Category Archives: Security

Locky Ransomware Encrypts Files Even When Machine Is Offline

The Locky ransomware has added a fallback mechanism in its latest strain, created for situations where the code can’t reach its Command & Control server.

Researchers from antivirus vendor Avira blogged about this version which starts encrypting files even when it cannot request a unique encryption key from the Command & Control server because the computer is offline or a firewall blocks outgoing communications.

Calling the mothership is normally required for ransomware that uses public key cryptography. In fact, if the code is unable to call home to a Command & Control server after it infects a new machine, most ransomware does not start the encryption process and is dead in the water.

Why? The encryption routine needs unique public-private key pairs that are generated by the Command & Control server for each infection. How does this work? Here is a simplified sequence of events.

  1. The ransomware program generates a local encryption key and uses an algorithm like AES (Advanced Encryption Standard) to encrypt files with certain extensions.
  2. It reaches out to a Command & Control server and asks that machine to generate an RSA key pair for the newly infected system.
  3. The public key of that pair is sent back to the infected machine and used to encrypt the AES encryption key from step 1. The private key (needed to decrypt what the public key encrypted) stays on the Command & Control server; it is the key you get when you pay the ransom and is used for decryption.

As you see, a lot of ransomware strains are useless if a firewall detects their attempt to call home and blocks it as suspicious. There is another scenario however…

As damage control, organizations also cut off a computer from the network the moment a ransomware infection is detected. They might even take the whole network offline until they can investigate if other systems have also been infected.

The silver lining? If someone pays the ransom and gets the private key, that key will work for all other offline victims as well, so expect a free decryptor to become available in the near future.
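The three-step scheme above, and the silver lining that follows from it, can be shown with .NET’s RSA and AES classes from PowerShell. This is an added illustration, not Locky’s code and not part of Avira’s write-up: it works on constructed in-memory byte strings, the function names are my own, and the two “victims” are protected under one shared public key, which is the offline situation the post describes.

```powershell
# Added illustration (not Locky's code): the hybrid scheme described above,
# on in-memory byte strings, using .NET's RSA and AES implementations.

function New-ServerKeyPair {
    # Step 2, server side: an RSA key pair. ExportParameters($false) yields only
    # the public half (modulus and exponent); the private half never leaves here.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
    [pscustomobject]@{ Private = $rsa; Public = $rsa.ExportParameters($false) }
}

function Protect-Bytes {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSAParameters]$PublicKey)
    # Step 1: a fresh random AES-256 key (CBC, PKCS7 padding) encrypts the data.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $key = $aes.Key
    $iv  = $aes.IV
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose()
    # Step 3: wrap the AES key with the public key (OAEP padding). Holding the
    # public key and this wrapped blob gives the client no way back to $key.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($PublicKey)
    $wrapped = $pub.Encrypt($key, $true)
    [pscustomobject]@{ Ciphertext = $ciphertext; IV = $iv; WrappedKey = $wrapped }
}

function Unprotect-Bytes {
    param($Bundle, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    # Decryptor side: only the private key can unwrap the AES key.
    $key = $PrivateKey.Decrypt($Bundle.WrappedKey, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV  = $Bundle.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Bundle.Ciphertext, 0, $Bundle.Ciphertext.Length)
    $aes.Dispose()
    ,$plain   # the leading comma returns the byte[] intact instead of unrolling it
}

# Offline variant: one public key baked into every sample, so one private key
# unwraps every victim's AES key. The two "documents" are constructed strings.
$server  = New-ServerKeyPair
$victims = foreach ($doc in 'constructed document A', 'constructed document B') {
    Protect-Bytes -Plaintext ([Text.Encoding]::UTF8.GetBytes($doc)) -PublicKey $server.Public
}
foreach ($bundle in $victims) {
    [Text.Encoding]::UTF8.GetString((Unprotect-Bytes -Bundle $bundle -PrivateKey $server.Private))
}
```

Two things the code makes visible. The client only ever receives what `ExportParameters($false)` produces, so nothing on the infected machine can unwrap the AES key, which is why blocking the key request normally stops the encryption cold. And once the public key is shared rather than generated per infection, the holder of that single private key can unwrap every bundle, which is why one paid-for key turns into a decryptor for every offline victim.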


Weird New Cerber Ransomware Speaks To Its Victims

There is a new strain of ransomware called Cerber that takes creepiness to the next level.

It drops three files on the victim’s desktop named “# DECRYPT MY FILES #.” These files contain instructions about the ransom amount and how to pay it. One of the files is your standard TXT format, one is HTML and the third is plain weird. It contains a Visual Basic Script, which contains text-to-speech code that converts text into an audio message.

“When the above script is executed, your computer will speak a message stating that your computer’s files were encrypted and will repeat itself numerous times,” Larry Abrams from Bleepingcomputer said in a blog post. They have a sample in that post you can listen to.

Cerber’s criminal developers are selling the tool as Ransomware-as-a-Service (RaaS) so that practically anyone can use it without any coding experience. It is easy to find out where this new strain originated. When first run, Cerber will check to see if the victim is from a particular country. If the computer appears to be from any of the following countries, it will terminate itself and not encrypt the computer: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan.

Yup, that was easy. Another Eastern European cyber gang with another strain.


Beware – Android Malware That Erases Your Phone With a Single Text

It’s been a bad week for people’s phones, and it’s not getting any better: A Danish security firm’s found malware that ravages your Android phone with a single text—erasing data or sending rogue calls and texts.

Denmark-based security firm Heimdal detected the malware, called “Mazar,” which sends text messages that include an ostensibly harmless multimedia message link to users. Click through, and it downloads Tor to your phone, and then the actual malware, whose source the Tor software hides. (By the way, a little reminder for living in the twenty-first century, friends: Don’t click on text message links from random senders.)

Heimdal thinks that over 100,000 phones have received the Mazar text in Denmark, the BBC reports, and the firm isn’t yet sure if it’s spread to other countries.

We’ve heard of such one-text menaces targeting Android before. Last year, a University of Cambridge study found that 85 percent of Android devices could face at least one crucial security vulnerability. This report is just the latest confidence crusher threatening the operating system’s security.

[BBC]


Scam Of The Week: Apple ID Suspension Phish With A Twist

OK, this scam is widespread enough to alert your users about it. The email claims to be from Apple Support and says your Apple ID and iCloud are both going to be suspended because you did not complete verification on time. With the massive amount of new Apple devices being sold at the moment, this attack may hit many employees.

Supposedly Apple sent you an earlier email about this but they did not receive a response. The email has a “Verify now” link that allows you to complete the verification process and save your account from suspension. (Yeah, sure.) If an employee clicks the link, they land on a bogus Apple login page asking for their credentials. But wait, there’s more!

You will be taken to a second fake page that asks for a large amount of your personal and financial information including credit card and banking details. The page is designed to look like a real Apple webpage and even includes seemingly legitimate information explaining in detail why you need to complete the verification process.

This scam even has retaliation against investigators testing the phish. If you enter false data that includes words such as ‘scam’ into fields on the fake form, your browser will automatically redirect you to a preconfigured Google search for pornography.

I suggest you send the following to all employees, and while you are at it, friends and family will also benefit.

“You need to watch out for a phishing scam that seems to come from Apple. The email is supposedly from Apple Support and they threaten that your account is going to be suspended because you did not reply to an earlier verification email. The phishing email has a link that allows you to “verify now” but if you click the link, you land on a bogus webpage that looks like it’s Apple but is a fake, and it tries to manipulate you into giving out your password, credit card and other personal information.

Don’t fall for this scam. Always go direct to the website of your vendor and do not click on links in emails that look like they are legit. Think Before You Click!” Happy and Safe Holidays.


It’s time to secure your Amazon account with two-factor authentication

Relying solely on passwords to secure important accounts may be outdated, but until they’re gone for good your best alternative is locking things down with two-factor authentication, and that now includes Amazon. Considering you probably already have a credit card or other payment info stored there, it just makes sense to add an extra layer of security that makes sure it’s really you logging in. The only problem? Until recently Amazon didn’t have any option to support the feature, but now it does. I noticed the new option while updating my password last night (also a good security idea), and one of the engineers told me it launched a couple of weeks ago after a private beta.

Source: Amazon Support


Fraud and Shopping Online

The holidays are coming. Are you protected while shopping online?

It’s holiday shopping season. If you’re like millions of other shoppers, you like to do your shopping online. However, online shopping also comes with risk.

Here are some tips to help protect you while shopping online.

  • Secure your mobile device and computer. Make sure your anti-virus software is up to date.
  • Use strong passwords. If you need to create an account, use a strong password, and use a unique password for each site.
  • Do not use public computers or public wireless networks for your online shopping. Criminals may be intercepting traffic on public wireless networks to steal credit card numbers and other confidential information.
  • Pay by credit card, not debit card. Credit cards are covered by the Fair Credit Billing Act, which may limit your liability if your information is used improperly. Check your statements regularly.
  • Limit your online shopping to merchants you know and trust. If you have questions about a merchant, check with the Better Business Bureau or the Federal Trade Commission. Confirm the online seller’s address and phone number.
  • Look for “https” when making an online purchase. The “s” in “https” stands for “secure.”
  • Do not respond to pop-ups. When a window pops up promising you cash or gift cards for answering a question or taking a survey, close it by pressing Control + F4 for Windows and Command + W for Macs.
  • Hover over links in emails before clicking on them to verify where you’re being directed. If you question the validity of an email, contact the source directly.
  • Do not auto-save your personal information. It is always safest to opt out of auto-save and enter your information manually every time.
  • Don’t ever give your financial or personal information by email or text. Information on many current scams can be found on the FBI Internet Crime Complaint Center.
  • Review privacy policies. Know what information the merchant is collecting about you, how it will be stored, how it will be used, and if it will be shared with others.
  • Keep all receipts and documents. Make sure you print out a copy of the receipt once you have finished your purchase.

Malicious adware’s latest trick is replacing your whole browser

Just recently, infosec celebrity Swift on Security pointed out a new piece of adware called the “eFast Browser.” It does the kind of malicious crap that we’ve all seen quite often over the years: throwing pop-up and pop-under ads on your screen, putting other ads into your web pages, pushing you towards other websites with more malware, and (of course) tracking your movements on the web so that nefarious marketers can send more crap your way.

But what’s nefariously intriguing about this software is that it isn’t trying to hijack your current browser, it’s straight-up replacing it. As reported by Malwarebytes, eFast tries to delete Chrome and take its place, hijacking as many link and file associations as it can. Its icon and window look a lot like Chrome’s, and it’s based on the open source Chromium project in the first place, so it acts a lot like Chrome too. The software comes from a company calling itself Clara Labs, which is actually behind a slew of similar browsers with names like BoBrowser, Tortuga, and Unico.

Chrome really led the way to the new paradigm of how to do extensibility correctly. Firefox/Edge is almost literally working on copying it.

— SecuriTay (@SwiftOnSecurity) October 16, 2015

The weird thing about this software is that it’s actually kind of good news, security-wise. As Swift on Security points out, it’s easier for malware to just try to replace your browser than it is to infect it. That’s because Chrome moved toward locking down extensions by requiring that they come through Google’s web store (and thereby Google’s code review and code signing). Mozilla’s Firefox and Microsoft’s Edge browsers are moving in the same direction. So while replacing your whole browser isn’t totally new for malware, the fact that it’s the best vector for attack now might be.

According to PCrisk, eFast and its ilk try to get on your computer by burrowing themselves into the installers for free software from dubious sources on the web. It should be relatively easy to avoid installing it and, fortunately, should also be relatively easy to uninstall if you’ve found it on your computer.


An Android Porn App Takes Your Photo and Holds It to Ransom


Users of the “Adult Player” Android app are in for a shock: it’s emerged that the Android app has been secretly taking photos of users – and wants their cash in exchange for deletion.

The Register reports that security firm Zscaler was first to spot the app, which presents itself as a normal video playing app, albeit for playing videos of an adult nature. Apparently once it has silently snapped photos of its victim it will display a message on screen demanding that they pay $500. Otherwise, well… do you want people knowing you’ve used the app?

Apparently once the ransom message appears it will stay fixed on your phone screen, even if you reboot. Whilst no doubt highly illegal and bad and wrong, you have to admire how clever the ruse is.

But there is good news: Adult Player isn’t actually available on the Google Play store, and to use it users will have to have installed the app’s APK file manually, checking the box in settings to allow their phones to run apps from non-trusted sources. So there’s no need to be too nervous when downloading new apps to your phone. If an app was listed in the app store, apart from the fact that Google would probably stop it from being published in the first place, if it wanted to use your camera you would have to grant it explicit permission.

So let this be a lesson: If you want to let a porn app do anything to your phone, make sure you use an app that ensures that it does it, umm, explicitly.


Phone and laptop encryption guide: Protect your stuff and yourself

How to encrypt local storage on your Google, Microsoft, and Apple devices.

The worst thing about having a phone or laptop stolen isn’t necessarily the loss of the physical object itself, though there’s no question that that part sucks. It’s the amount of damage control you have to do afterward. Calling your phone company to get SIMs deactivated, changing all of your account passwords, and maybe even canceling credit cards are all good ideas, and they’re just the tip of the iceberg.

Using strong PINs or passwords and various Find My Phone features is a good place to start if you’d like to limit the amount of cleanup you need to do, but in this day and age it’s a good idea to encrypt your device’s local storage if at all possible. Full-disk or full-device encryption (that is, encrypting everything on your drive, rather than a specific folder or user profile) isn’t yet a default feature across the board, but most of the major desktop and mobile OSes support it in some fashion. In case you’ve never considered it before, here’s what you need to know.

Why encrypt?

Even if you normally protect your user account with a decent password, that doesn’t truly protect your data if someone decides to swipe your device. For many computers, the drive can simply be removed and plugged into another system, or the computer can be booted from an external drive and the data can be copied to that drive. Android phones and tablets can be booted into recovery mode and many of the files on the user partition can be accessed with freely available debug tools. And even if you totally wipe your drive, disk recovery software may still be able to read old files.

Encrypting your local storage makes all of that much more difficult, if not impossible. Anyone trying to access your data will need a key to actually mount the drive or read anything off of it, and if you wipe the drive the leftover data that can be read by that file recovery software will still be encrypted even if the new data on the drive isn’t.

There are a few downsides. If you yourself lose the key or if your drive becomes corrupted, for example, it might be more difficult or impossible to recover data. It can slow down performance, especially for devices with processors that don’t provide hardware acceleration for encrypting and decrypting data. But, by and large, the benefits outweigh the drawbacks, and the slowdown for modern devices should be tolerable-to-unnoticeable.

iOS: Don’t worry about it

As of iOS 8, as long as you set a passcode, your personal data gets encrypted. Apple’s security whitepaper (PDF) for iOS 8.3 and later specifically says that “key system apps, such as Messages, Mail, Calendar, Contacts, Photos, and Health data values use Data Protection by default, and third-party apps installed on iOS 7 or later receive this protection automatically.”

The company also claims that every current iDevice features “a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory,” which ought to limit the impact of this encryption on system speed.

OS X: FileVault

Starting with OS X 10.7 (Lion) in 2011, Apple began supporting full-disk encryption with FileVault 2. In more recent OS X versions, some Macs even offer to encrypt your storage as part of the first-boot setup process, though it’s not the default as it is in iOS.

To encrypt your drive after the fact, go to the Security & Privacy pane in System Preferences, and select the FileVault tab. Click Turn On FileVault and you’ll be offered a pair of options: store the key used to unlock your disk somewhere yourself, or choose to store it in your iCloud account. A local recovery key keeps that key off of another company’s servers, but leaves you without recourse if you lose it and you’re locked out of your system. If you do store your key in iCloud (or even if you don’t, for that matter), we strongly recommend enabling two-factor authentication for your Apple ID.

Encrypting your disk doesn’t drastically change the way that OS X works—you just need to put your account password in to unlock the disk before the operating system boots instead of afterward. You’ll also need to specify which local users’ logins can decrypt the disk. Otherwise, just the account that enabled FileVault will be able to turn the machine on. If you ever need to decrypt your Mac, it’s pretty easy if you can log in to the computer or if you have the key available.

Generally speaking, performance for encrypted devices declines less for newer Macs with hardware acceleration—most Core i5s and i7s can do it, but Core 2 Duo Macs cannot.

Android

Despite past promises, new Android devices still aren’t being encrypted by default. Default encryption is an option for OEMs, but outside of Google’s Nexus devices few if any companies are choosing to enable the feature on their phones.

You can still encrypt any relatively modern version of Android pretty easily—these specific steps work for Nexus devices or anything running near-stock Android, but the process should be similar if your phone is using a skin.

Open the Settings app, go to Security, and then tap “encrypt phone” to get the process started. Your phone may ask you to plug it in or charge the battery to a specific level before it will give you the option to encrypt, mostly because interrupting this process at any point is likely to completely corrupt your data partition. You’ll need to protect your phone with some kind of PIN or pattern or password if you haven’t already, and as in OS X your phone will probably require it before the operating system will boot.

To confirm that your phone was encrypted, go to Settings and then Security and look for a small “Encrypted” badge under the “Encrypt phone” menu item. If your phone already says it’s encrypted, you may have one of the new post-Lollipop phones that came with encryption enabled out of the box.

Depending on your phone, encrypting your Android phone or tablet can significantly impact performance. This is the worst for older or slower devices, which can use slower flash memory and filesystems and lack hardware encryption acceleration. The experience is better on newer phones with 64-bit ARMv8 processors and higher-end, faster storage.

Additionally, if you need to decrypt the device later on, there’s no way to do it without wiping and resetting the phone. If your phone came encrypted out of the box, though, there’s no way to decrypt the device without making more extensive software modifications.

Finally, in Android Marshmallow, the Android phones that include external storage are able to encrypt and protect the data on those cards as well as on internal storage.

Chrome OS: Also don’t worry about it

Chromebooks and boxes are pretty locked down out of the box by default, and that extends to encryption of the local storage. As described in the Chromium design documents, ChromeOS uses the eCryptfs filesystem and each user directory is protected by a separate encryption key. Unless you’ve turned on Developer Mode, you don’t have anything to worry about.

Linux

The wide variety of Linux distributions available means that it’s difficult to recommend one tool or script or set of directions that will encrypt your drive.

If you’re running a recent Ubuntu or Ubuntu-based distribution, at least, the OS will offer to encrypt your data when you install it. All you need to do is tick a box. And for anything else, you can always take a look at that list of third-party disk encryption software.

Windows Phone 8.1

Windows Phone 8.1 is odd; it supports encryption, but only when some kind of device management server has told it to encrypt itself. There’s no option for end users to encrypt their own devices on demand.

User-initiated BitLocker encryption should be possible in Windows Phone 10, an update that at least most of the current Windows Phone 8.1 devices should be able to get.

Windows

Windows is a complex operating system that runs on what is by far the widest range of hardware of any operating system here, so encryption is more complicated. We’ll be focusing on the built-in tools included in modern versions of Windows, but if they don’t work for you there are lots and lots of other third-party drive encryption programs you can look into.

There’s a very small chance that the Windows system you’re using is already encrypted by default, at least if you have the right combination of hardware and software. That goes for users of Windows 8.1 and Windows 10 computers who sign in to their systems with Microsoft or Active Directory accounts and whose hardware meets the following requirements:

  • Support for Secure Boot
  • A Trusted Platform Module (TPM). The feature requires TPM 2.0, and most current devices use TPM 1.2.
  • Hardware and firmware support for Windows’ InstantGo (formerly Connected Standby) feature. InstantGo allows a sleeping system to wake up periodically and refresh certain data, like e-mail messages or calendar events. Your smartphone already does the same sort of thing.
  • InstantGo comes with its own set of hardware requirements, including a solid-state boot volume, NDIS 6.30 support for all network interfaces, and memory soldered to the motherboard. The system must also rely on passive cooling when in Connected Standby mode, even if it normally uses a fan.

This encryption method is also used by the handful of Windows RT systems that made it out the door.

The benefit of this method is that it’s automated and it’s available with every edition of Windows, including the Home editions. The bad news is that those hardware requirements are pretty stringent and there’s no way to just add them to a computer you’ve already bought. And the Microsoft account requirement may rankle if you have no desire to use one.

If you want encryption and don’t meet those requirements, your next best bet is BitLocker. It’s got less-stringent hardware requirements, though it works best if your computer includes a TPM. It also needs one of the higher-end versions of Windows. In Windows 10, users of the Pro, Enterprise, and Education editions can all use it. Windows 8.x provides it with the Pro and Enterprise editions, while Windows 7 and Windows Vista require either the Ultimate or Enterprise editions. Home and Bing editions of Windows are universally excluded, as are pre-Vista versions of Windows.

To enable BitLocker on any version of Windows that supports it, head to the desktop version of the Control Panel and click BitLocker Drive Encryption. If you have a TPM, you ought to be able to save your encryption recovery key to an external drive or your Microsoft account, click through all the screens, and come out on the other side with an encrypted laptop. You can choose to encrypt just the used space on the disk (leaving the free space unencrypted), or you can encrypt the full drive.

Many business-class laptops from the last decade or so and some more recent high-end Ultrabooks tend to include TPMs, though a TPM has never been a key part of Windows’ system requirements. If you don’t know whether your computer has one, TPMs generally have their own entry in the Device Manager.

If you don’t have a TPM, you’re not out of luck, but there are extra steps. By default, BitLocker won’t work without one, but there are several other options available once you flip a switch. The steps:

  • Go to the Start menu search box or use the Windows+R hotkey combo and type in gpedit.msc. This is a local policy editor that works a lot like the group policy editor used in large businesses; the settings just apply to one computer instead of many.
  • Go to Computer Configuration, then Administrative Templates, then Windows Components, then BitLocker Drive Encryption.
  • Select the Operating System Drives folder.
  • Double-click Require additional authentication at startup.
  • Click the “enabled” bubble, and then check the “Allow BitLocker without a compatible TPM” option below.
  • Click OK.

Now head to the Control Panel and open up BitLocker Drive Encryption. From here, you can either use a USB key that will need to be plugged into your computer to unlock the drive every time it boots, or you can come up with a special password, separate from your account password, that you type at boot to unlock the disk. Backup keys can be saved to an external drive, your Microsoft account, or to some other file on another local or network disk.
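The same checks and steps can be scripted with the cmdlets that ship with the editions that have BitLocker, which is handier than the Control Panel wizard when you have more than one machine to do. This is an added example, not from the article or from Microsoft’s documentation: it reads the TPM and Secure Boot state the requirement list above turns on, writes the registry values that the gpedit.msc policy above sets, and then enables BitLocker on the system drive with either a TPM protector or a pre-boot password. `D:\BitLockerRecovery` is an assumed path on an external drive, the function names are my own, and `XtsAes256` should be swapped for `Aes256` on Windows 8.1 or 7, which predate XTS.

```powershell
# Added example, not from the article: readiness check plus BitLocker enablement
# for the system drive, with or without a TPM. Run from an elevated PowerShell on
# Windows 10 Pro/Enterprise/Education or Windows 8.1 Pro/Enterprise (the BitLocker
# and TrustedPlatformModule modules are not present on Home editions).
#Requires -RunAsAdministrator

function Get-EncryptionReadiness {
    # Get-Tpm can throw on machines with no TPM driver at all; treat that as "no TPM".
    $tpm = $null
    try { $tpm = Get-Tpm } catch { }
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; report $false there.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = [bool]($tpm -and $tpm.TpmReady)
        SecureBoot       = [bool]$secureBoot
        VolumeStatus     = $volume.VolumeStatus       # FullyDecrypted until encryption runs
        ProtectionStatus = $volume.ProtectionStatus   # On only once protectors are active
    }
}

function Enable-BitLockerWithoutTpmPolicy {
    # Registry form of the gpedit.msc steps above: "Require additional authentication
    # at startup" = Enabled, with "Allow BitLocker without a compatible TPM" checked.
    # The four UseTPM* values at 2 ("Allow") are what the policy editor writes by default.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $key -Name $name -Value 2 -Type DWord
    }
}

function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint     = $env:SystemDrive,
        [string]$RecoveryFolder = 'D:\BitLockerRecovery',   # assumed: an external drive
        [string]$Method         = 'XtsAes256'                # use 'Aes256' on Windows 8.1/7
    )
    # Recovery password first, saved off the machine, so a forgotten pre-boot
    # password or a TPM reset does not lock you out for good.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -Last 1
    New-Item -ItemType Directory -Path $RecoveryFolder -Force | Out-Null
    $file = Join-Path $RecoveryFolder ('{0}-{1}.txt' -f $env:COMPUTERNAME, $MountPoint.TrimEnd(':'))
    "$($recovery.KeyProtectorId) $($recovery.RecoveryPassword)" | Out-File -FilePath $file

    if ((Get-EncryptionReadiness).TpmReady) {
        # Usable TPM: the drive unlocks at boot with no extra prompt, as with the wizard.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Method `
            -UsedSpaceOnly -TpmProtector -SkipHardwareTest
    } else {
        Enable-BitLockerWithoutTpmPolicy
        # No TPM: a pre-boot password separate from the account password.
        $pw = Read-Host -AsSecureString -Prompt 'Pre-boot BitLocker password'
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Method `
            -UsedSpaceOnly -PasswordProtector -Password $pw -SkipHardwareTest
    }
    Get-BitLockerVolume -MountPoint $MountPoint   # shows EncryptionInProgress / percentage
}

Get-EncryptionReadiness
Enable-OsDriveBitLocker
```

`-UsedSpaceOnly` is the “encrypt used disk space only” choice from the wizard; drop it to encrypt the whole drive. After encryption finishes, `Get-BitLockerVolume` should report `ProtectionStatus : On`; if it stays `Off`, a protector was not applied and the drive is encrypted but still unlocked for anyone who boots it.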
