Monthly Archives: October 2017

DDoS Attacks Cause Train Delays Across Sweden

DDoS attacks on two separate days have brought down several IT systems employed by Sweden’s transport agencies, causing train delays in some cases.

The incidents took place early in the mornings of Wednesday and Thursday, October 11 and 12, this week.

The first attack hit the Sweden Transport Administration (Trafikverket) on Wednesday. According to local press, the attack brought down the IT system that manages train orders. The agency had to stop or delay trains for the time of the attack.

Trafikverket’s email system and website also went down, exacerbating the issue and preventing travelers from making reservations or getting updates on the delays. The agency used Facebook to manage the crisis and keep travelers informed.

Road traffic maps were also affected, an issue that lingers even today, at the time of publishing, according to the agency’s website.

Three Swedish transportation agencies targeted

Speaking to local media, Trafikverket officials said the attack was cleverly aimed at TDC and DGC, the agency’s two service providers, but they were both aimed in such a way to affect the agency’s services.

Trafikverket was able to restore service in a few hours, but the delays affected the entire day’s train operations.

While initially, some might have thought this was a random incident, the next day, a similar DDoS attack hit the website of another government agency, the Sweden Transport Agency (Transportstyrelsen), and public transport operator Västtrafik, who provides train, bus, ferry, and tram transport for parts of Western Sweden.

Cyber-warfare implications

In perspective, both incidents give the impression of someone probing various parts of Sweden’s transportation system to see how the country would react in the face of a cyber-attack and downtime.

The DDoS attacks come a week after a report that Russia was testing cyber-weapons in the Baltic Sea region.

In April 2016, Swedish officials blamed Russia for carrying out cyber-attacks on the country’s air traffic control infrastructure that grounded flights for a day in November 2015.

 

via:  bleepingcomputer

Microsoft Quietly Patched the Krack WPA2 Vulnerability Last Week

Pretty sneaky, Microsoft. While some vendors were scrambling to release updates to fix the KRACK Attack vulnerability released today, Microsoft, quietly snuck the fix into last week’s Patch Tuesday.

While Windows users were dutifully installing October 10th’s Patch Tuesday security updates, little did they know they were also installing a fix for the KRACK vulnerability that was not publicly disclosed until today. This fix was installed via a cumulative update that included over 25 other updates, but didn’t provide any useful info until you visited the associated knowledge basic article.

Windows 10 October Cumulative Update

Windows 10 October Cumulative Update

Even if you were bored enough to actually click on the More info button, you would have had to be REALLY bored to even spot a reference to a vague mention of a wireless security update in the last bullet item of the knowledge base article.

Reference to Wireless Networking Security Update

Reference to Wireless Networking Security Update

 

A Microsoft spokesperson told BleepingComputer that “Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”

While, I am not typically a fan of sneaky updates, I understand why it was necessary to fix the vulnerability while keeping information about it secret until it was officially disclosed.

Did Microsoft do the right thing quietly patching the update or is full disclosure the only way to go? I will let you decide.

 

The researcher who found the flaws doesn’t appear to think silent patches are a good idea. OpenBSD did the same thing and here is what he said in the FAQ on the KRACK website:

“Why did OpenBSD silently release a patch before the embargo?

OpenBSD was notified of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt replied and critiqued the tentative disclosure deadline: “In the open source world, if a person writes a diff and has to sit on it for a month, that is very discouraging”. Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability. In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.”

 

via:  bleepingcomputer

WPA2: Broken with KRACK. What now?

On social media right now, strong rumors are spreading that the WPA2 encryption scheme has been broken in a fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it provides any security.

The current name I’m seeing for this is “KRACK”: Key Reinstallation Attack. If this is true, it means third parties will be able to eavesdrop on your network traffic: what should be a private conversation could be listened in to.

This has happened before with WiFi: who remembers WEP passwords? However, what is different this time around: there is no obvious, easy, replacement ready and waiting. This is suddenly a very big deal.

In truth, WPA2 has been suspect for some time now. A number of attacks against WPA2-PSK have been shown to be successful to a limited degree, WPA2-Enterprise has shown itself to be slightly more resilient (but doesn’t protect you from these problems).

This is a story that is unfolding as I write. Please be aware:

  • I’m not one of the researchers here: credit for this goes to Mathy Vanhoef and Frank Piessens at KU Leuven, who have a great track record of discovering problems here. I want to be clear about this as I’ve be quoted incorrectly in a couple of places!
  • www.krackattacks.com is now up! There is a list of vendor announcements being written, but remember all vendors are potentially affected. Few vendors appear to have updates ready
  • Attacks against Android Phones are very easy! Oh dear Best to turn off wifi on these devices until fixes are applied.
  • Windows and Mac OS users are much safer. Updates for other OSes will come quite quickly, the big problem is embedded devices for whom updates are slow / never coming
  • For the very technical, the CVE list is at the bottom of this post.
  • The main attack is against clients, not access points. So, updating your router may or may not be necessary: updating your client devices absolutely is! Keep your laptops patched, and particularly get your Android phone updated
  • Correction: I’ve highlighted specifically that WPA2-Enterprise is vulnerable.
  • If you have some great advice to share or corrections to this, please let me know!

Information here is good as of 2017-10-16 16:00 UTC.

So, this is going to be a horrible Monday morning for IT admins across the world. The practical question is: what now?

Keep Calm

Remember, there is a limited amount of physical security already on offer by WiFi: an attack needs to be in proximity. So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.

Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site – like this one – your browser is negotiating a separate layer of encryption. Accessing secure websites over WiFi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.

So, we’re alright?

In a word, No. There are plenty of nasty attacks people will be able to do this. They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad – again, they won’t be able to pretend to be a secure site like your bank on the wifi, but they can definitely pretend to be non-secure resources. Almost certainly there are other problems that will come up, especially privacy issues with cheaper internet-enabled devices that have poor security.

You can think of this a little bit like your firewall being defeated. WiFi encryption mainly functions to keep other devices from talking on your network (the security otherwise has been a bit suspect for a while). If that no longer works, it makes the devices on your network a lot more vulnerable – attackers in proximity will now be able to talk to them.

Story for your boss

Keep it simple, and ideally get ahead of the game by communicating now. Re-iterate:

  • this won’t let people who are not physically present into your networks;
    (Mobile phones with WiFI are an attack vector (that does not require physical presence)
  • it’s unlikely any data is protected by the encryption WPA2 provides; in particular, accessing secure websites is still fine;
  • think about increasing the level of security of the nodes on your network if possible – make sure your AV is up-to-date, firewalls turned on, etc.;
  • if you’re paranoid about certain data or systems, turn off WiFi and switch to one of an internal VPN, a wired ethernet connection or mobile data (for WAN access);
  • that you are on top of the situation and monitoring the best next steps.

In terms of what to do, in many ways, we’re at the behest of our vendors. If you have a high quality vendor (I would include companies like Ruckus and Cisco in this bracket, for example) I expect new firmware to be available very shortly to mitigate these problems. This may well result in incompatibility with existing devices: as a business, you will need to make a decision in that case (unless you need compliance with PCI-DSS or similar, in which case you likely have little choice).

Story for friends / family

This is where it gets really sucky. Lots of us have old routers at home, which have no chance of a firmware upgrade, and lots of WiFi equipment that may well not get a protocol upgrade if one is required. Right now, it sounds like all this stuff is going to be worthless from the perspective of encryption.

Reiterate the same points as above:

  • secure websites are still secure, even over WiFi;
  • think about setting your computers to “Public Network” mode – that increases the level of security on the device relative to “Private / Home Network” modes. Remember, if third parties can get onto our home networks, they’re no longer any safer than an internet café;
  • if you’re paranoid about your mobile, turn off WiFi and use mobile data when necessary;
  • it sounds like no similar attack against ethernet-over-mains power line is possible, so home networks based on mains plugs are problem still ok;
  • keep computers and devices patched and up-to-date.

What for the future?

As I said before, this is a big problem, but not one that was unexpected. A number of encryption protocols have been problematic over the years; many of the implementations of those protocols have been even worse.

It’s clear to me that “Internet of Things” type devices will be the hardest hit. Devices with embedded WiFi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates. As a protocol problem, it’s possible we will be forced to choose between security and functionality, and many users will choose the latter – it’s a difficult problem to weigh.

I would love to say there’s an easy answer. I think it’s important that networks become increasingly software-defined, and that it makes sense that future standards focus on that runtime rather than the protocol itself. We cannot rely on vendors to keep devices up-to-date either (for many reasons), but previous attempts at standardizing a runtime (like UEFI) aren’t promising, either technically or security-wise.

As consumers, we have to continually question the security credentials of devices we buy, and demand the best evidence of their security. This is a tough ask; even in the IT world, buying “secure” is difficult. In tech we must strive for better.

CVEs involved

If you don’t know what these are, don’t worry – they are the “official notifications” of a problem, if you like. If you have a vendor of WiFi equipment, you will want to ask them if they’re affected by any of these, and if so, what the solutions are:

  • CWE-323
  • CVE-2017-13077
  • CVE-2017-13078
  • CVE-2017-13079
  • CVE-2017-13080
  • CVE-2017-13081
  • CVE-2017-13082
  • CVE-2017-13083
  • CVE-2017-13084
  • CVE-2017-13085
  • CVE-2017-13086
  • CVE-2017-13087

 

via:  alexhudson

Pizza Hut Notifies Customers of Data Breach

American restaurant chain Pizza Hut has notified customers of a data breach that might have exposed some of their personal and financial information.

On October 14, the Italian-American cuisine franchise wrote to a portion of its customer base about an “unauthorized third party intrusion” involving its website. Pizza Hut thinks that the incident might have affected individuals who placed an order using the company’s website or mobile application during the 28-hour period stretching from the morning of October 1st to around midday on October 2nd.

If that’s the case, it’s possible the event exposed customers’ personal and financial information including their names, street addresses, email addresses, and payment card details.

The food chain goes on to say in its letter that it’s since terminated the instance of unauthorized access:

“Pizza Hut identified the security intrusion quickly and took immediate action to halt it. The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected. That said, we regret to say that we believe your information is among that impacted group.”

A portion of Pizza Hut’s letter sent to affected customers. (Source: Bleeping Computer)

 

A Pizza Hut call center operator confirmed that the intrusion is believed to have affected 60,000 customers, reports The Sacramento Bee.

Upon learning of the incident, more than a few of these consumers took to social media. Many vented their frustration about having learned of the data breach two weeks after it occurred.

image

Such a delay isn’t necessarily a bad thing, however. Pizza Hut could have waited to notify customers to prevent other hackers from learning of the data breach. It could also have decided to forestall disclosure until it knew exactly how many customers were involved and what kinds of information the incident might have compromised.

