IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

LastPass Sounds Breach Alert


Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass hashes master passwords. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will be phishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common password reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."
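As an added illustration of the two points above (the per-user salted authentication hash, and why the "reminder may not equal the password" rule is too weak), here is example code written for this page, not LastPass's own implementation; the PBKDF2 round count and the sample salt are assumptions.

```python
import hashlib
import hmac
import os

# Assumed cost parameter for this example; not LastPass's actual configuration.
PBKDF2_ROUNDS = 100_000


def new_server_salt() -> bytes:
    """Per-user salt generated server side and stored next to the authentication hash."""
    return os.urandom(16)


def auth_hash(master_password: str, server_salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Authentication hash: a slow, salted derivation of the master password.
    The salt stops one cracking run from covering every leaked user at once;
    the round count makes each individual guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), server_salt, rounds)


def check_login(master_password: str, server_salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the hash."""
    return hmac.compare_digest(auth_hash(master_password, server_salt), stored_hash)


def _normalise(text: str) -> str:
    # Drop case, spaces and punctuation so "Correct-Horse" still matches "correct horse".
    return "".join(ch.lower() for ch in text if ch.isalnum())


def reminder_allowed_weak(master_password: str, reminder: str) -> bool:
    """The rule as Vigo describes it: the reminder only has to differ from the password,
    so a reminder that quotes the whole password passes."""
    return reminder != master_password


def reminder_allowed_strict(master_password: str, reminder: str) -> bool:
    """Stricter policy: reject any reminder that contains the password, or a run of at
    least half of it, after normalising case and punctuation."""
    pwd, hint = _normalise(master_password), _normalise(reminder)
    if not pwd or pwd in hint:
        return False
    run = max(4, len(pwd) // 2)
    return not any(pwd[i:i + run] in hint for i in range(len(pwd) - run + 1))
```

A reminder that passes the strict check can still be a weak hint ("My dogs name" passes), which is why Vigo's advice is to use none at all.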

Password Vaults: Pros and Cons

The LastPass breach raises the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.


New Rombertik malware destroys master boot record if analysis function detected


While malware that scans for analysis tools is nothing new, Cisco researchers have identified a new malware sample that takes its detection-evasion features one step further than the average sample.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post.


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make analysis even more difficult, more than 97 percent of the packed file in the Rombertik sample Cisco unpacked is dedicated to useless content, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system, it is unlikely to detect or evade them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.



Windows PCs remained vulnerable to Stuxnet-like attacks despite 2010 patch


If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.

The original attack, which exploited a vulnerability in how Windows displayed icons for shortcut (LNK) files, was used to spread Stuxnet, a computer worm that sabotaged uranium enrichment centrifuges at Iran’s nuclear facility in Natanz.

Stuxnet, which is believed to have been created by the U.S. and Israel, was discovered in June 2010 after it spread beyond its intended target and ended up infecting tens of thousands of computers around the world. The LNK vulnerability, tracked as CVE-2010-2568, was one of several zero-day, or previously unknown, flaws that Stuxnet exploited. Microsoft patched the flaw in August that same year as part of a security bulletin called MS10-046.

“To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010,” the HP researchers said in a blog post Tuesday. “Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links.”

“The patch failed,” they said. “And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”

ZDI reported the LNK patch bypass found by Heerklotz to Microsoft, which treated it as a new vulnerability (CVE-2015-0096) and fixed it Tuesday as part of MS15-020. The ZDI researchers plan to examine the new update to see if there are any other possible bypasses.

However, applying the workaround published by Microsoft in 2010, which involves using the registry editor to manually disable the display of icons for shortcut files, will protect against the latest flaw too, they said.

While the LNK attack was first discovered as part of Stuxnet, security researchers from Kaspersky Lab recently found that another computer worm, called Fanny, had used it since 2008. Fanny is part of a malware arsenal used by a highly sophisticated cyberespionage group that Kaspersky has dubbed Equation.

As revealed by a Kaspersky Lab report in August 2014, exploitation of the original CVE-2010-2568 vulnerability remained widespread even after the Microsoft patch in 2010, primarily because the exploit was integrated in more common threats like the Sality worm. From July 2010 to May 2014, Kaspersky Lab detected over 50 million instances of the CVE-2010-2568 exploit on more than 19 million computers worldwide.



How to protect your wireless router from malware


O D worries that other people, including criminals, can see his IP address. “What can happen if they come into my router?”

As I pointed out last year, your router’s IP address is anything but a secret. Every website you visit gets a look at that number. And from that IP address, they can discover your ISP and your general location (your neighborhood, but not your address).

But can they infect your router with malware? It’s not likely, but the danger is significant enough to take precautions.

[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to answer@pcworld.com.]

Last year, researchers discovered a worm, which they called TheMoon, that infected several Linksys routers. Linksys soon issued a fix to stop it. This wasn’t the first such attack, and it will almost certainly not be the last.

Note that TheMoon infected only Linksys routers. I’m not picking on Linksys; the next attack could be on D-Link or Netgear routers. That’s the nature of this kind of malware—it’s manufacturer-specific. So chances are that a worm that tries to attack your router won’t be compatible with it—and for once, you can be thankful for incompatibility.

What follows are the basic precautions everyone should take. For more details, read this helpful router security piece by Michael Brown and Jon L. Jacobi.

  1. Update your router’s firmware. Check the manufacturer’s website regularly to see if there’s a new version.
  2. Go into your router’s setup page and make sure that remote administration is turned off. (If the IP address is 0.0.0.0, it’s off.)
  3. Change the name of your wireless network. There’s no need to advertise the make of your router.
  4. Change the router’s password. I’m not talking about the Wi-Fi password, but the one that gets you into the router’s setup. And make it a strong password.

Finally, if you’re really worried, hide your IP address by using either an anonymity browser like Tor, or a virtual private network (VPN) like CyberGhost.




DDoS-attack takes Dutch government sites offline for 10 hours


A sophisticated distributed denial-of-service (DDoS) attack blocked Dutch government and privately run commercial sites from the public for more than 10 hours Tuesday.

The ministry of General Affairs, the National Cyber Security Center (NCSC), website hosting company Prolocation and services provider Centric are working to determine the specific methods used in the attack and who was behind it.

The attack, which started at 9:45 a.m. local time, was difficult to deflect because the attack patterns changed regularly, said Prolocation’s director, Raymond Dijkxhoorn. The attack was different from the usual DDoS attempts that happen on an almost daily basis and are easier to defend against, he said.

“It is the first time that we couldn’t deal with it,” Dijkxhoorn said.

The attack targeted the sites of the federal government directly, but also caused other sites that were hosted on the same network to go down, Dijkxhoorn said. Blog site Geenstijl.nl and telecom provider Telfort’s site were among those blocked in the attack.

A few of the sites on the network used DDoS-deflecting services from providers like Cloudflare, Dijkxhoorn noted. But unless all clients on a network are able to ward off a DDoS attack, there is a risk for other sites on that network, he said.

Geenstijl, for instance, uses Cloudflare, which will usually allow traffic to reach the site’s server when a DDoS attack targets the site. However, Geenstijl’s server can still become unreachable as a result of a DDoS attack aimed at other sites on the network that don’t have such protection, Dijkxhoorn said. The Dutch government did not use such external DDoS protection services, he said.

The DDoS attack consisted of a mix of methods used alternately, according to Dijkxhoorn. Though Prolocation has experience with DDoS attacks, this was the first time they encountered this strategy, he said. He declined to provide more details about the attacks, since he has agreed with the NCSC not to do so until the investigation is finished.

The NCSC and Centric both declined to comment on details of the attack, pending the investigation.

Prolocation, however, has discussed the incident with engineers at Prolexic and Akamai, who say they have seen similar methods used in DDoS attacks in other places around the world.

Sites hosted on the same IP block can go down as collateral damage when one site is the focus of the attack, confirmed Akamai’s manager for Belgium, the Netherlands and Luxembourg, Hans Nipshagen. If the government sites had used external DDoS filtering services, the network might have stayed up, he said.

While it was difficult to tell from the outside the exact methods used against the government sites, the DDoS attack seems to have been large-scale, employing a vast amount of traffic, Nipshagen said. Some big DDoS attacks use multiple vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed, swarming target sites, according to an Akamai report. These incidents have been fueled by the increased availability of attack toolkits with easy-to-use interfaces as well as a growing DDoS-for-hire criminal industry, Akamai said.



TorrentLocker ransom rampage encrypts 285 million files and counting


Slovakian security wizards ESET have delved deep into the guts of the TorrentLocker ransom malware and pulled out some interesting details of its destructive life story starting with the number of files it has encrypted—a misery-inducing 285 million to date.

Although TorrentLocker is nowhere near the scale of the infamous CryptoLocker, and will likely never acquire the latter’s notoriety, that sort of file scrambling still adds up to 39,670 infected PCs by ESET’s calculation.

On the basis of the spam used to distribute the malware, victims have also been surprisingly concentrated on a small group of countries: the UK, Australia, Canada, Czech Republic, Italy, Ireland, France, Germany, The Netherlands, New Zealand, Spain and Turkey. That means the US was apparently not targeted for some reason although some Americans might have encountered the malware through other channels.

Of the nearly 40,000 victims detected by analyzing numbers inside its command and control, ESET found 570 that had paid the Bitcoin ransom, netting the criminals between $292,700 and $585,401 (£200,000 and up). With a conversion rate of 1.45 percent that’s actually a decent pay-off in line with other examples of ransom malware analysed in a similar way.

As a side note, earlier this year ESET estimated that the total value of Bitcoins entering a wallet suspected of receiving TorrentLocker’s scam proceeds was around $40 million although not all of this would have been from ransom malware. Exactly how much money it has made is therefore still not clear.

A couple of smaller points are worth pulling out. Versions of TorrentLocker appear to have been around a bit longer than previously realized, with the earliest examples turning up in anti-virus nets in February 2014, months before security company iSight Partners first publicised it.

Like Rumpelstiltskin, TorrentLocker also has its own private name that ESET reveals to be the rather prosaic ‘Racketeer’, presumably a translation of a Russian noun.

“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking Trojan malware,” said ESET’s Canadian-based researcher, Marc-Etienne M. Léveillé.

As reported elsewhere, the attackers had also fixed an AES encryption flaw that made it possible to work out the key used to scramble files, he said.

The easiest to overlook aspect of ESET’s research is that it reveals the lures used in TorrentLocker’s spam campaign. As with every other malware attack through this channel, people receive an attachment they are socially-engineered into opening. Some of the lures are quite devious and in some countries will definitely grab the attention of users—an alleged unpaid invoice, a speeding ticket, and package tracking—all localized to the country of the victim.




Devastating malware that hit Sony Pictures similar to other data wiping programs


A malware program with data wiping functionality that was recently used to attack Sony Pictures Entertainment bears technical similarities to destructive malware that affected organizations in South Korea and the Middle East in the past.

Security researchers from Kaspersky Lab, Symantec and Blue Coat Systems independently reported that Trojan Destover, the malicious program used in the Sony Pictures attack, relied on a legitimate commercial driver called EldoS RawDisk to overwrite data and master boot records.

That same driver was used by a piece of malware called Shamoon that is believed to have been used in August 2012 to render up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia.

A previously unknown hacktivist group called the Cutting Sword of Justice took credit for the attack on Saudi Aramco through a series of posts on Pastebin. The group said it targeted the company because it was the main financial source for Saudi Arabia’s Al Saud regime, which the group claimed supported oppressive government actions in countries like Syria, Bahrain, Yemen, Lebanon and Egypt.

The attack against Sony Pictures Entertainment was carried out by another previously unknown group called the Guardian of Peace (GOP), which claimed to have targeted the company because “Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years.”

The sharing of a third-party driver is not enough evidence to establish a direct link between the two malware programs, but it is possible that the Destover creators copied techniques from Shamoon, especially since the EldoS RawDisk driver is an unusual choice for implementing data wiping functionality.

Both Destover and Shamoon stored the EldoS RawDisk driver in their resource sections and both were compiled just days before being used in attacks, researchers from Kaspersky Lab said in a blog post.


Destover shares even more commonalities with another wiper malware program called DarkSeoul or Jokra that affected several banks and broadcasting organizations in South Korea in March 2013.

“The malware used in the Jokra attacks contained code that did not begin wiping the hard drive until a set time period expired,” researchers from Symantec said in a blog post. “Destover is also configured to perform a delayed wipe. Furthermore, media outlets in South Korea have reported that a number of similar file names were used in both attacks.”

The Jokra attacks were accompanied by website defacements that displayed a message from an obscure group of hackers called the Whois Team. “This is the beginning of our movement,” the message said. “User accounts and all data are in our hands.”

The GOP also left a message for Sony Pictures informing the company that it had obtained its internal data and both GOP’s and Whois Team’s messages were accompanied by images of skeletons, though this might be a mere coincidence.

“Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack,” the Kaspersky researchers said. “It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.”

A more direct connection was established by Symantec between Destover and a backdoor program known as Volgmer that allows attackers to retrieve system information, execute commands, upload files, and download files for execution.

“Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets,” the Symantec researchers said. “The shared C&C indicates that the same group may be behind both attacks.”

The apparent links between Destover and malware that was used to target South Korean organizations will likely fuel ongoing speculation that North Korea might be behind the attack against Sony Pictures Entertainment, supposedly as retaliation for an upcoming comedy film called “The Interview” in which two reporters are asked by the CIA to assassinate North Korean leader Kim Jong Un. North Korea reportedly denied its involvement in the attack.

These commonalities “do not prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover,” the Kaspersky researchers said. “But it should be noted that the reactionary events and the groups’ operational and toolset characteristics all carry marked similarities. And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities.”





Is Government Malware unstoppable? - Avira Blog


During the last couple of weeks we have received various requests on our standpoint and capabilities regarding the detection of spyware programs developed by governments. It looks like this has become the hot topic of the moment also due to the recently discovered Regin malware.

What is Regin?

According to Virus Bulletin, we are looking at a multi-staged threat (like Stuxnet) that uses a modular approach (like Flame), a combination that makes it one of the most advanced threats ever detected. Research shows that Regin has been used in espionage campaigns for the last 6 years. This sophisticated backdoor Trojan affects Microsoft Windows NT, 2000, XP, Vista, and 7 and it is able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization.

Protection against government malware

In this context, we would like to remind our users that Avira is a founding member of IT Security made in Germany and we pride ourselves on providing our customers a guarantee of Quality and Reliability.

We thus committed ourselves, among other things, to:

  • Exclusively provide IT security solutions no other third party can access.
  • Offer products that do not cause the transmission of crypto keys, parts of keys or access recognition.
  • Eliminate vulnerabilities or avoidance methods for access control systems as fast as possible once detected.

Additionally, we would like to clarify our standpoint on malware developed by governments. Whenever we discover a new piece of malware, we add detection for it for all of our customers, regardless of the source of the malware. This is the case for the recently discovered Regin as well, since our Antivirus products already detect all known Regin samples.

We strongly believe that no malware is unstoppable, not even government malware. Users need to make sure that they are protecting all of their digital devices with the latest technology, keeping their operating system, 3rd party applications and of course their antivirus software up-to-date.




Lenovo Patches Critical PC Flaws


Lenovo issued an emergency patch to fix flaws in software that it preinstalls on many of its Windows PCs after security researchers warned that it contained vulnerabilities that attackers could use to remotely seize control of systems.


The vulnerabilities affect the Lenovo System Update software - version 5.6.0.27 and before - which was previously known as ThinkVantage System Update. The Chinese PC manufacturer says the vulnerable software may be present on its ThinkPad, ThinkCentre and ThinkStation laptops and tablets, as well as Lenovo V/B/K/E Series devices.


The flaws were discovered by IOActive security researchers Michael Milvich and Sofiane Talmat in February, after which they alerted Lenovo and helped it prepare related fixes, which Lenovo released in April. But the researchers' findings were only made public this week.


One flaw, rated critical by the IOActive researchers, centered on a "race condition," in which attackers could have System Update verify that an executable file was legitimate, and then substitute a malicious executable. "Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation," Lenovo warns in a related security advisory.


To fix the flaws, users should update to version 5.06.0034 or later of Lenovo's software, which includes related patches. "Lenovo System Update automatically checks for a [new] version whenever the application is run," the company's security advisory says. "Click OK when prompted that new version is available." Alternately, users can download updates manually.

Follows Superfish

The security alert follows revelations in February that Lenovo, which is the world's largest PC manufacturer, had been preinstalling adware called Superfish on many of its PCs. Numerous security experts warned that the adware put users at risk because of the insecure manner in which it used digital certificates to intercept and decrypt otherwise encrypted Internet traffic.


Now, security experts are expressing dismay that yet more flaws have been found in Lenovo's preinstalled software. "Lenovo has been found wanting again on the security front," information security expert Alan Woodward, a professor at Surrey University, tells the BBC. Following on the Superfish debacle, he said Lenovo was demonstrating a "lamentable record for security."


While Lenovo initially defended Superfish - as a feature - it later backed off and began working with security firms to delete the software. The manufacturer also promised that beginning with new devices running the forthcoming Windows 10 operating system it would include only essential operating system and related software, including hardware drivers, security software and Lenovo's own applications, with a spokeswoman saying they would be free from "what our industry calls 'adware' and 'bloatware.'"

Predictable Security Tokens

While Superfish adware was preinstalled on many consumer-focused Lenovo systems, the new vulnerabilities are largely present on business-oriented machines.


Furthermore, Lenovo's System Update software is powerful, in that it will execute any code that it receives, for example to update the Windows operating system. Such functionality would be useful to attackers, of course, if they could trick it into installing malicious code. If that attack was successful, then the attackers could install a backdoor, execute malware that steals data stored on the device, and take full control of the machine.


To guard against that, the System Update software requires any client that attempts to connect to the service to authenticate itself, using a security token. "Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions," the IOActive researchers say about the previous version of System Update. "As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed." Lenovo's patch, however, fixes that problem.
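The paragraph above describes why a locally reproducible token is no authentication at all. The Go program below is an added illustration, not code from the article, Lenovo or IOActive: `predictableToken` is an invented weak derivation (the real scheme is not described on the page) that any local user can recompute, while `Service` shows the standard hardened pattern, a 32-byte token from the OS random source that only the privileged service mints and hands to an already-authorised client, with each command bound to that token by an HMAC and checked in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// predictableToken models the weak pattern the researchers describe: a value that
// any local user can recompute because it depends only on public inputs. The
// derivation here (current minute plus a fixed string) is invented for illustration;
// it is not Lenovo's scheme.
func predictableToken(now time.Time) string {
	seed := fmt.Sprintf("update-client-%d", now.Unix()/60)
	sum := sha256.Sum256([]byte(seed))
	return hex.EncodeToString(sum[:16])
}

// newSessionToken is the hardened alternative: 32 bytes from the OS CSPRNG, minted
// by the privileged service and handed only to a client it has already authorised.
func newSessionToken() ([]byte, error) {
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return nil, err
	}
	return tok, nil
}

// Service is the privileged side. It accepts a command only if the command carries
// an HMAC computed under the session token it issued.
type Service struct{ token []byte }

// NewService mints a fresh session token for one authorised client.
func NewService() (*Service, error) {
	tok, err := newSessionToken()
	if err != nil {
		return nil, err
	}
	return &Service{token: tok}, nil
}

// Token exposes the issued token to the authorised client (and nobody else).
func (s *Service) Token() []byte { return s.token }

// Tag computes the authenticator a client must attach to command.
func Tag(token []byte, command string) []byte {
	m := hmac.New(sha256.New, token)
	m.Write([]byte(command))
	return m.Sum(nil)
}

// Accept verifies the tag in constant time, so timing does not leak the token.
func (s *Service) Accept(command string, tag []byte) bool {
	return hmac.Equal(Tag(s.token, command), tag)
}

func main() {
	now := time.Now()
	fmt.Println("weak token identical for two unrelated users:",
		predictableToken(now) == predictableToken(now))
	svc, err := NewService()
	if err != nil {
		panic(err)
	}
	cmd := "install package X"
	fmt.Println("authorised client accepted:", svc.Accept(cmd, Tag(svc.Token(), cmd)))
	fmt.Println("guessed token accepted:", svc.Accept(cmd, Tag([]byte(predictableToken(now)), cmd)))
	fmt.Println("tag replayed on another command accepted:", svc.Accept("install other", Tag(svc.Token(), cmd)))
}
```

Binding the HMAC to the command body, not just to the session, is what stops a captured tag from being reused with a different command; the token itself must be kept out of reach of unprivileged users (for example by service-only file permissions) or the CSPRNG buys nothing.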

Another Flaw Patched

Another problem present in previous versions of the Lenovo System Update software was a failure to conduct complete security checks on executable code.


"As a security measure, Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them," the IOActive researchers said in their vulnerability warning. As before, this flaw was patched by Lenovo in April.

In particular, the Lenovo software did not fully validate the certificate authority chain. As a result, an attacker could create a fake certificate authority, use it to sign a malicious executable, and then fool the System Update software into executing it.


For example, per the "classic coffee shop attack," a related man-in-the-middle attack could be launched if the attacker was connected to the same WiFi network as a vulnerable Lenovo PC, the researchers say. "The System Update uses TLS/SSL to secure its communications with the update server, which should protect against 'coffee shop' style attacks," they add.


But that protection was contingent on the Lenovo software handling digital certificates correctly, which it did not. "Lenovo - like Fandango, Credit Karma, and an estimated 40 percent or more of mobile application developers - were not able to validate if certificates were from a trusted authority," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, which develops software to secure and protect cryptographic keys and digital certificates. "As this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide [via] encryption, and go undetected."
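The two flaws above (a signature that is checked but not chained to a trusted authority, and a TLS client that does not validate the issuing CA) are the same mistake. The Go program below is an added example, not code from the article, Lenovo or IOActive; it builds a constructed vendor root and a constructed rogue CA in memory, issues a code-signing certificate from each, and contrasts the incomplete check (signature valid against whatever issuer arrives with the file) with full chain validation against a pinned trust store using Go's standard `crypto/x509`. Certificate names and serials are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer pairs a certificate with the private key that can sign under it.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template returns a certificate template; ca selects the CA or code-signing shape.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// mint generates a P-256 key and has parent sign tmpl (self-signed when parent is nil).
func mint(tmpl *x509.Certificate, parent *issuer) *issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	parentCert, signingKey := tmpl, key
	if parent != nil {
		parentCert, signingKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signingKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &issuer{cert: cert, key: key}
}

// incompleteCheck mirrors the flaw the researchers describe: the signer's certificate
// is verified against whatever issuer certificate travels with the executable, but
// nobody asks whether that issuer is trusted. Any self-made CA passes.
func incompleteCheck(signer, bundledIssuer *x509.Certificate) bool {
	return signer.CheckSignatureFrom(bundledIssuer) == nil
}

// fullChainCheck is the fix: the chain must terminate at a pinned trusted root and the
// signer must be valid for code signing and within its validity period.
func fullChainCheck(signer *x509.Certificate, roots *x509.CertPool) bool {
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// Outcome records what each check decides for a genuine and a rogue signer.
type Outcome struct{ IncompleteAcceptsRogue, FullAcceptsRogue, FullAcceptsGenuine bool }

// Scenario builds both CAs, issues a signer from each, and runs both checks against a
// trust store that contains only the vendor root.
func Scenario() Outcome {
	vendor := mint(template("Vendor Update Root (constructed)", 1, true), nil)
	rogue := mint(template("Rogue CA (constructed)", 2, true), nil)
	genuine := mint(template("Update Signer", 10, false), vendor).cert
	forged := mint(template("Update Signer", 11, false), rogue).cert
	roots := x509.NewCertPool()
	roots.AddCert(vendor.cert)
	return Outcome{
		IncompleteAcceptsRogue: incompleteCheck(forged, rogue.cert),
		FullAcceptsRogue:       fullChainCheck(forged, roots),
		FullAcceptsGenuine:     fullChainCheck(genuine, roots),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The same `Verify` call with a `DNSName` set is what a TLS client should be doing for the update server's certificate; in both cases the pinned `Roots` pool, not the certificate bundle supplied by the peer, decides who is trusted.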


Again, however, Lenovo and IOActive report that all of the above flaws have now been patched.



Ransomware Attacks' New Focus: Businesses


Ransomware attacks are getting more agile, varied and widespread, and are increasingly taking aim at businesses of all sizes in all sectors, rather than consumers.

These attacks involve two-part schemes. First, a device is infected with malware that locks the user out or encrypts files so that the user can no longer access them. Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.

In recent weeks, three reports from security firms and researchers have noted new ransomware scheme trends that are making these attacks more difficult to thwart and detect.

As a result, experts say businesses need to focus more attention on employee education about how to avoid falling victim to these attacks and other socially engineered schemes.

New Attacks

On March 2, security firm FireEye warned that hundreds of websites may have been exposed to "malvertisements" - ads containing ransomware - via criminals' abuse of ad networks that use real-time bidding.

"Real-time bidding is an ad sale and delivery system that allows for instant, autonomous ad auctions at the time the ads are served," FireEye says. "A number of buyers set up bids ahead of time for a certain amount of ad impressions (i.e., page loads) on pre-selected sites and certain target demographic characteristics. When a user requests an ad, the ad exchange awards the highest bidder who has an active bid on advertising matching the incoming user's demographic profile. As a result, the auction winner's ad is displayed."

In another recently released report, anti-virus provider Bitdefender noted that cybercriminals were using help files as a way of infecting devices with a variant of the ransomware known as CryptoWall. Attackers sent malicious emails with the subject "Incoming Fax Report" that contained help files with a compiled HTML extension, Bitdefender noted. When users opened the files, they were presented with a help window that automatically downloaded CryptoWall in the background.

In a third report, released March 6, a French malware researcher known as Kafeine said he discovered what at first appeared to be a new version of the ransomware known as TorrentLocker, but was later determined to be new malware. This is concerning, researchers say, because it proves how quickly hackers are adapting by developing entirely new malware strains that evade current detection mechanisms.

The Evolution of Ransomware

"Ransomware is flourishing as the criminal community appreciates its viability and the ease by which ransomware can be shared," says Tom Kellermann, chief cybersecurity officer at security firm Trend Micro. "The most troubling evolution is the migration to mobile ransomware."

In May 2014, security researchers warned of a new type of ransomware attack taking aim at employees and customers of banking institutions in Europe. The attack was being spread to mobile devices through the banking Trojan known as Svpeng (see New Ransomware Targets Mobile).

Today, attacks waged against Windows and Android operating systems have continued to spread.

"There is a lot of momentum behind ransomware and we do expect it to be a continuing issue throughout the rest of this year and beyond," says John Miller, manager of the Cyber Crime Threat Scape at cyber-intelligence firm iSIGHT Partners. "Law enforcement in different countries can help educate residents about the threats," which are designed for targeted global markets based on language and payments habits, he explains.

But it's up to individual companies to educate their own employees about how to identify a ransomware attack before becoming victimized, Miller adds.

Why Ransomware Is So Dangerous

Rather than targeting home-users' files, as was common in 2012 and 2013, attacks emerging in late 2014 started targeting business assets by encrypting enterprise database files and shared storage systems, says Jeff Horne, vice president of the security firm Accuvant.

"This is extremely dangerous to an enterprise network, as it could potentially destroy a business if offline backups haven't been stored," Horne says. "The real issue is the encryption that is being utilized, more often than not, cannot be broken with today's computers. Therefore, when these files are locked, if the ransom isn't paid, the files are gone until computers can break the encryption."

Another danger, he says, is that hackers sometimes collect the ransom but never unencrypt the data, making it virtually useless to the business.

Randy Abrams, research director for cyberthreat intelligence firm NSS Labs, says malware strains used in ransomware attacks are getting stealthier. And like Horne, he says the encryption hackers are using to lock files is getting harder to break.

"Older ransomware used cryptographic techniques that could be cracked," Abrams says. "This currently is no longer the case."

Ransomware can be devastating to victims who have no back-ups or who don't back up to local or network-connected drives, he says. "Online backup services, such as Carbonite, are very useful. But users must be certain that file types are also backed up."

A Growing Threat

The use of ransomware is spreading because the attacks make good business sense for cybercriminals, who can reap big payouts, iSIGHT's Miller says. "Windows ransomware is all over the place," he says. "It's very effective and very popular."

Cryptolocker was the first type of ransomware that got attention, Miller points out, "and criminals' observations of the damage that Cryptolocker was doing made them realize how profitable ransomware could be."

Today's attackers, who range from organized cybercrime rings to nation-states, are selling ransomware using sophisticated business models, says Peter Tran, general manager and senior director of security firm RSA's global advanced cyber-defense practice.

"The hacker distribution techniques and ecosystem are run like a business," Tran says. "The development, buying, selling, trading and distribution creates micro-economies that scale very quickly for both cybercriminals and nation-state attackers. This is a global network much like the open-source software developer communities, where software can be developed very quickly and with greater capacity than closed, proprietary development."

Also, most of the malware strains used in these attacks are evading detection by anti-virus programs, he adds.

"In the past 12 months, over 300 million malware samples have been reported in circulation, many of which are modifications of existing variants, but many are unique," Tran says. "The sheer scale is overwhelming."



'Freak' Flaw Also Affects Windows


Microsoft is warning that all Windows operating systems are at risk from the vulnerability known as Freak, for "Factoring RSA-EXPORT Keys." The flaw exists in SSL, which is used to secure online communications, and could be abused by an attacker to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

A new Microsoft security advisory (KB3046015) warns that Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms, is at risk from the Freak flaw.


"Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows," the alert says. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

As yet, there's no patch available for vulnerable Windows systems, although information security experts say they expect Microsoft to release related fixes quickly. In the interim, Microsoft has detailed a temporary workaround that can be used for most Windows systems. "You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor," it says. But it warns: "Windows will fail to connect to systems that do not support any of the ciphers listed in the workaround."

To date, however, there's no fix or workaround available for Windows Server 2003. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft says.

Risks to Apple, Android, Cloud

After quietly warning security vendors, government agencies and other organizations in recent weeks, security researchers first sounded a public alert about the Freak vulnerability on March 3. They've warned that the vulnerability exists in versions of OpenSSL prior to 1.0.1k, all Android devices that ship with the standard browser, as well as in Apple SSL/TLS clients, which are used by both Mac OS X clients and iOS mobile devices, among other operating systems. The vulnerability has been designated as CVE-2015-0204.

The Freak flaw could be exploited to downgrade a browser or other client's Internet connection from a relatively secure cipher, to an outdated - and weak - "export cipher," which attackers could then crack, allowing them to intercept communications or inject attack code into browsers. "What Freak allows you to do is, if you can break the RSA export-strength key, then you can provide a 'valid' certificate for a man-in-the-middle attack," says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. Tenable, which sells the widely used Nessus vulnerability scanner, has released a Nessus plug-in that will scan for Windows clients and servers that are vulnerable to Freak.

No Attacks Seen

But to date, there have been no signs that the Freak flaw has ever been exploited in the wild - against Windows servers and systems, or any other device. "The reality is, it's still really difficult to do - to break a key, it would still take a few hours or $100 of Amazon EC2 time," Millard says, referring to Amazon's Elastic Compute Cloud, which offers on-demand processing power. "There are so many other ways to break into a site. Hackers are smart; they don't use a sledgehammer to crack a walnut."

Still, related vulnerabilities remain widespread. The Freak Attack website, which is run by researchers at the University of Michigan, has been tracking the extent of the Freak vulnerability. The site reports that as of March 6, 9.5 percent of the websites on the Alexa index of the 1 million most popular top-level domains remained vulnerable to Freak, although that was a decrease from 12.2 percent of all such sites when the Freak vulnerability was first publicized on March 3. But 37 percent of all HTTPS servers with browser-trusted certificates remained vulnerable to Freak, as did 26 percent of all HTTPS servers, and neither of those statistics had declined since Freak was first publicized, the researchers say.

As of March 6, the Freak Attack website reported that the following client software remained vulnerable to the Freak flaw:

  • Internet Explorer
  • Chrome on Mac OS (patch available now)
  • Chrome on Android
  • Safari on Mac OS (patch due week of March 9)
  • Safari on iOS (patch due week of March 9)
  • Stock Android Browser
  • BlackBerry Browser
  • Opera on Mac OS
  • Opera on Linux

Cloud security firm Skyhigh Networks reported that as of March 4, 766 cloud providers also remained unpatched against the vulnerability, thus leaving their users at risk. "These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services," Sekhar Sarukkai, vice president of engineering at Skyhigh, says in a March 5 blog post. Across the company's 350 customers, meanwhile, he reports that 99 percent use at least one cloud provider that's vulnerable to the Freak flaw, while the average company uses 122 vulnerable services.

Don't Freak: How to Mitigate

The Freak Attack site says that to mitigate the vulnerability, anyone running a server "should immediately disable support for TLS export cipher suites," and that anyone who uses a browser should ensure that they have the latest version installed, and keep checking for new upgrades, since all major browsers should soon see a fix.

Finally, Freak Attack recommends that all systems administrators and developers ensure that their TLS libraries are fully updated. "Both OpenSSL and Microsoft Schannel are known to be vulnerable," it says. "Note that these libraries are used internally by many other programs." The site offers a number of tools that can be used to test for related flaws.
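The mitigation the Freak Attack site recommends for servers is worth seeing as a policy decision rather than a patch. The Go program below is an added example, not code from the article or from the Freak Attack researchers, and it models only the cipher-suite selection rule of a server, not a TLS implementation: a client offer, the on-path rewrite the article describes (only export suites left in the offer), a legacy server that still lists export suites, and the same server after `DisableExport`. The four suite identifiers are real IANA assignments that I know; they are not taken from the page.

```go
package main

import (
	"errors"
	"fmt"
)

// Suite is a TLS cipher suite identifier; the four values below are real IANA
// assignments (known to me, not taken from the article).
type Suite uint16

const (
	TLS_RSA_EXPORT_WITH_RC4_40_MD5        Suite = 0x0003
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA     Suite = 0x0008
	TLS_RSA_WITH_AES_128_CBC_SHA          Suite = 0x002F
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite = 0xC02F
)

// exportSuites is the set a server must never enable: their RSA keys are capped at
// 512 bits, which is what makes the downgrade worth an attacker's compute time.
var exportSuites = map[Suite]bool{
	TLS_RSA_EXPORT_WITH_RC4_40_MD5:    true,
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: true,
}

// Server models only the cipher-suite policy of a TLS server: an ordered preference
// list. Negotiate is the selection rule, not a handshake implementation.
type Server struct{ Enabled []Suite }

// ErrNoSuite stands in for a TLS handshake_failure alert.
var ErrNoSuite = errors.New("handshake_failure: no mutually acceptable cipher suite")

// Negotiate returns the first server-preferred suite that also appears in the
// client's offer.
func (srv Server) Negotiate(clientOffer []Suite) (Suite, error) {
	for _, s := range srv.Enabled {
		for _, c := range clientOffer {
			if s == c {
				return s, nil
			}
		}
	}
	return 0, ErrNoSuite
}

// DisableExport applies the server-side mitigation recommended above: remove every
// export suite from the enabled list, so there is no export key to hand out.
func DisableExport(enabled []Suite) []Suite {
	var kept []Suite
	for _, s := range enabled {
		if !exportSuites[s] {
			kept = append(kept, s)
		}
	}
	return kept
}

// Downgraded models the on-path tampering the article describes: the client's offer
// is rewritten so that only export-grade suites remain.
func Downgraded(clientOffer []Suite) []Suite {
	var out []Suite
	for _, s := range clientOffer {
		if exportSuites[s] {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// A legacy-tolerant server that still lists an export suite as a last resort.
	legacy := Server{Enabled: []Suite{
		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		TLS_RSA_WITH_AES_128_CBC_SHA,
		TLS_RSA_EXPORT_WITH_RC4_40_MD5,
	}}
	// A 2015-era client that still advertises the export suite at the bottom of its list.
	client := []Suite{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_EXPORT_WITH_RC4_40_MD5}

	s, err := legacy.Negotiate(Downgraded(client))
	fmt.Printf("legacy server, tampered offer:   suite %#04x err=%v\n", s, err)
	hardened := Server{Enabled: DisableExport(legacy.Enabled)}
	s, err = hardened.Negotiate(Downgraded(client))
	fmt.Printf("hardened server, tampered offer: suite %#04x err=%v\n", s, err)
	s, err = hardened.Negotiate(client)
	fmt.Printf("hardened server, honest offer:   suite %#04x err=%v\n", s, err)
}
```

The hardened server fails the tampered handshake outright instead of completing it on a weak key, which is exactly the trade the Microsoft workaround quoted earlier makes on the client side: connections to peers that only speak the removed ciphers stop working. Client libraries still need their own patch, since the Freak bug proper is a client accepting an export key it never asked for.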

This is not the first time that Microsoft's Schannel has been at risk from a newly discovered vulnerability. In particular, a zero-day vulnerability in Schannel was discovered in November 2014. Before that, Schannel was at risk from the so-called POODLE flaw - first publicly revealed Oct. 14 - in SSL, which was later found in TLS as well. The flaw could be exploited to intercept and read encrypted Internet communications, steal session cookies and impersonate users.



Survey shows cyber crime on the rise


An estimated 40% of Irish internet users have received emails or phone calls trying to get access to their computer or personal details such as their banking information.

That is according to the latest Eurobarometer poll on the experience of cybercrime.

Nearly a third of Irish internet users have discovered malicious software on their device, but just over half of them have installed anti-virus software.

This compares with an EU average of 61% who have taken this precaution.

16% of Irish internet users - the third highest in the EU - say they have had experience of their social media or email account being hacked compared to an EU average of 12%.

Among the top concerns of Irish people are the misuse of personal data, security of online payments and online purchases.

While Irish people are more aware of cybercrime than the EU average, half of users do not take basic precautions such as changing their passwords every 12 months.

And while internet access in Ireland has never been higher, at 80%, Ireland is behind Sweden (96%), the Netherlands (95%) and Denmark (94%).

Lowest access was in Romania (54%), Portugal (55%), and Greece (58%).


HK Khan's curator insight, February 18, 2015 2:38 AM

We give the latest news on hacking, updates on cyber crimes, computer technology news, reviews and full-version software, and drivers for laptops.


Why Fraud Is Shifting to Mobile Devices


As a result of the explosive growth in worldwide use of smart phones, mobile malware will play a much bigger role in fraud this year, predicts Daniel Cohen, who heads up the anti-fraud services group at security firm RSA, which just released its 2014 Cybercrime Roundup report.


Mobile devices will be the new focus for phishing attacks, taking the place of spam attacks that for more than a decade have been waged against PCs, Cohen, an expert on phishing trends, says in an interview with Information Security Media Group.

"Smart phone technology is the fastest adopted technology in the history of mankind," Cohen says. In 2014, 1.3 billion new smart phones were purchased by consumers throughout the world, while in 2015, forecasts suggest that another 2 billion of these devices will be shipped to consumers, he points out.

"The bad guys are looking at this ... and they understand that they have to be on those platforms and those systems," he says.

Security Challenges for Mobile

This shift to mobile fraud is posing challenges for security teams, because the methods used to protect end-users from attacks waged against PCs don't translate well for mobile, Cohen notes.

The mobile threat involves the use of what Cohen describes as "permission-ware." The end-user knowingly downloads mobile applications and gives those apps permission to run on his device, Cohen says. So when the app is malicious, the user determines the number of permissions that app will have once it's installed.

Cohen points to Svpeng, mobile ransomware identified by security firm Kaspersky Labs in summer 2014, as an example of the kind of threat that will become more common this year.

"Svpeng started out as a phishing attack on the mobile phone," Cohen says. "The app would wait for a legitimate app to launch, and once that app launched, the malicious app, Svpeng, would launch and then ask for more information. ... In 2015, we will see the mobile channel leveraged more and more in attacks like this."

In the interview, Cohen also discusses:

  • How the underground economy is evolving and fueling the rapid spread of malware and phishing attacks;
  • Why the U.S. continues to rank No. 1 for phishing attacks waged against banking brands; and
  • Why remote-access attacks waged against point-of-sale vendors are expected to increase this year.

At RSA, Cohen serves as the head of the anti-fraud services group, where he focuses on phishing attacks, malware and threat intelligence.



Sony Hack: Ties to Past 'Wiper' Attacks?


The "wiper" malware attack against Sony Pictures Entertainment has numerous commonalities with previous wiper attacks in Saudi Arabia and South Korea, anti-virus firm Kaspersky Lab reports.

While that's no smoking gun proving that the same group is behind all three attacks, "it is extraordinary that such unusual and focused acts of large-scale cyber destruction are being carried out with clearly recognizable similarities," says Kurt Baumgartner, a Kaspersky Lab principal researcher, in a blog post.


Previous high-profile wiper malware attacks - designed to erase data from PC and file-server hard drives and delete the master boot record, so the machines cannot boot - have included the use of "Shamoon" malware against Saudi Aramco, and "Dark Seoul" malware against South Korean banks and broadcasters. The attacks - launched in 2012 and 2013, respectively - each resulted in an estimated 30,000 hard drives being erased. The identity of the attackers has never been confirmed - although South Korea published evidence of North Korean ties to Dark Seoul. Security experts say insiders, hacktivists or a nation state could be responsible.

Baumgartner sees an extensive list of similarities between the Shamoon and Dark Seoul campaigns, and the Nov. 24 Destover - also known as Wipal - malware campaign against Sony. From a timing perspective, for example, Kaspersky Lab says attackers compiled both the Dark Seoul and Destover wiper executable files 48 hours or less before the wiper attacks commenced, while Shamoon was compiled five days before the payload was set to "detonate."

For Sony, that timeline offers new clues about just how badly the company had likely been breached. "It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack," Baumgartner says, because it would have been very difficult to steal so much data and infect numerous systems in less than 48 hours.

Technical Similarities

Technically speaking, Shamoon and Destover both used commercially available EldoS RawDisk drivers, which enable developers to create applications that can gain direct access to Windows disks, thus allowing them to evade security restrictions or file locking, Baumgartner says. "The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself," he says. But the overwritten data wasn't just random zeros and ones. "Just like Shamoon, the DarkSeoul wiper event included vague, encoded pseudo-political messages used to overwrite disk data and the master boot record," he says.

By overwriting the master-boot record, or MBR, attackers could make it impossible to boot an infected Windows machine. But the good news, Baumgartner says, is that based on previous attacks, the attackers didn't forcibly wipe all data being stored on the disk, which ultimately made recovering whatever was being stored on the drive easier. "In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data," he says. "Destover data recovery is likely to be the same."

Shamoon, Dark Seoul and Destover were all hit-and-run attacks committed by groups about which nothing is known. "All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically charged event that was suggested as having been at the heart of the matter," Baumgartner says.

The graphic and warning used by the "Whois" team that claimed credit for Dark Seoul, and the "Guardians of Peace" - or G.O.P. - group that's claimed credit for hacking Sony, are aesthetically quite similar, including similar fonts, colors, warning language and love of skull graphics.

Not New: Sabotage, Ransomware

But the technical, timing and aesthetic similarities don't prove that the same group was behind all three attacks, and security experts say that whoever launched Destover may have just carefully studied Shamoon or Dark Seoul.

And sabotage attacks launched against individuals and businesses are nothing new. On an individual level, for example, "what we are seeing a lot of is so-called ransomware, which is effectively a monetized version of this type of [wiper malware] attack," Roel Schouwenberg, a security researcher at Kaspersky Lab, tells Information Security Media Group.

While security experts say large-scale wiper attacks are rare, cybercriminals do sometimes employ these tactics. In June, for example, criminals used a distributed-denial-of-service attack against source code hosting firm Code Spaces to obscure their simultaneous 12-hour hack attack in which they deleted most of the business's data, machine configurations as well as onsite and offsite backups, and then demanded a ransom. Instead, Code Spaces shuttered.

Leaked: PII For Actors, Directors

For Sony, the breach is embarrassing for executives and puts employees and freelancers at risk. The list of leaked data includes Social Security numbers for numerous current and former employees and freelancers, including actor Sylvester Stallone, Australian actress Rebel Wilson and director Judd Apatow, The Wall Street Journal reports.

"More than 600 files that contained Social Security numbers - these included Acrobat PDFs, Excel spreadsheets, and Word docs - with more than 47,000 unique SSNs were publicly available," says Todd Feinman, president and CEO of data loss and leak-prevention firm Identity Finder, in a blog post, referencing data that had been leaked by Dec. 3.

The leaked information is reportedly now circulating on BitTorrent sites, meaning that anyone can download the files and potentially use the data to commit identity theft. The risk of ID theft - for example to fraudulently open credit card accounts or take out mortgages in someone else's name - for 15,000 current and former employees is high, Feinman warns, because their full names, birthdates, and home addresses are also included in the leaked Sony data.

Sony has not responded to repeated requests for comment on the hack attack.




Destover: Destructive malware has links to attacks on South Korea


Backdoor.Destover, the destructive malware that was the subject of an FBI Flash Warning this week, shares several links to earlier attacks directed at targets in South Korea. Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets. The shared C&C indicates that the same group may be behind both attacks.  

Volgmer is a targeted piece of malware, likely used by a single group, which has been used in limited attacks, possibly as a first stage reconnaissance tool. It can be used to gather system information and download further files for execution. Significantly, the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers.

Destover also shares some techniques and component names with the Jokra attacks against South Korea in 2013. However, there is no hard evidence as yet to link the attacks, and a copycat operation can't be ruled out. Links also exist to the Shamoon attacks, with both attackers using the same commercially available drivers. However, in this instance it appears highly unlikely that the same group was behind both attacks; instead, it would appear that the Destover attacks copied techniques from Shamoon.

Destover in action

Destover is a particularly damaging form of malware that is capable of completely wiping an infected computer. It was the subject of an FBI Flash Warning earlier this week after at least one variant of it was understood to have been used in a high profile attack.

There are several malicious files associated with the FBI Destover report:

  • diskpartmg16.exe
  • net_ver.dat
  • igfxtrayex.exe
  • iissvr.exe

Diskpartmg16.exe is the first file that is created on an infected computer and, when executed, it creates the files net_ver.dat and igfxtrayex.exe.

When “diskpartmg16.exe” is run, it connects to a number of specific IP addresses within a set IP range, as well as computer names in the format “USSDIX[Machine Name]”. This indicates that this variant of Destover was not intended to be indiscriminate and the malware had instead been configured to only attack computers belonging to one particular organization.

The destructive payload of Destover is carried by igfxtrayex.exe. In certain instances, when run, it will:

  • Delete all files on fixed and remote drives
  • Modify the partition table
  • Install an additional module (iissvr.exe)
  • Connect to a number of IP addresses on ports 8080 and 8000.

Iissvr.exe, meanwhile, is a backdoor which listens on port 80. Once an attacker communicates with the compromised computer, this file displays a message, which reads:

"We've already warned you, and this is just a beginning.
We continue till our request be met.
We've obtained all your internal data including your secrets and top secrets.
If you don't obey us, we'll release data shown below to the world.
Determine what will you do till November the 24th, 11:00 PM(GMT).
Post an email address and the following sentence on your twitter and facebook, and we'll contact the email address.
Thanks a lot to God'sApstls [sic] contributing your great effort to peace of the world.
And even if you just try to seek out who we are, all of your data will be released at once."
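The file names, ports and listener behaviour the report lists above are concrete enough to turn into detection logic. The Go program below is an added example, not code from Symantec, the FBI report or the article: `Scan` runs four rules (IoC image name, IoC file drop, IoC process connecting on 8080/8000, IoC process listening on port 80) over endpoint telemetry in a constructed `timestamp|event|image|detail` format. The log lines, paths, addresses and timestamps in `SampleLog` are invented; only the four file names and the ports come from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// iocNames are the file names listed in the FBI Destover report quoted above.
var iocNames = map[string]bool{
	"diskpartmg16.exe": true,
	"net_ver.dat":      true,
	"igfxtrayex.exe":   true,
	"iissvr.exe":       true,
}

// c2Ports are the outbound ports the report attributes to igfxtrayex.exe;
// backdoorListenPort is the port iissvr.exe listens on.
var c2Ports = map[string]bool{"8080": true, "8000": true}

const backdoorListenPort = "80"

// Alert is one flagged log line with every rule that matched it.
type Alert struct {
	Line    int
	Reasons []string
}

// baseName returns the last path component, lower-cased, for Windows or POSIX paths.
func baseName(p string) string {
	p = strings.ReplaceAll(p, "\\", "/")
	return strings.ToLower(p[strings.LastIndex(p, "/")+1:])
}

// port returns the text after the last ':' in host:port, or "" if there is none.
func port(addr string) string {
	i := strings.LastIndex(addr, ":")
	if i < 0 {
		return ""
	}
	return addr[i+1:]
}

// Scan evaluates log lines in the constructed "timestamp|event|image|detail" format
// and returns one Alert per line that matches at least one rule. Malformed lines
// are skipped rather than failing the whole scan.
func Scan(lines []string) []Alert {
	var alerts []Alert
	for i, line := range lines {
		f := strings.Split(line, "|")
		if len(f) != 4 {
			continue
		}
		event, image, detail := f[1], baseName(f[2]), f[3]
		var reasons []string
		if iocNames[image] {
			reasons = append(reasons, "image name is a Destover IoC: "+image)
		}
		if event == "FileCreate" && iocNames[baseName(detail)] {
			reasons = append(reasons, "dropped Destover component: "+baseName(detail))
		}
		if event == "NetConnect" && iocNames[image] && c2Ports[port(detail)] {
			reasons = append(reasons, "IoC process connecting on C2 port "+port(detail))
		}
		if event == "NetListen" && iocNames[image] && port(detail) == backdoorListenPort {
			reasons = append(reasons, "IoC process listening on port 80 (backdoor)")
		}
		if len(reasons) > 0 {
			alerts = append(alerts, Alert{Line: i + 1, Reasons: reasons})
		}
	}
	return alerts
}

// SampleLog is constructed telemetry (paths, addresses and times are invented) that
// mixes the behaviours described above with benign activity.
var SampleLog = []string{
	`2014-12-01T02:14:07Z|ProcessCreate|C:\Temp\diskpartmg16.exe|C:\Temp\diskpartmg16.exe`,
	`2014-12-01T02:14:08Z|FileCreate|C:\Temp\diskpartmg16.exe|C:\Temp\net_ver.dat`,
	`2014-12-01T02:14:08Z|FileCreate|C:\Temp\diskpartmg16.exe|C:\Temp\igfxtrayex.exe`,
	`2014-12-01T02:14:09Z|NetConnect|C:\Temp\igfxtrayex.exe|203.0.113.10:8080`,
	`2014-12-01T02:14:10Z|NetListen|C:\Temp\iissvr.exe|0.0.0.0:80`,
	`2014-12-01T02:14:11Z|NetConnect|C:\Program Files\Browser\browser.exe|203.0.113.20:443`,
	`2014-12-01T02:14:12Z|ProcessCreate|C:\Windows\System32\notepad.exe|C:\Windows\System32\notepad.exe`,
}

func main() {
	for _, a := range Scan(SampleLog) {
		fmt.Printf("line %d: %s\n", a.Line, strings.Join(a.Reasons, "; "))
	}
}
```

Name-based rules are brittle (a renamed dropper evades them), so the behavioural rules matter more: a non-web-server process opening a listener on port 80, or an unexpected process connecting outbound on 8080/8000, is worth an alert on its own once you have an allowlist for the environment.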




Via Paulo Félix

New Survey Reveals Enterprises Are At Risk From The Internet Of Things

The Internet of Things (IoT) is challenging enterprises as IT teams struggle to secure the influx of newly connected devices.

Via Roger Smith, Paulo Félix
Roger Smith's curator insight, December 3, 2014 7:27 PM

When your fridge can spam the Internet, or an air conditioner can be used to bug a meeting room, IoT is going to cause many problems when it comes to security.