Page 22 of 27 (results 526 to 550 of 668)
  1. #526 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Keylogger campaign infects 2,000 WordPress sites
    Monday, January 29, 2018

    Security researchers have discovered over 2,000 WordPress sites —possibly more— infected with a keylogger that's being loaded on the WordPress backend login page and a crypto jacking script (in-browser cryptocurrency miner) on their frontends.


    Researchers at Sucuri who made the discovery said the recent campaign is tied to threat actors behind a December 2017 campaign. Both incidents used a keylogger/cryptocurrency malware called cloudflare[.]solutions. The name is derived from the domain used to serve up the malicious scripts in the first campaign, cloudflare[.]solutions.


    Cloudflare[.]solutions is in no way related to network management and security firm Cloudflare.


    The attack is quite simple. Miscreants find unsecured WordPress sites —usually running older WordPress versions or older themes and plugins— and use exploits for those sites to inject malicious code into the CMS' source code.


    Attackers use injection scripts on WordPress sites with weak or outdated security. “The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file,” Sinegubko wrote.


    HTML is obfuscated to include JavaScript code, such as “googleanalytics.js”, that loads the malicious “startGoogleAnalytics” script from the attackers’ domains.


    The malicious code includes two parts. For the admin login page, the code loads a keylogger hosted on a third-party domain. For the site's frontend, crooks load the Coinhive in-browser miner and mine Monero using the CPUs of people visiting the site.


    “While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” wrote Denis Sinegubko, a senior malware researcher at Sucuri who authored the research blog this week.


    For the late-2017 campaign, crooks loaded their keylogger from the "cloudflare.solutions" domain. Those attacks affected nearly 5,500 WordPress sites but were stopped on December 8 when the registrar took down the miscreants' domain.


    Keylogger campaign infects 2,000 WordPress sites - E Hacking News
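The article names the two places the injected loader lands (the wp_posts table and the theme's functions.php) and the domains it was served from. The script below is an added triage example, not code from Sucuri or from the post: it scans post content and theme PHP for script references that point off-site, reports any host not on the site's own allow-list, and marks hosts matching the campaign domains quoted above. The sample rows, the allow-list, the PHP snippet and the file name SAMPLE.js are all constructed.

```python
"""Triage scan for externally hosted <script> tags in WordPress content.

Added example for the article above, not code from Sucuri or the poster. It
looks in the two places the article names, wp_posts rows and the theme's
functions.php, for script references that point off-site, and marks hosts that
match the campaign domains quoted in the article. All sample rows, hosts and
file paths below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article (written without the defanging brackets so they
# match real markup). Subdomains are matched too.
CAMPAIGN_DOMAINS = ("cloudflare.solutions", "cdjs.online")

# Script references, case-insensitive. Two regexes complement the HTML parser:
# PHP files wrap markup in strings, and <?php ... ?> blocks confuse HTMLParser.
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
JS_URL_RE = re.compile(r"""https?://[^\s'"<>()]+\.js\b""", re.I)


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def host_of(reference):
    """Host part of a script reference; '' for relative paths like /wp-includes/x.js."""
    return urlparse(reference).hostname or ""


def script_references(text):
    """Every script src / JS URL found in an HTML fragment or a PHP source file."""
    collector = _ScriptSrcCollector()
    collector.feed(text)
    refs = set(collector.srcs)
    refs.update(SCRIPT_SRC_RE.findall(text))
    refs.update(JS_URL_RE.findall(text))
    return refs


def is_campaign_host(host):
    """True for the article's campaign domains and their subdomains."""
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)


def suspicious_hosts(text, allowed_hosts):
    """Off-site script hosts that are not on the site's own allow-list, sorted."""
    hosts = {host_of(ref) for ref in script_references(text)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)


def scan_posts(rows, allowed_hosts):
    """rows: dicts carrying the wp_posts columns ID and post_content.

    Returns (post ID, host, matches_known_campaign) for every suspicious host.
    """
    findings = []
    for row in rows:
        for host in suspicious_hosts(row["post_content"], allowed_hosts):
            findings.append((row["ID"], host, is_campaign_host(host)))
    return findings


# Constructed sample data: one clean post, one carrying a lookalike
# "googleanalytics.js" from a campaign domain, one using an allow-listed CDN.
ALLOWED_HOSTS = {"blog.example.test", "static.example-cdn.test"}
SAMPLE_POSTS = [
    {"ID": 1, "post_content": '<p>Hello</p><script src="/wp-includes/js/jquery/jquery.js"></script>'},
    {"ID": 2, "post_content": '<p>News</p><script type="text/javascript" '
                              'src="https://cdjs.online/googleanalytics.js"></script>'},
    {"ID": 3, "post_content": '<script src="//static.example-cdn.test/app.js"></script>'},
]
SAMPLE_FUNCTIONS_PHP = """<?php
// constructed theme file: a hook that prints an off-site script tag
add_action('wp_head', function () {
    echo '<script src="https://cloudflare.solutions/SAMPLE.js"></script>';
});
"""

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS, ALLOWED_HOSTS):
        print("wp_posts ID %d loads script from %s (known campaign: %s)" % finding)
    for host in suspicious_hosts(SAMPLE_FUNCTIONS_PHP, ALLOWED_HOSTS):
        print("functions.php loads script from %s (known campaign: %s)" % (host, is_campaign_host(host)))
```

Feed it the rows from `SELECT ID, post_content FROM wp_posts` and the text of every theme file; anything reported that is not your own CDN deserves a look, whether or not it matches the two domains from this campaign, since the operators changed domains between the December and January waves.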

  2. #527 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Microsoft Issues Out-of-Band Fix for Intel’s Broken Spectre Patch
    Infosecurity

    Microsoft has been forced to issue an out-of-band patch to fix problems caused by a buggy Intel update for one of the Spectre vulnerabilities disclosed earlier this month.
    The Redmond fix (KB4078130) was issued over the weekend and disables the mitigation for the branch target injection vulnerability CVE-2017-5715.
    The fix covers Windows 7 (SP1), Windows 8.1 and all versions of Windows 10, for client and server.
    Intel first reported “reboot issues” for Broadwell and Haswell platforms on January 11.
    Last week it claimed to be making good progress on fixing the problem, and recommended that in the meantime “OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.”
    The chip giant then claimed during its fourth quarter financials that the ‘fix’ may also lead to “data loss or corruption.”
    Microsoft agreed, but said its new out-of-band update reverses the problem. It can be applied by downloading from the Microsoft Update Catalog website or – for advanced users – via registry setting changes.
    Microsoft added:
    “As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE-2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.”
    This is the second unscheduled fix Redmond has been forced to issue since the Spectre and Meltdown flaws were made public at the start of the year.
    The previous one was issued in the first week of January to address the Meltdown vulnerability, but itself ended up causing problems for customers because of compatibility issues with some AV tools. These caused blue screen (BSOD) errors for some customers.

    https://www.infosecurity-magazine.co...nd-fix-intels/


  3. #528 david44 (POTUS HOCUS; joined Aug 2011; Inner Wrongholia; 13,605 posts)
    https://www.economist.com/blogs/gull...8/01/free-bird full post in news for those unable to open link

  4. #529 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    TechRadar says the best free antimalware of 2018 is Bitdefender.

    It does seem to have an impressive feature set for a freebie.

    Details here:
    The best free anti-malware software 2018 | TechRadar

  5. #530 pseudolus (Veni vidi fugi; joined Jan 2012; 16,414 posts)
    I used it for a while, but changed again. Can't precisely remember why but irritating "please upgrade" pop ups all the time seems to ring a bell.

  6. #531 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Quote Originally Posted by pseudolus:
    I used it for a while, but changed again. Can't precisely remember why but irritating "please upgrade" pop ups all the time seems to ring a bell.
    Well, all the free ones tend to do that... they want your subscription.

  7. #532 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Last year, attackers linked to the Russian hacking group APT28 (sometimes called Fancy Bear) started hacking like it’s 1999 with Microsoft Word-based malware that doesn’t trigger security warnings along the way. These types of attacks are called “macro-less malware” because they bypass the security warnings added to Microsoft Office programs in response to traditional macro malware like the Melissa virus at the end of the 20th century.

    In a November 2017 analysis, security giant McAfee noted one APT28 campaign that used a combination of phishing and macro-less malware to drop spyware onto victim computers.

    Macro-less malware exploits a Microsoft protocol called Dynamic Data Exchange (DDE) to run malicious code within Microsoft Office documents. DDE has its legitimate uses too, mainly to share data between applications. In this case, attackers can use DDE to launch other applications, like PowerShell, and execute malicious code.


    These new DDE attacks still require some amount of user interaction, just like traditional Office macro attacks. In order for the malicious DDE code to execute, the attacker must convince the victim to disable Protected Mode and click through at least one additional prompt. Where they differ from traditional Office macro attacks though, is how the prompts are framed to the user.


    With Microsoft Office 2003 and later, Microsoft changed macro warning prompts to highlight their security implications, using yellow shields and prominent “Security Warning” messages. DDE execution prompts however, are simple grey boxes, sometimes with no mention of security, that ask users “This document contains links that may refer to other files. Do you want to update this document with the data from the linked file?” In other words, DDE is now handled similarly to how traditional macros were handled 20 years ago back in Office ’97. New attack method, but the same user interaction.


    Both traditional macro malware and macro-less malware have the same end result – they allow attackers to leverage the Microsoft Windows scripting engine to download and execute malicious payloads. While macros can embed Visual Basic code directly into a Word document, DDE must launch a separate application, like PowerShell, to perform complex tasks like downloading and executing malware.


    So why are attackers doing this? Macro-less malware attacks are successful for the same reason that macro malware has stuck around for over 20 years. A large number of end users simply do not read pop up prompts before clicking “yes.” Attackers often increase their chances of successfully infecting their targets by using social engineering tactics like explicit instructions to accept all prompts in order to “view the important message.” Bad actors are notorious for recycling anything that works, so it’s common for malicious tactics like this to resurface in different forms time and time again.


    Luckily, there are steps you can take to protect yourself. In the wake of the APT28 attacks, Microsoft published a security advisory with instructions for enabling DDE controls to disable the protocol entirely. Many advanced malware sandboxing solutions can detect DDE-based malware and stop it from ever entering your network. Most importantly though, end users need to be trained to spot phishing attacks and the social engineering tricks that attackers use to trick their victims into clicking through DDE prompts.


    Microsoft has already started to improve Office’s handling of macro-less malware by adding several behind-the-scenes controls to stop malicious DDE code in its tracks. It likely won’t be long until Microsoft improves their DDE security prompts to provide better guidance to would-be victims. But, these prominent security warnings have failed to end macro malware, which means both types of attacks are still something to watch out for in the future. As always, when in doubt, don’t click on anything you don’t understand or expect.

    https://www.helpnetsecurity.com/2018/02/05/macro-less-malware/
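The article describes DDE fields as the vehicle but not how a defender would spot one before a user ever sees the grey "update links" prompt. The script below is an added example, not code from the article, from WatchGuard or from Microsoft: it opens a .docx, pulls every field instruction out of word/document.xml, and reports the ones that invoke DDE or DDEAUTO. The detail worth knowing is that Word splits one field instruction across several `<w:instrText>` runs, so a naive search for the literal "DDEAUTO" in one run misses it; the code joins the runs between a field's begin and end markers (handling nested fields with a stack) before matching. Both sample documents are constructed in memory and the DDE one carries placeholder arguments rather than a real command.

```python
"""Triage check for DDE field codes in .docx files.

Added example, not code from the article or from Microsoft. Word keeps field
instructions in <w:instrText> runs of word/document.xml, and one instruction is
often split across several runs, so this joins the runs between a field's
'begin' and 'end' <w:fldChar> markers (nested fields included) before matching.
The sample documents are constructed in memory with placeholder arguments.
"""
import io
import re
import xml.etree.ElementTree as ET  # swap for defusedxml when parsing untrusted files
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)


def field_instructions(docx_bytes):
    """Every field instruction in word/document.xml, one string per field."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    instructions = []
    open_fields = []  # stack of run buffers; nesting happens with QUOTE { ... }
    for el in root.iter():
        if el.tag == W + "fldSimple":            # single-element field form
            instructions.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":            # complex field: begin/separate/end
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                instructions.append("".join(open_fields.pop()))
        elif el.tag == W + "instrText" and open_fields:
            open_fields[-1].append(el.text or "")
    return instructions


def dde_fields(docx_bytes):
    """Instructions that invoke DDE or DDEAUTO, with whitespace collapsed."""
    hits = []
    for instr in field_instructions(docx_bytes):
        normalized = " ".join(instr.split())
        if DDE_RE.search(normalized):
            hits.append(normalized)
    return hits


# --- constructed samples ---------------------------------------------------

def build_docx(body_xml):
    """Minimal .docx: a zip with just word/document.xml (real files carry more parts)."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


def text_run(text):
    return "<w:r><w:t>%s</w:t></w:r>" % text


def complex_field(*instr_parts):
    """A begin/separate/end field whose instruction is split over several runs."""
    runs = ['<w:r><w:fldChar w:fldCharType="begin"/></w:r>']
    runs += ['<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % p
             for p in instr_parts]
    runs += ['<w:r><w:fldChar w:fldCharType="separate"/></w:r>',
             text_run("field result"),
             '<w:r><w:fldChar w:fldCharType="end"/></w:r>']
    return "".join(runs)


BENIGN_DOCX = build_docx(
    "<w:p>" + text_run("Quarterly report") + complex_field(' DATE \\@ "d MMMM yyyy" ') + "</w:p>")
# Placeholder application and arguments; only the field type matters for detection.
DDE_DOCX = build_docx(
    "<w:p>" + text_run("Please update links.")
    + complex_field(" DDE", "AUTO ", "PLACEHOLDER_APP ", '"PLACEHOLDER_ARGS" ') + "</w:p>")

if __name__ == "__main__":
    for name, blob in (("benign.docx", BENIGN_DOCX), ("dde.docx", DDE_DOCX)):
        print(name, dde_fields(blob) or "no DDE fields")
```

On the mitigation side, the advisory the article refers to is Microsoft's ADV170021 (December 2017), which documents the AllowDDE registry value under HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security; a value of 0 turns DDE off in Word, which is the "disable the protocol entirely" option mentioned above. The parser here is for mail-gateway or sandbox triage; use defusedxml rather than the standard library parser on documents you do not trust.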

  8. #533 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Flaw in Grammarly’s extensions opened user accounts to compromise

    A vulnerability in the Grammarly Chrome and Firefox extensions allowed websites to read users’ authentication tokens and use them to log in to the users’ Grammarly accounts and access all the (potentially sensitive) information held in them.
    The vulnerability was discovered by Google Project Zero researcher Tavis Ormandy, who reported it to Grammarly on Friday.
    “I’m calling this a high severity bug because it seems like a pretty severe violation of user expectations. Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites,” Ormandy noted.
    He also provided proof-of-concept code for triggering the bug.
    By Monday, the company pushed out a new version of the popular extension, with the hole plugged.
    “At this time, Grammarly has no evidence that any user information was compromised by this issue. The bug potentially affected text saved in the Grammarly Editor,” the company stated on Tuesday.
    “This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension. The bug is fixed, and there is no action required by our users. We’re continuing to monitor actively for any unusual activity.”
    Ormandy praised the company’s swiftness in responding to the report and issuing the fix.
    “I’ve verified that Mozilla now also has the update, so users should be auto-updated to the fixed version,” he noted.
    The vulnerable Chrome extension has been downloaded by over 10 million users. The Firefox Grammarly extension has over 600,000 users.

    https://www.helpnetsecurity.com/2018...vulnerability/

  9. #534 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Once again, the record has been broken for both the most breaches and the most data compromised in a year. There were 5,207 breaches recorded last year, surpassing 2015’s previous high mark by nearly 20%, according to the 2017 Data Breach QuickView Report by Risk Based Security.

    The number of records compromised also surpassed all other years with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion.

    “The level of breach activity this year was disheartening”, commented Inga Goddijn, Executive VP for Risk Based Security. “We knew things were off to a bad start once the phishing season for W-2 data kicked into high gear. But by the time April 18th came and went, breach disclosures leveled off and we went into summer hopeful the worst was behind us. Unfortunately, that wasn’t the case.”

    Record number of exposed records

    In addition to the number of breaches and amount of data lost, 2017 stood out for another reason. For the past eight years, hacking has exposed more records than any other breach type. In 2017, breach type Web – which is largely comprised of accidentally exposing sensitive data to the Internet – took over the top spot compromising 68.8% or 5.4 billion records.

    Hacking still remained the leading breach type, accounting for 55% of reported incidents, but its impact on records exposed fell to the number two spot, with 2.3 billion records compromised. For the first time since 2008, inadvertent data exposure and other data mishandling errors caused more data loss than malicious intrusion into networks.


    “We’re seeing a lot of interest in calling out organizations that mishandle sensitive data”, said Ms Goddijn. “Several of the security researchers that are actively engaged in searching for exposed datasets are no longer willing to keep their findings confidential. Likewise, more individuals are calling out breaches when they discover their own data is exposed.”

    Aetna breach

    A prime example of this is the August breach impacting 11,887 Aetna members. An unnamed mail processing vendor working for Aetna sent letters to HIV patients, informing them of changes to the prescription fulfillment process. Unfortunately the letter shop used envelopes with an especially large glassine window, exposing highly sensitive HIV status information.

    The breach was brought to light by a letter recipient – triggering both civil lawsuits and an investigation by the New York Attorney General and ending with Aetna agreeing to pay $18.3 million in order to settle the various proceedings. While this is an extreme example, 2017 saw many other situations where customers, clients and unrelated third parties discovered the problem and chose to take action.

    Types of breaches

    Comparing the number of breaches discovered internally to the number of breaches found by outsiders highlights one dynamic behind the trend. Of the 3,904 breaches with a confirmed discovery method, only 728 or 18.6%, were discovered by the organization responsible for protecting the data.

    The remaining 3,176 were found by law enforcement, external fraud detection or monitoring, customers, or unrelated parties including disclosure by the malicious actors themselves. While there is not a direct correlation between discovery method and interest in publicizing breach activity, this data does show that the majority of breaches still go undetected by the compromised organization.

    https://www.helpnetsecurity.com/2018...activity-2017/

  10. #535 Latindancer (Valve Master; joined Mar 2010; Australia; 10,680 posts)
    One of the world’s most popular free VPN services is leaking sensitive data on its users, a security researcher has claimed.

    A flaw in Hotspot Shield, which boasts more than 500 million users, leaks information such as what country a user is located in and the name of their Wi-Fi network.

    https://tech.thaivisa.com/worlds-lea..._campaign=news

  11. #536 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    If you find yourself hit with something like this, just open Task Manager and kill Chrome. And then stay away from the offending site.

    A New Trick discovered to block Visitors and Scare Non-Technical Users into Paying for Unneeded Software and Servicing Fees
    E Hacking News - Latest Hacker News and IT Security News, by Medha


    The administrators of some technical support scam websites have discovered a new trick to block visitors on their shady sites and scare non-technical users into paying for unneeded programming or overhauling charges.


    The trick depends on utilizing JavaScript code stacked on these vindictive pages to start thousands of file download tasks that rapidly take up the client/user's memory assets, solidifying or (freezing more likely) Chrome on the con scammer's webpage.


    The trap is intended to drive the already panicked clients into calling one of the technical support telephone numbers that appear on the screen. A GIF of one of these noxious locales freezing a Chrome program running the most recent rendition (64.0.3282.140) is implanted underneath.

    A New Trick discovered to block Visitors and Scare Non-Technical Users into Paying for Unneeded Software and Servicing Fees - E Hacking News

  12. #537 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Quote Originally Posted by Latindancer:
    One of the world’s most popular free VPN services is leaking sensitive data on its users, a security researcher has claimed.

    A flaw in Hotspot Shield, which boasts more than 500 million users, leaks information such as what country a user is located in and the name of their Wi-Fi network.

    https://tech.thaivisa.com/worlds-lea..._campaign=news

    It's worse than that describes, but I'd expect that from those Thaivisa mongs.

    According to the entry for the vulnerability (CVE-2018-6460) in the National Vulnerability Database, Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895, and the web server uses JSONP and hosts sensitive information including configuration.
    But user-controlled input is not sufficiently filtered: “An unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.”
    According to researcher Paulos Yibelo, who discovered the flaw, the attacker can also extract information such as the users’ country code and Wi-Fi network name, if the user is connected to one.
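The NVD text quoted above boils down to a design problem rather than a single missing filter: a web server on 127.0.0.1 that answers with JSONP hands its data to whichever origin asked, because a `<script src="http://127.0.0.1:895/...">` tag works from any web page and its response is executable script. The code below is an added example, not Hotspot Shield's code or anything from the post; it shows the vulnerable pattern (the caller's `func` echoed around the JSON, so the `$_APPLOG.Rfunc` value from the post becomes the callback) next to a hardened local endpoint that drops JSONP, returns plain JSON and requires a bearer token that only the vendor's own client holds. The status payload, the token and the response headers are constructed.

```python
"""Vulnerable and hardened handling of a local status endpoint.

Added example, not Hotspot Shield's code. It models the pattern the NVD entry
describes: a web server on 127.0.0.1 that wraps sensitive status data in a
caller-supplied JSONP callback name. The /status.js path and the 'func'
parameter are quoted from the post; the status payload, token and headers are
constructed.
"""
import json
import re
from urllib.parse import parse_qs

# Constructed stand-in for the status the local service exposes.
SAMPLE_STATUS = {"vpn_connected": True, "country": "XX", "wifi_ssid": "constructed-ssid"}

# Plain identifier only: no '.', '[', '(' or '$', so a callback can never be an
# arbitrary member expression like the one quoted in the post.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def is_safe_callback(func):
    """Defence in depth if JSONP must be kept: accept only a bare identifier."""
    return bool(CALLBACK_RE.match(func))


def status_jsonp_unsafe(query):
    """The vulnerable pattern: echo 'func' verbatim around the JSON.

    Because the body is script, a <script src="http://127.0.0.1:895/status.js?func=...">
    tag on any web page the user visits receives the data in its own callback.
    Returns (status, headers, body).
    """
    func = parse_qs(query).get("func", ["callback"])[0]
    body = "%s(%s);" % (func, json.dumps(SAMPLE_STATUS))
    return 200, {"Content-Type": "application/javascript"}, body


# Constructed per-install secret that only the legitimate client UI knows.
LOCAL_API_TOKEN = "constructed-random-token"


def status_json_hardened(query, request_headers):
    """Hardened design: no JSONP, plain JSON, bearer token required.

    - A <script> tag or an HTML form cannot add an Authorization header, so those
      requests get 401 and an empty body.
    - fetch() with the header triggers a CORS preflight; no Access-Control-Allow-Origin
      is ever sent, so browsers refuse to hand the response to a foreign origin.
    - 'func' is rejected outright and nosniff stops the body being run as a script.
    Returns (status, headers, body).
    """
    common = {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}
    if request_headers.get("Authorization") != "Bearer " + LOCAL_API_TOKEN:
        return 401, common, ""
    if "func" in parse_qs(query):
        return 400, common, json.dumps({"error": "JSONP is not supported"})
    return 200, common, json.dumps(SAMPLE_STATUS)


if __name__ == "__main__":
    # The exact parameter value from the post against both handlers.
    print(status_jsonp_unsafe("func=$_APPLOG.Rfunc")[2])
    print(status_json_hardened("func=$_APPLOG.Rfunc", {}))
    print(status_json_hardened("", {"Authorization": "Bearer " + LOCAL_API_TOKEN}))
```

The identifier check on its own would only have changed which callback name the page could use; what closes the hole is that a cross-origin page can no longer obtain a readable response at all. Binding to 127.0.0.1 is not an access control in a world where the browser sits on the same host.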

  13. #538 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Meanwhile, on with the show....

    Swiss telecoms giant Swisscom has admitted suffering a data breach late last year which exposed the personal details of around 800,000 customers to unauthorized parties.
    The company, which is majority-owned by the government, claimed that the intruders accessed the data via a sales partner last Autumn.
    Most of those affected were mobile customers, although a “few” fixed network subscribers were also hit. The number of breached customers represents around 10% of the entire population of Switzerland.
    Customers’ names, addresses, telephone numbers and dates of birth were compromised. Although Swisscom maintained this data is “non-sensitive” it would be enough to give fraudsters a useful start to help craft convincing follow-on phishing attacks.
    That said, the firm has claimed no such activity has affected customers as yet.
    “Swisscom discovered the incident during a routine check of operational activities and made it the subject of an in-depth internal investigation,” the company continued.
    “Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident. Rigorous long-established security mechanisms are already in place in this case.”
    After discovering the incident, Swisscom said it blocked the offending partner’s access rights immediately. It promised to introduce two-factor authentication for all sales partners this year, put in place systems to raise the alarm in the case of any unusual activity and make it impossible to run high-volume queries for all customer info.
    Ilia Kolochenko, CEO of High-Tech Bridge, argued that security exposure via partners is still a widely unacknowledged problem.
    “Many large financial institutions and e-commerce businesses have lost millions of records because of hacked third-parties. Cyber-criminals won't assault the castle, but will instead find a weak supplier with legitimate access to the crown jewels,” he explained.
    “However, the good news is that we see more and more companies who rigorously implement, for example, vendor risk assessment policies now, to prevent such risks. Swisscom's efforts to mitigate and investigate the breach are laudable, but they won't really help the victims.”

  14. #539 harrybarracuda (Member; joined Sep 2009; 52,912 posts)
    Inside North Korea’s Hacker Army

    The regime in Pyongyang has sent hundreds of programmers to other countries. Their mission: Make money by any means necessary. Here's what their lives are like.

    In most respects, Jong Hyok looks like any other middle-aged male tech worker you might see on the skyscraper-shadowed streets of Seoul’s Gangnam district: smartphone in hand, dark-blue winter coat over a casual, open-collared work shirt. Sit him down at a sushi restaurant and start asking him questions, though, and you soon sense that Jong is harboring an extraordinary tale. He slouches, staring intently at the table before him and speaking haltingly, his sentences often trailing away unfinished.


    Jong tells you he’s in his late 30s, but his tired eyes and wizened skin make him look a decade older. He says he’s concerned that you’ll be indiscreet with details that could expose him or his family. You wonder momentarily if he suspects you’re a North Korean spy. But no, you’re here to relate the remarkable story of his years spent cracking computer networks and programs to raise money for the regime in Pyongyang.


    North Korea’s hacking prowess is almost as feared globally as its nuclear arsenal. Last May the country was responsible for an internet scourge called WannaCry, which for a few days infected and encrypted computers around the world, demanding that organizations pay ransom in Bitcoin to unlock their data. A few years before that, North Korea stole and published the private correspondence of executives at Sony Pictures Entertainment, which had produced a Seth Rogen satire of the country called The Interview.


    Jong wasn’t involved in those attacks, but for half a decade before defecting, he was a foot soldier in North Korea’s hacker army. Unlike their counterparts elsewhere, who might seek to expose security vulnerabilities, steal corporate and state secrets, or simply sow chaos, North Korean hackers have a singular purpose: to earn money for the country, currently squeezed by harsh international sanctions for its rogue nuclear program. For most of the time Jong spent as part of this brigade he lived and worked in a crowded three-story home in a northeastern Chinese city. The hackers he shared it with were required to earn up to $100,000 a year, through whatever means they could, and were allowed to keep less than 10 percent of that. If they stepped out of line, the consequences could be severe.


    Experts in the South Korean government say that over the years, North Korea has sent hundreds of hackers into neighboring countries such as China, India, and Cambodia, where they’ve raised hundreds of millions of dollars. But actually finding one of these cyberwarriors is, for obvious reasons, difficult. Sources in South Korea’s government and the North Korean defector community provided Bloomberg Businessweek with the name of someone who has deep knowledge of the latter group—a fixer of sorts. This contact, a middle-aged man who chose his words with painstaking deliberation, asked that his name not be used. After several meetings, he offered the phone numbers of three contacts, requesting that Businessweek shield their identities. Jong—which is not his real name—was one of them.


    For decades, North Korea’s government has sought to use modern technology to transform one of the most isolated, impoverished parts of the world. During the 1990s, Kim Jong Il, the father of current leader Kim Jong Un, touted programming as a way for the country to rebuild its economy after years of catastrophic famine. He established technology degrees at Pyongyang’s universities and attended annual software-writing contests to put gold watches on the wrists of winners.


    Reports from Korea watchers suggest that, sometime in the back half of the decade, Kim Jong Il formed a cyber army designed to expand North Korea’s hacking activities. Initially the unit managed only random incursions, on targets like government websites and banking networks, but when Kim died in 2011, his son expanded the program. Soon it was launching attacks more consistently and on more important targets, such as nuclear plants, defense networks, and financial institutions.


    Formally, North Korea denies engaging in hacking and describes accusations to that effect as enemy propaganda. It says its overseas computer efforts are directed at promoting its antivirus software in the global market. The country has for more than a decade been working on such programs, including one called SiliVaccine. It also has a homegrown operating system, Red Star, that software developers have pointed out looks suspiciously like macOS. Kim Jong Un’s affinity for Apple products is well-known. In 2013, he was photographed sitting in front of an iMac during a meeting with military officials to discuss missile attacks on the U.S.; a picture released a few years later showed him with an Apple laptop on his private jet.


    Kim has also moved to make more smartphones available to North Korea’s 25 million citizens and begun rewarding computer scientists with nicer homes and higher salaries. And he’s sent increasing numbers of them into neighboring countries, where internet access is better and they can more easily hide their tracks. Defectors say programmers cross the border clutching bean paste, hot pepper paste, dried anchovy, and other comforts of home.


    “Elite programmers? No way. We were just a bunch of poor, low-paid laborers”


    Jong was part of an earlier wave sent by Kim Jong Il. Born in Pyongyang during the early 1980s, he was raised by parents who were faithful to the Workers’ Party of Korea and Kim Il Sung, North Korea’s founder, who led the party and is Kim Jong Un’s grandfather. Growing up, Jong heard tales of his own grandfather’s brave fight against Japan’s imperial army in Manchuria alongside Kim Il Sung during World War II.


    As a child, Jong’s favorite subject was biology, and he aspired to become a doctor. His parents were supportive, but the state determined from his test scores that he should study computer science. There was no questioning the decision. Heartbroken at first, he eventually became fascinated by the inner workings of computers, and in his junior year of university, in the late 1990s, he was selected by the government to study in China.


    The years he spent there were a revelation. A government minder accompanied each delegation, but Jong’s was lax, and he managed to go drinking, dancing, and camping with Chinese students. The biggest shock was having almost unlimited access to the internet. The computers back home were so strictly controlled that they were useful mostly for calculating figures or displaying diagrams. The ones in China showed Jong much more of the world. “I felt like a colt cut loose on the field,” he says.


    For a brief moment, North Korea seemed to be moving in a more open direction. During school breaks, Jong would return home to find that some of his wealthier friends owned personal computers. They played video games like Counter-Strike and watched DVDs of South Korean soap operas, which were becoming so easy to obtain that Jong almost believed unification was at hand. Soon, though, government authorities were storming homes to confiscate such material in a crackdown on the so-called yellow wind of capitalism.


    Jong graduated and returned home to get his master’s degree, for which he worked at a state agency, creating office software. The government was at the time investing in a variety of tech projects, including one that used power lines to transmit data. Once again, Jong glimpsed hope that the regime might see technology as a means for advancement, not just a threat.


    After graduation, he went to work for a state-affiliated software development agency. Before he could settle in, the government informed him that it had other plans. He was being moved to China, to conduct software research that would “brighten the future” of North Korea’s information technology sector.


    Jong knew exactly what that meant: Go make money for your country.


    Not long after, Jong crossed the border on foot and caught a bus to his assigned city. There, he made his way to a relatively large house set on a busy street amid a forest of high-rises. The place was owned by a Chinese tycoon with business ties to Pyongyang. Dozens of graduates from North Korea’s elite universities—all men—slept in cots and bunks on the top floor. A warren of cubicles and computers occupied the lower floors, and portraits of Kim Jong Il and Kim Il Sung hung on the walls.


    At first Jong didn’t have a computer, so he borrowed one from his roommates, promising to pay a rental fee once he’d made enough money to buy his own machine. He began his new career by obtaining beta versions of commercial software such as video games and security programs, then making pirate replicas his clients could sell online. Orders came in via word of mouth and broker websites from around the world; many were from China or South Korea, allowing for easier communication.


    Each unit was overseen by a “chief delegate,” a non-coder who arranged transactions and collected payments. A separate minder from North Korea’s state police was there to handle security issues. The work was arduous, involving reverse-engineering code and intercepting communications between the source program and the servers of the company that made it. Jong recalls that it took 20 programmers to build a functioning replica of one program. The hackers often found themselves racing to decipher vulnerabilities in a piece of software before its creators could patch the security holes.


    Jong got up to speed quickly and was soon considered a senior member of the house. When orders were slow, he and his colleagues hacked gambling sites, peeking at the cards of one player and selling the information to another. They created bots that could roam around in online games such as Lineage and Diablo, collecting digital items like weapons and clothes and scoring points to build up their characters. Then they’d sell the characters for nearly $100 a pop. Every so often, to maintain the facade that he was pursuing research to benefit North Korea, Jong would create scholarly software, for example a data-graphing program, and send it across the border.


    All in all, the work was unglamorous. “Elite programmers? No way. We were just a bunch of poor, low-paid laborers,” Jong recalls. He denies any complicity in the kinds of crimes that security experts have attributed in recent years to North Korea, such as snatching credit card numbers, installing ransomware on corporate servers, and swiping South Korean defense secrets. But he doesn’t doubt that such things were going on. “North Korea will do anything for money, even if that means asking you to steal,” he says.


    Any moral qualms that he or other programmers might have felt were subordinated by their mission. They had targets to meet—or else. Failing to clear a benchmark known as juk-bol-e (“enough to buy a bowl of soup”) could mean being sent home. More serious offenses, such as skimming profits or not showing sufficient fealty to the regime, could result not only in repatriation but “revolutionization,” hard labor at a factory or farm.


    On Saturdays the handlers, sometimes alongside visiting officials, would hold two-hour meetings with the units to discuss the philosophies of Kim Il Sung and Kim Jong Il, as well as any new ideological tenets dispensed by Kim Jong Un. Key statements would be memorized and recited in a loyalty pledge of sorts. A few times, Jong says, he dealt with two especially talented hackers who handled military espionage assignments, infiltrating the websites and servers of foreign countries. They were staunchly loyal to the regime, and he was particularly careful not to make any comments they might see as critical.


    Jong estimates that he was eventually bringing in around $100,000 a year. Because he and his cohorts were regarded as productive, they were allowed to live relatively well. They enjoyed air conditioning during the summer and ventured into the neighborhood in chaperoned groups. In their spare time they played Counter-Strike, sometimes sneaking down at night to their cubicles to catch up on South Korean soap operas. On Saturdays, after their indoctrination session, they might go outside to the sizable backyard to play soccer, badminton, or volleyball. Twice a year, they would meet with hacking units from across China to celebrate propaganda events such as the blossoming of Kimilsungia and Kimjongilia, orchids named for Kim Jong Un’s father and grandfather.


    Jong’s abilities also led him to be sent on trips elsewhere in China with North Korean officials. As he traveled, he got a view of how the hacker corps were organized and learned that not every unit was as lucky as his. Government agencies and state-affiliated corporations would each send their own units abroad to generate cash. All of their activities were planned and directed by a shadowy branch of the Workers’ Party called Office 91. The hacking units tended to keep in close touch with North Korea’s consulates, gathering there to drink, talk shop, and trade computer gear.




    One summer, Jong and some colleagues visited a cramped, run-down building in the northeastern city of Yanji. Living there were a dozen coders who’d been sent by North Korea’s railways ministry. They were trying to crack high-end software that analyzed live orchestral performances and wrote musical scores. It was the rainy season, and the men worked in shorts and relied on fans to combat the heat and humidity; water dripped from the ceiling.


    Stacked against one wall were packages of ramen. “Some hackers barely fed themselves and were just fortunate to have orders to work on,” Jong says. One of them was being treated for tuberculosis; another had required medical treatment after waking up with a cockroach lodged in his ear. But they weren’t getting the kind of care his crew would have received.


    Other programmers told Jong similarly gruesome stories. He heard about a young coder in Beijing, known for boasting of his elite education, whose colleagues had severely beaten him, shattering his ribs, after finding out he’d been receiving kimchi from a South Korean businessman. A hacker in Guangzhou was said to have died of dengue fever a year after leaving his home and children behind. The man’s boss apparently decided it would be too expensive to repatriate the body, so it was cremated and six months later another programmer took the ashes home. Hackers joked darkly that while they’d arrived as protein, they might return as powder.


    Finally, after he’d been working in China for a few years, Jong himself landed in trouble. He’s spare with the details, describing only an “unsavory incident” involving a government official. He fled before the regime could mete out the inevitable beating or trip home for revolutionization. For two years he roamed southern China, earning money by hacking, sleeping in hotels, and tasting the sort of freedom he’d previously only imagined. His last stop in the region was Shenzhen, near Hong Kong, where, after making $3,000 and quickly spending it in ways he vaguely describes as “enjoying life,” he realized he was tired.


    Returning home wasn’t an option—desertion could be punishable by death. Instead, Jong bought a fake Chinese passport for 10,000 yuan (about $1,600), traveled to Bangkok by train and bus, and knocked on the door of the South Korean embassy. He lived inside the compound for a month, undergoing a security check, before being flown to Seoul.


    The two other defectors I spoke with confirmed the broad contours of Jong’s story, though their own work was somewhat different from his. They were among a group of programmers that North Korea had deployed to China to develop and sell iPhone and Android applications. Using fake identities, they posted on freelancing websites such as Upwork.com and took jobs developing apps for taxi-hailing, online shopping, facial recognition—anything that generated money. They say they were required to make around $5,000 a month for the government, working up to 15 hours a day and operating under the same pressures and threats as Jong and his peers.


    One of the defectors, who worked under the auspices of a state agency called the Korea Computer Center, had long been cynical about his country; he’d come to hate bellowing out the loyalty oath to Kim Jong Un every Saturday and finally concluded that everything about the regime was a lie. He managed to escape when a Chinese client who liked his work asked to meet in person. He declined at first but changed his mind and wound up confessing that he was from North Korea. When he said he wanted out, the client offered to help.


    The other defector says that one day he simply snapped from overwork and left, roaming around China on foot in hopes of encountering one of the South Korean spies he’d been warned about before leaving home. For six days he slept inside greenhouses, gyms, any place with a roof, worrying the whole time that he’d made a huge mistake. It was already too late, though—if he went back he’d be punished. Finally, he found a shop whose sign indicated it was run by someone from South Korea. The shopkeeper was willing to help.


    Lim Jong In, head of the department of cyberdefense at Korea University in Seoul and a former special adviser to South Korea’s president, says that North Korea’s hacking strategy has evolved since Jong defected. At the program’s height, he says, well over a hundred businesses believed to be fronts for North Korean hacking were working in the Chinese border cities of Shenyang and Dandong alone. China has since cracked down on these operations in an effort to comply with United Nations sanctions, but they’ve simply been moved elsewhere, to countries such as Russia and Malaysia. Their value to the regime—and to the hackers themselves—is simply too high to forgo. “North Korea kills two birds with one stone by hacking: It shores up its security posture and generates hard currency,” Lim says. “For hackers it offers a fast track to a better life at home.”


    Jong is doing well for himself in Seoul. He blushes when congratulated for a promotion he recently received at a local software security company, saying he had to work especially hard for it. “I feel like my value as a programmer is discounted by half when I tell people I’m from North Korea,” he says. Others in the 30,000-odd defector community express similar frustrations about their outsider status; some display contempt for their adopted country’s concerns about appearances and money, and recall with pride their homeland’s penchant for bluntness.


    Still, there’s no going back. Jong is sometimes visited by South Korean and U.S. agents who ask him for details that might fill holes in ongoing investigations. The South Koreans ask about Office 91—what its hackers are like and what they’ve worked on in the past. The Americans recently inquired whether he knew anything about a four-story building in Pyongyang where Western-designed semiconductors are photographed and X-rayed for replication.


    At night, Jong returns home to a quiet life with his South Korean wife. Their baby son, he says, babbles happily and has just started to walk.


    https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army




  15. #540
    harrybarracuda
    If you have a Netgear, go into Admin and check for a firmware update.



    Wish you could log into someone's Netgear box without a password? Summon a &genie=1

    Get patching – there's this auth bypass and loads of other bugs

    By Iain Thomson in San Francisco 9 Feb 2018 at 00:34


    If you're using a Netgear router at home, it's time to get patching. The networking hardware maker has just released a tsunami of patches for a couple of dozen models of its kit.

    The flaws were found by Martin Rakhmanov at infosec shop Trustwave, which has spent over a year hunting down programming gremlins in Netgear's firmware.

    Software updates to address these uncovered vulnerabilities have now been released – you should ensure they are installed as soon as you can before scumbags and botnets start exploiting them to hijack broadband gateways and wireless points. Instructions on how to apply the fixes are included in the linked-to advisories.

    Some 17 Netgear routers have a remote authentication bypass, meaning malware or miscreants that are on your network, or that are able to reach the device's web-based configuration interface from the internet, can gain control without having to provide a password. Just stick &genie=1 in the URL, and bingo.

    That's pretty bad news for any vulnerable gateways with remote configuration access enabled, as anyone on the internet can exploit the cockup to take over the router, change its DNS settings, redirect browsers to malicious sites, and so on.
    Another 17 Netgear routers – with some crossover with the above issue – have a similar bug, in that the genie_restoring.cgi script, provided by the box's built-in web server, can be abused to extract files and passwords from its filesystem in flash storage – it can even be used to pull files from USB sticks plugged into the router.

    Other models have less severe problems that still need patching just in case. For example, after pressing the Wi-Fi Protected Setup button, six of Netgear's routers open up a two-minute window during which an attacker can potentially execute arbitrary code on the router as root over the air.

    "Trustwave SpiderLabs has worked with Netgear through our responsible disclosure process to make sure that these vulnerabilities are addressed," Trustwave's Rakhmanov said.

    "We'd also like to thank Netgear for their responsive and communicative product security incident response team. It's obvious that their participation in bug bounties has helped them improve their internal process for addressing issues like these." ®

    https://www.theregister.co.uk/2018/0...urity_patches/

  16. #541
    harrybarracuda
    Probably good practice, but will probably cause a few people to panic.

    But of course if you read this thread you won't bat an eyelid, because you'll know all about it.



    Google announced earlier today plans to mark all HTTP sites as "Not Secure" in Chrome, starting with July 2018, when the company plans to release Google Chrome 68.
    The company's decision comes after HTTPS adoption increased among website owners and a large chunk of today's traffic is now encrypted.
    Google said that more than 68% of Chrome traffic on both Android and Windows and over 78% of Chrome traffic on both Chrome OS and Mac, is now being sent via HTTPS.
    https://www.bleepingcomputer.com/new...ing-july-2018/

  17. #542
    harrybarracuda
    Handy if you want to stop your curiosity getting the better of you:


    If you ever come across a link in email or on a website, always hover your mouse cursor over it to see the destination URL at the bottom of the browser to ensure it’s safe. But, this trick doesn’t work with shortened URLs that are quite common these days on social media websites.

    However, this also doesn’t mean you have to facecheck every short URL and risk your security. There are multiple ways to check what’s behind a shortened URL without opening it. And in this post, I’ll show you how to do it on your PC and your smartphone.


    Use the built-in preview

    Most of the popular link shortening services let you preview the link by tweaking the shortened URL. Just memorize these simple tweaks, and for most short URLs you won’t have to depend on a third-party service. Below is the list of preview tweaks:

    TinyURL


    Add preview before the tinyurl.com part of the link. For example:
    convert https://tinyurl.com/2loblt to https://preview.tinyurl.com/2loblt


    Goo.gl

    Add + (plus sign) at the end of the original URL. For example, convert goo.gl/0WhZa7 into goo.gl/0WhZa7+.

    Bitly.com


    Similar to Goo.gl, add a + at the end of the URL.

    is.gd


    Add - (hyphen) at the end of the URL. For example, convert https://is.gd/1j6nkF into https://is.gd/1j6nkF-.

    Tiny.cc


    Add ~ (tilde) at the end of the URL.

    BudURL


    Add ? (question mark) at the end of the URL.

    Use an online service



    If you don’t deal with short URLs often, then an online expander may work better for you. For this purpose, I like GetLinkInfo for its extensive support of URL shortening websites and detailed information about the link. Just paste the link on the website and press enter.




    GetLinkInfo will tell you the main title of the page, starting description, exact long URL, and any external links on the page. It also uses Google to check the safety of the website content.
    Use a browser extension

    In case you deal with short URLs frequently, then a dedicated browser extension is a better choice. Unshorten.It! is a good extension for this purpose that is available for both Chrome and Firefox.
    The cool thing about Unshorten.It! is that it doesn’t depend on the URL shortening service’s API, therefore, it can expand almost all types of short links. Once the extension is installed, right-click on any short link and select Unshorten it from the menu. The extension will expand the link in a new tab and also show safety information based on the Web Of Trust score.





    I also really liked the non-intrusive nature of the extension as it allows you to choose which links to expand and which to leave.
    Expand short URLs on Android

    On Android, you can use the free URL Manager app. This is actually an all-in-one link manager, but we will only be looking at the expanding feature of the app. Here’s how to expand a link:

    1. Copy the short URL that you want to expand.
    2. Tap on the + icon in its main interface and select Expand.
    3. Now paste the URL into the text field and tap on Expand. The original link will be shown below.





    Expand short URLs on iOS

    On iOS, you can use the free URL X-ray app. Although URL X-ray is popular for its web service, its iOS app does a fine job of expanding URLs. Once installed, you can copy/paste the short URL in the URL X-ray interface to expand it. It also adds a button in the share menu to let you directly share URLs from other apps.




    Summing up

    You should be very careful while opening short links and always check what’s on the other side before opening, especially if you received them via email or a direct message. Memorizing short URL preview tweaks might involve some work, but it will make the process very easy if you deal with short URLs often. But of course, you can always get help from a third-party app when you are in doubt.

    https://www.hongkiat.com/blog/see-sh...-opening-them/

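The preview tweaks listed in the post, turned into a PowerShell function so the preview link can be built without ever following the redirect. This is an added example, not code from the Hongkiat post; the function name is mine, and the bit.ly and budurl.com hostnames are assumptions (the post names the services, not their domains).

```powershell
# Added example. Rewrites a short URL into the preview form for the services
# listed in the post; anything it does not recognise returns $null rather
# than guessing, so the caller knows to fall back to an expander service.
function Get-ShortUrlPreview {
    param([Parameter(Mandatory)][string]$ShortUrl)

    # Accept bare "goo.gl/0WhZa7" as well as full URLs
    $text = $ShortUrl.Trim()
    if ($text -notmatch '^[a-z][a-z0-9+.-]*://') { $text = 'https://' + $text }
    $uri = [System.Uri]$text          # throws on malformed input, which is what we want
    $hostName = $uri.Host.ToLowerInvariant() -replace '^www\.', ''
    $path = $uri.AbsolutePath.TrimEnd('/')
    if ($path.Length -le 1) { return $null }   # no short code in the URL

    # TinyURL uses a preview subdomain rather than a suffix
    if ($hostName -eq 'tinyurl.com')         { return "$($uri.Scheme)://preview.tinyurl.com$path" }
    if ($hostName -eq 'preview.tinyurl.com') { return "$($uri.Scheme)://$hostName$path" }

    # Suffix per service, as listed in the post (hostnames for Bitly and BudURL assumed)
    $suffix = switch ($hostName) {
        'goo.gl'     { '+' }
        'bit.ly'     { '+' }
        'bitly.com'  { '+' }
        'is.gd'      { '-' }
        'tiny.cc'    { '~' }
        'budurl.com' { '?' }
        default      { $null }
    }
    if ($null -eq $suffix) { return $null }

    # Idempotent: do not double up if the preview character is already there
    if ($path.EndsWith($suffix)) { return "$($uri.Scheme)://$hostName$path" }
    return "$($uri.Scheme)://$hostName$path$suffix"
}

# Constructed inputs, including the post's own examples
'https://tinyurl.com/2loblt', 'goo.gl/0WhZa7', 'https://is.gd/1j6nkF', 'https://t.co/abc' |
    ForEach-Object { [pscustomobject]@{ Short = $_; Preview = Get-ShortUrlPreview $_ } }
```

The preview pages still belong to the shortening services, so they reveal the destination but do not vouch for it; the expander and extension checks in the post are the layer that actually rates the target.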

  18. #543
    harrybarracuda
    Over 4000 websites including several belonging to UK and US government agencies were found over the weekend to be running hidden crypto-mining malware.

    Security researcher Scott Helme first investigated the website of the Information Commissioner’s Office (ICO) after a tip-off that AV filters were raising red flags.

    “At first the obvious thought is that the ICO were compromised so I immediately started digging into this after firing off a few emails to contact people who may be able to help me with disclosure. I quickly realised though that this script, whilst present on the ICO website, was not being hosted by the ICO, it was included by a third-party library they loaded,” he explained.

    “If you want to load a crypto miner on 1,000 websites you don't attack 1,000 websites, you attack the one website that they all load content from. In this case it turned out that Texthelp, an assistive technology provider, had been compromised and one of their hosted script files changed.”

    It turned out that attackers had compromised a JavaScript file which was part of the Texthelp Browsealoud product, adding malicious code which effectively installed the CoinHive miner.

    Some of the sites affected by CoinHive included United States Courts, the General Medical Council, the UK’s Student Loans Company, NHS Inform and many others.
    Helme argued that mitigating the attack only requires a small code change to how the Browsealoud script is loaded.

    “What I've done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page,” he explained.

    “To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute.”

    The good news is the attack took place on Sunday morning and Texthelp has been quick to recognise the issue and take its service temporarily offline to fix it.

    Crypto-mining is an increasingly popular way for cyber-criminals to make money; in fact, many are turning away from ransomware to focus on the new tactic, according to Cisco Talos.

    IBM claimed to have seen a six-fold increase in crypto-mining malware attacks between January and August 2017.

    https://www.infosecurity-magazine.co...found-on-4000/
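The integrity check Helme describes, as an added PowerShell example (not code from the article, from Helme's write-up or from Texthelp): it computes the value a script tag's integrity attribute needs, then verifies a fetched copy the way a browser does, so a script altered after publication is rejected. The function names, the cdn.example.com URL and the script contents are constructed for the example.

```powershell
# Added example. SRI integrity values are "<algorithm>-<base64 digest>" of the
# exact bytes the browser fetches; any change to the file changes the digest.
function Get-SriIntegrity {
    param(
        [Parameter(Mandatory)][byte[]]$Content,
        [ValidateSet('sha256', 'sha384', 'sha512')][string]$Algorithm = 'sha384'
    )
    $name = $Algorithm.ToLowerInvariant()
    $hasher = switch ($name) {
        'sha256' { [System.Security.Cryptography.SHA256]::Create() }
        'sha384' { [System.Security.Cryptography.SHA384]::Create() }
        'sha512' { [System.Security.Cryptography.SHA512]::Create() }
    }
    try     { $digest = $hasher.ComputeHash($Content) }
    finally { $hasher.Dispose() }
    return ('{0}-{1}' -f $name, [Convert]::ToBase64String($digest))
}

# The browser-side check: recompute with the pinned algorithm and compare exactly.
function Test-SriIntegrity {
    param(
        [Parameter(Mandatory)][byte[]]$Content,
        [Parameter(Mandatory)][string]$Integrity
    )
    $algorithm = ($Integrity -split '-', 2)[0]
    $actual = Get-SriIntegrity -Content $Content -Algorithm $algorithm
    return ($actual -ceq $Integrity)
}

# The tag to put in the page; crossorigin is needed for SRI on cross-origin scripts.
function New-SriScriptTag {
    param(
        [Parameter(Mandatory)][string]$Src,
        [Parameter(Mandatory)][string]$Integrity
    )
    return ('<script src="{0}" integrity="{1}" crossorigin="anonymous"></script>' -f $Src, $Integrity)
}

# Constructed stand-in for the third-party script as its vendor published it
$published = [System.Text.Encoding]::UTF8.GetBytes("window.ThirdPartyWidget = { version: '1.0' };`n")
$pinned    = Get-SriIntegrity -Content $published
# Placeholder URL; the real Browsealoud script location is not part of this example
$tag = New-SriScriptTag -Src 'https://cdn.example.com/widget.js' -Integrity $pinned

# The same file with a line appended after publication, the shape of the incident above
$modified = [byte[]]($published + [System.Text.Encoding]::UTF8.GetBytes("/* appended after publication */`n"))

$tag
Test-SriIntegrity -Content $published -Integrity $pinned   # unchanged copy
Test-SriIntegrity -Content $modified  -Integrity $pinned   # modified copy

# Companion header from the article: refuse any script tag that lacks an integrity attribute
'Content-Security-Policy: require-sri-for script'
```

The require-sri-for directive was experimental and current browsers no longer implement it, so in practice the integrity attribute plus a tight script-src allow-list is what enforces this today; SRI also only fits scripts whose contents you control the versioning of, since every legitimate vendor update changes the digest.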

  19. #544
    harrybarracuda
    In case you're interested in what security features Microsoft are adding to Windows 10 with each new update...

    What’s new in Windows 10 security features: The anti-ransomware edition

    Here's what you need to know about each security update to Windows 10 as they roll out from Microsoft. Now updated for 1709, Fall Creators Edition.


    With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.

    Below is a summary of all the new security features and options in Windows 10 version 1709, also known as the Fall Creators Edition. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.

    Windows 10 1709: The anti-ransomware edition

    The Windows 10 Fall Creators Edition release is, in my opinion, the first release where Microsoft is vastly increasing and acknowledging the impact of ransomware. Key security features included in the 1709 release give IT professionals the ability to provide additional means to prevent and defend against ransomware. Here are the edition’s key features:

    Windows Defender Exploit Guard

    Windows Defender Exploit Guard is the name of four different feature sets that help to block and defend from attacks. The four features of Exploit Guard include Exploit Protection, Attack Surface Reduction tools, Network Protection, and Controlled Folder Access. Exploit Protection is the only feature that works if you use a third-party antivirus tool. The other three features require Windows Defender and will not work if you use third-party antivirus software. This prerequisite is unlikely to change due to the reliance on Windows Defender to provide the needed API and infrastructure to support the features.

    Exploit Protection

    This is the only one of the four Exploit Guard technologies that does not require Windows Defender to be your primary antivirus. Exploit Protection can be controlled via group policy or PowerShell. An additional cloud-based logging service called Windows Defender Advanced Threat Protection provides forensic tracking evidence of threats and attacks and can be used to better track and investigate Exploit Guard events. It is not mandatory to enable this technology.
    To enable Exploit Protection, begin by deploying the technology on test machines before deploying widely. Open Settings, go to Update and Security, open the Windows Defender app, and then open the Windows Defender Security Center. Then go into App and Browser Control and scroll down to Exploit Protection. Open Exploit Protection Settings.
    By default, Windows 10 has the following settings:

    • Control Flow Guard (CFG) (on by default) is a mitigation that prevents redirecting control flow to an unexpected
    • Data Execution Prevention (DEP) (on by default) is a security feature that was introduced in Vista and later platforms. The feature helps to prevent damage to your computer from viruses and other security threats. DEP protects your computer by monitoring programs to make sure they use system memory safely. When DEP senses malware, it might trigger a blue screen of death to protect the operating system.
    • Force Randomization for Images (Mandatory ASLR) (off by default) is a technique to evade attackers by randomizing where the position of processes will be in memory. Address space layout randomization (ASLR) places address space targets in unpredictable locations. If an attacker attempts to launch an exploit, the target application will crash (blue screen), therefore stopping the attack.
    • Randomize Memory Allocations (Bottom-up ASLR) (on by default) enables bottom-up allocations (VirtualAlloc() VirtualAllocEx()) to be randomized. Attacks that use bypassed ASLR and DEP on Adobe Reader are prevented with this setting.
    • Validate Exception Chains (SEHOP) (on by default) prevents an attacker from using the Structured Exception Handler (SEH) overwrite exploitation technique. Since first being published in September 2003, this attack has often been in many hackers’ arsenal.
    • Validate Heap Integrity (on by default) protects against memory corruption attacks.



    You can set both system settings and program settings and then export them in an XML file to then deploy them to other computers via PowerShell.

    Attack Surface Reduction

    Attack Surface Reduction is a new set of tools that block primarily Office, Java, and other zero-day-type attacks. With the addition of a Windows E5 license and Windows Advanced Threat Protection, you will receive a cloud-based alerting system when these rules are triggered. However, it’s not mandatory to have the E5 license to manage and defend systems. This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.
    To enable these protections, you can use group policy, registry keys, or mobile device management. To enable via group policy, go to Computer Configuration in the Group Policy Management Editor, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction. Double-click the Configure Attack surface reduction rules setting and set the option to Enabled. To enable Attack Surface Reduction using PowerShell, enter Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled.
    Now you need to determine what you plan on blocking. It is recommended to begin in audit mode to evaluate the impact on your network and devices. The values you can set to enable Attack Surface Reduction are:

    • Block mode = 1
    • Disabled = 0
    • Audit mode = 2

    Once you have determined that the protection will not impact productivity, you can set the value to Block Mode to fully enable the protections. Enter each rule on a new line as a name-value pair with a GUID code and then the value of 1 to enforce blocking, 0 to disable the rule, or 2 to set the rule to audit. When beginning to evaluate rules, set the value to 2 and monitor the results in the event log.

    • Name column: Enter a valid ASR rule ID or GUID
    • Value column: Enter the status ID that relates to state you want to specify for the associated rule

    The following rules can be enabled to better protect your computer and your network.
    Rule: Block executable content from email client and webmail. ASR Rule ID or GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550


    • Blocks executable files (such as .exe, .dll, or .scr)
    • Blocks script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
    • Block script archive files

    Rule: Block Office applications from creating child processes. ASR Rule ID or GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

    This rule blocks Microsoft Office applications from creating child content. This is typical malware behavior, especially with macro-based attacks.
    Rule: Block Office applications from creating executable content. ASR Rule ID or GUID: 3B576869-A4EC-4529-8536-B80A7769E899.

    This rule blocks Office applications from creating executable content. This is typical malware behavior. Attacks often use Windows Scripting Host (.wsh files) to run scripts.
    Rule: Block Office applications from injecting code into other processes. ASR Rule ID or GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84.

    Office applications such as Word, Excel, and PowerPoint will not be able to inject code into other processes. Malware typically uses this to avoid antivirus detection.
    Rule: Block JavaScript or VBScript from launching downloaded executable content. ASR Rule ID or GUID: D3E037E1-3EB8-44C8-A917-57927947596D

    This rule blocks the use of JavaScript and VBScript to launch applications, thus preventing malicious use of scripts to launch malware.
    Rule: Block execution of potentially obfuscated scripts. ASR Rule ID or GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

    This rule prevents scripts that appear to be obfuscated from running. It uses the AntiMalware Scan Interface (AMSI) to determine if a script is malicious.
    Rule: Block Win32 API calls from Office macro. ASR Rule ID or GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

    Malware often uses macro code in Office files to import and load Win32 DLLs, which then use API calls to further infect the system.

    Network Protection

    Network Protection is designed to protect your computer and your network from domains that may host phishing scams, exploits, and other malicious content on the internet. It can be enabled either via PowerShell or Group Policy. In the Group Policy Management Editor go to Computer Configuration, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection. Double-click the Prevent Users and Apps from Accessing Dangerous Websites setting and set the option to Enabled.
    To enable using PowerShell, enter Set-MpPreference -EnableNetworkProtection Enabled. To enable audit mode type in Set-MpPreference -EnableNetworkProtection AuditMode. To fully enable protection, you need to reboot the computer.
    Once enabled you can test the feature by going to this website. The site should be blocked and you should see a notification indicating the site’s threat status in the system tray. The system now relies on Microsoft SmartScreen technology to block web sites. If a false positive is found, you must submit a request to whitelist a website using Microsoft’s submission page.
    This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.

    Controlled Folder Access

    Controlled Folder Access protection is designed to prevent and defend from typical ransomware attacks. It can be enabled using the Windows Defender Security Center app, via Group Policy, PowerShell or configuration service providers for mobile device management. All applications that access any executable file (including .exe, .scr, and .dll files) use the Windows Defender Antivirus interface to determine if the application is safe. If the application is malicious, it is blocked from making changes to files in protected folders.
    Certain folders are protected by default and then the administrator can add folders they deem need additional protection. To enable controlled folder access via PowerShell type in the following command: Set-MpPreference -EnableControlledFolderAccess Enabled. To enable controlled folder access via group policy, open Group Policy Management Editor, go to Computer Configuration, click Policies, then Administrative Templates, and then expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access. Double-click the Configure Controlled Folder Access setting and set the option to Enabled.
    By default, the following folders are enabled for protection:

    • C:\Users\<user>\Documents
    • C:\Users\Public\Documents
    • C:\Users\<user>\Pictures
    • C:\Users\Public\Pictures
    • C:\Users\<user>\Videos
    • C:\Users\Public\Videos
    • C:\Users\<user>\Music
    • C:\Users\Public\Music
    • C:\Users\<user>\Desktop
    • C:\Users\Public\Desktop
    • C:\Users\<user>\Favorites

    You can then manually add folders as you see fit. If you have an application that is blocked by Controlled Folder Access, you can allow an application. To allow an override, go into Group Policy Management Editor and then go to Computer Configuration. Click on Policies and then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access. Double-click the Configure Allowed Applications setting and set the option to Enabled. Click Show and enter each app. To allow an application via PowerShell, enter Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>". You will want to test the settings before widespread deployment to note what adjustments you need to make for full application compatibility.
    This is the final one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.

    Windows Security Baselines

    Windows Security Baseline configurations have been updated to support Windows 10 1709. Security baselines are a set of recommended configurations to best secure systems in enterprises. Organizations can use the Security Compliance Toolkit to review recommended group policy settings. Microsoft certifies that they test updates against these configurations.

    Windows Defender Advanced Threat Protection (ATP)

    Windows Defender ATP is a cloud-based console that allows for forensic tracking of threats and attacks. It is enabled once you purchase a Windows E5 or Microsoft Office 365 E5 subscription. Once you purchase the subscription, you can enroll workstations via group policy or registry keys, which then upload telemetry to a cloud service. The service monitors for lateral attacks, ransomware, and other typical attacks. Release 1709 increases the analytics and security stack integration for better reports and integration.

    Windows Defender Application Guard


    Application Guard ensures that enterprises can control Microsoft’s new Edge browser to best block and defend workstations from attacks. Application Guard must be deployed on 64-bit machines, and the machines must have Extended Page Tables, also called Second Level Address Translation (SLAT), as well as either Intel VT-x extensions or AMD-V. Windows 10 Enterprise version is also mandated.
    Application guard can be controlled via group policy, Intune, or System Center. Application Guard can be deployed via features or PowerShell using Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard. Once enabled, you can limit websites to block outside content in Internet Explorer and Edge, limit printing, the use of clipboard, and isolate the browser to only use local network resources.

    Windows Defender Device Guard

    Device Guard is a new name for software restriction policies. Unless an application is trusted, it cannot be run on the system. Rather than the current model of software that we use now, where we trust software by default, Device Guard assumes all software is suspect and only allows software you trust to run on your system. Like Application Guard, the requirements include virtualization technology.

    Windows Information Protection (WIP)

    WIP now works with Office and Azure Information Protection. WIP used to be called Enterprise Data Protection. Setting a WIP policy ensures that files downloaded from an Azure location will be encrypted. You can set a listing of apps that are allowed to access this protected data.

    BitLocker

    The minimum PIN length for BitLocker was changed in version 1709 from six to four, with six as the default.

    Windows Hello

    Microsoft’s facial authentication system has been improved in version 1709 to use proximity settings to allow multifactor authentication in more sensitive deployments.

    Windows Update for Business

    The group policy settings that allow you to better control updating in Windows 10 now include the ability to control the use of Insider Edition on systems in your network. This allows you to enroll business systems in Microsoft’s beta testing process. Organizations may wish to opt into this program to better test and prepare for feature releases.

    Security features prior to version 1709

    Security changes and enhancements introduced in previous editions include the following:

    Windows Defender Advanced Threat Protection

    Windows 10 1703 introduced the ability to use the threat intelligence API to build custom alerts. Improvements were made in operating system memory and kernel sensors to better detect attacks deep into the operating system. It also allowed for six months of historical detection to better review for patterns. Antivirus detection and Device Guard events were placed in the Threat Protection portal. Windows 10 1607 originally introduced the online cloud forensic tool to the Windows 10 platform for the first time.

    Windows Defender Antivirus

    This was renamed from Windows Defender in Version 1703 and was integrated into the Windows Defender Security Center Application. In addition, behavior monitoring and real-time protection were enhanced. In Windows 10 1607, PowerShell cmdlets were introduced to configure options and run scans.

    Windows Defender Credential Guard

    Usernames and passwords are stolen on a regular basis to gain access into systems. An attacker gains access into one compromised system and then using attacks such as “Pass the hash” or “Pass the ticket” can harvest credentials saved in systems to perform lateral movement attacks across a network. Credential guard protects NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials from attackers. However, be aware that single sign-on applications may not work if credential guard is enabled.
    Windows 10 1703 increased the hardware requirement to deploy Device Guard and Credential Guard to better protect from vulnerabilities in UEFI runtime scenarios:

    • Support for virtualization-based security (required)
    • Secure boot (required)
    • TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
    • UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)

    If you want to enable credential guard on virtual machines where the risk of lateral movement may be higher, additional hardware requirements include:

    • 64-bit CPU
    • CPU virtualization extensions plus extended page tables
    • Windows Hypervisor

    Windows 10 1511 introduced the ability to enable Credential Guard by using the registry to allow you to disable Credential Guard remotely.

    Group Policy Security

    Windows 10 1703 introduced a new security policy specifically to make the username more private during sign in. Interactive logon: Don't display username at sign-in allows for more granular control over the sign in process.

    Windows Hello for Business

    Windows 10 1703 introduced the ability to reset a forgotten PIN without losing profile data. Windows 10 1607 combined the technologies of Microsoft Passport and Windows Hello.

    Windows Update for Business

    Feature update installation can be deferred by 365 days, increased from the prior 180 days allowed.

    Virtual Private Network (VPN)

    Windows 10 1607 allowed the VPN client to integrate with the Conditional Access Framework and can integrate with the Windows Information Protection policy for more security.

    Applocker

    Windows 10 1507 introduced a new parameter that allows you to choose if executable and DLL rules will apply to non-interactive processes.

    BitLocker

    BitLocker received new features in Windows 10 1511 including enhancements in the XTS-AES encryption algorithm to better protect from attacks on encryption that utilize manipulating cipher texts. Windows 10 1507 introduced the ability to encrypt and recover a device with Azure Active Directory.

    Windows 10 auditing

    Windows 10 Version 1507 added more auditing events and increased fields to better track processes and events.

    https://www.csoonline.com/article/32...es.html?page=2
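    The article recommends testing Controlled Folder Access before widespread deployment; the script below is an added example (not from the article or from Microsoft) of that staged rollout: audit mode first, review the audit events, allow the legitimate applications that showed up, then switch to block mode. The folder and application paths are placeholders, and the extraction of the process and target path from the 1123/1124 event text assumes those events carry "Process Name:" and "Path:" fields; the raw message is kept when they do not match.

```powershell
# Staged rollout of Controlled Folder Access (CFA): audit, review, allow, enforce.
# Added example, not the article's or Microsoft's code. Run in an elevated PowerShell on
# Windows 10 1709+ with Windows Defender Antivirus active (CFA needs Defender, not third-party AV).

# --- Assumptions (placeholders): adjust to your environment ---
$ExtraFolder  = 'D:\Finance\Shared'                          # hypothetical folder to protect
$AllowedApp   = 'C:\Program Files\LineOfBusiness\lob.exe'    # hypothetical app to allow
$LookbackDays = 7

function Get-CfaState {
    # Map the numeric EnableControlledFolderAccess value to its documented meaning.
    $map  = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode';
               3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }
    $pref = Get-MpPreference
    [pscustomobject]@{
        Mode             = $map[[int]$pref.EnableControlledFolderAccess]
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Start-CfaAudit {
    # Stage 1: audit mode records would-be blocks (event 1124) without enforcing anything.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder
}

function Get-CfaEvents {
    param([int]$Days = 7)
    # Stage 2: 1123 = blocked, 1124 = audited, both in the Defender operational log.
    $filter = @{ LogName   = 'Microsoft-Windows-Windows Defender/Operational'
                 Id        = 1123, 1124
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: message text has 'Process Name:' and 'Path:' lines; fall back to raw text.
        $proc = if ($_.Message -match '(?m)^\s*Process Name:\s*(?<p>\S.*?)\s*$') { $Matches.p } else { $_.Message }
        $path = if ($_.Message -match '(?m)^\s*Path:\s*(?<t>\S.*?)\s*$')         { $Matches.t } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $proc
            Target  = $path
        }
    }
}

function Enable-CfaEnforcement {
    # Stage 3: once the audit report shows only expected apps, allow them and switch to block.
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# --- Usage: stages 1 and 2 now; run Enable-CfaEnforcement after the report is reviewed ---
Start-CfaAudit
Get-CfaState | Format-List
Get-CfaEvents -Days $LookbackDays |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

    The grouped report lists, per process, how often it would have been blocked; anything legitimate in that list is what goes into the allowed-applications setting before enforcement is turned on.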

  20. #545
    Member
    harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    Today @ 04:26 PM
    Posts
    52,912
    An Essex man has been given two years in jail for running a website which allowed would-be hackers to test whether their malware could bypass AV filters.
    Goncalo Esteves, of Cape Close, Colchester, operated the reFUD.me site which charged visitors to test their tools against anti-malware scanners.
    Using the pseudonym 'KillaMuvz', he also sold custom-made malware-disguising products and offered technical support to users.
    These products are known as 'crypters' — tools which can be used by black hats to help evade AV.
    Esteves sold his Cryptex Lite product for $7.99/month, while a lifetime license for Cryptex Reborn cost $90. He also provided support via a dedicated Skype account and accepted payment in conventional currency, Bitcoin or even Amazon vouchers.
    His PayPal account alone netted him £32,000 between 2011 and 2015, although the amount received in Bitcoin and Amazon vouchers is unknown.
    “Esteves helped hackers to sharpen their knives before going after their victims. His clients were most likely preparing to target businesses and ordinary people with fraud and extortion attempts,” argued Mike Hulett, head of operations at the National Crime Agency’s National Cyber Crime Unit (NCA NCCU).
    “He made a fair bit of money, but he’d probably have made much more, and certainly for longer, if he’d pursued a legitimate career in cybersecurity.”
    The NCA also thanked Trend Micro, which helped conduct a joint operation with the agency to catch Esteves.
    This came after the two parties signed an MoU in 2015 formalizing their co-operation in the form of a ‘virtual team’ comprising members of the NCCU and Trend Micro’s Forward Looking Threat Research team (FTR).
    Esteves was sentenced at Blackfriars Crown Court in relation to two charges under the Computer Misuse Act.

    https://www.infosecurity-magazine.co...stermind-gets/

  21. #546
    Member
    harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    Today @ 04:26 PM
    Posts
    52,912
    Microsoft has deluged administrators with this month’s patch update round, fixing a total of 50 CVEs, 14 of them listed as critical.
    Most experts have highlighted CVE-2018-0825 for urgent treatment. It’s an RCE flaw in Structured Query.
    “This bug allows an attacker to get code execution through vulnerable versions of Microsoft Outlook. What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” explained Dustin Childs of the Zero Day Initiative.
    “The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”
    Also worthy of note is the single publicly disclosed vulnerability in the list: CVE-2018-0771 is a Security Feature Bypass flaw in Edge that could allow an attacker to host a specially crafted website designed to exploit the vulnerability.
    “Compromised websites and websites that accept or host user-provided content or advertisements are also susceptible,” explained Ivanti director of product management, Chris Goettl. “The attacker could force the browser to send data that would otherwise be restricted.”
    Goettl also flagged a number of elevation of privilege flaws which could be leveraged by hackers who have already infiltrated systems, for example during an APT-style attack.
    “CVE-2018-0820 (a vulnerability in the Windows Kernel), CVE-2018-0821 (Windows AppContainer), CVE-2018-0822 (NTFS Global Reparse Point), CVE-2018-0826 (Windows Storage Services), CVE-2018-0844 (Windows Common Log File System Driver), CVE-2018-0846 (Windows Common Log File System Driver), and CVE-2018-0823 (Named Pipe File System) each have an exploit index of 1 for the latest Windows versions,” he explained.
    “These updates cover a lot of services and the kernel so the monthly OS updates will affect a broad surface area. This is also a good example of the importance of layered security. If you are running least privilege for users in your environment, vulnerabilities such as these can still enable an attacker to gain full control of a system.”
    Elsewhere there was plenty from Adobe to keep admins busy this month: APSB18-02 resolves 41 vulnerabilities, including 17 critical ones.
    Most urgent is the out-of-band update released earlier this month to fix a zero-day actively being exploited in the wild.

    https://www.infosecurity-magazine.co...-flaws-to-fix/

  22. #547
    Member
    harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    Today @ 04:26 PM
    Posts
    52,912
    Try as I might I can't get TD to upload an expandable version of this, so just click the link.

    https://hakin9.org/ransomware-gone-g...s-slowing-tsg/

  23. #548
    Member
    harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    Today @ 04:26 PM
    Posts
    52,912
    The North Korean–linked hacking group known as Reaper is expanding its operations in both scope and sophistication, and it has now graduated to the level of an advanced persistent threat.
    According to FireEye, the threat actor has carried out long-term targeting of North Korea’s interests in South Korea since 2013, but it’s now focusing on multinational campaigns using advanced capabilities. For instance, the group recently exploited a zero-day vulnerability in Adobe Flash Player, CVE-2018-4878, which represents a concerning level of technical sophistication.
    “The slow transformation of regional actors into global threats is well established,” the firm said in a report on the group, which has added a new moniker to its name: APT37. “Minor incidents in Ukraine, the Middle East and South Korea have heralded the threats, which are now impossible to ignore. In some cases, the global economy connects organizations to aggressive regional actors. In other cases, a growing mandate draws the actor on to the international stage. Ignored, these threats enjoy the benefit of surprise, allowing them to extract significant losses on their victims, many of whom have never previously heard of the actor.”
    Reaper has set its sights primarily on corporations in vertical industries, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare – and has been seen recently targeting Japan, Vietnam and the Middle East. It uses social engineering tactics tailored specifically to desired targets, strategic web compromises and torrent file-sharing sites to distribute malware more indiscriminately.
    That malware represents a diverse bag of tricks to be used for both initial intrusion and data exfiltration, including custom malware used for espionage purposes. Its tool set includes access to zero-day vulnerabilities and destructive wiper malware, FireEye said.
    The firm also noted that it’s possible that APT37’s distribution of malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service (DDoS) attacks, or for other activity such as financially motivated campaigns or disruptive operations.
    As far as attribution, “disruptive and destructive cyber-threat activity (including the use of wiper malware, public leaks of proprietary materials by false hacktivist personas, DDoS attacks and electronic warfare tactics such as GPS signal jamming) is consistent with past behavior by other North Korean actors,” the firm said. FireEye also detected malware development artifacts that point to Pyongyang, and the targeting aligns with North Korean state interests.
    “North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms,” FireEye noted. “Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity. We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”



  24. #549
    Member
    harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    Today @ 04:26 PM
    Posts
    52,912
    I hope you've all got a long and complex TD password.....



    An extraordinary 43 per cent of all attempted online account logins are malicious, Akamai claims in its latest internet security report.
    "Credential abuse" is an increasingly popular line of attack, thanks in large part to the ready availability of huge user/password databases that have been stolen and are sold online.
    Akamai identifies two main types of such attacks: "bursty, high-speed login attempts" to break into people's accounts, and "low and slow attempts to avoid apprehension by spreading login tries across longer time periods," again to gain unauthorized access to profiles and systems.
    The web hosting giant even reckons it may be underestimating the problem because it only gathered data from websites that use an email address as a username, which included no less than six billion login attempts over two months. Banks typically require you to select a username rather than an email and are often the most persistent focus of attackers' attention, for obvious reasons, so are likely missing from this dataset.
    In addition to detailing credential abuse, Akamai's quarterly State of the Net report, out this week, identifies mobile devices, the internet of things, and APIs as the biggest, and somewhat bleeding obvious, new threats to online security.
    API attacks more than doubled in the last quarter, we're told. Akamai has also noticed a new trend in miscreants breaking into systems in order to use their computing power for activities including mining cryptocurrencies, rather than simply stealing information.
    "We are seeing a new trend of enterprise systems being targeted, not only to steal their data, but to steal their computing resources, perhaps driven in part by the rise of cryptocurrencies and the potential value of mining resources," the report notes.


  25. #550
    Member
    harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    Today @ 04:26 PM
    Posts
    52,912
    This made me laugh.

    Fucking Nazis complaining because Twitter deleted all their fake Russian followers!



    https://gizmodo.com/conservative-twi...ers-1823185428