Anyone who has received a notice from Pizza Hut should watch their bank accounts and credit statements for suspicious activity. If any unauthorized transactions pop up, they should notify their card issuer immediately.

News of this incident follows several months after Arby’s Restaurant Group, Inc. confirmed a breach of its payment systems at its corporate restaurant locations.

 

via:  tripwire

 

 

Cryptocurrency mining affects over 500 million people. And they have no idea it is happening.

This autumn the news spread that some websites had been making money by mining cryptocurrencies in their users’ browsers. AdGuard has been among the first to add protection from this hidden activity. AdGuard users now receive warnings if a website has been trying to mine, and the users are given the option to let it continue or to block the mining script from running.

They decided to research the issue more so that we could understand its scale and impact. On the Alexa list of the top one hundred thousand websites, they looked for the codes for CoinHive and JSEcoin, the most popular solutions for browser mining in use now.

We found 220 sites that launch mining when a user opens their main page, with an aggregated audience of 500 million people. These people live all over the world; there are sites with users from the USA, China, South American and European countries, Russia, India, Iran… and the list goes on.

220 sites may not seem like a lot. But CoinHive was launched less than one month ago, on the 14th of September.

How much money have these websites made? We estimate their joint profit at over US $43,000. Again, right now it’s not millions, but this money has been made in three weeks at almost zero cost.

Examining the website list more closely, we discovered that many of them are from the “gray zone”, mostly pirate TV and video sites, Torrent trackers and porn websites. Judging from these characteristics, we begin to wonder if browser mining is a bad thing and if it should be banned from the Internet.

There may be a further explanation for the fact that browser mining is found mostly on websites with a shady reputation. These sites traditionally have trouble making money through advertising, so they are open to experiments and innovation. Porn sites have always been early adopters; a lot of new tech solutions were actually invented by porn site developers and later copied by other webmasters.

In fact, it was the largest torrent search engine, The Pirate Bay, that made CoinHive famous by being caught using it. But among the “early adopters” of CoinHive were the Web properties of CBS’s Showtime network, Showtime.com and Showmeanytime.com. CoinHive disappeared from the CBS sites shortly after media coverage of this activity began to break out. The assumption was made that the mining had been a private initiative of some adventurous Webmaster within the Showtime network.

The company’s video streaming platforms are the exact type of websites that are good for mining: They boast a huge audience that keeps their site open in their browsers for a long time.

The problem with in-browser mining is not that it’s a bad thing by itself. There are no good and bad tools and technologies, but there are good and bad ways to use them.

The ethical way for a website to earn money by mining through its audience’s computers is to ask the audience for permission first, and to allow them the possibility to opt out. Actually, such a practice could make mining even more ethical than ads. After all, nobody asks us if we would like to see ads on a website. Mining parasitizes the user’s CPU, where ads parasitize the user’s attention, emotions, bandwidth, and often, their laptop or smartphone battery, and supports an industry of personal data harvesting that is a big headache in of itself.

The CoinHive team has issued a statement calling on website operators to inform their users about the mining operations and to ask for user permission to do this. However, we believe that it is very hard for them to force this recommendation into action; for example, they cannot forbid stealth mining.

But there are other ways to get miners to behave themselves. A popular CDN service called Cloudflare recently started to suspend accounts and deny service to sites that mine without user permission. A number of ad blockers and antivirus programs also added features that block browser mining.

At AdGuard they have also updated their apps in order to restrict mining. But they do not accomplish this by simply silently blocking it. Instead, they offer their users the choice to let a site mine, or to forbid it to launch mining in their browsers. With this approach, they achieve two goals at the same time: prevent hidden mining and expose websites attempts to abuse the technology.

Cryptocurrency mining on websites honestly does promise great possibilities. But these could be lost if abusive practices continue.

Why exactly is it so promising? Experts presently say that only sites with really huge audiences can make even somewhat substantial money on mining. Is this then just a game for a few, who actually don’t need any new monetization tools, since a big audience pays off perfectly with ads?

We see several reasons to believe in a big future for mining on sites:

  1. Cryptocurrencies are growing rapidly; existing currencies grow in value and new ones appear. Mining will eventually become more profitable.
  2. Mining may not promise huge profits, but neither do ads. An audience of a website might be big, but not “expensive” from the marketing point of view.
  3. Any alternative to advertising is a good thing. Ads annoy, so more and more people use ad blockers and simply do not see ads. Ads, after all, abuse users’ device resources — the same thing mining is criticized for. But what do we have besides ads, if we want a non-ecommerce website to feed us or at least to feed itself? We know that ideas like paid subscriptions and donations are truly at the end of the list. Of course, there are vehicles like crowdfunding, investments, and IPOs, but to put it mildly, these sources of capital are not accessible for everyone.

This is why we propose not to relegate cryptocurrency mining to the dark side by blocking it. We should harness this young and vigorous beast for our own common good.

  • UPDATE 1: Initially, the article contained a mistake – 220 of 100k is 0.22%, not 2.2%.
  • UPDATE 2: CTO of the largest website detected, uptobox.com (60M monthly visitors) said that they had removed the CoinHive code.
  • Full infographics image is here.
  • Raw research data.
  • We used SimilarWeb to analyze web traffic for each site.

 

Check out  How to block cryptocurrency mining in web browser with chrome extensions and other free ways.

 

via:  adguard

Commit a crime? Your Fitbit, key fob or pacemaker could snitch on you.

Law enforcement entities are turning to Fitbits and similar internet-connected devices for information regarding criminal investigations.

The firefighter found Richard Dabate on the floor of his kitchen, where he had made a desperate 911 call minutes earlier, court records show. Bleeding and lashed to a chair with zip ties, the man moaned a chilling warning: “They’re still in the house.”

Smoke hung in the air, and a trail of blood led to a darkened basement, as Connecticut State Police swarmed the large home in the Hartford suburbs two days before Christmas in 2015.

Richard, 41, told authorities a masked intruder with a “Vin Diesel” voice killed his wife, Connie, in front of him and tortured him. Police combed the home and town of Ellington but found no suspect.

With no witnesses other than Richard Dabate, detectives turned to the vast array of data and sensors that increasingly surround us. An important bit of evidence came from an unlikely source: the Fitbit tracking Connie’s movements.

Others from the home’s smart alarm systems, Facebook, cellphones, email and a key fob allowed police to re-create a nearly minute-by-minute account of the morning that they said revealed Richard’s story was an elaborately staged fiction.

Undone by his data, Richard was charged with his wife’s murder. He has pleaded not guilty.

The case, which is in pretrial motions, is perhaps the best example to date of how Internet-connected, data-collecting smart devices such as fitness trackers, digital home assistants, thermostats, TVs and even pill bottles are beginning to transform criminal justice.

The ubiquitous devices can serve as a legion of witnesses, capturing our every move, biometrics and what we have ingested. They sometimes listen in or watch us in the privacy of our homes. And police are increasingly looking to the devices for clues.

The prospect has alarmed privacy advocates, who say too many consumers are unaware of the revealing information these devices are harvesting. They also point out there are few laws specifically crafted to guide how law enforcement officials collect smart-device data.

Andrew Ferguson, a University of the District of Columbia law professor, says we are entering an era of “sensorveillance” when we can expect one device or another to be monitoring us much of the time. The title of a law paper on the topic put the prospect this way: “Technology is Killing Our Opportunity to Lie.”

The business research company Gartner estimates 8.4 billion devices were connected to the internet in 2017, a 31 percent increase over the previous year. By 2020, the company estimates there will be roughly three smart devices for every person on the planet.

“Americans are just waking up to the fact that their smart devices are going to snitch on them,” Ferguson said. “And that they are going to reveal intimate details about their lives they did not intend law enforcement to have.”

– – –

The Dabates’ yellow Colonial was festively decorated with wreaths on the windows the morning of Dec. 23, 2015. Richard, Connie and their two boys, ages 6 and 9, bustled around getting ready for the day.

To many of their acquaintances, the family appeared to be an ordinary one in a quiet bedroom community. Richard was a network administrator, and Connie worked as a pharmaceutical sales representative.

Joann Knapp, a former neighbor of the Dabates, fondly recalls Connie popping over to her house to ask her out for walks while Knapp was having a difficult pregnancy. Knapp said Connie and Richard appeared to have a happy – even passionate – marriage.

“They couldn’t keep their eyes off each other,” Knapp said. “It was a look that you would want.”

But behind that public face, Connie’s killing would reveal a darkly tangled relationship and a major secret.

Richard and his attorney did not respond to requests for comment. Richard gave a detailed — but shifting — account of Connie’s killing to detectives over six hours on the day of the slaying. It is contained in his arrest warrant.

On the drive to work that morning, Richard said, he got an alert on his phone that the home’s alarm had been triggered. He said he shot an email to his boss and returned home, arriving there between 8:45 a.m. and 9 a.m.

Richard told police he heard a noise on the second floor and found a hulking intruder wearing camouflage and a mask inside the walk-in closet of the master bedroom. The intruder demanded his wallet at knifepoint.

Soon after, Connie returned home from an exercise class; Richard told investigators he yelled at her to run. Connie fled into the basement, and the intruder followed.

When Richard arrived on the lower level, he made his way through darkness, finding the man pointing a gun at Connie’s head. Richard said that the gun was his own and that Connie must have removed it from a safe to defend herself.

Richard said he charged but heard a deafening blast and fell. When he got up, Connie was slumped on the ground. Police would later determine the gunshot hit her in the back of her head.

The intruder disabled Richard and then zip-tied one of Richard’s arms and one of his legs to a folding chair, according to the account.

The intruder jabbed Richard with a box cutter. The man also started a fire in a cardboard box using a blow torch, which he then turned on Richard’s ankle.

Richard told investigators he saw an opening: He jammed the blow torch in the man’s face and singed it. The intruder ran out.

Richard said he crawled upstairs with the chair still attached, activated the panic alarm, called 911 and collapsed. The firefighter found him soon after.

– – –

The chaotic scene inside the Dabate home had all the hallmarks of a home invasion, but a few details would prompt investigators to take a closer look.

Dogs brought in to track the suspect could find no scent trails leaving the property and circled back to Richard, according to arrest records. Richard also aroused suspicion when detectives asked whether their probe would reveal any problems between him and Connie.

He took a deep breath and offered: “Yes and no.”

Richard told a bizarre story. He said that he had gotten a high school friend pregnant and that it was Connie’s idea. He said the three planned to co-parent the child, since his wife wanted another baby but could not have one for health reasons.

Later, Richard changed his story, saying that the pregnancy was unplanned and that he had a romantic relationship with the friend. Detectives found no evidence Connie knew of the pregnancy.

“This situation popped up like a frickin’ soap opera,” Richard told detectives.

The admission pointed toward a possible motive for Connie’s killing, but it would be the data detectives uncovered that would give them evidence to conclude his story was a lie.

