Category Archives: PSA

Thousands of xHamster login credentials surface online

Members of the porn site xHamster should be changing their passwords today after a set of nearly 380,000 usernames, emails and poorly hashed passwords appeared online.

The subscription-only breach notification site LeakBase has published the set of login credentials, which Motherboard reports were being traded online. It’s not clear exactly where the database originated, but it contains information for only a small subset of xHamster’s 12 million registered users. While xHamster doesn’t require viewers to register with the site, those who do can comment and make video playlists.

Still, the leaked information has the potential to embarrass users — several of the accounts are linked to U.S. Army and other government email addresses. If xHamster’s subscribers reused their passwords on other sites, their accounts on those sites are at risk of compromise, as well.

“The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them. Thus, all the passwords are safe and the users data secured,” an xHamster spokesperson told Motherboard.

But according to LeakBase, the passwords were hashed with the MD5 algorithm, which is considered insecure for password storage. “MD5 hashes are trivial and easy to crack,” according to LeakBase. “The fact they think the hashes are secure is a blatant example of the faulty security placed in companies even to this day.”
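The gap LeakBase is pointing at, shown as an added example (this is not code from the original post or from xHamster): an unsalted MD5 digest is the same for every user who chose the same password and costs one MD5 call to check, while a per-user random salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here) gives each user a distinct record that must be recomputed individually. The user names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample records: two users who happen to share a password.
USERS: Dict[str, str] = {"alice": "Summer2016!", "bob": "Summer2016!"}

PBKDF2_ROUNDS = 100_000  # tune upward on real hardware; the point is that it is slow


def md5_store(password: str) -> str:
    """The weak scheme the post describes: one bare, unsalted MD5 digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """A defensible scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Store everything a verifier needs, so each record stands on its own.
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def md5_reveals_reuse(users: Dict[str, str]) -> bool:
    """With unsalted MD5, equal passwords give equal hashes: a leak exposes every reuser at a glance."""
    hashes = [md5_store(p) for p in users.values()]
    return len(set(hashes)) < len(hashes)


def kdf_hides_reuse(users: Dict[str, str]) -> bool:
    """With a per-user salt, equal passwords still produce distinct stored records."""
    hashes = [pbkdf2_store(p) for p in users.values()]
    return len(set(hashes)) == len(hashes)
```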


New Cry Ransomware Strain Has Unusual Advanced Features

“A new ransomware that pretends to be from a fake organization called the Central Security Treatment Organization has been discovered by security researcher MalwareHunterTeam. When the Central Security Treatment Organization, or Cry, Ransomware infects a computer it will encrypt a victim’s files and then append the .cry extension to encrypted files. It will then demand approximately 1.1 bitcoins, or $625 USD, in order to get the decryption key.”

Reported by Larry Abrams at Bleepingcomputer

Abrams continued: “For example, like Cerber, this ransomware will send information about the victim to the Command & Control server using UDP. Furthermore, it will also use public sites such as Imgur.com and Pastee.org to host information about each of the victims. Last, but not least, it will query the Google Maps API to determine the victim’s location using nearby wireless SSIDs.”

This strain was clearly created by experienced coders who know what they are doing. Just look at the list of advanced features this Version 1.0 came out with. Given the resources spent to create this strain, you can expect a massive wave of attacks to follow soon. These bad guys have the resources and then some:

  • Uses UDP to communicate with the Command & Control server to evade detection
  • Uses social networks to upload and host information about the victims using fake PNG files
  • Queries the Google Maps API to identify the victim’s location using nearby wireless SSIDs
  • Deletes the system Shadow Volume Copies
  • Stays persistent after reboots
  • Uses a TOR payment site that requires the victim’s personal ID from the ransom note
  • Has a functioning support page to communicate with the criminals
  • Includes a free (drag & drop, imagine that) decryption of one file to prove the files can be decrypted

Major Qualcomm chip security flaws expose 900M Android users

Four major security holes in the Qualcomm chips which power modern Android devices have left as many as 900 million users vulnerable to a range of attacks.

According to Israel-based security firm Checkpoint, the flaws—dubbed “Quadrooter” and found in the firmware that governs the chips—could allow attackers to “trigger privilege escalations for the purpose of gaining root access to a device” using malware that requires no special permissions, letting it pass under even suspicious users’ radars.

Qualcomm makes chips for the majority of the world’s phones, holding a 65 percent share of the market. Most of the major recent Android devices are expected to be affected by the flaw, including:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6, and Nexus 6P
  • HTC One, HTC M9, and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2, and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

Three of the four holes have already been patched, with a solution for the fourth on the way. However, most users are at the mercy of their handset manufacturers if they want these patches applied. Owners of Google’s Nexus devices have already had patches pushed to their phones, but other manufacturers have historically been less interested in patching flaws found in their devices after release.

According to Checkpoint—which revealed its findings over the weekend at the Defcon security conference in Las Vegas—the “vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them.”

Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.


Pokémon Malware

In case you have not heard, there is a new craze: an augmented-reality smartphone app called Pokémon Go. It’s a geocaching-style game, meaning it’s tied to real-world locations.

It’s a smash hit, sending people out onto the street to catch virtual creatures at real-world locations (called Pokestops); the creatures can be captured, trained and traded.

However, the game’s rapid rollout and breakaway success has its risks. Pokémon Go has immediately hit several security and privacy-related speed bumps.

  • The Google Login Permissions Problem

Many security researchers have been warning that the initial release of the Pokémon Go app has access to many more device permissions than it needs, which poses a possible privacy risk.

  • Trojanized Apps

Just 72 hours after the release of Pokémon Go, bad guys had Trojanized a legitimate version of the free Android app to include malware and released it via unofficial, third-party app stores, researchers at security firm Proofpoint said.

The malicious Android application file “was modified to include the malicious remote access tool called DroidJack – also known as SandroRAT, which would virtually give an attacker full control over a victim’s phone,” the researchers warn in a blog post. Gaming websites have begun publishing instructions about how users can download the app, including side-loading (bypassing Google’s official app store) to install it.

Proofpoint said: “In the case of the compromised Pokémon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk.”

  • Send this to your employees, friends and family:

You have probably heard about the new Pokémon app. It’s going viral and sends people on the street to catch these little virtual creatures. There are some risks if you have the “gotta catch ’em all” fever.

First, please stick to the vetted app stores; do not download the app from anywhere else. Why? Bad guys have taken the app, infected it with malware, and are trying to trick you into downloading it from untrustworthy websites.

Second, anyone using the app, and especially kids, should be VERY careful not to be lured into a real-world trap, which could lead to mugging or abduction. Other players can track you in the real world using this app, so be careful.

Third, there are possible privacy issues if you use your Google account to log into the app. Create a throw-away account and use that to log into Pokémon Go, not your private or business account.

As always, Think Before You Click!


Locky Ransomware Encrypts Files Even When Machine Is Offline

The Locky ransomware has added a fallback mechanism in its latest strain, created for situations where the code can’t reach its Command & Control server.

Researchers from antivirus vendor Avira blogged about this version which starts encrypting files even when it cannot request a unique encryption key from the Command & Control server because the computer is offline or a firewall blocks outgoing communications.

Calling the mothership is normally required for ransomware that uses public key cryptography. In fact, if the code is unable to call home to a Command & Control server after it infects a new machine, most ransomware does not start the encryption process and is dead in the water.

Why? The encryption routine needs unique public-private key pairs that are generated by the Command & Control server for each infection. How does this work? Here is a simplified sequence of events.

  1. The ransomware program generates a local encryption key and uses an algorithm like AES (Advanced Encryption Standard) to encrypt files with certain extensions.
  2. It reaches out to a Command & Control server and asks that machine to generate an RSA key pair for the newly infected system.
  3. The public key of that pair is sent back to the infected machine and used to encrypt the AES key from step 1. The private key (needed to decrypt what the public key encrypted) stays on the Command & Control server; it is the key you receive when you pay the ransom, and it is what makes decryption possible.

As you can see, a lot of ransomware strains are useless if a firewall detects their attempt to call home and blocks it as suspicious. There is another scenario, however…

As damage control, organizations also cut off a computer from the network the moment a ransomware infection is detected. They might even take the whole network offline until they can investigate if other systems have also been infected.

The silver lining? If someone pays the ransom and receives the private key, that key will work for all the other offline victims as well, so expect a free decryptor to become available in the near future.

PETYA Crypto-ransomware Overwrites MBR to Lock Users Out of Their Computers

As if encrypting files and holding them hostage were not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing a blue screen of death and putting their ransom notes at system startup—as in, even before the operating system loads. Imagine turning on your computer and, instead of the usual Windows logo, getting a flashing red and white screen with a skull-and-crossbones.


This is the routine of a new crypto-ransomware variant dubbed “Petya”. Not only does this malware have the ability to overwrite the affected system’s master boot record (MBR) in order to lock users out, it is also interesting to note that it is delivered to victims via a legitimate cloud storage service (in this case, via Dropbox).

This isn’t the first time that malware has abused a legitimate service for its own gain; however, it is the first time in a long while that such abuse has led to a crypto-ransomware infection. It is also a departure from the typical infection chain, in which the malicious files are attached to emails or hosted on malicious sites and delivered by exploit kits.

Infection Routine

Reportedly, Petya is still distributed via email. Victims would receive an email tailored to look and read like a business-related missive from an “applicant” seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant’s curriculum vitae (CV).

In the samples analyzed, the Dropbox folder the link points to contains two files: a self-extracting executable, which purports to be the CV, and the applicant’s photo. Further digging revealed that the photo is a stock image, most likely used without the photographer’s permission.


Of course, the file downloaded isn’t actually a resume at all, but rather a self-extracting executable file which would then unleash a Trojan onto the system. The Trojan then blinds any antivirus programs installed before downloading (and executing) the Petya ransomware.

Infection Symptoms

Once executed, Petya overwrites the MBR of the entire hard drive, causing Windows to crash and display a blue screen. Should the user try to reboot his PC, the modified MBR will prevent him from loading Windows normally and instead greet him with an ASCII skull and an ultimatum: pay up with a certain amount of bitcoins or lose access to your files and computer.

Another thing to point out here is that the edited MBR also disallows restarting in Safe Mode.
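A defender-side check that the MBR overwrite described above invites, added here as an example (not code from the original post or from any vendor): parse the 512-byte master boot record, confirm the 0x55AA boot signature, and compare the boot-code bytes against a known-good baseline hash taken when the machine was clean. The sectors below are constructed inline; on a live Windows host the same bytes would come from the first 512 bytes of the physical disk.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # classic MBR boot signature at offset 510


def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:] == BOOT_SIG}


def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> List[str]:
    """Return findings for the sector; an empty list means it matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS-type (0x07) partition, valid signature."""
    code = bootcode.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * 48          # three empty entries
    return code + table + BOOT_SIG


# Baseline captured from a clean machine (constructed here), and a sector whose
# boot code has been replaced, which is the kind of change the post describes.
KNOWN_GOOD = build_sample_mbr(b"\xEB\x3C\x90 known-good loader")
BASELINE = hashlib.sha256(KNOWN_GOOD[:446]).hexdigest()
OVERWRITTEN = build_sample_mbr(b"\xEB\xFE replaced loader")
```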

The user is then given explicit instructions on how to pay, just like with any crypto-ransomware currently making the rounds: a list of demands, a link to the Tor Project and directions for reaching the payment page through it, and a personal decryption code.


Looking at its very professionally-designed Tor website, we discover that its ransom price is currently at 0.99 Bitcoins (BTC), or US$431 – and that said price would be doubled if the on-screen deadline for payment is missed.


Weird New Cerber Ransomware Speaks To Its Victims

There is a new strain of ransomware called Cerber that takes creepiness to the next level.

It drops three files on the victim’s desktop named “# DECRYPT MY FILES #.” These files contain instructions about the ransom amount and how to pay it. One of the files is your standard TXT format, one is HTML and the third is plain weird. It contains a Visual Basic Script, which contains text-to-speech code that converts text into an audio message.

“When the above script is executed, your computer will speak a message stating that your computer’s files were encrypted and will repeat itself numerous times,” Larry Abrams from Bleepingcomputer said in a blog post. They have a sample in that post you can listen to.

Cerber’s criminal developers are selling the tool as Ransomware-as-a-Service (RaaS) so that practically anyone can use it without any coding experience. It is easy to find out where this new strain originated. When first run, Cerber checks whether the victim is in a particular country. If the computer appears to be in any of the following countries, it terminates itself and does not encrypt the computer: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan.

Yup, that was easy. Another Eastern European cyber gang with another strain.


Beware – Android Malware That Erases Your Phone With a Single Text

It’s been a bad week for people’s phones, and it’s not getting any better: A Danish security firm’s found malware that ravages your Android phone with a single text—erasing data or sending rogue calls and texts.

Denmark-based security firm Heimdal detected the malware, called “Mazar,” which sends text messages that include an ostensibly harmless multimedia message link to users. Click through, and it downloads Tor to your phone, and then the actual malware, whose source the Tor software hides. (By the way, a little reminder for living in the twenty-first century, friends: Don’t click on text message links from random senders.)

Heimdal thinks that over 100,000 phones have received the Mazar text in Denmark, the BBC reports, and the firm isn’t yet sure if it’s spread to other countries.

We’ve heard of such one-text menaces targeting Android before. Last year, a University of Cambridge study found that 85 percent of Android devices could face at least one crucial security vulnerability. This report is just the latest confidence crusher threatening the operating system’s security.

[BBC]


Scam Of The Week: Apple ID Suspension Phish With A Twist

OK, this scam is widespread enough to alert your users about it. The email claims to be from Apple Support and says your Apple ID and iCloud are both going to be suspended because you did not complete verification on time. With the massive amount of new Apple devices being sold at the moment, this attack may hit many employees.

Supposedly Apple sent you an earlier email about this but they did not receive a response. The email has a “Verify now” link that allows you to complete the verification process and save your account from suspension. (Yeah, sure.) If an employee clicks the link, they land on a bogus Apple login page asking for their credentials. But wait, there’s more!

You will be taken to a second fake page that asks for a large amount of your personal and financial information including credit card and banking details. The page is designed to look like a real Apple webpage and even includes seemingly legitimate information explaining in detail why you need to complete the verification process.

This scam even has retaliation against investigators testing the phish. If you enter false data that includes words such as ‘scam’ into fields on the fake form, your browser will automatically redirect you to a preconfigured Google search for pornography.

I suggest you send the following to all employees, and while you are at it, friends and family will also benefit.

“You need to watch out for a phishing scam that seems to come from Apple. The email is supposedly from Apple Support and they threaten that your account is going to be suspended because you did not reply to an earlier verification email. The phishing email has a link that allows you to “verify now” but if you click the link, you land on a bogus webpage that looks like it’s Apple but is a fake, and it tries to manipulate you into giving out your password, credit card and other personal information.

Don’t fall for this scam. Always go direct to the website of your vendor and do not click on links in emails that look like they are legit. Think Before You Click!” Happy and Safe Holidays.


It’s time to secure your Amazon account with two-factor authentication

Relying solely on passwords to secure important accounts may be outdated, but until they’re gone for good your best alternative is locking things down with two-factor authentication, and one account that deserves it is Amazon. Considering you probably already have a credit card or other payment info stored there, it just makes sense to add an extra layer of security that makes sure it’s really you logging in. The only problem? Until recently Amazon didn’t offer the feature at all, but now it does. I noticed the new option while updating my password last night (also a good security idea), and one of the engineers told me it launched a couple of weeks ago after a private beta.

Source: Amazon Support
