*** The Security News Thread ***

[headhunter]

i have just recieved by ems.mail a MCAFEE anti-virus package for 1device x 1yr.what i recieved was a jiffy bag wrapped in sticky tape that DOES NOT allow you to open.
i have managed to cut it open,inside was a small piece of cardboard with just a line id@ 8characters,no instructions just a bag of rubbish.luckely I have put a stop on the payment.please is there anyone that can help.
TRYING TO CONTACT LAZADA YOU GOT MORE CHANCE TO WIN THE LOTTERY.

[harrybarracuda]

i have just recieved by ems.mail a MCAFEE anti-virus package for 1device x 1yr.what i recieved was a jiffy bag wrapped in sticky tape that DOES NOT allow you to open.
i have managed to cut it open,inside was a small piece of cardboard with just a line id@ 8characters,no instructions just a bag of rubbish.luckely I have put a stop on the payment.please is there anyone that can help.
TRYING TO CONTACT LAZADA YOU GOT MORE CHANCE TO WIN THE LOTTERY.

No idea what you are babbling on about but you might be better posting it in the lounge in case anyone else can understand you.

[crackerjack101]

i have just recieved by ems.mail a MCAFEE anti-virus package for 1device x 1yr.what i recieved was a jiffy bag wrapped in sticky tape that DOES NOT allow you to open.
i have managed to cut it open,inside was a small piece of cardboard with just a line id@ 8characters,no instructions just a bag of rubbish.luckely I have put a stop on the payment.please is there anyone that can help.
TRYING TO CONTACT LAZADA YOU GOT MORE CHANCE TO WIN THE LOTTERY.

Repack it and get the refund code from your Lazada account, take it to a 7/11 and send it back. I've done this 2 or 3 times and had the money back in my account within 10 days.

[harrybarracuda]

Repack it and get the refund code from your Lazada account, take it to a 7/11 and send it back. I've done this 2 or 3 times and had the money back in my account within 10 days.

You can translate that?

What did they send him? And was it for someone else?

[crackerjack101]

You can translate that?

What did they send him? And was it for someone else?

I just assume he ordered something from Lazada and doesn't like it.

[harrybarracuda]

I just assume he ordered something from Lazada and doesn't like it.

Must have ordered it when he was pissed then. Like now.

[headhunter]

Must have ordered it when he was pissed then. Like now.

come on HB you know I cant get pissed,but what I ordered from lazada [A MCAFEE ANTI VIRUS PROTECTION PACKAGE was nothing like what they advertise and show.
sorry HB I am [PISSED] OFF.

[headhunter]

yes C.M.P.cash on delivery,postman excepted it back,for to be sent back to lazada.
to give you some idea what is advertised,google LAZADA ANTI VIRUS MCAFEE 1 DEVICE.
as lazada would not answer wed.1hr.yesterday the same,so I did NOT PAY.

[harrybarracuda]

come on HB you know I cant get pissed,but what I ordered from lazada [A MCAFEE ANTI VIRUS PROTECTION PACKAGE was nothing like what they advertise and show.
sorry HB I am [PISSED] OFF.

You ordered software. Sounds like they sent you a key.

If that's the case, you install the free McAfee from their site and then enter the key to register it for a year.

[headhunter]

You ordered software. Sounds like they sent you a key.

If that's the case, you install the free McAfee from their site and then enter the key to register it for a year.

thanks HARRY,the invoice says in the box,free instructions,no box,no instructions,just a piece of cardboard 2"x2"and a line id.thats it.

[harrybarracuda]

thanks HARRY,the invoice says in the box,free instructions,no box,no instructions,just a piece of cardboard 2"x2"and a line id.thats it.

Sounds well dodgy.

Unless you're supposed to get the key from the Line ID.

[headhunter]

Sounds well dodgy.

