NijaSecure...: October 2017

Web Attacks Spike in Financial Industry

Web application compromise beats human error as the top data breach cause, putting finance companies at risk for larger attacks, according to a new study.

Web application compromise has topped human error as the most common type of data breach for finance companies. This shift gives the financial sector reason to be worried about broader, and more dangerous cyberattacks, acccording to a recent report from BitSight.

BitSight investigated types of data breaches targeting finance companies over the past three years. After massive cyber attacks hit major corporations in 2017, researchers wanted to learn the growth and impact of different attack types.

What they discovered was a fundamental shift in the types of attacks hitting the sector.

"One of the first things we were interested in was a significant increase in Web application compromise as the type of breach most prevalent within the finance industry," says BitSight data analyst Ryan Heitsmith

When BitSight says a breach is caused by "human error," Heitsmith explains, it's referring to one-off events in which an employee erroneously emailed personal or financial data to the wrong person. These incidents are typically smaller, and easier to contain, than web-based attacks, he says.

Back in 2015, more than half (51%) of breach events were caused by human error, 13% were caused by privilege abuse, and 8% were caused by Web applications. In 2016, human error caused 35% of breach events, followed by DoS (14%), and Web applications (11%).

This year had a significant uptick in Web application compromise, which accounted for 33% of breach events among finance companies in 2017. Human error fell in second, at 21% of events. Heitsmith says there could be a few reasons behind the shift. Better employee education, for one, could be driving the decrease in human error. More detailed reporting is another factor.

"Over the years we've been collecting data breach events at a large scale. We've seen reporting get a lot better, and stricter mandatory breach reporting requirements," he explains. More intense scrutiny in the press has also driven a broader understanding of the threat landscape, he notes.

Web application compromise, or any incident in which a Web application was the attack vector, encompasses a range of incidents including SQL injection attacks or a hacker who bypasses employee authentication to gain access into the company

This year, researchers also saw the threat landscape shift from events primarily caused by internal actors, to those caused by actors outside the company. Researchers note that while internal actors were sometimes malicious, some were making silly mistakes. Not all attacks were intentional or widespread, according to researchers who observe that external actors intentionally seek data through a variety of different exploits.

"What's interesting is these events tend to be larger in significance due to the large number of records lost as a result of data breaches," says Heitsmith of Web application compromise. "Human error incidents are smaller, maybe one to a couple of records, though some might be larger. But in Web applications, the median record count is a lot larger than any of the other breaches we look at within the finance industry."

There is a two-pronged approach to how finance companies can monitor for Web application compromise, he continues. The first is to ensure all Web applications are properly configured and invest in proper Web application security. The second is to use continuous monitoring platforms to keep an eye on third parties, which Heitsmith says is a weak spot in finance.

The spike in Web application compromise shouldn't diminish the focus on human error, which at 21%, is still a large problem. Mandatory employee training, to provide awareness around common exploits and problems like phishing, says Heitsmith, is as important as Web monitoring.

Source: Darkreading

cybersecurity firm discovers severe security vulnerability in LG smart products

Check Point Software Technologies discovered a serious security vulnerability in LG smart products that exposed millions of homes to hackers from around the world. By exploiting the vulnerability, the hackers spied on homeowners and were able to figure out when the houses were empty. According to Check Point, the issue was discovered in July and fixed after two months.

The Israeli cybersecurity giant Check Point Software Technologies revealed Thursday that a severe security vulnerability in LG smart products has been discovered. Hackers have exploited the vulnerability in order to control the devices and surveil the millions of homes where the products are used, making it easier for burglars to spy on homeowners and know when the home is empty. The issue was discovered in July and fixed after two months.

According to Check Point, the security issue was found in the mobile app SmartThinkQ and the LG cloud platform. When hackers gain access to LG user accounts, they can control all the smart electronic devices that are connected to the accounts, such as vacuum cleaners, refrigerators, ovens, washing machines, dryers and air conditioning units.

If an account is linked to an LG Hom-Bot robotic vacuum cleaner, the hackers can monitor the movements and actions of the homeowners through the device’s camera, which streams a live feed to the smartphone using the app. The hackers can also interfere with refrigerator data, change air-conditioning settings and turn on stoves and ovens that are connected to the hacked accounts.

Source: Jerusalem online

DUHK Attack Lets Hackers Recover Encryption Key Used in VPNs & Web Sessions

DUHK — Don't Use Hard-coded Keys — is a new 'non-trivial' cryptographic implementation vulnerability that could allow attackers to recover encryption keys that secure VPN connections and web browsing sessions.

DUHK is the third crypto-related vulnerability reported this month after KRACK Wi-Fi attack and ROCA factorization attack.

The vulnerability affects products from dozens of vendors, including Fortinet, Cisco, TechGuard, whose devices rely on ANSI X9.31 RNG — an outdated pseudorandom number generation algorithm — 'in conjunction with a hard-coded seed key.'

Before getting removed from the list of FIPS-approved pseudorandom number generation algorithms in January 2016, ANSI X9.31 RNG was included into various cryptographic standards over the last three decades.

Pseudorandom number generators (PRNGs) don’t generate random numbers at all. Instead, it is a deterministic algorithm that produces a sequence of bits based on initial secret values called a seed and the current state. It always generates the same sequence of bits for when used with same initial values.

Some vendors store this 'secret' seed value hard-coded into the source code of their products, leaving it vulnerable to firmware reverse-engineering.

Discovered by cryptography researchers — Shaanan Cohney, Nadia Heninger, and Matthew Green — DUHK, a 'state recovery attack,' allows man-in-the-middle attackers, who already know the seed value, to recover the current state value after observing some outputs.

Using both values in hand, attackers can then use them to re-calculate the encryption keys, allowing them to recover encrypted data that could 'include sensitive business data, login credentials, credit card data and other confidential content.'

"In order to demonstrate the practicality of this attack, we develop a full passive decryption attack against FortiGate VPN gateway products using FortiOS version 4." researchers said.

"Our scans found at least 23,000 devices with a publicly visible IPv4 address running a vulnerable version of FortiOS."

Here below you can check a partial list (tested by researchers) of affected devices from various vendors:

The security researchers have released a brief blog post and technical researcher paper on a dedicated website for DUHK attack.

Source: thehackernews

Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe

A new widespread ransomware attack is spreading like wildfire around Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Turkey and Germany, in the past few hours.

Dubbed "Bad Rabbit," is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~ $285) as ransom from victims to unlock their systems.

According to an initial analysis provided by the Kaspersky, the ransomware was distributed via drive-by download attacks, using fake Adobe Flash players installer to lure victims' in to install malware unwittingly.

"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites." Kaspersky Lab said.

However, security researchers at ESET have detectedBad Rabbit malware as 'Win32/Diskcoder.D' — a new variant of Petya ransomware, also known as Petrwrap, NotPetya, exPetr and GoldenEye.

Bad Rabbit ransomware uses DiskCryptor, an open source full drive encryption software, to encrypt files on infected computers with RSA 2048 keys.