Detectives had noticed Connie was wearing a Fitbit when they found her body.

They requested the device’s data, which showed she had walked 1,217 feet after returning home from the exercise class, far more than the 125 feet it would take her to go from the car in the garage to the basement in Richard’s telling of what happened.

The Fitbit also registered Connie moving roughly an hour after Richard said she was killed before 9:10 a.m. Facebook records also cast doubt on Richard’s timeline, showing Connie had posted as late as 9:46 a.m.

Detectives would also come to doubt that Richard left home that morning, after examining data from his home alarm system and his email account.

Records indicate he used a key fob to activate his home alarm from his basement at 8:50 a.m. and then disabled it at 8:59 a.m. from the same location.

Richard also told investigators he emailed his boss from the road after getting the alert about the alarm. But records from his Microsoft Outlook account showed he sent the email from the IP address associated with his home.

Combined, the data punched major holes in Richard’s story. Police obtained an arrest warrant for him in April.

The high school friend of Richard’s told authorities he had said he planned to serve divorce papers on Connie the week she was killed. Richard had texted her the night before Connie’s death: “I’ll see you tomorrow my little love nugget.”

– – –

The Dabate case is just one of a handful in which law enforcement officials have resorted to smart-device sleuthing.

In September 2016, an Ohio man told authorities he awoke to find his home ablaze, but police quickly suspected he set the fire himself. They filed a search warrant to get data from his pacemaker.

Authorities said his heart rate and cardiac rhythms indicated the man was awake at the time he claimed he was sleeping. He was charged with arson and insurance fraud.

Prosecutors in a 2015 Arkansas murder case sought recordings from the suspect’s Amazon Echo when a 47-year-old man was found floating in the suspect’s hot tub after a night of partying. Authorities thought the voice-activated assistant may have recorded valuable evidence of the crime.

Amazon.com challenged the search warrant in court, saying that the request was overly broad and that government seizure of such data would chill customers’ First Amendment rights to free speech. But the challenge was eventually dropped because the suspect agreed to allow Amazon to turn over the information.

(Amazon chief executive Jeffrey Bezos is the owner of The Washington Post.)

Virginia State Police Special Agent Robert Brown III of the High Technology Division said the current trickle of such smart-device cases will probably soon become a flood.

“It will definitely be something in five or 10 years, in every case, we will look to see if this information is available,” Brown said.

Amazon and Fitbit said in statements that they won’t release customers’ data to authorities without a valid legal demand, but they declined to say how many such requests they have received from law enforcement.

“Respect for the privacy of our users drives our approach,” Fitbit said in its statement.

Ferguson, the law professor, said a case before the Supreme Court could be key in determining how exposed smart-device data is to searches by law enforcement.

In 2011, investigators in Detroit obtained months of cellphone location data on a suspect in a robbery investigation without a search warrant. Timothy Carpenter was later convicted, in part on this information gleaned from cellphone companies.

Carpenter is arguing in his appeal that such cellphone location data is so powerful it should be covered by the protections of the Fourth Amendment and that police should be required to get a search warrant to obtain it.

Courts have long held that people who voluntarily disclose information to a bank, cellphone company or other third party have no reasonable expectation of privacy. Ferguson said that since many smart devices transfer data to company servers, this third-party doctrine could apply to them, as well.

Ferguson said a ruling against Carpenter might clear the way for authorities to seek smart-device data stored on those servers without a warrant.

“In a world of truly ubiquitous connectivity where we are recording our heartbeat, our steps, our location if all of that data is now available to law enforcement without a warrant, that is a big change,” he said. “And that’s a big invasion of what most of us think our privacy should include.”

 

via: chicagotribune

Hyatt Hotels discovers card data breach at 41 properties

Hyatt Hotels Corp (H.N) said on Thursday it had discovered unauthorized access to payment card information at certain Hyatt-managed locations worldwide between March 18, 2017 and July 2, 2017.

Hyatt said the incident affected payment card information, such as, cardholder name, card number, expiration date and internal verification code, from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. (bit.ly/2yHBSfr)

The owner of Andaz, Park Hyatt and Grand Hyatt chain of hotels said a total of 41 properties were affected in 11 countries, with China accounting for 18 properties, the most among impacted countries.

Seven Hyatt properties were affected at U.S. locations, including three in Hawaii, three in Puerto Rico and one in Guam.

The Chicago, Illinois-based company said its cyber security team discovered signs of the unauthorized access in July and launched an internal investigation, completed on Thursday, that resolved the issue and took steps to prevent this from happening in the future.

This is not the first time Hyatt is facing data breach problem at its hotels.

In late 2015 Hyatt said its payment processing system was infected with credit-card-stealing malware, that had affected 250 hotels in about 50 countries.

 

via:  reuters

Microsoft’s mystery update arouses anger, suspicion among Windows 10 users

Microsoft’s update servers are pushing out a new Photos Add-on app, with no explanation of what it does. Windows 10 users aren’t taking it well.

Microsoft’s update servers began pushing out a mysterious new app recently, and the new arrival is stirring up suspicion and anger among some Windows 10 users.

The new app is called Photos Add-on, and its entry in the Windows Store offers few clues about what it is or does.

photos-add-on-store-listing.jpg

This mystery app has drawn caustic reviews from suspicious Windows 10 users.

On my test systems, the new app appeared as part of Windows updates delivered on October 10. Based on ratings and reviews in the Store, other Windows 10 users saw the update as early as October 1.

