tech

Microsoft: Russians targeted conservative think tanks, U.S. Senate

Posted on

Originally Seen: Cybersecurity.com on August 21, 2018 by Sean Lyngaas

The Russian intelligence office that breached the Democratic National Committee in 2016 has spoofed websites associated with the U.S. Senate and conservative think tanks in a further attempt to sow discord, according to new research from Microsoft.

The tech giant last week executed a court order and shut down six internet domains set up by the Kremlin-linked hacking group known as Fancy Bear or APT 28, Microsoft President Brad Smith said.

“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith wrote in a blog post. “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.”

The domains were constructed to look like they belonged to the Hudson Institute and International Republican Institute, but were in fact phishing websites meant to steal credentials.

The two think tanks are conservative, yet count many critics of U.S. President Donald Trump and Russian President Vladimir Putin among their members. The International Republican Institute lists Sen. John McCain, R-Ariz, and former Republican presidential candidate Mitt Romney as board members. The Hudson Institute and International Republican Institute also have programs that promote democracy and good governance worldwide.

There is no evidence that the domains had been used to carry out successful cyberattacks, according to Microsoft. The company says it continues to work with both think tanks and the U.S. Senate to guard against any further attacks.

The attacks come as more and more instances of cyberattacks directed at the 2018 midterm elections come to light. Last month, Russian intelligence targeted Sen. Claire McCaskill, a critic of Moscow and a red-state Democrat who faces a tough reelection bid in Missouri. Additionally, a number of election websites have been hit with DDoS attempts during their primary elections.

“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Microsoft’s blog post read. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”

Smith also announced that Microsoft was providing cybersecurity protection for candidates, campaigns and political institutions that use Office 365 at no additional cost.

Greg Otto contributed to this story. 

SMARTPHONE VOTING IS HAPPENING, BUT NO ONE KNOWS IF IT’S SAFE

Posted on

Originally seen on Wired by Emily Dreyfuss

When news hit this week that West Virginian military members serving abroad will become the first people to vote by phone in a major US election this November, security experts were dismayed. For years, they have warned that all forms of online voting are particularly vulnerable to attacks, and with signs that the midterm elections are already being targeted, they worry this is exactly the wrong time to roll out a new method. Experts who spoke to WIRED doubt that Voatz, the Boston-based startup whose app will run the West Virginia mobile voting, has figured out how to secure online voting when no one else has. At the very least, they are concerned about the lack of transparency.

“From what is available publicly about this app, it’s no different from sending voting materials over the internet,” says Marian Schneider, president of the nonpartisan advocacy group Verified Voting. “So that means that all the built-in vulnerability of doing the voting transactions over the internet is present.”

And there are a lot of vulnerabilities when it comes to voting over the internet. The device a person is using could be compromised by malware. Or their browser could be compromised. In many online voting systems, voters receive a link to an online portal in an email from their election officials—a link that could be spoofed to redirect to a different website. There’s also the risk that someone could impersonate the voter. The servers that online voting systems rely on could themselves be targeted by viruses to tamper with votes or by DDoS attacks to bring down the whole system. Crucially, electronic votes don’t create the paper trail that allows officials to audit elections after the fact, or to serve as a backup if there is in fact tampering.

But the thing is, people want to vote by phone. In a 2016 Consumer Reports survey of 3,649 voting-age Americans, 33 percent of respondents said that they would be more likely to vote if they could do it from an internet-connected device like a smartphone. (Whether it would actually increase voter turnout is unclear; a 2014 report conducted by an independent panel on internet voting in British Columbia concludes that, when all factors are considered, online voting doesn’t actually lead more people to vote.)

Thirty-one states and Washington, DC, already allow certain people, mostly service members abroad, to file absentee ballots online, according to Verified Voting. But in 28 of those states—including Alaska, where any registered voter can vote online—online voters must waive their right to a secret ballot, underscoring another major risk that security experts worry about with online voting: that it can’t protect voter privacy.

“Because of current technological limitations, and the unique challenges of running public elections, it is impossible to maintain separation of voters’ identities from their votes when Internet voting is used,” concludes a 2016 joint report from Common Cause, Verified Voting, and the Electronic Privacy Information Center. That’s true whether those votes were logged by email, fax, or an online portal.

Enter Voatz

Voatz says it’s different. The 12-person startup, which raised $2.2 million in venture capital in January, has worked on dozens of pilot elections, including primaries in two West Virginia counties this May. On a website FAQ, it notes, “There are several important differences between traditional Internet voting and the West Virginia pilot—mainly, security.”

Voatz CEO Nimit Sawhney says the app has two features that make it more secure than other forms of online voting: the biometrics it uses to authenticate a voter and the blockchain ledger where it stores the votes.

The biometrics part occurs when a voter authenticates their identity using a fingerprint scan on their phones. The app works only on certain Androids and recent iPhones with that feature. Voters must also upload a photo of an official ID—which Sawhney says Voatz verifies by scanning their barcodes—and a video selfie, which Voatz will match to the ID using facial-recognition technology. (“You have to move your face and blink your eyes to make sure you are not taking a video of somebody else or taking a picture of a picture,” Sawhney says.) It’s up to election officials to decide whether a voter should have to upload a new selfie or fingerprint scan each time they access the app or just the first time.

“We feel like that extra level of anonymization on the phone and on the network makes it really really hard to reverse-engineer.”

