STE WILLIAMS

‘It Saved Our Community’: 16 Realistic Ransomware Defenses for Cities

Practical steps municipal governments can take to better prevent and respond to ransomware infections.

There’s only one road in and out of Valdez, Alaska. The nearest city is Anchorage, a 300-mile drive away, and not a direct one. So the 3,976 citizens of Valdez — that’s “Val-deez” with a long “e” — are used to handling emergencies on their own. According to police chief Bart Hinkle, the city was just about founded on disaster, famously hit by the Good Friday earthquake of ’64 and the Exxon Valdez oil spill. But Valdez had never experienced a disaster quite like this one. 

July 26, 2018, while the town’s new IT director Matt Osburn was out of town and his second-in-command was running a routine update, the Hermes 2.1 ransomware took hold of Valdez in the dead of night.

All records (including police), city administration, finance, planning and zoning, the port and harbor authorities, and “basically the entire city network” were locked down, Hinkle says.

And even though this small town was more prepared than most of the hundreds of others that have been felled by ransomware recently, and even though municipal leaders ultimately decided to pay the ransomware operators, there was no quick fix. The recovery process rolled into weeks, then months.

“Government is a different animal certainly than private industry,” says Reg Harnish, executive vice president of security services for the Center for Internet Security. “Because they’re spending taxpayer dollars, [municipal governments] have a lot of bosses.”

Not only is funding generally short, cybersecurity has stiff competition for those funds with other essential services.

“You have to have conversations like, ‘We can have cybersecurity or we can fix a bridge,’” Harnish says. How does a municipality weigh the value of a firewall against the value of an addition to K-12 education, he asks. “Politics plays a role … introduces a lot of different pressure,” Harnish says.

Ransomware can impact the availability of any one of these essential services, from court systems to payroll to water.

Omri Admon, cybersecurity expert from SOSA (the firm selected to create the Global Cyber Center in New York City), points out how ransomware can add insult to injury for cities that are already strapped for cash.

“It’s an additional loss of funding if they can’t process property taxes” and other sources of income, he says. “It’s another layer of complexity that puts them in a chokehold.”

So here’s some realistic advice on how to avoid ransomware infections and what to do when one happens, courtesy of Valdez leadership and others who have witnessed municipal government ransomware infections up close. {Continued on Next Page}


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/edge/theedge/it-saved-our-community-16-realistic-ransomware-defenses-for-cities/b/d-id/1335685?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Credential-Theft Attack Weaponizes DNS

The recently discovered campaign sends stolen data out of the network as part of a DNS query.

A new credential-theft attack campaign is using DNS to exfiltrate data. The campaign, which uses an illicit SSH client to gather the credentials, sends the purloined data to a pair of command-and-control (C2) servers.

Researchers at Alert Logic have found activity from this campaign dating back to August 9. In the attack, the malicious SSH client captures login credentials and sends the data to the C2 server as part of a DNS query, not likely to be automatically stopped by standard network protection systems.

According to the blog post announcing the discovery, the campaign’s file hashes are not yet recognized by standard endpoint protection packages. The researchers recommend blocking all traffic to 164[.]132[.]181[.]85 and 194[.]99[.]23[.]199 to protect against the campaign.
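Blocking two addresses stops this campaign only until the operators move. Detection that keys on the technique rather than the infrastructure is what a SOC would actually want, so here is an added example, not code from Alert Logic’s write-up, of the kind of check that runs over resolver query logs. The log format (timestamp, client IP, query name, query type), the domain c2.example-bad.net and the hex-encoded payloads are all constructed for this illustration, and the heuristics (hex-only labels, over-long labels, high-entropy labels, and many distinct subdomains from one client under one base domain) are general DNS-tunnelling indicators, not signatures of this campaign:

```python
import binascii
import math
import re
from collections import defaultdict

# Constructed sample query log (format assumed: "<timestamp> <client-ip> <qname> <qtype>").
# The C2 domain and the hex-encoded "credentials" in the labels are made up for this example.
SAMPLE_LOG = """\
2019-08-09T10:00:01Z 10.0.0.5 www.example.com A
2019-08-09T10:00:02Z 10.0.0.5 mail.example.com MX
2019-08-09T10:00:03Z 10.0.0.7 726f6f743a5365637265745031323334.c2.example-bad.net A
2019-08-09T10:00:04Z 10.0.0.7 61646d696e3a50617373773072643132.c2.example-bad.net A
2019-08-09T10:00:05Z 10.0.0.7 6465706c6f793a687a54216c43b13132.c2.example-bad.net A
2019-08-09T10:00:06Z 10.0.0.7 6261636b75703a5a4b395f2d7730326f.c2.example-bad.net A
2019-08-09T10:00:07Z 10.0.0.7 6f70733a6b4e7a383a6d516f51773021.c2.example-bad.net A
2019-08-09T10:00:08Z 10.0.0.5 cdn.example.com AAAA
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")
LONG_LABEL = 30        # chars; a single label can carry up to 63, real hostnames rarely pass 30
ENTROPY_LIMIT = 3.5    # bits/char; base64-ish payloads sit above this, ordinary names well below
BEACON_LIMIT = 5       # distinct subdomains per (client, base domain) seen in the log window


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; encoded data looks close to uniform."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def parse_line(line: str):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip(".").lower(), qtype


def base_domain(qname: str) -> str:
    # Assumption: the registrable domain is the last two labels. Good enough for .com/.net;
    # a production version would consult the public suffix list.
    return ".".join(qname.split(".")[-2:])


def label_reasons(qname: str):
    """Per-query indicators, judged on the labels below the base domain."""
    reasons = []
    for label in qname.split(".")[:-2]:
        if len(label) > LONG_LABEL:
            reasons.append(f"long label ({len(label)} chars)")
        if HEX_LABEL.match(label):
            reasons.append("hex-encoded label")
        elif len(label) >= 12 and shannon_entropy(label) > ENTROPY_LIMIT:
            reasons.append(f"high-entropy label ({shannon_entropy(label):.2f} bits/char)")
    return reasons


def decode_hex_labels(qname: str) -> bytes:
    """Recover what a hex-encoded query actually carried, for the incident report."""
    return b"".join(binascii.unhexlify(l) for l in qname.split(".") if HEX_LABEL.match(l))


def detect(log_text: str):
    """Return (flagged, beacons): suspicious query names with reasons, and
    (client, base domain) pairs that issued BEACON_LIMIT or more distinct subdomains."""
    flagged = {}
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = parse_line(line)
        reasons = label_reasons(qname)
        if reasons:
            flagged[qname] = reasons
        seen[(client, base_domain(qname))].add(qname)
    beacons = {key: len(names) for key, names in seen.items() if len(names) >= BEACON_LIMIT}
    return flagged, beacons


if __name__ == "__main__":
    flagged, beacons = detect(SAMPLE_LOG)
    for qname, reasons in flagged.items():
        print(qname, reasons, decode_hex_labels(qname))
    print("beaconing:", beacons)
```

Expect noise from CDNs and anti-spam services, which legitimately use long hex-looking labels; the per-client, per-base-domain count is the indicator that separates a tunnel from a busy CDN, and the thresholds above are starting points to tune against your own baseline.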

For more, read here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/new-credential-theft-attack-weaponizes-dns/d/d-id/1335702?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

@jack Got Hacked — Twitter CEO’s Tweets Hijacked

Twitter CEO Jack Dorsey’s Twitter account was, apparently, hijacked for roughly 20 minutes and used for a racist rant.

The Twitter account of Twitter CEO Jack Dorsey, well known by his handle @jack, was apparently hijacked today.

Over the course of roughly 20 minutes, the account was used to tweet and retweet dozens of racist and incendiary posts, many tagged with the name #ChucklingSquad, a group that’s been credited with several account takeover attacks recently. 

One suspected method of the account takeover is a SIM swap, which lets an attacker intercept any two-factor authentication that uses SMS as the second factor. In a SIM swap, the attacker gets the mobile carrier (typically by social-engineering its support staff) to move the victim’s phone number onto a SIM card the attacker controls, so calls and text messages, including one-time login codes, arrive on the attacker’s handset instead of the victim’s.

For more, see here.


Article source: https://www.darkreading.com/attacks-breaches/-jack-got-hacked----twitter-ceos-tweets-hijacked/d/d-id/1335703?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook: ‘Technical error’ let strangers into Messenger Kids chats

We are “disturbed” to learn that thousands of children using Facebook’s Messenger Kids chat app were able to join group chats with strangers, senators told Facebook earlier this month.

Oops, Facebook said.

In a reply letter this week, dated Tuesday, 27 August, and addressed to Senators Edward J. Markey and Richard Blumenthal, Facebook Vice President Kevin Martin called the foul-up a “technical error”, Reuters reports.

From the letter:

Based on our review, we have determined that the technical error you have inquired above arose in October 2018. The fix we implemented is designed to prevent the issue from happening again.

In other words, the “technical error” has been affecting kids’ privacy for about 10 months. Facebook first introduced Messenger Kids in December 2017. According to The Next Web, Facebook has said that it discovered the flaw two months ago, on 12 June 2019, and that it fixed it the next day. Facebook didn’t tell parents until a month later, on 15 July, but not before identifying the affected chat threads and disabling them, TNW reports.

This all came to light last month when Facebook was forced to apologize to parents after finding that a hole in the supposed closed-loop messaging system allowed children to join group chats with people their parents hadn’t approved.

It’s going on two years ago now that Facebook decided it would be a swell idea to bring Messenger to kids aged as young as six.

And kept it going, in spite of children’s health advocates quickly begging it to torch Messenger Kids for plenty of reasons, including the increased incidence of depression, suicidal tendencies and sleep deprivation seen in kids who are online a lot.

Hey, we’re parents, too, Facebook had initially said. We’ll take good care of your tots.

Designed to be compliant with the Children’s Online Privacy Protection Act (COPPA), Messenger Kids would obediently, law-abidingly protect children’s privacy while they’re online, Facebook said, obeying COPPA guidelines that prohibit developers of child-focused apps, or any third parties working with such app developers, from obtaining the personal information of children aged 12 and younger without first obtaining verifiable parental consent.

Not only would it have no advertising, it would be a godsend for parents, Facebook said: A messaging app that lets children “connect with people they love” but which also “has the level of control parents want”!

So much goodness! What could possibly go wrong?

The senators’ questions

Messenger Kids is an Android and iOS app designed for users as young as six years old. The service, which doesn’t allow ads, must be installed by parents, who must approve the child’s contacts. It’s impossible to search for individual children on the service. Individuals can video chat and message with children using the regular Messenger app, but only if the child’s parent approves them…

…well, that’s how it’s supposed to work, at any rate.

In their letter, Senators Blumenthal and Markey had questioned whether there was a “worrying pattern” of poor privacy protection for children using Messenger Kids. Looking for transparency, they posed these questions:

  • When did Facebook first become aware of the Messenger Kids design flaw that allowed children to engage in chats with unapproved users?
  • How long has this design flaw existed within the Messenger Kids app?
  • Are parents able to review the unapproved group chats their children were a part of or otherwise learn what information was shared in these interactions? If not, why not?
  • Has Facebook initiated a review of the Messenger Kids app to identify other flaws that present similar children’s privacy concerns? If not, will Facebook commit to doing so?
  • Does Facebook consider itself released from liability from any COPPA violations related to this design flaw because of its 24 July 2019 settlement with the Federal Trade Commission (FTC)?

Right, about that settlement… Facebook said in the letter to the senators that it’s regularly chatting with the FTC, which gave it a $5 billion wrist slap in July for losing control of users’ data.

We are in regular contact with the FTC on many issues and products, including Messenger Kids.

On Wednesday, the senators said they weren’t very impressed by Facebook’s reply:

We are particularly disappointed that Facebook did not commit to undertaking a comprehensive review of Messenger Kids to identify additional bugs or privacy issues.

How to keep your children safe on their phones

If you’re concerned about what your kids can get at on their smartphones, then good – you should be. It’s scary out there. In this video, Matt Boddy explains how you can restrict what they can access.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/A2XiqyuYDg4/

Botnet targets set-top boxes using Android OS

Not for the first time, cybercriminals are targeting an important part of Android’s core software called the Android Debug Bridge (ADB).

Normally the only people who pay any attention to the ADB are developers and device makers who use it as a terminal for debugging purposes.

It’s supposed to be deactivated after the debugging is done. Unfortunately, it seems that ADB is being left active on some set-top boxes (STBs) and TVs built around a stripped-down version of Android that the advisory calls Android OS (as distinct from the flavour of Android that runs smartphones, the Wear OS used by Android watches, and the unrelated Chrome OS used by Chromebooks).

According to cybersecurity company WootCloud, a new botnet called Ares has noticed the misconfiguration and is trying to exploit it to infect Android OS set-top boxes with bot malware while scanning for other vulnerable boxes to target for infection.

It’s not hard to understand why an active ADB might invite unwanted attention. When ADB is enabled over the network it listens on TCP port 5555, and anyone who can reach that port and complete the handshake gets a remote command shell on the device, from which they can install software, pull files and change settings.

While it appears that some exposed ADB interfaces are protected with passwords, Ares comes equipped with a password-cracking component to beat these.

IoT backdoor

Another way of understanding exposed ADB is to see it as the latest instalment of the growing security headache of the Internet of Things.

As long as these devices turn on and off when required, everything looks good and nobody need pay much attention to what might be going on behind the scenes.

The immediate issue is how Android OS device owners can tell whether their boxes are affected and what they can do about it if they are.

What to do

WootCloud’s advisory only names models from three set-top box makers – HiSilicon, Cubetek, and QezyMedia – but warns that other makers might also be affected. And it’s not only set-top boxes that are at risk:

Looking at threat and inherent capabilities, it seems that the attackers will be targeting more android-based devices such as phones.

The obvious defence is to manually disable the ADB interface but that’s not always possible – and when it is, it’s not always easy.

You could try blocking port 5555 using your internet router’s firewall, if you have one and know how to configure it. However, ADB isn’t the only software that uses port 5555 so be aware this might stop other services from working too.

The most sensible course of action for most users will be to wait for vendor updates.
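One way to answer the question above (is ADB on my box reachable from the network, and does it at least demand authentication?), as an added example that is not WootCloud’s code or the article’s: it speaks the first step of the ADB wire protocol itself, so it needs no adb binary and works from any machine on the same LAN. The constants are the public ADB transport values (24-byte header of command, arg0, arg1, length, checksum and magic; CNXN handshake; AUTH with a token when a key is required). The two sample replies are constructed so the classifier can be exercised offline; probe() does the live check against a host you own.

```python
import socket
import struct

# ADB transport constants (public values from the AOSP protocol description).
A_CNXN = 0x4E584E43            # "CNXN": connection handshake
A_AUTH = 0x48545541            # "AUTH": device wants RSA key authentication first
ADB_AUTH_TOKEN = 1             # arg0 of the AUTH message a device sends to start auth
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_checksum, magic


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialise one ADB message: little-endian 24-byte header followed by the payload.
    magic is the bitwise complement of command; checksum is the byte sum of the payload."""
    checksum = sum(data) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(data), checksum, magic) + data


def build_cnxn(banner: bytes = b"host::\x00") -> bytes:
    """The CNXN a client sends first; `adb connect` sends the same thing."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, banner)


def parse_message(raw: bytes):
    """Validate magic and checksum, return (command, arg0, arg1, payload)."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, checksum, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("magic mismatch: not an ADB message")
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if sum(payload) & 0xFFFFFFFF != checksum:
        raise ValueError("payload checksum mismatch")
    return command, arg0, arg1, payload


def classify(reply: bytes):
    """OPEN: the device answered our CNXN with its own CNXN, no key check, anyone on the
    network gets a shell. AUTH_REQUIRED: it sent AUTH(token) and wants an RSA signature."""
    command, arg0, _arg1, payload = parse_message(reply)
    if command == A_CNXN:
        return "OPEN", payload.rstrip(b"\x00").decode(errors="replace")
    if command == A_AUTH and arg0 == ADB_AUTH_TOKEN:
        return "AUTH_REQUIRED", ""
    return "UNKNOWN", ""


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(host: str, port: int = 5555, timeout: float = 3.0):
    """Live check of one device on your own network (network I/O; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_cnxn())
        head = _recv_exact(s, HEADER.size)
        length = HEADER.unpack_from(head)[3]
        return classify(head + _recv_exact(s, length))


# Constructed replies, so the classifier can be checked without a set-top box on the LAN.
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=stb;ro.product.model=SetTopBox;ro.product.device=stb;\x00")
SAMPLE_AUTH_REPLY = build_message(A_AUTH, ADB_AUTH_TOKEN, 0, b"\x00" * 20)  # 20-byte token

if __name__ == "__main__":
    import sys
    print("sample open reply:", classify(SAMPLE_OPEN_REPLY))
    print("sample auth reply:", classify(SAMPLE_AUTH_REPLY))
    for host in sys.argv[1:]:
        print(host, probe(host))
```

A result of OPEN means the box will hand a shell to anything that can reach port 5555, which is the condition Ares scans for; AUTH_REQUIRED is better but still an exposed service, and a refused connection is what you want. Run it only against devices you own.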

While they may be concerning, ADB-targeting botnets certainly aren’t new – almost a year ago, researchers spotted two, Fbot and Trinity, attempting to exploit the same weakness.

Earlier that summer, researchers spotted thousands of vulnerable devices and a big chunk of traffic hitting port 5555.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YVYbkKJr18k/

Sophisticated iPhone hacking went unnoticed for over two years

Imagine that an iPhone could be turned into a surveillance tool capable of sending hackers a record of its owner’s entire digital life, including their location in real time, all their emails, chats, contacts, photos and saved passwords.

A showstopper of a compromise, and yet according to Google Project Zero researcher Ian Beer this is exactly what’s been happening to thousands of iPhone users, for more than two years.

It’s a revelation that had some commentators cracking open the hyperbole emergency glass, so let’s cover the important facts of the story before jumping to any alarming conclusions.

The story starts with a discovery by Google’s Threat Analysis Group (TAG):

… [we] discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.

The first hint that something was up came on 7 February 2019, when Apple released an urgent out-of-band update that took iOS to version 12.1.4.

At the time, the main flaw patched by this appeared to be the FaceTime app call snooping bug (CVE-2019-6223). However, further down the same advisory two other flaws (CVE-2019-7287 and CVE-2019-7286) that attackers could use to gain elevated and/or kernel privileges were briefly described.

Kernel panic

In a blog post this week, Beer offered the more alarming backstory to the discovery and its potential threat.

Several months of analysis later and it seems these flaws were part of a haul of fourteen vulnerabilities abused by the group behind the attacks discovered by Google.

Affecting iOS 10.x, 11.x, and 12.x, seven related to the Safari browser, five the iOS kernel, plus two sandbox escapes. Most of these had been patched over time but the two reported to Apple above were zero days, hence the company’s rush to get 12.1.4 out only days after Google told them about the issue.

Google isolated five unique exploit chains, each combining several of the flaws to get from a Safari bug to kernel-level control of the device, one of which dated back to late 2016.

The exploit chains were used against visitors to a small group of websites hacked as part of a ‘watering hole’ campaign (where sites frequented by target individuals are hacked to serve exploits).

Writes Beer:

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

Although this group of campaigns has been disrupted, Beer thinks there are “almost certainly others that are yet to be seen.”

What this means

Victims’ iPhones would have had malware installed in the form of a powerful monitoring implant capable of stealing chat messages (including WhatsApp, Telegram and iMessage), photos, tracking users’ locations in real time, and even accessing the Keychain password store.

If you set out to design a compromise of a mobile device, it’d be hard to imagine a more complete one than this, excepting that this campaign was eventually detected.

Two caveats offer some encouragement. First, to take control of an iPhone the attackers still had to get the victim to visit one of the specific compromised websites. Second, the implant installed via the exploit chains did not survive a reboot, so the attackers would have had to infect the phone all over again.

Beer’s write-up hints that the attack may be the work of a nation state group trying to gather intel on specific groups of people for political reasons. We can’t verify if that’s true but if it is, it wouldn’t be the first.

Even if the average iPhone user wasn’t the target of the campaigns described by Google, that’s little comfort. We don’t know what other campaigns the group behind them may have been running or who else knew about these exploits.

However, one major strength of Apple’s platform is that the process of deploying updates is very smooth – a big difference from Android where updates aren’t available for some handsets and can take months to become available for others.

iOS has been secure against the exploit chains used in these attacks since version 12.1.4. To check what version you’re using, go to Settings > General > Software Update, which shows the version of iOS you’re running and whether a newer one is available.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JJ6DBKwnpaM/

When you think how infamous NHS-pwning malware’s still hitting the unwary, it’ll make you WannaCry – Kaspersky

Kaspersky Lab reckons the number one reason its customers call it for emergency help is ransomware, with WannaCry still playing a large part in the detections picked up by the Russian company.

In its Incident Response Analytics report for 2018, published this week, Kaspersky said it had seen the infamous malware strain, which KO’d Britain’s National Health Service in May 2017, appearing in 40 per cent of its malware-related callouts from affected corporate customers.

GandCrab, the other name-grabbing ransomware of note at the moment, accounted for just 5 per cent of callouts, with Cryakl taking the number two spot at 7 per cent of observed infections.

“In two out of three cases, investigation of incidents related to the detection of suspicious files or network activity revealed an actual attack on the customer’s infrastructure,” said Kaspersky.

Kaspersky split its corporate customers into three groups: financial institutions, governments and industrial companies. Banks and the like were much more likely to be targeted by advanced persistent threat (APT) actors, meaning well-resourced and highly organised hacking crews likely to be backed by a hostile state, with governments also – unsurprisingly – being targets of similar operations.

In contrast, businesses were most likely to be victims of so-called banker trojans, malware planted to intercept online banking information. As well as intercepting and recording keystrokes, passwords, clipboard pastes and the like, banker trojans can also employ anti-detection techniques.

Interestingly, Kaspersky reckons industrial companies are less likely than banks and governments to be struck with ransomware. While this may be cause for celebration among industry’s security defenders, the Russian antivirus firm also said that a full third of compromises were caused by – you guessed it – “lack of security awareness among employees”.

“Having a plan to defend and quickly respond to such attacks is no longer an option; it’s a must, regardless of business type,” concluded Kaspersky. “Along with a powerful auditing policy and a log retention period of at least six months to one year, developing guided procedures for proper handling of digital evidence will definitely help in faster and more complete analysis of incidents by experts. This results in quicker containment and reduces possible loss of assets, data or reputation.”

The full report can be read on Kaspersky’s Securelist website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/30/kaspersky_warns_wannacry_hasnt_gone_away/

For Foxit’s sake: PDF editor biz breached, users’ passwords among stolen data

Users of software house Foxit’s free and paid-for products, including its popular PhantomPDF editor, may have fallen victim to a data breach – with stolen data including users’ website passwords.

Foxit admitted to the breach earlier today, stating that “third parties” had gained access to its My Account user data.

That data comprised “email addresses, passwords, users’ names, phone numbers, company names and IP addresses” but not payment card information. The Register has asked Foxit’s people whether the passwords were hashed and salted and will update this article when they respond.

The firm has “launched a digital forensics investigation” and forced password resets on all of the affected users. A US company registered in the state of California, Foxit said it had informed local law enforcement and data protection authorities.

Foxit is also enforcing password resets on its users with a hard 20-character length limit, saying this would make new passwords “strong enough”.

Foxit is best known for its PhantomPDF product, which lets users create and, vitally, edit PDF files without needing to buy Adobe’s painfully expensive Acrobat suite. PhantomPDF’s consumer and enterprise versions are free for the first 30 days provided you register an account with Foxit – and hand over all the details that person or persons unknown illegally accessed.

The standard advice after a password breach, aside from resetting the password, is to keep an eye on your bank statements and credit score in case any unauthorised transactions or other sudden changes show up, such things being a key indicator of potential identity theft.

Most important is that any passwords you may have reused on Foxit’s website are immediately reset too. Credential stuffing is an ever-popular account compromise method among cybercrooks and if Foxit’s password cache was indeed neither salted nor hashed, this could be severely problematic for its customers. ®
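As an added illustration of the storage question The Register put to Foxit, and not code from Foxit or the article: the difference between a leaked password table that hands attackers reusable credentials and one that does not. The “before” is an unsalted fast hash, where identical passwords produce identical digests and one precomputed table cracks every user; the “after” uses Python’s standard hashlib.scrypt with a random per-user salt and a cost that makes each guess expensive. The cost parameters and the stored-record format are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters assumed for this example: 2**14 iterations, block size 8,
# parallelism 1 (about 16 MiB of memory per hash). Raise N as hardware allows.
N, R, P = 2 ** 14, 8, 1
SALT_BYTES = 16
DK_LEN = 32


def unsalted_sha256(password: str) -> str:
    """What a leaked table must NOT look like: two users with the same password get the
    same digest, and a single rainbow table or GPU run cracks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stored record: scrypt$N$r$p$<salt hex>$<derived key hex>. The parameters travel
    with the record so they can be raised later without re-hashing everyone at once."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DK_LEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, dk_hex = stored.split("$")
        if algo != "scrypt":
            return False
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed rather than raise to the caller
    return hmac.compare_digest(dk.hex(), dk_hex)


def leaked_table_reveals_reuse(records) -> bool:
    """True if any two records in a dumped table are identical, i.e. the table lets an
    attacker see which users share a password without cracking anything."""
    return len(set(records)) != len(records)


if __name__ == "__main__":
    # Constructed users; "hunter2" is deliberately reused by two of them.
    plain = ["hunter2", "hunter2", "correct horse battery staple"]
    print("unsalted reveals reuse:", leaked_table_reveals_reuse([unsalted_sha256(p) for p in plain]))
    print("salted reveals reuse:  ", leaked_table_reveals_reuse([hash_password(p) for p in plain]))
```

Hashing does not stop credential stuffing on its own: a determined attacker can still guess common passwords per user, only slowly, which is exactly why the reset-everywhere advice above stands even when the store was handled well.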

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/30/foxit_data_breach_passwords_stolen/

7 Breaches & Hacks That Throw Shade on Biometric Security

Stolen fingerprints, fake hands, voice synthesis, and other nefarious techniques show biometrics has plenty of challenges.

Image Source: Adobe Stock (Sergey Nivens)


With the rise of credential stuffing and account takeovers keeping security professionals up at night, many pundits believe that biometric authentication is their answer.

But as any security veteran will tell you, there’s never a simple solution. While biometrics do offer a stronger form of authentication than usernames and passwords, they come with their own risks. Several recent breaches and hacks by researchers exemplify the cracks that can show at the seams of any security model that relies too heavily on biometrics.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/7-breaches-and-hacks-that-throw-shade-on-biometric-security/d/d-id/1335654?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

To Navigate a Sea of Cybersecurity Solutions, Learn How to Fish

Three steps for relieving the pressure of picking the right tools.

In their classic rock song, Queen and David Bowie defined the feeling of being “Under Pressure” as “the terror of knowing what this world is about.” Chief information security officers (CISOs) can relate: They must confront relentless threats that the hackers of the world create to trigger panic and bring down organizations — but they often struggle to find and deploy the products that will best protect the enterprise. This certainly puts them under pressure.

Much of the challenge stems from the overwhelming volume of products to consider: The global security solutions market is projected to grow to $133.8 billion in 2022, up from $103.1 billion this year, according to a forecast from International Data Corporation. CISOs are also dealing with more security vendors than ever, with 46% of organizations using more than 10 — up from just 28% that used that many in 2016, according to research from Cisco.

As a result, CISOs are constantly wading through an endless sea of solutions and vendors as they try to make the right choices. If they fail, they may be blamed for deployments that either introduced productivity-sapping friction (such as the unintended shutdown of a key app or system); killed legitimate, business-critical files and connections; or could not meet security requirements (such as ability to scale). These outcomes frequently cost CISOs their credibility, if not their jobs.

When I see firsthand what CISOs experience, I am often reminded of the old saying, “Give a man a fish, and you feed him for a day. Teach a man to fish, and you feed him for a lifetime.” In this case, a “fish” is a security product. But learning how to catch that fish translates into evaluating new solutions that empower CISOs to take command of their security posture instead of simply buying a bunch of fish at the market and hoping for the best. This knowledge enables them to both effectively evaluate new ideas within the current no-margin-for-error climate, while reviewing tried-and-true solutions and vendor relationships to gauge whether they still provide enough value to keep in the mix.

In my more than two decades as a practitioner developing system infrastructure and implementing solutions, I’ve found it’s worthwhile to continuously weigh the following three considerations:

Are your longtime vendors still innovating? In deciding between “new” and “tried and true,” you need to assess whether longtime vendor relationships are still producing new advancements that will keep you ahead of cyberattackers. Vendors often get acquired because they’ve lost their original direction/focus. When this happens, it may be time to start looking for the next, hungry vendor. A sound cybersecurity strategy, after all, is as much about your vendor’s state of mind as it is about products.

Are you holding vendors accountable? If you have a dozen businesses trying to get you to buy something, challenge them to validate their product performance claims. Ask vendors to invest their time and people into proving their capabilities and delivering tangible value, instead of sending out tools out of a box and leaving it up to you to get the most out of them. If they sincerely believe in what they’re selling, they’ll agree to this. If not, then you’re better off moving on.

Are you testing products in a real environment? You can’t find out if something will work if you’re only testing it in a petri dish. Authentic environments bring authentic results. Vendors may push you to put a product into operation immediately, pointing to its successful performance in what the vendor considers a production environment. But results achieved in a managed setting don’t always provide a full picture of a solution’s effectiveness. Press your vendors to relate as much real-world production insight as possible, but when you do deploy new technologies, try them out in a phased approach beginning with relatively less mission-critical users more tolerant of disruption. Be transparent and up-front with vendors about users’ experience, and oblige them to resolve discrepancies where feedback differs from expectations before embedding products into strategic and indispensable business functions where reliable performance is vital.

Conclusion
In navigating the large sea of cybersecurity solutions, CISOs may often feel like they’re drowning. That’s understandable, and it underscores why they need to transition from a product-centric model to a strategy-driven one. By picking vendors that continue to innovate while they stand behind their offerings — and proving that they work by testing in real-life environments — they build confidence in the many choices they must make, now and in the future. That’s when they can tackle anything that attackers throw at them. In other words, they take control of the pressure instead of letting the pressure control them.


Ori Eisen has spent the last two decades fighting online crime and holds more than two dozen cybersecurity patents. Prior to founding Trusona, he established online financial institution and e-commerce fraud prevention and detection solution 41st Parameter, acquired by …

Article source: https://www.darkreading.com/vulnerabilities---threats/to-navigate-a-sea-of-cybersecurity-solutions-learn-how-to-fish/a/d-id/1335635?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple