Tag Archives: internet

VPNFilter and other neat tricks

The Spectre and Meltdown attacks that came to light at the beginning of the year have been the main focus of this year’s security issues; however, there has been a lot more going on than that.

On that note, additional Spectre variants have been found (we’re up to v4 now); as well, the BSD team has alluded to a notice due at the end of June, potentially regarding Hyper-Threading in Intel CPUs, which could have far-reaching effects for virtualisation systems.

But on to the main topic of this post: VPNFilter is a modular malware that infects consumer or SOHO routers and can perform a number of malicious functions. It is thought to be the work of the Russian state-sponsored attackers “Fancy Bear”, who have been fingered for previous attacks like BlackEnergy.

The attack is split into 3 stages:

  1. exploit the router and pull down an image from the Photobucket website
  2. the metadata in the image is used to determine the IP address for stage 2; open a listener and wait for a trigger packet for a direct connection
  3. connect from Command and Control, and engage the plugins for stage 3

Some new stage 3 plugins have recently come to light including:

  1. inject malicious content into web traffic as it passes through a network device
  2. remove traces of itself from the device and render the device unusable
  3. perform man-in-the-middle (MITM) attacks to deliver malware and exploits to connected systems
  4. a packet sniffer module that monitors data specific to industrial control systems (SCADA)

If this sounds scary, then you’re on the right track. But think bigger, much bigger. Because the attacker is on the device connecting users to the internet, it could potentially both monitor and alter any internet traffic.

From Ars Technica:

“Besides covertly manipulating traffic delivered to endpoints inside an infected network, ssler is also designed to steal sensitive data passed between connected end-points and the outside Internet. It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.”

What devices are affected? The full list is in the Cisco Talos blog post on the issue; briefly, it includes upwards of 70 models from vendors like TP-Link, D-Link, Netgear, Linksys and MikroTik, all of which are consumer units that can be expected to be used in SOHO environments.

On to Satori, a more recent botnet based on the formerly impressive Mirai code that caused havoc with denial-of-service attacks in 2016. Satori uses the Mirai code as a foundation for a series of evolving exploits that allow the botnet to control devices even when they have strong credentials.

The initial attack was targeted at Huawei and Realtek routers; however, the botnet controllers have displayed impressive skills by moving on to bitcoin miners and now consumer routers like D-Link’s DSL2750B.

“Attack code exploiting the two-year-old remote code-execution vulnerability was published last month, although Satori’s customized payload delivers a worm. That means infections can spread from device to device with no end-user interaction required.”

D-Link currently has no firmware update for this issue. This brings me back to a statement that I’ve echoed on this blog numerous times – no one should be using consumer routers, or at least routers that do not have a history of consistent security updates. The internet is littered with hundreds of router models from many manufacturers that are full of holes for which the manufacturer has no fix.

Consumer manufacturers do not have the skill to design secure devices, nor do they have the capacity to fix broken and exploitable devices. This leaves a sizeable portion of internet users at the mercy of attackers.

And that is scary.

Facebook, Cambridge Analytica and your digital data

The recent Facebook/CA fiasco should be known to most people by now but here is a brief rundown in case you’re unaware.

Aleksander Kogan, a Russian-American researcher, worked as a lecturer at Cambridge University, which has a Psychometrics Centre. The Centre states that it is able to use data from Facebook (including “likes”) to ascertain people’s personality traits. Cambridge Analytica and one of its founders, Christopher Wylie, attempted to work with the Centre for the purposes of voter profiling. It refused, but Kogan accepted the offer in a private/CA capacity.

Kogan did not disclose his relationship with CA when asking Facebook (which allows user data to be used for ‘research purposes’) for permission to use the data. He created an app called ‘thisisyourdigitallife’ which provided a personality prediction.

If this sounds familiar, then yes, many have probably filled in similar ‘tests’ which are available as apps on the Facebook (and other) platforms. What most people don’t know, however, is that these apps are far more insidious than the playful front they portray. The data collected by these apps can be put to any number of nefarious uses and, as in this case, are being used in ways that break the user privacy agreement.

Kogan ended up providing private user data on up to 50 million users to CA, not for academic research but for political profiling purposes. This included not only users that had installed the app, but friends of those users as well. CA then used this data in commercial cases by working with various political parties and people (including the Ted Cruz and Trump campaigns). The product was called psychographics.

Anyone who has read Isaac Asimov’s Foundation series may see parallels here with the character Hari Seldon’s psychohistory, an algorithmic science that allows him to predict the future in probabilistic terms. This is fairly hard-core Science Fiction …

To see this kind of future-looking large scale profiling occurring in 2015/6 is quite shocking.

Facebook was aware of this information sharing as early as 2015 and had asked Kogan and CA to remove the data. But they never took it further to confirm that this had indeed been done.

This is pretty embarrassing for Facebook, and its almost 10% stock drop this week confirms this. The larger concern for Facebook is that the company signed a deal with the US Federal Trade Commission in 2011 that was specifically focused on enforcing user privacy settings. So this saga may be a contravention of that agreement … and Facebook has more troubles ahead, seeing as both US and EU authorities are looking into the matter. Facebook execs have already been before the UK Parliament and are now accused of lying about the facts in this case.

Ars Technica’s take on the story

Christopher Wylie, the brains behind the technology in use, had previously left CA once he realised what they were doing, and became the whistleblower that has led to the furore over the last few weeks.

The Guardian’s article on Christopher Wylie

The NYTimes article

While some will say that they’re not worried about the data that is collected about them, this scenario shows that the issue is much bigger than individuals. Profiling of large groups of people based on individual user data is now a thing.

In the case of Facebook specifically, one can:

This story should be enough for most to rethink their online presence and activity. It’s not necessarily a matter of removing yourself from the Internet but rather being very circumspect about the information you offer up about yourself. Because your information is being bought, sold and used as a weapon against you.

South African Security (Fails)

It’s been a while since my last post but recent events in SA around security have prompted me to write this post.

It starts with an open website containing what is now believed to be upwards of 70 million entries for names, ID numbers, income, addresses and other information on South African citizens/residents, including possibly around 12 million children. This data leak was originally exposed by Troy Hunt, of Have I Been Pwned fame, and came in the form of a website from (now believed to be) Jigsaw Holdings, an apparent IT partner of ERA, the property group. It took the service provider almost 3 days to plug the leak.

The data was also available in the form of a database file seeded through torrents, which means there was widespread access to this data. The fallout from this leak is likely to be big and long lasting, and identity theft is a primary result of leaked data such as this. Everyone needs to be extra vigilant about their personal data in the coming years.

Ster Kinekor is also on Have I Been Pwned’s list and unfortunately SK have not come forward with details or advised their customers of this breach. I’ve contacted them on 3 occasions in an attempt to get details on the breach but so far they have remained mum. #sterkinekor #securityfail …

#computicket also remains stubbornly out of touch with web security and the safety of their customers – their public website has offered non-SSL access to their site/booking system forever, and after contacting them 3 times over the last 2 months to advise them as such, nothing has been done. This is a simple matter of putting in a web redirect from HTTP to HTTPS, which should take a seasoned admin all of 30 seconds.

Their front-end staff’s responses to my calls show their utter ignorance on the matter:

Apparently the main login to their site that is used by all customers is not a transactional page …

So let’s take a look at the site as of last week:

Yip no padlock, no security …

There are many examples of this kind of incompetence all around the web/world, and also here in SA. There are a lot of people without the necessary skills putting up websites and publicly accessible systems and not securing them properly.

The best advice I can offer on these types of shenanigans is to use a password database (like KeePass) and a unique password for each site. If one of the sites you use is compromised, at least that data can’t be used to access your other sites.

Stay safe!

The NSA and Ransomware. Oh and a bit of HPE on the side.

If ever there was a perfect example of stupidity, the new highly virulent strain of WannaCrypt ransomware that is currently spreading like wildfire is it. And that stupidity is courtesy of the NSA, who in their infinite wisdom wrote exploits based on 0-day vulnerabilities that should have been reported to the relevant vendors but were instead appropriated.

Well, the Shadow Brokers have now in turn appropriated this code from the NSA, and someone else has gotten hold of it to create a self-replicating variant of WannaCrypt or Wcry malware that is currently causing havoc in hospitals, banks, telecom services, utilities and others by encrypting drives and blocking access to systems.

Another cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. Eternalblue, which works reliably against computers running Microsoft Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April. The Wcry developers have combined the Eternalblue exploit with a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to vulnerable machine, without requiring operators to open e-mails, click on links, or take any other sort of action.

The exploit spreads via vulnerabilities in network-accessible Windows subsystems, although the exact details are still vague. Microsoft released a patch in March for the issue; however, many companies have yet to install the update.

Numerous companies have been affected during the course of today, including Telefonica, Vodafone, 16 NHS hospitals across the UK, and many others. The ransomware has been detected in over 74 countries already and the demands include Bitcoin payment of up to $600 per infection. The speed and violence of infection show a highly capable piece of malware with advanced network replication techniques that bypass standard methods of protection.

What can you do to protect yourself?

  • shut down any non-critical network file access/shares
  • seeing as the malware is probably initiated via email, be especially vigilant for spam emails
  • update all Windows systems with the patch mentioned above
  • segment sections of your network where possible

And in other news, HP has been including a dodgy Windows audio driver from Conexant for the last 2 years on many HP laptops which, wait for it … logs all your keystrokes! Yay!

Password Managers

The current mainstream method of authenticating to applications and systems remains a difficult prospect for most people. Password re-use is not a good idea, but remembering a separate password for each system is not feasible. Biometrics and two-factor authentication are great solutions but are not available in all circumstances, and typically the 1st factor is still a password.

My suggestion is to use a password manager. But which one?

Password managers (PMs) are split into 2 primary types: online/cloud and offline/local.

The online type is basically a web service/app that provides a password database along with various features like browser-assisted (e.g. via plugin) form filling, 2FA, a random password generator and more. Examples include LastPass, Dashlane and Encryptr.

The offline type is a discrete application that you run on your device to provide these services. Examples include KeePass (and the X variant), 1Password, Gnome Keyring and KDE Wallet.

My personal preference is the offline type because, even if online apps indicate special protection of your data, no one has to date displayed perfect security. At least with an offline app (and one that is audited for security issues), your data is stored locally and protected by you.

Most recently, security flaws have been found in the LastPass browser extensions – although these flaws were patched quickly, the risk remains.

On the whole though, password managers significantly increase overall security by allowing users to use strong passwords for internet and other services without having to remember those strong passwords. And that is a win for everyone.

UPDATE:

So my words were barely penned when another LastPass issue came to light:

“on Saturday, Ormandy came up with a new way to perform code execution in LastPass for Chrome 4.1.43 (the current latest version of the extension). He sent the working exploit and bug report immediately to LastPass, and the company acknowledged it.”

“This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”

So it’s quite clear that online password managers are subject to the same vulnerabilities as other software, and it’s probably a good idea to stay with discrete apps.

Your TV is being creepy

Of all the points of electronic insecurity one deals with every day, your TV is probably the last you’d expect. Not so, because Vizio has been caught spying on its customers – through approximately 11 million smart TVs in the US, and since 2014.

These TVs have automatically tracked consumers’ viewing habits and sent that data back to Vizio’s servers. Vizio was collecting a selection of pixels on screen that could be matched against a database of movies, series and advertising content. It could also match data from set-top boxes, ISPs, streaming devices, DVD players and OTT broadcasts, resulting in as many as 100 billion data points per day.

It gets worse – Vizio then sold that data to advertisers and others! Because IP addresses were part of this bundle of data, the data aggregators could match the data with individual consumers or households and track their viewing and online habits. Privacy much?

Fake news and false information

We live in the information age; information is arguably the most important form of currency now, and we’re bombarded with it 24×365: a never-ending stream of information, news and data fed through channels like Facebook, YouTube, Twitter and Instagram. And it’s this overload of information that can lead to bad decisions and behaviour. Wikipedia has an excellent quote in its article on information overload:

“Information overload occurs when the amount of input to a system exceeds its processing capacity. Decision makers have fairly limited cognitive processing capacity. Consequently, when information overload occurs, it is likely that a reduction in decision quality will occur.”

This “reduction in decision quality” and the ease of information dissemination through social media outlets are leading many to simply forward and repeat information without thought for bias or quality. While on the face of it the results may seem fairly harmless, looking closer shows obvious instances where incorrect information can lead to serious consequences, including loss of life.

Cause and Effect. The information we put out can have indirect and direct effects on people, to the point where this becomes violent and people’s lives and families become targets for hate, violence and criminality.

Cause: we posted false information

Effect: someone believed this and acted

Fake news websites deliberately publish hoaxes, propaganda and disinformation to drive web traffic inflamed by social media. These sites are distinguished from news satire in that fake news articles are usually fabricated to deliberately mislead readers and profit through clickbait. So the aim here is profit above the safety of ordinary people.

There have been numerous instances recently where fake news has had serious ramifications:

  • A website purporting to be a news source, but with a disclaimer (which it curiously spells “desclaimer”), had Facebook buzzing recently with numerous shares in South Africa and worldwide. It claimed that the United Nations had declared South Africa the most corrupt country in the world, one ahead of North Korea. A quick (30-second) trip to Transparency International shows that South Africa is not even in the top two-thirds of corrupt countries.
  • Pizzagate is a debunked conspiracy theory that emerged during the 2016 United States presidential election cycle alleging that John Podesta’s emails, which were leaked by WikiLeaks, contain coded messages referring to human trafficking and connecting a number of restaurants in the United States and members of the Democratic Party with a child-sex ring. It has been discredited by a wide array of sources across the political spectrum. The result of this fake news was a gunman firing 3 shots in a New York restaurant based on this false information. This case, described in detail in the Wikipedia article, makes for a fascinating case study in Internet social psychology.
  • The Gamergate controversy concerns issues of sexism and progressivism in video game culture, stemming from a harassment campaign conducted primarily through the use of the Twitter hashtag #GamerGate. Gamergate targeted several women in the video game industry, including game developers Zoë Quinn and Brianna Wu, as well as feminist media critic Anita Sarkeesian. After a former boyfriend of Quinn wrote a lengthy disparaging blog post about her, other people falsely accused her of entering a relationship with a journalist in exchange for positive coverage and threatened her with assault and murder.
  • Marco Chacon created the fake news site RealTrueNews to show his alt-right friends their alleged gullibility. Chacon wrote a fake transcript for Clinton’s leaked speeches in which Clinton explains bronies to Goldman Sachs bankers. Chacon was shocked when his fiction was reported as factual by Fox News and he heard his writings on Megyn Kelly’s The Kelly File. Trace Gallagher repeated Chacon’s fiction and falsely reported Clinton had called Bernie Sanders supporters a “bucket of losers” — a phrase made up by Chacon. After denials from Clinton staff, Megyn Kelly apologized with a public retraction. Chacon later told Brent Bambury of the CBC Radio One program Day 6 that he was so shocked at readers’ ignorance he felt it was like an episode from The Twilight Zone.
  • Forbes reported that the Russian state-operated newswire Sputnik International reported fake news and fabricated statements by White House Press Secretary Josh Earnest. Sputnik falsely reported on 7 December 2016 that Earnest stated sanctions for Russia were on the table related to Syria, falsely quoting Earnest as saying: “There are a number of things that are to be considered, including some of the financial sanctions that the United States can administer in coordination with our allies. I would definitely not rule that out.”

The list goes on …

Rumours and false information are not specific to the Internet and have been around since the dawn of man. But the Internet has made it very easy to disseminate information, be it true or false. The Spiral of Silence theory comes to mind:

The spiral of silence theory is a political science and mass communication theory proposed by the German political scientist Elisabeth Noelle-Neumann, which stipulates that individuals have a fear of isolation, which results from the idea that a social group or the society in general might isolate, neglect, or exclude members due to the members’ opinions. This fear of isolation consequently leads to remaining silent instead of voicing opinions. Media is an important factor that relates to both the dominant idea and people’s perception of the dominant idea. The assessment of one’s social environment may not always correlate with reality.

And that last statement says it all – social environment vs reality. The social Internet has turbo-charged our ability to both disseminate false information and repeat it, as opposed to reality. And based on a sample of shared stories on Facebook, we’re pretty good at it.

So what’s with all this philosophy in a tech blog? Because false information can have a direct bearing on our online and real-world security. It’s in our interests to treat information as false until we have verified it, and only then act on it. We need to scrutinise news and information published through social media in the same way we need to be suspicious of a phishing email. There are numerous online resources for determining the quality and validity of information, so there is no excuse for forwarding false information. In fact, social media can be used as an exercise in learning about false information as a prelude to identifying other online security issues such as phishing, malware, spyware and spam.

If you’re keen to share something on social media, make sure you validate that information first. And don’t take offence when someone points out that something you’ve posted may be incorrect – rather, accept the correction with grace and move on. We all make mistakes from time to time – we’re “only human”.

DNS Meltdown

There have been enough clues over the last few years that the global DNS system, as used in its current form, is particularly frail and subject to simple attacks. Yet the main commercial protagonists piggy-backing onto this system have remained almost spectacularly silent on the issue, and there seems to be little impetus to change things. Similar to the massive holes found in OpenSSL 2 years ago, the DNS system performs a critical job with very little support. As was the case with OpenSSL after those issues, it’s probably time for a few of the larger companies who are making a living from the internet to come together and add their financial muscle to the DNS system.

Dyn’s meltdown last Friday is a small hint of what’s to come. But besides Dyn’s specific problems, there are some issues here that need addressing:

First, why do global brands like CNN, Twitter and Spotify use a 3rd party for their authoritative DNS? This alone beggars belief … it takes a skilled IT admin a few hours to put up a geo-safe, high-availability authoritative DNS solution. Were they trying to save money? Was it simply the easy route? Or maybe they were sold on the Cloud gravy train … where TITSUP* seems to be a common theme.

Second, is it too much to ask that manufacturers of IoT devices do at least the simplest of security audits on their products? Perhaps there should be a global programme where a seal of approval is given to IoT devices once they’ve passed a security test.

And finally, the DNS system itself: an aging 35-year-old solution that’s well past its sell-by date. Amplification attacks on the DNS infrastructure are simple to enact. The DNS system needs to be rebuilt with security in mind, even if this means running a dual system for a period or breaking the internet.

Because if we don’t do something soon, a trivial attack on the DNS system will mean total carnage for the internet as we know it.

*total inability to support user performance

Security News – WK4 May 2016

The great Linkedin hack

A hacker called “Peace” recently tried to sell a password database of ~117 million LinkedIn login details that came as the result of a 2012 breach of the professional relationship social media site.

In a blog post published on May 18, LinkedIn CISO Cory Scott wrote, “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.”

All affected passwords are being reset, Scott wrote, and all those impacted will be notified. “We have no indication that this is as a result of a new security breach,” he added.

There is a high possibility that users who have not changed their password since that time have been compromised. Even worse, the common practice of password reuse on other sites could result in hackers having access to those sites as well.

MySpace, Tumblr and Fling are other sites that were caught up in the same hack and are vulnerable too. If anyone has a MySpace (new) or LinkedIn account, now is the time to both change your password and enable two-factor authentication.

As unwieldy as it sounds, using distinct and unique passwords for each site is the way to go. This is a huge burden to users with accounts on many sites, but a password manager (like KeePass) can assist greatly in improving security and automating the chore of logging into sites.

Teamviewer becomes a remote pawn

The last month has seen a marked increase in TeamViewer attacks, either due to a breach in TV’s own systems or due to the above password reuse issue. The exact cause is not known yet, but the problem is accelerating, with more victims coming to the fore each day. Malware actors are logging into TeamViewer-accessible systems, dumping browser credential databases (another reason to use a password manager instead of the browser’s password store) and using these credentials (yes, people are saving their banking login details in their browser password manager) to access financial systems, transfer money and cause all sorts of chaos.

One option is not to leave TV running on systems but rather to activate it as required. Not efficient or easy to use, but certainly much safer.

Squatting

Can you spell? Well, that may be the difference between getting to the correct site or not. And being safe.

A class of threat called typosquatting makes use of sites with addresses that are similar (but not the same) to well-known sites, to host malware. E.g. let’s say you wanted to go to www.ibm.com but actually typed in www.bmi.com. You don’t notice the mistake and get sent on to a site that looks like www.ibm.com but is not. In addition, this mistaken site now hosts malware that infects your machine.

This issue is more common than one would like to think, and malware authors are starting to put up a lot of sites with domain names that are similar to mainstream and popular sites. It’s not just important to monitor the SSL certificates of websites but also the address itself – this is especially true for transactional sites like online banking, eCommerce and the like. Be wary …
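As an added example (not from the original post), here is the kind of lookalike check a browser plugin or proxy filter would run on the destination hostname: given a short list of trusted domains, it flags a host that is a typo, a jumbled-letter permutation (the post’s ibm/bmi case), a confusable-character substitute or a wrong-TLD variant of one of them. The trusted list, the confusable table and the distance thresholds are constructed assumptions, and the checks go beyond the post’s single example to the general cases.

```python
"""Lookalike-domain check (added example; the trusted list, confusable table
and thresholds below are assumptions, not values from the post)."""
from __future__ import annotations

# Constructed allow-list of domains the user actually intends to visit.
TRUSTED_DOMAINS = ["ibm.com", "paypal.com", "google.com", "amazon.com"]

# Small, hypothetical table of visually confusable sequences -> what they mimic.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def registrable(host: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.'.

    Multi-part public suffixes (co.uk etc.) are not handled: the last label is
    treated as the TLD and everything before it as the name."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def split_name(domain: str) -> tuple[str, str]:
    """'ibm.com' -> ('ibm', 'com'); a bare label gets an empty name."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and a
    swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def fold_confusables(s: str) -> str:
    """Replace each confusable sequence with the character it imitates."""
    for seq, real in CONFUSABLES.items():
        s = s.replace(seq, real)
    return s


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS) -> str | None:
    """Return the trusted domain that `host` imitates, or None when `host` is
    genuine (the trusted domain itself or one of its subdomains) or unrelated.

    Checks, in order: identical name under a different TLD (ibm.cm), jumbled
    letters (bmi vs ibm), confusable characters (paypa1), small edit distance
    (gogle). A hit means "flag for review", not "proven malicious"."""
    domain = registrable(host)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None
    name, tld = split_name(domain)
    for t in trusted:
        t_name, t_tld = split_name(t)
        if name == t_name and tld != t_tld:
            return t
        if sorted(name) == sorted(t_name):
            return t
        if fold_confusables(name) == fold_confusables(t_name):
            return t
        # Short names get a tighter budget: 'ibm' is one edit from many words.
        limit = 1 if len(t_name) < 6 else 2
        if osa_distance(name, t_name) <= limit:
            return t
    return None


if __name__ == "__main__":
    for h in ["www.ibm.com", "www.bmi.com", "mail.google.com", "gogle.com",
              "paypa1.com", "arnazon.com", "ibm.cm", "example.com"]:
        target = lookalike_of(h)
        print(f"{h:18} -> {'looks like ' + target if target else 'ok'}")
```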

WordPress plugins, again …

WordPress is the most-used blogging platform in the world and has become very popular with website designers as well. WordPress has been a favourite target for hackers, but the developers are fairly proactive and, for the most part, WP itself is kept secure. The same cannot be said for WP’s impressive 3rd-party plugin library, where anyone can store and offer plugins.

These are regular recipients of hacks, including popular and well-maintained plugins. Recently, the WP Mobile Detector plugin has been compromised by a vulnerability that is being actively exploited to distribute porn-related spamming scripts. The plugin has been removed from the official WP plugin directory, but there are probably many site owners out there that are still vulnerable. There is no update for this issue yet, so the only option is to disable the plugin.

Healthcare and your ( digital ) health

The breaching of healthcare systems is becoming an almost daily occurrence. This makes it even more concerning when healthcare companies (e.g. Discovery) want to automatically provide your health status to 3rd parties via systems like Discovery HealthID. Like financial information, health details are some of the most private data that a private individual possesses. One cannot discount the benefits of 3rd parties having access to life-saving critical data about you, especially in emergencies, but how is this data handled and secured outside of those emergencies?

I’m only using Discovery as an example here – they state in their T&Cs:

I understand that once Discovery Health has shared my information with authorised medical practitioners, Discovery Health has no further control over this information and they will not be accountable for its safeguarding. I also understand that the authorised medical practitioners have confirmed to Discovery Health that they will treat my information as confidential and in line with applicable laws.

and

I agree that by making this information available, Discovery Health will not be responsible for any loss or damage (whether direct or indirect) that may arise from the use of this information, other than where it is due to or attributable to grossly negligent or fraudulent conduct by Discovery Health.

What chance would one have to prove negligent conduct by one of these large companies? Food for thought.

Surprise!

And following on from Locky comes Surprise, this week’s flavour of ransom-ware! Yeah! This latest ransom-ware family, which is being distributed via TeamViewer 10, specifically version 10.0.47484, launches a file remotely called surprise.exe and then silently goes about its business injecting malware and encrypting files. TeamViewer themselves have indicated that they’ve had no breach of credentials (which appears to be what is assisting the spread of this malware) and that it’s likely a case of compromised end-user credentials. As per most modern r-w malware, RSA-2048 and AES-256 are employed to do the dirty work, and there is little to no chance of decrypting without the keys. The C&C is down at the moment, so it looks like there is a lull in activity, but that doesn’t stop the malware from spreading. Extreme caution is required, and make 100% sure that you have dependable and reliable backups, because backups are the only verifiable method of recovery. Security awareness training can also go a long way towards avoiding infection completely.

Security News – Wk2/3 Mar 2016

MITRE has been running the CVE vulnerability identification and logging system for what seems like forever. Mostly this has worked well, but recently it seems that applications to MITRE for CVE numbers have been taking longer than expected. In fact, the issue appears to be so bad that Kurt Seifried from Red Hat has decided to create a complementary system to CVE for assigning vulnerability identifiers, calling it DWF – the Distributed Weakness Filing system. DWF uses the same format as CVE, and if you have a CVE number already, this will be mapped directly to DWF. It seems that this action has woken MITRE up and they have started engaging with stakeholders to improve things. Identifiers are very important because they allow everyone to see if a vuln has been logged by someone else, they keep a common identifier that all can work with, and they lend a sense of legitimacy to vuln logging. Let’s hope the 2 groups can reach common ground.

Locky is a new strain of ransom-ware that is starting to make waves; or encrypted files, as it were. Locky is unusual in that it uses JavaScript attachments to spread its wares. Locky is being distributed by the same botnet responsible for the Dridex trojan – they’ve simply changed the delivery mechanism ( .js ) and the payload ( ransomware ). Apparently, this has been enough to fool some AV programs. Locky will go after any accessible files, including those on network shares. In addition, it will delete VSS shadow copies, so making sure you have alternate backups is critical. Time to block .js files at the border of your networks.
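One way to act on that last point at the mail border, added here as an example and not code from the original post: a filter that parses an inbound message, flags attachments with a script extension, and also looks inside .zip attachments, since a script file is easily hidden in an archive. The extension list beyond .js, the function names and the sample invoice mail are my own assumptions; the sample mail is constructed for the example and contains no real malware.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# .js is the extension the post talks about; the rest are other extensions the
# Windows script host will happily run on double-click (my addition, not from the post).
BLOCKED_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


def _suffix(name):
    """Lower-cased extension of a filename, including the dot, or '' if none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def blocked_attachments(raw_message):
    """Return names of attachments that should stop this message at the border.

    Checks each attachment's filename directly and, for .zip attachments,
    the filenames inside the archive (as 'outer.zip:inner.js').
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _suffix(name) in BLOCKED_EXTENSIONS:
            found.append(name)
        elif _suffix(name) in ARCHIVE_EXTENSIONS:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for inner in zf.namelist():
                        if _suffix(inner) in BLOCKED_EXTENSIONS:
                            found.append(f"{name}:{inner}")
            except zipfile.BadZipFile:
                # An archive we cannot open cannot be inspected, so treat it as suspect.
                found.append(f"{name}:(unreadable archive)")
    return found


def build_sample_message():
    """Constructed test mail in the style of an invoice lure: a .zip holding a .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed stand-in file, not real malware\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    hits = blocked_attachments(build_sample_message())
    print("blocked:" if hits else "clean", hits)
```

The filter only looks at filenames, which is the cheap first layer; a border gateway would normally also sniff content types, since a renamed script is still a script once the user saves and opens it.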

The first Mac OS X ransom-ware recently came to light – dubbed KeRanger. This r-w is in fact just a copy of Linux Encoder which arrived in November 2015. KeRanger is basically a rewrite of v4 of Linux Encoder and while previous releases had a decryption tool available ( from BitDefender ), this release does not. KeRanger was originally distributed with the Transmission BitTorrent client, the result of the Transmission site being compromised. Linux Encoder is also not an original piece of software and comes as a result of Hidden Tear which is PoS ransom-ware …

Stagefright was an interesting Android exploit from last year that was mostly mitigated by the ASLR memory feature in Android. But a new variation on Stagefright, called Metaphor, has been released that apparently bypasses the ASLR protections. Let’s see what Google has to say about this over the next few days.

The UK’s telecoms regulator, Ofcom, was recently the subject of an insider data leak, with a former employee offering swathes of Ofcom data to their new employer. Kind of a silly thing to do, because the new employer promptly alerted Ofcom. This incident goes to show that internal threats remain a serious barrier to maintaining network security. With more than a third of data breaches resulting from employee actions, this is an area of security that’s becoming increasingly difficult to manage and balance against employee rights.

One of the biggest attacks of last week comes through advertising – or malvertising, as it’s commonly called. A number of high-profile sites including BBC, MSN and Newsweek ended up hosting ads that redirected visitors to sites serving malware and ransom-ware. The internet advertising community has already been under siege for the last few years due to their high-handed tactics and invasive techniques – this latest attack is unlikely to help their cause. If this news spreads further, people will start to view ad-blockers as another layer of security. Goodbye ads, most of them anyway. Google had better make a convincing statement soon, or the ads industry for the web faces a recession.

For my own security, I’ve been using Privacy Badger for a number of years now; this stops the automated execution of scripts in ads that might otherwise do damage. Am I aiding in the death of the ads industry? I’m not sure of that but I’d choose my security over the ad industry’s protection any day. Especially since the ads industry has not cleaned house. Maybe this latest attack will give them a wake-up call.

DROWN

Another day, another SSL attack. A new, low-cost attack has been found that decrypts sensitive communications in a matter of hours, and in some cases almost immediately. I hereby name you DROWN! And CVE-2016-0800.

The attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed even indirectly through SSLv2, a TLS precursor that was retired almost two decades ago because of crippling weaknesses. The vulnerability allows an attacker to decrypt an intercepted TLS connection by repeatedly using SSLv2 to make connections to a server.

The fact is, though, that many of the listed SSL-based attacks over the last 2 years ( and yes, there have been quite a few ) are not inherently serious, or do not have a large attack surface. Many require a particular ( and unusual ) set of circumstances and dependencies that make their effectiveness, well, less effective.

And DROWN is not dissimilar. It requires SSLv2 to be enabled on the web server. For those in the know, and any sysadmin worth their salt, anything below TLSv1 ( at the very least ) should have been switched off on your web servers years ago already. Known issues with these lesser versions of encryption have absolutely mandated their non-use. But unfortunately, the ease with which a web server can be put online bears no relation to the technical skill of those putting these servers online. So you can bet there are some misconfigured servers out there.

But the attack surface for DROWN should be relatively small, and those who are affected will probably ( and hopefully ) not be providing anything of value on their sites.

There’s a lesson to be learnt here though: just because something may seem simple to do on the surface, does not mean it is in reality. There’s no replacement for skill and experience.