More than 70 percent of the early reviews have given the mystery add-on a 1 star rating, with reviewers adding comments like these:

  • Installed without permission
    I didn’t ask for this, I didn’t approve this, I didn’t even know you were planning on installing this. When will you get it that people don’t want YOU to decide what gets installed on MY computer. Stop it already.
  • Forced install
    Not cool, MS.
  • Don’t install without asking
    I have no idea what this even does. Why do I have it and why didn’t I have a choice?

So, what is the mystery app? The answer turns out to be relatively innocuous.

It is indeed an update for the built-in Photos app, included with every copy of Windows 10. Its official name is Photos.DLC.Main (DLC apparently stands for “downloadable content”), and it’s listed in Settings > Apps > Apps & Features. Find the Photos app, click Advanced Options, and look under the App Add-ons & Downloadable Content heading:

photos-add-on-advanced-options.jpg

The Photos add-on can be uninstalled, although there’s no reason to do so.

Ad far as I can tell, this is the first public release of a feature that was announced 18 months ago, as part of a Windows 10 preview build delivered in April 2016:

You will also be able manage app add-ons and downloadable content [in Settings] if the app supports this capability as discussed at Build 2016. While there are currently no apps that support add-ons or downloadable content in the Store, please stay tuned for availability of apps that do once they are released.

The add-on model is documented in this reference page for the Universal Windows Platform API. A source with knowledge of this add-on told me that it’s part of an architectural change that will allow Microsoft to deliver new functionality and content updates to the Photos app, including 3D effects, filters, and text.

It’s also yet another example of an unforced error on Microsoft’s part. Even a tiny amount of documentation in the listing for this add-on would have tamped down the suspicion. Instead, it’s fresh fuel for conspiracy theorists.

 

via: zdnet

Equifax website borked again, this time to redirect to fake Flash update

In May credit reporting service Equifax’s website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors’ computers with adware that was detected by only three of 65 antivirus providers.

Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp//:centerbluray.info that looked like this:

 

He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the influence of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.

Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least four domains before finally opening the Flash download at the same centerbluray.info page.

 

 

The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes flagged the centerbluray.info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults.com.

 

Malvertising?

It’s not yet clear precisely how the Flash download page got displayed. The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that’s responsible for the redirects. In that case, the breach, technically speaking, isn’t on the Equifax website. But even if that’s true, the net result is that the site is arguably compromised in some way, since administrators can’t control the pages visitors see when they’re trying to use key functions, some which require visitors to enter Social Security numbers.

Several hours after this post went live, an Ars reader e-mailed to say he recently encountered a sketchy ad when putting a temporary fraud alert on his Equifax file. The reader wrote:

When I clicked it (from Gmail on Android) I was redirected to a spam page shortly after seeing the Equifax credit file form. I thought maybe it was an anomaly because it didn’t happen again. But after reading your article about how sometimes hacks will redirect randomly I tried the link again just now and sure enough I got a spam page again (lucksupply.club saying I won an iPhone X). This is Chrome-in-a-tab from Gmail so i don’t believe there’s any extensions or other malware on my device that could have caused this redirect.

 

 

In the hour this post was being reported and written, Abrams was unable to reproduce the redirects leading to the malicious download, but he said they returned early Thursday morning. Shortly after that, a section of the site was taken down. In an e-mail sent mid Thursday morning, an Equifax representative wrote:

We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.

Post updated at several times on the morning of 10/12/2017 Pacific time to discuss ad networks and add details of ad served on reader. The word “hacked” was removed from the headline to reflect the possibility the redirects are the result of a third-party malvertising campaign.

 

via:  arstechnica

How Cybercriminals Change Tactics During Their Cyber Attacks

Here’s how online criminals use the surprise factor to spread malware.

Cyber attacks continue to rise and impact both organizations and home users worldwide. Despite all the efforts and prevention measures taken by everyone, these attacks keep wreaking havoc, with no signs of slowing downs.

Why are these online threats still spreading? How do cyber criminals manage to change tactics during their attacks?

With these questions in mind, we will look into the threat landscape to see how malware authors have switched to more sophisticated attack vectors. They are now using more advanced and complex technology to find their next targets, infect various devices, and get access to users’ sensitive data.

Have you noticed that cyber criminals became ingenious during attacks and use a surprise factor?

This year, WannaCry was the largest global ransomware attack in the Internet history.

Why was this cyber attack a success for cyber criminals? What was different from the rest of attacks? It had a low detection rate. Attackers exploited a vulnerability in Windows system that allowed it to move laterally within networks and infect hundreds of computers. They used a leaked NSA exploit called EternalBlue, for quickly spreading malware and infecting a large number of computers.

This is just one of the examples that we’ll discuss in this article, so you can understand how online criminals are changing their ways.

How cyber attacks have evolved in 2017

So far, 2017 has proved to be a productive year for cybercriminals, as we witnessed a large number of new cyber attacks hitting the malware market. From the massive WannaCry ransomware of “unprecedented level” to the (non)Petya outbreak, from the historical Equifax data breach to the recent CCleaner incident; they come in all shapes and sizes, are difficult to be anticipated and cause a lot of damage.

It seems that this year cyber attacks are happening at a higher frequency than previous years, and still have a high impact rate. Everyone has been (and is) suffering from these large-scale attacks, whether they lose their valuable data or businesses are being disrupted. Everyone is vulnerable, but we can always learn to become more resilient to such attacks and take cyber security more seriously.

