STE WILLIAMS

David Beckham Hires Cybersecurity Expert To Probe Email Leak

18.6 million emails were stolen and leaked from PR firm, including allegedly doctored messages made to damage Beckham’s reputation.

Former England footballer David Beckham has hired cybersecurity expert Marclay Associates to track down hackers responsible for stealing and leaking 18.6 million emails, including messages and documents, to Football Leaks and attempting to ruin his image, reports The Daily Mail. The firm, described as the best in the business, is said to have shut down Football Leaks accounts in the past.

The emails were stolen from the servers of Doyen Global, which is owned by Beckham’s public relations adviser Simon Oliveira. The content portrays a negative image of the ex-footballer as he is seen desperate to achieve knighthood and uses abusive language on being denied it.

A spokesman for Beckham claimed: “This story is based on outdated material taken out of context from hacked and doctored private emails from a third-party server and gives a deliberately inaccurate picture.”

Police have launched a probe in Portugal from where the information was stolen, reports the Daily Mail.



Article source: http://www.darkreading.com/david-beckham-hires-cybersecurity-expert-to-probe-email-leak/d/d-id/1328081?_mc=RSS_DR_EDT

Sloppy iOS apps expose ‘encrypted’ user traffic

Seventy-six iOS applications with an accumulated 18 million downloads between them are vulnerable to having their encrypted HTTPS traffic compromised.

That’s the assertion made by Sudo Security’s Will Strafach, who turned up the bugs while developing a scanner to analyse app binaries.

Strafach told The Register the problems arise because app developers are mishandling Transport Layer Security (TLS) certificate validation.

“The issue hinges on incorrect code used during development,” Strafach told us in an e-mail. “The issue boils down to mishandling of the code used for TLS validation. This code should normally not be touched or overridden, but unfortunately some developers have (hopefully accidentally) killed the validation checks in their apps.”

The result of the analysis detailed in Strafach’s blog post: 33 apps with low-risk TLS bugs, 24 medium-risk bugs (“ability to intercept service login credentials and/or session authentication tokens for logged in users”, he writes), and 19 high-risk bugs (“ability to intercept financial or medical service login credentials and/or session authentication tokens for logged in users”).

Without responses from vendors, he told The Register it’s hard to understand why the bugs crept into the apps. In some cases it’s possible that the developers downgraded security during testing and forgot to fix it when the app went live.

There are two additional details that he highlights: these bugs are not mitigated by iOS’s App Transport Security; and in at least some cases, with custom Wi-Fi hardware (or a modded phone), an attacker only needs to be within range of the victim.
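Strafach’s scanner works on compiled binaries, but the same class of mistake is visible in source, where it is cheapest to catch in code review or CI. The Python below is an added example, not code from the article or from Sudo Security: a heuristic source-level check for iOS code that overrides TLS validation. The API names it looks for (the private `setAllowsAnyHTTPSCertificate:`, AFNetworking’s `allowInvalidCertificates` and `validatesDomainName`, `kCFStreamSSLValidatesCertificateChain`, and a `URLSession` delegate that answers a server-trust challenge with `useCredential` without ever calling `SecTrustEvaluate`) are real; the Swift and Objective-C snippets it scans are constructed here, with one deliberately mishandled delegate beside the form that leaves validation to the system.

```python
import re

# Source-level indicators that certificate validation has been disabled or
# overridden. The identifiers are real Apple and AFNetworking names; the
# scanner itself is an added heuristic, not Sudo Security's binary scanner.
RISKY_PATTERNS = [
    (re.compile(r"setAllowsAnyHTTPSCertificate\s*:"),
     "private NSURLRequest API that accepts any server certificate"),
    (re.compile(r"allowInvalidCertificates\s*=\s*(YES|true)"),
     "AFNetworking security policy accepts invalid certificates"),
    (re.compile(r"validatesDomainName\s*=\s*(NO|false)"),
     "AFNetworking hostname verification disabled"),
    (re.compile(r"kCFStreamSSLValidatesCertificateChain.*(kCFBooleanFalse|false|NO)"),
     "CFStream certificate chain validation turned off"),
]

USE_CREDENTIAL = re.compile(r"\.useCredential\b|NSURLSessionAuthChallengeUseCredential")


def scan_tls_validation(source: str):
    """Return a list of (line_number, description) findings for one source file."""
    findings = []
    lines = source.splitlines()
    for lineno, line in enumerate(lines, start=1):
        for pattern, description in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, description))

    # Blind trust: the delegate answers a server-trust challenge by handing back
    # a credential built from serverTrust without evaluating that trust object
    # (SecTrustEvaluate, SecTrustEvaluateWithError, ...). Using the default
    # handling, or evaluating the trust first, is the correct pattern.
    if "serverTrust" in source and "SecTrustEvaluate" not in source:
        for lineno, line in enumerate(lines, start=1):
            if USE_CREDENTIAL.search(line):
                findings.append((lineno, "server trust accepted without SecTrustEvaluate"))
    return findings


# Constructed Swift sample: a delegate that trusts any certificate the server
# presents, the "killed the validation checks" case described in the article.
VULNERABLE_SWIFT = """\
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    if let trust = challenge.protectionSpace.serverTrust {
        // Leftover from testing against a self-signed staging server
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
"""

# Constructed Swift sample: the same delegate leaving validation to the system.
HARDENED_SWIFT = """\
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    // Default handling performs the normal certificate chain and hostname checks
    completionHandler(.performDefaultHandling, nil)
}
"""

# Constructed Objective-C sample: AFNetworking policy relaxed for "testing".
OBJC_AFNETWORKING = """\
securityPolicy.allowInvalidCertificates = YES;
securityPolicy.validatesDomainName = NO;
"""


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SWIFT), ("hardened", HARDENED_SWIFT),
                      ("afnetworking", OBJC_AFNETWORKING)]:
        print(name, scan_tls_validation(src))
```

The check is deliberately conservative: it only flags `useCredential` when the file touches `serverTrust` and never evaluates it, so client-certificate handling does not trip it. It will miss validation disabled at runtime or through a third-party wrapper, which is why a binary scanner like Strafach’s remains the stronger test.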

For now, Strafach is withholding the identity of the medium- and high-risk apps, giving the developers 60 to 90 days to respond. He also notes it’s a class of vulnerability that’s previously affected vendors as diverse as Shoretel, Cisco, Trend, Dell, and PayPal. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/sloppy_ios_apps_expose_encrypted_user_traffic/

Honeypots: Free psy-ops weapons that can protect your network before defences fail

Feature: The hackers breached the transport operator’s systems and before they knew it had sent a passenger train hurtling into a wall. And the only reason you didn’t read about it in the papers was that the systems were an entirely fictitious network created in 2015 to test just how far snoopers or crims would go in attacking vulnerable transport systems.

“HoneyTrain was also a great experiment to analyze the adversary’s moral limits,” says Lukas Rist (@glaslos), chief research officer with the Honeynet Project, which helped build the fake train system known as the HoneyTrain. “They had attackers derailing a train or running the train at full speed into a dead end.”

Over the course of two weeks, HoneyTrain [PDF], complete with working model trains and real security CCTV camera footage of train stations, suffered a staggering 2.7 million attacks.

Those attacks are a graphic demonstration of “honeypots”, the practice of deliberate deception aimed at observing attackers.

The practice is widely used in information security circles, thanks largely to the Honeynet Project, a much-respected non-profit security initiative that maintains and advocates for honeynets through 23 global chapters. Honeypots and the much larger and more complex honeynets are popular research tools to lure attackers, revealing their tools and tactics, but also operate as a line of defence for corporate networks.

A honeypot works like this: A hacker breaks into what they think is an unpatched and forgotten server on a company’s corporate network, grabs privileged Active Directory accounts from one place, and watches what looks like traffic indicating user activity. To the hacker, it looks like the entry point into a multi-million dollar enterprise.

But it’s all a mirage. All the servers they have accessed are carefully-prepared fakes, designed by corporate security to make the attacker believe they had broken into the corporate network. The attacker has wasted their time and, worse, revealed their attack techniques. Some even waste a piece of custom malware.

And that’s just the way honeypot operators like it.

“We are providing a system that looks like a potential target to an adversary while we try to collect as much information about his tactics, techniques, and procedures,” the Project’s Lukas Rist says.
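As an added illustration of the mechanism Rist describes (this is not code from the Honeynet Project or the article), the Python below is a minimal low-interaction honeypot: a fake login service on loopback that never authenticates anyone and simply records every username and password pair offered to it, with the source address and time. The banner text and the probing client are constructed for the demonstration; a real deployment would listen on an unused address in the production range and ship the records to the SIEM, since any connection to a service nobody legitimately uses is itself the alert.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone


class BaitLoginHandler(socketserver.StreamRequestHandler):
    """Fake login prompt. Nothing is ever authenticated; every attempt is logged."""

    # Constructed banner; a real deployment mimics whatever the decoy is posing as.
    BANNER = b"Ubuntu 14.04 LTS\r\nlogin: "

    def handle(self):
        self.wfile.write(self.BANNER)
        user = self.rfile.readline(512).strip().decode("utf-8", "replace")
        self.wfile.write(b"Password: ")
        password = self.rfile.readline(512).strip().decode("utf-8", "replace")
        # Record before answering, so anyone who has seen the reply can rely
        # on the record already being present.
        self.server.record({
            "time": datetime.now(timezone.utc).isoformat(),
            "src": self.client_address[0],
            "user": user,
            "password": password,
        })
        self.wfile.write(b"Login incorrect\r\n")


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind=("127.0.0.1", 0)):   # port 0: let the OS pick a free port
        super().__init__(bind, BaitLoginHandler)
        self._lock = threading.Lock()
        self.attempts = []                        # the collected observations

    def record(self, attempt):
        with self._lock:
            self.attempts.append(attempt)

    @property
    def port(self):
        return self.server_address[1]


def start_honeypot():
    hp = Honeypot()
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def probe(port, user, password):
    """Constructed client standing in for a scanner trying one credential pair."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(user.encode() + b"\r\n" + password.encode() + b"\r\n")
        buf = b""
        while b"Login incorrect" not in buf:      # wait for the server's verdict
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
        return buf


def demo():
    """Run the honeypot, throw two credential attempts at it, return the log."""
    hp = start_honeypot()
    try:
        probe(hp.port, "admin", "admin")
        probe(hp.port, "root", "toor")
        return list(hp.attempts)
    finally:
        hp.shutdown()
        hp.server_close()


if __name__ == "__main__":
    for attempt in demo():
        print(attempt)
```

The value of even this small a decoy is the signal-to-noise ratio: no legitimate client has any reason to talk to it, so every record is worth reading, and the credential pairs attackers try reveal which leaked or default passwords they are working from.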

Security researchers love honeypots because they allow them to create networks that look like real-world critical systems in a bid to lure those who would disable or destroy, along with the myriad of harmless curious minds.

HoneyTrain is one of these endeavours, but there are scores more. Researchers have revealed hackers willing to break into medical devices, petrol (gas) stations, SCADA systems, and, of course, hopelessly insecure home routers.

The HoneyTrain honeypot. Image: Sophos.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/honeypots_feature_and_how_to_guide/

AKBuilder is the latest exploit kit to target Word documents, spread malware

Attackers continue to use Office exploits to proliferate malware, and SophosLabs has traced the activity to three popular exploit builders.

We described the first two – Microsoft Word Intruder and Ancalog Builder – in earlier papers. A new paper released today examines the third one: AKBuilder.

AKBuilder generates malicious Word documents, all in Rich Text, according to the paper’s author, SophosLabs principal researcher Gábor Szappanos. Once purchased, malicious actors use it to package malware samples into booby-trapped documents they can then spam out.

Like its two cousins, AKBuilder uses exploits to deliberately corrupt files that automatically trigger bugs in Office and underlying bugs in Windows itself.

AKBuilder is advertised in YouTube videos and sold in underground forums. The kit usually costs around $550 (payable in electronic currencies like Bitcoin and Perfect Money). Here’s an example:

[Image: AKBuilder price advertisement]

AKBuilder anatomy

Szappanos wrote about two variations of the kit, which are differentiated by the Office vulnerabilities they target. The earlier version, AK-1, uses two exploits in the same document: CVE-2012-0158 and CVE-2014-1761. The newer version, AK-2, uses a single exploit: CVE-2015-1641.

Both versions are released as a Python script. Everything is hardcoded and there is no configurable option apart from the file names, Szappanos wrote.

The script takes three parameters. The first parameter is the name of the payload file, the second is the name of the decoy document, and the final is the name of the generated exploit document.

All of the known builders have the same rough structure. The hardcoded exploit block with first- and second-stage shellcodes are stored as a huge data block in the script:

[Image: the hardcoded RTF template data block inside the builder script]

The encrypted payload and decoy files are appended after the template content. This is a very rigid structure: any modification requires a new release of the builder. The beginnings of the generated files up to the embedded payload are identical.

This can only serve as the “release build” of the builder. The script contains the entire document as a single block of data. This block is often modified by the author to avoid detection by antivirus engines. The modifications, though they could be done manually, are more likely done by an internal tool owned (and not released) by the author. This internal tool generates the highly obfuscated exploit document, which is then packaged in the Python script.

The kit is used by various cybercrime groups, distributing dozens of different malware families. The most active (or least careful) of these criminals are Nigerian BEC groups.

AK-1- and AK-2-generated documents are detected by Sophos as Troj/20141761-F, Troj/DocDrop-FK or Troj/DocDrop-JK.

Lifecycle

AK-1 was most active between the middle of 2015 and 2016. The emergence of its successor AK-2 seemed to spell the end of the kit’s lifespan. By the summer of 2016, it seemed extinct.

But we recently started to observe a resurrection of AK-1 samples. Szappanos said it’s too early to speculate, but thinks it can be associated with the disappearance of the Ancalog builder.

There was a significant market gap that needed the older Office exploits provided by AK-1, and when there is a need, there is a solution.

AK-2

Szappanos wrote about the characteristics of this kit back in a research paper published on Naked Security last year.

As with its predecessor, we are not aware of other public reports related to this exploit kit, so we have no official name for it.

The source code of the builder is based on the AK-1 builder Python script and it shows the same characteristics.

Distributed malware

SophosLabs identified about 760 malicious documents generated by AK-1, which were used to distribute more than 50 different malware families.

In its heyday, the most popular Trojans (Zbot, Chisburg, Fareit, Neurevt) were favored, but with the appearance of AK-2 these variants have slowed down somewhat. It appears a few diehard groups are still using the older version of the kit, but they are mostly deploying the PredatorPain keylogger (which is the most frequent beneficiary of the kit) and the NetWiredRC backdoor.

The following chart shows the malware families distributed by AK-1 and AK-2:

[Chart: malware families distributed by AK-1 and AK-2]

Attribution

In the case of AKBuilder, it is hard to tell how many individuals or groups are working on it. Because it is a simple Python script, it is very easy to steal the builder and start a new “development branch”. It is quite possible that the work was started by a single individual, and then others jumped in and stole the code, releasing their own versions.

It is clear though that the known builder versions come from the same origin and could be considered as belonging to the same development branch even though there are multiple email accounts connected to it.

Some of the distributors (including the most persistent one) are seemingly from the Arabic regions. There is no proof that there is any connection between them, though.

But apart from them, there are a handful of other, seemingly unrelated developers/distributors who sell versions of this kit. We suspect that most of them work independently, purchasing one version of the kit, then modifying and distributing it on their own. Some of them distribute only this kit, others seem to be involved in selling a wide range of malicious software builders.

This is possible because the release version of the kit is written in Python which makes it easy to understand and modify.

SophosLabs believes there are about half a dozen individuals who are involved in developing and distributing AKBuilder, but the exact connections between them are less clear.

Conclusion and defensive measures

Cyber-criminals find Office documents useful for delivering malicious programs to their targets. They’ve been using this method steadily over the past two years, and there is no sign that they intend to give up.

The availability of black-market tools makes it possible for a wide range of criminals to generate the exploited documents. After the disappearance of the Ancalog builder, AKBuilder took over as the most popular choice of these tools.

The rigid hard-coded structure of AKBuilder means that for any change in the generated samples, a new version must be released. That information helps the defenders: even if the first few samples go undetected, a quick signature update can protect the users for days or even weeks.
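The two properties described earlier in the anatomy section, the hard-coded template that every generated document begins with and the payload and decoy blobs appended after it, are exactly what the remark about quick signature updates is keying on. The Python below is an added example, not SophosLabs code, and contains no exploit data: the RTF template and the appended blobs are constructed stand-ins. It derives the shared byte prefix from a handful of samples as a signature, and independently flags any RTF file that carries data after its outermost group closes, which catches the structure even when the template has been re-obfuscated.

```python
def shared_prefix(samples):
    """Longest byte prefix common to every sample: the builder's rigid template."""
    if not samples:
        return b""
    prefix = samples[0]
    for sample in samples[1:]:
        n = 0
        limit = min(len(prefix), len(sample))
        while n < limit and prefix[n] == sample[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def derive_signature(samples, min_len=64):
    """A usable signature needs enough shared bytes to be specific; otherwise none."""
    prefix = shared_prefix(samples)
    return prefix if len(prefix) >= min_len else b""


def rtf_trailing_data(doc):
    """Bytes that follow the closing brace of the outermost RTF group.

    A well-formed RTF file ends when the {\\rtf ... } group closes; builder
    output that appends payload and decoy blobs leaves bytes beyond that point.
    Backslash escapes (\\{, \\}, \\\\) are skipped so they do not affect nesting.
    """
    if not doc.startswith(b"{\\rtf"):
        return b""
    depth = 0
    i = 0
    while i < len(doc):
        c = doc[i]
        if c == 0x5C:            # backslash: skip the escaped character
            i += 2
            continue
        if c == 0x7B:            # {
            depth += 1
        elif c == 0x7D:          # }
            depth -= 1
            if depth == 0:
                return doc[i + 1:].lstrip(b"\r\n")
        i += 1
    return b""


def classify(doc, signature):
    """'builder-match' if doc starts with the known template, else
    'appended-data' if it carries bytes past its last RTF group, else 'clean'."""
    if signature and doc.startswith(signature):
        return "builder-match"
    if rtf_trailing_data(doc):
        return "appended-data"
    return "clean"


def xor_blob(data, key):
    """Constructed stand-in for the builder's payload 'encryption'."""
    return bytes(b ^ key for b in data)


# Constructed template: a real builder's is far larger and carries the exploit
# data this page does not reproduce.
TEMPLATE = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Calibri;}}"
            b"{\\*\\generator constructed-sample;}\\viewkind4\\uc1\\pard\\f0\\fs22 "
            b"Invoice attached.\\par}\r\n")

# Three constructed "generated documents": identical template, different blobs.
SAMPLES = [
    TEMPLATE + xor_blob(b"payload-one.exe" + bytes(40), 0x5A) + xor_blob(b"decoy-one.doc", 0x5A),
    TEMPLATE + xor_blob(b"payload-two.exe" + bytes(40), 0x5A) + xor_blob(b"decoy-two.doc", 0x5A),
    TEMPLATE + xor_blob(b"payload-three.exe" + bytes(40), 0x7E) + xor_blob(b"decoy-three.doc", 0x7E),
]

# An ordinary document, and one from some other tool that also appends data.
CLEAN_DOC = b"{\\rtf1\\ansi\\deff0 Meeting notes \\{draft\\}\\par}\r\n"
OTHER_BUILDER = b"{\\rtf1\\ansi\\deff0 Quote\\par}\r\n" + xor_blob(b"other-payload.exe", 0x13)


if __name__ == "__main__":
    sig = derive_signature(SAMPLES)
    for name, doc in [("sample-0", SAMPLES[0]), ("clean", CLEAN_DOC), ("other", OTHER_BUILDER)]:
        print(name, classify(doc, sig), len(rtf_trailing_data(doc)), "trailing bytes")
```

The prefix signature is the cheap, specific check that a signature update delivers; the trailing-data check is the generic one that survives the author re-obfuscating the template, at the cost of also firing on any other tool that smuggles data past the end of the document, so in practice it is a triage signal rather than a verdict.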

The dependence of criminals on the commercial offerings has a disadvantage for them: the builder doesn’t use zero-day exploits or even exploits that could be considered as new.

AKBuilder shows a moderate progressiveness: new exploits like CVE-2014-1761 and CVE-2015-1641 are supported relatively fast after their first availability. But the kit is far from using zero-day exploits; in both cases the first use of the exploit was months after the vulnerability was disclosed and the patch made available.

In the final analysis, it shouldn’t be difficult to protect against these kinds of activities: just applying recent patches for Microsoft Office should disarm the attack.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/z3Iu4FjuOhU/

Hackers take down dark web host linked with child abuse images

Someone using the Anonymous tag has torn a gaping hole in a major Tor dark web host accused of being a home for thousands of child abuse websites.

At the weekend, visitors to websites hosted by the Freedom Hosting II service were reportedly greeted by a blunt defacement: “Hello, Freedom Hosting II, you have been hacked. We are disappointed,” it began before getting to the point: “We have a zero tolerance policy to child pornography – but what we found while searching through your server is more than 50% child porn…”

The attackers claimed to have compromised 75GB of data from 10,613 sites that were being hosted by Freedom Hosting II, plus a further 2.2GB MySQL database of user data. They initially asked for a token 0.1 Bitcoins ($105) in ransom, before leaking the data anyway, complete with a 21-point explanation of how they executed the attack.

Within hours, researchers were trying to work out whether any of the data revealed the identities of site owners or users.

According to tweeted comments by Troy Hunt of Have I Been Pwned?, the cache contained 381,000 email addresses, many apparently genuine. Some 21% were already in the site’s pwned database, which means they were leaked in previous breaches: “Law enforcement will absolutely have this data, it’s *very* public. It also obviously has many real email addresses in it.”

As for the content of the sites, researcher Chris Monteiro summarises it as lots of child abuse in English and Russian, plus fraud sites, “fetish sites which might not even be illegal” and some botnets. Monteiro provides instructions on the resources you’ll need if you want to examine the data yourself, but please remember: this data might contain images of child sex abuse. Leave the examination of that data to law enforcement.

How important is Freedom Hosting II? Last October, researcher Sarah Jamie Lewis used OnionScan (a tool used to probe the dark web’s structure) to estimate that the service was being used by between 15% and 20% of dark web sites routed through Tor.

Even so, takedowns of this size are not unprecedented. In 2013, the alleged operator of the site’s forerunner, Freedom Hosting I, was arrested in Ireland after a major FBI operation that included hacking its servers to plant malware designed to unmask users’ PCs.

That incarnation was believed to account for a great deal of the child abuse images hosted on the dark web and yet new services quickly sprang up to fill the gap. Depressingly, the same will probably happen now that its successor has disappeared.

The latest compromise at least reminds the world that the dark web is not a supernatural zone beyond mortal ken. It remains an incredibly small place by internet standards and the services that run there – both unpleasant and well-intentioned – can be put at risk by the lack of diversity of hosting options on the dark web. Increasingly, when that happens, police, intelligence services and Internet vigilantes are quickly on hand to pour through the walls.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hB0moKRb-x8/

Are you watching your TV or is your TV watching you?

American television manufacturer Vizio has had its knuckles rapped and been forced to pay $2.2m in an agreement with the Federal Trade Commission after collecting data including IP addresses and demographic information on 11m users.

There is no suggestion that the company was retaining individuals’ information. The initial complaint, upheld unanimously by the New Jersey Division of Consumer Affairs, said that the TV contained a “smart interactivity” feature containing technology that “enables program offers and suggestions”. This entailed collecting data, but users were not informed about this.

The company’s Facebook page states that it has reached an agreement with the FTC on what it may and may not do with customer data, and the statement to which it links stresses that it was aggregating data rather than using it in any contentious manner.

The statement doesn’t mention the financial settlement, although the FTC’s own announcement makes the payment explicit, breaking it down as $1.5m to the FTC and $1m to the New Jersey Division of Consumer Affairs, with $300,000 of that amount suspended. A number of hostile comments on the Facebook page have met with a simple direction to the company’s statement.

Arguably it would be difficult to direct people to programming they want to view without collecting data on their viewing habits and doing some sort of aggregation; the issue is that this wasn’t made explicit. Daniel Nesbitt, research director of Big Brother Watch, said:

In too many cases citizens simply have no idea what they’re handing over about themselves. All too often the vital information about how their personal data will be used is buried in jargon-filled terms and conditions, which are all but unreadable to the average person. Companies have to start being much clearer about what they’re asking for.

Citizens should always be asked before their data is collected; they have to be able to understand how their information is being used and say no to it if they don’t feel comfortable.

Big Brother Watch has put together a paper on deciphering terms and conditions here.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M4KkcH0aU5I/

News in brief: more IoT devices than humans; FBI makes requests harder; rail users could pay by iris scans

Your daily round-up of some of the other stories in the news

IoT devices to outnumber human beings

There will be more “Internet of Things” devices than human beings on the planet this year, according to Gartner. The analyst firm is predicting that there will be 8.4bn connected devices this year, outstripping the number of actual humans by more than 1bn: the world’s population is about 7.5m people.

That’s 31% more IoT devices than last year, when Gartner estimated that there were 6.4bn devices, with spending on those devices set to reach $2tn. Those devices include a huge range of things, from smart fridges and TVs to a smart bed, a smart litterbox for your kitty and even a tweeting catflap.

The explosive growth in IoT devices has fuelled a range of security concerns, not least the ease with which so many have been co-opted on to the Mirai botnet that took down the Dyn DNS provider last year. With Gartner forecasting a jump to some 20.4bn IoT devices by 2020, we can only hope that the next generation of “things” will be a lot more secure.

FBI takes backwards step on transparency

The FBI, not known for its friendly approach to FOIA requests, is doubling down on making it difficult for people to make requests by removing its email facility.

From the beginning of next month, if you want to see papers from the FBI you have a choice of submitting your request by fax, by snail mail and via its web portal.

The FBI, along with other agencies including the CIA and the Defense Advanced Research Projects Agency (DARPA), eschews reasonably modern technologies in favour of fax and snail mail – deliberately so, according to critics, who point to the fact that the FBI uses ancient software, which significantly slows down and even frustrates requests.

Michael Morisy of MuckRock, which helps people file FOIA requests, told the Daily Dot: “It’s a huge step backwards for the FBI to switch from a proven, ubiquitous, user-friendly technology like email to a portal that has consistently shown problems … [including] legitimate privacy concerns.”

Railways could switch to iris scans

Rail passengers in the UK could pay for tickets via an iris scan or fingerprints, and open ticket gates with their mobile phones, the group tasked with identifying and delivering new technology for the network said on Tuesday.

Paul Plummer, the Rail Delivery Group’s chief executive, said that the group already has an app in development to buy and manage tickets that will eventually replace the old orange paper tickets.

Privacy-watchers will note, however, that managing tickets and touching in and out through barriers by smartphone is yet another set of datapoints by which passengers can be tracked. And, as we’ve reported in the past, people aren’t keen on biometrics for authentication – and given the issues with Britain’s railways, it may be a while before passengers will be ready to trust biometrics and smartphone-based ticketing.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_-elzGqZyTg/

Safer Internet Day – one thing that will make the biggest difference [VIDEO]

Naked Security was back on Facebook Live earlier this afternoon, because today is Safer Internet Day, and we thought we’d join in with some advice of our own.

This time, instead of offering you a short list of tips to try, we decided to focus on just one thing in your internet life: the one component where we think you can reap the biggest online security and safety rewards.

We’d still love to take your questions and hear your comments, either under the video on Facebook, or by posting right here on Naked Security (you may post anonymously).

(Just in case you don’t watch to the end – because of the questions we received, the video is fairly long at 30 minutes – we’ll tell you that you can buy your own T-shirts like the one in the video in the Sophos Store.)

If you’d like to see our Safer Internet Day advice from recent years, you’ll find it here:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/scI5wM49X_o/

Phishing: Another thing we can blame on Brexit

Ransomware attacks are increasingly focusing on organisations that are more likely to pay up, such as healthcare, government, critical infrastructure, education, and small businesses.

Phishing volume grew by an average of more than 33 per cent across the five most-targeted industries, according to a study by PhishLabs out Tuesday. File-encrypting ransomware has become the predominant type of malware distributed via phishing, essentially because the type of crime is both straightforward and profitable.

Phishing volume peaked mid-year due to the influence of major global events, such as Brexit, and a spike in virtual web server compromises.

Attacks targeting government tax authorities have grown more than fourfold since 2014. There were more IRS phishing attacks in January 2016 than there were in all of 2015, according to PhishLabs.

Although 59 per cent of phishing sites were hosted in the United States, there was a significant increase in the number of phishing sites hosted in Eastern Europe.

Broad acceptance of email addresses instead of unique usernames is being heavily exploited by crooks to harvest credentials on an industrial scale. The trend is making it easier to run secondary attacks via credential reuse and other methods. Cloud storage sites will likely overtake financial institutions as the top targets of phishing attacks, marking a major evolution in target selection processes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/07/phishing_trends/

Laptop-light GoCardless says customers’ personal data may have been lifted

London-based payment processing firm GoCardless is warning customers that their personal information might have been exposed following the theft of 19 laptops from its offices last month.

The “password protected” (not encrypted) laptops contained a file with customer personal data including email address, passport number, date of birth, and name. A leak of the data into the wrong hands might lead to follow-up phishing scams or other potential malfeasance, such as identity theft. Payment data was not exposed.

GoCardless is nonetheless offering exposed parties credit card monitoring services, as a breach notification advisory (extract below) explains.

We wanted to let you know that on the 7 January 2017, our premises were the victim of a burglary which affected our office and another company in the building. Despite CCTV surveillance, locked doors, and a 24/7 security guard, nineteen password protected GoCardless staff laptops were stolen.

All of our payment processing systems are secure, remain uncompromised and were unaffected by the burglary. There has been no impact on our day to day business and we continue to process payments as normal.

We have already informed the police, the Financial Conduct Authority and the Information Commissioner’s Office of this burglary. We have also conducted an exhaustive internal investigation so that we can communicate to you any potential risks from this burglary.

Our investigation has concluded that the stolen laptops may contain a file with personal data provided when setting up an account with us. This information is stored by GoCardless to ensure we can evidence checks we needed to perform on you when you signed up with us. The file contains the following personal details of the person that verified your GoCardless account: email address, passport number, date of birth, and name.

There is a very low risk that this burglary will affect you as none of your financial data was involved, all the laptops were password protected, there is no firm evidence that any of the data was available on any stolen laptop, and the burglars appear to have been targeting high value electronics rather than our data. However, we believe in transparency and so wanted to inform you of this burglary anyway.

Despite the above, we take even this small risk seriously. We are therefore offering to organise and pay for a web alert monitoring service from Experian for a period of 12 months.

The incident illustrates that data breaches can result from causes other than hacking attacks, the most publicised cause. Lost and stolen laptops also pose a risk.

A GoCardless spokeswoman confirmed the thefts, adding that police and other relevant authorities had been informed.

“I can confirm that on the 7th January 2017, we were the victim of a burglary which affected our office and another company in the building. Despite CCTV surveillance and a 24/7 security guard, 19 password protected GoCardless staff laptops were stolen,” the spokeswoman told El Reg.

“All of our payment processing systems, remain secure and uncompromised and were unaffected by the burglary.

“We have informed the police, the Financial Conduct Authority and the Information Commissioner’s Office. We have also conducted an exhaustive internal investigation and, despite the very low risk, have contacted all our partners and merchants,” she added.

GoCardless offers an internet-based direct service to its enterprise clients. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/07/gocardless_breach/