Submission + - Petya-Derived Ransomware Is Acting Like Shamoon, Wiping Data

Trailrunner7 writes: Security researchers are continuing to delve into the details of the latest ransomware outbreak, and have found that the ExPetr ransomware has a number of interesting characteristics that separate it from other variants and raise questions about its purpose.

Most ransomware is designed solely to make money for the attacker. But ExPetr not only encrypts users’ files but it exhibits some destructive behavior, too.

“Beyond encrypting files, this ransomware also attempts to overwrite the MBR and the first sector of the VBR. If the malware is run with SeShutdownPrivilege or SeDebugPrivilege or SeTcbPrivilege privilege, it overwrites the MBR of the victim’s machine,” Microsoft’s researchers said.

Overwriting the master boot record essentially leaves a PC unusable and is the kind of behavior that’s normally associated with wiper malware such as Shamoon. Those variants are designed to destroy data, not encrypt it and hold it for ransom, and researchers say the financial aspect of ExPetr may just be a decoy.
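Because the post above turns on whether the first sector of the disk has been overwritten, here is an added triage check (example code written for this page, not from Microsoft or any of the researchers quoted) that parses a 512-byte MBR and reports the conditions a wiped sector typically exhibits: no 0x55AA signature, zeroed or garbage boot code, and nonsensical partition entries. The "healthy" and "wiped" sectors are constructed inline for the example; on a real system the input would be the first sector read from the physical disk or a forensic image.

```python
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        entries.append({"index": index, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_health(sector: bytes) -> Dict[str, object]:
    """Return {"intact": bool, "problems": [...], "partitions": [...]} for one sector.

    An MBR overwritten by a wiper usually fails several of these checks at once.
    """
    problems: List[str] = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    if sector[:PARTITION_TABLE_OFFSET] == bytes(PARTITION_TABLE_OFFSET):
        problems.append("boot code area is all zeros")
    partitions = parse_partition_table(sector)
    if all(p["type"] == 0 for p in partitions):
        problems.append("no partition entries defined")
    for p in partitions:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"entry {p['index']} has invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            problems.append(f"entry {p['index']} has a zero-length partition")
    if sum(1 for p in partitions if p["status"] == 0x80) > 1:
        problems.append("more than one entry marked bootable")
    return {"intact": not problems, "problems": problems, "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a JMP stub, NOP padding, one bootable NTFS partition."""
    boot_code = b"\xEB\x3C\x90" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return boot_code + ntfs + bytes(16) * 3 + BOOT_SIGNATURE


# Constructed "after the wiper" sectors: one zeroed, one overwritten with a byte ramp.
WIPED_ZEROS = bytes(SECTOR_SIZE)
WIPED_GARBAGE = bytes(range(256)) * 2


if __name__ == "__main__":
    samples = [("healthy", build_sample_mbr()), ("zeroed", WIPED_ZEROS), ("garbage", WIPED_GARBAGE)]
    for name, sector in samples:
        report = mbr_health(sector)
        print(name, "intact" if report["intact"] else "DAMAGED", report["problems"])
```

Hashing the sector at baseline and comparing after an incident is the cheaper check; the structural checks above are for the case where no baseline exists, and they deliberately accept any boot code as long as it is not all zeros, since legitimate boot loaders vary.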

Submission + - Petya Ransomware Hits Companies Across Europe

Trailrunner7 writes: A fast-moving ransomware attack has hit a number of companies in several European countries, the second such widespread ransomware outbreak in as many months. The new attack is showing signs of using the same EternalBlue exploit developed by the NSA that the WannaCry worm used last month.

The attack is using a new variant of the Petya ransomware and there are reports of infections in several countries, including Ukraine, India, France, Russia, and Spain. Security researchers said the Petya variant being used in this campaign uses a fake Microsoft digital signature that was lifted from a legitimate Microsoft utility. The variant appears to be just a few days old.

“The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp,” Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, said Tuesday morning as the attack was spreading.
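The compile date quoted above comes from the TimeDateStamp field of the PE file's COFF header. The following added example (written for this page, not Kaspersky's tooling) shows where that field lives and how to read it with nothing but the standard library, and adds the sanity check a practitioner applies before trusting it: the stamp is written by the linker and trivially forged, so it is compared against when the sample was first observed. The PE headers and the first-seen time are constructed for the example; the timestamp value 1497770086 (2017-06-18 07:14:46 UTC) was chosen here and is not the real sample's value.

```python
import struct
from datetime import datetime, timezone
from typing import Dict

PE_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_coff_header(data: bytes) -> Dict[str, int]:
    """Locate the COFF file header via e_lfanew (offset 0x3C) and return its fields."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE signature")
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    names = ("machine", "number_of_sections", "time_date_stamp", "pointer_to_symbol_table",
             "number_of_symbols", "size_of_optional_header", "characteristics")
    return dict(zip(names, fields))


def pe_compile_time(data: bytes) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch; report it as UTC."""
    return datetime.fromtimestamp(pe_coff_header(data)["time_date_stamp"], tz=timezone.utc)


def assess_timestamp(compiled: datetime, first_seen: datetime) -> str:
    """Judge the build time against the moment the sample was first observed."""
    if compiled.timestamp() == 0:
        return "zeroed (reproducible build or deliberately stripped)"
    if compiled > first_seen:
        return "in the future relative to first sighting: almost certainly forged"
    age_days = (first_seen - compiled).days
    if age_days > 365 * 10:
        return f"{age_days} days old: implausible for fresh malware, likely forged"
    return f"{age_days} days before first sighting: plausible"


def build_sample_pe(time_date_stamp: int, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed minimal headers: DOS header with e_lfanew=0x80, then PE signature + COFF header."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", machine, 3, time_date_stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


SAMPLE_TIMESTAMP = 1497770086                                    # constructed: 2017-06-18 07:14:46 UTC
SAMPLE_PE = build_sample_pe(SAMPLE_TIMESTAMP)
FIRST_SEEN = datetime(2017, 6, 27, 9, 0, tzinfo=timezone.utc)   # constructed sighting time

if __name__ == "__main__":
    compiled = pe_compile_time(SAMPLE_PE)
    print("compiled:", compiled.isoformat())
    print("verdict :", assess_timestamp(compiled, FIRST_SEEN))
```

A plausible stamp is weak evidence on its own; it becomes useful when it agrees with other artifacts such as the linker version, debug directory timestamps and the dates of the certificates or resources bundled with the file.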

Submission + - Lawsuit Filed After Personal Data of Nearly 200 Million Voters Exposed

Trailrunner7 writes: A few days after the personal data of nearly 200 million registered American voters was accidentally exposed online due to an “improperly configured security setting”, some of the people affected by the breach have filed a class-action lawsuit against the analytics company responsible for the leak.

A total of 1.1 terabytes of data was available to download and was left unprotected by a password or any other security measure. UpGuard cyber risk analyst Christopher Vickery found the unsecured database on June 12, and downloaded the data over the course of the next two days. Deep Root Analytics, a conservative data analytics firm, confirmed ownership of the data and responsibility for the misconfiguration. Much of the information came from the 2008, 2012, and 2016 presidential elections. The 2016 files were not as in depth as previous election cycles.

Deep Root Analytics claimed that this file became open on June 1 as new security settings were put in place. While the data was owned by Deep Root, it was collected from multiple different conservative data agencies leading all the way back to 2006.

Submission + - FBI Seeks $21M to Counter Encryption

Trailrunner7 writes: The FBI is asking for more than $20 million in the 2018 fiscal year budget to counter what the bureau sees as the threat of encryption, both in devices and in real-time communications tools such as text or voice apps.

The request is part of the Department of Justice’s proposed budget for the next fiscal year, and Deputy Attorney General Rod Rosenstein said during a Senate hearing Tuesday that the FBI would use the money for a wide variety of things. In his testimony, Rosenstein said that the increased use of encryption, which the FBI and other law enforcement agencies refer to as the problem of “going dark”, is a growing challenge and needs funding support.

“The seriousness of this threat cannot be overstated. ‘Going Dark’ refers to law enforcement’s increasing inability to lawfully access, collect, and intercept real-time communications and stored data, even with a warrant, due to fundamental shifts in communications services and technologies,” Rosenstein said.

Submission + - New macOS Ransomware Service Emerges

Trailrunner7 writes: The ransomware scourge is beginning to creep, ever so slightly, into the Apple ecosystem, as researchers have discovered a new service hosted on the Tor network that will develop custom ransomware samples for buyers on demand.

The ransomware as a service model is not new, but this is believed to be the first one that targets macOS specifically. In order to gain access to the ransomware, a buyer would need to locate the portal on the Tor network and then get in touch with the creator via email. Weirdly, in their email response to inquiries, the MacRansom creators claim to be legitimate security researchers who saw a market need and decided to address it.

“We are engineers at Yahoo and Facebook. During our years as security researchers we found that there lacks sophisticated malewares [sic] for Mac users,” the email says, according to a post by Rommel Joven and Wayne Chin Yick Low of Fortinet, who analyzed the MacRansom malware.

Submission + - Apple to Force Users to 2FA on iOS 11, High Sierra

Trailrunner7 writes: With the upcoming releases of iOS 11 and macOS High Sierra later this year, Apple is planning to force many users to adopt two-factor authentication for their accounts.

The company this week sent an email to customers who have the existing two-step verification enabled for their Apple IDs, informing them that once they install the public betas of the new operating systems they will be migrated to two-factor authentication automatically. Two-step verification is an older method of account security that Apple rolled out before full two-factor authentication was available. Apple is phasing that out and will be upgrading people with eligible devices automatically.

Submission + - NSA's EternalBlue Exploit Ported to Windows 10 (threatpost.com)

msm1267 writes: EternalBlue, the NSA-developed attack used by criminals to spread WannaCry ransomware last month, has been ported to Windows 10 by security researchers.

The publicly available version of EternalBlue leaked by the ShadowBrokers targets only Windows XP and Windows 7 machines. Researchers at RiskSense who created the Windows 10 version of the attack were able to bypass mitigations introduced by Microsoft that thwart memory-based code-execution attacks.

These mitigations were introduced prior to a March security update from Microsoft, MS17-010, and any computer running Windows that has yet to install the patch is vulnerable.

Submission + - OneLogin Warns of Breach at U.S. Data Center

Trailrunner7 writes: Security firm OneLogin, which provides single sign-on and other identity and authentication products, has suffered a data breach that it says likely affects all of its customers served by its data center in the United States.

In an email sent to customers, the company said that customer data was possibly compromised, but it didn’t specify what kind of data was affected. OneLogin has pointed customers to a support page that instructs them on how to deal with the breach, including having users change their passwords, creating new certificates, and creating new OAuth tokens. The company has a wide range of customers, and its site lists a number of colleges, school systems, law firms, and technology companies among its enterprise customers.

Submission + - Bill Simmons says ESPN blew it by not embracing tech (cnbc.com)

An anonymous reader writes: ESPN's problem isn't competition over content: They didn't position themselves for a future where cord cutting was a reality, according to former ESPN personality Bill Simmons.

"They didn't see a lot of this coming," said Simmons. "They didn't see cord cutting coming. They weren't ready for it. A lot of decisions were made based on subs staying at a certain level. They had to realize they were a technology company. The ones winning are now Facebook, Twitter, Amazon, Hulu. ESPN should have been in that mix, but they're in Bristol. They should have had a place in Silicon Valley. That was their biggest mistake."

ESPN is far from over, Simmons points out. Though it may make less money in the future, it has such strong cable deals, he said.

"Everybody in here was paying $7 for ESPN whether they watched or not," he said.

Simmons left ESPN in May 2015 after a public breakup, and signed a deal for an HBO series called "Any Given Wednesday" shortly after. The HBO show was cancelled in November 2016. Simmons also launched a new website called The Ringer in 2016, which now has an advertising sales partnership deal with Vox Media.

Submission + - Ringless Voicemails May Become the New Robocalls

Trailrunner7 writes: Federal regulators are working on various methods to block robocalls, both to landlines and to mobile phones, with varying degrees of success. As those technologies make their way into the marketplace, some companies now are looking for clearance from the FCC to deliver their messages directly to customers’ voicemails without ringing their phones.

The commission is considering a petition from a company called All About the Message to “declare that the delivery of a voice message directly to a voicemail box does not constitute a call that is subject to the prohibitions on the use of an automatic telephone dialing system (‘ATDS’) or an artificial or prerecorded voice”. If the FCC approves the petition, it would mean that companies such as AATM would have the legal ability to push commercial or political messages to phone subscribers. The petition essentially asks the FCC to declare that these messages don’t constitute calls as defined by the commission, exempting them from the rules that govern robocalls and auto-dialers.

Submission + - Proposed Active-Defense Bill Would Allow Destruction of Data, Use of Beacon Tech

Trailrunner7 writes: A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker’s machine.

After releasing an initial draft of the bill in March, Rep. Tom Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker.

“The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion,” the bill says.

Submission + - WannaCry Author Speaks Chinese and English (threatpost.com)

msm1267 writes: The WannaCry ransom note was likely written by Chinese- and English-speaking authors, adding more intrigue to the investigation into whether it was indeed a North Korean APT using stolen NSA exploits to spread ransomware worldwide.

Analysts at Flashpoint, including some fluent in Chinese, said the Simplified and Traditional Chinese notes differ significantly from the others and that they were likely the original notes. The English note was then the source note for the remaining translations and was flushed through Google Translate to create them.

Many of the notes, Flashpoint director of Asia-Pacific research Jon Condra said, contained glaring grammatical errors that a native would not make. Ironically, the version of the note written in Korean was among the most poorly translated.

“It was interesting to us and we were kind of shocked after hearing the links to the Lazarus group that the Korean note was so badly translated,” Condra said. “That could be intentional, or maybe the person who wrote it didn’t speak Korean.”

Condra said the analyst who looked at it said it was about 65 percent correct and there were some basic mistakes made in the translation.

Submission + - WannaCry is the Ransomware We Deserve

Trailrunner7 writes: We knew this was coming. We’ve known for years that a ransomware attack on the scale of WannaCry was not just possible, but probable. What we didn’t know was that when it came it would involve a vulnerability discovered by the NSA, an exploit developed by the NSA, and a backdoor written by the NSA.

But that’s where we are in 2017.

We’re dealing with a ransomware worm, possibly unleashed by a foreign government, that uses exploit code lifted from a tool dump stolen from the NSA. Allegedly. It’s a weird, hall-of-mirrors kind of story, and it’s looking more and more like a harbinger of things to come as we move deeper into the era of cyber espionage. WannaCry is very, very bad. It’s the most effective ransomware campaign we’ve seen to date. And it’s probably not over yet. There’s likely another variant or two in the works that don’t include the kill switch domains that researchers have used to limit its spread this week and that will cause a fresh wave of infections.

Submission + - Experts: WannaCry Kill Switches Just a Temporary Fix

Trailrunner7 writes: While security researchers have had some success in preventing the WannaCry ransomware campaign from becoming a true epidemic with the use of kill switches hidden in the malware’s code, experts say those are just temporary solutions that may not last much longer.

Each of the variants of WannaCry that have emerged so far has a domain hidden inside of it that the malware tries to contact once it infects a new machine. If the connection succeeds, the malware stops the infection routine, so researchers have registered the domains and prevented broader infections.

But those kill switches are essentially the only things standing between vulnerable machines and a huge wave of WannaCry infections. Although Microsoft released a patch in March for the vulnerability that the ransomware uses to infect new machines, there are plenty of PCs that haven’t been patched yet. Researchers say a new version of the malware without a kill switch could be brutally effective.

“We got incredibly lucky that was even involved in the creation of the malware,” Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, said Wednesday.

“It actually means that we’ve barely bought a little time. If another version comes out without this, we’re going to have a very, very serious problem because there won’t be an easy way to slap a band aid on this.”
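The kill-switch mechanism described in this post has a useful side effect for defenders: the malware resolves the domain as its first act on a newly infected machine, so resolver logs identify every host on which it has already executed, whether or not the sinkhole then stopped it from spreading. The following added example (written for this page, not code from the researchers quoted) runs that detection over constructed DNS query-log lines. The domain names ending in .invalid are hypothetical placeholders, since the page does not give the real kill-switch domains, and the log format is a constructed one; adapt the regular expression to your resolver's actual query log.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Hypothetical kill-switch domains; substitute the real ones from threat intel.
KILLSWITCH_DOMAINS: Set[str] = {
    "killswitch-variant-a.invalid",
    "killswitch-variant-b.invalid",
}

# Constructed resolver log format: "<ISO timestamp> <client_ip> <qtype> <qname>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def normalize_domain(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def parse_query_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn raw log lines into records, skipping anything that is not a query."""
    records = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["qname"] = normalize_domain(rec["qname"])
        records.append(rec)
    return records


def flag_killswitch_queries(records: Iterable[Dict[str, str]],
                            killswitch_domains: Set[str] = KILLSWITCH_DOMAINS) -> Dict[str, List[str]]:
    """Map each client that resolved a kill-switch domain to the times it did so.

    The lookup is made by the malware after it has already run on the client; a
    successful lookup only stops further spreading. Every host returned here
    executed the payload and needs patching and triage, sinkhole or not.
    """
    wanted = {normalize_domain(d) for d in killswitch_domains}
    hits: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        if rec["qname"] in wanted:
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


# Constructed sample log lines for the example.
SAMPLE_LOG = """
2017-05-13T10:01:02Z 10.0.4.17 A killswitch-variant-a.invalid
2017-05-13T10:01:03Z 10.0.4.17 A www.example.com
2017-05-13T10:02:41Z 10.0.9.3 A KillSwitch-Variant-B.invalid.
2017-05-13T10:02:45Z 10.0.12.8 AAAA updates.example.net
this line is not a query record
2017-05-13T10:05:10Z 10.0.4.17 A killswitch-variant-a.invalid
""".strip().splitlines()


if __name__ == "__main__":
    hits = flag_killswitch_queries(parse_query_log(SAMPLE_LOG))
    for client, times in sorted(hits.items()):
        print(f"{client}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

Matching on the normalized name rather than on the raw line is what catches the mixed-case and trailing-dot variants in the sample; on a real resolver, also check hosts that never completed the lookup (NXDOMAIN or blocked egress), since for them the kill switch did not fire at all.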
