When Microsoft made it possible for enterprises to quickly resolve incompatibilities between their applications and new Windows versions, it didn’t intend to help malware authors as well. Yet this feature is now abused by cybercriminals for stealthy and persistent malware infections.

The Windows Application Compatibility Infrastructure allows companies and application developers to create patches, known as shims. These consist of libraries that sit between applications and the OS and rewrite API calls and other attributes so that those programs can run well on newer versions of Windows. Shims are temporary fixes that can make older programs work even if Microsoft changes how Windows does certain things under the hood. They can be deployed to computers through Group Policy and are loaded when the target applications start. Shims are described in special database files called SDBs that get registered on the OS and tell Windows when they should be executed.

Security researchers have warned that this functionality can be abused to inject malicious code into other processes and achieve persistence, and it seems the attackers were listening. Security researchers from FireEye have recently seen the shim technique used by a group of financially motivated cybercriminals known in the security industry as FIN7 or Carbanak. Since 2015, this group has stolen between $500 million and $1 billion from hundreds of financial organizations worldwide.

FIN7 has recently diversified its targets and in March launched a spear-phishing campaign that targeted personnel involved with U.S. Securities and Exchange Commission (SEC) filings at organizations from multiple sectors, including financial services, transportation, retail, education, IT services and electronics.

In an even more recent FIN7 attack detected by FireEye, the group used a PowerShell script to register a rogue shim database for services.exe, a legitimate Windows process.
This ensured that its malicious shim code started on every system reboot and injected the Carbanak backdoor into the Windows Service Host (svchost.exe) process. The group used the same technique to install a tool for harvesting payment card details from compromised systems, the FireEye researchers said in a blog post. “This was a departure from FIN7’s previous approach of installing a malicious Windows service for process injection and persistent access.”

In the attack seen by FireEye, the rogue shim database masqueraded as a Windows update using the description: Microsoft KB2832077. This Microsoft Knowledge Base (KB) identifier does not correspond to any legitimate patch, so finding a reference to it in the system registry or in the list of installed programs can be a sign that the computer was compromised by FIN7.

To detect shim attacks, the FireEye researchers recommend monitoring for new files in the default shim database directories, monitoring for changes in registry keys related to shim database registrations, and monitoring for processes that call the “sdbinst.exe” utility.

The post Cybercrime group abuses Windows app compatibility feature appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/cybercrime-group-abuses-windows-app-compatibility-feature/
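The three detections FireEye recommends, written as an added example (not FireEye's code) that runs over constructed Sysmon-style event records. The sdbinst.exe and "Microsoft KB2832077" indicators come from the article; the AppCompatFlags registry keys and the AppPatch\Custom directory are assumed to be the standard Windows locations, which the article does not name.

```python
import re

# Standard Windows locations for custom shim databases (assumed from Windows
# documentation; the article does not name them).
SDB_REG_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB",
)
SDB_DIR = r"C:\Windows\AppPatch\Custom"
# Description FireEye observed on the rogue database (from the article).
KNOWN_BAD_DESCRIPTIONS = {"microsoft kb2832077"}
# Script hosts that rarely have a legitimate reason to register a shim.
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Core system binaries; a shim registered against one is a strong signal.
SYSTEM_TARGETS = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(evt: dict) -> list:
    """Return findings ("<severity>: <message>") for one event; [] if benign."""
    findings = []
    kind = evt.get("EventType")
    if kind == "ProcessCreate":
        # Detection 3: any invocation of the sdbinst.exe utility.
        if _basename(evt.get("Image", "")) == "sdbinst.exe":
            parent = _basename(evt.get("ParentImage", ""))
            cmd = evt.get("CommandLine", "")
            sev = "high" if parent in SCRIPT_PARENTS else "medium"
            findings.append(f"{sev}: sdbinst.exe launched by {parent}: {cmd}")
            # An .sdb staged outside the default directory is extra suspicious.
            m = re.search(r'"?([^"\s]+\.sdb)"?', cmd, re.I)
            if m and not m.group(1).lower().startswith(SDB_DIR.lower()):
                findings.append(f"high: shim database installed from non-default path {m.group(1)}")
    elif kind == "RegistryEvent":
        # Detection 2: writes under the shim-database registration keys.
        target = evt.get("TargetObject", "")
        low = target.lower()
        if low.startswith(tuple(p.lower() for p in SDB_REG_PREFIXES)):
            findings.append(f"medium: shim database registration: {target}")
            if str(evt.get("Details", "")).strip().lower() in KNOWN_BAD_DESCRIPTIONS:
                findings.append(f"high: known FIN7 shim description '{evt['Details']}' in {target}")
            # Under ...\Custom the next path element is the shimmed executable.
            custom = SDB_REG_PREFIXES[0].lower() + "\\"
            if low.startswith(custom):
                shimmed = low[len(custom):].split("\\")[0]
                if shimmed in SYSTEM_TARGETS:
                    findings.append(f"high: shim registered for system process {shimmed}")
    elif kind == "FileCreate":
        # Detection 1: new .sdb files in the default shim database directory.
        fname = evt.get("TargetFilename", "")
        if fname.lower().startswith(SDB_DIR.lower()) and fname.lower().endswith(".sdb"):
            findings.append(f"medium: new shim database file {fname}")
    return findings


def analyze_events(events) -> list:
    """Run analyze_event over a sequence of events and collect all findings."""
    out = []
    for evt in events:
        out.extend(analyze_event(evt))
    return out


# Constructed Sysmon-style records (GUID is a dummy), not real telemetry.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r'sdbinst.exe -q "C:\Users\Public\svc.sdb"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventType": "RegistryEvent",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\services.exe\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"EventType": "RegistryEvent",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{11111111-2222-3333-4444-555555555555}\DatabaseDescription",
     "Details": "Microsoft KB2832077"},
    {"EventType": "FileCreate",
     "TargetFilename": r"C:\Windows\AppPatch\Custom\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```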
Whether to select a best-of-breed or an integrated security solution is an age-old question, and it’s no different for channel partners when deciding what security products to deploy for their clients. The verdict? There is no right or wrong answer, channel security experts said; it comes down to what makes the most sense for the individual organization.

The number of highly publicized security breaches over the years has prompted organizations to develop in-depth security strategies to protect their networks from cyberattacks. This led to a proliferation of vendors and technologies, many of which work in a siloed manner, creating management headaches for IT, especially as they have to contend with an avalanche of alerts and notifications. As a result, some vendors now offer integrated security solution suites that tie together many elements of IT security. Channel security providers said there are advantages and negatives to both approaches.

“Security is not one-size-fits-all, so it depends on the type of organization and what their risk tolerance level is,” said Michelle Drolet, CEO at Towerwall Inc., a data security services provider based in Framingham, Mass. “There are a lot of questions that need to be answered before you can make that decision.”

Today’s security challenges

The security product landscape has changed significantly, compared to five to 10 years ago, when companies offered products for endpoint and email protection, URL filtering and also firewalls, “and no one talked to each other,” Drolet said.
Now, there are integrated security solution suites from providers such as Sophos and Cisco, which purchased Sourcefire, a next-generation firewall, and Forcepoint, which purchased Websense for URL filtering, Drolet said. As a result, “There’s a lot of best-of-breed products inside the integrated solutions,” she noted.

For other channel companies, the decision is more clear-cut and they believe unequivocally the best-of-breed approach is the way to go. Key Information Systems, based in Agoura Hills, Calif., offers colocation and distributed denial of service (DDoS) mitigation services, and also resells Palo Alto and Cisco firewalls. Scott Youngs, Key Information Systems’ CIO, said that while the company takes “the best-of-breed approach” it is “also the best of breed appropriate to the client.”

Small and medium businesses have different challenges and different needs than a 1,000-person enterprise, he explained, since they may not have security staff with specialized skill sets for products like Splunk and Palo Alto’s Traps and WildFire. The most important thing a security provider can and should do is have a conversation with clients to see if their organizations can handle different platforms for different security needs, and whether they have the right people to manage them, Youngs emphasized.

“This is the challenge with all the products that are out there,” he said. “You have to move into the solution sell, not just the widget sell. You’re not doing the client a service if you don’t first have a conversation of ‘What problem are you trying to solve?’ and ‘Do you have the people to run the particular product?'”

What frustrates Youngs, and what he has seen on more than one occasion, is when his company is contacted by a prospective client that bought a “fairly large behemoth” all-in-one package, and the person charged with managing it quits.
“Then we get the call, ‘Hey, can you help us run this?’ It’s not what we do, but we can sit down and help them see what the right path forward is,” Youngs explained. He said he usually hears that management depended on that one person to run this system and there’s been no cross-training, “and now they’re screwed.” This happens across all technologies — not just security, he added.

Zohar Pinhasi, CEO at MonsterCloud, a managed cybersecurity services firm based in Hollywood, Fla., also believes buying best of breed makes the most sense. “The way I see it, you can’t really have one suite that protects your business.” He also finds that “unfortunately, and this is the reality, businesses feel they can win the war with guns,” meaning having lots of security products. A company could deploy a million dollars’ worth of security products, but all it takes is one smart hacker who bypasses those systems, he said.

“Customers are investing in hardware and software, compared to investing in people,” Pinhasi said. “At the end of day … finding the right IT guy can save a lot of money in hardware and software because this guy will know how to create the right protection for your network without spending a lot of money.” That said, companies should adopt a best-of-breed strategy, Pinhasi said, because “every security platform handles one specific area. Yes, you can [deploy] a security suite but, unfortunately, they’re good at one piece and not the other.”

NTT Security, the security arm of NTT Group, also believes in providing best-of-breed products to its customers, said Gary Napotnik, senior vice president of global marketing. This is where channel partners can provide significant value add. “One of the biggest challenges facing organizations’ IT departments is lack of experience in cybersecurity,” he said.
“By offering a comprehensive, yet modular approach to cyber resilience, NTT Security delivers best-of-breed services across its entire portfolio — there are no gaps. This holistic approach to cybersecurity ensures clients receive the prevention, protection and remediation they need.”

The pros and the cons of both approaches

The integrated security solution suites have come a long way, Drolet observed. Years ago, “If we had this conversation I would not be saying [this],” she said. But given how the threat landscape has grown and become scarier, she said, technologies such as next-generation firewalls and encryption have come such a long way that the suites have become more intuitive and better at providing better security.

Towerwall acts as the virtual CISO to three New England hospitals — two in Maine and one in New Hampshire. The company provided risk assessment services and has become “the one throat to choke,” Drolet said. As three disparate organizations, the hospitals use a lot of different security technologies and have a selection process requiring input from different people. “We’re helping them have those conversations,” Drolet said. Because two of the hospitals were using the same technology for security information and event management (SIEM), the other hospital “got on board and said, ‘Okay, we’ll do that as well,'” she said.
In this instance, the available options are IBM’s QRadar and HP, which purchased ArcSight, but there’s no integrated SIEM platform, according to Drolet. “That’s where there’s a tradeoff with integrated solutions, and that’s what we tell our customers: Do you need best of everything or do you need something that’s really good and utilizes 75% of its attributes?”

Typically, clients say they appreciate that they can utilize the technologies they own, Drolet said. Echoing Youngs, she said the customer is glad to “not just have someone throw technologies at them. And that’s where we need to be careful as security partners to our customers — because if you’re just selling best of breed and not really integrating it, the customer has a very false sense of security.” If an organization is only using 10% of whatever product from a so-called best-of-breed vendor, they are not protected, she emphasized. “And that scares me to death. And I think, ‘Oh my gosh, how much do they actually have deployed?’ And the stuff fights each other so then you have to turn it down. That’s another check off box [in favor of] integrated [suites].”

A negative of the best-of-breed approach is having too many management consoles, Drolet said. “Information security is about repeatable processes, so whatever technologies you’re using, you need to have documented,” she said. The organization can decide how often it wants reports generated, however: “If there are too many technologies, nothing’s going to get done, unfortunately, because people don’t have the big staffs they used to have,” she said. “So that’s a risk. If you have a lot of different consoles, people have to go in and view every day, and look for threats and attacks.”

With the integrated suite approach, there is a single pane of glass and with “one throat to choke … there could never be finger-pointing,” Drolet said. Also, “everything’s talking to each other.
All the data should be correlated,” so a company is notified of a potential breach or cyberattack. “Target, for example, had every bell and whistle — every monitoring tool — but it gets so noisy you start ignoring stuff and nothing talks to each other,” Drolet maintained. “So that’s how that breach happened. All the information was there, but no one was looking at it. And the bad guys are getting badder.”

Yet, a negative to the integrated security solution approach would be if a client only needs data leakage prevention technology, for example, and the integrated solution provides pieces of what the company needs. “So then, you have to go out and buy a best-of-breed solution, because you have a risk you have to take care of and the integrated solution can’t do it for you,” Drolet said. But Pinhasi believes “one giant system is not practical because … cybersecurity evolves on a daily basis, and I truly don’t believe you can have one system that will handle everything from A to Z and do the right job.”

How to pick products

The best-of-breed approach has led to a proliferation of vendors, creating a challenge when it comes to deciding how to select one for a client’s needs. Towerwall creates a requirements document so the company can understand what is really important to the client, what their risk tolerance is, what the actual problem is they’re trying to solve and whether it will be solved by technology or process. “Sometimes it’s not about technology,” Drolet noted. “I think as VARs [value-added resellers] or as consultants, we need to help our customers understand the threat landscape and help them figure out what their risk tolerance is, because that changes the whole story. If they have high risk tolerance, there’s different technologies for that. Then we have to talk about budget: Do you have a Chevy budget, but want a Cadillac?” In the final analysis, it is better not to pick a “side” when it comes to best-of-breed products versus integrated suites, she said.
If a company tells its managed security services provider it wants to order 30 copies of McAfee’s antivirus software, ask what is prompting this, since it requires a different discussion if they have already been hit with ransomware, Youngs advised. “At least have a conversation with them so they go in with eyes wide open, especially with security,” he said. “There’s a lot of bad guys out there and there’s a lot of vectors of attack. Any VAR should be doing that.”

“It depends on the customer and the problem and what they need,” Drolet agreed. “It’s about learning and listening to what the customer needs and what they’re concerned about, and then you can decide. We just don’t want to throw spaghetti against the wall.”

The post Channel weighs integrated security solution vs. point-product approach appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/channel-weighs-integrated-security-solution-vs-point-product-approach/

Google said that up to 1 million Gmail users were victimized by yesterday’s Google Docs phishing scam that spread quickly for a short period of time. In a statement, Google said that fewer than 0.1 percent of Gmail users were affected; as of last February, Google said it had one billion active Gmail users.

Google took measures to protect its users by disabling offending accounts, and removing phony pages and malicious applications involved in the attacks. Other security measures were pushed out in updates to Gmail, Safe Browsing and other in-house systems. “We were able to stop the campaign within approximately one hour,” a Google spokesperson said in a statement. “While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event.”

The messages were a convincing mix of social engineering and abuse of users’ trust in the convenience of mechanisms that share account access with third parties.
Many of the phishing messages came from contacts known to victims, since part of the attack includes gaining access to contact lists. The messages claimed that someone wanted to share a Google Doc with the victim, and once the “Open in Docs” button in the email is clicked, the victim is redirected to a legitimate Google OAUTH consent screen where the attacker’s application, called “Google Docs”, asks for access to the victim’s Gmail and contacts through Google’s OAUTH2 service implementation. OAUTH is a standard that allows the user to authorize account access to third-party applications through the exchange of an authorization token behind the scenes, rather than requiring a password from the user.

While the ruse was convincing in its simplicity, there were a number of red flags, including the fact that a Google service was asking for access to Gmail, and that the “To” address field was to an odd Mailinator account. Also, the developer information associated with the Google Docs malicious app was linked to a Gmail address connected to a Eugene Pupov. A Twitter account profile bearing that same Gmail address said Pupov was a Coventry (U.K.) student, and tweets from the account yesterday claimed the emails were not a phishing attack, but a graduate final project. The Twitter account has been taken down, and a message to the Gmail account from Threatpost bounced back.

Bojan Zdrnja, a handler with the SANS Internet Storm Center, identified a number of spam domains involved, all with different TLDs for googledocs[.]g-docs[.]xxxx or googledocs[.]docscloud[.]xxxx. Many of those domains were taken down within 15 minutes of the first reports. Google also quickly updated Safe Browsing and Gmail with warnings about the phishing emails and attempts to steal personal information.
The phishing emails spread quickly on Wednesday and likely started with journalists and public relations professionals, each of whom is likely to have lengthy contact lists, ensuring the messages would continue to spread in an old-school worm-like fashion. Researchers at Duo Security said today during a short Q&A hosted on YouTube that the scam was also particularly effective because it did not require email spoofing like traditional phishing campaigns. As designed, Wednesday’s attack bypassed all email security checks embedded in Gmail such as SPF and DKIM, which are designed to check sender reputations and prevent spoofing, said Duo analyst Trevor Sokley.

As for OAUTH, which experts point out has its shortcomings in terms of security and privacy, Google’s implementation doesn’t seem to be at fault, said the Duo researchers as well as Johannes Ullrich, dean of research at the SANS Institute. Ullrich pointed out that people are used to the convenience of the Google OAUTH process, and failed to recognize the excessive behavior of the malicious Google Docs app. “In this case, the OAUTH message did correctly state that the application asked for access to the user’s e-mail. This ‘should’ have been a tip off that the application wanted to do more than share a document,” Ullrich said. He added that Google could overtly bring publisher information forward to the user, which might help raise a red flag.

“From a user education perspective, it is important to emphasize the danger of sharing access with third-party applications, and to be sensitive if an application needs all the privileges it asks for,” Ullrich said. “This is also often abused for user profiling and monitoring (e.g. Facebook applications almost always try to get a list of your friends).” OAUTH’s open nature allows anyone to develop similar apps.
The nature of the standard and interaction involved makes it difficult to safely ask for permission without giving the users a lot of information to validate whether an app is malicious, said Duo’s Sokley. “There are many pitfalls in implementing OAUTH 2.0, for example cross site request forgery protection (XSRF). Imagine if the user doesn’t have to click on the approve button, but if the exploit would have done this for you,” said SANS’ Ullrich. “OAUTH 2.0 also inherits all the security issues that come with running anything in a web browser. A user may have multiple windows open at a time, the URL bar isn’t always very visible and browsers give applications a lot of leeway in styling the user interface to confuse the user.”

The post 1 Million Gmail Users Impacted by Google Docs Phishing Attack appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/1-million-gmail-users-impacted-by-google-docs-phishing-attack/

New clues have surfaced on how the Blackmoon banking Trojan is infecting its victims using a new framework to deliver the malware. “We noticed recent campaigns (two weeks ago) where Blackmoon had shifted its infection strategy and is now utilizing a unique and interesting technique,” said Hardik Modi, vice president of threat research at Fidelis Cybersecurity, in an interview with Threatpost.

Blackmoon, also known as KRBanker, is a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques. Now, according to Fidelis, the group behind Blackmoon has adopted a clever new three-stage technique for installing the malware onto victims’ computers. Fidelis calls it the Blackmoon Downloader Framework, describing it in a technical analysis that was posted Thursday. “This framework is unique, not because it is groundbreaking in technique, but because it’s well thought out.
The staging utilizes a number of very clever obfuscation techniques that make it very effective at finding desirable targets and infecting them with the Blackmoon Trojan,” Modi said.

The framework includes three separate downloader pieces that work together to identify targets and deliver the malware. Once installed, the banking Trojan is operating against many South Korean businesses including Samsung Pay, Citibank Korea, Hana Financial Group and KB Financial Group, according to Fidelis.

The Blackmoon infection chain begins with a small 10KB file either sent via a phishing attack that includes a malicious attachment or an exploit kit that takes advantage of a browser vulnerability. The dropper file contains a hard-coded URL that requests additional bytecode around 8KB in size and includes no obfuscation.
“Upon execution, the downloaded bytecode simply resolves any functions it will need. It then decodes an onboard blob of data with a single byte XOR. This contains the URL for the next download, which we observed to be a single-byte XORed PE (portable executable) file named as a jpg,” according to researchers.

“The naming of this entire structure is interesting,” researchers wrote. That’s because the bytecode is downloaded from the file path “/ad_##/cod##” and the PE file downloaded as “/ad_##/test##.jpg”. This naming convention, according to Fidelis, suggests that all of these files are built at the same time, which would make each number a build number and indicate that none of the files are generated on the fly but are hard-coded. “Based on this information, we conclude that the stages of the framework were all built to operate together in this sequence of events,” Fidelis wrote.

Stage three involves the retrieval of the fake jpg file. This file serves two purposes. One is to verify the default language on targeted systems is Korean. When the default language is not Korean, the program goes dormant. Stage three also includes obfuscating command and control communications. Fidelis points out that this last stage of the Blackmoon framework uses a string encoding technique that has been previously discussed by researchers from Palo Alto Networks. “The framework, related to KRBanker/Blackmoon, encodes the strings with base64, swaps the case of the letters, and replaces the padding character ‘=’ with ‘@’,” wrote Fidelis. Fidelis believes one of the purposes of this obfuscation is to cloak the decoding of the C2 address that the framework uses.

“After check-in, the bot writes the downloaded exe file, along with random appended overlay data, to %TEMP% and then executes the program before deleting itself,” according to the research. The program is the last stage for delivering the malware.
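Analyst-side decoders for the two obfuscation layers described above, added here as an example and not Fidelis' code: the base64/case-swap/'@'-padding string encoding used on the C2 strings, and the single-byte XOR applied to the onboard URL blob and to the PE delivered as a ".jpg". All sample data is constructed; the C2 host is a placeholder and the paths use the "##" placeholders exactly as the article prints them.

```python
import base64
import struct


def decode_blackmoon_string(encoded: str) -> bytes:
    """Reverse the string encoding: '@' back to '=', swap case, base64-decode."""
    restored = encoded.replace("@", "=").swapcase()
    return base64.b64decode(restored, validate=True)


def encode_blackmoon_string(raw: bytes) -> str:
    """Forward transform (base64, swap case, '=' to '@'); used to build test data."""
    return base64.b64encode(raw).decode("ascii").swapcase().replace("=", "@")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the layer applied to the URL blob and the fake .jpg."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key_for_pe(blob: bytes):
    """Brute-force the key of a single-byte XORed PE (the 'test##.jpg' stage);
    returns the key, or None if no key yields a valid PE header."""
    for key in range(256):
        if looks_like_pe(xor_single_byte(blob, key)):
            return key
    return None


def recover_xor_key_for_url(blob: bytes):
    """Brute-force the key of the onboard blob that should decode to a URL;
    returns (key, url) or None. Printable-ASCII filtering rejects false hits."""
    for key in range(256):
        plain = xor_single_byte(blob, key).rstrip(b"\x00")
        if plain.startswith((b"http://", b"https://")) and all(0x20 < b < 0x7F for b in plain):
            return key, plain.decode("ascii")
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: MZ header, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed samples (placeholder host; keys 0x33 and 0x5A chosen arbitrarily).
SAMPLE_C2 = encode_blackmoon_string(b"http://c2.example.invalid/ad_##/test##.jpg")
SAMPLE_ENCODED_URL = xor_single_byte(b"http://c2.example.invalid/ad_##/cod##\x00", 0x33)
SAMPLE_ENCODED_PE = xor_single_byte(build_fake_pe(), 0x5A)

if __name__ == "__main__":
    print(decode_blackmoon_string(SAMPLE_C2))
    print(recover_xor_key_for_url(SAMPLE_ENCODED_URL))
    print(hex(recover_xor_key_for_pe(SAMPLE_ENCODED_PE)))
```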
The sample of the Blackmoon malware Fidelis examined is similar to previous variants: attackers steal credentials by performing man-in-the-browser attacks. According to Modi, man-in-the-browser attacks traced back to Blackmoon malware are responsible for stealing credentials of 150,000 Koreans in July 2016. “For a crime campaign of this nature where Blackmoon or other Trojans are delivered, we have never seen this type of investment,” Modi said. “With this technique, it is clear adversaries are putting a considerable effort into each of these stages. That, to us, is what is unique about these campaigns.”

The post Blackmoon Banking Trojan Using New Infection Technique appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/blackmoon-banking-trojan-using-new-infection-technique/

A zero-day vulnerability exists in WordPress Core that in some instances could allow an attacker to reset a user’s password and gain access to their account. Researcher Dawid Golunski of LegalHackers disclosed the vulnerability on Wednesday via his new ExploitBox service. All versions of WordPress, including the latest, 4.7.4, are vulnerable, the researcher said.

The vulnerability (CVE-2017-8295) happens because WordPress uses what Golunski calls untrusted data by default when it creates a password reset email. According to the researcher, WordPress creates a From email header before calling a PHP mail() function, which leaves it open to modification. In a proof-of-concept writeup, Golunski points out that WordPress uses a variable, SERVER_NAME, to get the hostname to create a From/Return-Path header for the password reset email. Since that variable, by its nature, can be customized, an attacker could insert a domain of his choosing and make it so an outgoing email could be sent to a malicious address, the researcher says. The attacker would then receive the reset email and be able to change the account password and take over.
“Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers,” Golunski wrote. “This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction.”
Golunski writes that there are three scenarios in which a user could be tricked, and only one of them relies on user interaction. In one, an attacker could perform a denial of service attack on the victim’s email account in order to prevent the password reset email from reaching the victim’s account. Instead, it could bounce back to the malicious sender address, pointed at the attacker. Second, Golunski says some auto-responders may attach a copy of the email sent in the body of the auto-replied message. Third, by sending multiple password reset emails, he says the attacker could trigger the victim to ask for an explanation, below, which could contain the malicious password link.

```
Subject: [CompanyX WP] Password Reset
Return-Path:
From: WordPress
Message-ID:
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:

http://companyX-wp/wp/wordpress/
Username: admin

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:
http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>
```

Golunski said he reported the issue to WordPress’s security team multiple times, initially more than 10 months ago in July 2016. The researcher told Threatpost that WordPress never outright rejected his claim – he says WordPress told him it was working on the issue – but acknowledged that too much time has passed without a clear resolution, something which prompted him to release details on the bug on Wednesday. WordPress did not immediately return Threatpost’s request for comment on the vulnerability Thursday.

While there’s no official fix available, Golunski says users can enable the UseCanonicalName setting on Apache to enforce a static SERVER_NAME value to ensure it doesn’t get modified.
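Two checks for the issue described above, added here as an example and not WordPress code: a toy model of how the sender domain follows SERVER_NAME (and therefore the client's Host header unless a canonical name is pinned, as with the UseCanonicalName workaround the article mentions), and a mail-side detector that parses a reset e-mail shaped like the one quoted above and flags a From/Return-Path domain that does not match the site the reset link points to. All request and e-mail values are constructed.

```python
import email
import re
from email.policy import default
from urllib.parse import urlparse


def sender_domain(request_headers: dict, canonical_name=None) -> str:
    """Domain that ends up in the reset mail's From/Return-Path.

    canonical_name=None models the default where SERVER_NAME follows the
    client's Host header, so a crafted Host lands in the mail headers.
    A fixed canonical_name models a pinned ServerName (UseCanonicalName On)."""
    if canonical_name:
        return canonical_name.lower()
    return request_headers.get("Host", "").split(":", 1)[0].lower()


def reset_mail_headers(request_headers: dict, canonical_name=None) -> dict:
    """Build the two headers the way a SERVER_NAME-based sender address would."""
    addr = f"wordpress@{sender_domain(request_headers, canonical_name)}"
    return {"From": f"WordPress <{addr}>", "Return-Path": f"<{addr}>"}


ADDR_RE = re.compile(r"<?([^<>\s]+)@([^<>\s]+?)>?$")
RESET_LINK_RE = re.compile(r"https?://\S+wp-login\.php\?action=rp\S*")


def _domain_of(header_value):
    m = ADDR_RE.search(str(header_value or ""))
    return m.group(2).lower() if m else None


def check_reset_email(raw: str) -> list:
    """Flag a reset e-mail whose From/Return-Path domain does not match the
    host of the reset link in its body; returns a list of findings."""
    msg = email.message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    link = RESET_LINK_RE.search(body.get_content() if body else "")
    if not link:
        return ["no password-reset link found"]
    site_host = urlparse(link.group(0).rstrip(">")).hostname.lower()
    findings = []
    for h in ("From", "Return-Path"):
        dom = _domain_of(msg.get(h))
        if dom is None:
            findings.append(f"{h}: no address present")
        elif dom != site_host and not dom.endswith("." + site_host):
            findings.append(f"{h} domain {dom} does not match site host {site_host}")
    return findings


# Constructed sample in the shape of the e-mail quoted above; the sender
# domain differs from the site host, which is the condition to alert on.
SAMPLE_RESET_MAIL = """\
Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@other.example>
From: WordPress <wordpress@other.example>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Someone requested that the password be reset for the following account:

http://companyX-wp/wp/wordpress/
Username: admin

To reset your password, visit the following address:
<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=CONSTRUCTEDKEY&login=admin>
"""

if __name__ == "__main__":
    print(reset_mail_headers({"Host": "other.example"}))
    print(reset_mail_headers({"Host": "other.example"}, canonical_name="companyX-wp"))
    print(check_reset_email(SAMPLE_RESET_MAIL))
```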
Golunski has had his hands full finding vulnerabilities related to PHP-based email platforms. He discovered a remote code execution bug in SquirrelMail in January that was disclosed and quickly patched last month, and similar RCE bugs in PHPMailer and SwiftMailer, libraries used to send emails via PHP, at the end of 2016.

The post Unpatched WordPress Password Reset Vulnerability Lingers appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/unpatched-wordpress-password-reset-vulnerability-lingers/

Researchers had full control and were able to make unauthorised withdrawals

Updated: A firm that supplies security software for cash machines has updated its technology after researchers uncovered a number of serious shortcomings. Flaws in GMV’s Checker ATM Security technology created a means for hackers to remotely run malicious code on a targeted ATM. The CVE-2017-6968 vulnerability opened the door to all manner of mischief – including but not limited to the possibility of stealing money from a compromised device, according to researchers at Positive Technologies.

Checker ATM Security protects cash points by enforcing a wide range of restrictions: whitelisting with Application Control to block unauthorised applications, restricting attempts to connect peripheral devices such as a keyboard or mouse, limiting network connections using a firewall, and more. Positive Technologies was able to develop exploits that disable Checker ATM Security, allowing arbitrary code to then run on the ATM. The exploit relied on a combo punch: a man-in-the-middle to knock out crypto and a buffer overflow to plant a knockout blow.

“To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection,” said Georgy Zaytsev, a researcher with Positive Technologies.
“During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution. “This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorised money withdrawal.”

The developer confirmed the issue in Checker ATM Security versions 4.x and 5.x before providing a critical patch for the affected versions to all its customers worldwide, according to Positive Technologies. GMV is yet to respond to El Reg‘s request for comment on the matter.

Positive Technologies’ experts have previously identified a number of other issues in ATM protection software, including a dangerous vulnerability in McAfee Solidcore last year. Exploitation of that zero-day vulnerability (CVE-2016-8009) could cause execution of arbitrary code with System privileges, escalation of user privileges from Guest to System, or a crash of the ATM operating system.

Update: A spokesperson for GMV contacted The Reg to comment: “This vulnerability has been detected by Positive Technologies in their laboratories and until today we haven’t received any report about an attack in ATMs taking advantage of this vulnerability. “The possibility to exploit this bug is quite remote because: firstly, [it] requires access to the ATM network and if you have that kind of access it is easier to attack weaker objectives. “Secondly, the attack is difficult to be systematically exploited in an ATM network.
In order to exploit it, the attacker needs some memory addresses that are strongly dependent on the Windows kernel version; while on Windows XP systems it could theoretically be possible to take advantage of the vulnerability, on Windows 7 it is almost impossible because those memory addresses are different in every Windows installation.” GMV added that after the vulnerability was reported to it by Positive Technologies, its researchers were able to reproduce the attack, confirm the affected versions and develop a patch. The post ATM Security Devs Rush Out Patch After Boffins Deliver Knockout Blow appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/atm-security-devs-rush-out-patch-after-boffins-deliver-knockout-blow/

The BlackBerry KeyOne packs in productivity features and is worth a look if you’re in the market for a new phone. It’s the first time BlackBerry’s iconic keyboard has been paired with Android. The post The BlackBerry KeyOne – a surprising phone with a hardware keyboard appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/the-blackberry-keyone-a-surprising-phone-with-a-hardware-keyboard/

Computer security is science, yet it sure seems to traffic in enough beliefs to make it seem like a collection of warring cults. And no matter which infosec church you’re most swayed by, you’re probably one of the many who believe that Macs don’t get malware. Even if you’re not totally on board with this, chances are good you at least behave like Macs are immune. In fact, the number of malware attacks on Apple’s operating system skyrocketed by 744 percent in 2016. Despite this, most people still believe that Macs don’t get viruses. Add to this the fact that, despite the seeming ubiquity of Apple’s products, the company’s user base is still growing. There are nearly 100 million Apple users worldwide, myself included. (Image caption: Malware on Macs has increased dramatically.)
It makes sense that a large user base equals a larger target. To cybercrime rings, Apple users are a beggar’s banquet of trusting, sitting ducks. But McAfee Labs found something really interesting about the malware Mac users are ending up with. It’s coming from the other Mafia of nonconsensual tracking, recording, and surveilling innocent users: the ad industry. In the security firm’s most recent Threats Report, its researchers identified around 460,000 malware instances designed for MacOS in 2016. And they found that adware companies were behind most of them. (McAfee attributes the sharp increase in Q4 to the recent rise of “adware bundling” on Macs, where adware is bundled with things like Java for Mac and downloading services like SourceForge.) Adware is software that displays ads on your computer, collects marketing data about you (like what websites you visit), and can redirect your search requests to ad websites, among other things. Most adware is supposed to do this with your consent, though gaining consent is hazily defined these days—and it’s the nature of adware that users don’t typically know it’s on their computer because the files don’t readily appear in their system. Malicious adware operates without your consent, and in this context it’s considered a “Trojan spyware” kind of infection. (Image caption: Blame “adware bundling” on the recent spike.) I’d argue that adware and spyware are indistinguishable and both are equally harmful, though the online advertising industry would insist otherwise. Because, you know, what they’re doing isn’t technically illegal. Adware lands on your Mac by way of free software and your visits to tainted websites. An adware infection might appear in the form of an app you don’t remember installing, or weird activity when you browse the internet, such as pop-up windows going nuts telling you that you’ve been infected with a virus. You can clean your Mac with an app such as Malwarebytes Anti-Malware for Mac, or do it manually.
Using a robust ad blocker (like uBlock Origin) and enabling a pop-up blocker on whichever browser you use can serve as safeguards. (Image caption: An ad blocker is your best defense.) Infosec cultists can still gloat that Macs are generally safer, even if they’re not at a price point everyone can access. We still want our less tech-savvy friends and family using Apple products for security reasons. But Apple’s defenses clearly aren’t catching everything, and pretending like nothing can happen is going to harm more than it will help. Of the 630 million total instances of malware that McAfee found last year, only 460,000 of them were Mac. Still, there have been some grave attacks on Macs recently, like ransomware, password-stealers, infections that steal iPhone backups, and more. So yes, we need to kill the myth of the perfect, impenetrable Mac. Even if McAfee’s findings show that the amount of malware designed for Mac is still small(er) potatoes by comparison. We don’t need to worry that much. The post Mac malware: Coming soon to a computer near you appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/mac-malware-coming-soon-to-a-computer-near-you/

Google said it has disabled offending accounts involved in a widespread spree of phishing emails today impersonating Google Docs. The emails, at the outset, targeted journalists primarily and attempted to trick victims into granting the malicious application permission to access the user’s Google account. It’s unknown how many accounts were compromised, or whether other applications are also involved. Google advises caution in clicking on links in emails sharing Google Docs. The messages purport to be from a contact, including contacts known to the victim, wanting to share a Google Doc file.
Once the “Open in Docs” button is clicked, the victim is redirected to Google’s OAuth2 service and the user is prompted to allow the attacker’s malicious application, called “Google Docs,” below, to access their Google account and related services, including contacts, Gmail, Docs and more.
“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” a Google spokesperson told Threatpost. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.” OAuth is an authentication standard that allows a user to authorize third party applications access to an account. The attempt to steal OAuth tokens is a departure from traditional phishing attacks that target passwords primarily. Once the attacker has access to the victim’s account, the phishing message is sent along to the compromised contact list. “Considering how indiscriminate the targeting is, it doesn’t seem to be anything else but trying to exploit a weakness in how end users can be tricked into granting access to their Google accounts,” said Alvaro Hoyos, CISO at OneLogin. While this attack is likely the work of a spammer, nation-state attackers including APT28, aka Fancy Bear or Sofacy, have made use of this tactic. APT28 has been linked to last summer’s attacks attempting to influence the U.S. presidential elections. The group has long been targeting political entities, including NATO, and uses phishing emails, backdoors and data-stealing malware to conduct espionage campaigns against its targets. “I don’t believe they are behind this though because this is way too widespread,” said Jaime Blasco, chief scientist at AlienVault. “Many people and organizations have received similar attempts, so this is probably something massive and less targeted.” Bojan Zdrnja, a handler with the SANS Internet Storm Center, identified a number of domains involved, all with different TLDs for googledocs[.]g-docs[.]xxxx or googledocs[.]docscloud[.]xxxx.
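As an added example, not part of the original report or of any vendor's tooling, the following Python script turns the two host patterns identified by SANS ISC above into a check a defender can run over web-proxy logs. The log format and the sample lines are constructed for illustration; the "xxxx" placeholder on the page is treated as "any TLD".

```python
import re
from urllib.parse import urlsplit

# Host patterns reported by SANS ISC for this campaign: a "googledocs" label under
# "g-docs" or "docscloud", with the TLD varying. The "xxxx" placeholder on the page
# is taken to mean any trailing label(s), so anything after the second dot matches.
SUSPECT_HOST_RE = re.compile(r"^googledocs\.(g-docs|docscloud)\.[a-z0-9.-]+$")

def is_suspect_host(host: str) -> bool:
    """Match a hostname (defanged with [.] or not) against the campaign patterns."""
    normalized = host.strip().lower().replace("[.]", ".")
    return SUSPECT_HOST_RE.match(normalized) is not None

def parse_proxy_line(line: str):
    """Parse a constructed proxy log line: '<ts> <client_ip> <METHOD> <url> <status>'.
    Returns None for lines that do not fit the format or carry no hostname."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, _method, url, _status = parts[:5]
    host = urlsplit(url).hostname  # urlsplit lowercases the host for us
    if not host:
        return None
    return {"ts": ts, "client": client, "url": url, "host": host}

def find_suspect_requests(lines):
    """Return (client_ip, host) pairs whose destination matches a campaign host,
    preserving log order so the first contact per client is easy to see."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec and is_suspect_host(rec["host"]):
            hits.append((rec["client"], rec["host"]))
    return hits

# Constructed sample log lines (not real traffic). The two suspect hosts mirror the
# page's defanged patterns; the other two are legitimate Google endpoints.
SAMPLE_LOG = [
    "2017-05-03T14:02:11Z 10.0.0.12 GET https://docs.google.com/document/d/abc 200",
    "2017-05-03T14:02:15Z 10.0.0.12 GET https://googledocs.g-docs.example/oauth 302",
    "2017-05-03T14:03:40Z 10.0.0.27 GET https://GoogleDocs.docscloud.example/?u=me 200",
    "2017-05-03T14:04:02Z 10.0.0.31 GET https://accounts.google.com/o/oauth2/auth 200",
]

if __name__ == "__main__":
    for client, host in find_suspect_requests(SAMPLE_LOG):
        print(f"suspect OAuth-phishing destination: {client} -> {host}")
```

A hit only shows that a client fetched the lure page; whether the consent grant went through has to be confirmed in the user's authorized-apps list, which the article notes can be reviewed and revoked at myaccount.google.com.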
Many of those domains have been taken down; Google also quickly updated Safe Browsing and Gmail with warnings about the phishing emails and attempts to steal personal information. Anyone who allowed the malicious app access to their accounts can revoke those permissions at myaccount.google.com. “Google has a systemic issue,” said Eric Hodge of Cyber Scout. “Its OAUTH processes are subject to fakery and therefore phishing attacks. The question is will Google address the issue systemically (adding TLS certificate servers for individuals) or will they just try to address this particular attack?” The post Google Shuts Down Docs Phishing Spree appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/google-shuts-down-docs-phishing-spree/

China will start carrying out security checks of IT suppliers in the country, with the intent of keeping out internet products vulnerable to spying and hacking. The new rules, which take effect in June, mean that foreign vendors will face more scrutiny — including government-mandated background checks, and supply chain vetting — when selling IT products to China’s major business sectors. On Tuesday, the country’s Cyberspace Administration of China released the new rules, which call for the review of any important internet products and services that relate to the country’s security. The rules appear to be quite broad. IT vendors selling to China’s finance, telecommunication, energy, and transportation sectors — along with any other industry the government deems critical — must have their products undergo the security checks. Those checks will involve both third-party evaluators and government inspectors. They will also include product testing in labs, on-site examinations, and online monitoring. The checks are designed to look at whether a product can be controlled or disrupted through illegal means, and whether it can unlawfully store or collect data on users.
The government will also review how the products are manufactured, tested, and delivered. China didn’t give any technical details on how the security reviews will occur. But a key concern is whether foreign tech companies will need to hand over any sensitive intellectual property, such as a product’s source code. The rules released on Tuesday only state that third-party evaluators and other staff conducting the security checks must do so confidentially. Any information obtained about the products cannot be used for any other purposes. China has been talking about the need for IT product security checks since 2014, following several high-profile leaks from Edward Snowden that claimed the U.S. was secretly spying on the country’s schools and companies. However, trade groups are concerned Chinese action will push out foreign vendors from the market. The post China will attempt to keep IT products spy-free with security checks appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/china-will-attempt-to-keep-it-products-spy-free-with-security-checks/
Archives: May 2017