Be Careful – Fake Amazon Emails Could Hold Locky Ransomware

For a time, it seemed we had reached the high-water mark where Locky Ransomware was concerned. After the big, global attack earlier this year, interest in that particular strain of ransomware seemed to wane as hackers went off in search of the “next new thing” to deploy against the unwitting public.

Unfortunately, rumors of Locky’s death may have been highly exaggerated. A massive new email campaign is underway, using Amazon as a cover, and the infected emails come bearing Locky as a “gift” to anyone who opens them and downloads the attachment.

While no one knows who is behind the Locky software itself, this new email campaign is being run through a large botnet-for-hire called Necurs, which is currently made up of more than five million devices from all over the world.

These devices have been sending out a million emails an hour that appear to come from Amazon and contain downloadable attachments with their malicious payload.

The hackers are being quite savvy about the operation too, timing the sending of their emails so that they arrive during normal working hours, which makes them seem more legitimate. As ever, anyone unfortunate enough to download the attachment contained in one of these emails will soon find all the files on their system encrypted, and get a notification that they must pay a ransom in Bitcoin if they want the unlock code to get their files back.

It gets even worse, though. This latest attack does more than just install Locky. It also installs a program called “FakeGlobe,” which appears to be another variant of ransomware that’s designed to trigger after files are unlocked. So, even if you pay the ransom, you may find yourself immediately facing newly encrypted files and having to pay a second one.

As ever, the keys to avoiding scams like these are vigilance, employee education and a robust backup and file recovery plan, in the event that someone in your organization does open one of these emails.
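The two traits the article describes (a From header that claims a brand while the mail really originates elsewhere, and a downloadable attachment carrying the payload) are exactly what a mail gateway or a help-desk triage script can check before a user ever sees the message. The following is an added example, not code from the original post and not tied to any real campaign sample; the messages are constructed inline, and the risky-extension list and the brand-to-domain mapping are assumptions for the example rather than facts stated in the article.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Attachment types commonly used to carry a ransomware downloader. This list is
# an assumption for the example, not something the article states.
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".js", ".jse", ".vbs", ".wsf",
                    ".exe", ".scr", ".jar", ".docm", ".xlsm", ".hta"}

# Domains that genuinely send mail for a brand; a real deployment would use a
# maintained list. Assumed values for the example.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}

# Constructed sample message (not a real campaign sample): the From header
# claims Amazon, the envelope sender is an unrelated domain, and a zip is attached.
SUSPICIOUS_EML = """\
Return-Path: <bounce@example-mailer.invalid>
From: "Amazon.com" <order-update@amazon.com>
To: someone@example.org
Subject: Your Amazon order has shipped
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message for comparison: consistent sender, no attachment.
BENIGN_EML = """\
Return-Path: <bounce@amazon.com>
From: "Amazon.com" <order-update@amazon.com>
To: someone@example.org
Subject: Your Amazon order has shipped
MIME-Version: 1.0
Content-Type: text/plain

Your order is on its way.
"""


def _domain(address_header):
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(str(address_header))[1].rpartition("@")[2].lower()


def screen_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: a display name or From domain that invokes a brand while the
    # envelope sender (Return-Path) belongs to some other domain.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = _domain(msg.get("Return-Path", ""))
    for brand, domains in BRAND_DOMAINS.items():
        claims_brand = brand in from_name.lower() or brand in from_domain
        if claims_brand and envelope_domain and envelope_domain not in domains:
            findings.append(f"From claims {brand} but envelope sender domain is {envelope_domain}")

    # Check 2: attachments whose file extension is on the risky list.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name} ({part.get_content_type()})")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, screen_message(raw) or ["no findings"])
```

Neither check is a verdict on its own: legitimate bulk senders do use third-party mailers, and zip attachments are common. The value is in combining them, and in feeding the findings into quarantine or user-warning logic rather than silently dropping mail.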

Uber Paid To Hide Massive Data Breach From Public

It has recently come to light that Uber was hacked in 2016 in a massive breach that exposed the personal information of more than 57 million Uber users and drivers. A wide range of data was stolen. Where users were concerned, names, email addresses and phone numbers were compromised.

As bad as that is, the problem was even worse for more than 600,000 of the company’s drivers who had their driver’s license numbers hacked, too.

Standard protocol is that when a breach like this occurs, the company will engage law enforcement officials as appropriate, hire a third-party security firm to help with the forensic investigation and notify their consumers.

Unfortunately, that’s not the path Uber chose to take. Instead, they paid the hackers $100,000 in exchange for keeping quiet about the hack and deleting the stolen data.

The company kept the incident under wraps for more than a year, but eventually, word of the attack leaked out, and the fallout has been catastrophic. Uber’s CEO Dara Khosrowshahi has asked for the resignation of the company’s Chief Security Officer, Joe Sullivan, and one of his deputies, Craig Clark, both of whom worked to keep the attack quiet.

In a formal statement, Khosrowshahi had this to say:

“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

As is common in the aftermath of events like these, Uber is offering its impacted customers a free year’s worth of credit monitoring services and will likely force password changes for its app users. More than a year too late, but it’s something.

File this away under how not to handle a data breach.

Breach Of Health Data Gets California Company $2M Fine

Cottage Health System, a company that operates five hospitals in the Santa Barbara area of California, is the latest firm to have been hit with a hefty fine for losing control of PHI and PII for patients that it serves.

In this case, more than 55,000 patients were impacted between 2013 and 2015.

Cottage Health discovered the breach late in 2013. The company received a voicemail message informing company officers that there was a large file containing PHI of an unspecified number of its patients available online, without encryption or password protection that could prevent unauthorized access. In 2015, the company suffered a second, much smaller breach that impacted 4,596 of its patients.

As a result of the investigation that followed, the California Attorney General determined that the Cottage Health System had violated California’s Confidentiality of Medical Information Act, as well as several federal HIPAA regulations.

Under the terms of the agreement, in addition to a $2 million fine, the company has been required to upgrade its data security practices, including:

• Training employees on the collection, storage and proper use of PHI and PII
• Maintaining a reasonable set of policies and protocols surrounding incident tracking reports, risk assessment, data retention, internal audits and incident management plans, subject to external review
• Encrypting all PHI and PII in transit
• Assessing all hardware and software used in Cottage Health’s network for potential vulnerabilities, and upgrading as appropriate
• And conducting periodic testing to identify and address additional vulnerabilities.

This most recent incident serves as a painful reminder to any company involved in the handling of PHI and PII. According to Elizabeth Hodge, a health care attorney of the law firm Akerman, LLP:

“Even if the Office for Civil Rights slows down its enforcement activities going forward, covered entities and business associates should still anticipate enforcement activity by state attorneys general enforcing their respective state laws.”

A Million Imgur Users Affected By Breach

Do you use the image hosting service, Imgur? If you do, there’s a slight chance that you’ll be prompted to change your password the next time you log on. That’s because the company’s servers were breached in 2014, and the hackers made off with 1.7 million usernames and passwords, which represents just a tiny fraction of the company’s 150 million users.

Although the breach happened a few years ago, the company only found out about it on Thanksgiving Day of this year. Their response was immediate and decisive. The company called people in over the holiday and notified their impacted users just 25 hours and 10 minutes after discovering the details of the incident.

Contrast that to Uber’s handling of their most recent hack. They kept their impacted users in the dark for more than a year, and worse, paid the hackers $100,000 to keep the incident quiet. It’s easy to see why security professionals around the world have lauded Imgur for their handling of the hack.

Three key things to note in relation to the breach:

  • Not much information was stolen during the hack because Imgur doesn’t ask its users for much in the way of personal information in the first place. However, if you use your Imgur password on other systems, you could be at additional risk.
  • At the time of the breach, Imgur was using SHA-256 hashing, which is fairly robust and impractical for most hackers to crack due to the amount of computational power required.
  • In 2015, the company switched to an even more secure algorithm, Bcrypt, so if the company is breached again in the future, it’ll be even harder for the hackers to glean anything useful from any data stolen.

All that to say, if you’re looking for a benchmark to compare yourself to if you’re ever hacked, Imgur’s example would be an excellent one to follow.
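The difference between the two schemes the list mentions comes down to two properties: whether each password gets its own salt, and how expensive one guess is. The following is an added example, not Imgur's code, and it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (an assumption made so the example runs without third-party packages; bcrypt has the same salted, tunable-cost design). The user table is constructed.

```python
import hashlib
import hmac
import os

# Work factor for the salted, iterated hash. Chosen for the example; a deployment
# picks the largest value its login latency budget allows.
PBKDF2_ITERATIONS = 100_000


def sha256_store(password):
    """Unsalted SHA-256 of the password: one fast hash, same digest for everyone
    who picked the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def sha256_verify(password, stored):
    return hmac.compare_digest(sha256_store(password), stored)


def slow_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here
    (assumption for the example); salt and work factor travel with the digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def slow_verify(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_groups(table):
    """Group users whose stored value is byte-identical.

    With unsalted SHA-256 every user who chose the same password lands in one
    group, so a single guess is checked against every account at once; with
    per-user salts no two entries match even for identical passwords."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed user table (not Imgur data): two users share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}


def build_tables():
    """Return (unsalted_table, salted_table) for USERS."""
    unsalted = {u: sha256_store(p) for u, p in USERS.items()}
    salted = {u: slow_store(p) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("duplicate groups, unsalted SHA-256:", shared_hash_groups(unsalted))
    print("duplicate groups, salted PBKDF2:   ", shared_hash_groups(salted))
```

The `shared_hash_groups` output is the whole argument in one line: a leaked unsalted table reveals which accounts share passwords before a single guess is made, and each guess costs one cheap hash. A salted, iterated scheme removes the first problem and makes each guess cost the full work factor.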

Bug in macOS Could Allow Hackers Root Access

Do you own a Mac? Is it running Apple’s latest macOS, “High Sierra”? If so, be extra careful with who you allow access to your machine.

A security flaw recently discovered by a developer named Lemi Orhan Ergin can easily allow anyone unfettered access to everything on your machine, and by extension, give them an easy “in” to whatever network it’s connected to. All they need is physical access.

Exploiting this vulnerability is a lesson in simplicity. All a hacker has to do is enter “root” in the username field, leave the password field blank, and press Enter.

Done.

They now have total access.

Needless to say, this is a large and rather glaring security issue, and one which Apple will be remedying in the near future via a patch. Until they do, however, be aware that the physical security of your Mac is of paramount importance. Leaving your workstation unsecured and unattended, even for a few minutes, is all it would take to lose control over all the files on your machine and give a hacker access to the even more sensitive data lurking elsewhere on your company’s network.

Unfortunately, as bad as this security flaw is, it’s not the only recent stumble by Apple. Just last month, the company had to issue an emergency patch to fix a flaw that affected encrypted volumes, where the password hint section was displaying the actual password in plain text.

To try this exploit out for yourself to verify how easy it is to use, simply do the following:

  • Open your machine’s System Preferences and select “Users and Groups”
  • Click on the lock icon, which will allow you to make changes. You’ll get a user name and password box at this point
  • Type in “root” in the username field
  • Move the cursor into the password field and hit enter

That’s all there is to it.

Until Apple issues their patch, the best thing you can do is leave your machine on and lock your workstation when you step away. At least that way, the hacker would have to know your current password in order to gain access.

Of course, they could simply power the machine off and reboot, but that would take a bit more time, during which they could be discovered.

It’s far from perfect, but for the time being, it’s the best protection you have.

Microsoft Officially Pulls Plug On Windows Phone

The Windows phone is officially dead, with the announcement from Joe Belfiore that there would be no new feature updates and no further development.

The writing has been on the wall for a while now, with Microsoft gutting its phone division and laying off thousands of employees. But until Belfiore’s announcement, the company hadn’t made it official.

Microsoft was very slow to recognize how big a footprint smartphones would ultimately have in the market, and as such, paid little attention to them when they were first introduced.

Their first serious effort to try and gain a foothold in the market was with the introduction of Windows CE, a “lite” version of Windows that was plagued with problems almost from the start.

The company tried again with Windows 8, which was redesigned with apps specifically in mind.

Unfortunately, it represented too much of a change and was introduced too quickly. The new OS was not well-received.

Windows 10 essentially represented a “do-over”, and to the company’s credit, it was much more well-received than its predecessor. However, by the time the company hit upon something that may have worked, the market was already too mature, and the big players were already too well-entrenched for the company to have a realistic shot at gaining significant ground.

They struggled to get a sufficient number of developers interested in writing apps for their phone, and even if they had, their app store was plagued with problems. Thus, the company’s decision to pull the plug was not terribly surprising.

Mr. Belfiore stressed that the company would continue to support the platform, providing bug fixes and security patches to all those who wish to continue using them, but as the already small user base continues to shrink, it will eventually reach a point where it’s simply no longer financially viable to do even that.

Car Tracking Device Company Had Its Passwords Leaked

We’ve seen a lot of hacking attacks so far this year, but the successful breach of SVR Tracking may take the prize as the most invasive attack of 2017.

If you’re not familiar with the company, SVR Tracking provides a vehicle tracking service. This is accomplished by mounting a small, unobtrusive device on your car in an area where an unauthorized driver is unlikely to notice or look.

Once the device is attached, it reports the vehicle’s location back to the app database in two-minute intervals when the vehicle is in motion, and in four-hour intervals when the vehicle is stationary. One hundred and twenty days of vehicle location information is available to anyone with the proper login credentials.

On September 18, researchers from Kromtech Security Center discovered files in an unsecured Amazon S3 bucket containing login credentials for more than half a million SVR Tracking accounts. Note that the total number of vehicles this could impact is likely far higher than half a million, because the app is frequently used by companies that manage entire fleets of vehicles, so one account may have dozens (or more) vehicles associated with it.

The exposed files contained account names, passwords, vehicle maintenance reports, dealer contracts and more.

There are two primary ways that a hacker could profit from this information. First and most obvious is that if you know exactly where a vehicle is, and when it’s likely to be sitting idle for hours at a time, then it’s incredibly easy to steal it.

Second, and less obvious, is that knowing where a vehicle goes allows hackers to build a detailed profile about the person driving the car, which can be used to provide better email targeting for attacks down the road.

In any case, the offending files have now been removed and the server locked down, but there’s no way of knowing how many unauthorized people accessed those files while they were publicly visible. If you use the SVR Tracking app, just to be safe, you should change your password immediately.
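An unsecured S3 bucket is usually the result of an ACL grant to one of the global groups or a bucket policy that allows a wildcard principal, and both are visible in the bucket's own configuration. The following is an added example, not code from Kromtech or SVR Tracking: it evaluates ACL and policy documents shaped like the dicts boto3's `get_bucket_acl()` and `get_bucket_policy()` return (the inputs here are constructed inline, including the bucket name and account ID, so it runs offline). The same logic applies to any bucket you can read the configuration for.

```python
import json

# S3 group principals that make an ACL grant reachable by anyone on the internet
# (AllUsers) or by any AWS account holder (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group URI, permission) pairs granted to the global groups.
    `acl` is shaped like the dict boto3's get_bucket_acl() returns."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def public_policy_statements(policy_json):
    """Return (Sid, has_condition) for Allow statements with a wildcard Principal.
    `policy_json` is the document string from get_bucket_policy()['Policy']."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            hits.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return hits


def assess_bucket(name, acl, policy_json):
    """Return readable findings for one bucket; an empty list means nothing public was found."""
    findings = []
    for uri, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid, conditional in public_policy_statements(policy_json):
        note = " (has Condition, review it)" if conditional else ""
        findings.append(f"{name}: policy statement {sid} allows Principal *{note}")
    return findings


# Constructed inputs (not from the SVR Tracking incident).
EXPOSED_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::fleet-exports/*"},
]})
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/tracking-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::fleet-exports/*"},
]})


if __name__ == "__main__":
    for name, acl, pol in (("fleet-exports", EXPOSED_ACL, EXPOSED_POLICY),
                           ("fleet-exports-private", PRIVATE_ACL, PRIVATE_POLICY)):
        print(name, assess_bucket(name, acl, pol) or ["no public access found"])
```

Running this against every bucket in an account on a schedule, and alerting on any non-empty result, catches the misconfiguration before a researcher or an attacker does. Note that a statement with a Condition is reported but not cleared, because conditions such as a source-IP restriction may still leave the bucket effectively public.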

Fake Symantec Blog Post Is Spreading Mac Malware

Sometimes hackers opt for a stealthy approach. Other times, their attempts are downright brazen. That’s definitely the case with a newly launched malware campaign that seeks to spread “Proton Mac,” a strain of malware designed to steal passwords from Mac users.

The hackers registered a domain very similar to Symantec’s blog, mirrored its content and then created a fake post about a new version of CoinThief, which was moderately successful back in 2014.

After going into a bit of faux analysis about this nonexistent threat, the post recommended downloading a nonexistent piece of software called “Symantec Malware Detector” which it claimed was the best means of protecting against the new version of CoinThief. Unfortunately, “Symantec Malware Detector” is actually Proton Mac in disguise.

It’s a good scam, and it’s proven to be highly effective thus far. Its effectiveness is due in no small part to the fact that references to the post have been tweeted, initially by fake Twitter accounts, and later, by a growing number of legitimate ones.

Although the fake blog is quite good, it doesn’t stand up to intense scrutiny. For one thing, the email address used to register the domain isn’t a Symantec address. For another, their SSL certificate comes from Comodo, rather than Symantec’s own certificate authority. Unfortunately, the overwhelming majority of users don’t look that closely at websites they visit, so they are unlikely to recognize the fake for what it is.

If you have downloaded “Symantec Malware Detector,” then you’ve got Proton Mac running on your machine right now.

It’s designed to log your username and password in plain text, sending this and any other PII (Personally Identifiable Information) on your machine to a hidden file. It will also capture browser auto-fill data, keychain files and the like, and send all of this to the hackers controlling the software.

If you have been infected, you should treat all online passwords as having been compromised and change them immediately, once you have verified that the malware has been completely removed from your system. Enabling two-factor authentication will also help make you more secure.

Look And Feel May Change In Future Windows 10 Update

Microsoft is experimenting with a new feature that may change the look and feel of Windows 10 in some future update.

The new approach is referred to as “Sets,” which borrows from the playbook of modern web browsers and groups related applications into tabbed sets, with the groupings defined by project type. The applications you need to make use of on any given project will be grouped together, even if the last time you used a given app was several weeks prior.

Essentially, this approach is a combination of the Windows Explorer “Task View,” “Pick up where you left off” and “timeline.” They are wrapped into a single-window experience complete with an “application history” feature, which works a lot like a web browser’s history, so you won’t have to remember which application you were using a few weeks earlier to work on your current project.

It’s a good idea in theory, and it should streamline the user experience. If, for example, you need to use your email, Microsoft Word, Photoshop and Excel to complete a given project, all of these will be organized as tabs across a single window.

While there’s been no word from Microsoft on exactly when we can expect to see the new feature, if the past is any guide, it will first be available to Windows Insiders for an initial evaluation. In the meantime, Microsoft will be seeking support for the new concept from a wide range of third party developers.

Another clear sign that the company is committed to the new idea is that Stardock, a company which has provided some intriguing UI tweaks to Windows for several years now, has released a new product called “Groupy,” which reproduces some of the basic features planned for Sets.

So far, Microsoft hasn’t released a firm time table, so there’s no clear indication when we might be seeing the change. We’ll have more information on this topic as it becomes available.

Bill Gates’ One Windows Regret: CTRL, ALT, DELETE

Control-Alt-Delete.

It’s a series of keystrokes that pretty much everyone who has ever used a Windows PC knows well. It is, after all, your escape hatch. When the program starts misbehaving, it’s a user’s go-to keystroke command to force-quit the issue, and surprisingly, Bill Gates said in a recent interview that it’s one of his few regrets.

While that might surprise some, it’s important to note that he wasn’t saying he wished the keystroke command had never been offered (it would be difficult to imagine Windows without it, or something like it!), but merely that he wished it had been included as a single-key function, rather than a three-key function that made it difficult to issue.

Part of the blame for its current form, though, lies with IBM, which initially implemented the function as an interrupt command. Their goal, back in the ’80s, was to make it an inconvenient function that required two hands to issue, so that users wouldn’t execute it accidentally, and it stuck. We’ve had Control-Alt-Delete ever since.

When Gates sat down with Bloomberg recently, he was asked a lot of questions about the arc of his life and the role he played in making Windows the dominant OS in the computing world. Part of the reason Gates said he doesn’t have many regrets is that to change even one minor detail about the way things developed would have an enormous butterfly effect that would ripple throughout the entire industry with unpredictable consequences.

Still, the relative inconvenience of the three-key interrupt command sticks out in his mind as something that he’d change if he could get a do-over today. By introducing it in Windows 3.x, it became an enduring fixture in the computing world, one that remains with us to this very day.

It’s an interesting interview, and well worth the time to read. Check it out on the Bloomberg site.