For example, the mid-year CheckPoint Research for 2017 found that most global regions have been hit by ransomware, already a mainstream and a widespread security threat.

The ransomware invasion has increased significantly this year with a big impact and causing data leakage/important financial loss for both organizations and home users. It continues to dominate the threat landscape and also affect important sectors such as hospitals, banks, universities, Government, law firms, mobile users.

The financial consequences of the cyber attacks don’t seem to be on a positive note, as the global average costs of cybercrime continue to increase. A recent “Cost of CyberCrime” Study conducted by Ponemon Institute and jointly developed by Accenture, has shown that cost of cybercrime is now 23 percent more than last year and is costing organizations, on average, US$11.7 million.

Source: Accenture

Inside the mind of cybercriminals

You might wonder: what’s inside the mind of a cyber criminal? What motivates these bad guys to take malicious actions and steal other people’s sensitive information? Is it just money or are they looking to show off?

Source: Recordedfuture.com

Often, technology is being used against us, and not to our benefit, as expected. This happens with skilled people who are tech-savvy and know how to operate efficiently.They can reach these days further than before, into our private lives, our homes or work offices. And most of the time, we can’t do nothing about it.

Here’s how hackers approach an attack:

Source: MIT Sloan Management Review

Putting yourself in the shoes of cybercriminals gives you more insights of their behaviour and the way they think. They tend to be intelligent and creative individuals who enjoy taking risks, have a keen interest in computer science and are often labeled as geeks. Good social and communications skills are also required, as they might use them to easily manipulate victims or to better perform various critical actions. Sometimes they operate alone, sometimes they are organized in a group.

Cybercriminals now change tactics during attacks

As we live in an interconnected world, cyber attacks seem to become a cliche in today’s society. Without any doubts, we are more and more addicted to our smart devices and apps/software programs that should make our lives easier. While they are designed to help us better communicate and interact, they are vulnerable to online threats.

The vulnerability issue of our devices is linked with the fact that software isn’t 100% secure or perfect. It might have small flaws and fail at some point. Despite the engineers’ efforts of covering all the technical aspects and trying to make software better, computers become easy targets for the bad guys. What matters is to build quality software.

Having a world with less software is not an option. The software is actually doing stuff that is helping us. So this should not be an excuse for deploying vulnerable software, but an incentive to make software better.” said Walter Belgers in an interview for DefCamp.

As expected, in many cases, cyber criminals take advantage of the vulnerable software, exploit flaws and start spreading malware. But they aim to do this in ways that are difficult to anticipate and, consequently, challenging to stop.

Cyber attacks have been happening for years, as malicious hackers focus on stealing money, financial data, intellectual property or simply disrupting the a company’s operations. What has changed is the modus operandi of cyber criminals. They’ve become more skilled and use new workarounds to help them avoid the usual security tactics employed by organizations worldwide. They seem to know which tactics (will) work.

The following examples are proof of the cyber criminals’ level of ingenuity.

1. Leveraging vulnerabilities that affect widely used types of software

During the massive WannaCry ransomware, cyber criminals used theEternalBlue method for quickly spreading malware and infecting a large number of computers. The reason why this particular malicious campaign became so extensive is that it exploited a vulnerability in Windows system that allowed it to move laterally within networks and infect other computers.

It’s the same type of ransomware that hasn’t changed, but cybercriminals decided to use a different tactic: exploiting an unpatched vulnerability found in a piece of software used on a global scale. This ransomware outbreak was different because of its self-replicating abilities that enabled it to spread fast and affect many companies and public institutions worldwide.

2. Changing the type of malware delivered during the same cyber attack

Petya (Petya.A, Petya.D, or PetrWrap) was another ransomware outbreak similar to WannaCry, that spread fast, but changed the type of malware from ransomware to wiper. Unlike WannaCry, it used multiple attack vectors and dropped a malware cocktail meant to encrypt and then take in and exfiltrate as much confidential data as possible. The purpose of a wiper is to destroy and damage, while ransomware is mainly focused on making money.

Using a different type of malware during cyber attacks is another surprise factor from cyber criminals. Malware cocktails proved to have a high rate of success with the Cerber ransomware campaign where they injected malicious scripts to drive infection rates.

In another malicious campaigns, attackers used GootKit and Godzilla info stealers to collect and steal victims’ financial information. These types of banking Trojans are part of a more complex malware cocktail, that can include rootkits, worms or other malware that enslave a computer to a botnet. Cyber criminals used these info stealers to compromise users of various online banking solutions.

This type of malware with a low detection rate was also used during the (non)Petya ransomware outbreak. Attackers decided to change the type of malware from ransomware to wiper, and they also dropped a malware cocktail to encrypt users’ files.

3. Changing ransomware extensions to delay strain detection

Not only are spam campaigns more frequent, but they’re also larger in scale and use new infection vectors. Locky ransomware made its appearance again and the most recent campaign used a new extension called .lukitus to encrypt files.

Locky stands out from the pack, because of its frequent attacks, but other ransomware strains have applied the same tactic in the past years as well.

Each time a new extension pops up, victims wonder how they can retrieve their data and it usually takes a few days, depending on the strain’s complexity, to figure out what the type of malware really is.

4. Using auto-updating elements to automate new payload delivery

Attackers also turned to auto-updating links in malicious emails, which is a fairly new tactic. This approach was different because “the file exploits a Microsoft Word feature that can make files automatically update links included in them as soon as they are opened”.

The same attack can thus be used to deliver multiple types of malware, depending on the attacker’s objectives.