ESET believes the new wave of ransomware attack is not using EternalBlue exploit — the leaked SMB vulnerability which was used by WannaCry and Petya ransomware to spread through networks.

Instead it first scans internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop malware, and also uses Mimikatzpost-exploitation tool to extract credentials from the affected systems.

The ransom note, shown above, asks victims to log into a Tor onion website to make the payment, which displays a countdown of 40 hours before the price of decryption goes up.

The affected organisations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine.

Researchers are still analyzing Bad Rabbit ransomware to check if there is a way to decrypt computers without paying ransomware and how to stop it from spreading further.

How to Protect Yourself from Ransomware Attacks?

Kaspersky suggest to disable WMI service to prevent the malware from spreading over your network.

Most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.

So, you should always exercise caution when opening uninvited documents sent over an email and clicking on links inside those documents unless verifying the source to safeguard against such ransomware infection.

Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.

To always have a tight grip on your valuable data, keep a good backup routine in place that makes their copies to an external storage device that isn't always connected to your PC.

Make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date.

Source: the hackernews

BoundHook' Technique Enables Attacker Persistence on Windows Systems

CyberArk shows how attackers can leverage Intel's MPX technology to burrow deeper into a compromised Windows system.

Security researchers at CyberArk have developed a technique showing how attackers can exploit a feature in the Memory Protection Extension (MPX) technology on modern Intel chips to steal data from Windows 10 systems and to remain completely undetected on them.

CyberArk's new BoundHook technique is similar to the GhostHook method that the company revealed earlier this year in that it is a post-exploitation technique. In other words, for BoundHook to work, an attacker would need to already have privileged access on a Windows 10 system.

Microsoft itself, for that reason, has refused to categorize the issue as a vulnerability that merits a security patch. "The technique described in this marketing report does not represent a security vulnerability and requires a machine to already be compromised to potentially work," the company said in a statement. "We encourage customers to always keep their systems updated for the best protection."

Intel's MPX technology, introduced with the chipmaker's Skylake line in 2015, is designed to protect applications against buffer overflows, out-of-bounds access, and other memory errors and attacks. Applications running on Windows 10 systems use the feature as protection against buffer overflow attacks.

CyberArk's BoundHook technique uses a boundary check instruction in MPX to hook processes on a system, and to essentially change its behavior. "The BoundHook technique allows you to run your own code inside foreign processes and change its normal behavior, without leaving any traces inside these foreign processes," says Doron Naim, senior security researcher at CyberArk.

Hooking is about changing the behavior of certain functions in the operating system or application software on a system, he says. As one example, he points to the key input function. "If an attacker were able to hook this function, they would be able to sniff and steal your keystrokes."

Typically, to do hooking you have to write hooking code inside a target process, he says. With BoundHook, the code is not used to execute the hook itself but to cause an error, like a boundary exception error in the process. From there an attacker can take complete control of the thread execution, Naim notes. "If you control the thread execution, you can do anything you want by the name of the target process. For example, if it's Word.exe, you can steal credentials or send information to the Internet through this process." Most antivirus tools are not equipped to detect the malicious activity that is enabled via BoundHook, according to CyberArk.

While Microsoft has downplayed BoundHook just as it did with GhostHook, Naim insists CyberArk's latest technique indeed poses a threat. "The first thing to note is that this technique is most likely to be used by nation-state attackers, or very well financed criminal organizations that are looking for infiltrations that last."

In the current threat environment, gaining administrative privileges on an endpoint system is something that administrators should assume even the most basic attacker can accomplish, he says. In most cases, all it takes is for a single individual to click on the wrong link or fall for a phishing scam.

Techniques such as the one that CyberArk demonstrated this week are important because they show how attackers can improve their dwell-time on a compromised network, Naim notes. "Techniques like this are incredibly powerful in helping attackers disappear after the initial infection point — allowing them to build in backdoors and plan their attacks in de facto stealth mode."

Source: Darkreading

How to download and install the Windows 10 Fall Creators Update right now

The much-anticipated Windows 10 Fall Creators Update has now been released, and here’s how you can download and install it right now.

The Fall Creators Update is a major package of new and improved features for Windows 10, and it’s completely free. It brings support for Windows Mixed Reality headsets, as well as improved privacy features, better accessibility options and a new interface.

As with previous updates, Microsoft will be performing a roll-out release for the Windows 10 Fall Creators Update, which means you may have to wait until the update is available for your device – so read on to take matters into your own hands, as we show you how to download and install the Windows 10 Fall Creators Update.

How to download and install the Windows 10 Fall Creators Update using the Update Assistant

You can now officially download the final version of Windows 10 Fall Creators Update using Microsoft's Update Assistant.

To do this, head to the Windows 10 Update Assistant webpage and click 'Update now'.

The tool will download, then check for the latest version of Windows 10, which includes the Fall Creators Update.

Once downloaded, run it, then select 'Update Now'. The tool will do the rest. Your PC will restart a few times – so save any work first – and then your PC will be updated with the Fall Creators Update, while all your files and settings will remain where they were.

How to download and install the Windows 10 Fall Creators Update using a fresh install

If you want to install the Windows 10 Fall Creators Update as a fresh install on your machine you’ll need to download the ISO file with the Fall Creators Update included.

Before you do this, make sure you've backed up all your important information and documents. Check out our list of the best free backup software for advice.

Microsoft has made the process of downloading and installing the Windows 10 Fall Creators Update using a fresh install very easy. Just go to the Download Windows 10 web page, and below where it says ‘Create Windows 10 installation media’, click the ‘Download tool now’ button.

You’ll also need a blank DVD or a USB stick to add the installation files to. Be warned this process wipes any data on the drives, so make sure the drive doesn’t have any important data on it. Also, make sure the USB stick has at least 5GB of space spare.

If you don’t have a spare drive, check out our list of the best USB flash drives 2017.

You’ll need to know if you have a 64-bit or 32-bit processor to download and install the correct version. If you have a recent PC it’s most likely to have a 64-bit processor.

Download and install the tool, then open it up and agree to the license terms. On the ‘What do you want to do?’ page, select ‘Create installation media for another PC’ then click ‘Next’. Select the language, edition and 32-bit or 64-bit version, then select either ‘USB flash drive’ or ‘ISO file’, depending on whether you’re installing from a USB drive or from a DVD (select ISO file for this).

Once the tool has formatted and created the installation drive, you can restart your PC, boot from the drive and install the Windows 10 Fall Creators Update from scratch. Our How to install Windows 10 guide will show you how.

You’ll now have Windows 10 Fall Creators Update installed and ready to go on your PC!

Source: techradar

Secure Wifi Hijacked by KRACK Vulns in WPA2

All modern WiFi access points and devices that have implemented the protocol vulnerable to attacks that allow decryption, traffic hijacking other attacks. Second, unrelated crypto vulnerability also found in RSA code library in TPM chips.

