Select Page

Leak of the Week – 7/8/2016

The following are data breaches that have been reported this week:

 

Badoo – 112 Million records – Leaked data was usernames, e-mail addresses, simple MD5-hashed passwords.  The data was discovered for sale in May, though Badoo denies a breach ever occurred.  The leak appears this week because HIBP (see below) ran a check on the data and loaded into their database as an “unverified breach” (a first for HIBP).

 

Wendy’s – Now up to 1000 restaurants – Leaked data was credit card data (maybe mine!) from transactions at Wendy’s restaurants.  This breach began in the Fall of 2015 and wasn’t discovered until early this year.  Wendy’s confirmed this week that more restaurants are involved than their original estimate of 300.  Yep, 1000 is more than 300 by quite a bit.

 

Democratic National Convention – 17,000 records – Leaked data was a database of records dating back to 2013 including names, addresses, email addresses and phone numbers of people who purchased tickets to DNC events, including events attended by the President and the Vice President.  No word on whether financial data was leaked as well.

 

BIOS Exploit by Bad Researcher

A critical vulnerability that was recently found in the low-level firmware of Lenovo ThinkPad systems has now been found to exist in products from other vendors, including certain HP and GigabyteAccording to Lenovo, the vulnerability found by researcher Dmytro Oleksiuk in various ThinkPad models, was not in its own Unified Extensible Firmware Interface (UEFI) code, but in an implementation provided to Lenovo by an un-named independent UEFI vendor.  Since other manufacturers use the same third-party UEFI code, the same vulnerability applies to some of their machine models as well.

 

Already, an exploit for the vulnerability found in the Lenovo ThinkPads, dubbed ThinkPwn, has been published and can be used to execute rogue code in a CPU’s privileged System Management Mode (SMM).  The exploit can disable Windows Secure Boot, a UEFI feature that cryptographically verifies the authenticity of the OS bootloader to prevent boot-level rootkits.  Other Windows security features, like Virtual Secure Mode and Credential Guard, which depend on the UEFI to be secure, could also be circumvented.

 

ThinkPwn, was published by researcher Dmytro Oleksiuk and was not reported at all to Lenovo.  Bad researcher!  No kudos!  And I’m not kidding.  Even though Mr. Oleksiuk downplays the threat of this exploit being used… :

 

“It’s very unlikely that this vulnerability will be exploited in the wild, for regular customers there are much more chances to be killed with the lightning strike than meet any System Management Mode exploit or malware.”

 

…he still demonstrated that his ego is more important than the safety and security of others:

 

“I decided to do the full disclosure because the main goal of my UEFI series articles is to share the knowledge, not to make vendors and their users happy.”

 

So, vendors that use the vulnerable UEFI code had no warning that would give them time to develop a fix, and the public is exposed to a zero-day exploit.  Shame, Mr. Oleksiuk, shame!  Your technical prowess is overshadowed by your lack of social conscience.

End users should look to see if there is an updated version of the firmware for affected machines.  Lots of grisly detail about the UEFI vulnerabilities and the exploit, including some vulnerable ThinkPad models, can be found here.  Info on vulnerable Gigabyte motherboards can be found here.

Android Ransomware Quadrupled Over Last Year

Windows continues to be the operating system most commonly targeted with ransomware threats – but malware that attempts to extort money out of you isn’t just for the Microsoft-based anymore.  A new report published by Kaspersky shows that mobile device ransomware is a fast-growing sector of the ransomware pie.  Facts from the report, as well as some marketing puffery, state:

  • “From April 2014 to March 2015, Kaspersky Lab security solutions for Android protected 35,413 users from mobile ransomware. A year later the number had increased almost four-fold to 136,532 users.”
  • Most of the affected users are reported to be based in the United States, followed by Germany, Canada, and the UK.
  • “The share of users attacked with ransomware as a proportion of users attacked with any kind of malware also increased: from 2.04% in 2014-2015 to 4.63% in 2015-2016. The growth curve may be less that that seen for PC ransomware, but it is still significant enough to confirm a worrying trend.”
  • Android attacks are typically designed to block access to the phone.  This is known as “lock screen ransomware”.

 

The best defense for Android users is to stick to the same security basics used on workstations:

  • Be extremely cautious of installing apps from third-party sites
  • Backup important data on a regular basis
  • Run an endpoint security solution (we like Sophos)

 

More about the rise of mobile ransomware can be found here.

Cameras on the Loose!

Remember last week when we looked at the large number of unsecured cameras running wild on the Internet, like Mustangs on the open, Western plain?  Well, this week, someone found a way to harness all of that unsecured horse power to cause mischief and woe.  It’s enough to make a cowboy cry.

