and how we handle cyber threat intelligence today.

When it comes to threats in cyberspace, is it fair to say “what’s past is prologue”?

Maybe.

Former CIA Director George Tenet’s statement less than two months before 9-11 that “the system was blinking red” is eerily reminiscent of our current threat environment in cyberspace. We have a preponderance of reporting on adversaries, but specific, actionable detail is sparse.

This is not a prediction of a “cyber 9-11” but rather an identification of the striking parallels between how we approached counter-terrorism threat analysis before 9-11 and how we handle cyber threat intelligence today. Our approach to cyber threat intelligence is broken.


Before Everything Changed
I was a member of the counter-terrorism team at the White House for the two years leading up to 9-11, and we had more than a sinking suspicion that the most important intelligence about al-Qaeda’s attack plans was kept inside the walls of our own intelligence agencies. During daily video conferences with FBI, NSA, and CIA, I was told certain reporting details could not be shared with all of the participants because of source sensitivity, legal constraints, or bureaucratic turf wars. It was disturbing and disastrous, as we know what ultimately happened. Critical data — including information on the hijackers’ pilot training classes — remained unavailable to other agencies.

On the counter-terrorism team we had extensive access to terrorism reporting, but as documented in the 9-11 Commission’s report, the team did not have access to “internal, non-disseminated information at the NSA, CIA, or FBI.” While agencies were charged to work together, in reality each worked independently to gather and assess threat data while withholding certain details from the others, failing to understand the dangers of non-disclosure.

The challenge that we faced then — and now — is how to gain access to what is really happening inside company networks.

What’s the Same?

  • The most important data remains inside organizations. Before 9-11, we understood al-Qaeda was a threat, but we did not have access to specific details which, if fused, could have shed light on the plot underway to launch the attacks. Today we know that Russia, Iran, North Korea, China, and criminal organizations represent a serious threat, yet the specific details of the tactics, techniques, and procedures (TTPs) they use to gain access to systems remain closely held. For example, consider the email hacks against the DNC during the 2016 election that were attributed to Russia and known as Grizzly Steppe. The U.S. government’s first release of Grizzly Steppe information on December 29 was not useful because it lacked context. After the security community voiced concern, the government released additional information providing more context. Individual organizations are aware of these TTPs, but are unwilling to release data in a timely way because it’s seen as too risky from a market perspective.
  • The system is blinking red. There was a drumbeat of intelligence in the summer before 9-11, with reporting presented to top officials on Bin Ladin launching attacks in the U.S., India, Israel, Italy, and the Gulf. Analysts could barely keep pace with the reporting. Today, similarly, data on cybersecurity threats is continually growing, as are the frequency and severity of attacks. The “blinking red” analogy is an apt description of the situation at Target prior to the attack in 2013, and of several more since, illustrating a race to the bottom with an endless offering of threat data – much of which is not timely, actionable or relevant.
  • No common situational awareness. Our current picture of cyberspace is strikingly similar to the pre-9-11 environment. Much like each intelligence agency having its own view prior to 9-11, we have a company-centric view of cyberspace. It is necessary but not sufficient to self-select into sector-specific sharing when we know that adversaries use the same tools and infrastructure to strike multiple sectors.

What’s Different?

  • Government can’t help. In the case of counterterrorism, government has the mandate, authority, and resources to track and address the threat. This is not the case in cyberspace. Government’s ability to act is limited. Government agencies are unaware of the attacks occurring on a daily basis inside companies. Companies assume that the U.S. government can provide “tip off,” when, in fact, the private sector may possess the most useful data and either not know it, or be unable to share it or access it effectively.
  • Adversaries are more plentiful. There are numerous terrorist organizations in existence today, and unfortunately cyber adversaries are even more plentiful. They range from terrorists themselves to hacktivists, criminals, and nation states. Their motives vary, and they can easily mask their identities, obfuscate attribution, or piggyback on the work of others. We learned from the recent WikiLeaks Vault 7 dump that the CIA’s alleged “Marble Framework” has obfuscation technology that can make it appear that an attack has come from elsewhere.
  • Doing more damage with less. Adversaries have an asymmetric advantage: they leverage computers to do their work for them from afar, and need only find one way in to do significant damage, ranging from the theft of data to its destruction. They are using software to increase their speed, reach, and returns. They share attack infrastructure as well.