NIMIT SAWHNEY, VOATZ

 

The blockchain comes in after the votes are entered. “The network then verifies it—there’s a whole bunch of checks—then adds it to the blockchain, where it stays in a lockbox until election night,” Sawhney says. Voatz uses a permissioned blockchain, which is run by a specific group of people with granted access, as opposed to a public blockchain like Bitcoin. And in order for election officials to access the votes on election night, they need Voatz to hand deliver them the cryptographic keys.

Sawhney says that election officials print out a copy of each vote once they access them, in order to do an audit. He also tells WIRED that in the version of the app that people will use in November, Voatz will add a way for voters to take a screenshot of their vote and have that separately sent to election officials for a secondary audit.

To address concerns about ballot secrecy, Sawhney says Voatz deletes all personal identification data from its servers, assigns each person a unique but anonymous identifier within the system, and employs a mix of network encryption methods. “We feel like that extra level of anonymization on the phone and on the network makes it really really hard to reverse-engineer,” he says.

Experts Are Concerned

Very little information is publicly available about the technical architecture behind the Voatz app. The company says it has done a security audit with three third-party security firms, but the results of that audit are not public. Sawhney says the audit contains proprietary and security information that can’t leak to the public. He invited any security researchers who want to see the audit to come to Boston and view it in Voatz’s secure room after signing an NDA.

This lack of transparency worries people who’ve been studying voting security for a long time. “In over a decade, multiple studies by the top experts in the field have concluded that internet voting cannot be made secure with current technology. VOATZ claims to have done something that is not doable with current technology, but WON’T TELL US HOW,” writes Stanford computer scientist and Verified Voting founder David Dill in an email to WIRED.

Voatz shared one white paper with WIRED, but it lacks the kind of information experts might expect—details on the system architecture, threat tests, how the system responds to specific attacks, verification from third parties. “In my opinion, anybody purporting to have securely and robustly applied blockchain technology to voting should have prepared a detailed analysis of how their system would respond to a long list of known threats that voting systems must respond to, and should have made their analysis public,” Carnegie Mellon computer scientist David Eckhardt wrote in an email.

Ideally, experts say, Voatz would have held a public testing period of its app before deploying it in a live election. Back in 2010, for example, Washington, DC, was developing an open-source system for online voting and invited the public to try to hack the system in a mock trial. Researchers from the University of Michigan were able to compromise the election server in 48 hours and change all the vote tallies, according to their report afterward. They also found evidence of foreign operatives already in the DC election server. This kind of testing is now considered best practice for any online voting implementation, according to Eckhardt. Voatz’s trials have been in real primaries.

“West Virginia is handing over its votes to a mystery box.”

DAVID DILL, STANFORD UNIVERSITY

 

Voatz’s use of blockchain itself does not inspire security experts, either, who dismissed it mostly as marketing. When asked for his thoughts on Voatz’s blockchain technology, University of Michigan computer scientist Alex Halderman, who was part of the group that threat-tested the DC voting portal in 2010, sent WIRED a recent XKCD cartoon about voting software. In the last panel, a stick figure with a microphone tells two software engineers, “They say they’ve fixed it with something called ‘blockchain.’” The engineers’ response? “Aaaaa!!!” “Whatever they’ve sold you, don’t touch it.” “Bury it in the desert.” “Wear gloves.”

“Voting from an app on a mobile phone is as bad an idea as voting online from a computer,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins, who has studied electronic voting systems since 1997. “The fact that someone is throwing around the blockchain buzzword does nothing to make this more secure. This is as bad an idea as there is.”

Blockchain has its own limitations, and it’s far from a perfect security solution for something like voting. First of all, information can be manipulated before it enters the chain. “In fact, there is an entire industry in viruses to manipulate cryptocurrency transactions before they enter the blockchain, and there is nothing to prevent the use of similar viruses to change the vote,” says Poorvi Vora, a computer scientist and election security expert at George Washington University.

She adds that if the blockchain is a permissioned version, as Voatz’s is, “It is possible for those maintaining the blockchain to collude to change the data, as well as to introduce denial of service type attacks.”

Click on this iOS phishing scam and you’ll be connected to “Apple Care”

Posted on Updated on

Scam website launched phone call, connected victims to “Lance Roger at Apple Care.”

Originally seen on ArsTechnica by:  – 

India-based tech support scams have taken a new turn, using phishing emails targeting Apple users to push them to a fake Apple website. This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.

Scammers are following the money. As more people use mobile devices as their primary or sole way of connecting to the Internet, phishing attacks and other scams have increasingly targeted mobile users. And since so much of people’s lives are tied to mobile devices, they’re particularly attractive targets for scammers and fraudsters.

“People are just more distracted when they’re using their mobile device and trust it more,” said Jeremy Richards, a threat intelligence researcher at the mobile security service provider Lookout. As a result, he said, phishing attacks against mobile devices have a higher likelihood of succeeding.

This particular phish, targeted at email addresses associated with Apple’s iCloud service, appears to be linked to efforts to fool iPhone users into allowing attackers to enroll them into rogue mobile device management services that allow bad actors to push compromised applications to the victim’s phones as part of a fraudulent Apple “security service.”

I attempted to bluff my way through a call to the “support” number to collect intelligence on the scam. The person answering the call, who identified himself as “Lance Roger from Apple Care,” became suspicious of me and hung up before I could get too far into the script.

