Monthly Archives: February 2016

Half of American Ransomware Victims Have Paid the Ransom

Exactly half of all Americans who have fallen victim to ransomware have fulfilled the attackers’ demands and paid the ransom.

This is just one of the findings of Ransomware. A Victim’s Perspective: A study on US and European Internet Users (PDF), a report conducted by Bitdefender in November of last year.

For its study, the security firm spoke with just over 3,000 web users located in the United States, France, Germany, Denmark, the United Kingdom, and Romania in an attempt to understand how a victim of crypto-ransomware responds to an infection session.

Bitdefender found that more than a fifth (21.21 percent) of all phishing emails laced with crypto-ransomware target the United States, making Americans the most sought-after targets for malware samples like Cryptolocker2 and CryptoWall 4.0.

This might explain why half of U.S. respondents answered that they have paid the ransom, whereas 40 percent said they would meet the attackers’ demands were their files to be encrypted.

Source: Bitdefender

Overall, 50 percent of respondents everywhere said that they would pay for the return of their files. The British were willing to pay the most at $568 per each infection session, the study found.

When they were willing to pay, respondents said they were interested in recovering their personal documents first and foremost, Bitdefender determined, followed by personal photos and job-related documents.

Last year, the FBI stated that paying the ransom was sometimes the easiest way for a victim to regain access to their files.

This sentiment notwithstanding, payment in no way guarantees that the attackers will cooperate and provide victims with a decryption key. (This assumes that the encryption process works properly and that coding errors have not already rendered a victim’s files irretrievable.)

“The ransomware phenomenon has been hitting internet users and generating huge profit for cyber-criminals for years,” Catalin Cosoi, chief security strategist at Bitdefender, told SCMagazine. “While victims are usually inclined to pay the ransom, we encourage them not to engage in such actions as it only serves to financially support the malware’s developers.”

With that in mind, it is important that users regularly back up their data. These backups could help a victim recover from a ransomware attack without requiring them to pay the ransom fee.

For more information on how you can respond to and even prevent a ransomware infection, please click here.

Via: tripwire

Researchers Reveal Easily Exploitable Flaw in Nissan’s LEAF Electric Car

Security researchers have disclosed a vulnerability in Nissan LEAF cars that could potentially allow hackers to access data on recent trips, as well as tamper with the heating and air-conditioning systems.

The flaw appears when the electric vehicle communicates with its companion app – NissanConnect EV – which drivers can use to view and control certain features, such as checking driving range and state of charge, or adjusting the in-car climate.

However, researchers Troy Hunt and Scott Helme recently discovered the mobile app’s communication with the car is entirely unauthenticated.

With just the Nissan’s VIN (Vehicle Identification Number), an attacker could potentially send the same commands and requests via the Internet.

Even more alarming is the fact that this unique code is usually made visible through the car’s windshield.

Although the issue is not life-threatening, Hunt warns that hackers could still exploit the app to cause mischief like running down the car battery, leaving the heater on for hours or simply compromising the user’s privacy.

“Nissan needs to fix this,” wrote Hunt in a blog post.

“It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” said Hunt.

Hunt says he initially notified Nissan of the vulnerability last month. The car manufacturer reportedly acknowledged the flaw and said the company was “making progress towards a solution.”

“As car manufacturers rush towards joining in on the ‘internet of things’ craze, security cannot be an afterthought…” said Hunt.

Via: tripwire

22 Sites Where You Should Enable Two Factor Authentication RIGHT NOW

The reason we have passwords is to make it harder for attackers to get to our stuff. Ideally, strong passwords ensure that we’re the only ones who can access our email inboxes, our social media profiles, our bank accounts, and our Amazon shopping carts.

Unfortunately, passwords by themselves aren’t always strong enough to accomplish that goal. Don’t believe me? Just head on over to Pastebin and spend some time searching for pastes that contain user account + password combos. It won’t take long for you to find them. Trust me.

Better yet, head on over to Google News and do a few searches on password breaches and forced password resets. Amazon, Comcast, Linode, LiveStream, WordPress… even Hello Kitty isn’t safe. HELLO KITTY!

The worst part? Users often find out about these breaches after it’s too late, after the damage has been done. It would really be swell if we had a way to make it even harder for attackers to gain access to our online accounts, wouldn’t it?

Yeah, it would. (Cue the music…)

Ladies and gentlemen, I give you… TWO FACTOR AUTHENTICATION!

The short version: Some of the most popular websites have added another layer of security that makes it a lot harder for attackers to get to your stuff. The cool part is that these same websites have worked really hard to make sure this extra layer of security isn’t a huge hassle for legitimate users.

If you turn on two factor authentication, you’ll be asked to plug in your username, your password, and another factor to prove you really are who you say you are. In many cases, that other factor is a short numeric code texted to your smartphone, or a random number generated by an app like Authy or Google Authenticator.

To make it even more convenient, some of the websites will remember your computer as a trusted device, meaning that you don’t have to plug in that second authentication factor every time you login from your home machine.

I HIGHLY recommend that you turn this on wherever possible. Attackers are getting more and more sophisticated, and people who start using two factor authentication now are less likely to be impacted by an account compromise.

If this sounds like something you want to check out, here are links that will help you enable two factor authentication on a number of sites that you’re probably using today.

DDoS Group Claims Responsibility for Xbox Live Outages

A distributed denial-of-service (DDoS) group has claimed responsibility for a series of global outages to Xbox Live, Microsoft’s online gaming network for the Xbox console.

Recently, members of the group, which calls itself the New World Hackers, sat down with Newsweek to explain the motivation behind its alleged attacks.

“Well, didn’t even take as long as I thought,” a member of New World Hackers said. “We attacked Xbox to protest. Major companies like this have massive servers but no real protection. We want Xbox to update the protection they have, which isn’t much.”

Screenshot of Xbox Live Status page taken by Express.co.uk.

Earlier this week, Xbox users globally reported that they were having difficulty accessing some of the network’s services, including buying downloadable items, downloading already-purchased content, creating Xbox Live accounts, signing into those accounts, and browsing the Xbox Video Store and Xbox Music Store.

This is the second time Xbox Live has experienced an outage this month.

Microsoft has since confirmed the restoration of its network’s core services. As of this writing, all Xbox Live services are running normally.

The Redmond-based tech company has yet to disclose the cause of the outages.

At the beginning of the most recent service interruptions, the New World Hackers tweeted out that it had brought down Xbox Live for half of the United States and all of Europe.

This is not the only time the hacker group has claimed responsibility for an attack against a high-profile target. Back in January, the group allegedly used distributed denial-of-service (DDoS) attacks to bring down the websites of U.S. Republican presidential frontrunner Donald Trump and the BBC.

The group shared a screenshot of the latter offensive, which, if legitimate, reveals that it employed a tool called BangStresser to launch an attack of up to 602 Gbps – a volume of traffic that well surpasses the largest attack on record at 334 Gbps, as documented by Arbor Networks in the middle of last year.

ZDNet has investigated this claim further. While attacks of that magnitude do pop up from time to time and are reported privately, no such attack has been recorded in months.

“We can’t find any evidence of a 600Gbps DDoS attack taking place,” said Darren Anstee, chief security technologist at Arbor Networks, in an email to ZDNet.

The New World Hackers joins the likes of Lizard Squad in using DDoS attacks to take Xbox Live offline.

Via: tripwire

Netflix Malware, Phishing Attacks Contributing to Rise of Black Market

Netflix malware and phishing attack campaigns are contributing to the rise of a black market built around the sale of stolen credentials.

Lionel Payet, a threat intelligence officer at Symantec Security Response, explains in a blog post how he came across two unique attack campaigns that are targeting users of the popular web streaming platform.

The first involves malicious files posing as Netflix software that, once executed, download the banking Trojan Infostealer.Banload onto victims’ machines.

The trojan, which has been disproportionately used in attacks centered in Brazil, is not dropped by drive-by downloads. Users must install it onto their computers. They can be tricked into doing so by attackers who link the malicious executables to ads offering Netflix access at a discount rate.

The second attack campaign involves the use of phishing emails.

“Netflix subscriptions allow between one and four users on the same account,” Payet observes. “This means that an attacker could piggyback on a user’s subscription without their knowledge.”

The researcher identifies one phishing campaign in particular that warned Danish users of an incorrect processing of their monthly payment and urged them to log in to their accounts. A link provided in the email redirected victims to a fake login page.

Source: Security Response

In both the malware and phishing campaigns, attackers steal Netflix users’ account credentials, which in turn end up on black market sites. Most of these sell access to the compromised accounts, which in a way assume the function of an underground streaming service. Others, however, involve tools that use stolen subscriptions or payment card details to create new Netflix accounts, which can be sold on other black market websites.

Acknowledging these threats, Payet urges users to not click on any ads offering cheap Netflix access. Users should also exercise caution around suspicious email links, and they should always review their monthly credit card bills for suspicious transactions.

This news follows on the heels of Netflix’s announcement that it would crack down on the use of proxies among its members.

Via: tripwire

Kingston’s ‘Unhackable’ DataTraveler USB Drive Self-destructs With Incorrect PIN Entry


Image | Kingston

Kingston Digital, one of the world leaders in memory products, has released the DataTraveler 2000 encrypted USB Flash drive. This portable memory device offers best-in-class security features like hardware encryption and PIN protection with an onboard keypad. The device is expected to ship in Q1 in 16GB, 32GB and 64GB capacities.

At CES 2016, Kingston announced a new USB drive that’ll make life easier for privacy-conscious users. This secure DataTraveler 2000 encrypted USB Flash drive is designed to provide the best possible security measures to IT professionals carrying sensitive documents.

The USB drive looks impressive right from the outside. As you pull out the outer aluminum cover, a built-in keypad will be there to surprise you. When inserted into a computer, you’ll have to unlock the device by entering the correct PIN. Failing to do so in 10 attempts, the USB will self-destruct — sounds just like the pen drive from Hollywood flicks like Mission Impossible, right?

This USB 3.1 compatible thumb drive offers speeds of up to 135MBps read and 40MBps write. On the security front, DataTraveler 2000 comes with hardware-based full disk AES 256-bit encryption in XTS mode. The drive also protects your data from bruteforce attacks.


Kingston DataTraveler 2000 USB — PIN protection, AES 256-bit data encryption, resists bruteforce attacks.

For additional protection, Kingston’s super-secure USB drive features the option of auto-locking the drive by deleting key and password files after 10 invalid login attempts.

“We are excited to add DataTraveler 2000 to our existing lineup of fast and encrypted USB Flash drives for organizations and SMBs,” said Ken Campbell, Flash business manager, Kingston. “It is the perfect option to deploy in the workforce where a uniform encrypted data storage solution that works on many different OS’ are in use.”

This OS independent USB drive works with all popular operating systems, even Android and ChromeOS. The DataTraveler 2000 is available in 16GB, 32GB and 64GB capacities.

The DataTraveler 2000 is expected to hit the market at the end of Q1 2016.

Are you excited about this upcoming USB drive from Kingston? Tell us in the comments below.

Via: fossbytes

Hackers of two Ukrainian utilities probably hit mining and railroad targets, too

The attacks may have been test runs for the devastating power-company hacks.

The attackers who crippled Ukrainian power operators in December probably committed attacks shortly before against a mining company and a railway operator, Trend Micro said Thursday.

The security company said its latest technical research shows that the same malware — BlackEnergy and KillDisk — was probably used in the earlier actions. It didn’t name the targets of those attacks, which took place in November and December.

“There is remarkable overlap between the malware used, infrastructure, naming conventions, and to some degree, the timing of use for this malware,” wrote Kyle Wilhoit, a senior threat researcher.

The cyberattacks against the two utilities, Prykarpattyaoblenergo and Kyivoblenergo, have caused widespread concern in the security community, which has warned that attacks against industrial control systems could cause great damage.

Kyivoblenergo said 80,000 customers lost power for six hours after 30 substations went offline. Service was restored after operators took manual control and closed circuit breakers.

The malware used in the attacks, known as BlackEnergy, has been linked by the security firm iSight Partners to a group nicknamed the Sandworm Team, which is suspected to be from Russia. Relations between Ukraine and Russia have been tense since Russia annexed Crimea in 2014.

BlackEnergy probably infected the large mining company, according to Wilhoit. The malware in the earlier attack communicated with the same command-and-control servers as the tools that infected the two utilities, he wrote.

The mining company also was infected with several versions of KillDisk, which is designed to make a computer unusable by overwriting the Master Boot Record (MBR), the first sector of a PC’s hard drive. KillDisk also overwrites files with junk data.

“While none of the exact samples in the prior utility attacks appear to have been used against the mining organization, the specific samples witnessed perform the same exact functionality as those witnessed at the Ukrainian power utilities, with very little difference,” Wilhoit wrote.

There also are indications that KillDisk affected the railway operator. Trend Micro believes that BlackEnergy was probably on the railroad’s systems, too.

“The infections in the mining and train companies may have just been preliminary infections where the attackers are just attempting to test the code base,” Wilhoit wrote.

Via: csoonline

Here’s Why Apple Is Going To War Over FBI ‘Backdoor’ Order

“The implications of the government’s demands are chilling.”

Apple CEO Tim Cook said his company will fight a court order, granted to the FBI, that would compel the manufacturer to build what it calls a “master key” for the data held on iPhones.

The case couldn’t be more emotive: It involves the iPhone 5C that belonged to San Bernardino shooter Syed Rizwaan Farook. The FBI can’t guess Farook’s PIN code, and if they try too many incorrect codes, the phone may wipe itself. Each time they make a guess, the iOS operating system also adds a delay before they can try another one. Hence, they can’t comb it for evidence.

On Tuesday, a federal judge in Riverside, California ordered Apple to help the FBI by creating a special version of the iPhone firmware that investigators could load onto the handset, allowing them to bypass the phone’s security mechanisms.

This special firmware would bypass or disable the auto-erase function, remove the artificial delays between guess attempts, and make it possible to automatically make those guesses via Wi-Fi or some other means that avoids someone having to physically type each one. (Ars Technica has posted a copy of the order.)

As it happens, if the iPhone 5C sported the TouchID feature, then it would also include a special piece of hardware called the Secure Enclave. This feature is meant to make sure only the fingerprint-reading home button gets access to the owner’s fingerprint data, and it also handles other encryption keys on the iPhone. This would probably stop Apple from being able to help the FBI at all — but the iPhone 5C doesn’t have this feature.
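Both the DataTraveler 2000 story above (key and password files erased after 10 wrong PINs) and this one (escalating delays between guesses, auto-erase after too many failures) describe the same defensive mechanism: an attempt-limited PIN lock in which the PIN does not protect the data directly but unwraps a random data key, so that destroying the wrapped key makes the data unrecoverable regardless of later guessing. The following is an added, constructed model of that mechanism in Python; it is not Kingston’s or Apple’s implementation. The delay schedule, the 10-attempt limit, the PBKDF2 parameters and the XOR key-wrapping are all assumptions chosen for illustration, and the clock is passed in explicitly so the behaviour can be checked without waiting.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


class PinGuardedStore:
    """Constructed model of an attempt-limited PIN lock (assumption: not a vendor design).

    The data key is random and only ever stored wrapped under a PIN-derived key, so
    `_wipe()` (after `max_attempts` failures) leaves nothing a later correct PIN could unwrap.
    """

    # Seconds the caller must wait after n consecutive failures (constructed schedule).
    DELAY_SCHEDULE = [0, 0, 0, 0, 0, 60, 300, 900, 3600, 3600]

    def __init__(self, pin: str, max_attempts: int = 10):
        self.max_attempts = max_attempts
        self.failures = 0
        self.wiped = False
        self.next_allowed_at = 0.0
        self.salt = os.urandom(16)
        data_key = secrets.token_bytes(32)
        kek = self._derive(pin)
        # XOR wrap is a one-time pad here because kek is as long as data_key and used once;
        # a production device would use an authenticated key-wrap instead (assumption).
        self._wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        self._verifier = hashlib.sha256(b"verify" + kek).digest()

    def _derive(self, pin: str) -> bytes:
        # Slow KDF so an offline attack on a leaked verifier is expensive too.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000, dklen=32)

    def required_delay(self) -> int:
        """Seconds to wait before the next attempt, given the current failure count."""
        idx = min(self.failures, len(self.DELAY_SCHEDULE) - 1)
        return self.DELAY_SCHEDULE[idx]

    def unlock(self, pin: str, now: float) -> Optional[bytes]:
        """Return the data key on success; None if wiped, throttled, or the PIN is wrong."""
        if self.wiped or now < self.next_allowed_at:
            return None  # throttled attempts are refused without being counted
        kek = self._derive(pin)
        candidate = hashlib.sha256(b"verify" + kek).digest()
        if not hmac.compare_digest(candidate, self._verifier):
            self.failures += 1
            if self.failures >= self.max_attempts:
                self._wipe()
            else:
                self.next_allowed_at = now + self.required_delay()
            return None
        self.failures = 0
        self.next_allowed_at = now
        return bytes(a ^ b for a, b in zip(self._wrapped_key, kek))

    def _wipe(self) -> None:
        """Auto-erase: zero the wrapped key and verifier; the data key is now unrecoverable."""
        self._wrapped_key = bytes(len(self._wrapped_key))
        self._verifier = bytes(len(self._verifier))
        self.wiped = True
```

Two design points are worth noting. First, the throttle is enforced by the store itself and a refused attempt is not counted as a failure, so the schedule cannot be raced. Second, the order in which the FBI’s requested firmware would have to defeat things is visible here: removing the delay and the wipe are separate code paths, and only a build of the firmware that controls both `unlock` and `_wipe` could restore unlimited guessing, which is why the protections are only as strong as the integrity of the code that implements them.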

In a letter to Apple’s customers, Cook all but admitted that it was technically possible for the firm to cooperate with investigators. However, he said, the special version of the iPhone firmware was “something we consider too dangerous to create.”

Here’s how he described the risk:

In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession. The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control…

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

The application for the court order invoked a 1789 piece of legislation called the All Writs Act, which essentially lets courts order people or companies to do something. Cook described the proposed use of the All Writs Act in this case as “unprecedented,” though that’s debatable — it was already used a couple years back to help investigators force an unnamed phone manufacturer to bypass a phone’s lock screen.

Cook again:

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

The Apple chief said the firm didn’t take the decision to oppose the order lightly, but “we must speak up in the face of what we see as an overreach by the U.S. government.”

Cook and Apple have been very vocal in the past about the importance of encryption and their opposition to government-mandated backdoors. However, the debate has now moved past arguments over proposed legislation — it just became a very real legal battle.

Via: fortune

Flaws in smart toy back-end servers put kids and their families at risk

The vulnerabilities would have given attackers access to children’s names, birth dates, gender and even location.

Over the past two years security researchers have shown that many Internet-connected “smart” devices have not been designed with security in mind. This also seems to be the case for their back-end systems.

The latest examples are flaws found in the Web services operated by smart-toy makers which could expose children’s personal information and location.

Researchers from security firm Rapid7 found serious vulnerabilities in the Web application programming interfaces (APIs) used by the Smart Toy line of interactive stuffed animals and the hereO GPS watch for children.

In the case of Smart Toy devices, the researchers found that the manufacturer’s Web service did not properly validate request senders. Through the exposed APIs, they could enumerate all customers and find their toy ID, name, type and associated child profile; they could access all children’s profiles, including their names, birth dates, gender and spoken languages; they could find out when a parent or child is interacting with their toy and could associate someone’s toy with a different account, effectively hijacking it.

“Most clearly, the ability for an unauthorized person to gain even basic details about a child (e.g. their name, date of birth, gender, spoken language) is something most parents would be concerned about,” Rapid7 researcher Mark Stanislav said in a blog post. “While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers.”

The hereO GPS watch allows members of a family to keep track of each other’s location and activities and to perform other interactions such as messaging. The back-end Web service used by the platform provided an API for inviting a person to an existing family group, but did not perform proper verification.

The vulnerability could have allowed an attacker to add a rogue account to an existing family group and to confirm its addition on the family’s behalf. The attacker would then have access to every family member’s active location, as well as location history, and could abuse other platform features, Stanislav said.

The vulnerabilities found in both the Smart Toy and hereO devices were reported to their respective manufacturers with the help of the CERT Division at Carnegie Mellon University. Since these were server-side issues, they were patched by the manufacturers directly on their servers and did not require firmware updates for the actual devices.
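The Nissan LEAF flaw earlier on this page and the Smart Toy and hereO flaws described here are the same server-side weakness: the back end treats possession of an identifier (a VIN, a toy ID, a family group) as authorisation, instead of authenticating the caller and checking that the caller is allowed to act on that particular resource. The following added example, which is not code from Rapid7, Nissan, or either toy vendor, models a small in-memory API in Python and shows the missing-check handler beside the hardened form; for the family-invite case it also shows why the invitee, not the inviter, must confirm the join. The account data, VIN strings, bearer-token scheme and resource names are all constructed.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample data: which account owns which resource.
ACCOUNTS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"vehicles": {"VIN-EXAMPLE-0001"}, "families": {"fam-1"}},
    "bob":   {"vehicles": {"VIN-EXAMPLE-0002"}, "families": set()},
}
CLIMATE_STATE: Dict[str, str] = {"VIN-EXAMPLE-0001": "off", "VIN-EXAMPLE-0002": "off"}
FAMILY_MEMBERS: Dict[str, Set[str]] = {"fam-1": {"alice"}}
SESSIONS: Dict[str, str] = {}                       # bearer token -> account name
PENDING_INVITES: Dict[str, Tuple[str, str]] = {}    # invite code -> (family_id, invitee)


class Forbidden(Exception):
    """Raised for any request that is unauthenticated or not authorised for the resource."""


def login(user: str) -> str:
    """Issue an unguessable session token (constructed stand-in for a real login flow)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def authenticate(headers: Dict[str, str]) -> str:
    """Map a Bearer token to an account, or refuse. Comparison is constant-time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Forbidden("missing credentials")
    token = auth[len("Bearer "):]
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return user
    raise Forbidden("invalid token")


def require_owner(user: str, kind: str, resource_id: str) -> None:
    """Bind the identifier in the request to the authenticated caller."""
    if resource_id not in ACCOUNTS.get(user, {}).get(kind, set()):
        raise Forbidden(f"{user} does not own {kind} {resource_id}")


# Weak pattern (the class of bug described on this page): the identifier alone
# selects the target, so anyone who knows it can issue the command.
def set_climate_unauthenticated(vin: str, mode: str) -> str:
    CLIMATE_STATE[vin] = mode
    return CLIMATE_STATE[vin]


# Hardened pattern: authenticate first, then check the caller owns that VIN.
def set_climate(headers: Dict[str, str], vin: str, mode: str) -> str:
    user = authenticate(headers)
    require_owner(user, "vehicles", vin)
    CLIMATE_STATE[vin] = mode
    return CLIMATE_STATE[vin]


def invite_to_family(headers: Dict[str, str], family_id: str, invitee: str) -> str:
    """Only an existing member may invite; returns a single-use code tied to the invitee."""
    user = authenticate(headers)
    if user not in FAMILY_MEMBERS.get(family_id, set()):
        raise Forbidden(f"{user} is not a member of {family_id}")
    code = secrets.token_urlsafe(16)
    PENDING_INVITES[code] = (family_id, invitee)
    return code


def accept_invite(headers: Dict[str, str], code: str) -> list:
    """The invitee must confirm with their own session; nobody can accept on their behalf."""
    user = authenticate(headers)
    entry = PENDING_INVITES.get(code)
    if entry is None or entry[1] != user:
        raise Forbidden("invite not valid for this account")
    family_id, _ = PENDING_INVITES.pop(code)
    FAMILY_MEMBERS[family_id].add(user)
    return sorted(FAMILY_MEMBERS[family_id])


def denied(fn: Callable, *args) -> bool:
    """True if the call is refused with Forbidden (handy for tests and audits)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The point of `require_owner` is that an API test which only checks "is the caller logged in?" still passes a request for someone else’s VIN; the authorisation check has to name the resource. The invite flow fixes the hereO weakness the same way: the inviter cannot complete the join, because `accept_invite` requires a session belonging to the invitee.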

Via: csoonline

IRS Warns of 400% Surge in Email Schemes This Tax Season

The US Internal Revenue Service (IRS) has issued an alert, warning consumers of an influx of tax-related email schemes this filing season.

According to the public advisory, the agency said it received 1,026 reports involving phishing and malware incidents in January alone – a 400 percent increase from the year before.

Furthermore, in February, the reported number of incidents nearly doubled compared to the same time last year. Overall, 363 incidents were reported in the first half of February, compared to 201 incidents reported in the entire month of February 2015.

Less than two months into the new year, the IRS noted that the incidents have already topped the 2014 yearly total of 1,361, and are halfway to matching the 2015 total of 2,748.

“The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies,” said the agency.

The phishing schemes may ask taxpayers about a wide range of topics – such as information related to refunds, filing status, confirming personal information, ordering transcripts or verifying PIN information.

By clicking on malicious email links, consumers are taken to sites designed to imitate an official-looking website like IRS.gov, which asks for Social Security numbers and other personal data.

The sites could also carry malware, used to infect people’s computers and allow criminals to access their files or track their keystrokes to gain more information, including important login credentials.

“Variations of these scams can be seen via text messages, and the communications are being reported in every section of the country,” read the advisory.

IRS Commissioner John Koskinen said the dramatic jump in these phishing and malware scams comes at the busiest time of the tax season.

“Watch out for fraudsters slipping these official-looking emails into inboxes, trying to confuse people at the very time they work on their taxes,” Koskinen warned. “We urge people not to click on these emails.”

The IRS adds that criminals are likely leveraging the personal tax information to file fraudulent returns.

“While more attention has focused on the continuing IRS phone scams, we are deeply worried this increase in email schemes threatens more taxpayers,” Koskinen said.

“We continue to work cooperatively with our partners on this issue, and we have taken steps to strengthen our processing systems and fraud filters to watch for scam artists trying to use stolen information to file bogus tax returns.”

The IRS said it’s working to address the issue through the Security Summit initiative with state revenue departments, as well as the tax industry.

Taxpayers should be aware that the IRS generally does not initiate contact with citizens by email, text message or social media channels to request personal or financial information.

For more information, read the complete IRS alert here.