Change is Necessary NOW
Avoiding large-scale disasters in cyberspace requires a shift in thinking. While individual companies are responsible for securing themselves, it is no longer possible for any one company to “go it alone” and defend itself without real-time insight into what attacks are happening against others.

The current generation of threat intelligence platforms (TIPs) and tools can help an organization aggregate external threat feeds from thousands of open-source feeds or proprietary intelligence providers. But this siloed approach creates a noisy false sense of security, and does little to protect or incentivize actual intelligence exchange and collaboration across teams, tools, and companies. These platforms lack the technology needed to scale real-time exchange between companies in a way that accounts for market risk and identifies what has immediate value to security operators.

While the government is hamstrung by bureaucracy and regulations, the private sector has the imperative to determine its own destiny when it comes to threat intelligence sharing. This isn’t a pipe dream; we’re seeing organizations like the Cloud Security Alliance and OASIS take steps towards this new era of intelligence exchange today.

We must continue to lay the groundwork for a secure exchange network across the private sector so that we can avoid future large-scale hacks.


Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner …

Article source: http://www.darkreading.com/threat-intelligence-is-(still)-broken-a-cautionary-tale-from-the-past/a/d-id/1328740?_mc=RSS_DR_EDT

More LastPass flaws: researcher pokes holes in 2FA

Recently we’ve been writing about LastPass more than seems healthy.

March saw two rounds of serious flaws made public by Google’s Tavis Ormandy (quickly fixed), which seemed like a lot for a single week. Days ago, news emerged of a new issue (also fixed) in the company’s two-factor/two-step authentication (2FA) security.

To coin a phrase, all serious flaws are serious – but some are more serious than others.

This one matters for two reasons, only one of which will sound flippant: it wasn’t discovered by Tavis Ormandy, who at times has seemed to be writing a novella on flaw-hunting with the company’s name on it. That’s fine – researching vulnerabilities is his day job, after all.

Another researcher with a taste for LastPass, Martin Vigo, uncovered the latest issue, and it’s the 2FA part of the story that explains the angst.

Two-factor authentication (a term that also refers to more convenient but less secure two-step verification) matters because it is the crown jewels of everyday security, especially for password managers such as LastPass.

It represents a safety blanket that stops an attacker gaining access to the vault even if they get hold of the master password. While it’s possible to use LastPass without 2FA enabled, it’s not recommended; indeed, the wide variety of two-factor and two-step options is one of the service’s best features.

Vigo explains the flaws in a slightly confusing way (one compromise was subsequently shown not to be exploitable), but they cover overlapping weaknesses that might, under specific circumstances, allow 2FA to be bypassed when using Google Authenticator and QR codes.

The detail here is less relevant than the fact that Vigo found chinks in the armour of something highly sensitive to even the tiniest compromise.

LastPass’s response was to point out the conditions necessary for a successful attack:

First, the attacker would have had to lure a user to a nefarious website.

True, but hardly an impossible undertaking for someone already armed with the user’s master password.

Second, the user would have to be logged in to LastPass at the time of visiting the malicious site. This combination of factors decreases the likelihood that a user might be impacted.

Again, a user being logged into LastPass at the time of an attack is entirely possible.

Significantly, LastPass quickly stopped using the login hash (used to authenticate the master password without having to know it) to retrieve Authenticator’s QR codes, and now sets a Cross-Site Request Forgery (CSRF) token to plug another weakness.

We still don’t know why LastPass has been plagued by so many issues in such a short space of time – perhaps it’s just a big-name target worth researching – but some of these weaknesses appear to be in its design, the result of decisions to do things in a certain way, probably some years in the past.

Vigo has been paid a bug bounty and, for now at least, LastPass’s 2FA design is back in equilibrium. It’s just the nerves of its users that are a bit shot.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Nq6GTdTXtyg/

Why ransomware continues to dominate conference agendas, despite being ‘old news’

A lot of smart people in the security world say it’s old news. Nothing more to see here, move along. And yet ransomware is a topic that won’t go away.