Unless you're supposed to get the key from the Line ID.

last yr.i bought a new pc.which came with MCAFEE protection,now its run out I contacted mcafee agent bkk.but their phone is dead.
to buy a package from mcafee you NEED a credit card,no have,so today the wife will go to our internet provider TOT.and get them to do it for us,one of their engineers lives 50mts.from us.

[harrybarracuda]

IIRC you can buy a proper antivirus license at Banana IT. Not sure about McAfee though.

[harrybarracuda]

I read that there are something like 15 different competing standards, but I doubt any of them have the one billion+ customer base this one has...

Mastercard and Microsoft say they're developing a universal identity management solution


Identity management is one of the most cumbersome issues in information security today. How should organizations verify that people using a banking, e-commerce or other digital service are who they say they are? Mastercard and Microsoft are banding together to try to find a universal solution, the two companies announced Monday.


Current identity management schemes are onerous for end users, Microsoft and Mastercard say.

Organizations and individuals have to rely on things like a Social Security number, proof of address, a username and password or something else.

“We believe that there is a huge need for a universally-recognized digital identity service the puts the individual in control. Right now, proving one’s identity online places a huge burden on individuals,” Charles Walton, Mastercard’s senior vice president of digital identity products, told
CyberScoop in an email. “People have to successfully remember hundreds of passwords for various identities and are increasingly being subjected to more complexity in proving their identity and managing their data.”

The partnership aims to develop a universal service that lets users prove their identity. The companies say it would work for everything including opening a new bank account, applying for a loan, online shopping, filing taxes, applying for a passport and simply logging into to online accounts.

“We will share more about product specifics in early 2019 but we see the need for a system that could drive convenience, security and simplicity for users interacting digitally across many vertical markets while removing unnecessary time and costs from the identity verification process,” Walton said.

It’s not clear what a universal identity management and verification solution would look like once it trickles down to the individual, but Walton said the hope is to have a service that user-centric and interoperable across platforms, services and even governments.

“Regardless of where they are, individuals today are more device-reliant than ever before, yet much of digital identity still requires using offline form factors of verification, like a passport number,” Walton said. “Our intention is to create a service designed for individuals’ digital lives, fully intertwined and enabled from the devices they use very day.”

Mastercard and Microsoft pose that such a solution can help reduce payment fraud, identity theft and even give underserved populations better access to resources like health, financial and social services.

The future service would be built upon Microsoft Azure, Microsoft’s cloud computing platform, Walton said. The two companies say they want to collaborate with others in the “banking, mobile network operator and government communities,” although no other partners have been announced yet.

“Digital identity is a cornerstone of how people live, work and play every day,” said Joy Chik, Microsoft’s corporate vice president of identity, in a press release. “We believe people should be in control of their digital identity and data, and we’re thrilled to first work with Mastercard to bring new decentralized identity innovations to life.”

https://www.cyberscoop.com/identity-...d-partnership/

[harrybarracuda]

Adobe released patches today for a new zero-day vulnerability discovered in the company's popular Flash Player app. The zero-day has been spotted embedded inside malicious Microsoft Office documents.


These documents were discovered last month after they've been uploaded on VirusTotal, a web-based file scanning service, from a Ukrainian IP address.

According to reports from Gigamon (formerly ICEBRG) and Chinese cyber-security firm Qihoo 360 Core Security, the two companies which spotted the documents, the zero-day was embedded as a Flash Active X object inside a Word document designed to look like a seven-page employment application for a Russian state healthcare clinic.

If victims who received the documents allowed the Flash Active X object to execute, researchers said the malicious code would escalate its access from the Office app to the underlying OS. Here it would drop a JPG file, then unzip another RAR file attached at the end of this JPG file to drop an EXE file on the victim's PC, and then run this file (a basic barebones backdoor trojan). Researchers said this zero-day was capable of running on both 32-bit and 64-bit architectures.

https://www.zdnet.com/article/adobe-...tag=RSSbaffb68

[harrybarracuda]

In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.


