#LongevityTechnology
How to get Google to stop tracking your location for real
You might think you have turned off the search giant’s ability to learn your location, but there’s a good chance the company still knows where you are.

Some background: an Associated Press report out today revealed that Google applications can still collect location data even when you have the “Location History” feature turned off. Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to. An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so. Computer-science researchers at Princeton confirmed these findings at the AP’s request.

For the most part, Google is upfront about asking permission to use your location information. An app like Google Maps will remind you to allow access to location if you use it for navigating. If you agree to let it record your location over time, Google Maps will display that history for you in a “timeline” that maps out your daily movements. Storing your minute-by-minute travels carries privacy risks and has been used by police to determine the location of suspects, such as a warrant that police in Raleigh, North Carolina, served on Google last year to find devices near a murder scene. So the company lets you “pause” a setting called Location History. Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.” That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it.)
Stop it: If you want to rescind Google’s permission to monitor your phone’s location in any circumstances, you will need to turn off both “Location History” and “Web and App Activity.” To do this, follow these steps:

1. Open “Settings” on your Android device, or open the Google Maps app on your iOS device and go to “Settings”.
2. Search for “location” under “Data & personalization” on Android, or “Location settings” on iOS.
3. Turn off Location History for your account and/or your devices.
4. Visit the “Activity controls” page for your Google account.
5. Switch “Web and App Activity” off. This prevents information, including location data, from any of your devices from being saved to your account.

Turn it off or keep it on? Keeping location and data tracking on enables more features in Google, including automated commuting estimates and more ads related to your area. Turning it off helps protect your privacy and keeps more of your data for you, and you alone.

via How to get Google to stop tracking your location for real - MIT Technology Review
Cisco Patches Its Operating Systems Against New IKE Crypto Attack
Cisco, one of the world's largest vendors of networking equipment, released security updates today to patch a vulnerability in the IOS and IOS XE operating systems that run the vast majority of its devices. The vulnerability is tracked as CVE-2018-0131 and is one of four CVE identifiers for a new Bleichenbacher oracle cryptographic attack against the IKE (Internet Key Exchange) protocol.
Patches address new cryptographic attack
This new attack is described in a recently published research paper entitled "The Dangers of Key Reuse: Practical Attacks on IPsec IKE," set to be presented at the 27th USENIX Security Symposium later this week in Baltimore, USA. From the paper's abstract: "In this paper, we show that reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE." Researchers say their attack works against the IKEv1 implementations of Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129). The research team, made up of three academics from the Ruhr-University Bochum, Germany and two from the University of Opole, Poland, say they notified vendors that had products vulnerable to this attack. "All vendors published fixes or removed the particular authentication method from their devices’ firmwares in response to our reports," the researchers said.
Cisco IOS and IOS XE affected, but not IOS XR
Cisco was by far the biggest vendor affected by this flaw, and the hardest hit. CVE-2018-0131 affects the company's main product, the IOS (Internetworking Operating System), and its Linux-based offshoot, IOS XE. The IOS XR operating system, which runs on a different codebase and is used mainly for carrier-grade routers, is not affected. Cisco released patches today for both OSes. The company says that any IOS and IOS XE device that's configured with the "authentication rsa-encr" option is vulnerable.
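Because the advisory ties exposure to a single configuration option, the quickest triage step for an administrator is to check which ISAKMP policies in a running-config actually select it. The following Python helper is an added example, not code from Cisco or from the research paper: it parses an IOS-style `crypto isakmp policy` block structure from a config dump and reports the policy numbers whose authentication method is `rsa-encr`. The sample configuration, its policy numbers, the peer address and the `EXAMPLE-PSK` placeholder are constructed for illustration and are not from the advisory.

```python
import re

# Constructed sample of a `show running-config` excerpt (not from the advisory).
# Policy 10 uses the RSA-encrypted-nonce method the advisory names; policy 20 does not.
SAMPLE_CONFIG = """\
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-encr
 group 14
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key 0 EXAMPLE-PSK address 203.0.113.10
"""

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")


def parse_isakmp_policies(config_text):
    """Return {policy_number: {keyword: value}} built from the indented lines
    under each `crypto isakmp policy N` header. Any unindented line (including
    the `!` separator IOS emits) closes the current block."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        m = POLICY_RE.match(raw)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is not None and raw.startswith(" "):
            parts = raw.strip().split(None, 1)
            if parts:
                policies[current][parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current = None
    return policies


def find_rsa_encr_policies(config_text):
    """Policy numbers whose authentication keyword is exactly `rsa-encr`,
    the condition the advisory says makes an IOS / IOS XE device affected."""
    policies = parse_isakmp_policies(config_text)
    return sorted(n for n, kv in policies.items()
                  if kv.get("authentication") == "rsa-encr")


if __name__ == "__main__":
    flagged = find_rsa_encr_policies(SAMPLE_CONFIG)
    for n in flagged:
        print(f"policy {n}: authentication rsa-encr (affected per CVE-2018-0131 advisory)")
    if not flagged:
        print("no ISAKMP policy uses rsa-encr")
```

The parser is deliberately strict about the keyword: a policy that omits the `authentication` line is not reported, because the page does not state what the default method is, and guessing it would produce false negatives or positives in an audit.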
Attackers can recover VPN sessions
According to Cisco, this flaw "could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session." "The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces," Cisco said in a security advisory. An attacker able to recover IKEv1 nonces can recover data sent via IPsec, the protocol at the base of most VPN traffic. With this in mind, applying the Cisco patches is highly recommended.

via Cisco Patches Its Operating Systems Against New IKE Crypto Attack
HIPAA Rules for Disposing of Electronic Devices and Media
In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media. Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner. HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes. Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI. If electronic devices are not disposed of securely and a data breach occurs, the costs to a healthcare organization can be considerable. Patients must be notified, it may be appropriate to pay for credit monitoring and identity theft protection services, and third-party breach response consultants, forensic investigators, and public relations consultants may need to be hired. OCR and/or state attorneys general may conduct investigations and substantial financial penalties may be applied. Breach victims may also file lawsuits over the exposure of their financial information. The costs all add up. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute/IBM Security highlighted the high cost of data breaches, in particular healthcare data breaches. The average cost of a breach of up to 100,000 records was determined to be $3.86 million.
Healthcare data breaches cost an average of $408 per exposed record to mitigate, while the cost of data breaches of one million or more records was estimated to be between $40 million and $350 million. It is not possible to ensure that all ePHI is disposed of securely if an organization does not know all systems and devices where PHI is stored. A full inventory of all equipment that stores ePHI must be created and maintained. When new equipment is purchased the list must be updated. A full risk analysis should be conducted to determine the most appropriate ways to protect data stored on electronic devices and media when they reach the end of their lifespan. Organizations must develop a data disposal plan that meets the requirements of 45 C.F.R. §164.310(d)(2)(i)-(ii). Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. OCR notes that “Redaction is specifically excluded as a means of data destruction.” Electronic devices should be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” to ensure that ePHI cannot be retrieved. If reusable media are in use, it is important to ensure that all data on the devices are securely erased prior to the devices being reused. Before electronic devices are scrapped or disposed of, asset tags and corporate identifying marks should be removed. Third party contractors can be used to dispose of electronic devices, although they would be considered business associates and a business associate agreement would need to be in place. All individuals required to handle the devices must be aware of their responsibilities with respect to ePHI and its safe handling and should be subjected to workforce clearance processes. Organizations should also consider the chain of custody of electronic equipment prior to destruction. 
Physical security controls should be put in place to ensure the devices cannot be stolen or accessed by unauthorized individuals, and security controls should cover the transport of those devices until all data has been destroyed and is no longer considered ePHI.

via OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media
Patrick Wardle on Breaking and Bypassing MacOS Firewalls
A Black Hat talk demonstrates the ease of poking holes in firewalls: how to break, bypass and dismantle macOS firewall products.

Taking aim at the status quo of macOS firewalls, researcher Patrick Wardle has made his case for Apple and third-party security firms to beef up their protections. At a session here at Black Hat 2018, Wardle, chief research officer at Digita Security and founder of Mac security company Objective-See, showed how easy it is to break, bypass and dismantle macOS firewall products. For starters, Wardle pointed out that while macOS does have a built-in firewall, its effectiveness is limited because it only blocks and monitors incoming connections; there’s no processing of outgoing connections. “That means if a piece of malware does get on your system in some way, even if your Mac firewall is on, it’s not going to filter or block that (outbound) connection,” Wardle said. Those shortcomings put the spotlight on third-party macOS firewall solutions. But, even with those, Wardle uncovered problems. During his talk, Wardle showed that it’s fairly trivial to bypass these firewall products. In a test of top third-party macOS firewall products, he found that some simply “look for” the name of the whitelisted process. And if the process is recognized (and appears legitimate) the firewall lets the connection through. “Basically, you could just name your malware the same name of the process,” he said. “The firewall isn’t even looking at the path, just the name.” In more worrisome findings, other firewalls simply check what domains a process is reaching out to. He points out that an attacker could easily host malicious software or plant a C2 hub on an iCloud domain in order to trick the firewall. “An attacker could easily exfiltrate data to an iDrive account,” Wardle said.
“A firewall would see this traffic and allow it because they fully trust that domain.” Other bypass techniques for adversaries (when they already have a foothold on a system) include piggybacking on trusted application traffic. “Today our computers are so connected, that invariably there’s going to be some traffic that’s basically going to be allowed out – even if the firewall is set to be very restrictive,” he said. That creates an opportunity for an attacker to passively monitor what traffic is allowed by the firewall. “From that it can intelligently choose a variety of ways to surreptitiously utilize either those same trusted protocols for the same trusted processes to piggyback off them,” he said. Examples include using the trusted DNS protocol in DNS tunneling attacks. On macOS, DNS requests are handled by a core Apple-trusted system daemon. So if malware (or a third-party application) tries to resolve a DNS name, that request is routed through the core Apple daemon on the application's behalf, he said. “So if there’s a firewall sitting there, it’s going to see that request going through and say, ‘Hey, this is a DNS request from the daemon, I have to let it go through,'” he explained. “Such bypasses could be easily added to existing macOS malware to allow to perform undetected bi-directional network communications – even on systems protected by firewall products.” Wardle said he’s not trying to pick on firewall-makers, but rather, he’s pointing out their limitations and breaking any preconceived notion that they’re a panacea when it comes to fighting off malware. “You need to know your limitations with any product. You’re not going to buy a car and expect it to fly,” he said. He also pointed out that macOS firewalls are several paces behind their Windows counterparts. Windows firewalls are more mature mainly because they have been a bigger target for attackers for so long, he said.
Wardle said he wasn’t aware of any publicly available Mac malware that has any firewall bypasses in it; however, “I would confidently say that advanced adversaries that are developing persistent Mac implants know they are going to have no problem passing these products,” he said. In an effort to encourage development of better host-based macOS firewall products, Wardle released the open-source LuLu firewall earlier this year. The code is hosted on GitHub and he hopes it will serve as a starting point for more robust macOS firewalls in the future.

via Patrick Wardle on Breaking and Bypassing MacOS Firewalls | The first stop for security news | Threatpost
WhatsApp flaw lets hackers intercept and manipulate messages
WhatsApp users have been warned to be vigilant against a new security flaw that could allow outsiders to intercept and alter messages. Researchers from security firm Check Point found that hackers could take advantage of a vulnerability in WhatsApp's security protocols to change the content of a message. Such a tactic could be used to spread fake news stories across the world, Check Point warns.

WhatsApp fake news flaw

WhatsApp has over 1.5 billion users worldwide, with over 65 billion messages sent every day, providing a huge potential attack vector for criminals looking to take advantage of this flaw. The vulnerability concerns WhatsApp's encryption process, which is meant to protect every message, picture, call, video or other content sent in chats. However, once decrypted, the Check Point team realised that the protocols being used by WhatsApp could be converted and accessed, allowing them to see exactly what rules were being used, and also to change them to their liking. This could allow hackers to alter the text of someone else’s reply to a group chat, essentially putting words in their mouth, or use the ‘quote’ feature in a group conversation to change the identity of the sender. Hackers could also send a private message to another group participant disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation. Check Point, which says it has alerted WhatsApp to the flaw, is urging users to be vigilant around the content of their messages, noting that, "if something sounds too good to be true, it usually is."

via WhatsApp flaw lets hackers intercept and manipulate messages | TechRadar
Snapchat Hack — Hacker Leaked Snapchat Source Code On GitHub
The source code of the popular social media app Snapchat recently surfaced online after a hacker leaked and posted it on the Microsoft-owned code repository GitHub. A GitHub account under the name Khaled Alshehri with the handle i5xx, who claimed to be from Pakistan, created a GitHub repository called Source-Snapchat with the description "Source Code for SnapChat," publishing the code of what purported to be Snapchat's iOS app. The underlying code could potentially expose the company's extremely confidential information, like the entire design of the hugely successful messaging app, how the app works and what future features are planned for the app. Snapchat's parent company, Snap Inc., responded to the leaked source code by filing a takedown request under the Digital Millennium Copyright Act (DMCA), which led to the removal of the online repository hosting the Snapchat source code.
SnapChat Hack: GitHub Took Down Repository After DMCA Notice
Though it is not clear precisely what secret information the leaked SnapChat source code contained, the company's panic can be seen in the DMCA request (written in all-caps), which suggests the contents of the repository were legitimate. "I AM AT SNAP INC., OWNER OF THE LEAKED SOURCE CODE," a reply from a Snap employee, whose name is redacted, on the DMCA notice reads. When asked "Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online," the Snap employee responded: "SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN'T PUBLISH IT PUBLICLY." "WE WOULD APPRECIATE YOU TAKE DOWN THE WHOLE THING." Snap told several online news outlets that an iOS update in May exposed a "small amount" of its iOS source code. Although the company identified and rectified the mistake immediately, it discovered that some of the exposed source code had been posted online. However, Snap did confirm that the code has since been removed and that the event did not compromise its application and had no impact on its community.
Pakistani Hacker Threatens to Re-Upload Snapchat's Source Code
It appears that the online user behind the source code leak created the GitHub account with the sole purpose of sharing the Snapchat source code, as nothing else was posted on the account before or after the Snapchat leak. Moreover, some posts on Twitter by at least two individuals (one based in Pakistan and another in France) who appear to be behind the i5xx GitHub account suggest that they tried contacting Snapchat about the source code and expected a bug bounty reward. When they did not get any response from the company, the account threatened to re-upload the source code until they got a reply from Snapchat. The Snapchat source code has now been taken down by GitHub after the DMCA request, and will not be restored unless the original publisher comes up with a legal counterclaim proving he/she is the owner of the source code. However, this does not rectify the issue completely. Since the Snapchat source code is still in the hands of outsiders, they could re-publish it on other online forums, or could use it for individual profit.

via Snapchat Hack — Hacker Leaked Snapchat Source Code On GitHub
New Windows 10 Mail App Update Lets You Draw Your Emails
Microsoft has just started rolling out a new update for the Windows 10 Mail app that adds the highly anticipated inking feature. This feature was previously being tested in Windows Insider builds, but Microsoft has now added inking support to the default Mail app in Windows 10 for everyone, allowing users to draw and write on their email messages with a variety of tools. The latest version of the Windows 10 Mail app is 16005.10325.20091.0 and it began rolling out sometime last week. The inking capabilities in the Mail app should show up on all devices, including the ones running Windows 10 April 2018 Update. You can find the official changelog below:

- Insert a Drawing Canvas from the ribbon anywhere in your email to add a sketch.
- Annotate any picture by drawing on or next to it.
- Use ink effects like galaxy, rainbow, and rose gold colored pens.

Microsoft explains that you can take notes on pictures or add a drawing using a pen or your finger. To get started, compose a new mail and go to the Draw tab in the ribbon. "This feature works best with any pen that supports Windows Ink. No pen? No problem. Just choose Draw with Touch in the Draw tab of the ribbon to start using ink with your finger," Microsoft explains.

via New Windows 10 Mail App Update Lets You Draw Your Emails
Let's Encrypt Root Trusted By All Major Root Programs
Let's Encrypt announced yesterday that they are now directly trusted by all major root certificate programs, including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems. While Let's Encrypt was already trusted by almost all browsers, that trust came through intermediate certificates that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it allowed Let's Encrypt to be trusted as well. With Let's Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let's Encrypt users will still be able to function properly. Before anyone says this could never happen, just remember what happened with the Symantec certs being untrusted by Google and Mozilla. Unfortunately, while this news benefits newer browsers and operating systems, older versions will still not directly trust Let's Encrypt. Due to this, Let's Encrypt certificates will continue to be cross-signed by IdenTrust so they can continue to work on older products. "While Let’s Encrypt is now directly trusted by almost all newer versions of operating systems, browsers, and devices, there are still many older versions in the world that do not directly trust Let’s Encrypt," stated the announcement by Let's Encrypt. "Some of those older systems will eventually be updated to trust Let’s Encrypt directly. Some will not, and we’ll need to wait for the vast majority of those to cycle out of the Web ecosystem. We expect this will take at least five more years, so we plan to use a cross signature until then." For users of Let's Encrypt, there is nothing you need to do. Any sites that use Let's Encrypt certificates will continue working as normal.

via Let's Encrypt Root Trusted By All Major Root Programs - Let's Encrypt - Free SSL/TLS Certificates
Linux kernel bug: TCP flaw lets remote attackers stall devices with tiny DoS attack
Security researchers are warning Linux system users of a bug in Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)". It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port. Because of this requirement, the attacks can't be performed with spoofed IP addresses, notes CERT/CC's Trent Novelly. The bug, which has the identifier CVE-2018-5390, has been dubbed 'SegmentSmack' by Red Hat. The "expensive" TCP calls cause the CPU to become saturated on the affected system, in turn creating the DoS condition. An attacker could do this "with a relatively small bandwidth of the incoming network traffic", notes enterprise Linux distribution maker Red Hat. "In a worst-case scenario, an attacker can stall an affected host or device with less than 2kpps of an attack traffic," explains the software company. "A result of the attack with four streams can look like a complete saturation of four CPU cores and delays in a network packets processing," it adds in its advisory.
It has confirmed that affected Red Hat systems include those running RHEL 6 and 7, RHEL 7 for Real Time, RHEL 7 for ARM64 systems, RHEL 7 for IBM POWER systems, and RHEL Atomic Host. Unfortunately for admins, there's "no effective workaround/mitigation besides a fixed kernel is known at this time", according to Red Hat. The bug was found by Juha-Matti Tilli of a Nokia Bell Labs-supported networking department at Finland's Aalto University, where Finnish-born Linux kernel founder Linus Torvalds famously gave his own version of a SegmentSmack to Nvidia for not supporting Linux with its Optimus technology.

via Linux kernel bug: TCP flaw lets remote attackers stall devices with tiny DoS attack | ZDNet
Introducing Kit Hunter, a phishing kit detection script
Kit Hunter, a basic Python script written by host Steve Ragan, searches on common tag elements to find hidden phishing kits on a web server. Today's post is a bit different, personal really. Over the last few months, I've attempted to learn something new, and I selected Python to be that thing. It's a slow process. So, what's my point? Well, here lately I've released a number of videos where I show phishing kits from the victim's, as well as the administrator's perspective. They're a useful awareness guide, and for some administrators, an interesting look into the kit's operation. I've gotten some really solid feedback on them, and I plan to keep doing them. However, something was missing. In each video, I've stated how important it is for administrators to detect these kits as quickly as possible. So, since I was already learning Python, I thought it would be neat to code something that would help administrators search their web servers for phishing kits, because the quicker they can be detected, the less of a problem they are in the long term. It wasn't an easy process, and I had a lot of help, but Kit Hunter works as expected. Better than expected really. It caught the kits I tested it with, and then other kits that were not part of the sample set. I'm pleased by the results and excited to share the code.
What is Kit Hunter?
Kit Hunter is a basic Python script that will run on Linux and Windows (works fine on Mac too). It was tested on Python 2.7, but there are some kinks to work out before it will run on the 3.x branch. That's my next project to tackle.
What does Kit Hunter do?
When you run Kit Hunter it searches web directories for phishing kits based on common kit elements located in the tags file. These elements are phishing kit mechanics (e.g. geolocation scripts); branding (e.g. script author names, crew names, or kit names); and security (e.g. block lists, bounce commands, and obfuscation techniques). The tags file is already populated with several common markers. Kit Hunter will search all the folders and sub-folders for .txt, .php, .htm, .html, .dat, and .htaccess files, and compare the contents of those files with the tags list. If there is a match, it logs the results. These file types were chosen because they are commonly used in most of the phishing kits we've seen over the last year or so. However, Kit Hunter will be an ongoing project, so as things change, the code will be adjusted to deal with it. The log itself is the most interesting aspect of the script. It has context. The log is split into blocks, and each tag will generate a block if there is a match. The results are then grouped by directory location and file. So, if a tag is found in multiple folders and files, they're all going to appear in the block. Finally, the block will show the exact line of code where the tag was discovered, so you can see at a glance if something is suspicious. Thing is, if you get a hit, it is certainly worth spending a few seconds investigating. So that's it for show and tell. If you want to play with Kit Hunter, it's available now on my GitHub. https://github.com/SteveD3

via Introducing Kit Hunter, a phishing kit detection script | Salted Hash, Ep. 40 | CSO Online
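The scan-and-log flow described above, as an added example that is not Kit Hunter's own code: a small Python scanner that walks a web root, inspects only the file types the post lists, compares every line against a tag list, and groups hits by tag, then directory, then file, with the matching line, the way the post describes the log. The tag strings and the sample web root it builds in a temporary directory (a benign index page, a note in an unscanned file type, and a fake kit under a hidden folder) are constructed for illustration and are not the real Kit Hunter tags file.

```python
import os
import tempfile
from collections import defaultdict

# Constructed tag list standing in for Kit Hunter's tags file. These are
# illustrative markers only; the real tags file is maintained by the project.
TAGS = [
    "ip-api.com/json",   # geolocation lookup (kit mechanics)
    "bots.txt",          # crawler block list (kit "security")
    "base64_decode(",    # obfuscated payload indicator
]

# File types the post says Kit Hunter inspects; '.htaccess' has no stem,
# so a plain suffix check is used instead of os.path.splitext.
SCAN_EXTENSIONS = (".txt", ".php", ".htm", ".html", ".dat", ".htaccess")


def wants_file(name):
    return name.endswith(SCAN_EXTENSIONS)


def scan_tree(root, tags=TAGS):
    """Walk root recursively and return {tag: {rel_dir: {file: [(lineno, line), ...]}}}.
    Nested dicts keep the grouping the post describes: one block per tag,
    then directory, then file, then the exact line that matched."""
    hits = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not wants_file(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, start=1):
                        for tag in tags:
                            if tag in line:
                                rel_dir = os.path.relpath(dirpath, root)
                                hits[tag][rel_dir][name].append((lineno, line.rstrip("\n")))
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
    return {t: {d: dict(f) for d, f in dirs.items()} for t, dirs in hits.items()}


def format_log(hits):
    """Render the nested hits as one block per tag, grouped by directory and file."""
    out = []
    for tag in sorted(hits):
        out.append(f"=== tag: {tag} ===")
        for rel_dir in sorted(hits[tag]):
            out.append(f"  directory: {rel_dir}")
            for name in sorted(hits[tag][rel_dir]):
                out.append(f"    file: {name}")
                for lineno, line in hits[tag][rel_dir][name]:
                    out.append(f"      line {lineno}: {line}")
    return "\n".join(out)


def build_sample_webroot():
    """Constructed sample web root (hypothetical content, built in a temp dir)."""
    root = tempfile.mkdtemp(prefix="kithunt_")
    os.makedirs(os.path.join(root, ".well-known", "login"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Welcome</body></html>\n")
    with open(os.path.join(root, "notes.md"), "w") as fh:  # .md is not scanned
        fh.write("base64_decode( mentioned in a file type we do not scan\n")
    with open(os.path.join(root, ".well-known", "login", "post.php"), "w") as fh:
        fh.write("<?php\n"
                 "$geo = file_get_contents('http://ip-api.com/json/'.$ip);\n"
                 "eval(base64_decode($payload));\n")
    with open(os.path.join(root, ".well-known", "login", ".htaccess"), "w") as fh:
        fh.write("# deny scanners\nRewriteMap bots txt:bots.txt\n")
    return root


if __name__ == "__main__":
    print(format_log(scan_tree(build_sample_webroot())))
```

Matching is a plain substring test per line, which is what makes the grouped log useful for triage: every hit carries the line that triggered it, so an administrator can tell a benign mention from a real kit marker in a few seconds, as the post suggests.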
In a throwback to the ’90s, NTFS bug lets anyone hang or crash Windows 7, 8.1
Those of you with long memories might remember one of the more amusing (or perhaps annoying) bugs of the Windows 95 and 98 era: certain specially crafted filenames could make the operating system crash. Malicious users could use this to attack other people's machines by using one of the special filenames as an image source; the browser would try to access the bad file, and Windows would promptly fall over. It turns out that Windows 7 and 8.1 (and Windows Vista, but that's out of support anyway) have a similar kind of bug. They can be taken advantage of in the same kind of way: certain bad filenames make the system lock up or occasionally crash with a blue screen of death, and malicious webpages can embed those filenames by using them as image sources. If you visit such a page (in any browser), your PC will hang shortly after and possibly crash outright. The Windows 9x-era bug was due to an error in the way those operating systems handled special filenames. Windows has a number of filenames that are "special" because they don't correspond to any actual file; instead, they represent hardware devices. These special filenames can be accessed from any location in the file system, even though they don't exist on-disk. While any of these special filenames would have worked, the most common one used to crash old Windows machines was con, a special filename that represents the physical console: the keyboard (for input) and the screen (for output). Windows correctly handled simple attempts to access the con device, but if a filename included two references to the special device, for example c:\con\con, then Windows would crash. If that file was referenced from a webpage, for example by trying to load an image from file:///c:/con/con, then the machine would crash whenever the malicious page was accessed. The new bug, which fortunately doesn't appear to afflict Windows 10, uses another special filename. This time around, the special filename of choice is $MFT.
$MFT is the name given to one of the special metadata files that are used by Windows' NTFS filesystem. The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways, and it's hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it were a directory name—for example, trying to open the file c:\$MFT\123—then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock to be released.Forever. This blocks any and all other attempts to access the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted. As was the case nearly 20 years ago, webpages that use the bad filename in, for example, an image source will provoke the bug and make the machine stop responding. Depending on what the machine is doing concurrently, it will sometimes blue screen. Either way, you're going to need to reboot it to recover. Some browsers will block attempts to access these local resources, but Internet Explorer, for example, will merrily try to access the bad file. We couldn't immediately cause the same thing to occur remotely (for example, by sending IIS a request for a bad filename), but it wouldn't immediately surprise us if certain configurations or trickery were enough to cause the same problem. Microsoft has been informed, but at the time of publication has not told us when or if the problem will be patched. via In a throwback to the ’90s, NTFS bug lets anyone hang or crash Windows 7, 8.1 | Ars Technica Read the full article
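Software that opens user-controlled paths on Windows (a local web server, an upload handler, a thumbnail generator) can refuse the reserved names before they ever reach the NTFS driver. The validator below is an added example written for this post, not code from Ars Technica or Microsoft: it checks every path component against the NTFS metafile names and the legacy DOS device names, which is deliberately stricter than the directory-position trigger the post describes. The accepted input forms (file:/// URLs, drive-letter paths, relative paths) and the triage helper are assumptions made for the demonstration.

```python
"""Path-component validator for software that opens user-supplied paths on Windows.

Added example for this post, not code from Ars Technica or Microsoft. It rejects
path components that name NTFS metafiles ($MFT and friends) or legacy DOS devices
(con, nul, ...). The set contents are well-known reserved names; the path forms
accepted (URL, drive-letter, relative) are assumptions for the demonstration.
"""
import re
from typing import List, Optional, Tuple

# NTFS metafiles that live in the root of every NTFS volume.
NTFS_METAFILES = {
    "$MFT", "$MFTMIRR", "$LOGFILE", "$VOLUME", "$ATTRDEF", "$BITMAP",
    "$BOOT", "$BADCLUS", "$SECURE", "$UPCASE", "$EXTEND",
}

# Legacy DOS device names; Windows resolves these from any directory.
DOS_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def reserved_component(component: str) -> Optional[str]:
    """Return why a single path component is reserved, or None if it is fine."""
    # Windows silently strips trailing dots and spaces, so "con." still hits CON.
    name = component.strip().rstrip(". ")
    if not name:
        return None
    upper = name.upper()
    if upper in NTFS_METAFILES:
        return f"NTFS metafile name: {name}"
    # Device names match on the stem: "con.txt" also opens the console device.
    stem = upper.split(".", 1)[0]
    if stem in DOS_DEVICES:
        return f"DOS device name: {name}"
    return None


def check_path(path: str) -> Optional[str]:
    """Return a rejection reason for the first reserved component in path, else None.

    Accepts plain Windows paths with forward or back slashes, and file:/// URLs.
    """
    text = path.strip()
    if text.lower().startswith("file:///"):
        text = text[len("file:///"):]
    # Drop a leading drive specifier such as "c:" so "c:$MFT" is still inspected.
    text = re.sub(r"^[A-Za-z]:", "", text)
    for component in re.split(r"[\\/]+", text):
        reason = reserved_component(component)
        if reason is not None:
            return reason
    return None


def triage(paths: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a batch of candidate paths into (accepted, [(rejected, reason), ...])."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for p in paths:
        reason = check_path(p)
        if reason is None:
            accepted.append(p)
        else:
            rejected.append((p, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: the two forms quoted in the post plus ordinary paths.
    sample = [
        r"c:\$MFT\123",
        "file:///c:/con/con",
        "images/logo.png",
        "uploads/con.txt",
        r"c:\Users\alice\report.pdf",
    ]
    ok, bad = triage(sample)
    print("accepted:", ok)
    for path, why in bad:
        print(f"rejected {path!r}: {why}")
```

This is an application-level mitigation for code that hands untrusted names to the file system; it does not change the driver's behaviour, so a vendor patch remains the real remedy for the hang itself.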
Ramnit Changes Shape with Widespread Black Botnet
A massive proxy botnet is just the tip of the iceberg, a warning sign of a bigger operation in the works by the Ramnit operators.

The recently uncovered “Black” botnet campaign using the Ramnit malware racked up 100,000 infections in the two months through July, but the offensive could just be a precursor to a much larger attack coming down the pike, according to researchers, thanks to a second-stage malware called Ngioweb.

Check Point Research said that the actors behind the Black botnet are mainly working on creating a network of malicious proxy servers: infected machines that together operate as a highly centralized botnet, “though its architecture implies division into independent botnets.”

In the Black operation, Ramnit malware, which is likely being distributed via spam campaigns, according to Check Point, is merely a first-stage malware. Ramnit has extensive information exfiltration capabilities stemming from its heritage as a banking trojan, but it also backdoors infected machines. In this case, it sets up a path for a malware called Ngioweb, marking a new chapter for the venerable old code, first seen in 2010.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” Check Point researchers explained in an analysis of the campaign posted on Sunday. “The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”

The concern is that between the two malware families, the operators are building a large, multi-purpose proxy botnet that could be marshalled into action for any number of nefarious purposes, from spreading cryptomining, ransomware or other malware to DDoS and information exfiltration.

“This massive new campaign may actually be used for many things, but our current belief is that this is just the tip of the iceberg and this is a warning sign of a bigger operation that the Ramnit operators are cooking for us,” said the researchers.

A Complex Proxy Approach

Ngioweb can operate as both a regular back-connect proxy and a relay proxy. In its former guise, it can offer a remote user a connection to the infected host, or it can access internal resources on the infected machine’s local network. As a relay proxy, it ups the firepower of the operation by allowing the perpetrators to build chains of proxies, thus making it difficult to trace their activities. It’s a perfect cover for creating nefarious hidden services that can’t be tracked down.

To build a hidden service using the Ngioweb botnet, the malware actor first publishes the address of a victim machine in a public channel like DNS; a second victim machine then resolves the address of the first one, thus connecting to it. The first infected machine then creates a new connection to the server and works as a relay between that server and the second infected host. This can go on ad infinitum, with complex daily chains spiraling out from the command and control server (C2).

“According to domain names which are resolved to the IP address of the , it pretends to control even old bots, first seen back in 2015,” researchers said. “The architecture of the botnet does not allow for determining if the address provided by belongs to the attacker or simply to another bot.”

Interestingly, Ngioweb uses a two-stage C2 infrastructure: an unencrypted HTTP connection hooks the malware up with the mother ship by informing it that it’s ready to go; from there, an encrypted channel is used for controlling the malware.

Also of note, the C2 server does not upload additional modules; instead, some (like FTPServer and WebInjects) are embedded within one package with Ramnit, according to Check Point.

Ramnit Bounces Back

The Black botnet is yet another evolution of the Ramnit trojan. It emerged in 2010 in the more simplistic form of a self-replicating worm. But in 2011 Ramnit made use of the leak of the Zeus banking trojan’s source code to morph into a banking trojan. Originally used to steal banking credentials, it over the years widened its focus to include lifting passwords for social networking accounts, FTP log-ins and more. Meanwhile, its authors enhanced not only the evasion techniques protecting the malware, but also management of bots, such as encryption routines that would not set off triggers in security software. It even added mule recruitment to the mix.

Ramnit soon became a favorite among thieves dabbling in financial fraud because of the frequent updates, and by 2015 had infected more than 3.2 million Windows computers. Unsurprisingly, it attracted the scrutiny of law enforcement, and in 2015 Europol and several private technology companies announced the takedown of the C2 infrastructure supporting the Ramnit botnet. The defenders redirected traffic from 300 domains used by Ramnit to domains controlled by authorities.

The celebration didn’t last long. Ramnit was back by 2016. IBM X-Force researchers reported that the Ramnit trojan had relaunched, targeting customers of six major banks in the U.K. Ramnit’s operators had set up two new live attack servers and a new C2 server, and were essentially back in business, using the same internal payload, architecture and encryption algorithms, according to IBM. It was, however, updated with a spy module, “designed to hook the browser, monitoring URL access, enabling data theft in real time and displaying web injections to the victims,” IBM noted. It also had new attack schemes built for real-time fraud attacks targeting online banking sessions.

via Ramnit Changes Shape with Widespread Black Botnet | The first stop for security news | Threatpost
BGP hijacking attacks target payment systems
Researchers discovered BGP hijacking attacks targeting payment processing systems and using new tricks to maximize the attackers' hold on DNS servers.

Doug Madory, director of internet analysis at Oracle Dyn, previously saw border gateway protocol (BGP) hijacking attacks in April 2018 and has seen them continue through July. The first attack targeted an Amazon DNS server in order to lure victims to a malicious site and steal cryptocurrency, but more recent attacks targeted a wider range of U.S. payment services.

"As in the Amazon case, these more recent BGP hijacks enabled imposter DNS servers to return forged DNS responses, misdirecting unsuspecting users to malicious sites. By using long TTL values in the forged responses, recursive DNS servers held these bogus DNS entries in their caches long after the BGP hijack had disappeared -- maximizing the duration of the attack," Madory wrote in a blog post. "The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped."

Madory detailed attacks on telecom companies in Indonesia and Malaysia as well as BGP hijacking attacks on U.S. credit card and payment processing services, the latter of which lasted anywhere from a few minutes to almost three hours. While the payment services attacks featured similar techniques to the Amazon DNS server attack, it's unclear if the same threat actors are behind them.

Justin Jett, director of audit and compliance for Plixer, said BGP hijacking attacks are "extremely dangerous because they don't require the attacker to break into the machines of those they want to steal from."

"Instead, they poison the DNS cache at the resolver level, which can then be used to deceive the users. When a DNS resolver's cache is poisoned with invalid information, it can take a long time post-attacked to clear the problem. This is because of how DNS TTL works," Jett wrote via email. "As Oracle Dyn mentioned, the TTL of the forged response was set to about five days. This means that once the response has been cached, it will take about five days before it will even check for the updated record, and therefore is how long the problem will remain, even once the BGP hijack has been resolved."

Madory was not optimistic about what these BGP hijacking attacks might portend because of how fundamental BGP is to the structure of the internet. "If previous hijacks were shots across the bow, these incidents show the internet infrastructure is now taking direct hits," Madory wrote. "Unfortunately, there is no reason not to expect to see more of these types of attacks against the internet."

Matt Chiodi, vice president of cloud security at RedLock, was equally worried and warned that these BGP hijacking attacks should be taken as a warning. "BGP and DNS are the silent warriors of the internet and these attacks are extremely serious because nearly all other internet services assume they are secure. Billions of users rely on these mostly invisible services to accomplish everything from Facebook to banking," Chiodi wrote via email. "Unfortunately, mitigating BGP and DNS-based attacks is extremely difficult given the trust-based nature of both systems."

via BGP hijacking attacks target payment systems
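The TTL mechanics Madory and Jett describe are easy to see in a few lines. The simulation below is an added example for this post, not Oracle Dyn's or Plixer's code or data: it models a recursive resolver's positive cache, replays a constructed hijack window during which a forged answer carries a five-day TTL, and shows the bogus address still being served a day after the hijack has ended. It also includes the check a resolver operator could run over observed answers, flagging any TTL more than a fixed multiple above the zone's known baseline. The multiple, the timeline, the hostname and the addresses (RFC 5737 documentation ranges) are all assumptions made for the demonstration.

```python
"""Resolver-cache simulation plus a TTL sanity check for DNS answers.

Added example for this post; not Oracle Dyn's or Plixer's tooling or data. The
timeline, hostname and addresses below are constructed (RFC 5737 documentation
ranges), and the baseline-multiple detection threshold is an assumed policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NORMAL_TTL = 600          # the post's normal TTL for the targeted domains (10 minutes)
FORGED_TTL = 5 * 86_400   # "about five days", as quoted from Plixer


@dataclass(frozen=True)
class Answer:
    name: str
    address: str
    ttl: int
    received_at: int  # seconds on a constructed clock


class ResolverCache:
    """Minimal positive cache: one A record per name, evicted when its TTL expires."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, int]] = {}

    def insert(self, answer: Answer) -> None:
        # A cached record is served until received_at + ttl, whatever happens upstream.
        self._entries[answer.name] = (answer.address, answer.received_at + answer.ttl)

    def lookup(self, name: str, now: int) -> Optional[str]:
        entry = self._entries.get(name)
        if entry is None:
            return None
        address, expires_at = entry
        if now >= expires_at:
            del self._entries[name]
            return None
        return address


def flag_ttl_anomalies(answers: List[Answer], baseline_ttl: int, factor: int = 10) -> List[Answer]:
    """Return answers whose TTL exceeds the zone's baseline by more than `factor`.

    A forged record that must outlive a short BGP hijack needs a TTL far above the
    zone's usual value, so this one comparison surfaces the technique in the post.
    """
    return [a for a in answers if a.ttl > baseline_ttl * factor]


def residual_exposure(forged: Answer, hijack_ends: int) -> int:
    """Seconds the forged record keeps being served after the hijack itself is over."""
    return max(0, forged.received_at + forged.ttl - hijack_ends)


def simulate_hijack() -> Dict[str, Optional[str]]:
    """Replay a constructed hijack window and report what the cache serves over time."""
    cache = ResolverCache()
    legit = Answer("pay.example.com", "203.0.113.10", NORMAL_TTL, received_at=0)
    forged = Answer("pay.example.com", "198.51.100.7", FORGED_TTL, received_at=1_000)
    hijack_ends = 4_000  # the imposter server is reachable only from t=1000 to t=4000

    cache.insert(legit)
    before = cache.lookup("pay.example.com", now=500)   # legit entry still fresh
    # The legit entry expired at t=600, so the next query (t=1000, during the
    # hijack) goes upstream and the imposter's long-lived answer gets cached.
    assert cache.lookup("pay.example.com", now=1_000) is None
    cache.insert(forged)
    during = cache.lookup("pay.example.com", now=2_000)
    after = cache.lookup("pay.example.com", now=hijack_ends + 86_400)  # a day later
    eventually = cache.lookup("pay.example.com", now=forged.received_at + FORGED_TTL)
    return {"before": before, "during": during, "after": after, "eventually": eventually}


if __name__ == "__main__":
    print(simulate_hijack())
    observed = [
        Answer("pay.example.com", "203.0.113.10", NORMAL_TTL, 0),
        Answer("pay.example.com", "198.51.100.7", FORGED_TTL, 1_000),
    ]
    for a in flag_ttl_anomalies(observed, NORMAL_TTL):
        print(f"suspicious TTL {a.ttl}s for {a.name} -> {a.address}; "
              f"would outlive a hijack ending at t=4000 by {residual_exposure(a, 4_000)}s")
```

The baseline comparison only works where the operator knows the zone's normal TTL (the post gives 600 seconds for the targeted domains); a cap on the maximum TTL a resolver will honour is the corresponding mitigation, since it bounds the residual exposure regardless of what the forged answer claims.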
Sextortion scams are a new way of demanding ransom
Email fraudsters are using personal information to make their threats seem credible. Many people are receiving emails from "hackers" who demand anywhere between $1700 and $3000 in bitcoin, or else they will send compromising information—such as sexually explicit pictures, porn-watching history and webcam video—to the victim’s friends, family and co-workers.

But the victims don’t need to panic. They haven’t been hacked as the email claims. This is merely a new variation on an old scam which is popularly being called "sextortion." It is a type of online phishing that targets people around the world and preys on digital-age fears. Sextortion scammers use urgent language to scare their intended targets into paying a ransom.

One such "sextortion" scam that threatens to expose porn-viewing habits unless one pays a bitcoin "ransom" has hit New Zealand. The scam takes the form of an email claiming that the sender has installed malware on the recipient's computer, hacked it and obtained a copy of the browsing history, which supposedly shows that the victim has visited an adult website, and that the scammer has recorded what they were doing via the computer’s webcam.

“Scams preying on human emotions aren’t new, but what stands out about this sextortion scam is how they’re trying to blackmail somebody using something that would be the most sensitive or embarrassing thing you could hold over them,” said Gordie Mah, the U of A’s chief information security officer. “And the personal information is the bait.”

What makes the email especially alarming is that, to prove their authenticity, the scammers begin the emails by showing you a password you once used or currently use, or even your driver’s licence in some cases. However, cybersecurity experts have warned users against paying the ransom: the hackers most likely do not have any such information, and the claim is merely a way of threatening users.

via Sextortion scams are a new way of demanding ransom - E Hacking News
Facebook wants banks to hand over customers’ financial information
According to the Wall Street Journal, the company has reached out to JPMorgan Chase, Wells Fargo, Citigroup, and US Bankcorp to discuss joining forces with Facebook Messenger.

Why? Facebook would reportedly use the information to build new features, like the ability for users to check their account balance or to get fraud alerts through Messenger. In exchange, banks would have to provide data on their customers’ transactions and balances. The social network says the information would only be used for creating new features, not for ad targeting.

But... The legacy of the Cambridge Analytica scandal looms large. Banks have reportedly been hesitant to collaborate with the tech giant because of data privacy concerns, and one bank pulled out of talks entirely.

Going offline: Facebook is increasingly trying to gain access to your offline data to bolster its profile of users and provide more features. Earlier this year it even reached out to hospitals about getting medical data on users. Facebook isn’t alone, either. Other tech giants like Google also want access to your offline information—because if they don’t get it, the thinking goes, their competitors will.

via Facebook wants banks to hand over customers’ financial information - MIT Technology Review