It has dominated our coverage here at Naked Security in recent months and was a major focus of RSA Conference 2017 in February. Today and tomorrow, it’ll be on the agenda at SOURCE Boston 2017.

The reason is simple: the bad guys continue to claim countless victims daily, many of whom pay the ransom because they feel they have no choice.

SOURCE Boston 2017

Andrew Hay, co-founder and CTO of LEO Cyber Security, will give a talk today at 1:15 pm ET called “The Not-So-Improbable Future of Ransomware”. It’s a subject he’s spent a lot of time on. During RSA, he helped run a day-long seminar on it.

During today’s presentation, he’ll outline the evolving parallels between ransomware and traditional kidnap and ransom tactics (KR) and doctrine:

As a perpetual student of history, I immediately noticed similarities between KR and ransomware methodologies and the rate at which common tactics were appearing in ransomware campaigns. Ransomware campaign operators are simply taking what has worked before and applying it to the computerized world.

Old but persistent

Ransomware is indeed an old topic in information security circles. Attackers have been hijacking computers and holding files hostage for years now, typically demanding that ransom be paid in bitcoins. Some might expect that most people are well aware of the threat by now and that they’re taking the appropriate precautions. It’s therefore reasonable to assume that online thieves have moved on to new tactics.

Unfortunately, that’s hardly the case. Naked Security has continuously followed cases of individuals and companies falling victim to it. Most recent examples include:

Defensive measures

Ahead of the SOURCE Boston talks, it’s worth passing along our usual resources to combat ransomware.

First, some things people can do to better protect themselves from this sort of thing:

  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit. In the case of attacks like these, users want to be sure they are running the most up-to-date versions of their PDF reader and Word.
  • Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.

Resources

Other links we think you’ll find useful:


Techknow podcast — Dealing with Ransomware:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ba5dUmNayw8/

Samsung Smart TV pwnable over Wi-Fi Direct, pentester says

A security researcher is complaining that Samsung isn’t making a serious response to a vulnerability in its Smart TVs.

The bug, discovered by pen-test outfit Neseso, concerns the televisions’ implementation of Wi-Fi Direct authentication. An attacker only needs to sniff out the MAC address of a trusted device to connect to the TV. From there, they potentially have a jump-off point into the target’s network.

Neseso says it’s published its discovery at Full Disclosure because Samsung doesn’t consider it a security risk.

The Smart TVs have a convenience feature so users don’t have to authenticate every time they turn the TV on: trusted devices are instead whitelisted by MAC address. “The user will get notified about the whitelisted device connecting to the Smart TV, but no authentication [is] required”, the post states.

Since MAC addresses are easily sniffed over Wi-Fi and can also be spoofed, an attacker can impersonate the trusted device, get full access to the TV’s features (including screen mirroring and remote control), and potentially access the network to which the TV is connected.

In the disclosure, Neseso says Wi-Fi Direct is enabled by default on the TVs, and switched on each time the TV is powered up – meaning a user would have to turn it off after each power-up.

Neseso says it first contacted Samsung in March, and was told early this month that the company “concluded that this is not a security threat”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/26/samsung_smart_tv_wifi_direct_security_flaw/

Interpol unplugs nearly 9,000 Asian command and control networks

An Interpol investigation has revealed a worrying degree of insecurity in south-east Asian countries, with even government-operated web servers infected and used as command and control systems for bot-herders.

The investigation turned up and shut down 9,000 C&C (command-and-control) servers across “hundreds” of compromised websites in Indonesia, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam.

Interpol worked with investigators from all the listed countries, with assistance from China, its announcement says. Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet and Palo Alto Networks took part in the investigation, Interpol says.

The malware found on the servers supported ransomware operations, DDoS attacks, and spam distribution, with Trend Micro saying most of the infections resulted from an unnamed WordPress plugin exploit.

The INTERPOL Global Complex for Innovation (IGCI) reckons the operation will help it push back against Asian cybercrime operations.

The IGCI operation also uncovered yet another Nigerian scam.