Running down the scam

In a review of spam messages I’ve received this weekend, I found an email with the subject line, “[username], Critical alert for your account ID 7458.” Formatted to look like an official cloud account warning (but easily, by me at least, discernable as a phish), the email warned, “Sign-in attempt was blocked for your account [email address]. Someone just used your password to try to sign in to your profile.” A “Check Activity” button below was linked to a webpage on a compromised site for a men’s salon in southern India.

That page, using an obfuscated JavaScript, forwards the victim to another website, which in turn forwards to the site applesecurityrisks.xyz—a fake Apple Support page. JavaScript on that pagethen used a programmed “click” event to activate a link on the page that uses the tel:// uniform resource identifier (URI) handler. On an iPhone, this initiates a dialog box to start a phone call; on iPads and other Apple devices, this attempts to launch a FaceTime session.

Meanwhile, an animated dialog box on the screen urged the target to make the call because their phone had been “locked due to illegal activity.” Script on the site scrapes data from the “user agent” data sent by the browser to determine what type of device the page was visited from:

window.defaultText='Your |%model%| has been locked due to detected illegal activity! Immediately call Apple Support to unlock it!';

While the site is still active, it is now marked as deceptive by Google and Apple. I passed technical details of the phishing site to an Apple security team member.

The scam is obviously targeted at the same sort of audience as Windows tech support scamswe’ve reported on. But it doesn’t take too much imagination to see how schemes like this could be used to target people at a specific company, customers of a particular bank, or users of a certain cloud platform to perform much more tailored social engineering attacks.

AT&T mobile 5G network falling short

Posted on Updated on

Originally Seen: TechTarget April 2018

The latest update on AT&T’s mobile 5G network trials indicates the company will need to work faster to meet its goal of launching a commercial service by the end of the year.

AT&T’s latest update on its mobile 5G trials indicates the carrier has significant hurdles to clear to achieve its goal of launching by the end of the year a commercial service based on the high-speed wireless technology.

AT&T published this week a blog describing its progress in the mobile 5G network trials in Austin and Waco, Texas; Kalamazoo, Mich.; and South Bend, Ind. The company started the tests roughly 18 months ago in Austin, adding the other cities late last year.

AT&T, along with Verizon and other carriers, is spending billions of dollars to develop fifth-generation wireless networks for business, consumer and internet of things applications. But the latest metrics published by AT&T were not what analysts would expect from technology for delivering mobile broadband to smartphones, tablets and other devices.

When I look at how AT&T is characterizing these tests, it doesn’t look like mobile 5G to me.

Chris Antlitz, analyst, Technology Business Research Inc.

“When I look at how AT&T is characterizing these tests, it doesn’t look like mobile 5G to me,” said Chris Antlitz, an analyst at Technology Business Research Inc., based in Hampton, N.H.. “It seems like there are some inconsistencies there.”

AT&T plans to deliver mobile 5G over the millimeter wave (mmWave) band, which is a spectrum between 30 gigahertz (GHz) and 300 GHz. MmWave allows for data rates up to 10 Gbps, which comfortably accommodates carriers’ plans for 5G. But before service providers can use the technology, they have to surmount its limitations in signal distance and in traveling through obstacles, like buildings.

AT&T’s mobile 5G network challenges

AT&T’s update indicates mmWave’s constraints remain a challenge. In Waco, for example, AT&T delivered 5G to a retail business roughly 500 feet away from its cellular transmitter. That maximum distance would require more transmitters than the population outside of major cities could support, Antlitz said.

AT&T, however, could provide a fixed wireless network that sends a 5G signal to residences and businesses as an alternative to wired broadband, Antlitz said. AT&T rival Verizon plans to offer that product by the end of the year.

Other shortcomings include AT&T’s limited success in sending a 5G signal from the cellular transmitter through the buildings, trees and other obstacles likely to stand in the way of its destination. In the trial update, AT&T said it achieved gigabit speeds only in “some non-line of sight conditions.” A line of sight typically refers to an unobstructed path between the transmitting and receiving antennas.

Distance and piercing obstacles are challenges for any carrier using mmWave for a mobile 5G network. Buildings and other large physical objects can block the technology’s short, high-frequency wavelengths. Also, gases in the atmosphere, rain and humidity can weaken mmWave’s signal strength, limiting the technology’s reach to six-tenths of a mile or less.

AT&T’s achievement in network latency also falls short of what’s optimal for a mobile 5G network. The carriers’ 9 to 12 milliseconds seem “a little high,” Antlitz said. “I would expect that on LTE, not 5G. 5G should be lower.”

While AT&T has likely made some progress in developing mobile 5G, “a lot of work needs to be done,” said Rajesh Ghai, an analyst at IDC.

Delays possible in AT&T, Verizon 5G offerings

Meanwhile, Verizon is testing its fixed wireless 5G network — a combination of mmWave and proprietary technology — in 11 major metropolitan areas. So far, the features Verizon has developed places the carrier “fairly far ahead of AT&T in terms of maximizing the capabilities of 5G,” Antlitz said.

Nevertheless, neither Verizon nor AT&T is a sure bet for launching a commercial 5G network this year.

“Some of this stuff might wind up getting pushed into 2019,” Antlitz said. “There are so many things that could throw a monkey wrench in their timetable. The probability of something doing that is very high.”

HOW CREATIVE DDOS ATTACKS STILL SLIP PAST DEFENSES

Posted on Updated on

Originally Seen: March 12, 2018 on Wired.

