New WiFi Issue Could Affect Millions Of Users And Devices

Security researchers have found a new critical security flaw dubbed “Krack” (Key Reinstallation Attacks) that affects literally every WiFi router and smartphone in use today. The reason? The security flaw resides in the WiFi standard itself, rather than in a third-party product.

In addition to being vast in scope and scale, Krack is a particularly nasty, versatile flaw, allowing hackers to intercept credit card numbers, passwords, photos and a whole host of sensitive personal information.

It works like this: A hacker finds a vulnerable WPA2 network, and then makes an exact copy of it, including impersonating the MAC address. This clone then serves as a “man in the middle” allowing the hacker who controls it to intercept everything passing through it.

WPA2 encryption requires a unique key to encrypt each block of plain text, but because Krack attacks make a copy that’s indistinguishable from the original, they’re able to use the same encryption key.

As bad as that is, it gets worse for Android and Linux users. Thanks to a bug in the WPA2 standard, these devices don’t force the client to demand a unique encryption key with each use. Instead, they allow the key to be “zeroed out,” literally creating an encryption key containing all zeroes, which interferes with a key part of the handshake process.

In addition to that, hackers can deploy specialized scripts that can cause the connection to bypass HTTPS, which leaves passwords and other normally protected data exposed.

If there’s a silver lining, it is that the attack can’t be used to target routers directly, but honestly, that’s not much of a silver lining, because the potential damage this new vector could cause is virtually without limit.

Unfortunately, until a patch is released, there’s not much you can do, short of turning off WiFi altogether. This may work for smartphone users, but it is simply impractical for routers.

There’s some good news, though. The fix should be relatively easy to implement, although no ETA has been given at this point.

Update: WiFi Security Issue That Could Impact Most Routers, Smartphones

Recently, we wrote an urgent article about a serious security flaw in the current WiFi standard that could impact almost every wireless router and smartphone on the planet.

Dubbed the “Krack Attack,” this flaw allows a hacker to make a carbon copy of your WPA2-encrypted network, spoof its MAC address, change the WiFi channel and reroute all network traffic through the clone that they control.

This, of course, allows them to spy on all network traffic and execute a wide range of “man in the middle” attacks against any traffic passing through, which opens the door to tremendous damage.

Microsoft has been quick to respond to the latest threat and has already released a patch which addresses the issue for Windows-based PCs. If you’re running Windows 8 and above and automatically getting security updates, then you should already have the patch, and you are protected.

That’s good news, given how large a footprint Windows has, but sadly, it does not completely solve the problem.

That’s because Android and Linux-based systems are even more at risk. In those cases, a second flaw makes the problem worse. They do not demand a unique encryption key, which makes it easier, by far, for hackers deploying the Krack Attack to abuse devices running those operating systems.

There’s been no word on an ETA for a Linux fix, but Google has announced that an update planned for release on November 6 will resolve the issue on that front. For Apple’s part, the company reports that the flaw has been addressed in beta versions of macOS, iOS, tvOS, and watchOS. They are anticipating rolling out live versions of these fixes later this month, although a specific release date has not been announced at this point.

All that to say, regardless of which platform you’re using, hang tight. Help is on the way, and kudos to Microsoft for being the first tech giant out the gate with a solution.

New Malware Can Infect Computers, Even With Windows Defender

Researchers at the security firm CyberArk have discovered a new attack vector they’ve dubbed “Illusion Gap.” While it’s somewhat tricky for a hacker to implement, when it works, it can be devastatingly effective, completely bypassing Windows Defender, which is security software that comes pre-loaded on all Windows-based computers.

To successfully execute the attack, the hacker relies on a combination of social engineering tricks and the use of a rogue SMB server. Thanks to the way Windows Defender scans files stored on an SMB share, if the attacker can convince a user to execute a poisoned file hosted on a malicious server, then Windows Defender can be bypassed completely.

This is actually not as difficult as it may first appear. Often, simply presenting the user with a shortcut to the poisoned file is sufficient, and the moment that a user double clicks the shortcut, the damage is done.

Windows Defender does try, because before the file is executed, it requests a copy for scanning purposes, but the hackers can simply substitute a clean copy of the file to hand off to Windows Defender, tricking it into thinking that there’s no problem. That done, the poisoned file executes and can inject whatever code the hacker likes into the target system.

Unfortunately, Microsoft does not view this as a security issue at all. CyberArk contacted Microsoft when they discovered the flaw, and received the following as a response from the company:

“Thanks for your email. Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature request which I have forwarded to the engineering group.

Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.”

All that is to say, where Illusion Gap is concerned, you’re on your own, at least for the time being. Be very careful when you click on any file hosted on an SMB server, or any shortcuts to them.

Several Security Issues Found In Solutions That Use DNSmasq

Open source tools offer a lot of compelling advantages, with one of the biggest and most important being that they tend to have relatively fewer bugs and security flaws. The reason is that they’re open source initiatives, and anyone can dig into the source code and tweak it to make it better.

Unfortunately, there are exceptions to every rule, a fact that was brought into painful focus recently by a group of Google security researchers who found not one, not two, but a total of seven critical security flaws in an open source program called DNSMasq.

DNSMasq comes pre-installed on some Linux machines (Ubuntu and Debian) and is frequently used on home routers, smartphones and a variety of “smart” devices. Worldwide, there are approximately 1.1 million active installations.

Per the research team: “We discovered seven distinct issues over the course of our regular internal security assessments. Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of DNSMasq, Simon Kelley, to produce appropriate patches and mitigate the issue.”

Since all of the issues have been patched, Google has released the Proof-of-Concept exploit code for each of the bugs they found. Of them, three would have allowed a user to execute code remotely, and three others would have made it possible to commandeer a device so it could be used in a denial of service attack.

If you use DNSMasq, be sure you update your software to version 2.78 or later so that you’re using a version which contains the bug fixes. For Google’s part, they issued an update on Sept. 5, 2017 that fixes the issue on any Android device running the software.

Mac Computers Are Still Suffering From EFI Hack

One of the first, best pieces of advice computer owners get is to always keep their operating system up to date. It’s sound advice, because OS manufacturers generally do a good job of responding to new attack vectors and releasing security patches designed to make sure that hackers don’t have an easy time breaking into your system.

Mac users, though, face a slightly different problem. It’s one that can’t be solved by something as simple as keeping their OS current.

The issue lies with EFI, which stands for Extensible Firmware Interface. This technology was designed by Intel, not Apple, and it is the bit of code that runs before the Apple OS boots up and takes over. Unfortunately, any code, firmware included, can contain flaws and security vulnerabilities, and in the case of EFI, hackers have found a way in that bypasses Apple’s normally robust security measures.

By injecting malicious code prior to the OS taking the reins, hackers have been able to quietly infect a surprising number of Mac machines, and because the firmware isn’t part of the OS proper, none of Apple’s security updates touch it.

It’s certainly possible for the company to push firmware updates, but these are handled differently than OS security patches, and as such, not all users get them. Even if they get a notification, they may not install the update.

In fact, recent research by the security company “Duo Labs” analyzed more than 73,000 Macs and found that 4.2 percent of them were running firmware versions with known vulnerabilities.

This is a problem badly in need of a robust solution. Users have been conditioned to install OS security updates, but rarely think about the firmware that controls the initial boot process, and as such, have a blind spot for the dangers that outdated firmware represents.

So far, Apple has shown surprisingly little interest in offering a more reliable firmware update solution, so if you use Mac computers in your home or office, for the time being at least, it falls to you to be sure that you’re updating not just the OS that drives your machine, but the firmware that your OS relies on.

Literally Every Yahoo Email User Was Hacked In 2013 Breach

Late last year, Yahoo announced that it was the victim of the largest data breach in history. It impacted, by their initial estimates, fully one third of their user base, some one billion users.

As it turns out, Yahoo’s estimates were wildly inaccurate. Literally every person who had a Yahoo account in 2013 was impacted, making the total in the neighborhood of three billion accounts (yes, that’s billion, with a “B”).

If you’re a Yahoo user, and have had your account since 2013 or before, then your account was impacted, regardless of whether you received a notification from the company.

You may be tempted to simply delete your account, especially if it’s one you no longer use on a regular basis, but don’t. Yahoo’s policy is to recycle defunct accounts after thirty days, meaning your account can be hijacked by anyone if you delete it.

The best bet is to change your password immediately and enable two-factor authentication to provide an added layer of protection.

Also, if you’re in the habit of using the same password across multiple websites, be sure to change any that share your Yahoo.com account’s password. One of the first things a hacker will try is to use compromised credentials on other accounts. If you don’t take immediate action, you’re essentially handing the hackers the keys to your digital kingdom and opening yourself up to identity theft, compromised bank accounts and credit cards and more.

In fact, this would be a great time to simply get out of the habit of using the same password across multiple web properties. It’s a bad habit, and if it’s one you’ve developed, then it’s time to make a change. True, it’s not as convenient, and having to remember multiple passwords can sometimes be annoying, but isn’t your digital security worth it?

Be Careful – Fake Amazon Emails Could Hold Locky Ransomware

For a time, it seemed we had reached the high-water mark where Locky Ransomware was concerned. After the big, global attack earlier this year, interest in that particular strain of ransomware seemed to wane as hackers went off in search of the “next new thing” to deploy against the unwitting public.

Unfortunately, rumors of Locky’s death may have been highly exaggerated. A massive new email campaign is underway, using Amazon as a cover, and the infected emails come bearing Locky as a “gift” to anyone who opens them and downloads the attachment.

While no one knows who is behind the Locky software itself, this new email campaign is being run through a large botnet-for-hire called Necurs, which is currently made up of more than five million devices from all over the world.

These devices have been sending out a million emails an hour that appear to come from Amazon and contain downloadable attachments with their malicious payload.

The hackers are being quite savvy about the operation too, timing the sending of their emails so that they arrive during normal working hours, which makes them seem more legitimate. As ever, anyone unfortunate enough to download the attachment contained in one of these emails will soon find all the files on their system encrypted, and get a notification that they must pay a ransom in Bitcoin if they want the unlock code to get their files back.

It gets even worse, though. This latest attack does more than just install Locky. It also installs a program called “FakeGlobe,” which appears to be another variant of ransomware that’s designed to trigger after files are unlocked. So, even if you pay the ransom, you may find yourself immediately facing newly encrypted files and having to pay a second one.

As ever, the keys to avoiding scams like these are vigilance, employee education and a robust backup and file recovery plan, in the event that someone in your organization does open one of these emails.

A Million Imgur Users Affected By Breach

Do you use the image hosting service, Imgur? If you do, there’s a slight chance that you’ll be prompted to change your password the next time you log on. That’s because the company’s servers were breached in 2014, and the hackers made off with 1.7 million usernames and passwords, which represents just a tiny fraction of the company’s 150 million users.

Although the breach happened a few years ago, the company only found out about it on Thanksgiving Day of this year. Their response was immediate and decisive. The company called people in over the holiday and notified their impacted users just 25 hours and 10 minutes after discovering the details of the incident.

Contrast that to Uber’s handling of their most recent hack. They kept their impacted users in the dark for more than a year, and worse, paid the hackers $100,000 to keep the incident quiet. It’s easy to see why security professionals around the world have lauded Imgur for their handling of the hack.

Three key things to note in relation to the breach:

  • Not much information was stolen during the hack because Imgur doesn’t ask its users for much in the way of personal information in the first place. However, if you use your Imgur password on other systems, you could be at additional risk.
  • At the time of the breach, Imgur was using SHA-256 to hash passwords, which is fairly robust and impractical for most hackers to crack due to the amount of computational power required.
  • In 2015, the company switched to an even more secure algorithm, bcrypt, so if the company is breached again in the future, it’ll be even harder for the hackers to glean anything useful from any data stolen.

All that to say, if you’re looking for a benchmark to compare yourself to if you’re ever hacked, Imgur’s example would be an excellent one to follow.
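To see why the move from SHA-256 to bcrypt matters, the following added example (not Imgur’s code) measures how much it costs to check a single password guess against each kind of stored hash. bcrypt is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it as the deliberately slow, salted hash; the iteration count and candidate list are assumptions.

```python
import hashlib
import hmac
import os
import time

# Added example, not Imgur's code. PBKDF2-HMAC-SHA256 stands in for bcrypt
# (which needs a third-party package); the property shown, cost per guess,
# is the same one that makes bcrypt far harder to attack than bare SHA-256.
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune so one check takes ~100 ms


def fast_hash(password: str, salt: bytes) -> bytes:
    """Single SHA-256 over salt+password: one cheap operation per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Iterated KDF: every guess costs PBKDF2_ITERATIONS hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password: str, slow: bool) -> dict:
    """Store a fresh random salt plus the digest, as a site would in its user table."""
    salt = os.urandom(16)
    digest = (slow_hash if slow else fast_hash)(password, salt)
    return {"salt": salt, "digest": digest, "slow": slow}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    fn = slow_hash if record["slow"] else fast_hash
    return hmac.compare_digest(fn(candidate, record["salt"]), record["digest"])


def seconds_per_guess(record: dict, candidates) -> float:
    """Average cost of checking one candidate against a stored record."""
    start = time.perf_counter()
    for c in candidates:
        verify(record, c)
    return (time.perf_counter() - start) / len(candidates)


# Constructed candidate list, standing in for the common-password lists that
# get run offline against leaked hashes.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou"] * 2


def cost_ratio(password: str = "correct horse") -> float:
    """How many times more expensive one guess is against the slow record."""
    fast = seconds_per_guess(make_record(password, slow=False), CANDIDATES)
    slow = seconds_per_guess(make_record(password, slow=True), CANDIDATES)
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    print(f"each guess is about {cost_ratio():.0f}x slower against the KDF-protected hash")
```

The ratio is what a defender tunes: raising the work factor slows every offline guess by the same factor while a legitimate login still costs only one check.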

Bug in macOS Could Allow Hackers Root Access

Do you own a Mac? Is it running Apple’s latest macOS, the “High Sierra?” If so, be extra careful with who you allow access to your machine.

A security flaw recently discovered by a developer named Lemi Orhan Ergin can easily allow anyone unfettered access to everything on your machine, and by extension, give them an easy “in” to whatever network it’s connected to. All they need is physical access.

Exploiting this vulnerability is a lesson in simplicity. All a hacker has to do is enter “root” in the username field, leave the password field blank, and press Enter.

Done.

They now have total access.

Needless to say, this is a large and rather glaring security issue, and one which Apple will be remedying in the near future via a patch. Until they do, however, be aware that the physical security of your Mac is of paramount importance. Leaving your workstation unsecured and unattended, even for a few minutes, is all it would take to lose control over all the files on your machine and give a hacker access to the even more sensitive data lurking elsewhere on your company’s network.

Unfortunately, as bad as this security flaw is, it’s not the only recent stumble by Apple. Just last month, the company had to issue an emergency patch to fix a flaw that affected encrypted volumes, where the password hint section was displaying the actual password in plain text.

To try this exploit out for yourself to verify how easy it is to use, simply do the following:

  • Open your machine’s System Preferences and select “Users and Groups”
  • Click on the lock icon, which will allow you to make changes. You’ll get a user name and password box at this point
  • Type in “root” in the username field
  • Move the cursor into the password field and hit enter

That’s all there is to it.

Until Apple issues their patch, the best thing you can do is leave your machine on and lock your workstation when you step away. At least that way, the hacker would have to know your current password in order to gain access.

Of course, they could simply power the machine off and reboot, but that would take a bit more time, during which they could be discovered.

It’s far from perfect, but for the time being, it’s the best protection you have.

New Hack Attempts To Access Office 365 Passwords

Companies are getting better at detecting and fending off brute force attacks. Depending on how big, and how hard-hitting the attack is, it can still get through, of course, but the main problem with such an attack is that it’s impossible to miss. The moment it starts, security professionals know what’s going on, and can immediately spring into action.

Of course, the hackers know this, and have been looking for ways around the problem. How can they launch an attack that will go unnoticed?

Now, it seems that they have a viable answer: low and slow.

It requires patience. Rather than hitting hard and all at once, this new attack vector utilizes a small number of machines and a low attack frequency in order to stay under the radar. Often, the hackers orchestrating such attacks will spread them out over weeks, or even months, and alternate between several different companies, on the theory that if the attempts don’t trigger any alarms, the security folks won’t go on high alert, and the hackers can keep chipping away until they get lucky and break in.

While it hasn’t worked so far, the new approach did manage to go unnoticed for a number of months before the pattern was detected by SkyHigh Security.

The attack they discovered is an especially clever one. It has been going on since May, and it seeks to target email accounts not controlled by individuals, but used to fulfill other corporate functions. These are things like service automation, marketing and other system accounts.

The reason? Most of these don’t use two-factor authentication, and most people who check those types of accounts don’t expect to see malicious emails in those inboxes, and are thus more likely to click on embedded links, even if sent by accounts that are unrecognized.

Nothing is currently known about the group behind the attacks. The attacks are focused on high-value targets in the financial services and medical fields and attempt to gain access to Office 365 accounts, which would give the attackers access to a wealth of sensitive corporate information.

Although there’s no evidence that the attack has succeeded to this point, it is as clever as it is insidious, and definitely something to be aware of. From a practical standpoint, the strongest defensive move you can make is to be sure that all of the aforementioned types of email accounts are using two-factor authentication.
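The low-and-slow pattern described above (a handful of failures a day, spread across several system accounts, never enough in one hour to trip a burst alarm) is exactly what a per-hour threshold misses and a long-window rule has to catch. The following is an added example, not SkyHigh’s or Microsoft’s code, run over constructed sign-in events; the IP addresses, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real data: (timestamp, source_ip,
# account, result). One source hammers a single mailbox, one spreads a
# failure a day across service accounts for a month, one is a real user.
BASE = datetime(2017, 5, 1, 9, 0)
SERVICE_ACCOUNTS = ["svc-automation", "marketing-bot", "noreply", "reports", "hr-system"]

def build_events():
    events = []
    # Classic brute force: 40 failures in ten minutes against one account.
    for i in range(40):
        events.append((BASE + timedelta(seconds=15 * i), "203.0.113.7", "cfo", "FAIL"))
    # Low and slow: one failure per day for 30 days, rotating through accounts.
    for day in range(30):
        acct = SERVICE_ACCOUNTS[day % len(SERVICE_ACCOUNTS)]
        events.append((BASE + timedelta(days=day, hours=day % 7), "198.51.100.23", acct, "FAIL"))
    # Legitimate user who mistypes twice and then signs in.
    events += [(BASE + timedelta(days=3), "192.0.2.10", "alice", "FAIL"),
               (BASE + timedelta(days=3, minutes=1), "192.0.2.10", "alice", "FAIL"),
               (BASE + timedelta(days=3, minutes=2), "192.0.2.10", "alice", "OK")]
    return sorted(events)

def burst_alerts(events, threshold=20, window=timedelta(hours=1)):
    """Short-window rule: a source with `threshold` or more failures inside `window`."""
    fails = defaultdict(list)
    for ts, src, _, result in events:
        if result == "FAIL":
            fails[src].append(ts)
    flagged = set()
    for src, times in fails.items():
        start = 0
        for end, ts in enumerate(times):  # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def low_and_slow_alerts(events, span=timedelta(days=30), min_accounts=4, max_per_day=3.0):
    """Long-window rule: one source, many distinct accounts, no successes, and a
    failure rate low enough to stay under the burst threshold."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = set()
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        if not fails or any(e[3] == "OK" for e in evs):
            continue
        first, last = fails[0][0], fails[-1][0]
        days = max((last - first).days, 1)
        accounts = {e[2] for e in fails}
        if last - first <= span and len(accounts) >= min_accounts and len(fails) / days <= max_per_day:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    events = build_events()
    print("burst rule flags:       ", burst_alerts(events))         # {'203.0.113.7'}
    print("low-and-slow rule flags:", low_and_slow_alerts(events))  # {'198.51.100.23'}
```

The long-window rule deliberately skips sources that ever succeed, so a success following a string of failures from the same source deserves its own rule, and the thresholds need tuning against your own baseline of service-account traffic.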