This is the first time an APT (Advanced Persistent Threat --an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension, albeit it's not the first time one has used a browser extension, as the Russian-linked Turla APT previously used a Firefox add-on in 2015 [1, 2].

According to a report that's going to be published later today by the ASERT team at Netscout reveals the details of a spear-phishing campaign that's been pushing a malicious Chrome extension since at least May 2018.

Hackers used spear-phishing emails to lure victims on websites copied from legitimate academic organizations. These phishing sites, now down, showed a benign PDF document but prevented users from viewing it, redirecting victims to the official Chrome Web Store page to install a (now removed) Chrome extension named Auto Font Manager.


Netscout researchers say the extension had the ability to steal both cookies and site passwords, but they've also seen email forwarding on some compromised accounts.

Speaking to ZDNet, Netscout researchers said the spear-phishing campaigns using this Chrome extension targeted the academic sector but did not want to give out the names of the victims just yet.

"We've identified three universities based in the United States and one non-profit institution based in Asia [that] we're certain to have been targeted," researchers told us.

"A large number of the victims, across multiple universities, had expertise in biomedical engineering, possibly suggesting a motivation for the attackers' targeting," researchers added separately, in their report.


But while looking into this recent attacks, researchers also discovered that the same infrastructure that hosted these phishing sites had also been previously used in another hacking campaign that relied on breaking into universities' networks via Remote Desktop Connections (RDP) connections.

Netscout told ZDNet that "the two separate threads of activity have shared infrastructure and overlapping victims, but it's unclear which came first."

Investigators also added that the people behind this recent campaign, which Netscout named Stolen Pencil, have been very sloppy when it came to hiding their tracks. Researchers said they found evidence suggesting that the group may be based in North Korea.
"Poor OPSEC led to users finding open web browsers in Korean, English-to-Korean translators open, and keyboards switched to Korean language settings," researchers said.

But while Netscout researchers didn't want to link this campaign to a specific North Korean APT (Advanced Persistent Threat --an industry term for nation-state hacking groups), multiple industry sources to whom ZDNet showed the Chrome extension file hashes yesterday pointed us to a cyber-espionage group known as Kimsuky (also known as Velvet Chollima).

A 2013 Kaspersky Lab report presented evidence linking the group to North Korea's regime. The same report also detailed Kimsuky's propensity for going after academic targets, the same ones targeted with this most recent campaign.

As for what the hackers were after, Netscout researchers told ZDNet that they've "seen no evidence of data theft, but like any intrusion, we can't entirely discount the possibility. None of the tools or commands were specifically geared towards stealing information - they were focused on credential theft and maintaining access."

Universities have always been an attractive target for nation-state hackers, especially those looking for proprietary information or unreleased research. While both Chinese and Russia state hackers have been known to go after the academic sector on a regular basis, Iranian hackers have been the most active of the bunch.

Earlier this year in March, the US indicted 10 Iranians for hacks against 320 universities in 22 countries, 144 of which were in the US. Some of the research papers the hackers stole were eventually published online on pay-for-access portals operated by some of the indicted hackers, who, apparently, found a way to generate side profits from their day-to-day state-sponsored hacking campaigns. The indictments didn't stop Iranian hackers from their attacks, though.

https://www.zdnet.com/article/cyber-...#ftag=RSSbaffb68

[harrybarracuda]

Google Chrome 71 is out with 43 security fixes

by Martin Brinkmann on December 05, 2018 in Google Chrome - Last Update: December 05, 2018


Google released Google Chrome 71 to the stable channel yesterday. The new version of the web browser is a security update first and foremost as it includes 43 security fixes.

Google Chrome 71 will roll out to all desktop installations on Windows, Mac and Linux over the coming days and weeks according to Google.

Users and administrators who don't want to wait days or weeks can load chrome://settings/help in the browser's address bar to run a manual check for updates.


https://www.ghacks.net/2018/12/05/google-chrome-71/

[cisco999]

wonder how long it will be before the realization occurs to people that all this computer security threats is created by the people who then provide the solutions to it.