DISTRIBUTED DENIAL OF service attacks, in which hackers use a targeted hose of junk traffic to overwhelm a service or take a server offline, have been a digital menace for decades. But in just the last 18 months, the public picture of DDoS defense has evolved rapidly. In fall 2016, a rash of then-unprecedented attacks caused internet outages and other service disruptions at a series of internet infrastructure and telecom companies around the world. Those attacks walloped their victims with floods of malicious data measured up to 1.2 Tbps. And they gave the impression that massive, “volumetric” DDOS attacks can be nearly impossible to defend against.

The past couple of weeks have presented a very different view of the situation, though. On March 1, Akamai defended developer platform GitHub against a 1.3 Tbps attack. And early last week, a DDOS campaign against an unidentified service in the United States topped out at a staggering 1.7 Tbps, according to the network security firm Arbor Networks. Which means that for the first time, the web sits squarely in the “terabit attack era,” as Arbor Networks put it. And yet, the internet hasn’t collapsed.

One might even get the impression from recent high-profile successes that DDoS is a solved problem. Unfortunately, network defenders and internet infrastructure experts emphasize that despite the positive outcomes, DDoS continues to pose a serious threat. And sheer volume isn’t the only danger. Ultimately, anything that causes disruption and affects service availability by diverting a digital system’s resources or overloading its capacity can be seen as a DDoS attack. Under that conceptual umbrella, attackers can generate a diverse array of lethal campaigns.

“DDoS will never be over as a threat, sadly,” says Roland Dobbins, a principal engineer at Arbor Networks. “We see thousands of DDoS attacks per day—millions per year. There are major concerns.”

Getting Clever

One example of a creative interpretation of a DDoS is the attack Netflix researchers tried out against the streaming service itself in 2016. It works by targeting Netflix’s application programming interface with carefully tailored requests. These queries are built to start a cascade within the middle and backend application layers the streaming service is built on—demanding more and more system resources as they echo through the infrastructure. That type of DDoS only requires attackers to send out a small amount of malicious data, so mounting the offensive would be cheap and efficient, but clever execution could cause internal disruptions or a total meltdown.

“What creates the nightmare situations are the smaller attacks that overwork applications, firewalls, and load balancers,” says Barrett Lyon, head of research and development at Neustar Security Solutions. “The big attacks are sensational, but it’s the well-crafted connection floods that have the most success.”

‘We see thousands of DDoS attacks per day—millions per year.’

ROLAND DOBBINS, ARBOR NETWORKS

These types of attacks target specific protocols or defenses as a way of efficiently undermining broader services. Overwhelming the server that manages firewall connections, for example, can allow attackers to access a private network. Similarly, deluging a system’s load balancers—devices that manage a network’s computing resources to improve speed and efficiency—can cause backups and overloads. These types of attacks are “as common as breathing,” as Dobbins puts it, because they take advantage of small disruptions that can have a big impact on an organization’s defenses.

Similarly, an attacker looking to disrupt connectivity on the internet in general can target the exposed protocols that coordinate and manage data flow around the web, rather than trying to take on more robust components.

That’s what happened last fall to Dyn, an internet infrastructure company that offers Domain Name System services (essentially the address book routing structure of the internet). By DDoSing Dyn and destabilizing the company’s DNS servers, attackers caused outages by disrupting the mechanism browsers use to look up websites. “The most frequently attacked targets for denial of service is web severs and DNS servers,” says Dan Massey, chief scientist at the DNS security firm Secure64 who formerly worked on DDoS defense research at the Department of Homeland Security. “But there are also so many variations on and so many components of denial of service attacks. There’s no such thing as one-size-fits-all defense.”

Memcached and Beyond

The type of DDoS attack hackers have been using recently to mount enormous attacks is somewhat similar. Known as memcached DDoS, these attacks take advantage of unprotected network management servers that aren’t meant to be exposed on the internet. And they capitalize on the fact that they can send a tiny customized packet to a memcached server, and elicit a much larger response in return. So a hacker can query thousands of vulnerable memcached servers multiple times per second each, and direct the much larger responses toward a target.

This approach is easier and cheaper for attackers than generating the traffic needed for large-scale volumetric attacks using a botnet—the platforms typically used to power DDoS assaults. The memorable 2016 attacks were famously driven by the so-called “Mirai” botnet. Mirai infected 600,000 unassuming Internet of Things products, like webcams and routers, with malware that hackers could use to control the devices and coordinate them to produce massive attacks. And though attackers continued to refine and advance the malware—and still use Mirai-variant botnets in attacks to this day—it was difficult to maintain the power of the original attacks as more hackers jockeyed for control of the infected device population, and it splintered into numerous smaller botnets.

‘There’s no such thing as one-size-fits-all defense.’

DAN MASSEY, SECURE64

While effective, building and maintaining botnets requires resources and effort, whereas exploiting memcached servers is easy and almost free. But the tradeoff for attackers is that memcached DDOS is more straightforward to defend against if security and infrastructure firms have enough bandwidth. So far, the high-profile memcached targets have all been defended by services with adequate resources. In the wake of the 2016 attacks, foreseeing that volumetric assaults would likely continue to grow, defenders seriously expanded their available capacity.

As an added twist, DDoS attacks have also increasingly incorporated ransom requests as part of hackers’ strategies. This has especially been the case with memcached DDoS. “It’s an attack of opportunity,” says Chad Seaman, a senior engineer on the security intelligence response team at Akamai. “Why not try and extort and maybe trick someone into paying it?”

