STE WILLIAMS

RSA Conference 2017: expect to hear a lot about IoT threats, ransomware

Expect plenty of talk about the ongoing ransomware scourge and threats against the Internet of Things (IoT) during RSA Conference 2017, which begins a week from today at the Moscone Center in San Francisco.

The conference will include 15 keynotes, including talks by RSA CTO Zulfikar Ramzan, Microsoft president Brad Smith, and Alphabet CEO Eric Schmidt. The popular cryptographers’ panel will feature Whitfield Diffie (of Diffie-Hellman exchange fame), Ronald Rivest and Adi Shamir (the R and S in RSA encryption), and Susan Landau (creator of Landau’s Algorithm). Paul Kocher, who developed attacks that can break RSA and Diffie-Hellman, will moderate the panel.

Sophos talks

Sophos global head of security research James Lyne will speak on both ransomware and IoT in a talk called Reversing the Year: Let’s Hack IoT, Ransomware and Evasive Payloads. He said he’ll “deconstruct funny ransomware fails/wins, bypass security controls and more”. The talk, scheduled for Feb. 16 from 1:30-2:15 p.m. at the Marriott Marquis, will include a security assessment of a couple of IoT devices. “We’ll find bugs and exploit them to gain an insight into the common industry faults,” Lyne said. “Expect debugging, reversing and practical tips.”

Lyne will also give a talk called Demystifying Debugging and Disassembling Applications. He’ll give that talk twice: first on February 14 from 2:30-3:15pm at Moscone South room 308, and then again on February 15, 1:30-2:15pm at Moscone West room 2001.

Mark Loman, director of engineering for next-generation tech at Sophos, will give a talk called How Nation-States and Criminal Syndicates Use Exploits to Bypass Security, which will delve into how nation-state attackers meticulously craft their attack code to evade the most advanced security products.

Ransomware

Emphasizing the severity of ransomware and how pervasive it continues to be, RSA will hold an all-day seminar focused exclusively on the topic. The RSA Conference website describes the event:

Explosive growth demands focused understanding, so we’ve developed this new seminar to give attendees a full day all about ransomware, and its multifaceted implications across technical, policy, compliance and financial response. Sessions will discuss innovative research, present case studies on response and recovery to ransomware, explore combatting ransomware and debate if—and when—you should pay the ransom.

The event will take place in Moscone West room 2014.

Ransomware has been a heavy focus for Naked Security and Sophos as a whole. Notable attacks we’ve covered include Texas police losing eight years of digital evidence after refusing to pay ransom in a December attack, and Los Angeles Valley College (LAVC) paying $28,000 (£22,500) in Bitcoins to extortionists after ransomware encrypted hundreds of thousands of files held on its servers.

To combat the problem, we continue to offer the following resources:

IoT attacks

IoT threats have been discussed at RSA Conference for years now, but in largely theoretical terms. This past year, the theoretical turned into reality when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies hosting the Domain Name System (DNS). That attack crippled such major sites as Twitter, Paypal, Netflix and Reddit.

For 2017, Sophos predicts a rise in threats against devices that are part of the IoT. Lyne discussed the threat in a recent interview that aired on CNBC’s On the Money. “The sharks have smelled the blood in the water and they’re now circling to use your IoT device for further attacks,” he said at the time.

In addition to Lyne’s talk, security luminary Bruce Schneier will give two presentations about regulating IoT devices. “Licenses, certifications, approvals and liabilities are all coming,” he said in one of his session descriptions. “We need to think about smart regulations now, before a disaster, or stupid regulations will be foisted on us.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C1IUWQ-RUqs/

Polish banks hit by malware sent through hacked financial regulator

Polish banks are investigating a massive systems hack after malware was discovered on several companies’ workstations.

The source of the executables? The sector’s own financial regulator, the Polish Financial Supervision Authority (KNF).

A spokesman for the KNF confirmed that their internal systems had been compromised by someone “from another country”. But when it was discovered that the regulator’s servers were hosting malicious files that were then infecting banks’ systems, the decision was made to take down the KNF’s entire system “in order to secure evidence.”

According to one cyber security site that spoke to a number of banks and carried out a preliminary analysis, a number of banks confirmed that they had seen unusual network traffic and found encrypted executables on several servers. The details were rapidly shared between the group of roughly 20 commercial banks in the country and other banks started reporting the same issues.

Ironically, it is the KNF that sets cybersecurity standards for Polish banks, but it is thought that a modified JS file resulted in visitors to the regulator’s site loading an external JS file which then pulled down malicious payloads.

Both the KNF and the Polish government have since told local Polish media that there is no indication that people’s money was touched and have given tentative assurances that no operations were affected. But they also stressed that investigations were ongoing.

The situation is being seen as the most serious ever attack on the Polish banking industry. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/06/polish_banks_hit_by_malware_sent_through_hacked_financial_regulator/

InterContinental Confirms Security Breach At 12 US Hotels

Investigation reveals payment cards of customers were compromised between August and December.

InterContinental Hotels Group Plc has confirmed there was a malware attack on 12 of its hotels in the US, and payment cards used at the restaurants and bars were compromised, Reuters reports. While it did not release more details of the breach, InterContinental clarified that front desk customers were not victimized.

Properties affected by the breach, which occurred between August and December last year, include InterContinental Chicago Magnificent Mile, the InterContinental San Francisco and Holiday Inn Resort – Aruba. Investigation into other properties continues.

Cybersecurity firms were hired by the group last December following reports of a possible violation.

Read full report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/intercontinental-confirms-security-breach-at-12-us-hotels/d/d-id/1328058?_mc=RSS_DR_EDT

Fight Back Against Ransomware

The No More Ransom project helps those affected by ransomware and works to prevent the problem’s spread.


In the research world, it’s always a bonus when we can go the extra mile and ensure that what we do every day is helping others and having a tangible, positive effect. It’s one thing to beef up the technology our output feeds, but it’s another to be able to cooperate with others in the industry and help provide an extra push on certain issues. In the security industry, there are plenty of opportunities to engage in efforts that aren’t driven by potential profits, but too often we get buried in the day-to-day barrage of work to grasp those opportunities.

For these reasons, I have fully embraced the No More Ransom project. This organization allows security professionals to go beyond our own internal focus and serve the greater good by cooperating with law enforcement and others in the industry to help those who have been affected by ransomware. There is always extra help we can offer the industry as a whole to prevent the impact of ransomware, as well as assist those post-infection where possible. 

The No More Ransom project is even more relevant and necessary today than it was at the time of its launch in July 2016. Every day, we see more variants of existing families of ransomware. Ransomware is not a new threat or phenomenon, but the increased commoditization and ease of entry allow for the explosive proliferation of this problem. In the last few years, the rise in “ransomware as a service” (RaaS) has allowed for those with no coding ability and no experience in the “business” side of malware to succeed in malware-based extortion. Criminals with no technical ability can generate their own variants of Petya/Goldeneye, NemeS1S, and other forms of ransomware.   

NemeS1S is an RaaS offering that popped up in January 2017. As one of the newest examples of the RaaS trend, it illustrates both the need for efforts like No More Ransom as well as the lack of preventive capability within traditional, signature-based antivirus controls.

With such a low barrier to entry, the need for efforts like No More Ransom is amplified. Partners in the project can assist the public by providing assistance in a number of ways. This includes, but is not limited to, extremely high-level technical analysis, custom decryption tools to be given to the public for free, and publicizing indicators of compromise related to ransomware threats and threat campaigns.

The issue is not going away, and, if anything, the barrier of entry is diminishing to nearly nothing. Efforts like No More Ransom are becoming even more necessary to further assist the public and serve the greater good. Disarming the authors of ransomware—that is, through the wide release of decryption keys and open decryption tools and utilities—is key.  

I encourage you to visit the No More Ransom website to learn more about the project. New tools and information are distributed via the site on a regular basis. You can also follow the movement via Twitter using the hashtag #NoMoreRansom.

Stay safe!


Jim Walter is a senior member of Cylance’s SPEAR team. He focuses on next-level attacks, actors, and campaigns as well as ‘underground’ markets and associated criminal activity. Jim is a regular speaker at cybersecurity events and has authored numerous articles, whitepapers …

Article source: http://www.darkreading.com/attacks-breaches/fight-back-against-ransomware/a/d-id/1328039?_mc=RSS_DR_EDT

Appeals Court Orders Review Of 2015 Target Breach Settlement

Order follows victim appeal to hold the retailer liable for future identity theft claims stemming from the 2013 breach.

The 8th U.S. Circuit Court of Appeals has directed Minnesota federal Judge Paul Magnuson to review the class-certification approval given to 100 million Target customers who were victims of a 2013 security breach, says StarTribune. The purpose behind the review is to ensure that the retailer’s data breach victims are not subjected to future “rubber-stamp settlements.”

The appeal to the 2015 Target settlement was filed by Leif Olson of Texas, who used payment cards during the breach period. Olson expressed concerns that if his personal data was misused in the future he could not hold Target liable, and asked that cases like his be treated separately.

In the 2013 data breach, roughly 100 million Target customers had credit card and personal data stolen. The 2015 court settlement required Target to compensate those who provided documentation or made claims under an oath but ignored those who suffered no monetary loss yet were still at risk for future identity theft.

Read details on StarTribune.


Article source: http://www.darkreading.com/attacks-breaches/appeals-court-orders-review-of-2015-target-breach-settlement/d/d-id/1328059?_mc=RSS_DR_EDT

Hello? Police? My darknet drug market was just hacked by criminals

A popular dark net marketplace hawking drugs and stolen credit cards has opened a security bug bounty offering to pay hackers for reporting vulnerabilities.

The “Hansa” marketplace announced the bounty last week, inviting security researchers to disclose vulnerabilities, with payouts worth up to 10 bitcoins (US$10,170) for bugs that could lead to the identification of users, vendors, or administrators.

The payouts are likely measly compared to the cash rewards on offer to hackers taking more conventional routes and exploiting vulnerabilities with blackmail or other evil acts.

Fallen Silk Road boss Ross Ulbricht was forced to pay US$50,000 a week to hackers who learnt how to launch distributed denial of service attacks against the site. He’s also alleged to have paid cash to quiet hackers threatening to reveal his identity.

On Hansa, vulnerabilities that cannot be used to reveal the identities or locations of users, vendors, and administrators attract a one bitcoin (US$1,020) payment. Less-intrusive bugs and glitches earn just 0.5 BTC.

Site administrators promise to follow bug bounty best practice and maintain regular contact with vulnerability reporters.

Hackers who drop the bugs before patches are applied, or exploit and impact the market or its users, will have their payouts withheld. Hackers who offer proper proof-of-concepts will earn themselves a higher payout.

Darknet drug sites can hardly call the police and complain when hacked, so they must maintain a high level of security to fend off hackers and blackmailers.

The most popular drug and carder marketplace, Agora, last month fixed a highly critical private key leak vulnerability partially disclosed on Reddit. That flaw allowed its finder to grab 218,000 private messages, the names of buyers and sellers, street addresses, and package tracking identity numbers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/06/hansa_darknet_bug_bounty/

Microsoft’s DRM can expose Windows-on-Tor users’ IP address

Windows users running the Tor browser can be tricked into uncloaking themselves, with a pretty straightforward trick based on Microsoft’s DRM system.

The discovery was made by Hacker House, which says it’s been researching social engineering attacks made using DRM-protected content.

What the UK-based security outfit found is that a pretty straightforward bit of social engineering – “click on this media file” – can, at the very least, reveal the user’s real IP address.

Here’s what’s going on: DRM-protected media has to fetch its licence key from a server. If it’s not signed properly, Windows raises a dialogue to warn you.

“However, this warning DOES NOT appear if the DRM license has been signed correctly and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile”, the author writes.

[Image: Microsoft DRM warning dialog. Caption: Hide this dialogue, capture a Tor user’s IP address]

Microsoft sets high barriers to entry for those who want to start signing media: “If you want to build your own Microsoft DRM signing solution the price-tag is around US$10,000,” Hacker House notes.

What they’ve seen in the wild is someone managing to generate signed content, apparently without paying that toll.

“As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning”, they write.

The risk that media files could expose users is known to Tor, which warns users to run Tails if they want to run media files.

It’s not the first time people have seen social engineering attacks based on media files: the old “you need a plug-in to play this file” strategy had a Windows DRM variant back in 2013, according to VirusTotal. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/06/microsoft_drm_and_tor/

Slammer worm slithers back online to attack ancient SQL servers

One of the world’s most famous net menaces, SQL Slammer, has resumed attacking servers some 13 years after it set records by infecting 75,000 servers in 10 minutes, researchers say.

The in-memory worm exploits an ancient flaw in Microsoft SQL Server and Desktop Engine, triggering denial of service; at the time of its emergence it significantly choked internet traffic.

Researcher Michael Bacarella first raised the alarm about Slammer, which was created on the back of public proof-of-concept exploit code published at Black Hat by David Litchfield, now a Google security boffin.

Check Point researchers detected re-emergent attacks in early December, noting that most targeted machines in the US.

“More than a decade later, Slammer is hitting again,” researchers say.

“The attack attempts detected by Check Point were directed to a large variety of destination countries with 26 percent of the attacks being towards networks in the United States.

“This indicates a wide wave of attacks rather than a targeted one.”

The attacks peaked between 28 November, 2016, and 4 December, 2016, and were some of the biggest by volume over those days.

Slammer attack traffic came from IP addresses in China, Vietnam, and Mexico.

This new batch of Slammer-wielders must be optimists, given that the worm targeted a now-ancient SQL Server 2000 buffer overflow vulnerability that DBAs have had 13 years to fix.

Still, application of even important patches can be slow. Microsoft last year found that the vulnerability (CVE-2010-2568) exploited by the six-year-old Stuxnet worm, arguably the most famous information security threat, was the most common means to compromise users. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/05/sql_slammer_back/

New SMB bug: How to crash Windows system with a ‘link of death’

US CERT on Thursday issued a security advisory warning that all currently supported versions of Windows are vulnerable to a memory corruption bug that can be exploited to crash computers from afar.

“Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure,” the security organization said. “By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”

The vulnerability was initially rated 10 out of 10 in terms of severity, but has since been downgraded to 7.8. To make use of the vulnerability, an attacker would have to get the Windows system to connect to a malicious SMB share.

This can be done by tricking a victim into clicking on a malicious link to a share in an email in Outlook, or by embedding in a webpage an invisible image with a source URL to an evil file server and getting the mark to visit the site using Internet Explorer, for example. The result is a blue-screen-of-death system crash out of nowhere for the poor user.
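The advisory’s description boils down to a missing length check: the body of a successful SMB2 TREE_CONNECT response is a fixed 16-byte structure (StructureSize, ShareType, Reserved, ShareFlags, Capabilities, MaximalAccess per MS-SMB2 2.2.10), so any bytes after it are anomalous. The following validator is an added example, not code from the advisory or from Gaffié’s proof of concept; it assumes the 4-byte NetBIOS session header has already been stripped, uses constructed sample messages, and is the kind of check a client, proxy or IDS could apply to server replies before handing them to a parser.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64                 # MS-SMB2 2.2.1: header StructureSize is always 64
SMB2_TREE_CONNECT = 0x0003           # Command value for TREE_CONNECT
SMB2_FLAGS_SERVER_TO_REDIR = 0x0001  # Flags bit set on server -> client messages
TREE_CONNECT_RESP_LEN = 16           # MS-SMB2 2.2.10: response StructureSize is always 16


def parse_smb2_header(data):
    """Return (command, flags, status) from a 64-byte SMB2 header, or raise ValueError."""
    if len(data) < SMB2_HEADER_LEN or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Offset 4: StructureSize, CreditCharge, Status, Command, Credit, Flags
    struct_size, _charge, status, command, _credit, flags = struct.unpack_from("<HHIHHI", data, 4)
    if struct_size != SMB2_HEADER_LEN:
        raise ValueError("bad header StructureSize %d" % struct_size)
    return command, flags, status


def check_tree_connect_response(data):
    """Classify a server TREE_CONNECT message; returns a dict with an 'ok' verdict and a reason."""
    command, flags, status = parse_smb2_header(data)
    if command != SMB2_TREE_CONNECT:
        raise ValueError("not a TREE_CONNECT message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server response")
    body = data[SMB2_HEADER_LEN:]
    if len(body) < 2:
        return {"ok": False, "reason": "truncated body", "trailing": 0}
    # Error replies carry a different (9-byte) structure; only success replies are validated here.
    if status != 0:
        return {"ok": True, "reason": "error response, not validated", "trailing": 0}
    (struct_size,) = struct.unpack_from("<H", body, 0)
    if struct_size != TREE_CONNECT_RESP_LEN:
        return {"ok": False, "reason": "StructureSize %d != 16" % struct_size, "trailing": 0}
    if len(body) < TREE_CONNECT_RESP_LEN:
        return {"ok": False, "reason": "body shorter than declared structure", "trailing": 0}
    trailing = len(body) - TREE_CONNECT_RESP_LEN
    if trailing:
        # This is the condition the advisory describes: bytes beyond the defined structure.
        return {"ok": False, "reason": "extra bytes after TREE_CONNECT response", "trailing": trailing}
    share_type, _reserved, _share_flags, _caps, max_access = struct.unpack_from("<BBIII", body, 2)
    return {"ok": True, "reason": "well-formed", "trailing": 0,
            "share_type": share_type, "maximal_access": max_access}


def build_response(body):
    """Wrap a body in a server-to-client TREE_CONNECT header (constructed sample, not a capture)."""
    header = SMB2_MAGIC + struct.pack("<HHIHHI", SMB2_HEADER_LEN, 0, 0,
                                      SMB2_TREE_CONNECT, 1, SMB2_FLAGS_SERVER_TO_REDIR)
    # NextCommand, MessageId, Reserved, TreeId, SessionId, then a zeroed 16-byte Signature
    header += struct.pack("<IQIIQ", 0, 2, 0, 1, 0x1234) + b"\x00" * 16
    return header + body


# Constructed samples: a well-formed reply for a disk share with full access, and one
# that carries 32 surplus bytes after the 16-byte structure.
GOOD_BODY = struct.pack("<HBBIII", 16, 1, 0, 0, 0, 0x001F01FF)
OVERLONG_BODY = GOOD_BODY + b"\x41" * 32

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("overlong", OVERLONG_BODY)):
        print(label, check_tree_connect_response(build_response(body)))
```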

Security researcher Laurent Gaffié in an email told The Register that the bug involves a null-pointer dereference. He said that both Microsoft and he consider it a potential means to conduct a remote denial of service attack, but not a means to execute code remotely.

He said the bug can be used to make a target reboot either locally, via Netbios or LLMNR poisoning, or remotely via a UNC link.

“It’s important to note that this trivial bug should have been caught immediately by [Microsoft’s] SDLC process, but surprisingly it was not,” Gaffié said. “This means that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems.”

Gaffié said he submitted the bug to Microsoft on September 25, 2016, and that Microsoft had a patch ready for its December patch cycle. The company pushed the fix back to February, he explained, because it made more sense to them to release several SMB fixes at once rather than a single one in December.

As other security researchers have done, Gaffié said he decided to release the bug a week before the patch because this isn’t the first time Microsoft has sat on vulnerabilities he’s reported, even though he’s doing work to help the company for free.

“When they sit on a bug like this one, they’re not helping their users but doing marketing damage control, and opportunistic patch release,” he said. “This attitude is wrong for their users, and for the security community at large.”

Gaffié has released a proof-of-concept exploit through GitHub. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/04/windows_flaw_adds_crashing_as_a_service/

Thought your data was safe outside America after the Microsoft ruling? Think again

The US Department of Justice will be happy campers after a court ruled that Google can’t avoid complying with domestic search warrants for data held overseas.

Last month, Microsoft won a crucial legal battle in the Second Circuit on just this point when a court ruled that police couldn’t grab data from foreign servers with just a Stored Communications Act warrant, but instead needed to go through existing data sharing agreements with other governments. The DoJ has appealed and it’s likely to go to the Supreme Court.

But in a similar case against Google, the district court of Eastern Pennsylvania ruled that the Chocolate Factory had to cough up emails stored overseas after it was served with a search warrant. The judge ruled [PDF] that there were enough differences between the two cases for the Microsoft ruling not to apply.

“Google regularly transfers user data from one data center to another without the customer’s knowledge,” said Magistrate Judge Thomas Rueter.

“Such transfers do not interfere with the customer’s access or possessory interest in the user data. Even if the transfer interferes with the account owner’s control over his information, this interference is de minimis and temporary.”

The judge ruled that the two search warrants must be obeyed by Google, since it routinely stores such data overseas and the files would only be opened in the US – so it wasn’t, in his opinion, a foreign search. Also, unlike the Microsoft case, the search warrant was served against a US citizen, not a foreigner.

“The court suggests that bringing a file back to the United States is not a seizure because Google moves data around all the time and ‘this interference is de minimis and temporary’,” said Professor Orin Kerr of the George Washington University Law School.

“I don’t think that works. Google is a private company not regulated by the Fourth Amendment, so whether it moves around data is irrelevant. And I don’t see what is ‘de minimis and temporary’ about the government ordering Google to make a copy of your email pursuant to a court order.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/04/google_must_provide_emails_held_overseas/