STE WILLIAMS

Critical TLS flaw opens Exim servers to remote compromise

A ‘critical’ security vulnerability has been discovered in the Exim mail server that requires admins’ urgent attention.

The flaw (CVE-2019-15846) affects all versions from 4.80 up to and including 4.92.1. Exim’s maintainers have offered only a general description of it; it was discovered in July 2019 by a researcher identified as ‘Zerons’.

Subsequently confirmed by engineers working for Qualys, the flaw is a buffer overflow in the code that processes the peer’s Server Name Indication (SNI) during TLS negotiation. SNI is a TLS extension by which a client names the host it wants to reach at the start of the handshake, so that a server hosting several TLS-secured names behind one IP address can present the matching certificate.

It is about as serious a flaw as a mail server can have: Exim runs with root privileges, and an attacker, local or remote and with no special privileges, can trigger the overflow during the initial TLS handshake simply by sending an SNI value that ends in a backslash-null sequence.

Alternatively, attackers could achieve the same result – root on the target – using a crafted client TLS certificate, which passes through the same unsafe handling.

At the time of writing there are no reports of the flaw being exploited in the wild; the only exploit believed to exist is a proof of concept. Nevertheless, in the maintainers’ words:

If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS library, so both GnuTLS and OpenSSL are affected.
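The trigger above can be checked for at the wire level. The following is an added example, not Exim’s code and not the researchers’ proof of concept: it builds a minimal ClientHello carrying a chosen SNI (constructed input) and classifies the raw host_name bytes, flagging the backslash-null ending the advisory describes and, as a stricter check of this example’s own, any byte that cannot appear in a legitimate hostname. The function names are this example’s own.

```python
import struct
from typing import Optional


def build_client_hello(sni: bytes) -> bytes:
    """Return a minimal TLS 1.2 ClientHello record carrying `sni` as its server_name.

    Constructed test input only: a real client sends many cipher suites and extensions,
    but only the server_name extension matters for the check below.
    """
    # server_name extension (RFC 6066): ServerNameList of (name_type=0, length, name)
    name_entry = b"\x00" + struct.pack("!H", len(sni)) + sni
    server_name_list = struct.pack("!H", len(name_entry)) + name_entry
    extension = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeroed for the example)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # one cipher suite
        + b"\x01\x00"            # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # TLS record header


def extract_sni(record: bytes) -> Optional[bytes]:
    """Walk a TLS record and return the raw host_name bytes from the SNI extension.

    Returns None for truncated records or records without server_name; never raises,
    so it is safe to run over arbitrary captured bytes.
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                              # skip version and random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            q = 2                                                 # skip ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name
                q += 3 + name_len
        return None
    except (IndexError, struct.error):
        return None


def classify_sni(record: bytes) -> str:
    """Classify the SNI in a ClientHello against the trigger the advisory describes.

    "backslash-null" is the exact trigger. "invalid-byte" is a stricter check added by this
    example: a legitimate host_name (RFC 6066) is an ASCII hostname, so a backslash, NUL or
    any other control or non-ASCII byte is malformed whatever the value ends in.
    """
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    if sni.endswith(b"\\\x00"):
        return "backslash-null"
    if any(b == 0x5C or b < 0x20 or b > 0x7E for b in sni):
        return "invalid-byte"
    return "ok"
```

Such a check belongs in an IDS or a TLS-terminating proxy in front of Exim. It is a detection aid, not a substitute for the 4.92.2 update: the vulnerable code runs on whatever bytes the TLS library hands it.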

What to do

Exim is easily the most popular open-source mail server on the internet, accounting for almost 60% of those visible on the internet, according to estimates.

Servers that do not accept TLS connections are not exposed to this bug, but all Exim admins are still advised to update to 4.92.2, which fixes the issue (disabling TLS removes the exposure, but is not recommended as a fix).

Exim servers running versions from before the vulnerable code appeared in 4.80 (2012) are not at risk from this bug, but remain vulnerable to a number of older ones, such as the CVE-2018-6789 remote code execution flaw from last year.

More recent Exim vulnerabilities include CVE-2019-10149, which Microsoft later found a Linux worm exploiting.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2NLa6N1e3Bk/

Chrome bumps ineffective EV certificates off the omnibar

Be strong, gentle reader, for change is coming: soon, the name Sophos will blink out and disappear from your Chrome omnibar.

Just kidding! If you’re like many people, you have never, ever noticed that Sophos, and plenty of other brands, plunked down money to get their trusted names up there in that combined address/search bar, and there’s a very good chance that you haven’t changed your browsing behavior just because such a name was missing.

According to research from Google’s Chrome Security UX team, you’ve gone right ahead and input your credit card or password even if that badge was missing. So just to keep things simple, and streamlined, and to save precious real estate in the omnibar that’s now being squatted on by names like Sophos, or, say, PayPal, Chrome is going to tuck that badge away under Page Info, which is accessed by clicking the lock icon (which is staying put).

This will happen starting in Chrome Version 77, released today.

Some background: that badge indicates that a company has ponied up for what’s known as an Extended Validation (EV) certificate, which Chrome, Firefox and other browsers have signalled with a distinctive badge. When you go to paypal.com, you’ll see that “PayPal, Inc.” text displayed next to the lock, to the left of the site’s address in Chrome’s omnibar.

An EV certificate is one of three validation levels for Transport Layer Security (TLS) certificates: domain-validated, organization-validated and extended validation. The difference between them is that, from left to right, the certificate authority does more rigorous, and more expensive, checking that you are who the certificate says you are. The encryption the certificate enables is the same at every level; only the identity vetting differs.

But in order for EV certificates to deliver that extra security, users have to actually recognize what the presence of the EV badge means, and therefore what the absence of the EV badge means …and then actually change their behavior if the badge is missing.

But no, that’s not what happens. Google user testing says that users don’t make different decisions in the absence of an EV certificate.

As Google’s Devon O’Brien explained in a Chromium forum post on Sunday:

The Chrome Security UX team has determined that the EV UI does not protect users as intended.

Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.

The EV badge not only takes up valuable screen real estate, he said. Sometimes, it also prominently displays “actively confusing” company names. All of that gets in the way of Google’s push toward “neutral, rather than positive, display for secure connections,” O’Brien said.

In other words, this is another one of the small browser changes that’s going to re-frame security for users, similar to how Google has been re-framing HTTPS from exception to norm by switching its UI from saying HTTPS is “secure” to saying HTTP is “insecure”. With this move, it’s taking aim one level deeper, at the TLS certificates required for HTTPS to work.

Not that EV certificates are going away, mind you. They’re just being tucked down:

Because of these problems and its limited utility, we believe it belongs better in Page Info.

Have I Been Pwned creator Troy Hunt declared EV certificates dead nearly a year ago, right after Apple removed them from Safari on iOS in September 2018 and shortly before it did the same in Safari on macOS Mojave. Chrome had already stopped displaying the badge on mobile clients.

Ditto for Firefox. In its own “EV certs are dead” announcement, Mozilla said that starting in desktop Firefox 70, the EV badge will be removed from the identity block (the left-hand side of the URL bar that’s used to display security/privacy information), and additional EV information will be added to the identity panel instead, “effectively reducing the exposure of EV information to users while keeping it easily accessible.”

Mozilla called out the same bad juju that Google did: the same lack of EV cert display effectiveness, as well as “proof of concepts [that] have been pitting EV against domains for phishing.”

This is a reference to work done by Ian Carroll, who spent $100 to incorporate a company with a colliding name and got an EV cert for it. Specifically, as Hunt explained, Carroll registered “Stripe Inc” in a different US state from the one in which the payment processor of that name is incorporated. For another $77 and about an hour, Carroll had a convincing company name on a valid, legally obtained EV cert: a ready-made phishing prop, had he been a crook.

Here’s Hunt:

The only proponents of EV seemed to be those selling it or those who didn’t understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WxAmoP9NPKQ/

Google & Apple pushed to reveal gun scope app users’ names to feds

US Immigration and Customs Enforcement (ICE) is looking into illegal exports of a gun scope, and its investigation includes going after Apple and Google to get them to hand over the names of who’s using an associated gun-scope app.

The Department of Justice (DOJ) on Thursday applied for a court order demanding that the two companies turn over data on some 10,000 users of Obsidian 4: an app from American Technologies Network Corp. (ATN) that connects the scope to smartphones or tablets over Wi-Fi so that gun owners can watch a live video stream of their hunt and calibrate their smart scope.

Apple doesn’t release app download numbers, but Google Play says that the app’s been downloaded over 10,000 times. How many of those installs are from actual users is another question, though, given how many recent reviews say that they’re only downloading in protest of the government demanding that Google and Apple hand over a list of the app’s users.

The application was supposed to be sealed, but Forbes got hold of it before it was hidden from public view.

If the DOJ gets a court to sign off on the demand, Apple and Google will be told to hand over the names of anyone who downloaded the scope app from 1 August 2017 to the present; their telephone numbers and IP addresses, which can be used to determine where the users are located; and session data, such as when users were operating the app.

ATN itself isn’t under investigation in connection with the alleged illegal exports. The application reportedly describes intercepted shipments of the company’s scopes, in violation of the International Traffic in Arms Regulations (ITAR): the shipments lacked the required export licenses when they were reportedly found in Hong Kong, Canada and the Netherlands.

According to the application, the data ICE is demanding will help it find app users thought to be in violation of those laws. From the document:

This pattern of unlawful, attempted exports of this rifle scope in combination with the manner in which the ATN Obsidian 4 application is paired with this scope manufactured by Company A supports the conclusion that the information requested herein will assist the government in identifying networks engaged in the unlawful export of this rifle scope through identifying end users located in countries to which export of this item is restricted.

Fishing expedition

Privacy experts were critical. Tor Ekeland, a privacy-focused lawyer, told Forbes it was a fishing expedition that could ensnare data on thousands of innocent people, which could then be used to “go after someone for something else”.

It’s also likely that the government could issue the same type of broad demand to go after user data from other types of apps, such as dating or health apps. Ekeland said:

There’s a more profound issue here with the government able to vacuum up a vast amount of data on people they have no reason to suspect have committed any crime. They don’t have any probable cause to investigate, but they’re getting access to data on them.

Jake Williams, a former NSA analyst and now a cybersecurity consultant at Rendition Infosec, told Forbes that if the request is granted, it could have a “serious chilling effect on how people use the Google and Android app stores.”

The idea that Google could be compelled to turn over, in secret, all of my identifiers and session data in its possession because I downloaded an application for research is such a broad overreach it’s ridiculous.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SKydWWr9YsM/

Mozilla increases browser privacy with encrypted DNS

Mozilla is about to turn on by default an oft-overlooked privacy feature in Firefox. The desktop version of the browser will soon automatically encrypt the DNS lookups it makes for the websites you visit, using a feature called DNS-over-HTTPS (DoH), it said on Friday.

DoH lets browsers send Domain Name System (DNS) requests over the encrypted version of the HTTP protocol. DNS is the service that takes a human-readable name like nakedsecurity.sophos.com and turns it into an IP address a computer can use.

Your browser asks a DNS resolver for this information. In turn, the resolver asks several other DNS servers on your behalf, then returns the IP address linked to that name so that a browser like Firefox can contact it to download web pages. Your DNS resolver is usually run by your ISP, but it doesn’t have to be: there are third-party commercial DNS services too.

The problem is that computers normally send DNS requests in the clear. That lets a man-in-the-middle, whether sniffing the Wi-Fi in your local coffee shop or sitting on any of the hops between you and your DNS resolver, meddle with your DNS: they can read it, to see what sites you’re visiting, or change it, to send you somewhere else.

The Internet Engineering Task Force (IETF) has worried about the privacy implications of DNS for years. In 2018, it addressed them by standardising DoH. It carries ordinary DNS queries inside HTTPS, which is protected by TLS encryption. Not only does this encrypt DNS, but it also uses TCP port 443, the port ordinary HTTPS uses, rather than the port 53 that plain DNS queries use. That makes DoH requests look the same as regular HTTPS traffic, so an ISP cannot block DoH by port without also blocking all web access (it could still block the addresses of known DoH resolvers).

The desktop version of Firefox has provided DoH support since Firefox 62, but it was turned off by default. Mozilla had been experimenting with it before switching it on by default to make sure that it didn’t break anything – such as parental control systems or the safe search capability on some search engines, like Google.

A third thing that Mozilla had to test for was split-horizon DNS resolvers, which companies often use to grant access to both public and non-public web addresses. For example, if you’re working on a company website, you might get the regular public version if you access it from outside the company network, but the split-horizon DNS resolver might show you one that’s in development if you access it from inside the company network.

Mozilla found that only 4.3% of users had configured parental control systems or turned on Google Safe Search, and that only 9.2% of queries involved split-horizon resolvers, so it judged both manageable. It handles them by falling back to regular DNS queries when it detects either situation.

Your DNS queries have to be decrypted at some point by a DNS provider that reads them. In this case, Mozilla’s default provider is Cloudflare, which launched its 1.1.1.1 DNS service in April 2018. Does this present a privacy issue?

Your DNS queries always end up being read by one service provider or another, but Cloudflare has made an agreement with Mozilla to collect what it says is a limited amount of data about the user. The company deletes those records from its logs after 24 hours, but will keep anonymous, aggregated logs of the domain names requested, it says.

Mozilla also told us:

Any DNS provider that we integrate into Firefox will be required to follow a strict set of policies that prevent them from using DNS request data for anything other than providing the DNS service and that requires them to delete that data after 24 hours.

The Foundation will start rolling out support for US users this month, beginning with a small percentage and ramping up if it goes well. It couldn’t tell us when it might turn it on for people in other countries, and told us by email:

We do not have any current plans to release this feature outside the USA. We’re exploring potential DoH partners in Europe to bring this important security feature to users there. As soon as we have new information to share, we’ll make it available on our Future Releases blog.

Mozilla has drawn flak from the UK Internet Service Providers Association (ISPA), which nominated it as an ‘Internet Villain’ for bypassing the UK’s internet filtering policies.

Users for whom Mozilla enables DoH by default will be able to turn it off.

Or, if it isn’t enabled by default, you can turn it on (only in the desktop version; the mobile editions don’t support it). Go to Preferences, then Network Settings. Check the Enable DNS over HTTPS box, and either set your own provider or use Cloudflare as the default.

Google is also backing DoH. It says that it’s planning an experiment with the technology in Chrome 78 “followed by a launch if everything goes well”.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/luV2NWDhrqw/

What Are the First Signs of a Cloud Data Leak?

Most cloud data breaches leave only trace signs of malfeasance, so it can be tricky.

Question: What are the first signs of a cloud data leak?

Josh Stella, co-founder and CTO of Fugue: Many cloud breaches are only discovered when data appears on the Dark Web or hackers make mistakes. Unfortunately, this can be extremely challenging. Most cloud data breaches leave only trace signs of malfeasance, such as a handful of API calls in logs that can be found, and many of those API calls look a lot like normal operations on the cloud. Be on the lookout for unusual List and Read operations in your API call logs — particularly for data that isn’t usually directly listed or read during normal production operations. The key to stopping cloud-based data breaches is to prevent cloud misconfiguration in the first place.
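As an added illustration of the log-level signal described in the answer above (example code, not Fugue’s tooling), the following builds a per-principal baseline of S3 API calls from a “known good” window of constructed CloudTrail-shaped records, then flags List/Get calls in a later window that the principal has never made before, or that touch a bucket it has never touched before. The role ARN, bucket names, IP address and timestamps are all made up.

```python
import json
from typing import Dict, List, Optional, Set


def _event(time: str, name: str, bucket: Optional[str] = None,
           arn: str = "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc") -> str:
    """Build one constructed CloudTrail-shaped record (fields trimmed). Not a real log line."""
    rec = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": "10.0.1.5", "requestParameters": {}}
    if bucket:
        rec["requestParameters"]["bucketName"] = bucket
    return json.dumps(rec)


# "Known good" window: the application role reads and writes only its own bucket.
BASELINE_LOG = [
    _event("2019-09-01T10:00:00Z", "GetObject", "prod-uploads"),
    _event("2019-09-01T10:00:05Z", "PutObject", "prod-uploads"),
    _event("2019-09-02T11:30:00Z", "GetObject", "prod-uploads"),
]

# Window under investigation: same role, but it enumerates buckets and reads one it never touched.
SUSPECT_LOG = [
    _event("2019-09-08T03:12:00Z", "GetObject", "prod-uploads"),
    _event("2019-09-08T03:12:40Z", "ListBuckets"),
    _event("2019-09-08T03:13:02Z", "ListObjects", "prod-customer-exports"),
    _event("2019-09-08T03:13:30Z", "GetObject", "prod-customer-exports"),
    _event("2019-09-08T03:14:00Z", "PutObject", "prod-uploads"),
]

# CloudTrail names read-style calls with these prefixes; writes are not the signal here.
READ_LIKE_PREFIXES = ("List", "Get", "Describe", "Head")


def is_read_like(event_name: str) -> bool:
    return event_name.startswith(READ_LIKE_PREFIXES)


def build_baseline(lines: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Per principal: which API calls and which buckets were seen during normal operations."""
    baseline: Dict[str, Dict[str, Set[str]]] = {}
    for line in lines:
        e = json.loads(line)
        arn = e["userIdentity"]["arn"]
        entry = baseline.setdefault(arn, {"ops": set(), "buckets": set()})
        entry["ops"].add(e["eventName"])
        bucket = e.get("requestParameters", {}).get("bucketName")
        if bucket:
            entry["buckets"].add(bucket)
    return baseline


def find_anomalies(lines: List[str], baseline: Dict[str, Dict[str, Set[str]]]) -> List[dict]:
    """Flag read-like calls a principal has not been seen making, or that touch data it has not touched."""
    alerts = []
    for line in lines:
        e = json.loads(line)
        name = e["eventName"]
        if not is_read_like(name):
            continue
        arn = e["userIdentity"]["arn"]
        bucket = e.get("requestParameters", {}).get("bucketName")
        known = baseline.get(arn)
        if known is None:
            reason = "principal never seen in baseline"
        elif name not in known["ops"]:
            reason = "call never seen for this principal"
        elif bucket and bucket not in known["buckets"]:
            reason = "bucket never touched by this principal"
        else:
            continue
        alerts.append({"time": e["eventTime"], "principal": arn, "call": name,
                       "bucket": bucket, "reason": reason})
    return alerts
```

Run against the constructed windows above, the routine stays silent on the role’s usual GetObject/PutObject traffic and raises three alerts: the first ListBuckets, the ListObjects on a bucket the role never used, and the GetObject that follows it. A real deployment would build the baseline from weeks of CloudTrail data and key on more than the bucket name, but the shape of the signal is the same.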


Article source: https://www.darkreading.com/edge/theedge/what-are-the-first-signs-of-a-cloud-data-leak/b/d-id/1335770?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

That Telegram feature that let you delete your private messages on recipients’ phones? It didn’t work properly

Telegram has fixed a bug that broke one of its chat app’s key privacy features: the ability to fully delete your sensitive messages from recipients’ phones.

The software claimed it could effectively recall messages you sent to your friends: recalled chats were said to be deleted from their devices.

However, bug-bounty hunter Dhiraj Mishra told The Register today that while the text content of messages would be removed, any attached images would inadvertently remain on the handset.

And while it’s fair to assume that, generally speaking, once you send data to someone on the internet, that information is effectively out of your hands and virtually impossible to recall, bear in mind this remote-delete mechanism is a feature of Telegram, and was expected to work.

“Assume a scenario where Bob sends a message which is a confidential image and was mistakenly sent to Alice, Bob proceeds to utilize a feature of Telegram known as ‘Also delete for Alice’ which would essentially delete the message for Alice,” Mishra, who found the bug and privately reported it to Telegram, explained.

“Apparently, this feature does not work as intended, as Alice would still be able to see the image stored under `/Telegram/Telegram Images/` folder, concluding that the feature only deletes the image from the chat window.”

Mishra published a video demonstrating the programming oversight.

“I have tried this with the latest stable version (5.10.0 (1684)) of Telegram for Android,” Mishra added. “I haven’t tried this with Telegram for iOS and Telegram for Windows but assuming this issue would exist on these other platforms.”

While this could be embarrassing enough in a 1-to-1 chat, the flaw is particularly dangerous in large group chats. Mishra noted that in some cases Telegram groups will include thousands of people and, should the person mistakenly attach an image with private or confidential information, there would essentially be no way to make sure the image was deleted.


“You’re relying on a functionality that is broken, since your file would still be present in storage for all users,” noted Mishra. “Aside from this, I found that Telegram takes `read/write/modify` permission on the USB storage, which technically means the confidential photo should have been deleted from Alice’s device or storage.”

This, says Mishra, is a serious security shortcoming for Telegram, an app that offers end-to-end encryption (in its Secret Chats) and prides itself on allowing users tight control over when and how their communications are seen.

“This issue could have a bigger impact and I am not sure how [long] this was in place,” Mishra noted, “the word privacy of Telegram fails here again, and users trust against the Telegram is at risk.”

Telegram seems to agree. The messaging app’s developers awarded Mishra a tidy €2,300 ($2,542) reward for the find and has pushed out an update to address the flaw. Folks are advised to update to the latest version of the app (version 5.11 or higher) or opt to use the “New Secret Chat” feature, where images are deleted for both parties. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/09/telegram_messaging_bug/

Equifax is going to make you work for that 125 bucks it owes each of you: Biz sneaks out Friday night rule change

It’s been two years since hapless credit-monitoring company Equifax admitted hackers gained access to the personal details of some 147 million people on its servers – and it has marked the anniversary with an extra legal hurdle for those seeking compensation.

The credit-history collectors lost control of details including the names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers, of about half the US population. Despite America’s trade watchdog, the FTC, strong-arming the biz into coughing up at least $575m for bungling its database security, it’s looking more and more likely that those affected will get little or no compensation.

Not only are those folks unlikely to get the $125 they were publicly promised – thanks to the FTC agreeing to a fixed cash fund for all victims – Equifax is now forcing those who applied for the dosh to jump through additional hoops. And if you don’t do what the company wants, within its deadline, you can kiss that money goodbye.

“Validate or amend your claim,” is the heading of an email that millions of claimants received on Friday and over the weekend. In it, Equifax explains that even though you found out about its settlement, and found the online address where you had to apply, and even though you entered all the details you were asked for, and even though you selected the cash option, you now need to provide it with more information.

“Your claim will not be received by the Settlement Administrator until you click the submit button after your electronic signature. For security reasons, once you hit submit, you will not be able to make any changes to your claim form,” the email notes.

How much red tape does $125 buy?

You’ve got until October 15 to (re)confirm that you already have a credit monitoring service. If you don’t, you don’t get the money. And you have to provide the details of that service to Equifax. If you don’t, you don’t get the money.

If you do both those things before the deadline, you should still expect to get another email at some point in future asking you to provide evidence of that credit monitoring service or, you guessed it, you don’t get the money.

“I understand that I may be asked to provide more information by the Settlement Administrator before my claim is complete,” is one of the “options” that you are obliged to agree to.

Yep, you are really going to have to work for that $125. And the truth is that even if you do jump through all the hoops Equifax has put in the way, you are still unlikely to get the $125 promised.

What is going on? Put simply, Equifax and the FTC are embarrassed that their smoke-and-mirrors approach to settling a massive data breach has been exposed as such.

In July, the FTC proudly announced its $575m settlement as a way to bring an end to a slew of lawsuits and promised $125 to those affected. But behind those headline figures was a different reality: the FTC had agreed to just $31m in a fixed-sum punishment; a pot of money that would be split equally among applicants.

The FTC had assumed that only 250,000 of the 147 million people affected would go to the trouble of applying, based on previous take-up rates for such agreements – giving a $125 per person figure.

But thanks to widespread coverage of the super-hack and subsequent punishment, the sheer number of people affected, and the fact that $125 seemed worth people’s while, the FTC was inundated with applications. It won’t say how many, but it was forced to put out an official announcement just one week after the deal asking people not to take the money but to go for the free credit monitoring service instead.

Money, money, imaginary money

Now Equifax has joined the FTC in doing its utmost to push people toward the credit monitoring service over the cash. But rather than simply ask people to do so, Equifax has decided that red tape and easily missed emails are the best way to reduce the number of active applicants.

The hope, presumably, is that through bureaucracy Equifax can get the number of claimants down to, say, one million – at which point it and the FTC can pay out $31 a head and claim that all is well. Incidentally, if everyone eligible applies for the cash, they will receive just 21 cents apiece.

How did the FTC arrive at a $575m figure when Equifax only promised to pay out $31m? Two ways: first, it decided to count the paper value of a 10-year credit monitoring service as part of the deal.

The deal is four years of monitoring through Experian (one of the three main credit agencies) and then a further six through Equifax. But there are two big problems with that: first, Equifax will only be paying a fraction of that claimed cost of a monitoring service – if, indeed, it has to pay anything at all; and second, huge numbers of people already have credit monitoring services given to them for free in previous data breaches.

Credit monitoring is a bit like car sales: no one ever pays full price. And in many cases financial organizations provide credit monitoring to their customers for free, or at very low cost, because of a deal struck with the credit agencies. As such the bulk of that $575m FTC settlement doesn’t exist in any real sense.

The rest of the money is made up of citizens being allowed to claim “up to $20,000” in reimbursement for the costs of fixing or protecting their credit. There are going to be very few people who actively spent thousands of dollars protecting their financial welfare in response to the breach and even fewer of them will have documented it and sent it in an additional request for reimbursement to Equifax. Everyone knows this, but the FTC pretended otherwise and inflated the value of its settlement in response.

Some good out of it?

The whole sorry affair has highlighted several useful things however. For one, the FTC is clearly not equipped to deal with the realities of the internet era where hundreds of millions of people are affected at once.


The situation has also created greater public awareness of just how toothless the FTC is. For years, the watchdog has relied on large headline fines and settlements to maintain the illusion that it is a hard-hitting regulator when the truth is companies persistently ride roughshod over the federal regulator, which is itself tightly constrained by weak consumer protection laws.

The FTC’s weak powers, and its willingness to pretend otherwise in public, are going to be of significant interest now that it is expected to carry out a much-anticipated investigation into tech giants’ market abuse.

That fact is likely behind the news that 50 states announced on Monday that they would carry out their own antitrust investigation of Google. The federal government just can’t be relied upon to resist corporate America’s worst excesses and so states have stepped in.

Ideally, the Equifax saga will also put a spotlight on the enormous power that credit agencies have over American citizens. But don’t hold your breath. Take the free credit monitoring America – you know you want to. Here, it’s free! Just don’t ask for cash. Or accountability. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/09/equifax_breach_fine/

Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

On Friday, Mozilla said it plans to implement the DNS-over-HTTPS (DoH) protocol by default in its Firefox browser, with a slow rollout starting in late September.

Under development since 2017, DoH carries domain name system queries – which match domain names to server IP addresses – inside an encrypted HTTPS connection rather than sending them in cleartext over port 53. This stops third parties like network service providers from reading the lookups that reveal which websites users visit (they can still see the IP addresses being connected to). Though DoH provides more privacy than the status quo, it’s controversial where lack of privacy is assumed or required, such as monitored environments that insist on content filtering, among other reasons.

Back in July, the UK Internet Services Providers’ Association nominated Mozilla for its “internet villain of the year” award because DoH breaks DNS-based content filters put in place to deny access to explicit, obscene or otherwise objectionable websites. A few days later, the trade group reversed itself after online blowback.

The UK ISPA didn’t immediately respond to a request for comment. The UK’s Digital Economy Act 2017 has an explicit content filtering requirement for websites but that’s been delayed until later this year. It’s been claimed that DoH will make it easier for people to avoid network-based content filtering; Mozilla maintains that DoH improves overall internet security.

Selena Deckelmann, senior director of engineering for Mozilla, said in a blog post that more than 70,000 Firefox users have already enabled DoH in Firefox and that the browser maker is getting ready to release DoH for general usage.

Firefox’s DoH service will be provided through Cloudflare’s 1.1.1.1 DNS service, although the list of supported service providers may grow over time. The system will deny third parties access to DNS queries, but in so doing it will give that data to Cloudflare, a decision some people dislike because it amplifies the power of large service providers.


Cloudflare, for its part, has made a privacy commitment (separate from its regular privacy policy) to only use Firefox DNS resolution data “solely to improve the performance of Cloudflare Resolver for Firefox and to assist us in debugging efforts if an issue arises.”

DoH won’t be everywhere immediately however. The secure query system will be made the default for “a small percentage of users” in the US later this month and will become more widespread over time if all goes well. And when it’s activated, Firefox users (if they haven’t already set the preference manually) will be notified of the change and asked if they want to opt out.

For users who accept DoH as the default, network service providers and network admins will be allowed to signal that certain capabilities like content filtering would be adversely affected by DoH.

When Firefox receives such signals, it will disable DoH for the rest of the network session, unless the user has manually set the “DoH always” preference.

According to Deckelmann, Mozilla’s plan is to respect the choices of users who have opted in to parental controls and of enterprise administrators, and to fall back to operating system DNS defaults when unusual network configurations cause lookup failures.

Mozilla, she said, intends to work with organizations that offer network-based parental controls to add a “canary domain” to their blocklists. “If Firefox determines that our canary domain is blocked, this will indicate that opt-in parental controls are in effect on the network, and Firefox will disable DoH automatically,” said Deckelmann. ®
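An added example that serves two passages on this page: the description of DoH in the earlier Mozilla piece (DNS queries in wire format carried inside HTTPS on port 443) and the canary-domain check described just above. It is not Mozilla’s or Cloudflare’s code. It builds a wire-format DNS query, encodes it into the RFC 8484 GET URL form, parses a constructed wire-format response, and applies the canary rule: if the network’s ordinary resolver answers NXDOMAIN or returns no addresses for the canary domain, DoH is left off. The resolver URL is a placeholder; use-application-dns.net is Mozilla’s published canary domain (a fact not stated in the article); every response below is constructed, not captured.

```python
import base64
import struct
from typing import List, Tuple

DOH_RESOLVER = "https://doh.example.invalid/dns-query"   # hypothetical endpoint, not a real resolver
CANARY_DOMAIN = "use-application-dns.net"                 # Mozilla's published canary domain


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, terminated by a zero length."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035), the same bytes that would go to UDP/53 in the clear.
    Transaction ID 0 follows RFC 8484's advice so HTTP caches can serve repeated DoH GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)          # flags: RD only
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(query: bytes, resolver: str = DOH_RESOLVER) -> str:
    """RFC 8484 GET form: the raw query, base64url-encoded without padding, in ?dns=.
    The request travels inside TLS on port 443, indistinguishable on the wire from other HTTPS."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"


def decode_doh_param(url: str) -> bytes:
    """Inverse of doh_get_url: what the resolver does with the ?dns= parameter."""
    token = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> Tuple[int, List[str]]:
    """Return (RCODE, IPv4 addresses from A records) for a wire-format response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                                  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def build_response(name: str, addrs: List[str], rcode: int = 0) -> bytes:
    """Constructed wire-format answer used as offline sample input (not captured traffic)."""
    msg = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(addrs), 0, 0)   # QR, RD, RA set
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)           # pointer to question name
        msg += bytes(int(octet) for octet in a.split("."))
    return msg


def canary_blocks_doh(plain_dns_response: bytes) -> bool:
    """The opt-out signal described above: ask the network's ordinary resolver for the canary
    domain over plain DNS. NXDOMAIN (RCODE 3) or an answer with no addresses is treated as
    "filtering in effect", so DoH stays off for this network session."""
    rcode, addrs = parse_response(plain_dns_response)
    return rcode == 3 or not addrs
```

Firefox exposes the same choice through the about:config prefs network.trr.mode (2: DoH first, falling back to native DNS; 3: DoH only) and network.trr.uri for the resolver endpoint.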

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/09/mozilla_firefox_dns/

More Than 99% of Cyberattacks Need Victims’ Help

Research highlights how most criminals exploit human curiosity and trust to click, download, install, open, and send money or information.

Most cybercriminals target people, not infrastructure: More than 99% of emails distributing malware from 2018 into 2019 required human interaction to click links, open documents, accept security warnings, or complete other tasks to effectively compromise an organization. Instead of targeting systems, criminals focus on people, their roles, and data they can access.

The data comes from Proofpoint, where for 18 months researchers observed attack trends to compile the “Human Factor 2019” report. What they found was an increasing sophistication and prevalence of social engineering across businesses as attackers shift from smash-and-grab ransomware campaigns to well-crafted business email compromise schemes and domain fraud.

“The vast majority of threats we see rely on some sort of human interaction,” says Chris Dawson, threat intelligence lead at Proofpoint. “We are still seeing, and occasionally will see, a spike in the use of a hardware or software vulnerability, but it still ends up being embedded in a malicious document.” Even with the use of an exploit and macros, human interaction is essential to follow links, open documents, accept security warnings, or complete other actions.

Generic email harvesting made up nearly 25% of all phishing schemes in 2018, Proofpoint reports. Credential collection remains a strong focus this year, with techniques pivoting to Microsoft Office 365 phishing schemes and impostor attacks. Cloud storage, DocuSign, and Microsoft cloud service phishing are this year’s hottest phishing lures, replacing last year’s trend of “Brain Food,” a botnet used to distribute diet-related spam to capture victims’ credit cards.

Attackers know companies are moving to the cloud, Dawson says, and if employees see something that looks familiar, they’ll click it, even if the sender is unfamiliar. People are used to seeing Office 365 and Dropbox links; the instinct to click precedes the instinct to think twice.

Impostor emails are shifting away from “Request” subject lines and are increasingly showing “Payment” or “Urgent” messages. Subject lines vary seasonally — W-2-related attacks were popular in late 2018 and early 2019 — and by industry. Education, for example, receives a disproportionate number of “Request” and “Greeting” emails, while attacks on engineering firms typically use “Urgent” and “Request” in the subject line. In keeping with business processes, most impostor emails are sent on Monday and trail off throughout the workweek.

What’s Inside
Unlike broad campaigns that delivered ransomware in droves, today’s attackers leverage more-thoughtful attacks on a smaller scale. Their preference is for malware that can sit on a victim’s computer and remain there for a number of days or months without triggering any red flags. Many have taken to distributing sophisticated backdoors to collect data, Dawson explains.

“All of these things are designed to sit on a victim’s machine, collect data long term, and maybe do something later on,” he says. The industry is seeing a pattern of ransomware attacks in which it appears the organization had been compromised long before the infection began.

The Carbanak group, for example, uses lures and well-crafted file attachments to distribute multiple strains of malware, researchers report. One 2018 campaign included an email, with a file attached, that claimed to be protected with security technology. Instructions to “decrypt” the file enabled macros and installed the Griffon backdoor, which is often used in Carbanak campaigns.

Whose Inboxes Are at Risk?
Today’s campaigns are increasingly targeted; however, attackers are demonstrating variety in the types of people they target and how they craft their campaigns.

“The most attacked are people who are much more readily available,” says Dawson. This group often does not include C-level executives, who generally keep their online identities hidden. It does include salespeople, marketing teams, and human resources professionals, many of whom have publicly available emails. Of the “very attacked people,” or VAPs, identified, 36% of associated identities could be found online via corporate websites, social media, or other sites. In contrast, only 7% of executive email addresses could be found online, researchers report.

Crimes of opportunity, or emails to alias addresses like HR[@]company[.]com, are common. “It’s really quite difficult to secure a shared account,” Dawson says of alias email accounts.

Attackers are finding success in using more than five spoofed identities to target more than five individuals in each organization. “We see this pendulum swinging,” he adds of the switch from one-to-one attacks, to one-to-many attacks, to many-to-many attacks. Attackers may spoof the identities of several executives or senior managers while sending a malicious file to employees, or they could leverage a group of spoofed identities to ask the HR department for W-2 data.

Says Dawson: “They’re finding enough success with this technique that they are dramatically increasing the number of identities they use and the number of people they attack.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/more-than-99--of-cyberattacks-need-victims-help/d/d-id/1335769?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What a bunch of DoSers: Wikipedia says it was walloped by ‘bad faith’ actors over weekend

Wikimedia has fingered a massive distributed-denial-of-service attack for outages at Wikipedia across Europe over the weekend.

The encyclopedia’s publisher said the attack hit its sites in several countries, making them intermittently inaccessible. At the time of writing, the UK and main European language versions were working.

A statement from the organisation said it, along with other popular sites, suffered occasional attacks from “bad faith actors”.

The statement said: “We operate in an increasingly sophisticated and complex environment where threats are continuously evolving. Because of this, the Wikimedia communities and Wikimedia Foundation have created dedicated systems and staff to regularly monitor and address risks. If a problem occurs, we learn, we improve, and we prepare to be better for next time.

“We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information.”

Responsibility for the attack has been claimed by a person using the Twitter account @UKDrillas – which has now been suspended. Other amateur Twitter detectives had also been blaming whoever had been using that account (needless to say, that might not necessarily be its owner) for attacks on gaming servers including World of Warcraft over the weekend.

Whatever their identity, the real DDoSer might be looking at jail time. Just over a month ago in the US, Austin Thomson, AKA Derp Trolling, got two years in prison for DDoSing gaming servers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/09/wiki_ddos_attack/