The DDoS defense and internet infrastructure industries have made significant progress on DDoS mitigation, partly through increased collaboration and information-sharing. But with so much going on, the crucial point is that DDoS defense is still an active challenge for defenders every day. “

When sites continue to work it doesn’t mean it’s easy or the problem is gone.” Neustar’s Lyon says. “It’s been a long week.”

Look-Alike Domains and Visual Confusion

Posted on

Originally Seen: March 8th, 2018 on krebsonsecurity.

How good are you at telling the difference between domain names you know and trust and impostor or look-alike domains? The answer may depend on how familiar you are with the nuances of internationalized domain names (IDNs), as well as which browser or Web application you’re using.

For example, how does your browser interpret the following domain? I’ll give you a hint: Despite appearances, it is most certainly not the actual domain for software firm CA Technologies (formerly Computer Associates Intl Inc.), which owns the original ca.com domain name:

https://www.са.com/

Go ahead and click on the link above or cut-and-paste it into a browser address bar. If you’re using Google ChromeApple’s Safari, or some recent version of Microsoft‘s Internet Explorer or Edge browsers, you should notice that the address converts to “xn--80a7a.com.” This is called “punycode,” and it allows browsers to render domains with non-Latin alphabets like Cyrillic and Ukrainian.

Below is what it looks like in Edge on Windows 10; Google Chrome renders it much the same way. Notice what’s in the address bar (ignore the “fake site” and “Welcome to…” text, which was added as a courtesy by the person who registered this domain):

IE, Edge, Chrome and Safari all will convert https://www.са.com/ into its punycode output (xn--80a7a.com), in part to warn visitors about any confusion over look-alike domains registered in other languages. But if you load that domain in Mozilla Firefox and look at the address bar, you’ll notice there’s no warning of possible danger ahead. It just looks like it’s loading the real ca.com:

The domain “xn--80a7a.com” pictured in the first screenshot above is punycode for the Ukrainian letters for “s” (which is represented by the character “c” in Russian and Ukrainian), as well as an identical Ukrainian “a”.

It was registered by Alex Holden, founder of Milwaukee, Wis.-based Hold Security Inc.Holden’s been experimenting with how the different browsers handle punycodes in the browser and via email. Holden grew up in what was then the Soviet Union and speaks both Russian and Ukrainian, and he’s been playing with Cyrillic letters to spell English words in domain names.

Letters like A and O look exactly the same and the only difference is their Unicode value. There are more than 136,000 Unicode characters used to represent letters and symbols in 139 modern and historic scripts, so there’s a ton of room for look-alike or malicious/fake domains.

For example, “a” in Latin is the Unicode value “0061” and in Cyrillic is “0430.”  To a human, the graphical representation for both looks the same, but for a computer there is a huge difference. Internationalized domain names (IDNs) allow domain names to be registered in non-Latin letters (RFC 3492), provided the domain is all in the same language; trying to mix two different IDNs in the same name causes the domain registries to reject the registration attempt.

So, in the Cyrillic alphabet (Russian/Ukrainian), we can spell АТТ, УАНОО, ХВОХ, and so on. As you can imagine, the potential opportunity for impersonation and abuse are great with IDNs. Here’s a snippet from a larger chart Holden put together showing some of the more common ways that IDNs can be made to look like established, recognizable domains:

Holden also was able to register a valid SSL encryption certificate for https://www.са.com from Comodo.com, which would only add legitimacy to the domain were it to be used in phishing attacks against CA customers by bad guys, for example.

A SOLUTION TO VISUAL CONFUSION

To be clear, the potential threat highlighted by Holden’s experiment is not new. Security researchers have long warned about the use of look-alike domains that abuse special IDN/Unicode characters. Most of the major browser makers have responded in some way by making their browsers warn users about potential punycode look-alikes.

With the exception of Mozilla, which by most accounts is the third most-popular Web browser. And I wanted to know why. I’d read the Mozilla Wiki’s IDN Display Algorithm FAQ,” so I had an idea of what Mozilla was driving at in their decision not to warn Firefox users about punycode domains: Nobody wanted it to look like Mozilla was somehow treating the non-Western world as second-class citizens.

I wondered why Mozilla doesn’t just have Firefox alert users about punycode domains unless the user has already specified that he or she wants a non-English language keyboard installed. So I asked that in some questions I sent to their media team. They sent the following short statement in reply:

“Visual confusion attacks are not new and are difficult to address while still ensuring that we render everyone’s domain name correctly. We have solved almost all IDN spoofing problems by implementing script mixing restrictions, and we also make use of Safe Browsing technology to protect against phishing attacks. While we continue to investigate better ways to protect our users, we ultimately believe domain name registries are in the best position to address this problem because they have all the necessary information to identify these potential spoofing attacks.”

If you’re a Firefox user and would like Firefox to always render IDNs as their punycode equivalent when displayed in the browser address bar, type “about:config” without the quotes into a Firefox address bar. Then in the “search:” box type “punycode,” and you should see one or two options there. The one you want is called “network.IDN_show_punycode.” By default, it is set to “false”; double-clicking that entry should change that setting to “true.”

Incidentally, anyone using the Tor Browser to anonymize their surfing online is exposed to IDN spoofing because Tor by default uses Mozilla as well. I could definitely see spoofed IDNs being used in targeting phishing attacks aimed at Tor users, many of whom have significant assets tied up in virtual currencies. Fortunately, the same “about:config” instructions work just as well on Tor to display punycode in lieu of IDNs.