That exactly what I said to a rep from Webroot.com 15 years ago when they kept sending me discs which they the said were outdated as soon as I received them. Never did get the malware eliminated from that machine.

[harrybarracuda]

That exactly what I said to a rep from Webroot.com 15 years ago when they kept sending me discs which they the said were outdated as soon as I received them. Never did get the malware eliminated from that machine.

Well in fairness clearly neither of you have much of a fucking clue how it works.

[harrybarracuda]

Researchers create AI that could spell the end for website security captchas

Researchers have created new artificial intelligence that could spell the end for one of the most widely used website security systems.


The new algorithm, based on deep learning methods, is the most effective solver of captcha security and authentication systems to date and is able to defeat versions of text captcha schemes used to defend the majority of the world’s most popular websites.


Text-based captchas use a jumble of letters and numbers, along with other security features such as occluding lines, to distinguish between humans and malicious automated computer programmes. It relies on people finding it easier to decipher the characters than machines.

Developed by computer scientists at Lancaster University in the UK as well as Northwest University and Peking University in China, the solver delivers significantly higher accuracy than previous captcha attack systems, and is able to successfully crack versions of captcha where previous attack systems have failed.

The solver is also highly efficient. It can solve a captcha within 0.05 of a second by using a desktop PC.

It works by using a technique known as a ‘Generative Adversarial Network’, or GAN. This involves teaching a captcha generator programme to produce large numbers of training captchas that are indistinguishable from genuine captchas. These are then used to rapidly train a solver, which is then refined and tested against real captchas.

By using a machine-learned automatic captcha generator the researchers, or would be attackers, are able to significantly reduce the effort, and time, needed to find and manually tag captchas to train their software. It only requires 500 genuine captchas, instead of the millions that would normally be needed to effectively train an attack programme.

Previous captcha solvers are specific to one particular captcha variation. Prior machine-learning attack systems are labour intensive to build, requiring a lot of manual tagging of captchas to train the systems. They are also easily rendered obsolete by small changes in the security features used within captchas.

Because the new solver requires little human involvement it can easily be rebuilt to target new, or modified, captcha schemes.

The programme was tested on 33 captcha schemes, of which 11 are used by many of the world’s most popular websites – including eBay, Wikipedia and Microsoft.

Dr Zheng Wang, Senior Lecturer at Lancaster University’s School of Computing and Communications and co-author of the research, said: “This is the first time a GAN-based approach has been used to construct solvers. Our work shows that the security features employed by the current text-based captcha schemes are particularly vulnerable under deep learning methods.
“We show for the first time that an adversary can quickly launch an attack on a new text-based captcha scheme with very low effort. This is scary because it means that this first security defence of many websites is no longer reliable. This means captcha opens up a huge security vulnerability which can be exploited by an attack in many ways.

Mr Guixin Ye, the lead student author of the work said: “It allows an adversary to launch an attack on services, such as Denial of Service attacks or spending spam or fishing messages, to steal personal data or even forge user identities. Given the high success rate of our approach for most of the text captcha schemes, websites should be abandoning captchas.”

Researchers believe websites should be considering alternative measures that use multiple layers of security, such as a user’s use patterns, the device location or even biometric information.

https://www.helpnetsecurity.com/2018...rity-captchas/

[harrybarracuda]

I suppose if you aren't into Bitcoin....

A Russian company that claims to specialize in decrypting ransomware is actually just secretly brokering deals with the malware distributors and charging victims for this middle-man service, researchers say.

The so-called IT consulting firm, known as Dr. Shifro, advertises that it can fix systems affected by such malicious encryptors as Cryakl, Scarab, Bomber, and Dharma/Crisis. But in reality, the company simply asks the ransomware’s creators to hand over a decryption key for a discounted price, according to Bleeping Computer, citing findings from Check Point Software Technologies.