We recommend keeping an eye on these malicious spam emails!

Source: Helpnet Security

5. The matrioshka social engineering attack

For the malware threat discovered via Facebook Messenger, cyber criminals used a slightly different form of social engineering.

The unusual factor comes from the various angles used in the same attack. Online criminals employed a malicious browser extension for Chrome and Firefox and a binary package that installed adware on users’ computers.

They tried to trick people by convincing they access a legitimate link from one of their Facebook friends, so they can click on the malicious link. The message included a BIT.LY link which had a video with the person’s name.

Although this approach to luring victims with malicious links in social media messages is not new, it still works to the dismay of many home users.

6. Spoofing gets more difficult to identify

Spoofing attacks have changed and became more difficult to be spotted. During an email spoofing attack, the malicious hackers disguise and sent a fake email which looks similar to the original one. Cyber criminals aim at making victims believe they receive a genuine email from the real sender, while it is quite difficult for the untrained user to spot the suspicious elements.

During a new Locky spam campaign, cyber attackers used these tactics to spoof Dropbox, and here’s how a misleading email looks like as opposed to the legitimateone:

As you can see, attackers are getting better and better at impersonating legitimate entities. With so many online accounts, it’s becoming increasingly difficult to identify spoofing or phishing, which leads to more users getting compromised.

Filtering this kind of threats and educating users to identify them proactively is an uphill battle that will certainly continue in the next years.

7. Proof of concept attacks targeting widespread vulnerabilities get scarier

Last month, researchers warned about a new attack vector – known as “Blueborne” – can potentially enable cyber attackers to spread malware through thin air and potentially infect all devices that include Bluetooth wireless technology. This method of operation was different from two points of view: zero human interaction and no Internet connection. The result? More than 5.3 billion devices across Android, Windows, iOS, or Linux were found vulnerable to BlueBorne!

These are proof of concept attacks and similar to car hacking that happened a few years ago.  We could anticipate that such attacks might become a reality showing us how easily attackers can take advantage of vulnerabilities in software or hardware to compromise our devices.

Source: Google Play

8. Everyone’s data is (now) leaked

Data breaches have reached catastrophic proportions. The recent Equifax data breach has potentially impacted 145.5 million US consumers who might have had their sensitive personal information exposed. During this attack, cyber criminals took advantage of a security hole in the Apache Struts web application framework (CVE-2017-5638), the one supporting the Equifax online dispute portal web application. Failing to install the security updates can lead to massive business disruption and many other negative effects.

This only gives cyber criminals a massive amount of confidential information about potential victims that they won’t shy away from using in the next months.

9. Spambots on steroids

Emails are still an easy target for cyber criminals and the recent (yet biggest) data dump confirms it. Over 700 million of email addresses (and passwords) were exposed online with the help of a spambot operation, which sent out emails en masse to people hoping they’ll be tricked into clicking on them.

This massive spam operation showed us how vulnerable our inboxes are, and why attackers can easily plan a spam campaign to spread malicious code and infect as many users as possible.

I found out that cyber criminals use the surprise factor during cyber attacks

CLICK TO TWEET

10. Sophisticated supply-chain attacks with deeper geopolitical implications

Supply-chain attacks that involve exploiting vulnerabilities in the supply network used by a specific organization are not new. But the way cyber criminals used the backdoor tactic and managed to infiltrate malware into two versions of CCleaner, the popular PC cleaner software application, is. Not only did they potentially impact millions of devices and their users, but they also affected IT infrastructure and led to severe business disruption.

But the story doesn’t end here, as investigations are still under way, the geopolitical implications of this attack seem to ramificate.

At the recent Virus Bulletin 2017 conference, Jakub Kroustek and Jiri Bracek shared technical details on the attack and said there are more than three stages of this attack.

“This suggests it was very targeted and used only against a specific group of users,” Bracek said.

Protection guide against malware threats

In the context of the sophisticated nature of modern cybercriminals, both organizations and home users should acknowledge this threat and understand the importance of software patching. This is why we need to prioritize things by proactively changing our behaviors in a way that will enhance our security online.

Knowing that the online landscape isn’t safe anymore, securing our valuable data should be on top of everyone’s list of priorities.

Here are some useful ways to maximize your protection against these attacks:

  • Keep all your software up to date, and install  the latest updates, as soon as possible. Having the system up to date and protected with multiple layers of security decrease the chances of being infected with malware.
  • Use unique and strong passwords with the help of a password manager program.It’s worth reminding not use the same password for all your email/social accounts, as it gets easier to be hacked and every account will be vulnerable.
  • Secure your data and have at least two backups for them: an external hard drive and another one in a cloud system. Also, check to see if your backups are intact and can be restored if needed.
  • When cyber criminals launch a new attack, they use various tactics and businesses with an outdated infrastructure or software are the most vulnerable to such online threats. This is why it is essential for businesses to keep their infrastructure up to date and actively defend it by closing potential holes in cyber security.
  • To enhance protection, it is recommended to use an antivirus program and aproactive cyber security software solution (together).
  • Users need to change their “it can’t happen to me” mindset and focus on education themselves to stay safe online. Cyber security education is essential for everyone to have minimum cyber security knowledge, so they can easily discern the good from the bad, and be safer in the online landscape.

What can we learn from cyber criminals’ malicious actions so we can have the best defense against their criminal tactics? We have to keep on investigating what makes them tick and always have a proactive behavior and react to attacks in a timely manner.

 

via:  heimdalsecurity