Holden said he’s still in the process of testing how various email clients and Web services handle look-alike IDNs. For example, it’s clear that Twitter sees nothing wrong with sending the look-alike CA.com domain in messages to other users without any context or notice. Skype, on the other hand, seems to truncate the IDN link, sending clickers to a non-existent page.

“I’d say that most email services and clients are either vulnerable or not fully protected,” Holden said.

For a look at how phishers or other scammers might use IDNs to abuse your domain name, check out this domain checker that Hold Security developed. Here’s the first page of results for krebsonsecurity.com, which indicate that someone at one point registered krebsoṇsecurity[dot]com (that domain includes a lowercase “n” with a tiny dot below it, a character used by several dozen scripts). The results in yellow are just possible (unregistered) domains based on common look-alike IDN characters.

I wrote this post mainly because I wanted to learn more about the potential phishing and malware threat from look-alike domains, and I hope the information here has been interesting if not also useful. I don’t think this kind of phishing is a terribly pressing threat (especially given how far less complex phishing attacks seem to succeed just fine for now). But it sure can’t hurt Firefox users to change the default “visual confusion” behavior of the browser so that it always displays punycode in the address bar (see the solution mentioned above).

The security concerns of cloud cryptomining services

Posted on

Originally seen on: TechTarget

Cloud cryptomining as a service is a security risk to users. Expert Frank Siemons discusses cloud mining service providers and what to look out for if you use one.

One of the more interesting news stories over the last year has been the rise — and, currently, the fall of cryptocurrencies.

Bitcoin is the best-known variety, but other cryptocurrencies, such as Litecoin, Ripple and Ethereum, also saw dramatic increases in their worth during 2017. While some of this value dropped off in the first few weeks of 2018, there exists significant value in these currencies.

These virtual coins or their transactions can be mined for a fee, though some coin varieties are more profitable than others. Bitcoin, for instance, has passed the stage where mining at home returns a profit. The complexity and the mining workload have increased so much that the generated electricity costs far outweigh the value of the mined coins.

To avoid individual initial setup costs and to benefit from some of the efficiency increases that large specialized clusters bring, prospective miners can sign up with a cloud mining service provider.

Cloud mining service providers

The main benefit cloud cryptomining providers offer is their economy of scale. Primarily, these providers operate large data centers filled with specialized mining rigs. Everything from purpose-built hardware and software to power consumption is built around gaining maximum efficiency for cryptomining operations.

This significant investment has already been made, and the customer rents a small part of the processing power — expressed in mega or giga hashes per second — based on their expectancy that the currency will be at a certain price point during the rental period.

Security concerns for cloud cryptomining

The mined virtual coins need to be stored in a digital wallet eventually. Home miners are advised to store this wallet on an encrypted offline medium, such as a detachable USB drive, or to use a secure online digital wallet service.

However, both options carry the risk of losing the stored cryptocurrency. This could be due to the theft or loss of the USB drive, a compromised computer, or a hack or bug within a digital wallet service, for instance.

A cloud cryptomining provider is not bound by the same regulations as a traditional bank. This lack of regulation brings with it significant risk. The providers potentially hold a significant amount of value in the form of virtual money, which makes them an attractive target for cybercriminals.

Some research into where data centers are located and under which jurisdiction they fall is fundamental. After all, technically these data centers could hold a significant investment in their virtual vault. Even physical security is an essential factor to consider.

Because cloud cryptomining services depend on distributed networks and require access to the internet, fully air-gapped storage is not possible in a cloud system. This opens up an entry point for external attackers, which is what the NiceHash hackers exploited when they stole an estimated $64 million worth of bitcoin in 2017.

The attackers gained access to a corporate machine through an engineer’s VPN account and started making transactions via NiceHash’s payment system. This simply could not have happened if an offline wallet was used, as is often the case in smaller, individual setups.

Of course, attacks do not need to come from the outside. When relying on a company that is located in another country, the risk of internal fraud is high because it is handling a large amount of money without the protection of banking regulations. Several cases have been reported where either a staff member ran off with a significant amount of virtual currency or the entire cloud mining company was based on a scam.

Several provider comparison sites exist that discuss the reputations of cloud cryptomining companies. It is also advised to check online forums and social media channels before committing to any investment. Research is critical.

Conclusion

Where there is money, there is crime. The substantial increase in cryptocurrency investments and their meteoric rise in value over the recent months have paved the way for many scams and breaches that are traditionally linked to banks and investment schemes.

Does this mean cloud cryptomining is always unsafe? It does not, but it is essential to look at the providers with at least the same amount of scrutiny as one would use when looking at a more traditional investment firm.

Probably even more scrutiny should be applied because of the lack of proper regulation at this point. As always, technology has outpaced policy.

 

Google Bans Cryptocurrency-Related Ads

Posted on Updated on

Originally seen on: Bleepingcomputer.com

Google has decided to follow on Facebook’s footsteps and ban cryptocurrency-related advertising. The ban will enter into effect starting June 2018, the company said today in a help page.

In June 2018, Google will update the Financial services policy to restrict the advertisement of Contracts for Difference, rolling spot forex, and financial spread betting. In addition, ads for the following will no longer be allowed to serve:
‧  Binary options and synonymous products
‧  Cryptocurrencies and related content (including but not limited to initial coin offerings, cryptocurrency exchanges, cryptocurrency wallets, and cryptocurrency trading advice)

The ban will enter into effect across all of Google’s advertising network, including ads shown in search results, on third-party websites, and YouTube.