Researchers at Belgium's University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure WiFi networks.

The vulnerabilities are present on both client and access point implementations of the protocol and give attackers a way to decrypt data packets, inject malware into a data stream and hijack secure connections via so-called key reinstallation attacks (KRACKs).

(The disclosure of the WPA2 flaws is the second one in recent days involving a crypto standard. Last week, Google, Microsoft and others warned about a bug in several Infineon trusted platform module (TPM) firmware versions that gives attackers a way to recover the private part of RSA keys generated by the TPM using only the corresponding public key. Nearly all Chrome OS devices that include an Infineon TPM chip are affected, and although large-scale attacks are not possible, a practical exploit already exists for targeted attacks.)

The KRACK attacks work on all modern wireless networks using the WPA2 protocol and any device that supports WiFi is most likely impacted, the researchers said in a technical paper that they will present at the upcoming Black Hat Europe security conference. However the flaws are not easy to exploit and require attackers to be in close proximity to a victim, thereby making the flaws somewhat less severe of a threat despite their ubiquity.

"Vulnerabilities that focus on issues with network protocols across many devices makes the threat landscape of this vulnerability very large," says Richard Rushing, CISO of Motorola Mobility and a speaker at Dark Reading's upcoming INsecurity security conference in November.

But as with all Wifi threats, physical proximity is required for the vulnerabilities to be exploitable, he says. "Most wireless IDS and IPS should be able to see this attack, and take preventative actions," Rushing said. "In many cases there are other Wifi man-in-the-middle attacks that can be just as successful given a user WiFi configuration."

Meanwhile, US-CERT described the KRACK vulnerabilities as existing in the WPA2 standard itself thereby putting all correct implementations of the protocol at risk of attack. An attacker within range of a modern access point and client can use the vulnerabilities to carry out a range of malicious actions. Depending on the encryption protocols being used by the WiFi network, the "attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames," US-CERT said. The advisory listed close to 150 vendors whose products are impacted by the vulnerabilities.

In the technical paper and a blog, researchers Mathy Vanhoef and Frank Piessens from the University of Leuven demonstrated a proof-of-concept key reinstallation attack that takes advantage of the WPA2 vulnerabilities to decrypt encrypted data.

The attack is targeted at the four-way handshake that takes place when a client device wants to join a protected WiFi network. The handshake is designed to ensure that both the client and the access point have the correct credentials to communicate with each other. The manner in which the third handshake takes place essentially gives attackers an opportunity to force resets of a cryptographic nonce counter used by the encryption protocol so data packets can be decrypted, replayed or forged, according to the two researchers.

The key reinstallation attack against the 4-way handshake is the most widespread and practically impactful attack currently possible against the WPA2 vulnerabilities, Vanhoef and Piessens said in the paper. "First, during our own research we found that most clients were affected by it. Second, adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies." The manner in which WPA-2 has been implemented on devices running Linux and Android 6.0 and above make them particularly vulnerable to key reinstallation attacks, they said.

Organizations – corporate enterprises, businesses, schools and universities, retail shops and restaurants, government agencies – that have deployed Wi-Fi networks using WPA2 encryption are affected. When mobile users connect to these Wi-Fi networks with smartphones, tablets, laptops and other devices, they are also exposed to these vulnerabilities. Both the 802.1x (EAP) and PSK (password)-based networks are affected.

Hemant Chaskar, CISO and vice president of technology, at Mojo Networks says corporate enterprises, businesses, schools and universities, retail shops restaurants, government agencies and any organization that has deployed Wi-Fi networks using WPA2 encryption are affected. "When mobile users connect to these Wi-Fi networks with smartphones, tablets, laptops and other devices, they are also exposed to these vulnerabilities. Both the 802.1x (EAP) and PSK (password)-based networks are affected," he says.

Nine of the 10 vulnerabilities require attackers to be relatively sophisticated, he says. In order to exploit these flaws an attacker would need to use a MAC spoofing access point as a Man-in-the-Middle to manipulate data flowing between the client device and the real access point. "For the remaining, a practical exploit can be launched using a sniffer that can listen to and replay the frames over the wireless medium. So, it requires less attacker sophistication. "The main risk from all of them is replay of packets into the client or access point," Choskar says. "Another potential arising out of these exploits is the presence of packets in the air that are decryption-prone."

Gaurav Banga, founder and CEO of Balbix said the newly vulnerabilities, while present in a lot of products, should not be a cause of widespread panic. For one thing, it requires a sophisticated attacker and physical proximity in order to exploit. There has also been no sign of any exploit code in the wild so far and patches are available or will soon be available. "With iOS and Windows, the attack is quite difficult to pull off. Many of the security questions are around Android, since it is rarely patched," he says.

Users and organizations can mitigate the risk by using VPN over WiFi, avoiding websites that do not use HTTPS and updating their devices as soon as patches are released, he says.

Source: Darkreading

Wi-Fi security has been breached, say researchers

At 8AM Monday morning Eastern Time, researchers plan to reveal details of a new exploit called KRACK that takes advantage of vulnerabilities in Wi-Fi security to let attackers eavesdrop on traffic between computers and wireless access points. The exploit, as noted by Ars Technica, takes advantage of several key management vulnerabilities in the WPA2 security protocol, the popular authentication scheme used to protect personal and enterprise Wi-Fi networks.

So yeah, this looks bad.

The United States Computer Emergency Readiness Team issued the following warning in response to the exploit:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

It's not yet clear how easy it will be to hijack and eavesdrop on targeted Wi-Fi networks, but we expect all to be revealed later on today through the website krackattacks.com, before the vulnerabilities are formally presented on November 1st in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 at a security conferencein Dallas.

Source: the verge

Single Sign-On (SSO) for Cloud and On Premise Apps

If you have signed into Gmail and noticed that you were also able to access Google portfolio apps such as Google Maps, YouTube, Google Play, Google Photos and other Google applications, you are already using SSO! The user logs in once to a Google account, and has access to other Google applications.

Single Sign-On happens when a user logs into one application and then is able to sign into other applications automatically, without being prompted for passwords, regardless of the domain they are in or the technology they are using. SSO makes use of a federation service or login page that orchestrates the user credentials between multiple applications. In the above example, this service is Google Accounts.

SSO reduces password fatigue for users having to remember a password for each application. SSO also streamlines security by centralizing provisioning and maintaining the same security rules across applications. Unlike in the past, a user’s access may be easily revoked across all applications when an employee leaves.

However, as applications are web-enabled and delivered through cloud or on premise deployments, we can assume that application-specific cyber-attacks will continue.
Securing these applications is a complex task, in terms of provisioning and maintenance, but especially in terms of securing access. Authenticating users by having them provide their identity, and challenging them to verify their identity are some of the aspects of securing access

Balancing convenience with caution – Multi-Factor Authentication (MFA)

As single sign-on provides access to many applications once a user is authenticated; this convenience also increases the impact in case the user credentials are compromised.