In March, Interpol estimated that “Nigerian princes” have netted US$3 billion in the last three years. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/26/interpol_unplugs_command_and_control_networks_across_asia/

Web Attacks Decline, Ransomware Attacks Surge

Symantec’s annual Internet Security Report data shows how attacks last year directly targeted end users, and became more efficient and lucrative.

These new stats shed some light on what happens when cyberattackers inch closer to their intended victims: Web attacks dropped by more than 30% last year, and ransomware attack attempts jumped by 36%.

That’s just one of the findings in Symantec’s newly published Internet Security Report for 2016, which also shows a continued dip in the total number of data breaches to 1,209 in 2016, from 1,211 in 2015, and 1,523 in 2014. This trend demonstrates how attackers have become more seasoned in automating their attacks – and more efficient, according to Michael Fey, CTO of Symantec. That also dovetails with attackers targeting the endpoint directly rather than waiting for users to visit a compromised website, he says.

“It’s so much easier to make a direct connection with your target. You used to have to be tigers waiting around the watering hole, but now they go find their prey and don’t just wait for them,” Fey says. “Thanks to social media and the way we scream to the world who we are and what we care about that can be mined, the need to sit on a Web platform is reduced. [Website attacks] still work, but there are alternate ways to a more deliberate path.”

The dip in total breaches is a combination of organizations doing a better job of reducing the amount of data that’s at risk, and the fact that attackers have more automated methods of stealing information, he says. They can wage more focused and deliberate attack campaigns and be relatively confident that users will indeed click on malicious attachments, for example.

Web attacks are not dead, however: Symantec says there was an average of some 229,000 such attack attempts detected each day last year, and 76% of websites had bugs, 9% of which were critical.

But 2016 was ransomware’s coming-out party: while it has been around for a while, the method of locking victims out of their data until they pay a ransom has now become a popular and lucrative way for criminals to make money. Symantec detected 463,000 cases of ransomware last year, up from 340,000 in 2015; the daily average hit 1,539 detections per day, up from 846. And the average ransom surged from $294 in 2015 to a whopping $1,077 last year.

Cybercriminals are cranking out new variants of ransomware at a rapid clip. Symantec counted 101 ransomware families in 2016, up from 30 in 2015 and 2014. According to Symantec, that means more attackers are employing ransomware and creating new families or modifying existing ones. Consumers still represent about 70% of all ransomware infections, but businesses increasingly are becoming targets.

“We’ve seen government institutions condone paying [ransom], and we’ve seen government leaders talk about how that’s a bad thing. So there are mixed messages all over the place,” which makes it more confusing and difficult for victims to properly respond and defend from ransomware attacks, Fey says.

Ransomware victims paying their attackers isn’t helping, either, but the situation is fraught: “If you pay $29,000 to unlock your data, are you feeding a bigger problem?” Fey says. “If an organization sent money directly to terrorists we’d all condemn them and shut them down. But when a hospital’s patients’ critical data is held for ransom, I’m not sure I have the same opinion anymore” against paying the ransom like in a terrorist scenario, he says.

Meantime, 15 breaches in 2016 exposed more than 10 million identities, a slight increase from 13 in 2015, and 11 in 2014. Overall in the past eight years, some 7.1 billion identities have been exposed worldwide, the report shows.

Fey says that’s another data point that demonstrates how attackers are becoming more efficient. “And they are getting to the outcome faster,” he says.

Speaking of efficiency, it now takes attackers just two minutes to attack an Internet of Things device – a feat that was achieved by the Mirai botnet last year, according to the Symantec ISTR report. The IoT-borne distributed denial-of-service (DDoS) attack (mainly waged by Mirai) on French hosting firm OVH last year was the largest DDoS attack ever, with a peak of 1 Tbps.

“We have misunderstood the IoT problem,” Fey says of the industry. “What people don’t fully appreciate about IoT security is how many of these devices are orphaned devices” sitting on the Net and vulnerable, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/endpoint/web-attacks-decline-ransomware-attacks-surge/d/d-id/1328726?_mc=RSS_DR_EDT

After blitzing FlexiSpy, hackers declare war on all stalkerware makers: ‘We’re coming for you’

A Brit biz selling surveillance tools that can be installed on phones to spy on spouses, kids, mates or employees has been comprehensively pwned by hackers – who promise similar stalkerware peddlers are next.

