New Malware Takes Screenshots and Steals Your Passwords

Recently, a new strain of malware called “SquirtDanger” has been found by researchers at Palo Alto Networks Unit 42, and it’s a particularly nasty one for a couple of reasons.  First and foremost, the owner of the malware isn’t orchestrating campaigns himself, but rather, selling his product as a commodity on the Dark Web.

That has troubling implications because the malware is quite advanced, and since it’s being sold to a broad cross-section of hackers, odds are excellent that it will be used in numerous campaigns that could affect a number of industries.

As for the software itself, it gives the hackers who purchase it a vast array of tools. It communicates back to its controller every minute, giving the hackers who use the malware a tremendous amount of useable data.

Among other things, SquirtDanger can take live screenshots of an infected device, steal passwords, and send, receive, or delete files on the target system.  It can also swipe directory information and drain the contents of cryptocurrency wallets, making it something of a “Jack-of-All-Trades” malware.

Also, there’s no single attack vector being used to infect machines with SquirtDanger. According to the research team, the most common means of infection is that the malware is disguised as a piece of legitimate software and installs when the poisoned executable file is run.

Researchers from Unit 42 had this to say on the matter: “Being infected with any type of malware represents significant danger to an individual or victim. However, because of the large list of capabilities this malware family includes, it would certainly be very bad for the victim.”

At latest count, the researchers have discovered 1,277 unique SquirtDanger samples in the wild, tied to 119 unique command and control servers that were widely geographically dispersed.  Odds are, there are many more samples that have yet to be discovered.  Be on your guard; it doesn’t appear that this threat will abate anytime soon.

The U.S. Is The Most At Risk Nation For Cyber Attacks

Being “number 1” isn’t always a good thing.  Rapid7 has just published their third annual “National Exposure Index,” and unfortunately, the United States has the dubious honor of being the nation most at risk for a cyber attack on its core services.  The group’s methodology for ranking national exposure comes down to tracking the number of exposed services and comparing this number to the nation’s total allocated IP address space.

Ranked in this way, the top four most vulnerable countries are:

  • The United States
  • China
  • South Korea
  • The UK

All told, these four nations control more than 61 million servers listed on at least one of the points surveyed by Rapid7.

Drilling down a bit more deeply, the report also contained this chilling fact:

“There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL.  Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss in a coordinated attack.”

Given that this year has already given us the largest DDoS attack in the history of the internet, Rapid7’s findings should not be taken lightly.  The risks are very real, which is why the company is so strongly committed to the publication of their annual report.

As they put it:

“…national internet service providers in these countries can use these findings to understand the risks of internet exposure, and that they, along with policymakers and other technical leaders, are in an excellent position to make significant progress in securing the global internet.”

A lofty goal indeed.  Unfortunately, although the data is illuminating, there are no quick or easy answers here, especially in the United States.  Thus far, the U.S. has struggled to put together a cohesive digital security policy at the national level, which seems unlikely to change at least in the near future.

Information On 48 Million People Leaked Through Massive File

File this one away under self-inflicted wounds.  It has recently come to light that a company called LocalBox left a massive data file vulnerable on a cloud server.  The data file was more than a terabyte in size and contained detailed psychometric profiles of more than 48 million people.

LocalBox describes itself as a combined personal and business data search service, but most of its revenue comes from psychometric profiles created by mining data from a wide range of publicly available sources (social media, public records, and the like).  On the company’s website, they describe themselves as being “the First Global Customer Intelligence Platform to search, combine and validate deep business and people profiles – at scale.”

The UpGuard Cyber Risk Team got confirmation from Ashfaq Rahman (LocalBox’s co-founder) that the data file had been placed on a misconfigured cloud-based storage system.  The misconfiguration left the file vulnerable. The file included names, dates of birth and physical addresses culled from sources including Twitter, LinkedIn, Facebook, Zillow (a popular real estate site), and more.

UpGuard researchers had this to say about the incident:

“In the wake of the Facebook/Cambridge Analytica debacle, the importance of massive sets of psychographic data is becoming more and more apparent.  This combination of information begins to build a three-dimensional picture of every individual affected–who they are, what they talk about, what they like, even what they do for a living–in essence, a blueprint from which to create targeted persuasive content, like advertising or political campaigning.  If the legitimate uses of the data aren’t enough to give pause, the illegitimate uses range from traditional identity theft, to fraud, to ammunition for social engineering scams such as phishing.

The data gathered on these people connected their identity and online behaviors and activity, all in the context of targeted marketing, (i.e., how best to persuade them).  Your psychographic data can be used to influence you.  It is what makes exposures of this nature so dangerous, and also what drives not only the business model of LocalBox, but of the entire analytics industry.”

Terrifying indeed.

Another Vulnerability Found In Intel CPUs

More bad news for Intel. Yet another security flaw has been identified in the processors the company makes.  This one is so newly discovered that the full technical details have yet to be released.  Here’s what we know so far, from a recent Intel announcement:

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch…Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other process through a speculative execution side channel that infers their value.”

In simpler terms, a hacker could use this flaw to recover partial cryptographic keys used by other programs running on the target computer.

While related to the recent Spectre and Meltdown security flaws, this one is different in two ways.  First, it’s not quite as severe as the previously discovered flaws in scope or scale.  To make use of it, one would require an incredibly exotic attack that would simply be beyond the capabilities of most hackers.

Also, it should be noted that where Spectre and Meltdown impacted dozens of chipsets dating back more than a decade, the “Lazy FP State Restore” flaw only impacts chips beginning at Sandy Bridge.

The other key difference is that the flaw in this case does not reside in the hardware.  That’s good news for businesses of all shapes and sizes, because it means that when Intel and their hardware vendors have a patch ready, it will be quick and relatively painless to install it.

Unfortunately, since the initial discovery of Spectre and Meltdown, a number of variants of those flaws have emerged, and now this new one.  It’s unlikely that this will be the last we’ve seen of these types of issues, so if you’re using Intel equipment, brace yourself.  There’s likely more to come.

WiFi Sync on iOS Vulnerable To TrustJacking

Owners of Apple devices have a new attack vector to worry about, called “TrustJacking.”  Symantec researchers recently stumbled across a pair of scenarios that take advantage of Wi-Fi syncing of various Apple devices. These are scenarios that also take advantage of the trust users have in the security of their own devices, allowing hackers to take complete control over those devices.

The flaw is a consequence of the way that iTunes Wi-Fi Sync is designed.  The vulnerability manifests when a device is connected and the user selects the “sync” feature. This creates an opening which could potentially allow a hacker to take complete control over the device.

The first issue manifests like this: with the “sync” setting enabled, the device owner has access to both that device and a paired iPhone over a wireless connection, even after the device is disconnected from the syncing service.  That sets up part one.

Part two of the first scenario requires a bit of social engineering, where a hacker tries to trick the device owner into clicking on a malicious link that will install malware of the hacker’s choosing on the vulnerable system.

The second scenario targets users who are traveling.  A hacker could take control of a free airport charging station.  In order to make use of those free charging stations, users are required to trust the device.  As soon as that happens, the hacker controlling the charging station can remotely issue a command to connect to iTunes, and then enable the sync command.

Once those two steps are completed, even when the victim disconnects from the charging station, the hacker can still access the compromised device remotely, gaining access to most (if not all) of the user’s private information.

Unlike similar, recently discovered vulnerabilities in Apple products, this one distinguishes itself by allowing the hacker permanent access to the device, making it a dangerous vulnerability indeed.

Google Cracking Down On 3rd Party Browser Extension Installs

Malicious code can wind up on your PC or phone by any number of roads.  Companies do their best to guard the digital passes, but invariably, things get missed and the hackers find a way in.  It’s a constant battle, and sadly, one that the good guys are losing.

Recently Google has stepped up its efforts, this time by focusing on Chrome browser extensions installed by third parties.  By the end of the year, no extensions will be allowed on Chrome except for those acquired via the Web Store.

James Wagner, Google’s Product Manager for the Extensions Platform, had this to say on the topic:

“We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly – and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites.”

It’s a thorny problem, but industry experts broadly agree that Google is taking the right approach here.  Beginning in September, Google plans to disable the “inline installation” feature for all existing extensions.  The user will instead be redirected to the Chrome Web Store where they’ll have the option to install the extension straight from the source.

Then, in December 2018, the company will remove the inline install API from Chrome 71, which should solve the problem decisively.

Of course, hackers being hackers, they will no doubt find a way around that, but kudos to Google for taking decisive action here.  While browser extensions aren’t a major attack vector, it’s troublesome enough that Google’s attention is most welcome.

It should be noted that one of the indirect benefits of Google’s plan is that it further bolsters the importance of user ratings of extensions.  They’re highly visible on the Web Store, so anyone who’s considering installing something has a good, “at-a-glance” way of telling whether the extension is good or a scam. That’s information they wouldn’t get had the extension been installed inline.

Again, kudos to Google!

Hackers Can Use PDF Files To Access Windows Credentials

Security researcher Assaf Baharav from Check Point Security has discovered a new twist on an old, fairly well-known attack.  He was able to essentially “weaponize” PDFs to steal Windows credentials stored in NTLM hashes.  Unfortunately, no action other than simply opening the PDF is required for the hacker to gain access to the information.

Baharav used the same methodology that hackers have used in the past, which amounts to initiating SMB requests from inside the document.  Hackers have already performed these types of attacks from inside web browsers, Windows shortcut files, shared folders, Microsoft Office documents, and Microsoft Outlook. Using a PDF to run the exploit is something new.

Baharav had this to say about his research:

“We chose to test these two high profile readers (Adobe Acrobat and the FoxIT reader).  Regarding the others, we highly suspect they may be vulnerable as well.  We followed a 90-day disclosure policy by notifying only Adobe and Foxit regarding the issues.”

Foxit did not respond to the information Baharav sent, but Adobe did.  Unfortunately, their response was not encouraging.  They simply announced that they had no plans to address the issue, deferring to Windows OS-level mitigations (reference Microsoft Security Advisory ADV170014).

Microsoft released this advisory to provide instructions on how to disable the NTLM SSO authentication inside the Windows operating system.  This is a workable solution, but it has problems.

For starters, it’s not really a patch, but rather the modification of a specific registry key and then the implementation of a network isolation policy.  Worse, it’s only applicable to Windows 10 and Windows Server 2016 machines.  People who have older systems are simply left vulnerable.
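The network isolation policy mentioned above boils down to one rule: a workstation should never be allowed to open SMB sessions to hosts outside its trusted subnets, which is exactly what a credential-leaking document relies on. The following detection check is an added example, not code from the article, Check Point or Microsoft; it assumes a simple constructed `key=value` firewall export format and the RFC 1918 ranges as the organisation's internal subnets.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample log lines (not a real vendor format). One workstation
# reaches an internal file server, another two reach public addresses on
# SMB ports, and one attempt is already blocked by an egress rule.
SAMPLE_LOG = """\
ts=2018-05-01T09:12:03Z action=allow proto=tcp src=10.0.4.17 dst=10.0.0.5 dport=445
ts=2018-05-01T09:12:41Z action=allow proto=tcp src=10.0.4.17 dst=203.0.113.44 dport=445
ts=2018-05-01T09:13:02Z action=allow proto=tcp src=10.0.4.22 dst=198.51.100.9 dport=443
ts=2018-05-01T09:13:30Z action=allow proto=tcp src=10.0.4.22 dst=198.51.100.9 dport=139
ts=2018-05-01T09:14:11Z action=deny proto=tcp src=10.0.4.31 dst=192.0.2.77 dport=445
"""

# Ports used by SMB (direct TCP and NetBIOS session service).
SMB_PORTS = {445, 139}

# Assumed trusted subnets; in practice take these from the isolation policy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; unknown or empty lines give {}."""
    return dict(FIELD_RE.findall(line))


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the trusted subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text: str, only_allowed: bool = True) -> List[Dict[str, str]]:
    """Return records of SMB connections to non-internal destinations.

    With only_allowed=True, denied attempts are skipped so the result is
    the list of sessions that actually left the network (the ones that can
    carry an NTLM exchange); with False, blocked attempts are included too.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        try:
            dport = int(rec["dport"])
            dst = rec["dst"]
        except (KeyError, ValueError):
            continue  # malformed or irrelevant line
        if dport not in SMB_PORTS or is_internal(dst):
            continue
        if only_allowed and rec.get("action") != "allow":
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_smb_egress(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} (SMB egress)")
```

On a real export, every allowed record this returns is a candidate NTLM leak to investigate; a denied record shows the isolation policy doing its job.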

Be on the alert, then: PDFs can now be used to steal credentials.  It appears that every reader is affected and that no help is coming for older systems.

Apple Will Officially No Longer Sell Routers

After more than two decades in the business, Apple is officially going to stop selling routers.  The writing has been on the wall for a while now, since the company’s “AirPort” family of products hasn’t received a significant update in more than five years.

When Apple first introduced its AirPort product line, wireless computing was still something of a rarity, and Apple’s offerings were ahead of their time.  In the years between then and now though, the market has changed significantly.  Unfortunately, Apple’s product line never really changed with it.

These days the competition is fierce with industry giants like Google and Linksys both offering great options for power users. With the rise of mesh networks, the AirPort product line has fallen increasingly behind the times.

The company announced that it would sell its existing AirPort product inventory and support its current user base for the time being, but after that, it would quietly fade away.  The company has simply moved on and has redirected its efforts toward other initiatives.

In looking at the broader market, it’s not a huge blow. Of course, if you own and use an AirPort product, now is the time to begin casting about for alternatives.  The clock is ticking, and once Apple sheds its existing inventory, we can expect to get an end of support date from them. This will leave any AirPort products still in operation at that point increasingly vulnerable to a variety of hacks.

Even so, given how ubiquitous wireless networking is these days, and how many powerful options are out there, finding a replacement for your AirPort product shouldn’t present too much of a challenge.  Just make sure your IT staff knows that the end is nigh, so they can get a replacement in place before the clock runs out.

Study Shows People Prefer Alternatives Over Passwords

File this one away under “confirming things we already knew.”  A recent study conducted jointly by Blink and Trusona confirmed that people just don’t like passwords very much.

Their study tracked the login behavior of 148 participants over a three-week period.  Without knowing the true purpose of the study, participants were asked to log into a gift idea generation website at least three times a week.

They were given the option of a “classic” (password-based) login, or an “easy” login option, which utilized alternative forms of authentication.

The results should surprise no one, but here are some of the statistics collected during the course of the experiment:

  • 84 percent of participants utilized the easy login at least once
  • 47 percent of participants utilized the classic login at least once
  • Those who used the easy login had successful logins 78 percent of the time
  • Those who used the classic login had successful logins 56 percent of the time

Per Robert Capps, a VP for NuData Security,

“This report shows that consumers are ready to move beyond passwords and usernames to more secure authentication methodologies.  Using a multilayered authentication framework that combined behavioral analytics with biometrics allows companies to verify users accurately without adding unnecessary friction and detect any unauthorized activity before it enters the environment.

Multilayered solutions that include these technologies analyze hundreds of data points throughout a session and create an evolving profile of a user across the session.  Passive biometrics and behavioral analytics are technologies that can provide this level of monitoring without adding friction to legitimate users, thus creating more convenient experiences for users.”

Clearly, users don’t like passwords.  Unfortunately, there’s currently no technology on the market capable of the feats Mr. Capps describes.  There are several promising models and products in varying stages of development, but sadly we’re still a ways off from realizing a password-free, hyper-secure login paradigm.  That day is no doubt coming though, and not a moment too soon.

Use Caution Traveling, Hackers Now Have Keys To Hotel Rooms

Score one for the good guys, but with hesitation. Unfortunately, in today’s fast-moving digital world, even a victory doesn’t mean the end of a problem.

Recently, a pair of researchers (Tomi Tuominen and Timo Hirvonen of F-Secure) released information about a new hack they had discovered. It takes advantage of a critical security flaw in the magnetic VingCard locking systems used in hotel chains around the world.

This particular system, produced by Assa Abloy, is deployed in more than 42,000 facilities around the world. So in terms of scope and scale, this flaw impacts literally millions of doors.

The security flaw is about as bad as it gets, too.  The duo found a way that hackers could turn an old, dead RFID key card into a master key that could be used to unlock any VingCard door.  Although the software they used to create the master key card is proprietary, any hacker worth his salt and with a couple hundred dollars to spare for equipment could reproduce the hack on their own, if given time.

Fortunately, long before the pair announced their discovery of the hack, they contacted Assa Abloy privately. They have been working with the company’s R&D department to develop a fix for the security flaw.  That fix has now been deployed, and the researchers stress that so far, there is no evidence that the exploit has ever been used in the wild.

Of course, that doesn’t mean that it couldn’t be used, and just because Assa Abloy has released a fix for the flaw doesn’t mean that everyone will promptly install it. So, the risk is still very real.  If you’re a frequent traveler, take extra precautions and don’t leave your valuables in plain sight in your room.  They may be more vulnerable than you realize.