According to Wikipedia, “Multi-factor authentication (MFA) is a method of access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).”

The more commonly used form of MFA is a two-factor authentication (2FA). An example that many of us are familiar with is using the password as the first factor and providing the second factor such as a PIN through a token generator such as RSA SecurID, one time password (OTP) or once received through a phone call, SMS message, or an email.

There are other variations, especially when a user is not personally known to the organization. For example, credit companies extract information from the user’s credit file and present them as challenge questions, and use them as one of the factors, before granting access to sensitive credit information.

Conclusion

SSO is great for convenience, but the fact remains that some hackers would want that user credential since it represents access to restricted information and money. MFA adds a layer of security to application access, making it more difficult to hack.

Source: radware

Protecting the Multi-CDN Part II: Approaches for Securing the Multi-CDN

Bringing back your security from the ‘edge’ of the CDN has many advantages – particularly in multi-CDN deployment scenarios. We take a look at the various deployment models for creating a centralized security protection layer, and when each should be considered.

In the the first of this series, we discussed some of the unique security challenges that can arise from adopting a multi-CDN strategy – namely inconsistent protection among different CDNs and the lack of centralized reporting.

Many of these problems arise from fact that CDN security is done at the ‘edge,’ i.e., security policies are ultimately propagated and executed at the points-of-presence (PoPs) of the CDN. And when ingress traffic originates from disparate CDNs that don’t talk to each other – as is the case in multi-CDN – the result can be gaps in protection and reduced transparency.

A security barrier between you and the multi-CDN

One potential solution in such cases is to bring back security from the edge and create a separate – and centralized – layer of security between the origin server and incoming traffic. As a result, ingress traffic – even from multiple CDNs – will all pass through a central focal point, which will make it possible to apply uniform security policies on all traffic.

There are several advantages to this technique, compared to the traditional CDN approach of ‘edge security’:

Decouples cost and security. When deploying a multi-CDN solution (or even a standalone CDN), cost is one of the most important factors that determines which CDNs are chosen to begin with, and how traffic is routed. However, the cheapest CDN may not always be the one with the best security – or even any security at all. Decoupling cost and security, therefore, makes sense so as to make sure that traffic cost considerations do not interfere with the quality of protection.

A single, unified security policy. As we pointed out in the previous installment, different CDN vendors offer different security features with different technologies and different policies. A unified security layer that aggregates all traffics ensures that there are no security gaps between different vendors, and that all traffic is subjected to the same rigorous inspection.

A single pane of glass for all traffic. Using a multi-CDN solution frequently means splitting management and reporting across disparate management consoles with disparate configurations. This is key when it comes to security, where attacks can come from multiple vectors and from multiple sources. Centralizing security within a single layer ensures full security visibility and reporting, regardless of traffic origin.

On the cloud or on-prem?

A key consideration in consolidating security layers is to decide whether these should run in the data center (on-prem) as a hardware appliance, or whether this should be in the cloud.

There are advantages and drawbacks to each approach, and each organization can decide differently depending on their specific context and configuration.

Premise-based security

The greatest advantage of on-premise security solutions is the high degree of control they afford organizations, and ability to configure it to any type of internal network topology. In addition, on-premise solutions tend to have near-zero latencyperformance, meaning that the speed of business is not impacted.

The flip side of using hardware-based solutions is that they tend to have higher cost compared to cloud solutions, and require high, upfront capital expenditure. Moreover, the higher degree of control comes with higher management overhead. Finally, they have limited capacitycompared to cloud-based solutions.

Premise-based security is best for organizations that have physical data centers (as opposed to cloud-based), who prefer the higher degree of control that comes along with it, and whose applications are sensitive to latency.

Cloud-based security

Perhaps the most noticeable advantage of cloud-based infrastructure is lower cost compared to hardware-based solutions, coupled with lower management overhead. This is one of the primary drivers which have led application developers to increasingly move their infrastructure to the cloud. In addition, cloud services have higher capacity and are therefore able to absorb larger attacks, such as volumetric DDoS attacks. Finally, if your applications are already running in the cloud, then it makes sense for your security to run on the cloud, as well.

The drawbacks of cloud deployments are the mirror image of the advantages of hardware-based solutions, namely minor additional latency(although usually not much) to application performance, a lower degree of control over hardware managed by outside vendors, and compliance barriers in certain regulated industries such as healthcare and finance.

This is best for customers with existing cloud applications, as well as those who are not sensitive to the minor additional latency.

Hybrid security model

Hybrid security deployments are arguably the most robust of application security strategies. In a nutshell, hybrid security models involve usage of both on-prem and cloud-based defense layers, enabling organizations to adapt their security deployment to their particular network topology. Indeed – as more companies begin moving infrastructure to the cloud – even Gartner saysthat hybrid cloud deployments will soon be the most common usage type.

Hybrid deployments provide the greatest degree of flexibility, allowing organizations to protect applications wherever they are deployed. Moreover, they also retain a high degree of control for organizations. Hybrid deployments also resolve the capacity-vs-control tradeoff by allowing organizations to put in place cloud-based defense mechanisms that can be activated on-demand when hardware capacity isn’t sufficient.

It is usually most suited for larger organizations with complex network topologies, multiple data centers, or applications that are split between cloud and on-prem. Ultimately, the decision of whether to implement a hybrid model is highly dependent on the particulars of your network configuration and needs.

Choosing the right deployment for you

As we’ve seen, multi-CDN strategies can create some fairly complex security challenges that arise from multiple traffic origins, coupled with fact that CDN security is usually executed at the edge of the network. The solution, therefore, is to bring back security from the edge and into a centralized security layer that applies a uniform security policy to all traffic.

Whether such solutions should be implemented as premise-based, cloud-based, or hybrid solutions is dependent on the particulars of each organization’s network configuration and applications.

Part III of this series takes a broader look at CDN security, and how taking security out of the ‘edge’ can enhance application defenses in general.

Source: radware

Protecting the Multi-CDN Part I: The Security Challenge of Multi-CDN

Adopting a multi-CDN approach can be great for performance, but can also create some complex security challenges.

Using a Content Delivery Network (CDN) to accelerate content delivery has been common practice for many years. In fact, it is rare nowadays to find a website which does not employ a CDN to enhance webpage performance.

Increasingly, more and more organizations are adopting multi-CDN solutions, which split their traffic among several CDNs to ensure constant availability. But while adopting a multi-CDN strategy can be great for website performance, it can also create some unique security challenges for your website.

98% CDN availability = 7 days of outage a year

CDNs have been around for many years now. There’s a CDN out there for every pocket and every need. It is surprising, therefore, that even a mature technology such as CDN hasn’t yet been able to bridge the final availability gap to ensure true always-on availability.

Although some CDNs promise 100% uptime SLA, in practice most CDNs don’t get anywhere near that. CDN performance metrics tracked by web optimization provider Cedexis demonstrate how even leading CDNs only provide, on average, about 98.5% of uptime.