The miscreants, supposedly Brazilian and dubbing themselves the Decepticons, have explained how they, allegedly, easily infiltrated FlexiSpy before snatching its source code and other files, and wiping as many servers as they could. That code has now leaked online, and the gang say they are on the warpath.

“We’re just, like, this group of guys, you know? We can hack these people, and we can expose their secrets, but it’s up to everyone to make a difference,” the team said on Monday.

“If you’re a spouseware vendor, we’re coming for you. Stop, rethink your life, kill your company, and be a better person.”

FlexiSpy is one of a number of creepy outfits making a living selling borderline-legal code to people who are paranoid that their significant other is cheating on them, or that their kids or staff are up to no good.

Judging by an analysis of the source obtained by the hackers, once quietly slipped onto a victim’s mobe, the FlexiSpy software silently records incoming and outgoing calls, rifles through text messages, tracks the device’s location, and records interactions with apps like WhatsApp and Tinder. This intelligence is then beamed back to the suspicious spouse or boss.

Basically, it’s a total privacy and psychological nightmare. FlexiSpy offers spyware that runs on Android, iOS, Windows PCs and Apple Macs.

To infiltrate the developer’s servers, the hackers exploited one of the oldest tricks in the book: poor password security. After trying a SQL injection against the company’s website they came up empty-handed, but found that the username “test” and the password “test” gave them access to an account on a development box.

Once into that user account, they wriggled through the internal network, eventually stumbling across and accessing FlexiSpy’s customer database. Next, they found a few boxes running SSH servers, a Microsoft Exchange server, and some RDP-accessible systems, along with a bunch of web servers, and one CRM instance. They also found a reference to a password – tcpip123 – which worked on the CRM server and granted access to an administrator’s account.

Game over, man

Once inside that vault, they decided to hold fire for a bit and observe how FlexiSpy’s IT managers responded to the intrusion. After there was no action, the crew went to work and started checking whether passwords were being reused, trying root:tcpip123, admin:tcpip123, Administrator:tcpip123, and so on, on FlexiSpy’s various systems.

That got them into three of FlexiSpy’s NAS servers, where they found source code backups, HR documents, corporate files, some SSH keys, password backups, and internal network diagrams, as well as access codes for several servers. They also dropped in some malware that harvested the login details for the head of IT for the spy shop.

“By this point, we realized that FlexiSpy didn’t give a crap about security, and in order to give us as many different points of access as possible, we deployed Tor across the Linux infrastructure, setting up each server’s SSHd as a Hidden Service,” the hackers wrote.

“We siphoned out as much as we could, stopping for a few weeks to attempt to transfer the EDB files from the Exchange Server, which were over 100GB in size.”

Having grabbed the data, the destruction began, it is claimed. FlexiSpy’s RAID systems were wiped and the stolen credentials were used to log into Cloudflare, Rackspace, and Amazon accounts and destroy everything that could be found. Finally, they redirected FlexiSpy’s domains to Privacy International.

This is all according to the hackers – whatever self-deserved hell the IT staff went through, the biz’s website right now seems to be working.

FlexiSpy hasn’t responded to requests for comment on the matter, but it did post an apology to customers on its Facebook page on April 16 apologizing for “a temporary technical issue affecting the portal.”

Meanwhile, another stalkerware vendor, Retina-X, has also apparently been similarly hacked. As many as 130,000 customer records at Retina-X and FlexiSpy have been accessed by the intruders, yet no warning of any security breach has been sent out by either developer, it is claimed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/25/hackers_attack_stalkerware_flexispy/

Expedia IT bod gets all-expenses-paid trip to prison after hacking execs’ emails for profit

An ex-Expedia IT admin has been fined and jailed for 15 months after he spied on the emails of the travel giant’s top brass to make insider trades.

According to documents filed in the US district court of Seattle, Washington, Jonathan Ly was hired by Expedia in March 2013 as a mid-level tech support bod. Within three months, the then-23-year-old started poking around the corp’s servers. He found a passwords file in an account belonging to an IT department boss, which opened every corporate email inbox to the greedy geek.

