Monthly Archives: June 2016

University Pays Ransom of $20K Following Ransomware Attack

A Canadian university has paid a ransom fee of $20,000 CDN following a ransomware attack against its computer systems.

Linda Dalgetty, Vice-President of Finance and Services at the University of Calgary, announced the ransom payment on Tuesday in a statement posted to the school’s website:

“As part of efforts to maintain all options to address these systems issues, the university has paid a ransom totalling about $20,000 CDN that was demanded as part of this ‘ransomware’ attack…. Ransomware attacks and the payment of ransoms are becoming increasingly common around the world. The university is now in the process of assessing and evaluating the decryption keys. The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time.”

The trouble began on May 28, when the university first began receiving complaints of issues affecting its email for faculty and staff, Skype, wireless servers, and other systems.

UCalgary’s IT teams successfully restored access to many of the school’s networks and applications after a few days, though some of its servers, Skype service, and faculty email system remained affected for longer periods of time.

On Monday, the IT department made email once again available for faculty and staff.

University officials at this time do not know who caused the ransomware attack, but Dalgetty told CBC News they do have some basic information about the attacker(s):

“What we do know is that when we first identified the encryption, we did get a ransom note. So that’s how we knew it was ransomware. And we also knew that it was likely someone external who had likely planted that ransomware.”

While the University of Calgary begins its analysis of the decryption keys, the Calgary police continue their investigation of the attack.

This is not the only time an organization has decided to pay tens of thousands of dollars following a ransomware attack. Back in February, administrators at the Hollywood Presbyterian Medical Center in southern California paid attackers $17,000 USD to reclaim access to their computer system.

Via: tripwire

32 Million Twitter Passwords May Have Been Hacked and Leaked

The world came to know about massive data breaches in some of the most popular social media websites, including LinkedIn, MySpace, Tumblr, Fling, Netflix and VK.com, when an unknown Russian hacker published the data dumps for sale on the underground black marketplace.

However, these are only data breaches that have been publicly disclosed by the hacker.

I wonder how many more stolen data sets this Russian, or other hackers, are holding that have yet to be released.

The answer is still unknown, but the same hacker is now claiming another major data breach, this time, in Twitter.

Login credentials of more than 32 Million Twitter users are now being sold on the dark web marketplace for 10 Bitcoins (over $5,800).

LeakedSource, a search engine site that indexes leaked login credentials from data breaches, noted in a blog post that it received a copy of the Twitter database from Tessa88, the same alias used by the hacker who provided it with hacked data from the Russian social network VK.com last week.

The database includes usernames, email addresses, sometimes second email addresses, and plain-text passwords for more than 32 Million Twitter accounts.

Twitter strongly denied the claims by saying that “these usernames and credentials were not obtained by a Twitter data breach” – their “systems have not been breached,” but LeakedSource believed that the data leak was the result of malware.

“Tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” LeakedSource wrote in its blog post.

But do you remember how Facebook CEO Mark Zuckerberg’s Twitter account was compromised?

The hackers obtained Zuck’s account credentials from the recent LinkedIn data breach, cracked his SHA1-hashed password string, tried it on several of his social media accounts, and successfully hijacked Zuckerberg’s Twitter and Pinterest accounts.

So, one possibility could also be that the alleged Twitter database dump of over 32 Million users is made up of already available records from the previous LinkedIn, MySpace and Tumblr data breaches.

The hacker might just have published already leaked data from other sites and services as a new hack against Twitter that actually never happened.

Whatever the reason, the fact remains that hackers may have had their hands on your personal data, including your online credentials.

So, it’s high time you changed your passwords for all social media sites as well as other online sites if you are using the same password.

Via: thehackernews

Following social media site breaches, Netflix requires password resets

Following breaches at LinkedIn, Tumblr, and Myspace, Netflix is requiring users whose passwords may have been compromised to change their login credentials.

Despite not being breached itself, Netflix sent a notification letter to its users last week informing them that their information may have been included in one of the older breaches, according to a copy of the email obtained by Krebs on Security.

“Just to be safe, we’ve reset your password as a precautionary measure,” it said.

Users are then urged to visit the Netflix website and to click the “forgot your email or password” link to reset their credentials.

Netflix is making the move as a proactive measure to thwart attempts from bad guys looking to use the stolen credentials on third party sites, including Netflix, that may share the same login information, Krebs said in his blog.

Reddit has already taken similar action.

Via: scmagazine

Avoid These 3 Mistakes in Secure Software Development

Developers today recognize the importance of secure software development. Indeed, security was one of the key topics at the DeveloperWeek conference in San Francisco. This level of focus should be applauded.

At the same time, however, we must recognize that planning for secure software development is not the same thing as implementing it. In fact, some software development organizations have yet to fully integrate security into their development process. Time and money constraints are a common obstacle for organizations, but developer mistakes can just as readily delay or mislead attempts at integration.

Building off of that last point, Bob Loihl, senior software engineer and secure software development expert for Tripwire, has identified three errors that organizations commonly make when they try to incorporate security into their development process. These are as follows:

MISTAKE #1: BOLTING SECURITY ON AT THE END OF A PROJECT

It is important for organizations to have a security plan in place from the beginning of the development process. Such foresight allows developers to adopt a secure architectural and design approach, which in turn makes it easier for them to safeguard all aspects of the code as it is created.

A well formulated security plan is particularly important to today’s software users, who have come to expect that developers will provide them with secure offerings.

“When you defer crosscutting security work on a subsystem of your project, you will end up reworking and retesting a large part of the system later,” said Loihl. “You can definitely put off something like logging because it is a concern across the codebase, but if you put off implementing access controls in the system because it’s hard and expensive, it’s an indicator that you have missed or downplayed important project requirements.”

MISTAKE #2: FAILING TO TAKE ADVANTAGE OF SECURE SOFTWARE DEVELOPMENT TOOLS AND EXPERTISE

Organizations would be wise to resist the temptation of “rolling their own” security in software, particularly when it comes to authentication models, encryption, and other complex functions. There’s no need to reinvent the wheel. Developers should instead leverage the work of others who have already developed proven, validated secure code and processes. Time has shown that those solutions work, which means that they can help increase developers’ confidence in the security of their projects.

“With so many resources available today–from static code analysis to pen testing–there’s no excuse for not understanding the security profile of a product before it ships,” said Loihl. “In addition, there are good organizations out there like OWASP, SAFECode, BSIMM and others that can help you understand how to build out a security program.”

MISTAKE #3: INHERITING OTHER DEVELOPERS’ SECURITY MISTAKES BY USING FAULTY LIBRARY COMPONENTS

Development teams need to make sure they know the origin of the libraries they use as well as the code they incorporate from other sources. They should also determine what security validation, threat modeling, and other assurances have been applied to any third-party code they leverage in their products.

“Bringing in third-party libraries and frameworks is a risky operation in terms of security and defect exposure,” noted Loihl. “Outsourcing development does not absolve you from due diligence or testing the code you are using. The recent CWE-502 issues with Java RMI deserialization and Apache Commons Collections are good examples of this–having the library on the class path exposed an issue, even if the class that had the issue had never been used.”
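The CWE-502 issue Loihl cites is untrusted deserialization: a parser that will instantiate whatever class the input names, so any dangerous class reachable on the class path becomes reachable to an attacker whether or not the application itself ever uses it. The following Python example is added here to illustrate the defensive pattern in that language; it is not code from the page or from Tripwire, and it uses `pickle`, Python's equivalent of Java serialization, rather than the Java RMI case in the quote. The allowlisted names and the sample records are constructed for the example; `fractions.Fraction` stands in for any importable type a hostile payload might name, and is used only because it is harmless.

```python
import datetime
import io
import pickle
from fractions import Fraction


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allowlist of (module, name) globals.

    Stock pickle.loads() calls find_class() for every GLOBAL/STACK_GLOBAL opcode and
    imports whatever the payload names. Overriding it with an allowlist is the
    Python analogue of a look-ahead deserialization filter.
    """

    # Constructed allowlist for this example: the only globals the record format needs.
    ALLOWED = {
        ("datetime", "date"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        # Refuse before any import or instantiation happens.
        raise pickle.UnpicklingError(f"global {module}.{name} is not on the allowlist")


def unsafe_loads(data: bytes):
    """The pattern to avoid: any importable callable named in the payload is resolved."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Hardened form: same wire format, but only allowlisted globals resolve."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> dict:
    """Return a result record instead of raising, so callers can log and move on."""
    try:
        return {"ok": True, "value": safe_loads(data), "reason": ""}
    except pickle.UnpicklingError as exc:
        return {"ok": False, "value": None, "reason": str(exc)}


def demo() -> dict:
    """Constructed inputs: one record the format needs, one naming a class it never needed."""
    expected_record = pickle.dumps({"user": "alice", "joined": datetime.date(2016, 6, 1)})
    # Fraction is not dangerous; it simply is not part of the record format, which is
    # exactly the situation Loihl describes: a class on the path that the app never uses.
    foreign_class = pickle.dumps(Fraction(1, 3))
    return {
        "expected": try_load(expected_record),
        "foreign": try_load(foreign_class),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The allowlist is deliberately a set of exact `(module, name)` pairs rather than a module prefix: a prefix such as `collections.*` would admit every class in that module, and the point of the control is that nothing resolves unless the record format needs it.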

Ultimately, Loihl and other Tripwire experts believe developers should not rely on “security through obscurity.” Some developers either hide their implementations of security or believe that a very complex implementation will help make their products more secure. In fact, the opposite is true. Effective security implementations that are built on proven approaches will stand up better to peer review–a cornerstone of good security that increases the likelihood of discovering and addressing security weaknesses before software is shipped out to customers.

“Unfortunately, many software development teams are still trying to address security at the end of their process,” said Dwayne Melancon, chief technology officer and vice president of research and development for Tripwire. “This approach doesn’t work. To be effective, security needs to be baked into the entire process, from planning through deployment to usage.”

Loihl added: “Anyone who has lived through a breach or received surprising results from penetration tests right before a product is scheduled to ship knows how painful it is to add security in at the end of the development cycle. Today, developers face increased pressure to understand security issues and how they apply in their environments because of Internet of Things devices and pervasive computing environments. This can seem like a big investment, but the costs of doing it right the first time are much lower than responding to crises.”

To learn more about secure software development, including what you can do to clearly highlight its benefits to senior leadership, please click here.

Via: tripwire

FBI Warns of Surge in Email Extortion Schemes Tied to Recent Breaches

The FBI’s Internet Crime Complaint Center (IC3) has issued an alert, warning users of a spike in reported extortion email attempts connected to recent high-profile data breaches.

According to the advisory, targeted individuals are told that their personal information—such as their name, phone number, address, credit card information, and other personal details—will be released to their social media contacts, family and friends if the ransom is not paid.

“The recipient is instructed to pay in Bitcoin, a virtual currency that provides a high degree of anonymity to the transaction,” explained the alert. “The recipients are typically given a short deadline. The ransom amount ranges from 2 to 5 bitcoins or approximately $250 to $1,200.”

The alert detailed several examples of the extortion emails sent by fraudsters, one of which read:

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

Another message seen threatening to release the victim’s personal details read:

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”

Based on variations seen in the extortion emails, the FBI suspects multiple individuals are involved in these extortion campaigns.

“Fraudsters quickly use the news release of a high-profile data breach to initiate an extortion campaign,” said the IC3.

In the past month alone, millions of user accounts from popular sites like LinkedIn, MySpace and Tumblr have been found for sale on underground marketplaces.

Users who believe they have been a victim of this scam are advised to contact their local FBI field office and file a complaint with the IC3 at www.ic3.gov.

“The FBI does not condone the payment of extortion demands as the funds will facilitate continued criminal activity, including potential organized crime activity and associated violent crimes,” the alert concluded.

Via: tripwire

FastPOS: Researchers Discover New Malware That Instantly Exfiltrates Stolen Data

Researchers have unveiled a new family of malware, dubbed “FastPOS,” that is capable of instantly exfiltrating stolen credit card information.

Unlike other POS threats, FastPOS focuses on transferring harvested data as soon as possible to its command and control (C&C) server, as opposed to collecting the data and uploading it periodically in an effort to stay hidden.

According to security experts at Trend Micro, the malware leverages a keylogger and a memory scraper for information theft purposes.

“FastPOS captures keystrokes and sends back the entire string to the C&C server once the return key is pressed,” read a detailed report by Trend Micro.

Meanwhile, the RAM scraper relies on a custom algorithm that checks for valid credit card numbers. Specifically, the malware looks for international credit cards that do not require PINs.

“FastPOS’s design sets it apart from other POS malware families,” says Trend Micro. “It appears to be designed to operate in situations where a large, enterprise-scale network may not be present: instead, it is designed for environments with a much smaller footprint.”

Researchers noted FastPOS-related infections have been seen across the globe in the last five months, including the United States, France, Brazil, Hong Kong, Japan and Taiwan.

Trend Micro noted attack vectors for the malware have been identified as a real-time file sharing service, compromised medical sites and brute-force attacks by cybercriminals.

Researchers say FastPOS is currently offered for sale on several underground forums, and believe the actors behind it are also advertising and selling the stolen payment card credentials.

For more information, read Trend Micro’s full report (PDF) here.

Via: tripwire

Defending Your Kingdom with a Knight

If I were a Chess piece to protect my organization, which piece would I be and why?

It’s too easy to choose the big-name piece like the King, but Kings rule the Kingdom and are protected by those around them, so in my mind they don’t do very much. So I choose to be a Knight. In Chess, I like playing that piece. It has so many unique qualities that it’s hard to defend against in an attack, and it plays a very important role in protecting the King and Queen.

Let’s talk about a slightly different Knight, though. The author George R. R. Martin wrote a book “A Knight of the Seven Kingdoms,” which is more fondly known as the Game of Thrones TV series. I like the title, “A Knight of the Seven Kingdoms.”

In my fantasy world, the Knight plays an important part to defend his Seven Kingdoms, just as a Chess piece plays in a game of chess. What sort of threats would he be defending against, though?

INSIDER THREATS

Insider threats are a constant threat to every organization. How does the Knight defend against such attacks?

The truth is, we won’t be able to stop these attacks completely but we can detect, help prevent, and respond to these attacks. We can do so by having simple measures in place, such as integrity monitoring; configuration management; vulnerability assessments and aggregating logs into one central location, as well as applying intelligence to these logs to help spot the anomalies.

RANSOMWARE

It’s been around for some time now, but in recent years, ransomware has been popping up on all platforms, targeting some very high-profile organizations. Some analysts believe 2016 will be the year of ransomware.

The Knight should adopt good perimeter controls around the Kingdom, which will help prevent some of these attacks. The Knight will also talk to their people, making them aware of the different types of attacks and how to defend against them. But our Knight will also rely on technology to help detect these encryption-based threats.

Using integrity monitoring tools will help detect files being changed as they are encrypted, and that detection can drive a workflow to stop the attack from spreading.
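As an added illustration of that detection workflow (example code, not Tripwire's product or anything from the original post), the script below takes a SHA-256 baseline of a directory, reports what has been added, removed or modified since, and raises an alert when a burst of changed files now has the near-8-bits-per-byte entropy typical of ciphertext. The entropy threshold, the burst size and the sample files in `demo()` are constructed for the example and would need tuning in a real deployment.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Constructed thresholds for this example; tune to the environment being monitored.
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed content sits near 8.0
MIN_SUSPICIOUS = 3        # how many high-entropy changes must land before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_baseline(root) -> dict:
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_baseline(root, baseline: dict) -> dict:
    """Compare the directory as it is now with a previously stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def assess(root, diff: dict) -> dict:
    """Flag changed files whose contents now look encrypted; alert on a burst of them."""
    root = Path(root)
    suspicious = [
        rel for rel in diff["modified"] + diff["added"]
        if shannon_entropy((root / rel).read_bytes()) >= ENTROPY_THRESHOLD
    ]
    return {"suspicious": suspicious, "alert": len(suspicious) >= MIN_SUSPICIOUS}


def demo() -> dict:
    """Constructed scenario: baseline four documents, then 'encrypt' three and drop a note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.txt", "b.txt", "c.txt", "d.txt"):
            (root / name).write_bytes(b"quarterly figures, nothing unusual here\n" * 40)
        baseline = build_baseline(root)

        # Stand-in for ciphertext: every byte value equally often, entropy exactly 8.0.
        fake_ciphertext = bytes(range(256)) * 16
        for name in ("a.txt", "b.txt", "c.txt"):
            (root / name).write_bytes(fake_ciphertext)
        (root / "READ_ME.txt").write_bytes(b"your files are encrypted\n")  # low entropy, not flagged

        diff = diff_against_baseline(root, baseline)
        return {"diff": diff, "assessment": assess(root, diff)}


if __name__ == "__main__":
    result = demo()
    print("changes:", result["diff"])
    print("assessment:", result["assessment"])
```

The alert condition combines two signals on purpose: a single high-entropy write is normal (a saved archive, an image), while many of them inside one monitoring interval is the pattern a host-based workflow would act on, for example by isolating the machine.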

VULNERABLE ASSETS

How about those old relics inside the kingdom? They can’t fight or defend properly and have weaker controls. They have to rely on the Knights to protect them from being attacked.

You could say the same for your critical assets within your perimeter. What controls are in place today that help defend these assets and have they been hardened? Have the controls or the systems that manage these controls been patched to the latest updates to prevent attackers compromising these assets?

Using a good vulnerability management tool will help you identify these systems that are weak. And, if you integrate an integrity management tool with it, you have a solution where once a system has been found vulnerable, you can have the integrity monitoring tool keep an eye on it whilst it’s being fixed.

POLICIES AND REGULATORY REQUIREMENTS

Every Kingdom should have their own rules and procedures. It’s down to the Knight to ensure these rules are enforced, otherwise, chaos occurs and everyone will make up their own rules.

Our Knight will have technology to help him enforce these rules. Using a configuration management tool, the Knight can ensure each system in each of the Kingdoms adheres to one set of rules, and keep a watchful eye on those systems to ensure they don’t fall out of line.

And, let’s not forget the policies that, if broken, carry a hefty fine from certain regulators!

MALICIOUS MALWARE AND VIRUSES

From time to time, the occasional threat will penetrate the kingdom. When it does, it spreads its viral contents throughout the Kingdom, destroying it from the inside out. The Knight will play an important part to look for those unusual characters.

Using his integrity monitoring tool, the Knight will be alerted to a change in the Kingdom. With integration to third-party threat intelligence providers, the Knight can validate whatever has just walked through the gates and determine whether or not it is a threat.

If the third parties state it is a known threat, the Knight can take immediate action, eradicating it from the Kingdom before the infection can spread.

These are just some of the things our Knight will be defending against. There are many more different threats out there where technology plays a significant part.

The Knight plays a very important part in defending their Kingdom in Chess, and as you can see from the examples above, an important role in information security. That is why I chose to be a Knight.

Having a good strategy is important in a game of Chess – it’s the same in the world of information security… at the end of the day, it’s about protecting your King, “your critical data.”

Via: tripwire

Researcher Releases Free Decryptor for BadBlock Ransomware

A security researcher has released a tool that allows victims of the BadBlock ransomware to decrypt their encrypted files for free.

On Thursday, Lawrence Abrams of Bleeping Computer published an article about the crypto-ransomware variant.

In it, he does not withhold his disgust for the malware. He describes BadBlock as “poorly coded and horribly designed” because it not only encrypts a user’s files but also adversely affects a user’s machine:

“Unlike almost all other ransomware infections, BadBlock will not only encrypt your data files, but it will also encrypt the executables on your computer, including important Windows system files…. This means that if you reboot your computer after BadBlock encrypts your machine, you will find that the computer… no longer starts. This is because required executables have been encrypted….”


That’s not the only difference separating BadBlock from other crypto-malware variants.

As soon as the ransomware begins encrypting a user’s files, it displays a message notifying them that their computer has been infected. Users can act on that information by opening the Task Manager and terminating “badransom.exe,” which shuts down the encryption process before it has time to finish. Doing so does not restore access to any files the ransomware has already encrypted, however.


Fortunately, for those users with encrypted files, there is now hope.

Security researcher Fabian Wosar of Emsisoft has released a tool that allows victims affected by BadBlock to decrypt their files for free.

After downloading the decryptor (available here), a user needs to drag an encrypted file and an unencrypted version of that same file (or of a file with the exact same format) onto the utility.

The decryptor will use those files to create a decryption key, which the victim can then use to decrypt all of their remaining files.
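Why one original/encrypted pair is enough to unlock everything is worth seeing concretely. The following is an added toy example, not the Emsisoft decryptor and not BadBlock's real algorithm (the page does not describe it): it assumes a deliberately weak scheme in which every file is XORed with the same repeating 16-byte key. Under that assumption, XORing a known plaintext with its ciphertext hands back the key, and the key then decrypts every other file. The key and the sample files are constructed for the example.

```python
from itertools import cycle

# Constructed toy scheme: one 16-byte key, repeated, XORed over every file.
# Assumption for illustration only; it models the flaw a known-plaintext decryptor relies on.
KEY_LEN = 16


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt under a repeating key (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int = KEY_LEN) -> bytes:
    """Derive the key from one (original, encrypted) pair.

    Each key byte k satisfies c = p ^ k, so k = p ^ c. The pair must cover at
    least one full key period; a shorter pair leaves some key bytes unknown.
    """
    known = min(len(plaintext), len(ciphertext))
    if known < key_len:
        raise ValueError(f"need at least {key_len} known bytes, got {known}")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def decrypt_all(encrypted: dict, key: bytes) -> dict:
    """Apply the recovered key to every remaining file."""
    return {name: xor_with_key(blob, key) for name, blob in encrypted.items()}


def demo() -> dict:
    """Constructed scenario: three files encrypted, one clean copy still available."""
    secret_key = bytes.fromhex("8f1c3e5a7b9d0214c6e8a0b2d4f60718")  # unknown to the victim
    originals = {
        "report.docx": b"PK\x03\x04 quarterly report, constructed sample content for the demo",
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed JPEG-like header followed by body bytes",
        "notes.txt": b"Meeting notes: constructed plaintext used only in this example.",
    }
    encrypted = {name: xor_with_key(data, secret_key) for name, data in originals.items()}

    # The victim still has an untouched copy of report.docx (say, an e-mail attachment),
    # which is the pair the page describes dragging onto the utility.
    key = recover_key(originals["report.docx"], encrypted["report.docx"])
    restored = decrypt_all(encrypted, key)
    return {"key_matches": key == secret_key, "all_restored": restored == originals}


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the mirror image of the recovery: a scheme that derives a fresh key per file, or uses an authenticated cipher with a unique nonce, gives a known plaintext nothing to leverage, which is why well-designed ransomware cannot be undone this way and why backups, not decryptors, remain the dependable recovery path.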

To avoid a ransomware infection at the hands of BadBlock and other variants, users should avoid clicking on suspicious links and email attachments, install an anti-virus solution on their computers, and implement software patches as soon as they become available.

For more ransomware prevention tips, please click here.

You can also learn more about ransomware in general here.

Via: tripwire

You Need To Update Your Facebook Privacy Settings Again To Opt Out Of New Targeted Ads

Facebook announced in recent weeks that they’re expanding their advertising empire. With that change, came a stealthy new privacy setting for users — one that all of us are opted-in to by default.

Instead of just selling ads on Facebook, or on Facebook platforms (like WhatsApp and Instagram), Facebook is now selling ads everywhere, to everyone, whether or not you have a Facebook account. If you do have a Facebook account, though — like 1.6 billion other humans do — Facebook will also use your Facebook data to sell those ads.

Here’s where the privacy settings come in: Facebook has long had opt-outs for collecting and using your behavioral data in advertising to you. But they added or re-worded one when they broadened their advertising business this week, and every member of Facebook is set to participate in this new one unless you specifically go and opt out.

So here’s a step-by-step guide to doing that:

Step 1: Click the little lock in the top-right corner of your screen, and select “See More Settings”


That’s for web Facebook. If you’re on the Android app, go to the three-bar “hamburger” menu icon on the right and then scroll all the way down until you see “Account Settings” near the bottom. If you’re on the iOS app, choose “More” on the bottom right and then scroll until you see “Account Settings” there.

Step 2: Down the left-hand side of the screen (or in your app settings), go to “Ads” near the bottom:


Step 3: You can set any of these to “yes” or “no” as you wish, but the new option that you’ll find yourself automatically signed up for is under “Ads on apps and websites off of the Facebook Companies.” The full setting looks like this, and you can turn that “yes” to “no” to opt out:


If you click to read all about the new setting, here’s what it says in full:

You cannot, however, opt out of being advertised to, nor out of having your data collected and aggregated. This setting just treats you as a non-FB user for the purpose of having advertising selected for you on non-FB sites.

Via: consumerist

IT Security Tips for International Travel

When you travel internationally for business, you’re likely headed to a country with drastically different cybersecurity laws. In the U.S., you can expect a reasonable amount of privacy for your data and devices. Even with the uproar about the National Security Agency (NSA) and security violations in recent years, Americans still enjoy a higher degree of privacy than people in many other countries.

However, the situation changes once you come to a border crossing—even in the United States. Your belongings, including your laptop, tablet, smartphone and files, can be searched. Overseas, the rules can be even stricter. Depending on where you travel to, your belongings may be vulnerable not only to searches but also to confiscation and duplication.

Because of the variation in data privacy laws between countries, it’s important to escalate your security practices—they may be the only things that keep your company’s data safe from a breach. The nine tips below will help you do just that.

1. TAKE ONLY THE DATA YOU’LL NEED.

When you travel internationally, you should take only what data you’ll need for business meetings—leave the rest at the office. Store the data you do take on a USB drive or SD card rather than your laptop or tablet. That way, if you get separated from your devices, you’ll still have your data.

A final note on the subject of data: back it up before you go. Even if your devices or external data drive are lost, stolen, or corrupted by a virus, you’ll have a pristine copy waiting for you in the Cloud or at home.

2. TRY TO TAKE “LOANER” DEVICES.

Ask your IT department for a clean “loaner” laptop or smartphone to take on the trip. These devices contain minimal business data, helping to mitigate risk from the beginning of your trip to the end. If the laptop gets lost or stolen, the IT department knows exactly what data to safeguard; if you make it home with the devices, it’s a relatively easy task for IT to scrub them before allowing them to be used inside the business perimeter.

3. UPGRADE FIRMWARE AND SOFTWARE.

Regardless of whether you choose to take a personal device or a company-issued one, it’s wise to look for firmware and software updates prior to leaving. Unpatched devices and platforms are more vulnerable to attacks than patched ones. Make sure to time the updates to complete before you land in your destination country, as you may need the added security in the airport and at customs.

4. KEEP YOUR DEVICES WITH YOU.

You should keep your laptop, smartphone and other gadgets with you at all times. While most people know to avoid leaving devices unattended in an airport or another public venue, few people realize that their hotel room may be equally as vulnerable. Carrying your gadgets with you will help ensure that the data they hold is kept safe from prying eyes.

5. AVOID USING SHARED COMPUTERS.

Shared computers may be convenient but they’re prime targets for keylogging and other malicious activity. It’s best to avoid these public devices at all costs. If you absolutely must use a shared computer, stick to HTTPS web addresses, implement two-factor authentication (2FA) when possible, and stay away from sites that require you to log in or share personally identifying information. It’s an easy hop, skip and jump for hackers to traverse from that information to more critical data.

6. ESCHEW PUBLIC WI-FI.

Another problem area is public Wi-Fi. According to a recent survey, 50 percent of respondents access the internet through a public connection on a weekly basis. But while these hotspot connections are both handy and popular, they’re also extremely dangerous. With a few basic hacking skills, just about anyone can monitor your activity on a public network.

If you do need to use an unsecured hotspot, access the internet through a Virtual Private Network (VPN), which will allow you to mask your IP and encrypt data sent over the connection.

7. ENCRYPT AND PASSWORD-PROTECT EVERYTHING.

Encrypt everything: devices, data, phone calls, social networking and online chats. When you encode your data, however, be aware that some nations consider encryption to be illegal. As such, try to stay abreast of the restrictions in your destination country and be prepared to decrypt your devices upon request at customs.

Even if you can’t encrypt everything, you should practice password safety. Change your passwords before you leave on the trip, and make sure that you follow best password practices on every account. If you don’t already use pin codes or biometric identifiers on your smartphone, now’s the time to start.

8. USE LOW-TECH SOLUTIONS TO COMBAT HIGH-TECH PROBLEMS.

Data security doesn’t always have to be expensive—it’s amazing how easily you can foil a hacker with a piece of tape placed over your laptop’s camera. Equally simple is a privacy screen, a thin screen cover that limits how much of your computer display can be seen from the side.

If you want more high-tech solutions, those are available, too. For example, you can invest in RFID-blocking wallets to keep financial data and personal information secure.

9. BE AWARE OF YOUR SURROUNDINGS.

Finally, the best thing to do is remain vigilant. Anytime you travel internationally, assume you’re already in the defensive position. It’s your responsibility to keep your business’ information safe, so use common sense and stay aware of where you are and who’s around you.

Corporate data breaches can be costly, but your company doesn’t have to be a victim. If you follow the nine tips outlined above, you can help keep your business data secure and safe anywhere you go, be it across town or around the world.

Via: tripwire