While this may sound pretty good, consider this: every 1% of downtime equals about 3.5 days of outage per year. A 98.5% availability benchmark, therefore, is equal to about 5.5 days of downtime annually.

An example of Cedexis’ performance data – updated daily – of leading CDNs is shown below (CDN provider identities have been obfuscated).

Enhancing performance with a multi-CDN strategy

One solution customers have come up with in order to avoid CDN downtime is to split their traffic among two or more CDNs concurrently. Application traffic is routed dynamically between CDNs based on availability, performance, cost, and proximity to the end user.

Adopting a multi-CDN approach is hardly a new concept. As early as 2014, Ernie Regalado of Bizety explained how some of the largest enterprises are splitting their traffic among two, three, or even four separate CDNs. Recently, however, multi-CDN solutions have been gaining momentum as new multi-CDN solutions are making it easier and more cost-effective to deploy.

Nonetheless, while a multi-CDN strategy might be great for performance, it can create some unique security challenges for companies, particularly those who also rely on their CDN vendor for security.

Splitting your traffic also means splitting your security

As CDNs evolved, many CDN vendors also began integrating web application security into their delivery stack. While this makes sense from the CDN vendor’s point-of-view, it also burdens the customers with the legacy shortcomings of CDNs: inconsistent availability, varying security service quality, and the drawbacks of having security at the ‘edge’ of the CDN.

Moreover – in the context of multi-CDN strategy – splitting your traffic among different CDNs also means splitting your security.

Consider, for example, the following hypothetical scenario of splitting traffic between three CDNs and their respective security portfolios:

CDN 1: High-quality CDN service; ModSecurity-based WAF; separate DDoS scrubbing; relies heavily on professional services for configuration; very expensive

CDN 2: Low quality CDN service; proprietary WAF; no standalone DDoS scrubbing; easy-to-use management console but no MSSP service; very cheap

CDN 3: Medium-quality CDN; No WAF at all; DDoS scrubbing provided via 3^rd party; mid-range price

A scenario such as the one above raises a number of security challenges:

Clashing security and cost concerns: as the scenario above demonstrates, CDNs can vary significantly in terms of cost, quality, and breadth of security protection. However, adopting a multi-CDN strategy is usually driven by a desire to increase availability and/or decrease cost. As a result, a cost-driven or availability-driven decision of which CDN to use can lead to situations where traffic isn’t properly secured. Moreover, as multi-CDN load-balancing doesn’t factor security into consideration, there is also no visibility into whether traffic is protected or not.

Inconsistent protection across vendors: there is a wide array of CDN vendors out there, and equally wide variance in the breadth and protection offered by each CDN: some bundle a web application firewall (WAF) into their offering, while others don’t; some provide native DDoS scrubbing capabilities, while others don’t; and so on. As a result, it is nearly impossible to reach parity in security features between any two CDNs.

Varying, redundant security policies: if you have three different CDN vendors, you will need to configure your security policies three times – once for each vendor. Apart from the added overhead this creates, there is wide variance in the particulars of each security policy configuration: different vendors use different technologies and different rule sets, with some using open-source technologies from ModSecurity or OWASP, while others employ proprietary solutions. This leads to incompatible security policy configurations and gaps.

Separate management consoles: similarly, each CDN vendor provides a different management console, with some providing feature-rich, hands-on GUI consoles, while others provide very rudimentary self-service options and mandate the usage of professional services for nearly every change. In a multi-CDN/multi-security scenario, this creates a problem of having to update separate configurations using separate configuration processes every time there is a policy change.

No central reporting: finally, splitting traffic between different CDNs also means that there is no central reporting. Security becomes effectively siloed, and it becomes difficult – if not impossible – to aggregate attack data across the different channels, locate attack sources, analyze defenses and look across the entire security range.

Securing the multi-CDN

Clearly, a scenario as the one described above is untenable, as it would lead to inconsistent protection and high amount of overhead in managing concurrent security configurations.

Therefore, in order to be truly secure, multi-CDN deployments requires a different approach to web application security – which is not dependent on the CDN.

Part II of this series discusses different alternatives for securing the multi-CDN, and describes the considerations for on-prem, cloud, and hybrid solutions.

Source: radware

Financial Institutions Must Protect the Data Like They Protect the Money

If you are like most people and myself, you do not go into a bank and have a conversation with a teller when you make a deposit or withdrawal. You probably do not write paper checks and sign them. You have an app on your phone to access your bank account and use one of the thousands of automated teller machines (ATM), around the world to move money in and out of your accounts.

The financial world is very different with the advent of the internet and near real-time information. Gone is the time when Leonardo DiCaprio Frank Abagnale Jr. can forge checks and cash them at banks around the country. Today’s verification systems will flag the bad check immediately through online record matching. All of this information flying between branches and banks through the network depends on security technologies to protect the money as well as the personal information tied to all of the bank accounts and transactions.

Financial institutions have a responsibility to protect sensitive information on their systems and through their networks. The business must protect the data at rest, the data in transit, and the systems holding and transmitting the data.

Data at rest

Encryption algorithms and hashes are used to obscure the data within the applications and databases. There are many methods to protect the databases varying from field level encryption to solutions that encrypt the entire database. The method used often depends on the application requirements and how often individual records within the database are being updated.

All financial and personal information within these databases are vulnerable. The encryption protects the data even if the database is stolen by a malicious person. Without the proper key or credentials, the hacker will not be able to decipher the contents of the database

Data in transit

For the past 20 years, SSL/TLS has been the encryption standard for communications over the network. The algorithms to encrypt the data have advanced as computer technologies have improved over the years. Today, the internet is using the RSA algorithm with 2K keys to encrypt data on the network. Elliptic curve cryptography (ECC ) is emerging as a new standard with 256-bit keys to address the advancements in computing power.

The encryption standards and keys are important because the data is most vulnerable when it is in transit. The original data is often unencrypted so it is important for the network transport protocol to provide security and encryption. This is like taking a valuable item out of the secure vault and transporting it within a protected armored car to the destination, hopefully another vault. SSL/TLS is the armored car for the internet.

Systems accessing data

The data is not the only concern for financial institutions. They need to be concerned with the applications and tools that have access to the data. If the vault is compromised, it does not matter how strong or secure the armored car is. This is most likely what happened in the recent Equifax case. They used an application that had a vulnerability that the hackers exploited to access the data.

Businesses often assume that the applications accessing the data are secure. There are two problems with this assumption. First, as in the Equifax case, the application is not secure. There are vulnerabilities in software that can be exploited to access sensitive information. Applications need to be validated through a process to ensure that they are secure.

The second problem is that people access the data through the applications. People are the weakest link in the security chain. They can accidentally share their credentials, download malware, or expose sensitive data. Policies and security technologies need to be implemented to minimize the potential negative impact of an inadvertent or intentional mistake that a person makes.

Inspecting and securing the data

The application delivery controller (ADC) provides three key functions to secure the data within the financial institution. As a reverse proxy or load balancer, the ADC is a key network component to make the application data available and secure.

