Monthly Archives: June 2017

Fireball Malware Infects Nearly 250 Million Computers Worldwide

Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS.

 
Dubbed Fireball, the malware is an adware package that takes complete control of the victim’s web browser and turns it into a zombie, potentially allowing attackers to spy on the victim’s web traffic and steal their data.

 
Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers.

 
While the company is currently using Fireball for generating revenue by injecting advertisements onto the browsers, the malware can be quickly turned into a massive destroyer to cause a significant cyber security incident worldwide.

 

Fireball comes bundled with other free software programs that you download off of the Internet. Once installed, the malware installs browser plugins to manipulate the victim’s web browser configurations to replace their default search engines and home pages with fake search engines (trotux.com).

 

“It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time,” researchers said. “Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors.”

The fake search engine simply redirects the victim’s queries to either Yahoo.com or Google.com and includes tracking pixels that collect the victim’s information.


Far from legitimate purpose, Fireball has the ability to spy on victim’s web traffic, execute any malicious code on the infected computers, install plug-ins, and even perform efficient malware dropping, which creates a massive security hole in targeted systems and networks.

“From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C – it is not inferior to a typical malware,” researchers said.

Currently, Fireball adware is hijacking users’ web traffic to boost its advertisements and gain revenue, but at the same time, the adware has the capability to distribute additional malware.


“Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach,” researchers added.

According to researchers, over 250 million computers are infected worldwide, and 20 percent of them are on corporate networks:

  • 25.3 million infections in India (10.1%)
  • 24.1 million in Brazil (9.6%)
  • 16.1 million in Mexico (6.4%)
  • 13.1 million in Indonesia (5.2%)
  • 5.5 million in the US (2.2%)

“How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more,” researchers warned. “Many threat actors would like to have even a fraction of Rafotech’s power.”

Warning Signs that Your Computer is Fireball-Infected

If the answer to any of the following questions is “NO,” that means your computer is infected with Fireball or a similar adware.
Open your web browser and check:

 

  1. Did you set your homepage?
  2. Are you able to modify your browser’s homepage?
  3. Are you familiar with your default search engine and can modify that as well?
  4. Do you remember installing all of your browser extensions?
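
The four questions above can be automated for a Chrome-style profile. The following is an added example, not code from the original article or from Check Point: it reads a parsed Chrome “Preferences” JSON file and flags a homepage, startup page, default search engine or extension that does not match what the user expects. The only indicator taken from the article is the fake search engine domain (trotux.com); the Preferences key names are an assumption based on Chrome’s JSON layout and should be verified against your browser version, and the sample profile is constructed.

```python
import json
from urllib.parse import urlparse

# Domain of the fake search engine named in the article. Everything else here
# (key names, familiar-engine list, sample data) is an assumption for the example.
HIJACK_DOMAINS = {"trotux.com"}
FAMILIAR_SEARCH_DOMAINS = {"google.com", "bing.com", "duckduckgo.com", "yahoo.com"}


def registrable_domain(url):
    """Reduce a URL to its last two host labels (www.trotux.com -> trotux.com)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_browser_prefs(prefs, expected_homepage="", known_extension_ids=None):
    """Return human-readable findings; an empty list means nothing looked hijacked."""
    known_extension_ids = known_extension_ids or set()
    findings = []

    # Q1/Q2: is the homepage still the one the user set?
    homepage = prefs.get("homepage", "")
    if registrable_domain(homepage) in HIJACK_DOMAINS:
        findings.append(f"homepage points at known hijack domain: {homepage}")
    elif expected_homepage and registrable_domain(homepage) != registrable_domain(expected_homepage):
        findings.append(f"homepage changed from {expected_homepage} to {homepage or '(unset)'}")

    # Startup pages are a second place adware plants its search front-end.
    for url in prefs.get("session", {}).get("startup_urls", []):
        if registrable_domain(url) in HIJACK_DOMAINS:
            findings.append(f"startup page points at known hijack domain: {url}")

    # Q3: is the default search engine one the user recognises?
    search_url = (prefs.get("default_search_provider_data", {})
                  .get("template_url_data", {})
                  .get("url", ""))
    search_domain = registrable_domain(search_url)
    if search_domain in HIJACK_DOMAINS:
        findings.append(f"default search engine is a known hijack domain: {search_domain}")
    elif search_url and search_domain not in FAMILIAR_SEARCH_DOMAINS:
        findings.append(f"unfamiliar default search engine: {search_domain}")

    # Q4: does the user remember installing every extension?
    for ext_id in prefs.get("extensions", {}).get("settings", {}):
        if ext_id not in known_extension_ids:
            findings.append(f"unrecognised extension id: {ext_id}")

    return findings


# Constructed sample, not a real capture: homepage, startup page and search
# engine swapped for the fake engine, plus one extension the user never added.
SAMPLE_HIJACKED_PREFS = json.loads("""{
  "homepage": "http://www.trotux.com/?z=example",
  "session": {"startup_urls": ["http://www.trotux.com/"]},
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Trotux", "url": "http://www.trotux.com/?q={searchTerms}"}},
  "extensions": {"settings": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {}}}
}""")

if __name__ == "__main__":
    for line in audit_browser_prefs(SAMPLE_HIJACKED_PREFS, expected_homepage="https://example.org"):
        print("WARNING:", line)
```

Run it against `json.load(open(<profile>/Preferences))` with your own homepage and extension ids; any finding is a prompt to reset the browser, not a confirmed infection.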

To remove the adware, just uninstall the respective application from your computer (or use an adware cleaner software) and then restore/reset your browser configurations to default settings.

 
The primary way to prevent such infections is to be very careful about what you agree to install.
You should always pay attention when installing software, as software installers usually include optional installs. Opt for custom installation and then de-select anything that is unnecessary or unfamiliar.

 

via:   thehackernews

US approves social media background checks for visa applicants

The U.S. is buttressing its paperwork walls with new requirements for social media disclosures as part of revised visa applications.

Reported by Reuters earlier today, the decision from the U.S. government’s Office of Management and Budget was made over strenuous objections from education and academic groups during a public comment period.

The new questionnaire will ask for social media handles dating back over the last five years and biographical information dating back 15 years.

For critics, the new questionnaire represents yet another obstacle that the government is putting in the path of potential immigrants, would-be students and qualified researchers and teachers that may otherwise want to come to the United States.

Check out the new visa questionnaire here.

Quoting an unnamed State Department official, Reuters reported that the additional information would only be requested when the department determines that “such information is required to confirm identity or conduct more rigorous national security vetting.”

In an earlier Reuters report, the news service quoted an immigration attorney railing against the new procedures:

“What this language effectively does is give the consular posts permission to step away from the focused factors they have spent years developing and revising, and instead broaden the search to large groups based on gross factors such as nationality and religion,” Gairson said.

 

via:  techcrunch

Plex Might Just Kill My Cable Box Rental – Plex becomes a low-cost, DIY streaming TV service

Plex is doubling down on its support for capturing over-the-air signals from digital antennas this morning, with the announcement that it will now not only let users record TV programs, it will also allow them to watch live TV. The result is a low-cost, do-it-yourself version of a live TV streaming service – a popular new category in the streaming market, which offers a pay-TV live experience over the internet.

To be clear, Plex only offers channels that you can get over the air – that means, broadcast stations like ABC, NBC, CBS, FOX, PBS, CW, Univision, etc.

The company, whose background is in organizing users’ personal media collections, expanded to go after the cord cutter market last fall with the introduction of DVR capabilities for recording over-the-air TV.

At the time, however, Plex required users to buy a digital antenna and an HDHomeRun digital tuner.

Today, with the added support for live TV, Plex is also expanding its lineup of supported vendors for digital tuners beyond the HDHomeRun. Users can now take advantage of USB tuners from Hauppauge and Avermedia, for example, among several other brands. (A full list of supported tuners will be posted here.)

As for the live TV interface itself, you’re able to filter the available programming by channel, genre, year, content rating or even actor. You can also click to see “Shows on Now,” which lets you see which movies, sports, news, or TV series are currently airing.

The results are displayed using large, photo thumbnails of the program, along with other details like channel and how many minutes are left in the program.

(Above: Android TV Watch Now selections)

The Program Guide also helps you find something to watch by making recommendations, based on what else you’ve been watching on Plex, and it will alert you to upcoming movies, sports, and other items of interest – like shows with new episodes or those starting soon.

(Above: iPad program guide)

Plex’s plan in venturing the live TV space is to offer consumers interested in cutting the cord a way to complement their Netflix or Amazon Prime Video subscriptions with access to the sort of television they would otherwise miss – especially local news and sports.

Plex is not exactly a full alternative to the higher-priced live TV streaming services like Sling TV, DirecTV Now, Hulu’s live TV service, YouTube TV, and PlayStation Vue. Those services bundle cable TV channels into packages and offer premium channels like HBO, while also, in many cases, including DVR recording functions.

But many consumers are tempted to subscribe to these services not for specific content, but because they miss the “always on” and passive nature of browsing live, linear TV for something to watch. In that case, Plex could fill their needs.

Plex also wants to target cord cutters because of that market’s potential for growth, the company says. 25 percent of U.S. homes are opting not to subscribe to traditional pay TV, a 2016 study found. And many who haven’t cut the cord are hanging on because they would miss their local broadcast stations – an area where Plex is poised to help.

 

The company tells us it now has 13 million registered users, though the active number is lower. The recent DVR feature was adopted by tens of thousands of subscribers, and, with support for live TV, Plex aims to grow its cord cutter audience to the hundreds of thousands.


Live TV, like the DVR recording option, isn’t offered at an additional charge. It’s still covered by the usual Plex Pass subscription price of $4.99 per month. Plex also offers its subscription at discounted rates for yearly ($39.99) or lifetime ($119.99) subscribers.

The new feature will first be supported on Plex on any iOS or Android TV platform, including the Nvidia Shield, with Android mobile and Apple TV to follow. Support for Plex’s additional platforms will roll out soon after, the company says.

 

 

If you’re thinking of using Plex as your own server/service, something to keep in mind: if you’re a movie pirate, don’t trust Plex Cloud.

 

via: techcrunch

Symantec Conducts Company-wide CyberWar Games

CyberWar Games Highlight the Increasing Danger from and to an Interconnected World.

“The next significant cyber attack will likely involve targeting the connected ecosystem of a major business, municipality or nation state, setting off, whether on accident or on purpose, the ‘domino effect’ that forces a change in global power.”

This is the conclusion of the latest annual Symantec CyberWar Games exercise.

Each year Symantec builds a full kinetic representation of a new and emerging technology, and invites its 11,000-strong global workforce to attack it. Five years ago, it was ‘nation states’. This was followed by oil and gas and SCADA systems; then finserv; and then healthcare. This year the chosen target was the global supply chain; bringing together the various technologies that enable it (mobile devices, digital currencies, SCADA, autonomous vehicles, and commodities).

Samir Kapuria, SVP and GM of Symantec’s cyber security services, explained the multiple purposes of the CyberWar Games. The first is effectively a massive staff training session — a way of honing the threat IQ of its people and the collective IQ of the company. The second is to uncover new and emerging threat vectors and existing vulnerabilities; and the third is to feed that knowledge back to the industry and into its own products.

The CyberWar Games are open to all Symantec employees, and there are no restrictions on what skills can be used. “Everyone — from Accounts, HR, Marketing, Technical — is invited to take part in the first phase, which is online. From this, the top ten teams from around the world are flown into Mountain View where we have this large kinetic representation of real industry. Our technical staff would use their technical skills, but marketing and HR people might explore methods of social engineering since that’s more in line with their own expertise.”

The teams are given a goal. This year they were asked to examine the insider threat, extortion and what could happen if the SCADA controlling an agricultural watering system was breached, forcing over-watering and destroying entire crops. “Then we moved to ‘siege’,” said Kapuria. “What happens if all of the autonomous vehicles and IOT devices are taken over in a command and control type manner, so that everything could be forced to stop at a certain time? What action could the government take, and what should it be?” The purpose is to examine how today’s technology could become tomorrow’s threat, and to learn how to prevent it.

(Image: Symantec Conducts Company-wide War Games. Image Credit: Symantec)

But this is not some massive simulation, like the flight simulators used to train pilots. “What we’ve done is create a safe physical environment for people to explore — explore and learn. We have no idea how each of these teams are going to do anything. This is one of the only industries where you have an active adversary changing the whole spectrum of the environment on a daily basis. The ground is always changing and evolving at a rapid pace. Because of that, we don’t create a fictitious simulator like a pilot’s simulation that has rules and parameters, where people have to fly within those rules.”

Doing similar within the CyberWar Games would introduce cognitive bias — would limit attack vectors to those already known to the games designers. “Instead, we build a planet; and say, here’s a planet, you figure out how to fly. We give them a task — but because it’s a complete kinetic environment, there is no imposed bias on how they might achieve that task.”

The CyberWar Games tap into the collective IQ of one of the world’s largest security firms — and what comes out is often a new and fresh look at possible attack vectors and the discovery of new 0-day vulnerabilities within that environment.

The results from the Games are best seen from last year’s event, since those have already been resolved. The Symantec wargames against the healthcare industry discovered 20 0-days in a three-day period — effectively two-fifths of all the 0-days discovered by the rest of the industry in the entire year. “When we discovered the 20 0-days in various healthcare technologies, from EMR systems to diffusion pumps and POS in pharmacies,” explained Kapuria, “the first thing we did was to engage all the different vendors, and the users we knew about through our managed services. Since we had the teams that discovered the attacks, we could also design the solutions — which we gave back to the industry.”

This year, the result of the games has highlighted what Kapuria calls the ‘digital domino effect’ enabled by the increasingly interconnected nature of society and commerce — the effect of a successful cyber-attack can ripple through supply chains. “While devastating to a business,” he explains in an associated blog, “the ‘digital domino effect’ could have a greater societal impact by escalating a seemingly small cyber attack to an exchange of global power and influence by targeting the production and trade of important commodities like oil, metals and agricultural products.”

During this year’s CyberWar Games, he continues, “teams were able to infiltrate multiple entry points within a business targeting the fabric of connected devices. They were also able to use these smart systems to string together a series of attacks creating that ‘digital domino effect’, leading to an ultimate shift in the global power and influence scale through commodities trading. Given these results, we can conclude the next significant cyber attack will likely involve targeting the connected ecosystem of a major business, municipality or nation state, setting off, whether on accident or on purpose, the ‘domino effect’ that forces a change in global power.”

 

via:  securityweek

More Than Half a Billion Passwords Compromised

A security research firm discovered that there’s an anonymous database containing more than 560 million passwords. The database is accessible on the Dark Web, and it is a compilation of information exposed by all major leaks over the last five years. It includes stolen account information from security breaches of LinkedIn, DropBox, LastFM, MySpace, Adobe, Neopets, Tumblr, Yahoo, etc. It contains more than 240 million unique email addresses. The leak consists of various sources of personal information such as emails, passwords, physical addresses, usernames, website activity, password hints, IP addresses and full names.

Have you been affected?

The best way to check if your details have been compromised is by visiting ‘Have I been Pwned.’ The site hides your private information but gives you a hint if your email has ever been compromised in a known data breach.


Even if you are not pwned, there are a few things we recommend you do before you continue with your day:

Change your password

If you’ve followed our suggestions and changed your passwords frequently, you should not worry. The database contains passwords and information from data breaches that happened years ago. However, if you’ve been pwned and you haven’t changed your passwords lately, now is a good time to do so.

Create new password hints

Please note that passwords are not the only sensitive information that has been exposed. We strongly recommend you change your password hints and security questions and answers. Better safe than sorry!

Do not use the same password

Data breaches happen and no one, including tech giants such as Yahoo, LinkedIn, Microsoft and Google, is insured against cyber threats. It is vital not to use the same password over and over again. You may be tempted to do so as it is easier to remember, but once one of these tech giants loses a battle with the hackers, you end up being the collateral damage, as your personal information usually ends up in the wrong hands.

Use a Password Manager

There are great security solutions that offer a larger degree of protection and include a password manager… all you need is a master password to access all of your favourite internet services. This way, you will only have to remember one password and, as you don’t have to memorize all of them, you can set different, more complex passwords for each service. It maintains your online privacy… at all times!

I like LastPass.

Keep your guard up

Experts suggest an average person should change their passwords at least once every three months. Add a quarterly reminder to your calendar to spend 30 minutes changing your login details. It’s a total of 2 hours per year! If you can’t find time, next time just skip watching that Adam Sandler movie you’ve been thinking about.

Install anti-virus software

The ransomware attack earlier this week affected more than 200,000 people from all over the world. It is a well-known fact that damages caused by cyber attacks cost more than a billion US dollars per year. And now information about 240 million email addresses is up for grabs on the dark web. It’s time to get antivirus software installed on your cell phone, PC, Mac, and tablet.

The database contains information gathered from previous leaks, so there is no immediate danger. However, this is yet another reminder of the importance of having your personal information safe. To be protected is no longer a luxury, it is a necessity.

 

via:  pandasecurity

OneLogin Investigating Breach at U.S. Data Center

Identity and access management solutions provider OneLogin informed customers on Wednesday that it had detected unauthorized access at its U.S. data center.

OneLogin CISO Alvaro Hoyos said the breach was detected on May 31 and blocked the same day. Law enforcement has been notified and an independent security firm has been called in to assess the impact and cause of the intrusion.

While Hoyos’ statement contains few details, the emails sent to affected customers reveal that all users served by the company’s U.S. data center are impacted and may have had their information compromised.

OneLogin said it can’t provide additional information on the incident due to the ongoing law enforcement investigation, but a support page made available to customers mentions that the exposed information can be used to decrypt encrypted data.

The company, whose services are used by more than 2,000 enterprises in 44 countries, is requiring affected customers to force a OneLogin directory password reset for all their users, generate new certificates for apps that use SAML SSO, generate new API credentials and OAuth tokens, and generate new directory tokens for Active Directory and LDAP connectors.

The list of required actions also includes updating credentials for third-party apps such as G Suite and Workday, generating new Desktop SSO tokens, recycling any secrets stored in Secure Notes, updating credentials for third-party app provisioning, updating admin credentials for apps that use form-based authentication, replacing RADIUS shared secrets, and instructing end-users to update their passwords for form-based authentication apps.

The long list of instructions for IT teams suggests that this was a significant breach that could have serious consequences.

The incident comes less than a year after OneLogin admitted that hackers gained access to Secure Notes data after stealing an employee’s password.

Secure Notes are normally protected using multiple levels of AES-256 encryption, but a bug caused the data to be visible in clear text in the company’s log management system, to which attackers had access for several weeks.

 

via:  securityweek

Enterprise Mobile Apps Expose Sensitive Data via Backend Systems

Many of the applications installed on enterprise mobile devices expose potentially sensitive data by failing to properly secure the connection between the app and backend servers, enterprise mobile security firm Appthority warned in a report.

An analysis conducted by researchers has shown that the attack vector, dubbed by Appthority “HospitalGown” due to similarities with hospital gowns which typically expose the patient’s backside, affects more than 1,000 iOS and Android apps installed on enterprise devices.

The attack relies on vulnerabilities in the mobile application’s architecture and infrastructure, and it requires finding weaknesses in the communications between the app and server-side components.

Enterprise applications often connect to a backend database that stores user and other information. One of the tools used to analyze and mine the data stored on backend servers is the Elasticsearch engine. Given its popularity in large enterprises, Appthority has decided to focus its investigation on apps that use Elasticsearch.

While the connection between the mobile app, its API and the Elasticsearch data store is typically secure, the Elasticsearch server is often exposed to the Internet. Appthority has identified more than 21,000 open Elasticsearch servers connecting to the 1,000 apps exposed to HospitalGown attacks. These servers exposed a total of 43 terabytes of data.

In addition to allowing access to data via unprotected Elasticsearch servers, the HospitalGown attack can leverage the way apps interact directly with the server. For example, researchers pointed out that an attacker could reverse engineer a mobile app to obtain the IP address of the Elasticsearch server, scan the Internet or the victim’s network for other vulnerable servers, and intercept traffic going to the server.

Appthority’s analysis focused on 39 popular iOS and Android applications found on enterprise mobile devices, such as ones used for agriculture, content management, dating, education, games, news, office productivity, travel, and mobile security and access management.

These apps were found to leak 163 gigabytes of data containing roughly 280 million records, including personally identifiable information (PII) and corporate data. Appthority believes the exposed data can be useful to launch further attacks, conduct fraud, or it can be sold to other malicious actors.

“Weakly secured backends leveraged by mobile app developers create opportunities for big data leaks and a significant increase in the risk of data misuse for spear phishing, brute force login, or other types of PII-based attacks for enterprises with employees, partners, or customers that use or have ever used these apps,” Appthority said in its report.

One of the analyzed apps was Pulse Workspace, which is used by enterprises, government agencies and service providers. While the application protected frontend Elasticsearch access using an API, the backend exposed Pulse Workspace customer data, including names, contact information, PIN reset tokens, and device information. The vendor patched the vulnerability after being notified by Appthority.


According to experts, HospitalGown attacks can be highly problematic as they are not easy to detect and prevent without comprehensive security and visibility mechanisms in place, and addressing the underlying vulnerability can prove difficult, especially if the weakness is exclusively on the backend.

 

via:  securityweek