It was all over the news this weekend. A sustained DDoS attack that caused outages for a large number of web sites Friday was launched with the help of hacked “Internet of Things” (IoT) devices. In a relatively short period of time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.
Early Friday morning someone aimed their DDoS attack on Dyn, a New Hampshire based Internet infrastructure company that provides critical DNS technology services to major websites. The attack immediately created problems for internet users of Twitter, Amazon, Tumblr, Reddit, Spotify, Netflix and a host of other websites.
This outage was similar to the recent DDoS attack on IT security reporter Brian Krebs’ site, caused by the Mirai botnet, which consists of hacked IoT devices — mainly composed of digital video recorders and IP cameras made by a Chinese hi-tech company called XiongMai Technologies.
The components that XiongMai makes are sold downstream to vendors and manufacturers who then use them in their own products. All credentials are hardcoded in the firmware and cannot be changed. This is a very dangerous practice and we need laws against this ASAP.
Who Is Learning How to Take Down the Internet?
Last month, IT security Guru Bruce Schneier created some controversy when he wrote that someone — probably a country — was learning how to take down the internet:
“Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guess.
These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.”
It’s either a large country, or these two other scenarios:
1) Someone tried to extort DYN and when they did not cough up the money, they decided to show them what they could unleash.
2) Anonymous and/or some other hacktivists decided to flex their virtual muscle and show netizens they are still a force to be reckoned with. Either way is disconcerting.
What can you do about this?
Well, not much EXCEPT keep your unnecessary IoT devices off the internet – don’t simply follow the manufacturer’s instructions and routinely connect everything to your WiFi connection. In the future, laws should be passed forcing manufacturers to build standard security functionality into these things, making it somewhat safer for us consumers to use them.
It’s all over the press. Here is a quote from Reuters: “Yahoo Inc said on Thursday information associated with at least 500 million user accounts was stolen from its network in 2014 by what it believed was a “state-sponsored actor.”
The data stolen may have included names, email addresses, telephone numbers, dates of birth and hashed passwords (the vast majority with the relatively strong bcrypt algorithm) but may not have included unprotected passwords, payment card data or bank account information, the company said.
Right, that is how it usually goes. This whole disclosure smells like a professional crisis-handling exercise. Later, after more breach investigation, they disclose that more credentials were stolen and that more data (credit cards) was exfiltrated than was known at the time of the discovery. It is disappointing that Yahoo doesn’t share more details about the hack, such as when it first discovered that it had been attacked.
It’s easy to blame Russia (likely) or China (unlikely). If I had to break the bad news that my company had been hacked, I would feel much happier saying that the attackers were “state-sponsored” rather than a bunch of 15-year-old kids working in their parents’ basement.
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said. Yahoo said it was working with law enforcement on the matter. It was not clear how this disclosure might affect Yahoo’s plan to sell its email service and other core internet properties to Verizon Communications Inc.
Yahoo launched an investigation into a possible breach in early August after a Russian hacker named “Peace” offered to sell a data dump of over 200 million Yahoo accounts on the darknet for just $1,800 including usernames, easy-to-crack password hashes, dates of birth and backup email addresses.
Based on the chart below this is the largest data breach ever – so far!!!
This is going to be a phishing paradise with significant fallout
Phishing attacks will likely be the number one fallout, with Yahoo user accounts being used for social engineering attacks. However, since many people use the same username and password across multiple sites, the other thing that will rear its ugly head is “credential stuffing”: a brute-force attack where attackers replay the stolen Yahoo username and password pairs against other websites until they find accounts that reuse them.
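What credential stuffing looks like from the defender’s side is a single source cycling through many different usernames, rather than one user failing repeatedly on one account. The following is an added example, not code from the original article, that flags that pattern in login logs. It assumes a simple constructed log format (“timestamp client_ip username OK|FAIL”) and constructed sample traffic; the thresholds are assumptions to tune for a real site.

```python
"""Detect credential-stuffing patterns in web-login logs.

Added example; not code from the original article. Assumes a constructed
log format: "<ISO timestamp> <client_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one source cycling through many
# accounts, one user mistyping a password, and one source with just two tries.
SAMPLE_LOG = """\
2016-09-23T10:00:01 203.0.113.7 alice FAIL
2016-09-23T10:00:02 203.0.113.7 bob FAIL
2016-09-23T10:00:03 203.0.113.7 carol FAIL
2016-09-23T10:00:04 203.0.113.7 dave OK
2016-09-23T10:00:05 203.0.113.7 erin FAIL
2016-09-23T10:00:06 203.0.113.7 frank FAIL
2016-09-23T10:01:10 198.51.100.4 carol FAIL
2016-09-23T10:01:25 198.51.100.4 carol FAIL
2016-09-23T10:01:40 198.51.100.4 carol OK
2016-09-23T10:02:00 192.0.2.9 alice FAIL
2016-09-23T10:02:30 192.0.2.9 bob FAIL
"""


def parse_log(text):
    """Yield (timestamp, ip, username, success) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try >= min_users distinct usernames inside `window`.

    A stuffing source is distinguished from a user who mistypes a password by
    the number of *different* accounts it touches, not by raw failure count.
    Returns {ip: summary}; "compromised_accounts" lists the usernames that
    succeeded from a flagged source, i.e. the accounts to force a reset on.
    """
    events = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_log(text)):
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        start = 0
        # Sliding time window over this IP's events (already time-sorted).
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users_in_window = {u for _, u, _ in evs[start:end + 1]}
            if len(users_in_window) >= min_users:
                flagged[ip] = {
                    "distinct_users": len({u for _, u, _ in evs}),
                    "attempts": len(evs),
                    "successes": sum(1 for _, _, ok in evs if ok),
                    "compromised_accounts": sorted(u for _, u, ok in evs if ok),
                    "first_seen": evs[0][0],
                    "last_seen": evs[-1][0],
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is flagged: it touched six accounts in five seconds and got into one, while the user who mistyped twice and the source with two attempts stay below the threshold. In practice the window and username threshold should be set from your own baseline, and the “compromised_accounts” list is the actionable output: those accounts reused a leaked password and need a forced reset.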
Yahoo put a security announcement on their website and has started to send users notices that they need to change their password.
The bad guys are going to have a field day with this, so BE CAREFUL!
We can expect to be confronted with a raft of Yahoo-related scams in our inbox. As a matter of fact, as I was preparing this article I received a phishing email along with an infected attachment in RTF or Rich Text Format. See below:
Can you identify all the “markings” of a fake email from the screen capture above? Let’s hope so – it’s time for all of us to be EXTRA VIGILANT when opening emails.
Have you been the target or victim of ransomware-wielding attackers? If so, your government needs you to come forward.
So says the FBI in a new public service announcement aimed at both individuals and businesses. The FBI says the effort is designed to get “victims to report ransomware incidents to federal law enforcement to help us gain a more comprehensive view of the current threat and its impact on U.S. victims.”
The bureau says that while anecdotal reports of crypto-locking attacks abound, it needs more precise information about attackers – ranging from the ransomware variant to the attacker’s bitcoin address – to help it pursue, disrupt and potentially arrest suspects. “While ransomware infection statistics are often highlighted in the media and by computer security companies, it has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement,” the FBI’s alert says.
The bureau has previously asked victims of everything from tech support scams to CEO fraud to come forward in efforts that parallel outreach by European law enforcement and security experts.
Security experts say that even if law enforcement agencies cannot act on every criminal report they receive, having victims come forward serves several essential purposes:
• Intelligence: Reporting crime gives law enforcement agencies a more accurate picture of attackers’ techniques so that they can attempt to track and ultimately disrupt them.
• Funding: Crime reports also help law enforcement agencies gauge the scale of the problem so they can devote sufficient resources as well as secure needed funding from legislators or other policymakers.
• Arrests: Amassing intelligence on cybercrime gangs helps investigators better correlate gangs’ activities, thus potentially helping them unmask and pursue the individuals involved as their attacks generate more clues. The FBI has previously noted that “much of the infrastructure being used by cybercriminals is hosted overseas,” and that it often works with international law enforcement agencies.
FBI Seeks 9 Data Points
The FBI is asking anyone who’s been the victim of a ransomware infection to file a report with the local FBI field office or via the website of the Internet Crime Complaint Center, or IC3. That’s a joint partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance, which was set up to receive and investigate internet-related crime complaints.
Here’s the exact information being sought by the bureau:
• Date of infection;
• Ransomware variant, as identified on the ransom page or by the encrypted file extension;
• Victim company information – industry type, business size;
• How the infection occurred – link in email, browsing the internet, etc.;
• Requested ransom amount;
• Attacker’s bitcoin wallet address – often listed on the ransom page;
• Ransom amount paid, if any;
• Overall losses associated with a ransomware infection, including the ransom amount;
• Victim impact statement.
Please Don’t Pay
In its public service request, the FBI again urges anyone who’s suffered a ransomware infection to never pay ransoms because it helps criminals refine their attacks and snare even more victims.
“Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom,” the FBI says. “Paying a ransom emboldens the hacker to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain.”
The FBI also notes that business realities may, of course, influence some organizations to pay the ransom. “While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees and customers.”
Legal experts say there appears to be no way for U.S. law enforcement agencies to prosecute anyone who pays a ransom, even if the money ends up in the hands of an individual or organization on the U.S. Treasury Department’s sanctions list, provided victims employ an intermediary. I’ve been told that some organizations are setting up such plans as well as stockpiling bitcoins in the event that they do fall victim to a related attack.
Anti-Ransomware Portal Offers Help
Some victims, however, can get the equivalent of a “get out of jail for free” card, thanks to ongoing efforts by security researchers to crack attackers’ weak crypto or otherwise exploit code-level flaws in attack code.
One related effort, the public/private No More Ransomware portal, says that since launching in July, it’s enabled 822 CoinVault and 941 Shade ransomware victims to decrypt their data for free.
While that’s good news, as the FBI noted earlier this year in an intelligence memo, don’t count on decryptors always being available, because they rely on attackers making coding errors. “Since the most sophisticated ransomware variants are practically impossible to defeat without obtaining the actor’s own private decryption keys, the FBI has focused on performing significant outreach to educate the public on ransomware and the importance of keeping backups and maintaining a level of operational security when using a computer,” the FBI’s memo states.
Thanks to KnowBe4 – an online internet safety and security training company – for this new scam alert. An unusual phishing email making the rounds reveals a new scam you could soon find in your inbox.
Many online service providers like Microsoft, Google, Facebook, Twitter, and PayPal have adopted a policy to warn users via email when there is a possible security-related event like “unusual sign-in activity”.
Copies of these emails have been used for credential phishing for a few years, but the NEW problem is that these security notifications are now being used by bad guys as an attack vector for a tech support scam.
These new phishing emails point victims to a 1-800 number where either a scammer picks up, or the victim gets sent to voice mail hell for a while and their number is queued for a fraudulent follow-up call like the one below.
PS: KnowBe4 uses HubSpot to host their website and for marketing automation so that is where this download link points to. It is safe to click, entertaining and instructive:
So, I suggest you send the following alert/information to your employees, friends and family. You’re welcome to freely copy/paste the information below for sharing.
“There is a new scam you need to watch out for. In the last few years, online service providers like Google, Yahoo and Facebook have started to send emails to their users when there was a possible security risk, like a log-on to your account from an unknown computer.
Bad guys have copied these emails in the past, and tried to trick you into logging into a fake website they set up and steal your username and password. Now, however, they send these fake security emails with a 1-800 number that they claim you need to call immediately.
If you do, two things may happen:
1) You get to talk right away with a real internet criminal, usually with a foreign accent, that tries to scam you. They claim there is a problem with your computer, “fix” it, and ask for your credit card.
2) You get sent to voice mail and kept there until you hang up, but your phone number was put in a queue and the bad guys will call you back and try the same scam.
Remember, if you get any emails that either promise something too good to be true, OR look like you need to do something to prevent a negative consequence, Think Before You Click – and in this case, before you pick up the phone.
If you decide to call any vendor, go to their website and call the number listed there. Never use a phone number from any email you may have received. Here is a real example of such a call. Don’t fall for it!
The world’s most unpopular internet browser now comes with opt-in Super Stalking. Microsoft wants people to use its Edge browser so badly it will even pay people to use it.
Windows 10 and Edge users can earn credits that can be spent in the Microsoft online store on things like three months of advertisement-free Outlook and Amazon cards. But – Microsoft won’t let you just run Edge and cash in: they will monitor the user’s mouse and keyboard movements for “active use” of the browser. If you’re busy enough, Redmond will hand over credits, soon to be renamed points under a program detailed here.
It will take about 1,000 Bing searches and about 19 days to earn about $5 which you can put towards a Starbucks coffee. Microsoft will offer additional credits to users who click things like training videos, MSN videos on how to make s’mores, and other Microsoft promotional content.
The new effort involves the renaming of Bing Rewards to Microsoft Rewards, and expanding it to cover Edge. Under the change, users who sign up before the pending switch from Bing Rewards to Microsoft Rewards will be promoted to level two, a title that can only be maintained by searching enough every day to earn that Starbucks coffee. Level two users get access to “exclusive offers” and get 10 per cent off certain Microsoft offerings.
As Internet browsers go, Google’s Chrome is the uncontested champion of the web browsing wars, with some 51.04% of the market, according to NetMarketShare. The analyst site places Microsoft’s Internet Explorer in second place with 21.76%, Safari with 11.12%, Firefox with 6% and Edge lagging behind them all at a dismal 3.91%. ‘Other’ web browsers account for 6.18% of the total.
For additional information: Get rewarded faster by browsing with Microsoft Edge. Earn points for every hour of active browsing with Microsoft Edge – up to 30 hours a month.
Here’s some more scary info. Looks like one can start their own online ransomware business now with ZERO investment and very little effort: Ransomware-as-a-Service.
Cerber Ransomware Earns Over $2 Million with as little as 0.3% of victims paying up! A new report from Check Point Software’s researchers showed that Cerber’s Ransomware-as-a-Service (RaaS) affiliate program is a resounding success with more than 160 participants at current count, and that the combined direct sales plus affiliates was almost 200K in July, despite a victim payment rate of just 0.3%. That puts it on track to earn $2.3 million this year, said Maya Horowitz, group manager of threat intelligence at Check Point.
Aspiring criminal affiliates create their own campaigns using the Cerber platform and keep 60 percent of the profits. They also have access to user-friendly management tools, Cerber’s Bitcoin laundering architecture, and obviously the malicious code itself. Eight brand new Cerber ransomware campaigns are launched every day!
This means that there will be more and more such services, more and more attacks, even more than today. Just this week Symantec reported on a new RaaS that competes with Cerber. The new ransomware — dubbed Shark — is currently available for no charge in underground forums. Novice hackers that use the tool to extort money from victims pay only a 20% cut to the Shark developers.
Check Point researchers identified the IP addresses that infected machines used for data traffic with their C&C servers. They were also able to easily identify that the bad guys are probably based in or near Russia.
Currently, there are no infections in Russian-speaking countries, and in the ransomware’s configuration the authors chose, by default, not to operate on machines or PCs that have Russian as their default language. Obviously another indication of the hackers’ physical location.
This is a tried-and-true strategy of not getting picked up by the FSB, today’s equivalent of the KGB. As long as you don’t hack inside Russia’s borders, the Russian security forces leave you alone.
Follow The Money
What is interesting is that Check Point was able to extract the exact Bitcoin wallets assigned to every victim so that they could track the percentage of people who actually paid the ransom. The next step was to “follow the money” to one ultimate final central wallet through a network of other wallets that are part of Cerber’s Bitcoin architecture.
They followed these hundreds of thousands of different wallets. This is the first time that security researchers can say for sure what percentage of victims pay the ransom.
The proportion of victims that actually pay ransoms was surprisingly low compared to earlier estimates by other researchers, but it still pays off handsomely. A small team of four or five specialized cyber criminals can make between $300,000 and $400,000 each per year, which is at least 10 times more than they could earn in any legitimate enterprise where they live.
So with the extraordinary amounts of money that can be made using these Ransomware-as-a-Service programs, we can all expect them to continue to grow and thrive in today’s internet security environment.
A simple method to “help” circumvent this particular attack vector would be to log into your hardware-based firewall/router (you do have a hardware firewall, right?) and block all incoming WAN traffic from Russia-based IP addresses. You should probably block IP addresses that originate from China at the same time.
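If your router is Linux-based, the block above is usually built as an ipset of country CIDR ranges referenced from iptables. The following is an added example, not from the original post, that validates and merges such ranges and renders the rules. The CIDR ranges are constructed placeholders from RFC 5737 documentation space, not real country allocations (real lists come from the regional registries’ delegation files or a GeoIP vendor), the ipset name and the WAN interface name eth0 are assumptions, and the helper that checks whether a given address falls in the list is the same test the firewall performs.

```python
"""Build a WAN ingress blocklist from country CIDR ranges.

Added example, not code from the original post. Assumes a Linux-based
router with iptables and ipset; ranges below are constructed placeholders
(RFC 5737 documentation space), NOT real country allocations.
"""
import ipaddress

# Constructed placeholder ranges per country code. Overlapping and adjacent
# entries are deliberate: real vendor lists contain them, and feeding them to
# ipset unmerged wastes entries and hides mistakes.
COUNTRY_RANGES = {
    "RU": ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"],
    "CN": ["192.0.2.0/24", "192.0.2.64/26"],
}

WAN_IFACE = "eth0"  # assumption: the router's WAN-facing interface


def collapse_ranges(cidrs):
    """Validate each CIDR and merge overlapping or adjacent networks.

    ip_network() raises ValueError on malformed input, so a corrupted list
    fails here instead of silently producing a half-applied ruleset.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def build_blocklist(country_ranges, countries):
    """Return the merged, sorted list of networks for the chosen countries."""
    nets = []
    for cc in countries:
        nets.extend(country_ranges[cc])
    return collapse_ranges(nets)


def render_ipset_rules(networks, set_name="wan_block"):
    """Emit shell commands: one ipset, plus DROP rules on the WAN interface.

    Inbound rules (INPUT/FORWARD, match on src) implement the post's advice.
    The outbound rule (match on dst) is the complementary check: an already
    infected PC talks *out* to its C&C server, and that traffic is what the
    inbound block alone would miss.
    """
    lines = [f"ipset create {set_name} hash:net -exist"]
    lines += [f"ipset add {set_name} {n} -exist" for n in networks]
    match = f"-m set --match-set {set_name}"
    lines.append(f"iptables -I INPUT -i {WAN_IFACE} {match} src -j DROP")
    lines.append(f"iptables -I FORWARD -i {WAN_IFACE} {match} src -j DROP")
    lines.append(f"iptables -I FORWARD -o {WAN_IFACE} {match} dst -j DROP")
    return lines


def is_blocked(address, networks):
    """True if `address` falls inside any network in the blocklist."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in networks)


if __name__ == "__main__":
    blocklist = build_blocklist(COUNTRY_RANGES, ["RU", "CN"])
    print("\n".join(render_ipset_rules(blocklist)))
```

With the placeholder data the five input entries collapse to three /24s, which is what you want to see before loading thousands of real entries. Two caveats a practitioner would add: country blocking is coarse, since attackers routinely relay through hosts in other countries, and it will also drop any legitimate traffic from those ranges, so keep the set separate from your other rules so it can be removed cleanly.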
Imagine the cybersecurity implications of a world in which hundreds of millions of people have a physical impairment and the corrective devices they use leave them internet-connected.
Thanks to the “internet of things,” that scenario is fast becoming reality in the form of internet-connected hearing aids. But like so many aspects of the internet of things, such devices carry upsides as well as big, potential data breach downsides, according to Phil Reitinger, the chief executive of the Global Cyber Alliance. He was formerly the Department of Homeland Security’s top cybersecurity official as well as CISO for Sony.
In an opening keynote presentation Aug. 2 at the Information Security Media Group’s Fraud & Breach Prevention Summit New York, Reitinger noted that unlike some internet of things devices – toasters come to mind – internet-connected hearing aids, which are still in their infancy, offer a lot of promise for improving users’ quality of life. When a user is watching a television show, for example, their hearing aids could identify the audio and instead of simply amplifying it they could begin downloading a live audio stream of the broadcast.
But what happens when internet-enabled hearing aids enter the workplace or any WiFi enabled environment for that matter? As with smartphones, the WiFi enabled hearing aids would be a natural target for attackers, because they could be exploited and used to facilitate remote surveillance, allowing hackers to “hear” whatever the wearer hears. And that would create risks for any such device wearer who works for an organization with access to classified or sensitive information. Without appropriate safeguards being put in place, we risk a future in which attackers could perpetrate targeted breaches with little risk of their attacks being spotted or traced.
In that sort of a future, “things like the DNC [Democratic National Committee] hack, are small potatoes … because a huge number of people are walking listening devices,” Reitinger said. “Everything is connected, everything is tied together.”
Security Essential: Think Big
Our everyday lives will only continue to become more connected, with more data generated; that’s our inevitable internet of things future. But from a security standpoint, it’s possible to avoid some doomsday-style scenarios, provided we make some related moves, chief among them building networks that are as big as possible.
“Right now, I think the bad guys have almost all of the advantages,” Reitinger said. “But … it’s much tougher on the good guys than the bad guys. The bad guys operate at scale much better than the good guys.”
Citing a concern that Pokemon Go players are wandering into private property and near electrical equipment, power and utility companies in Florida have asked cybersecurity company LookingGlass to pull Pokemon off the map.
“We’re now in the business of killing Pokemon,” LookingGlass CEO Chris Coleman told CNNMoney.
He said clients have asked LookingGlass to help eliminate the game’s code to get rid of the little creatures in restricted areas. Clients have pinpointed eight locations, and Coleman’s team sends those coordinates to Niantic Labs, the maker of the game, asking that the critters be removed.
Police departments around the country have issued warnings to Pokemon players to stop trespassing on property belonging to businesses, the government or religious institutions. But no one until now has figured out how to rid their property of Pokemon.
The wildly popular smartphone game instructs players to explore their surroundings to collect Pokemon, then it projects digital images of the cute creatures into the real world.
It’s a wholesome, kid-friendly video game. But the merging of digital and physical realms has also caused awkward entanglements.
One teen in Wyoming stumbled upon a dead body in a river while playing the game. Two men fell off a cliff while trying to catch Pokemon with their eyes glued to their screens. Another player crashed into a police car because he was playing while driving.
These types of accidents aren’t stopping people from playing the game, which has already broken records for its popularity.
Coleman said his cybersecurity company is in a unique position to help eliminate Pokemon(s), because he’s friends with a member of Niantic’s board of directors: Gilman Louie.
Louie is known in cybersecurity circles, because he was the first CEO of In-Q-Tel, the CIA’s venture capital firm that the intelligence agency uses to invest in state-of-the-art technology.
The next challenge for this popular application may come from a new product soon to be available to the masses called Pokédrone. Tech brand TRNDlabs has customized its miniature drone so Pokemon Go video game players can access Pokemon in difficult places and avoid walking into hazards.
The company’s rationale for this product is that sometimes the critters appear in hard-to-reach places, like in the middle of busy roads or hovering above bodies of water – making it difficult or impossible for avid fans to catch them.
Apparently there are disappointed fans all over the world because sometimes a Pokémon occurs on your screen but in reality there is no way for human beings to catch it. According to TRND Labs, the Pokédrone is the solution that delivers the power of catching them all!
Just when you think they couldn’t sink any lower, internet based criminals are now exploiting the tragedy in Orlando. Unfortunately, once again we need to warn people about these lowlifes just like we’ve done when earlier, similar incidents like this happened.
Phishers are now sending a raft of scams varying from blood drives to pleas for charitable contributions for victims and their families. Additional attack vectors are messages that promise exclusive or inside information or — even worse — smartphone videos shot at the scene. Unfortunately, this type of scam is the worst kind of phish-bait we’ve seen lately.
These criminals are now sending out phishing campaigns that try to trick you into clicking on a variety of links about blood drives, charitable donations, “inside” information or “exclusive” videos. Don’t let them shock you into clicking on anything, or open possibly dangerous attachments you did not ask for!
With anything you receive about the Orlando shootings, be very, very suspicious – think three times before you click. It’s very possible that it is a scam, even though it might look legitimate or was forwarded to you by a friend — be especially careful when it seems to come from someone you know through email, a text or social media postings because their account may have been hacked.
If you want to donate to help those affected by this tragedy, go to your usual charity by typing their name in the address bar of your browser and do not click on a link in any email. Remember, taking these precautions is just as important at home as in the office, and don’t forget to warn your family members. It’s unfortunate that we continue to have to warn against the bad guys on the internet that try to leverage these tragedies for their own benefit.
Below are just a few of the email subject lines you should be extremely cautious about when opening:
- A friend has asked you to donate blood – find your nearest blood drive/blood center.
- Donations for Families of Orlando Shooting Victims.
- New ISIS Video Celebrating Orlando Attacks Turns Up On Dark Web – CNN headline
If the founders of a new face recognition app get their way, anonymity in public could soon be a thing of the past. FindFace, launched two months ago and currently taking Russia by storm, allows users to photograph people in a crowd and figure out their identities, with 70% reliability.
It works by comparing photographs to profile pictures and in the future, the designers imagine a world where people walking past you on the street could find your social network profile by sneaking a photograph of you, and shops, advertisers and the police could pick your face out of crowds and track you down via social networks.
In the short time since the launch, FindFace has amassed 500,000 users and processed nearly 3 million searches, according to its founders.
Unlike other facial recognition technology, their algorithm allows quick searches in big data sets. Three million searches in a database of nearly 1 billion photographs: that’s hundreds of trillions of comparisons. With this algorithm, you can search through a billion photographs in less than a second from a standard desktop computer. The app will give you the most likely match to the face that is uploaded, as well as 10 people it thinks look similar.
The technology can work with any photographic database, though it currently cannot use Facebook, because even the public photographs are stored in a way that is harder to access. I’m sure it’s just a matter of time before this challenge is resolved. We might even see Facebook leading the charge if they see a way to monetize this technology.
Some security analysts have sounded the alarm about the potentially disturbing implications. The app has already been used by a St Petersburg photographer to snap and identify people on the city’s metro line.
But the FindFace app is really just a shop window for the technology, the founders said. There is a paid function for those who want to make more than 30 searches a month, but this is more to regulate the servers from overload rather than to make money. They believe the real money-maker from their face-recognition technology will come from law enforcement and retail.
The pair claims they have been contacted by police departments in other regions, who told them they started loading suspect or witness photographs into FindFace and came up with results. “It’s nuts: there were cases that had seen no movement for years, and now they are being solved,” said Kabakov.
The startup is in the final stages of signing a contract with Moscow city government to work with the city’s network of 150,000 CCTV cameras. If a crime is committed, the mugshots of anyone in the area can be fed into the system and matched with photographs of wanted lists, court records, and even social networks.
It does not take a wild imagination to come up with sinister applications in this field; for example being able to tag and identify participants in street protests, sporting events or any large group or gathering in places where CCTV cameras are installed.
The pair also has big plans for the retail sector. Kabakov imagines a world where cameras identify you looking at, say, a stereo in a shop, the retailer finds your identity, and then targets you with marketing for stereos in the subsequent days.
Again, it all sounds more than a little disturbing. In today’s world we are constantly surrounded by gadgets. Our cell phones, iPads, tablets, televisions, fridges, everything around us is sending real-time information about us to the internet. We already have large data files on people’s movements, their interests and so on, cataloged on massive internet servers around the world – next they’ll be matching our interests to our photographs and perhaps when a camera picks us up on the street – everyone will know exactly where we are. Now we can really kiss our privacy goodbye. From the Washington Post: https://www.washingtonpost.com/news/morning-mix/wp/2016/05/18/russias-new-findface-app-identifies-strangers-in-a-crowd-with-70-percent-accuracy/