The ADC is the SSL/TLS termination point for the network communications. It needs to offer high performance encryption and decryption while supporting today’s RSA encryption standard and tomorrow’s ECC algorithm. Over 50% of the internet is encrypted today, and it is assumed that the financial services traffic percentage is higher due to its sensitivity.

Inbound SSL inspection solutions are necessary to protect the applications from threats. As the encryption termination point, the ADC can steer the decrypted content to different security solutions to inspect the traffic before it reaches the application. Financial institutions may use web application firewalls (WAF), next generation firewalls, intrusion prevention systems (IPS), and/or data loss prevention (DLP) technologies to protect their applications and servers.

Finally, the ADC provides outbound SSL inspection capabilities to protect the people from the internet threats. Outbound SSL inspection solutions decrypt and steer traffic between the users and the internet to security solutions. The security solutions look for malware, phishing sites, and other internet threats to protect the users and their internal systems.

Financial data is sensitive and vulnerable with the potential to affect every single person, if exposed. All businesses involved in the financial services industry must do their due diligence and ensure that appropriate architectures and solutions are put in place to protect the information that they manage. It is almost impossible to do too much to protect this information. If they do not take a fresh look at their security policies and practices, the Equifax breach may be the tip of the iceberg.

Source: radware

GOOGLE WARNS OF DOS AND RCE BUGS IN DNSMASQ

Seven flaws in what is known as Dnsmasq can be exploited by attackers who can use the bugs to carry out remote code execution, information exposure or a denial of service attacks against affected devices.

Google researchers identified the flaws in a research paper published Monday, the same day a patch for affected hardware arrived. Google also published proof-of-concept code to demonstrate the flaws and is urging hardware vendors to deploy patches as soon as possible.

Dnsmasq is open-source software that can be found in Android OS and Mac OS X. It’s also included in popular desktop Linux distributions including FreeBSD, OpenBSD and NetBSD, and in home routers, IoT devices and for tethering of smartphones and portable hotspots, said Google.

“During our review, the team found three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5th 2017,” wrote researchers behind the Google Security Blog.

The Dnsmasq software package acts as a local domain name system (DNS) helping devices identify other devices and route traffic within small networks. “(Dnsmasq) is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls,” the maintainer of Dnsmasq, Simon Kelley, said.

On Monday, Kelley announced a fix for the vulnerability that includes upgrading to Dnsmasq version 2.78. All versions of Dnsmasq 2.77 and prior contain the multiple vulnerabilities.

“I’ve just released dnsmasq-2.78, which addresses a series of serious security vulnerabilities,” Kelley said. “Some of these, including the most serious, have been in Dnsmasq since prehistoric times, and have remained undetected through multiple previous security audits.”

According to Google, its Android partners have or will receive a patch as part of the October Android security update released Wednesday.

Google said the Dnsmasq vulnerabilities can be triggered remotely via DNS and dynamic host configuration protocol (DHCP) that could lead to the remote code execution, information exposure and denial of service conditions.

DNS attacks can be problematic for companies ill equipped to mitigate against them, a survey of firms said last month.

“Despite heightened DDoS attacks, many companies have inadequate defenses when it comes to DNS security,” the study, carried out by security firm Infoblox said.. The study found one-third of “professionals” surveyed doubt their company can defend against a DNS attack.

In the case of Dnsmasq, the three remote code execution vulnerabilities (CVE-2017-14491, CVE-2017-14492 and CVE-2017-14493) are tied to heap buffer overflow and stack buffer overflow errors through DHCP and DNS.

Another three vulnerabilities (CVE-2017-14495, CVE-2017-14496 and CVE-2017-13704) are denial of service bugs caused by invalid boundary checks, bug collisions and memory leakage.

The bug for the information leak (CVE-2017-14494) can be exploited to bypass the address space layout randomization (ASLR) memory protection function and allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests, according to the Common Vulnerabilities and Exposures (CVE) description.

Source: threatpost

NETGEAR FIXES 50 VULNERABILITIES IN ROUTERS, SWITCHES, NAS DEVICES

Netgear recently issued 50 patches for its routers, switches, NAS devices, and wireless access points to resolve vulnerabilities ranging from remote code execution bugs to authentication bypass flaws.

Twenty of the patches address “high” vulnerability issues with the remaining 30 scored as “medium” security risks. Netgear posted advisories for the bugs to its website over the last two weeks.

Network security firm Beyond Security is credited by Netgear for discovering several of the vulnerabilities patched last week. One of the issues was a command injection vulnerability in the ReadyNAS Surveillance Application running on versions prior to 1.4.3-17 (x86) and 1.1.4-7 (ARM). A command injection attack can execute arbitrary commands on host operating systems via vulnerable applications that facilitate the passing of unsafe user supplied data (forms, cookies, HTTP headers) to a system shell.

“These are all vulnerabilities caused by what appears to be inadequate verification of user input, oversight on what should and should not require authentication, and improper mechanism of enforcing security on users accessing their product web interface,” Noam Rathaus, founder and CTO of Beyond Security said. “I believe much of Netgear products share the same codebase and same underlying code structure which is what causing many of their products to be vulnerable.”

In addition to Beyond Security, researcher Martin Rakhmanov of Trustwave, and researcher Maxime Peterlin with ON-X Security are also credited for finding vulnerabilities in Netgear products.

“Some of the issues reported are pretty severe,” said Rakhmanov. One of those vulnerabilities (PSV-2017-1209) is a command injection security vulnerability tied to 17 consumer routers running vulnerable firmware.

“This vulnerability would allow any local user to take full control of the router,” Rakhmanov said. “Luckily ‘Remote Administration’ is not turned on by default, but if it were turned on manually this could make the router vulnerable to anyone on the Internet.”

Netgear told Threatpost that most of the vulnerabilities and patches disclosed last week were reported via the company’s bug bounty program,launched in January in partnership with Bugcrowd. Since inception, the company has made several disclosures via the program, including a password bypass bug found in hundreds of thousands of Netgear routers reported earlier this year.

In this most recent wave of disclosures, affected products range from networking gear used in IoT applications such as the ProSAFE M4300 Intelligent Edge Series switch to a consumer-grade Netgear D6400 Wireless Router.

“We are taking the security of our products very seriously and have been working closely with Bugcrowd to help monitor instances of potential security vulnerabilities,” said a Netgear spokesperson. “We work with Bugcrowd to identify potential vulnerabilities and release fixes in bulk, which is why you saw the quantity you did come across last week.”

The company said it is working on an automated processes for a more even distribution of disclosures in the future.

Netgear has faced criticism in past by Beyond Security’s Rathaus for allegedly dragging its feet when it comes to acknowledging technical claims of a vulnerability and the subsequent coordinated advisory.

From Trustwave’s vantage point Netgear is on the right track. “We’ve been working with Netgear through their responsible disclosure process for quite some time and watched them mature tremendously including their current participation in bug bounty programs,” Rakhmanov said.