Some ads will be allowed, but not many

But the ban is not total. Google said that certain entities will be able to advertise a limited set of the banned services, including “cryptocurrencies and related content.”

These advertisers will need to apply for certification with Google. The downside is that the “Google certification process” will only be available for advertisers located in “certain countries.”

Google did not provide a list of countries, but said the advertisers will have to be licensed by relevant financial services and “comply with relevant legal requirements, including those related to complex speculative financial products.”

Prices for almost all cryptocurrencies fell across the board today after Google’s announcement, and most coins continued to lose value.

 

Scams and phishing sites to blame

While Google did not provide a backdrop to the reasons it banned cryptocurrency ads, they are likely to be the same to the ones cited by Facebook —misleading ads being abused to drive traffic to financial scams and phishing sites.

There’s been a surge in malware and phishing campaigns targeting cryptocurrency owners ever since Bitcoin price surged in December 2016 [12]. Just last month, Cisco Talos and Ukrainian police disrupted a cybercriminal operation that made over $50 million by using Google ads to to drive traffic to phishing sites.

Malicious ads for cryptocurrencies
Malicious ads for cryptocurrencies

 

report published by “Big Four” accounting firm Ernst & Young in December 2017 reveals that 10% of all ICO (Initial Coin Offering) funds were lost to hackers and scams, and cryptocurrency phishing sites made around $1.5 million per month. The company says that cryptocurrency hacks and scams are a big business, and estimates that crooks made over $2 billion by targeting cryptocoin fans in the past years.

Furthermore, a Bitcoin.com survey revealed that nearly half of 2017’s cryptocurrencies had already failed.

The recent trend of using the overhyped cryptocurrency market and ICOs for financial scams is also the reason why the US Securities and Exchange Commission (SEC) has started investigating and charging people involved in these practices.

This constant abuse of the cryptocurrency theme was the main reason why Facebook banned such ads on its platform, and is, most likely, the reason why Google is getting ready to implement a similar ban in June.

 

Emotet Trojan: How to defend against fileless attacks

Posted on Updated on

Last Seen: March 2018 on Tech Target
An increase in fileless malware, including PowerShell malware, was reported in McAfee Labs’ December 2017 Threat Report. Discover how enterprises can defend again fileless attacks.

It can be easy to dispute or question industry reports from top security vendors because the data is often collected from those vendors’ customers, and it is frequently used to show how the vendors’ products can better protect enterprises.

However, these reports can often help enterprises improve their information security programs. Antimalware companies often use this data-driven tactic to dig into specific examples of threats so enterprises can determine if they are adequately protected from those threats.

In this tip, we’ll discuss PowerShell malware, the specific example of the Emotet Trojan and enterprise defenses for these threats.

PowerShell malware and the Emotet Trojan

McAfee reported a surge in fileless attacks in 2017’s Q3 in which malicious code in macros used PowerShell to execute malware. One notable piece of fileless malware was the Emotet Trojan.

Before getting into the details of the threat, it’s important to note than when a vendor report states that the highest number of incidents for a specific malware type was observed, that doesn’t necessarily mean that the number is all that meaningful. The amount of malware detected only matters to an antimalware company in terms of how many resources they need to analyze the malware, report on it and ensure that their customers are adequately protected.

When a report references fileless attacks, it also doesn’t necessarily mean that no files were used in the attack.

When a report references fileless attacks, it also doesn’t necessarily mean that no files were used in the attack. Fileless usually means that no files were left behind on a system for persistence, but files were used in the attack.

The fileless aspect could also mean that PowerShell, cmd or WMIC were used as part of the attack to execute code on the endpoint. This could include downloading a file or writing data to the registry to create a persistence mechanism on the endpoint.

Emotet is a type of banking Trojan that is distributed by botnets; it spams recipients to socially engineer them into opening a malicious attachment — usually a Word document that has a malicious macro. When the macro runs, it calls a PowerShell, cmd or WMIC command to download malware onto the endpoint for persistence.

While files are used in several different parts of the attack, the fileless aspect occurs when PowerShell or cmd is used to download the next step in the attack. Unlike using a downloader to download a piece of malware to the endpoint, the fileless approach can help to avoid potential detection.

Enterprise defenses against PowerShell malware

Since responding to malware threats is absolutely critical, ensuring your enterprise is prepared is important. We’ve discussed fileless malware at length, but malware is constantly evolving and, thus, security tools must do the same.

Some tools have incorporated functionality to address fileless attacks, while other new endpoint security tools have emerged to address these threats and current attacks. However, attacks continue to use known vulnerabilities or insecure functionality, as well as legitimate tools and functions like PowerShell, to take over endpoints.

 

While the Emotet Trojan contains new functionalities, some of them can still be blocked using basic endpoint security hygiene to prevent known vulnerabilities or insecure functionalities, such as limiting admin privilege, reducing the attack surface of an endpoint by removing or restricting unnecessary applications or tools, whitelisting, and keeping a system up to date with patches.

Your next step should be to check how your existing security tool vendors address Emotet because many different endpoint security vendors have different methods and advice on how to protect your enterprise. One common method among these tools is blocking executables or changes to the system via signatures, behavioral monitoring, or a combination of both detecting and monitoring common methods for persistence, such as preventing the Run registry keys from being modified.

