Monthly Archives: June 2018

Why Using a VPN is a Smart Move

A VPN (Virtual Private Network) encrypts your Internet traffic between your device and a server run by the VPN service, so that anyone sitting on the network path in between cannot read it or harvest your personal information. With most payments and everyday communications now conducted over the Internet, and increasingly so in developing countries, ordinary users have good reason not to be without one.

The Internet is peppered with security challenges, not least of which are cyber criminals and governments snooping around in your personal data. Privacy is under pressure at every level, and it is worth taking the precautions that are available; much of this snooping succeeds simply because users take none. Antivirus software addresses one class of threat, but it does nothing to shield your browsing traffic from someone intercepting it on the network.

Your online footprint can be masked from prying eyes: the fewer traces you leave of where you have been, the harder it is to identify you personally. A VPN creates what is known as an encrypted tunnel between your device and a remote server operated by the VPN service; everything you send is encrypted before it leaves your machine and is only decrypted at that server. Think of the tunnel as a shield against anyone on the path in between seeing what you’re doing. To the sites you visit, your traffic appears to come from the VPN server rather than from you. Note what this does not do: the VPN provider sits at the far end of the tunnel and can see your traffic, so you are moving your trust from the local network and your ISP to the provider, not eliminating it.

In other words, you redirect your traffic from your current location X to a VPN server at location Z. Your data travels encrypted to that server, and when it exits there, the sites and services you reach see the VPN server’s IP address instead of yours. Your own ISP can still see that your computer is connected to the VPN server, but not what passes through the tunnel; everything beyond the server carries only the server’s address.
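The practical check that goes with this description is whether all of your traffic, including DNS lookups, really leaves through the tunnel. The following is an added example, not code from the original post or from any VPN provider: it parses the Linux `ip route show` layout and /etc/resolv.conf and reports whether a test destination and every configured resolver are routed via the tunnel interface. The route tables, the resolver file, the interface names (tun0, wlan0) and all addresses are constructed for the example; they use documentation ranges rather than any real provider.

```python
import ipaddress

# Constructed sample of `ip route show` on a Linux laptop with an
# OpenVPN-style "redirect-gateway def1" tunnel up on tun0. The two /1
# routes cover the whole IPv4 space more specifically than the ISP's
# default route, and a /32 host route keeps the VPN server itself
# reachable through the physical gateway. Addresses are documentation
# ranges, not a real provider.
ROUTES_TUNNEL_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Same laptop after the tunnel dropped: only the ISP routes remain.
ROUTES_TUNNEL_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Constructed /etc/resolv.conf: the VPN pushed its own resolver (10.8.0.1),
# but the home router's resolver was left in place by DHCP.
RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 10.8.0.1
nameserver 192.168.1.1
"""


def parse_routes(text):
    """Turn iproute2 output into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((network, dev))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match, as the kernel does: the most specific route wins."""
    addr = ipaddress.ip_address(ip)
    candidates = [(net, dev) for net, dev in routes if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def leak_report(route_text, resolv_text, tunnel="tun0", probe="198.51.100.7"):
    """Check that an arbitrary Internet destination and every configured
    DNS resolver are reached through the tunnel interface."""
    routes = parse_routes(route_text)
    resolvers = [line.split()[1] for line in resolv_text.splitlines()
                 if line.startswith("nameserver")]
    return {
        "traffic_via_tunnel": egress_interface(routes, probe) == tunnel,
        "dns_leaks": [ns for ns in resolvers if egress_interface(routes, ns) != tunnel],
    }


if __name__ == "__main__":
    print("tunnel up:  ", leak_report(ROUTES_TUNNEL_UP, RESOLV_CONF))
    print("tunnel down:", leak_report(ROUTES_TUNNEL_DOWN, RESOLV_CONF))
```

With the tunnel up the report shows traffic going out via tun0 but flags 192.168.1.1 as a DNS leak: every lookup sent to the router bypasses the tunnel and tells the local network which sites you visit. On a real machine feed it the output of `ip route show` and the contents of /etc/resolv.conf; on hosts using systemd-resolved, resolv.conf typically points at 127.0.0.53, so check `resolvectl status` for the real upstream resolvers instead.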

Why Is a VPN Service Essential to Your Online Browsing Activity?

One of the most obvious benefits of a VPN is on public Wi-Fi: at the airport, a hotel, a library, a coffee shop, on an airplane and so on. Anyone on that network, or whoever runs it, can observe your unencrypted traffic and pick out sensitive personal information. It’s impossible to know the intentions of everyone else using a public network, and there are nefarious actors in the mix. Sometimes it’s also difficult to tell whether the Wi-Fi network on offer is the venue’s legitimate network or one set up by a criminal precisely to capture your data.

Another thing to consider is the sensitivity of what passes over that connection: login credentials, browsing history, files, folders, bank records and so on. With a VPN, anyone on the local network sees only encrypted traffic between your device and the VPN server and cannot read that information. Remember too that anyone can name a Wi-Fi network anything they want, and a name does not make it legitimate: “JFK Airport Internet”, “Hilton Hotels Internet” or “Holiday Inn Express Wi-Fi” may not be the official networks for those places at all, just names chosen to trick you. A good place to start on your VPN quest is an aggregator site that reviews the pros and cons of each service. For example, this HMA VPN review lists the attributes of Hide My Ass, one of the most popular paid VPN services on the market today.

HMA is a user-friendly service that you can also use to reach content that is only available outside your own country. Maybe you are based in the US and want the latest rugby or cricket broadcast from a UK domestic competition: you could route your traffic through a UK server and reach that content, such as live news streams or live sports broadcasts. In countries like China, where the Internet is heavily filtered, a VPN is often a necessity for reaching information at all. Because a VPN encrypts your traffic and substitutes its own IP address for yours, it is also an identity-protecting tool, within the limits described below. Clients are usually built separately for macOS and Windows, and the two often differ in features. On mobile devices VPN apps work a little differently, since the tunnel has to survive the device switching between Wi-Fi and cellular networks.

Who Is Spying on Our Data?

It’s hard to say who is or isn’t actively spying on data, recording it or monitoring online communications. One thing is certain: your browsing activity is far more accessible to others when you don’t use a VPN. Whether it is the NSA, FBI, CIA, Secret Service, local law enforcement or criminals viewing your data matters less than the fact that they can snoop around in your private business if they want to. A VPN encrypts your traffic in transit regardless of what the provider logs; what a no-logs policy adds is that there is no record of your connections for the provider to hand over later.

Be advised that not all VPN services are cut from the same cloth. Most are profit-seeking organisations that will cooperate with the authorities if required, which means handing over whatever logs they hold if subpoenaed. Some providers operate from jurisdictions, Panama being a commonly cited example, where they expect fewer legal demands for data; that is a choice made by the provider, not a guarantee. Nor is a VPN failsafe on its own: it does nothing about the cookies and other identifiers that web services set in your browser, which can identify you regardless of your IP address, but that’s a story for another day.

 

via:  404techsupport.

WhatsApp users targeted by homoglyph attack peddling free tickets to theme park

Do you see anything suspicious in the message displayed above in this article’s featured image?

Alton Towers is giving away 5 free tickets to 500 families

Many WhatsApp users would probably view it as innocent enough, appearing to offer free tickets to a British theme park. Indeed, some might be so convinced that the message is legitimate that they forward it on to their own friends and family via WhatsApp, hoping to increase the chances of their loved ones enjoying a free day out at Alton Towers.

But the truth is that clicking or sharing the link could put you, or your nearest and dearest, at risk of being scammed by internet fraudsters.

The message should not only be treated with caution because it seems too good to be true but also because when examined closely there’s evidence that the message isn’t all it claims to be.

The clue is in the URL, reported The Sun.

Do you see the dot above the “o” in altontowers.com? The “o” is in fact an “ȯ” – a regular “o” with a dot, or diacritic mark, placed above it.

It’s not a character that many of us are used to seeing, but it is used in some European languages, and for that reason it is supported by Unicode. Unfortunately, technology’s admirable ability to handle a wide variety of languages comes at a price: fraudsters can abuse the feature to trick you into believing that you are reading something different from what is actually on the screen.

This is known as a homoglyph attack, because it exploits the close visual similarity between two different characters. For years, scammers have been duping unsuspecting internet users into clicking on dangerous links with this simple technique.

Most users will never notice the dot, especially if it’s displayed on a screen as small as a smartphone, and so may think it is perfectly safe to click through to the website where they will be encouraged to take an online survey and forward the message to 20 of their friends.

And once on the bogus website, they may believe that they are on the real altontowers.com and think nothing of entering personal information for the illusory chance to win a family day out on the rollercoasters.

Scam website

It’s not a new method of attack, but it’s a remarkably effective one. Until messaging apps like WhatsApp apply some of the protections that desktop browsers use against homoglyph attacks, such as displaying an internationalised domain name in its Punycode (xn--) form when its characters are confusable or mix scripts, we’re likely to see more and more of them.
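The browser-style check described above can be reproduced with nothing but the Python standard library. What follows is an added example, not code from the original article or from WhatsApp: it extracts the hostname from a link, converts it to the Punycode form a browser would resolve, collapses diacritics so the name reads as the eye sees it, and flags names that are not plain ASCII yet either collapse to an ASCII name (the dotted-o trick) or mix scripts (a Cyrillic letter standing in for a Latin one). The sample links are constructed for the example and mimic the lure, they are not live scam sites, and the script test uses the first word of each character’s Unicode name as a rough stand-in for its script.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample links. The first mimics the lure described above, with
# U+022F (LATIN SMALL LETTER O WITH DOT ABOVE) in place of the second "o";
# the third swaps Cyrillic "а" (U+0430) for Latin "a". None is a live site.
SAMPLE_URLS = [
    "http://altont\u022fwers.com/free-tickets",
    "https://www.altontowers.com/",
    "https://\u0430pple.com/login",
]


def skeleton(host):
    """Approximate what a reader *sees*: NFKD-decompose each character and
    drop the combining marks, so "ȯ" collapses to "o". Decomposition does
    nothing for look-alikes from other scripts; those are caught by the
    script check in analyse_url()."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def letter_scripts(host):
    """Scripts present among the letters, approximated by the first word of
    each character's Unicode name ("LATIN", "CYRILLIC", ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def analyse_url(url):
    host = urlsplit(url).hostname or ""
    # The stdlib idna codec does the same Punycode conversion a browser does
    # before resolving the name; a non-ASCII label comes back as "xn--...".
    punycode = host.encode("idna").decode("ascii")
    looks_like = skeleton(host)
    scripts = letter_scripts(host)
    # Flag a name that is not plain ASCII but either collapses to an ASCII
    # name (diacritic trick) or mixes scripts (cross-script trick).
    suspicious = not host.isascii() and (looks_like.isascii() or len(scripts) > 1)
    return {"host": host, "punycode": punycode, "looks_like": looks_like,
            "scripts": scripts, "suspicious": suspicious}


def suspicious_urls(urls):
    """Return the analysis records for every link that fails the check."""
    return [r for r in map(analyse_url, urls) if r["suspicious"]]


if __name__ == "__main__":
    for r in map(analyse_url, SAMPLE_URLS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['host']} -> {r['punycode']} (reads as {r['looks_like']})")
```

The Punycode form is the useful artefact: a link whose host begins with xn-- while claiming to be a well-known brand is exactly what a browser’s address bar would show, and it is what a user on a small phone screen never gets to see inside a chat message.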

Users should also familiarize themselves with common phishing attack types so that they are less likely to click on a suspicious link, email attachment or text message.

 

via:  tripwire

Facebook Says Bug Automatically Suggested Public Visibility for New User Posts

Facebook said it has discovered a bug that automatically suggested public visibility to some users whenever they created new posts.

On 7 June, Chief Privacy Officer Erin Egan said in a statement that Facebook found the bug in its audience selector. This feature lets users choose with whom they want to share their posts. For the sake of convenience, it’s supposed to auto-select the last audience with which users submitted a post, meaning it should display “Friends” if they last shared something with their friends list.

That didn’t happen between 18 and 27 May. During that period, Egan explained, the audience selector suggested “Public” for new posts. This means that as many as 14 million users could have shared content publicly when, judging by their previous posting history, they intended only a smaller group of people to see it.

Egan provided more information about the technical error in her statement:

This bug occurred as we were building a new way to share featured items on your profile, like a photo. Since these featured items are public, the suggested audience for all new posts – not just these items – was set to public. The problem has been fixed, and for anyone affected, we changed the audience back to what they’d been using before.

Facebook’s notification about the incident. (Source: Facebook)

In response to this flaw, Egan said that Facebook will be notifying everyone affected. Additionally, the social media giant will display a notification to all users who posted publicly during the time frame when the bug was active, directing them to a page that explains how to protect their privacy on the platform.

News of this bug follows less than three months after news emerged of a data privacy scandal in which political brokerage firm Cambridge Analytica harvested the information off 87 million Facebook users’ profiles.

 

via:  tripwire

 

The Value of Capture the Flag Competitions

If you’ve ever attended an infosec or hacker conference, you’re sure to have seen a Capture the Flag, or CTF, competition. As with anything in this industry, the debate about the value of these competitions ebbs and flows. Some argue that they are unrealistic. Others champion them for the skills they require and the creative thinking they encourage.

Let’s be real for a moment. When is the last time a penetration tester found the contents of /etc/passwd in the comments section of a website? There may be fringe cases, but this is not the norm.

The reality is that many are thematic and fun. Traditional Capture the Flag competitions typically have some of the same elements:

  • Scanning and Enumeration
  • Web Application
  • Cryptography
  • Steganography
  • Exploitation
  • Scripting
  • Reverse Engineering

Scanning and Enumeration and Exploitation deserve particular emphasis on that list. Why? They are also stages of the “Ethical Hacking process”, as shown below:

Ethical Hacking Process
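Scanning and enumeration is the one stage on that list that every CTF box and every real engagement starts with, so here is what it looks like in code. This is an added example, not code from the original series or from any of the tools it plans to cover: a small concurrent TCP connect scanner with banner grabbing, run against a constructed target (a throwaway listener on 127.0.0.1 that greets clients with an SSH-style banner) so that it can be executed offline. The banner text and the port range scanned are assumptions for the demonstration; real tools such as nmap use raw SYN probes and service fingerprints rather than a plain connect() and a single recv().

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_demo_service(banner=b"SSH-2.0-OpenSSH_7.6 ctf-demo\r\n"):
    """Constructed target: a throwaway listener on 127.0.0.1 (kernel-chosen
    port) that greets every client with a banner, standing in for a CTF box.
    Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket was closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """TCP connect probe plus banner grab. Returns (port, banner) when the
    port accepts a connection, None when it is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""          # open, but silent until the client speaks first
            return port, banner
    except OSError:
        return None


def scan(host, ports, workers=32):
    """Concurrent connect scan; returns {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p), ports)
    return dict(r for r in results if r is not None)


if __name__ == "__main__":
    srv, port = start_demo_service()
    try:
        found = scan("127.0.0.1", range(port - 5, port + 6))
        for p, banner in sorted(found.items()):
            print(f"{p}/tcp open  {banner or '(no banner)'}")
    finally:
        srv.close()
```

The banner is the enumeration half of the stage: a connect scan tells you a port is open, the first bytes the service volunteers tell you what is listening and often which version, which is what the exploitation stage is chosen against. Services that wait for the client to speak first (HTTP, for instance) come back with an empty banner here and need a protocol-specific probe.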

Over time, CTFs have branched out from the basic format into several varieties:

  • Network King of the Hill (NetKOH)
  • Social Engineering (SECTF) [Note: I may know a thing or two about these, especially the 2017 DerbyCon SECTF.]
  • OSINT CTF
  • Forensics CTF

The Value and the Series

So, what am I getting at? They are not precise mirrors of real life. That is not what they are meant to be. They are meant to be challenges to both your technical skill and creativity. Some are more “fun,” and others are more about “street cred.”

In this series, I will be discussing how Capture the Flag exercises work and some common tools and techniques used in them. For starters and a sneak preview, here are my planned topics:

  • (Theoretical Ideas) ARP Scanning with netdiscover and arp-scan
  • NMAP
  • Nikto
  • Dirbuster and dirb
  • Burp Suite
  • Vulnerability scanners
  • wp-scan
  • Reverse Shells
  • Wireless
  • A wrap-up post to tie it all together.

This is not meant to be an all-inclusive series about CTFs but rather an account of my experiences participating in them and what I have found works. I have recently been turned on to CTFs by helping to build one for BSides Knoxville and a forensics CTF for my local Defcon chapter, dc865.

I also accidentally discovered a vulnerability in a home router after doing a CTF because I had not reverted back to my non-CTF configuration. Here are some links regarding that vulnerability and the associated CVE:

 

via:  tripwire

Three Rhode Island State Agencies Affected by Malware Attack

A malware attack affected computing devices owned and operated by three state agencies in Rhode Island, the state’s digital security teams have confirmed.

According to Call 12 for Action, the infection became noticeable on 31 May at the Department of Children, Youth and Families (DCYF), Department of Human Services (DHS) and Department of Behavioral Healthcare, Developmental Disabilities and Hospitals (BHDDH). The incident persisted into the day on 1 June when smaller PCs and hardware devices unexpectedly crashed. Officials observed nothing else that would raise their suspicions.

IT and security teams looked into the matter and confirmed that malware was to blame for the device disruptions. Chief Digital Officer Bijay Kumar said those personnel even discovered the probable delivery vector.

“In this case, we believe this could be through a generic phishing attack, clicking on a link in an email, just an external site which is clicked,” Kumar explained to Call 12 for Action. “We did some proactive upgrades and have since mitigated the issue.”

The attack is believed to have affected about 400 of the state’s 10,000 devices. Kumar said that the infection did not compromise any information. Even so, the state would continue to investigate the matter.

“We take security very seriously, so we always like to err on the safer side of security so we talked to the National Guard, state police, as well as EMA to make sure we don’t leave any stone unturned to keep our system secure.”

Brenna McCabe, spokeswoman for the Rhode Island Department of Administration, released a statement about the incident on 3 June. In it, she explained that the team had implemented a “technical solution” to help affected devices return to their normal functioning. She went on to say that first-of-the-month payments weren’t affected by the attack and that minimal service disruptions might occur as the three departments prepared for normal business hours on 4 June, reported The Providence Journal.

News of this attack came a few days after Atlanta’s city government disclosed that a March ransomware attack against its systems wiped out years of police dashcam footage. Since then, Atlanta officials said they will probably need another $9.5 million on top of the $5 million they already spent to further their recovery efforts.

 

via:  tripwire

Atlanta Ransomware Attack Wiped Out Years of Police Dashcam Footage

A ransomware attack targeting the city of Atlanta wiped out years of dashcam footage generated by the Atlanta Police Department.

In an exclusive interview with The Atlanta Journal-Constitution and Channel 2 Action News, Atlanta Police Chief Erika Shields revealed that a March ransomware attack against the city cost the Department years of dashcam footage. She said the impact of this data loss is minimal, however. As quoted by The Atlanta Journal-Constitution:

I’m not overly concerned, I’m really not, because that’s a tool, a useful tool, for us. But the dashcam doesn’t make the cases for us. There’s got to be the corroborating testimony of the officer. There will be other pieces of evidence. It’s not something that makes or breaks cases for us.

Others weren’t so optimistic about this revelation. Atlanta police union official Ken Allens said that the absence of dashcam footage “hurts that relationship that is already strained” between officers and what he calls an “anti-police” public. Meanwhile, Georgia State law professor Jessica Gabel Cino said that data loss was significant as “…cases are broken or they’re made on dashcam footage.”

News of the attack first emerged in late March. City officials quickly determined that ransomware had taken down several customer-facing systems, including bill-payment applications, and that the attackers were demanding six bitcoins (worth about $51,000 at the time) to restore the whole system. Atlanta Mayor Keisha Lance Bottoms refused to pay, and the city has so far spent millions on emergency tech contracts to rebuild the affected IT systems.

At the time of this writing, recovery was ongoing.

Matthew Condland, an investigator with the Atlanta Police Department, said the attack affected more than just dashcam footage.

“As a result, last month or the month before last of the cyberattack against the city, all of my files, all 105,000 files, were corrupted,” investigator Condland testified, as quoted by WSBTV.

Shields said “we have recovered all of our criminal investigative files” and that she hasn’t heard of any impact against ongoing criminal cases.

The ransomware attack against Atlanta is a reminder to municipalities to boost their defenses against digital threats. This should include implementing some common ransomware prevention techniques.

 

via:  tripwire

Scammers Targeting Booking.com Users with Phishing Messages

Scammers recently targeted Booking.com customers with phishing messages designed to steal their sensitive financial information.

According to The Sun, criminals sent WhatsApp and text messages to customers claiming that a security breach had occurred and that recipients needed to change their passwords. The messages carried a link which, when clicked, gave the attackers access to the victim’s bookings. The attackers then followed up with a second message saying they needed customers’ banking details to process full payment in advance of the booking.

Marketing manager David Watts of Newcastle received one of the messages and said: “It looked very believable and I can believe people fell for it.”

Booking.com told The Sun that it’s aware of these attack messages. It also clarified that it had not suffered a data breach and that attackers had likely compromised the systems of hotels with which it works on a separate portal. Those criminals, it said, made off with typical booking information like customers’ names, addresses, phone numbers, dates and prices of bookings and reference numbers. The attackers then used that information to send out phishing messages, which incorporated those pieces of information to enhance their appearance of legitimacy, it explained.

This isn’t the first time scammers have targeted Booking.com users. Back in November 2014, news emerged of phishers preying on thousands of users, some of whom fell for the phish and paid the attackers. Booking.com stated that it had not suffered a breach and that criminals had hacked as many as eight hotels, but a spokesperson for one of the affected hotels denied having suffered an incident and recommended that the travel e-commerce company “ensure their investigation is thorough and appropriate action is taken.”

No doubt phishers will continue to target the travel industry in an attempt to steal customers’ financial data. With that in mind, users should familiarise themselves with some of the most common types of phishing attack. This resource is a good place to start.

 

via:  tripwire

Microsoft has acquired GitHub for $7.5B in stock

After a week of rumors, Microsoft today confirmed that it has acquired GitHub, the popular Git-based code sharing and collaboration service. The price of the acquisition was $7.5 billion in Microsoft stock. GitHub raised $350 million and we know that the company was valued at about $2 billion in 2015.

Former Xamarin CEO Nat Friedman (and now Microsoft corporate vice president) will become GitHub’s CEO. GitHub founder and former CEO Chris Wanstrath will become a Microsoft technical fellow and work on strategic software initiatives. Wanstrath had retaken his CEO role after his co-founder Tom Preston-Werner resigned following a harassment investigation in 2014.

The fact that Microsoft is installing a new CEO for GitHub is a clear sign that the company’s approach to integrating GitHub will be similar to how it is handling LinkedIn. “GitHub will retain its developer-first ethos and will operate independently to provide an open platform for all developers in all industries,” a Microsoft spokesperson told us.

GitHub says that as of March 2018, there were 28 million developers in its community, and 85 million code repositories, making it the largest host of source code globally and a cornerstone of how many in the tech world build software.

But despite its popularity with enterprise users, individual developers and open source projects, GitHub has never turned a profit and chances are that the company decided that an acquisition was preferable over trying to IPO.

GitHub’s main revenue source today is paid accounts, which allow private repositories and a number of other features that enterprises need, with pricing ranging from $7 per user per month to $21 per user per month. Those building public and open source projects can use it for free.

While numerous large enterprises use GitHub as their code sharing service of choice, it also faces quite a bit of competition in this space thanks to products like GitLab and Atlassian’s Bitbucket, as well as a wide range of other enterprise-centric code hosting tools.

Microsoft is acquiring GitHub because it’s a perfect fit for its own ambitions to be the go-to platform for every developer, and every developer need, no matter the platform.

Microsoft has long embraced Git and uses it in its current Visual Studio Team Services product, which itself used to compete with GitHub’s enterprise service. Knowing GitHub’s standing with developers, Microsoft has also leaned on the service quite a bit itself, and some in the company already claim it is the biggest contributor to GitHub today.

Yet while Microsoft’s stance toward open source has changed over the last few years, many open source developers will keep a very close eye on what the company does with GitHub after the acquisition. There is a lot of distrust of Microsoft in this cohort, which is understandable given the company’s history.

In fact, TechCrunch received a tip on Friday noting not only that the deal had already closed, but that open source maintainers were already eyeing alternatives and potentially looking to abandon GitHub in the wake of the deal. Some developers (not just those working in open source) were not even waiting for confirmation of the deal before migrating.

While GitHub is home to more than just open source software, if such a migration came to pass it would be a very bad look for both GitHub and Microsoft. It would also be a particularly ironic turn given the origins of Git: the version control system was created by Linus Torvalds in 2005, while he was working on the Linux kernel, in part as a response to the previous system, BitKeeper, changing its terms away from free use.

The new Microsoft under CEO Satya Nadella strikes us as a very different company from the Microsoft of ten years ago — especially given that the new Microsoft has embraced open source — but it’s hard to forget its earlier history of trying to suppress Linux.

“Microsoft is a developer-first company, and by joining forces with GitHub we strengthen our commitment to developer freedom, openness and innovation,” said Nadella in today’s announcement. “We recognize the community responsibility we take on with this agreement and will do our best work to empower every developer to build, innovate and solve the world’s most pressing challenges.”

Yet at the same time, it’s worth remembering that Microsoft is now a member of the Linux Foundation and regularly backs a number of open source projects. And Windows now has the Linux subsystem while VS Code, the company’s free code editing tool is open source and available on GitHub, as are .NET Core and numerous other Microsoft-led projects.

And many in the company were defending Microsoft’s commitment to GitHub and its principles, even before the deal was announced.

 

Still, you can’t help but wonder how Microsoft might leverage GitHub within its wider business strategy, which could see the company build stronger bridges between GitHub and Azure, its cloud hosting service, and its wide array of software and collaboration products. Microsoft is no stranger to ingesting huge companies. One of them, LinkedIn, might be another area where Microsoft might explore synergies, specifically around areas like recruitment and online tutorials and education.

 

via:  techcrunch

Microsoft discounts the Xbox One X for its E3 week sale

‘PUBG’ and ‘Sea of Thieves’ also get their first price cuts.

Microsoft is cutting the price of the 4K-friendly Xbox One X for the first time in what the company is calling its biggest Xbox sale of the year. All Xbox One models are dropping by $50, so the Xbox One X will set you back $449, while the Xbox One S costs $199 for the 500GB version, and $249 for 1TB. If you’ve been looking for a new controller, you can pick one up for $10 less.

There are discounts on a bunch of games too, with PlayerUnknown’s Battlegrounds, Sea of Thieves and Monster Hunter: World all sliding into the sale section for the first time; Microsoft is cutting the prices of some other games by up to 75 percent. Meanwhile, if you want to play those games online with your shiny new Xbox One X, you’ll need Xbox Live Gold, which you can get for $1 for a month. The same deal applies to Xbox Game Pass. All of these offers are available starting Thursday.

The Xbox One sale comes just as Microsoft prepares for an onslaught of news and game announcements at the E3 convention next week — Sony is running a big sale too, with a limited-edition blue console on offer. While not Xbox exclusive games, we’ll find out more about Fallout: 76 and Assassin’s Creed: Odyssey at E3. Who knows, though? Microsoft might try to get in on the battle royale craze with a winner-takes-all-style Gears of War.

 

via:  engadget

How to set up 2FA on eBay – go do it now!

A little under two years ago, I looked into how one might go about securing an eBay account using two-factor authentication (2FA).

At the time, it wasn’t clear if 2FA was supported on eBay officially or not, and I found a number of dead-end paths when trying to actually set up my account with 2FA – old documentation pages about 2FA appeared to be buried or completely deprecated, many links were completely dead. Calls to customer service didn’t help much, as the reps I spoke to had no idea what I was talking about or why I was asking.

There were legacy documentation pages about using a third-party time-based token authentication service, but these were mostly dead-ends as well and I had, to put it mildly, an extraordinarily difficult time trying to set things up.

By the end of it all, I had tried (and tried!) to set up 2FA on my account, but really to no avail. I concluded my piece with a plea for readers to let me know if I’d missed something obvious in trying to secure my account, or at the very least to ask eBay nicely to make this process easier.

Over time, many of our Naked Security readers chimed in on my story saying either that they’d had similar experiences, or that they’d discovered a workaround entirely.

As more time passed, the comments changed tone entirely: the 2FA process, readers said, was now super simple and easy to do. Based on what readers like you had commented, it sounded like something had changed for the better. Clearly, it was past time for me to revisit this story.

I’m quite relieved and thankful to report that since I first wrote the eBay 2FA story, eBay has not only binned its previous byzantine 2FA procedure but replaced it with something that’s both easy to find and easy to use.

Now, happily, this is how you can easily set up 2FA on your eBay account.

  • Log in to your account.
  • Go to your account settings by clicking on your name in the upper left (where it says “Hi [your name]!”) and clicking Account settings in the dropdown.
  • In the My Account menu on the left that now appears, click Personal information.
  • Scroll to the bottom of the Personal Information screen, and you’ll now see a field that says Security Information, with the 2 step verification option underneath it. If it is switched to “off”, click the Edit option on the right.
  • Follow the instructions on the screen. eBay 2FA supports voice and SMS factors only (no support for time-based token apps like Google Authenticator or Duo, as far as I can tell). SMS and voice codes are far better than a password alone, but they can be intercepted or redirected through SIM-swap fraud, so an authenticator app would be the stronger choice if eBay offered one.
  • You’ll get a confirmation once it’s set up. Easy peasy!

I’m relieved that eBay has now made this much easier for users, and hope if you’re an eBay user you’ll take a quick moment to get this set up on your account.

 

via:  sophos