Netgear isn’t the only networking equipment firm scrambling to patch bugs over the past year. Last month, independent researcher Pierre Kim found a wireless router made by D-Link had nearly one dozen critical vulnerabilities. In April, researchers at IOActive found more than 20 Linksys router models vulnerable to attacks that could allow a third party to reboot, lock out and extract sensitive router data from affected devices. ASUS reported in May vulnerabilities in 30 models of its popular RT routers.

Rathaus blames router and IoT vendors that, he claims, for years have put little effort into security, testing and hardening of products.

“Today using sites such as Shodan you can locate hundreds to hundreds-of-thousands of devices all vulnerable to serious bugs that allow compromising of the device without requiring any authentication or any information beside the IP address of the device,” Rathaus said.

Rathaus said researchers at the firm have reported 60 similar authentication bugs this year alone.

“Every once in a while something unique (a new type of vulnerability) shows up, but in numerous cases it’s the same type of vulnerabilities over and over again,” he said. “Vendors are not spending enough time tracking down these bugs before the product becomes public.”

Source: threatpost

FIVE CRITICAL ANDROID BUGS GET PATCHED IN OCTOBER UPDATE

Four critical vulnerabilities were reported by Google Monday as part of its October Android Security Bulletin. In all, 14 patches were issued for corresponding vulnerabilities, ranging from critical to high.

The relative low bug count for the month of October is due to the fact this month Google announced it would handle security bulletins differently. It introduced a separate monthly Pixel/Nexus Security Bulletin that covers bug fixed for these specific devices.

The Android Security Bulletin will continue to report on partial patch levels and complete patch levels monthly. But because of this change Google only reported just over a dozen vulnerabilities for the month of October.

Three of the vulnerabilities, rated critical, are tied to remote code execution bugs found in the Android media framework. Another two critical vulnerabilities are related to Qualcomm components.

The Android Security Bulletin also contains a fix for the Dnsmasq software flaws impacting Android OS and also Mac OS X, various Linux distributions and routers and IoT devices.

Google said one of the most severe bugs this month was an escalation of privileges (EoP) vulnerability (CVE-2017-0806) impacting Android versions 6.0 (Marshmallow) through its most recent Android 8.0 (Oreo) OS. According to Google, the vulnerability “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.” That could lead to further attacks.

Other “severe” bugs, according to Google, included two vulnerabilities found in Android kernel components that could enable a local malicious application to execute arbitrary code within the context of a privileged process.

One of the two EoP vulnerabilities is CVE-2017-7374 and impacts the Android filesystem. According application security firm F5 Networks, the bug is a use-after-free vulnerability in cryptographic file system (fs/crypto/) in the Linux kernel. It allows local users to cause a denial of service condition or possibly gain privileges by revoking keyring keys being used for file systems ext4, f2fs, or ubifs encryption. That can cause “cryptographic transform objects to be freed prematurely,” F5 Networks said.

A second severe vulnerability includes the EoP CVE-2017-9075, also tied to the Android kernel and the network subsystem. “An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely,” wrote security experts at Brocade.

The October bulletin also includes a bevy of fixes on the hardware side of the house, including patches for drivers for MediaTek and Qualcomm hardware.

Two of the Qualcomm vulnerabilities are critical. CVE-2017-11053 is a fix for an issue with the system-on-a-chip driver that allows remote code execution. A second Qualcomm vulnerability (CVE-2017-9714) addresses a bug in the network subsystem and blocks privilege escalation.

The last patch, rated as high severity, is tied to a MediaTek system-on-a-chip driver vulnerability (CVE-2017-0827). Google says the flaw could enable a local malicious application to execute arbitrary code within the context of a privileged process.

As for the Pixel/Nexus Security Bulletin, Google lists 38 security vulnerabilities. The company says the vulnerabilities impact the Android OS and components manufactured by Broadcom, HTC, Huawei, Motorola and Qualcomm.

“Security vulnerabilities that are documented in (the Android) security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in device / partner security bulletins are not required for declaring a security patch level,” Google said of the new bulletin.

Source: threatpost

Cybersecurity researchers warn Facebook users to beware Faceliker malware

As nowadays social media is an inseparable part of society’s social life, naturally scammers prey for victims online. Phishing messages^[1] or compromised web links can easily trick unsuspecting users into providing sensitive information or installing dangerous malware on their computers unknowingly.

There’s plenty of space for discussions about fake news on social media that users are likely to click, especially if they see their friends liking such posts. However, such fake news are often promoted by bots or accounts compromised by Faceliker malware.

McAfee experts^[2] have spotted an unexpected surge of Faceliker Trojan, a malicious virus that takes control over Facebook accounts and uses them to promote certain content on social media. The security firm claims that the malicious virus takes 8.9% of 52 million new malware samples in the Q2 of 2017.^[3] Experts suggest that the rise of Faceliker significantly influenced the overall growth of newly discovered malware.

Modus operandi of the virus

According to the research team from the aforementioned security firm, Faceliker compromises victims’ devices as soon as they visit a malicious domain online. The malware tricks people into thinking that they like things they want when the virus actually redirects the click and likes an entirely different thing on Facebook instead. This way, the click-fraud Trojan^[4] falsifies likes on content it seeks to promote.

VirusActivity experts advise^[5] that users who have noticed suspicious content appearing in their feeds should immediately check their activity logs on Facebook to see whether there were some unauthorized attempts to use their accounts for promoting particular online content.

In case the user detects some suspicious activity, an immediate Facebook virus removal is required, as well as actions to protect user’s account. The first thing victims should do is to run a system scan using up-to-date anti-malware software, and secondly, changing Facebook passwords. Besides, users can un-like the content that was liked without their consent.

Facebook malware more dangerous than it seems

Although Faceliker virus does not infect victim’s device or distribute malicious links, it operates silently and without user’s knowledge. Besides, liking and promoting vague content online using victim’s account without one’s knowledge is an illegal activity. Therefore, Faceliker removal is a highly suggested option.

Since Facebook is one of the most popular social network platforms available today, criminals rush to take the opportunity and spread malicious viruses via it. In case you noticed that your friend shared a suspicious link or sent you a message that looks fishy, warn your friend using a different contact method (phone call or message) and let them know what happened to their accounts. They might not be aware of Facebook virus acting on their behalf online.

Source: 2-spyware

Send nudes? That’s what nRansom asks in exchange to your locked files

Nude photos – as digital currency

A few days ago, virus researchers had a good laugh after they found nRansom ransomware. Not only the ransom message evoke smile after seeing its logo with the Thomas the Tank, but the demands are hilarious and absurd as well. Unlike typical ransomware, for instance, Ykcol (new Locky) which again raised the price up to 0.5 bitcoins, this malware asks for 10 your nude photos. Is it a new generation ransomware or a mere prank?

nRansom – hackers’ sort of “vacation”?