Ly told the court that, as the son of poor immigrants, he was fascinated by the lives of the rich, and thus began spying on the email of senior executives such as the chief financial officer and Expedia’s head of investor relations. Then he used their files and messages to launch trades of company stock using this insider information.

At the time, Ly lived in San Francisco, California. He claimed he needed the dirty money because he had split up with his girlfriend and was forced into the city’s staggeringly expensive rental market. Now rent is stupidly high here, but the $348,515.72 Ly netted over roughly two years seems a little excessive.

The crooked nerd made a series of trades in Expedia stock, mainly utilizing foreknowledge of the company’s quarterly earnings statements. His first trade in July 2013 netted him $57,549.22, and from then on, he averaged $44,632 in illicit profits per quarter. He also netted $18,718.50 and $17,375.14 thanks to foreknowledge of a deal with Travelocity, and Expedia’s takeover of Orbitz, respectively. To put that into context, the average salary of an Expedia IT support technician is around $52,000, according to Glassdoor.

In April 2015, Ly quit Seattle-based Expedia and moved to a similar job at Adobe in the Bay Area, but he kept his work laptop with the passwords file – and continued his email monitoring and trading. He made his last trade the week before the FBI came knocking on his door.

Ly was fired by Adobe after he admitted securities fraud. On Tuesday this week, he was sent down. On the plus side, the 28-year-old won’t have to worry about rent any more, since Uncle Sam picks up the tab during his stay.

Once he gets out, however, Ly will probably have to move home, since he has some serious bills to pay. The Washington state judge ordered him to cough up $375,907 to America’s financial watchdog, the SEC, and pay his former employer $81,592 to cover the costs of its investigation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/25/expedia_it_admin_insider_trading/

Hyundai app security blunder allowed crooks to ‘steal victims’ cars’

Hyundai has patched its Blue Link smartphone app to stop it blabbing private info that could, it is claimed, be used to break into and steal people’s cars.

The now-updated software, available for iOS and Android, leaked sensitive personal information about registered users and their vehicles, including usernames, passwords, PINs, and GPS location records.

Essentially, versions 3.9.4 and 3.9.5 of the app transmitted this private information back to Hyundai using plain old HTTP, albeit encrypted with the fixed key “1986l12Ov09e”; this key can easily be extracted from the application’s code. Any man-in-the-middle attacker eavesdropping on the app’s network connections – such as by snooping on Wi-Fi traffic – can grab this data and decrypt it using the key. Hyundai seemingly collected this information as telemetry on its app’s usage.

After being alerted to the botched encryption in February, the South Korean automaker quietly updated its software to shut down the disclosures, and offered a new version, 3.9.6, to people’s handsets in early March. Now that folks have had enough time to install the update, the independent security researchers who discovered the design blunder have gone public with their findings.

William Hatzer and Arjun Kumar warn, via Rapid7, that the vulnerabilities could be exploited to find, unlock, and start a victim’s car.

The Blue Link software is available for Hyundai vehicles sold in the US from 2012 onwards. According to Rapid7, the vulnerable features were introduced in version 3.9.4 on December 8, 2016, and fixed by Hyundai on March 6, 2017 with the release of version 3.9.6, which halts data transmissions.

The automaker claims no vehicles were set upon by crooks exploiting the vulnerability. The biz told us in a statement:

Hyundai Motor America was made aware of a vulnerability in the Hyundai Blue Link mobile application by security researchers. Upon learning of this vulnerability, Hyundai promptly launched an investigation to validate the research and took immediate steps to remediate the issue.

Hyundai released mandatory updates to the Android and Apple app stores that mitigated the potential effects of the vulnerability. The issue did not have a direct impact on vehicle safety. Hyundai is not aware of any customers being impacted by this potential vulnerability.

The privacy and security of our customers is of the utmost importance to Hyundai. Hyundai continuously seeks to improve its mobile application and system security.

The security research serves to illustrate that basic slip-ups – such as insecure or absent encryption and poor password handling – continue to bedevil connected-car and other IoT deployments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/25/hyundai_blink_link_app_security/