 

Bad actors, created and used a large botnet of CCTV devices to knock a jewelry website offline during a Distributed Denial of Service (DDoS) attack.  Researchers at Sucuri, providers of website security, determined that there were 25,513 unique IP addresses being used to generate the DDoS attack, which Sucuri was able to thwart.  Usually this type of attack is performed using infected workstations or servers, but this time Digital Video Recorders (DVRs), the devices to which video cameras send their data, were compromised and infected with malware and used to perform repeated web requests against a single website.  The attack, delivered by devices from 105 countries and all running the BusyBox operating system, generated almost 35,000 HTTP requests each second against the affected website, making it impossible for legitimate users to reach the site.  The attack was later increased to 50,000 HTTP requests each second after Sucuri neutralized the initial attack.

 

While it is not known how all these DVRs were compromised, it is suspected that a Remote Code Execution (RCE) flaw affecting DVR devices sold by more than 70 vendors may the cause.  The fault was discovered and reported back in March by security researcher Rotem Kerner.

 

So, not only were each of these 25,000 devices compromised, but the herd was turned into a network that was used to trample websites.  The moral of the story is, don’t trust wild horses.  No, not really, but don’t trust that devices in the Internet of Things (IoT) will come with security in mind.  Depending on IoT manufacturers to build adequate security into their devices can be dangerous to you and others.  All networked devices should be secured behind a firewall that allows only the minimum of traffic required to and from them, and access from the outside world should be severely limited.

 

For more information, and some nice detailed write-ups on this event, please see Ars Technica here and Ms Smith here.

Fansmitter

We knew it could be done with a wireless mouse, a computer speaker, a microphone or a camera, but now you can steal data using… a fan.  Yes, we can now transmit data using the variation in the speed of your computer’s fan.  By infecting a computer with specific malware that can control your CPU, case, or power supply fan you can place a smartphone with a specific app nearby and transmit data to it.

From the Hot For Security blog:

“Before you get too fearful that your computer’s fan is sharing your personal or business secrets, it’s important to underline some important points:

  • Your computer cannot be infected by malware via sound. Your computer would need to be already compromised and infected by malware to interpret soundwaves collected by its microphone as malicious instructions. And if a computer is already infected, where would be the attraction in infecting it again via the sound of some noisy fans?
  • If your computer is air-gapped from the rest of the world, what are the chances that a malicious attacker would be able to infect it with malicious code in the first place to start sharing its secrets by messing around with its fan speed? The most likely route might be via malware on a USB stick being shared with individuals who use the victim PC, or to have meddled with its software somewhere along its supply chain – but it’s not a method of attack that is likely to be deployed against the vast majority of computer users.
  • You don’t just have to have a target computer that has been compromised and pumping out data via the fan. You also need a device which can receive the data – it needs to be physically close by (the researchers claim from one to four metres distance).
  • Not only does the surveillance device picking up on the sound of the fan need to be close by, it also needs to be present for an extended period of time. In some of its tests the researchers were only able to steal 3 bits (not bytes!) per minute – getting as high as 15 bits per minute when they raised the fan’s oscillation speed”

That’s 900 bits/hour of pure spy fun!  This could be handy for getting something like a drive encryption key, but not for those Monty Python videos you have saved.

Password Hygiene

This is a quick list from Tripwire’s security experts “for consumers to improve their password hygiene”:

  • Change your passwords on a regular basis. Many of the passwords from the data breaches mentioned above are being sold on the dark web and are over three years old. Using stale passwords can keep you exposed to threats.
  • Stop using passwords and start using passphrases. Using a series of words is far less likely to show up in an attacker’s password dictionary than a single word. A starting point for a secure passphrase could be a favorite quote or a line from a song, complete with spaces and punctuation.
  • Be liberal with character substitutions. A password can be made stronger by replacing “o” with “0,” “e” with “3,” or “a” with “@.”
  • Use a different password for each website or service. If an attacker manages to steal a password for one website, they can’t use the same password to access other websites.

In short; change ‘em, make ‘em longer, be creative, be unique.  This is a nice and short hit list that our clients can use that avoids the technical jargon that we tech folk, OK, maybe just me, fall into.

Tripwire also adds turning on multi-factor authentication wherever you can and we concur. I do recommend using an outside authentication application like Google Authenticator, Authy, Duo, or Usher rather than relying on SMS text messages sent by your service provider.   There are known problems with using SMS texting as your second authentication factor.

Passwords will be around for some time to come (my prediction) so keeping them clean is important.