However, 10 nude photos are only the beginning of the story. The perpetrators instruct victims to send the photos to 1_kill_yourself_1@protonmail.com. They continue making fun of users by stating that they will not reply instantly.

What is more, the felons mention that they will verify the photos. However, the methods of such verification indeed spark intrigue. Even if victims risk sending the compromised material, the hackers will send you the decryption key and still publish the photos on the dark web.

Interestingly, the developers launched a second version after a couple of days since the original version appeared. The latest edition functions via nRansom2.exe file and asks you to kill 10 people, send the video as well as 20 personal nudes. The email address changes to 2_kill_yourself_2@india.com.

This type of ransomware may indeed seem funny, but not for the victims of the threat. However, they may not know the fact that nRansom virus is actually a screen locker rather than a file-encrypting threat. The unlock code was 12345, though it seems to have ceased functioning anymore as well as the first email address is shut down.

At the moment, there are no reports about the victims (on the other hand, who would confess?). While this malware is a buggy screen locker, the fact that the fraudsters continue generating new versions of this prank might be worrying.

A prank to direct attention from bigger cyber issues?

Looking from IT researchers’ perspective, nRansom screen locker is indeed an easy virus to crack. Now their attention rests on Locky which continues rampaging in the new form of Ykcol version. CryptoMix devs also restlessly generate new versions the latest being Shark virus.

The “white hats” also have to solve the riddle how cyber criminals managed to corrupt CCleaner v5.33 version.

As users find themselves in the midst of these cyber wars, they have to pay attention to these tips:

update system and security tools

avoid installing programs which are issued by “unknown publishers”

verify the sender of an email attachment

double-check and inquire your friend about the sent video link on a social media

Source: 3-spyware

Credit card thieves are getting smarter. You can, too

Card skimmers have gotten so advanced, even experts may be fooled. But there's a way to spot at least some of them.

With one swipe of a credit card, you've just paid for some gas. You may also have given thieves some very valuable information.

That's if you've just fallen victim to a skimmer.

Card skimmers, which steal your credit or debit card data when you swipe at payment and money machines, have been around for nearly a decade, disguised so you don't know you're being duped. The devices have evolved, though, and researchers say they're now at the point where you really, really can't tell the difference.

Plus, they've swept across the United States at an alarming rate. The number of breached ATMs increased sixfold from 2014 to 2015 and rose again in 2016 by 30 percent, according to FICO, an analytics software company. In June of this year, the Federal Trade Commission put out a public warning, with tips on how you can avoid having your card information stolen.

Hackers have figured out how to create virtual skimmers -- malware that's installed remotely -- which let them steal card information without even touching the ATM, fuel pump or other device. It's an evolution from the physical skimmers, where thieves had to walk up to a machine to plant their hardware hack. In January 2016, one hacking campaign that used virtual skimmers across multiple ATMs netted thieves $13.5 million euros, security firm Trend Micro discovered.

Skimmers are getting harder and harder to notice, according to Mark Nunnikhoven, Trend Micro's vice president of cloud security. "If a machine has been compromised with software," he said, "there's no way you're able to tell."

As if you didn't already have enough to worry about when it comes to computer security.

This year alone has brought a number of threats from all kinds of angles. A few months back, ransomware took over PCs around the world, holding them hostage for payment, and that likely won't be the last time. Just last week, word came that some versions of the popular CCleaner software had been infected with malware.

Then on the credit card front, there's that massive Equifax hack, which coughed up sensitive information on nearly half the US population.

Yikes.

When 100 credit card numbers can be sold online for $19 a bundle, it's easy to see the appeal for cybercriminals. Credit card information is feeding an entire illicit ecosystem, with some thieves even opening online schools to teach the hackers of the future.

Hackers can create virtual skimmers by breaking into a bank's network -- for instance, by tricking an executive into providing access, as Nunnikhoven has seen. Instead of compromising physical ATMs one at a time, hackers can steal from multiple ATMs all at once. And there's less risk of getting caught.

"ATMs are really just very simple computers that happen to be attached to a box full of cash," Nunnikhoven said. "We have enough problems securing computers that aren't attached to cash."

The gas station problem

Banks are working to stay a step ahead of the thieves, with techniques like introducing chips on cards, which are more secure than the magnetic stripes. New rules are helping, too. As of October 2015, any stores still using old swipe terminals became liable when fraud occurs. That got businesses adopting the new tech pretty quickly. But take note: The rule doesn't apply to gas stations until 2020.

Which means thieves who used to target random ATMs in stores are now swarming to gas pumps instead.

"We're seeing an uptick of skimmers becoming more common at fuel stations," said Angel Grant, director of fraud and risk intelligence at security firm RSA. "We anticipate this to continue to grow."

At gas stations, the skimmers can be installed on card readers in less than 30 seconds, and they'll record all your card data for collection by the bad guys. It's an easy gig: Those pumps are often unattended late at night, and thieves can plug in their skimmers while pretending to get gas.

The skimmer stores the data, and the scammers return to grab the stolen credit or debit card numbers over Bluetooth, without touching the pump again.

Gas station owners aren't likely to rush to make changes. It's more expensive to upgrade pumps than ATMs.

Fighting back

On Reddit, it's a thing now to see posts of people finding card skimmers by fidgeting with the card reader on an ATM and sometimes snapping it right off. But there's an alternative: A programmer at SparkFun Electronics created an app to save you from having to brutalize your local cash machine.

Because the majority of these skimmers use Bluetooth for harvesting the stolen data, your phone should be able to detect them easily. Nathan Seidle, SparkFun's founder, created the Skimmer Scanner app to automatically detect the skimmer's Bluetooth signal, which is most noticeable at gas pumps.

The Boulder-based company worked with local police in Colorado to take a look at a popular skimmer in the region, a module called the HC-05. These modules are typically used for DIY educational projects to provide Bluetooth capabilities on homemade gadgets. But they're also extremely common for credit card skimmers, and cost only $3 each.

"They're obviously mass produced," Seidle said. "It's so cheap that they can just pepper these things all over the place."

Because these skimmers are a bargain, their Bluetooth names can't be changed -- it's always HC-05. They also have a hard-coded default password: "1234." In other words, their weak spot is the same one that can get you in trouble with lots of the gadgets in your home.

The Skimmer Scanner looks for connections with that name; then attempts to connect with the default password, the same way the thief who planted it would. The app then sends the letter "P" as a command to the Bluetooth device, and if it's a skimmer, it'll send back "M." The system has been able to detect skimmers at distances between 5 and 15 feet.

The Android app is available on the Google Play store for free, and in open-source format on Github.

Researchers said the app is a great step in fighting back, given how common the HC-05 Bluetooth module is, but it's not going to stop all skimmers.

Eventually, too, once hackers realize how dumb those Bluetooth modules are, Nunnikhoven said, they'll move onto something that isn't as detectable.

"There's a limited lifetime on apps like Skimmer Scanner," he said. "The attackers are always changing their tactics to avoid getting caught."

Source: CNET