Some of the tools specifically block Microsoft Word from calling out to PowerShell, which can block a malicious PowerShell command from executing on the system.

Examining infected systems on your network to determine how they were infected can identify which security controls need to be updated to properly protect your endpoints.

Conclusion

While the world is changing faster than anyone may realize or want to admit, some of the basics have stayed the same. Ensuring that you are regularly updating your information security program to identify which security controls are properly working is necessary to manage information security risk and protect your enterprise from the Emotet Trojan.

How to handle Ransomware in the Cloud

Posted on Updated on

Expert Ed Moyle looks at ransomware in the cloud and how it differs from traditional ransomware attacks. Find out how your organization can prepare for both.

Originally seen: December 2017 on Tech Target
With recent events, like the WannaCry and NotPetya ransomware outbreaks, most organizations are fully alert to the threat of ransomware. They may have invested significant time and energy in response to those events, or they may have spent equal time bolstering their own preparedness. There is a potential attack surface that may have received comparatively less attention, but that is nevertheless equally important: the cloud.

Cloud environments are no less susceptible to ransomware than other environments. However, they have properties that can make response and preparedness different. For example, they might employ different notification and communications channels, they might involve different personnel, and there may be a different control set in use. It can behoove organizations to think through ransomware in the cloud the same way they prepare for ransomware for internal systems and applications.

Ransomware in the cloud

Using an infrastructure as a service (IaaS) platform gives the cloud customer more visibility into the underlying OS than other cloud models, but this, in turn, means that issues, like patching — particularly in the case of legacy or special purpose systems — are just as complex as in other environments, and therefore may take longer than one might like.

The issue is that an IaaS environment might be susceptible to ransomware. What is different with IaaS, though, is how the organization discovers the ransomware, how it responds and how it protects against the threat. As a practical matter, different personnel are often responsible for direct oversight of IaaS workloads compared to other technology.

For example, cloud is conducive to shadow IT. It can be hard for enterprise security teams to identify and manage shadow cloud applications used by employees and lines of business across an organization. Will a development team, business team or other non-IT organization plan for — and be ready to remediate — ransomware in the cloud to the same extent as the technology organization?

Even if shadow IT isn’t a factor for an organization, initial notification of a ransomware event might come through a different channel than expected. For example, notifications could come from a relationship manager for larger deployments; a defined escalation channel with the service provider, which might be a business team; or through a provider-maintained service portal.

Also, keep in mind that both the resolution and implementation of specific countermeasures might need to be done through different channels. As an example, if a key activity in response to a rapidly proliferating ransomware, like WannaCry, is to proactively patch, the manner in which you affect this might vary for the cloud — an enterprise might need to schedule a maintenance window with its provider, for instance.

Aside from IaaS, other cloud models can be impacted, as well. Even SaaS isn’t immune — consider storage such as Dropbox, Google Drive, etc. Typically, these services work by syncing local files to the cloud; for a small organization, this might constitute its primary storage, backup or data sharing mechanism. What happens when the local files are encrypted, deleted, overwritten with garbage or otherwise compromised by ransomware? Those changes will be synced to the cloud.

Mitigation strategies for cloud ransomware

What can organizations do to prepare for ransomware in a cloud environment? There are a few things that can make response significantly easier. Probably the most effective thing organizations can do — for both cloud environments and for any other environment — is to specifically exercise response and escalation procedures.

Regardless of what method an organization employs, though, the most important thing is to think through it in advance and view protection measures critically.

For example, a tabletop exercise can be very helpful in this regard. A tabletop exercise defuses the primary question: will you pay the ransom? Invariably, someone will suggest paying it regardless of law enforcement and others arguing against it — discussing this specifically ahead of time helps clarify pros and cons when adrenaline levels aren’t off the charts.

Secondly, working through alert and response scenarios ahead of time means you get answers to key questions: how will you be notified of an event? Who will be notified, and what notification pathways correspond to specific cloud relationships? Also, what is required to take responsive action in each of those channels?

It’s also a useful idea to undertake a systematic risk assessment specifically for ransomware. You might, for example, look at backup and response processes to ensure that, should data be specifically targeted by ransomware that seeks to render it inaccessible, the organization has thought through protection and recovery strategies at the technical level.

For an IaaS relationship, think through and test backup and response services that service providers might offer, technical controls that they offer and the countermeasures the organization already employs. This level of risk analysis is probably already done for the enterprise as a whole, but you should take measures to specifically extend that to cloud relationships. This can be somewhat time-consuming for organizations that have numerous service provider relationships in place, but this effort can be folded into a broader activity that has value beyond just ransomware — for example, malware mitigation more generally, data gathering about cloud relationships, threat modeling, cloud governance or other activities that involve the systematic analysis of cloud relationships.

The arguably harder situation in the event of ransomware in the cloud is the intersection of SaaS and smaller organizations — specifically, the possibility of corruption of cloud storage through synchronization of ransomware-impacted files to a remote storage repository. Specific measures to prevent this are available, such as keeping a manually synced or time-initiated mirror of data at another repository, assuming that the volume in question isn’t such that this is prohibitively expensive.

Alternatively, backup solutions that keep prior iterations of data can provide a means of recovery even if the primary storage location is compromised. Regardless of what method an organization employs, though, the most important thing is to think through it in advance and view protection measures critically.

 

Chime in and let us know what you are doing to stay proactive.