Huge Spike in Malware With Mining Capabilities

There’s a new type of hacking attack to be concerned with, and it’s growing by leaps and bounds. Called “Crypto-Jacking,” it’s a process by which malicious code is placed on websites. When the sites are visited, the code secretly siphons off a portion of the visitor’s PC, laptop, or smartphone processing power and uses it to mine various cryptocurrencies so that the hackers can profit from it.

Kevin Haley, the Director of Symantec’s Security Response Team, had this to say about the issue:

“Cryptojacking just came out of nowhere.  I think what we’re going to learn in the year to come is when people see the opportunity to take money, they’re going to come up with some really wild ways to do that.”

Based on the statistics the company has been collecting, cryptojacking increased a whopping 8500 percent in the fourth quarter of 2017 alone. As the prices of various cryptocurrencies continue to rise, we can expect to see even more of this because it provides the hackers with a hands-free method of gaining tremendous profits with almost no risk or exposure.

Mike Fey, the President and COO of Symantec adds, “Cryptojacking is a rising threat to cyber and personal security.  The massive profit incentive puts people, devices and organizations at risk of unauthorized coin miners siphoning resources from their systems, further motivating criminals to infiltrate everything from home PCs to giant data centers.”

Perhaps the most insidious aspect of this new attack vector is how easy it is to pull off.  Even a low-skill hacker with a very limited toolset can manage to insert the handful of lines of code needed to begin siphoning resources.

Unlike most other forms of attack, however, no company data is directly at risk. What you can expect to see, though, are serious performance hits as more of your equipment becomes infected. It’s not a happy situation given the importance of speed in today’s fast-paced business environment.

Fitbit and Google Partnership May Raise Privacy Concerns

Depending on which side of the privacy debate you’re on, you’re either going to love or hate this announcement:

“Fitbit intends to use Google’s new Cloud Healthcare API to help the company integrate further into the healthcare system, such as by connecting user data with electronic medical records.”

Rarely has a single sentence been so fraught with risk, while simultaneously promising such great opportunity.

On the plus side, the potential for innovation is virtually unlimited, and this new partnership will no doubt be a boon for the still-struggling wearables market. There are also potential increases in health care delivery efficiency, but the privacy concerns surrounding the issue are very real.

One only has to think back to the recent Allscripts fiasco, in which some 1,500 healthcare providers found themselves impacted by a nasty ransomware attack.

Google already collects copious amounts of data on its users, and with Fitbit angling to tap into healthcare records, the amount of private and personally identifiable information collected on users is bound to grow exponentially.

In addition to that, depending on exactly what data Fitbit attempts to link, it could very well make them a “business associate” from a HIPAA perspective. This can expose one or both companies to increased liabilities and vastly stricter standards on how the data can be used, and the steps that must be taken to safeguard it.

Right now, those details are very much in the air, and the issue could go either way. But there are some legal experts who believe that Google and Fitbit will be able to skirt the issue sufficiently so that they will not gain the “business associate” classification.

For Fitbit’s part, the company had this to say: “We have a longstanding commitment to privacy and data, and our data practices will continue to be governed by the Fitbit Privacy Policy.  We are not sharing our user data with Google, we are partnering with Google to host Fitbit user data, similar to other cloud/hosting service providers.  We take our obligation to safeguard users’ personal information very seriously and are committed to protecting the privacy and security of our users, while being transparent about our data practices.”

Comforting words, but they have done little to allay the concerns of privacy advocates, who see any number of negative outcomes associated with the new partnership.  This is a debate that will no doubt be continuing for quite some time to come.

Intel Releases New Patch For Spectre Chip Issue

By now, you’ve probably heard more than you ever wanted to hear about the critical Intel security flaw known as “Spectre.”  The flaw is massive in scope and scale, impacting every chip that Intel has released over the past decade, and if exploited, would allow a hacker to take complete control over the vulnerable system.  Needless to say, once discovered, the company got to work right away on a fix for the issue.

Unfortunately, there were problems.  Whatever form the fix ultimately took, it was going to mean a performance hit to any machine receiving the update.  Early estimates were that performance could be degraded by between 17 and 24 percent.

As it turns out, things were worse than expected.  Intel’s first attempt at patching the issue can only be described as a catastrophic failure, causing updated systems to spontaneously reboot multiple times a day and ruining performance.  The problem got so bad that the company formally recommended not installing the patch and waiting for a better one to be developed.

That better patch is now available, and has been extensively tested to avoid the problems that plagued the release of the first patch. If you’re running a machine that uses Intel’s sixth, seventh, or eighth generation processor (Skylake, Kaby Lake, or Coffee Lake), or if you’re using a machine running an X-series processor, you should have already received the update via OEM firmware push. If not, now is the time to grab it.

While it’s true that we’ve seen worse bugs and flaws than Spectre, this is as bad as anything we’ve seen recently. Given how many Intel-based machines there are out there in the wild, the problem posed by Spectre couldn’t get much bigger.  Don’t leave yourself vulnerable.  Get the update today.

Mi-Cam Baby Monitor Video Feeds Vulnerable To Hacking

Do you have a Mi-Cam in your home?  Even if you don’t have kids, you may have one. They’re a highly popular, inexpensive means of keeping tabs on the comings and goings inside your home when you’re not around.

As with so many such devices these days, users have the option of installing either an Android or iOS app on their phones so they can peek in remotely, any time they like, and therein lies the problem.

It’s no secret that the IoT is filled with “smart” devices that don’t live up to their name when it comes to security, and the Mi-Cam is no exception. Security researchers have discovered that the communications between the company’s cloud servers, where the video feeds live, and the smartphones of the product’s user base are not secure.

So far, six different vulnerabilities have been identified, all of them critical. Any one of them would allow a hacker to hijack the window into your video feed and use that to scroll through literally every video feed on the company’s cloud, regardless of who owns it.  All told, that’s more than fifty thousand video feeds, accessible from a single point of entry.

It gets worse.  The attack is trivial to perform, because no SSL certificate is needed.  All that’s required is a copy of either the Android or iOS mobile app.

The manufacturer of the Mi-Cam has been notified of these critical security flaws, but as of now, none have been addressed. The company has not released any information about when they might be.  In light of that, if you have one, your best bet is to simply stop using it until the company can at least employ some rudimentary security protocols.

Another 2.4 Million Users Hacked In Equifax Breach

It looks like it’s going to be another bad month for Equifax.  The company just can’t seem to get out of its own way.

In 2017, the company announced a massive data breach that (it initially claimed) impacted some 140 million users.  Several months after the official announcement, the company was forced to revise the number of impacted users upward, as the forensic investigation into the breach continued.

Now, the company has announced a further upward revision of 2.4 million, bringing the total number of impacted users to slightly more than 148 million.

Equifax CEO Paulino do Rego Barros Jr. had this to say about the announcement, which raised more than a few eyebrows:

“This is not about newly discovered stolen data.  It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, making connections that enabled us to identify additional individuals.”

As it did originally, the company has also announced that it will notify the newly identified consumers and offer them credit monitoring and identity theft protection at no cost.

After last year’s congressional hearings on the matter, this portion of the announcement tends to elicit eyerolls. The company is in the credit monitoring business, and the way the company offers its “free” protection is that at the end of the free period, it automatically rolls into a paid plan unless the user cancels the service.

Of course, as with most such schemes, a high percentage of users won’t think about it until they get their first bill. One of the more acidic comments made during last year’s hearings was that the company actually seems to be profiting from their own data breach.  That makes the CEO’s statement that “We are committed to regaining the trust of consumers, improving transparency, and enhancing security across our network” ring a bit hollow.

Trustico CEO Leaks HTTPS Certificate Keys Through Email

The CEO of Trustico, a TLS certificate reseller based in the United Kingdom, finds himself at the center of a controversy that raises a number of disturbing questions about browser-trusted security certificates.

The email at the heart of the controversy was sent to Jeremy Rowley, an executive Vice President at DigiCert. The catalyst that prompted the fateful email was that officials at Trustico notified DigiCert that 50,000 certificates originally issued by Symantec and resold by Trustico had been compromised and should be mass revoked due to security concerns.

Mr. Rowley, not wanting to take such drastic action without proof, asked for it.  In response, Trustico’s CEO emailed the private keys of 23,000 certificates, an action which drew shocked reactions from security professionals around the world when news of the email became public.

If you’re not familiar with the inner workings of browser-trusted certificates, there are a few problems here.  First, there’s no good reason why a reseller should have a copy of the private keys to begin with.  Second, even if that were the norm, to simply email them to a third party shows incredibly poor judgement, especially given that there’s no evidence the email in question was encrypted.  Third, customers used Trustico’s website to generate their private keys, which is a service that should never even have been offered.

To make matters even worse, not long after news of the email hit the internet, Trustico’s website went dark after a security expert posted details of a critical vulnerability in the company’s website. The flaw resides in a site feature that allows customers to confirm that their certificates are properly installed. Unfortunately, Trustico’s website had been compromised, and any time a user used the feature, the hackers could seize the opportunity to run malicious code. It’s a tangled web, and it paints everyone involved in a very bad light.

Microsoft To Help Intel With Security Issues

By now, you’ve almost certainly heard of the “Spectre” and “Meltdown” security flaws that affect every Intel chip produced in the last decade.  Users have been waiting for a fix for both of these since January, when the issues were first discovered.

From the beginning, Microsoft agreed to include the fix for Spectre in its regular software updates but insisted that Intel and PC manufacturers would have to push the Meltdown fix on their own.

Unfortunately, the overwhelming majority of users are still waiting, and in the meantime, untold millions of machines are at risk.  Intel’s first attempt at a fix was so spectacularly bad that the company urged users not to install it until a better fix could be rolled out.

Intel has since released an updated fix, but few users have taken advantage of it so far. The reason is that most users simply don’t know how. They’re not aware that they have to go to Intel’s website to manually download and install it, or wait for an OEM push, which could still be months away.

Given this reality and the extreme danger that Spectre poses, Microsoft has reversed course and agreed to make special Windows update releases that include the Spectre fix.  The first such update, KB4090007, is now out and available to users.

There are a few important caveats to be aware of, however:

  • These special updates will not be delivered automatically. Users will have to go to the Windows Update Catalog, select the appropriate package, and then run it on their computers.
  • The updates are available only for Windows 10, version 1709, and Windows Server, version 1709.
  • The currently available package (KB4090007) is meant for Intel Skylake CPU owners only. Additional packages will be released over the course of the next few months.

Your Kids’ Personal Info May Have Been Compromised

An identity threat company called 4iQ has recently published a report called “Identities in the Wild: The Tsunami of Breached Identities Continues.” Unfortunately, the report contains nothing but bad news. Some of the details are simply confirmations of things we already knew, and some are shocking statistics that will leave you feeling dismayed.

For instance:

  • Cybercriminals and hackers are getting increasingly sophisticated – This isn’t new, but it’s even worse than that. While there are still a few “lone wolf” type hackers, organized syndicates are increasingly coming to the fore.  Their collaboration with each other is accelerating the development of ever-more-advanced tactics.  New threats are emerging at a much faster pace than data security personnel can respond.
  • Personal data breaches are now the second most common cybercrime on the planet, with corporate data breaches not far behind. The reason hackers are increasingly gravitating toward hacks of individuals has everything to do with the fact that most people have little to no security.  It’s just low-hanging fruit.  Corporate hacks are a bit more difficult, but as we’ve seen via the constant parade of headlines, these tend to be more far-reaching, with a scope and scale that can impact tens of millions of users, or more.
  • There has been a shocking 182 percent increase in the number of identities available on the Darknet belonging to children.

This last point is beyond disturbing.  Bad enough that your own personal and confidential data is at risk, but now your kids are increasingly at risk too. Hackers are using their information to apply for credit cards, rent cars and hotels, and more.

In addition to the obvious dangers of hackers around the world knowing everything there is to know about your kids, it can also irreparably damage your kids’ credit, long before they ever have an opportunity to make use of it.  A grim report that bears close reading.

New And Potentially More Dangerous Intel Vulnerability Discovered

The “Spectre” vulnerability that impacts literally every Intel chip made over the last decade keeps finding new ways to make the news.  In this instance, researchers at Ohio State University have discovered a new variant of the vulnerability that they have dubbed “SGX Spectre.”  To understand how it’s different, a bit of explanation is in order.

SGX stands for “Software Guard eXtensions,” and is a feature only found in the latest Intel processors.  It allows applications to create “data enclaves,” which are hardware-isolated portions of a CPU’s processing memory.  The purpose of such enclaves is to give applications a secure space to run operations that deal with especially sensitive data, like passwords and encryption keys.

The original Spectre and Meltdown vulnerabilities were unable to extract any data from SGX enclaves, but SGX Spectre can. Even worse, the recent Spectre patches will do nothing to prevent it.

Intel has announced that on March 16, it will release an update for its SGX SDK that adds SGX Spectre mitigations. App developers will need to integrate the update into their SGX-capable apps and issue an update to all users.

The research team had this to say about the recent discovery:

“SgxPectre Attacks can completely compromise the confidentiality of SGX enclaves.  Because vulnerable code patterns exist…and are difficult to be eliminated, the adversary could perform SgxPectre Attacks against any enclave programs.

Because there are vulnerable code patterns inside the SDK runtime libraries, any code developed with Intel’s official SGX SDK will be impacted by the attacks.  It doesn’t matter how the enclave program is implemented.”

In addition to the discovery of SGX Spectre, the research team discovered new variations of the original security flaws, which they have dubbed MeltdownPrime and SpectrePrime, respectively.  Needless to say, more patches will be forthcoming.

Vega Stealer Malware Goes After Your Saved Credentials

There’s a new security threat to be worried about, and security professionals are warning that it could be very bad indeed.  The new malware is known as the “Vega Stealer,” and is currently being used in a relatively simplistic phishing campaign designed to harvest financial data that has been saved in both Google Chrome and Firefox browsers.  Unfortunately, based on an analysis of the code, it could be a much more serious threat.

Vega Stealer isn’t 100 percent original work, but rather, is a variant of another nasty bit of malware known as “August Stealer.”  Built on the .NET framework, it’s designed to ferret out and steal cryptocurrency wallets, passwords, cookies, saved credit cards, and more.

If your computer is infected, and you’re using Firefox, Vega Stealer will specifically target the files “key3.db” and “key4.db,” along with “cookies.sqlite” and “logins.json,” which store a variety of keys and passwords.

In addition to that, it can also take screen captures of your PC and scan for and steal any file with the following extensions:

  • .pdf
  • .xlsx
  • .xrft
  • .docx
  • .doc

Of course, it would be a trivial matter for the owners of the malware to expand this list even further.

As mentioned, the current campaign isn’t terribly sophisticated, relying on emails bearing titles like “Online Store Developer Required.”  The emails being sent contain a poisoned file called “brief.doc” which contains macros designed to install the malware.

If the recipient opens the Word document, it installs a file named “ljoyoxu.pkzip” in that user’s “Music” directory and then automatically executes it so it can begin harvesting.
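The file targets and the drop-and-execute chain described above translate directly into endpoint detection logic. The following is an added example, not code from the original post or from Proofpoint: a small Python analyser run over constructed file-event lines in a hypothetical “timestamp pid process action path” format, flagging non-Firefox processes that read the Firefox credential stores, processes that read several harvested document types, and a .pkzip written and then executed from a Music folder.

```python
import re
from collections import defaultdict

# Targets named in the article: Firefox credential stores and harvested document types.
FIREFOX_SECRETS = {"key3.db", "key4.db", "cookies.sqlite", "logins.json"}
HARVESTED_EXT = (".pdf", ".xlsx", ".xrft", ".docx", ".doc")
# Drop pattern: a .pkzip written into the user's Music folder.
MUSIC_DROP = re.compile(r"[\\/]Music[\\/][^\\/]+\.pkzip$", re.IGNORECASE)
LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (READ|WRITE|EXEC) (.+)$")

def parse_event(line):
    """Parse one event line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, pid, proc, action, path = m.groups()
    return {"ts": ts, "pid": int(pid), "proc": proc.lower(), "action": action, "path": path}

def analyse(lines, doc_threshold=3):
    """Return {pid: [finding, ...]} for processes showing stealer-like behaviour."""
    pids, secrets = set(), defaultdict(set)
    docs, drops = defaultdict(int), defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, action, path = ev["pid"], ev["action"], ev["path"]
        pids.add(pid)
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        # Firefox legitimately opens its own stores; any other reader is suspect.
        if action == "READ" and name in FIREFOX_SECRETS and ev["proc"] != "firefox.exe":
            secrets[pid].add(name)
        if action == "READ" and name.endswith(HARVESTED_EXT):
            docs[pid] += 1
        if action in ("WRITE", "EXEC") and MUSIC_DROP.search(path):
            drops[pid].add(action)
    findings = {}
    for pid in sorted(pids):
        hits = []
        if secrets[pid]:
            hits.append("firefox_credential_store_access")
        if docs[pid] >= doc_threshold:
            hits.append("bulk_document_read")
        if {"WRITE", "EXEC"} <= drops[pid]:
            hits.append("pkzip_dropped_and_executed_in_music")
        if hits:
            findings[pid] = hits
    return findings

# Constructed sample events (not real telemetry) mirroring the chain described above.
SAMPLE_LOG = """\
2018-05-14T09:01:02 4120 WINWORD.EXE WRITE C:\\Users\\alice\\Music\\ljoyoxu.pkzip
2018-05-14T09:01:03 4120 WINWORD.EXE EXEC C:\\Users\\alice\\Music\\ljoyoxu.pkzip
2018-05-14T09:01:05 5310 ljoyoxu.pkzip READ C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json
2018-05-14T09:01:06 5310 ljoyoxu.pkzip READ C:\\Users\\alice\\Documents\\q1.xlsx
2018-05-14T09:01:06 5310 ljoyoxu.pkzip READ C:\\Users\\alice\\Documents\\notes.docx
2018-05-14T09:01:07 5310 ljoyoxu.pkzip READ C:\\Users\\alice\\Desktop\\invoice.pdf
2018-05-14T09:02:00 2200 firefox.exe READ C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json
2018-05-14T09:02:01 3000 explorer.exe READ C:\\Users\\alice\\Documents\\report.pdf
"""
```

Running `analyse(SAMPLE_LOG.splitlines())` flags the Word process for the Music-folder drop and the dropped file for credential-store and bulk document reads, while the legitimate Firefox and Explorer reads stay below the bar.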

Researchers from Proofpoint, who found the malware strain, had this to say:

“The document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors, including the threat actor spreading Emotet banking Trojan.  However, the URL pattern from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID.  As a result, we attribute this campaign to the same actor with medium confidence.”

Be on your guard.