 

Windows 10 Fresh Start

In the latest test build of Windows 10 Anniversary Update released last week, Microsoft has introduced a tool that allows users to get rid of bloatware in rather dramatic fashion.  Microsoft’s new tool removes all applications that do not come standard with Windows (including other Microsoft applications such as Office) and most pre-installed OEM applications, support applications, and drivers.  In effect, this is close to being a full nuke and re-pave of a system.  Call it a “scrape the asphalt” tool.  The user has the option of keeping personal files through the “cleansing”, but will then have to re-install needed software.

The utility was released in May 2016 as a standalone tool, but is now bundled with the Windows test build 14367 and will soon make its way into production builds.  The tool runs on Windows 10 Insider Preview Home or Pro versions – not sure if it will run on Enterprise or Ultimate versions of Windows 10.  More info here, here, and here.

 

Leak of the Week – 6/20/2016

Here are the latest breaches/leakages that impact large groups of people.  More evidence for the adage “if you haven’t been hacked yet, you soon will be”.

VerticalScope – 45 million login accounts – VerticalScope runs AutoGuide.com, Motorcycle.com, PetGuide.com, Tractor.com, IBSgroup.org and other community websites and forums

Acer Online Store – 34,500 customers credit card data – Hacked from the Acer store.

GoToMyPC – All gumptyillion accounts – All account data stolen (maybe ‘all’, not sure) and it was stored with pretty-easy-to-hack MD5 encryption.  So old even my grandmother would call it old.  Some attack details here.  No exact number on the accounts breached, but I am sure it will be revealed once the data pops-up on the Dark Side.

GitHub – A “large number” of accounts – Github forced a password reset on accounts that it felt might be compromised after an attacker tried to gain access using lists of email addresses and passwords from other online services that have been compromised in the past. The attack was detected and examined and determined to be someone trying out data from already available breaches rather than data leaked from GitHub.  Another example of why you need to use separate passwords for each account and/or use multi-factor authentication.  Again, no evidence that GitHub data was directly hacked and kudos to them for being proactive.

Embedded Security in Cars

Cars are on the road and, now, in the airwaves as many new vehicles come equipped with on-board broadband Internet connections.  A third of new cellular ‘customers’ last quarter were cars.  With the added connections to the outside world, cars become connected targets, available to be hacked from anywhere.

Security companies are taking note and beginning to provide solutions.  Symantec officially announced its Anomaly Detection for Automotive product in early June and is pushing it to various car manufacturers.   The Symantec product is a passive solution which can be plugged into, or integrated with, the vehicle.  Anomaly Detection fro Automotive learns the vehicles’ normal behavior to develop a baseline behavior.  Once that baseline has been learned, it can be used in continuous monitoring of the vehicle to detect deviations from normal operation and inform the vehicle when it might either be under attack, or simply malfunctioning.

Symantec is also rolling out its Symantec Embedded Security Critical System Protection product, which helps lock down automotive control modules against runtime attacks. The Embedded Security Critical System Protection product runs on QNX, used in automobiles, as well as other OSes in industrial control environments and embedded systems.   Symantec also has code-signing capabilities that it is already selling to automotive vendors, to ensure that authentic and verified code is running.

Symantec isn’t the only one to address this IoT space.  Karamba Security has the Carwall product that it sells to manufacturers.  Carwall integrates into the software development environment and hardens the runtime code that the manufacturer installs in the vehicle.  We can expect to see other manufacturers enter this space as more IoT devices are introduced.

While Symantec and Karamba are taking things to the developers/manufacturers, I am waiting for others to address the existing vehicle market.  We soon may be installing “Kaspersky for Kia” and “McAfee for Mazda” on Managed Services Agreement (MSA) clients’ vehicles.

Microsoft Enables Threat Detection in Office 365

Office 365 has now stepped up the bundled tools available to help secure data by adding threat detection into their online suite.  The new Office 365 Advanced Security Management feature is now available to Office 365 Enterprise customers.  The new tools include Anomaly Detection which works by scanning user activities and evaluating their risk against over 70 different indicators, including sign-in failures, administrator activity and inactive accounts.  For example, if it detects that a user’s Office 365 account was used to check email in the U.S. and then used to access SharePoint half way around the world a few minutes later an alert will be triggered.

Configurable templates can be used to notify administrators via text or email and can also be used to control which third-party apps are allowed access to your Office 365 data.  If users take it upon themselves to link a helper app to their Office calendar data, for example, administrators are made aware and can revoke the offending app’s permissions.  The service can detect 1,000 different apps, including Webmail, collaboration and cloud storage apps (can you say, Dropbox?).

Advanced Security Management is included as part of the Office 365 E5 plan. Customers with other Office 365 Enterprise plans can subscribe to it for $3 per user per month.  More info can be found here.