During its investigation, Check Point observed Dr. Shifro allegedly charging a minimum of $1,000 for its imaginary IT services, plus the cost of paying for the decryptor. Check Point estimates that Dr. Shifro has earned at least $300,000 in revenue from this operation since it began in 2015.

https://www.scmagazine.com/home/secu...rchers-report/

[harrybarracuda]

So it seems that the Anonymous script kiddies launched another one of their laughable "ops" again this week, targeting banks.

They managed to launch a few DDOS attacks on the websites of such banking titans as the Central Bank of Dominica and the Central Bank of the Maldives. Whoop de fucking doo

They really are a bunch of wankers.

[harrybarracuda]

Shamoon malware destroys data at Italian oil and gas company

About a tenth of Saipem's IT infrastructure infected with infamous data-wiping Shamoon malware.




A new variant of the Shamoon malware was discovered on the network of Italian oil and gas contractor Saipem, where it destroyed files on about ten percent of the company's PC fleet, ZDNet has learned.
The vast majority of the affected systems were located in the Middle East, where Saipem does a vast majority of its business, but infections were also reported in India, Italy, and Scotland.

Shamoon is one of the most dangerous strains of malware known to date. It was first deployed in two separate incidents that targeted the infrastructure of Saudi Aramco, Saudi Arabia's largest oil producer, in 2012 and 2016. During those incidents, the malware wiped files and replaced them with propaganda images (burning US flag, body of Alan Kurdi). The 2012 attack was devastating in particular, with Shamoon wiping data on over 30,000 computers, crippling the company's activity for weeks.

This new Shamoon attack also has an Aramco connection. Saipem, an Italian oil and gas company specialized in drilling services and pipeline design, is one of Saudi Aramco's main foreign contractors.

This latest Shamoon incident took over the past weekend of December 8 and 9. The company publicly acknowledged the incident on Monday in a press release, calling it a cyber-attack, but without providing any useful information.

On the same day, a never-before-seen version of the Shamoon malware was uploaded on VirusTotal from an IP address located in Italy, where Saipem's main headquarters are located, and other samples were uploaded the next day from an IP address in India, another region that Saipem also said was affected.

Following repeated requests for comments, from both ZDNet and other publications, Saipem admitted in an email that they've been infected with a Shamoon variant.

But while in past Shamoon incidents attackers deleted and replaced files, a source inside the company told ZDNet that this time, attackers chose to encrypt data.

A security researcher who analyzed the Shamoon files uploaded on VirusTotal told ZDNetthat this is somewhat incorrect. This version of Shamoon overwrites original files with garbage data. This garbage data might look like encrypted content to an untrained eye, but it's just random bits of information that can't be recovered with an encryption key.

But despite this news, the Shamoon infection didn't appear to do damage to Saipem's ability to do business. Only regular workstations and laptops connected to Saipem's business network were affected, ZDNet was told, and the company's internal systems for controlling industrial equipment were not impacted.

Currently, Saipem is taking the Shamoon attack in stride, having already restored most of its affected systems using existing backups.

Older versions of the Shamoon malware were also known to come hardcoded with a list of SMB (Server Message Block) credentials that the malware would use to spread throughout a network on its own.

But in a phone call with ZDNet on Tuesday, Brandon Levene, the Chronicle security researcher who first spotted the new Shamoon malware on VirusTotal, said this Shamoon version didn't come with the regular list of SMB credentials that it used to feature in the past for self-propagation.

This might also explain why Saipem's IT staff is currently reviewing RDP (Remote Desktop Protocol) as the primary entry point for the malware into its network.

"You could just load Mimikatz onto the box and away you go to pivot that way," Levene told ZDNet in a phone call about the technical possibility of RDP being the entry point for the hack and the absence of any SMB credentials usually seen in the past.

"They could have encoded them [the SMB credentials] afterward [after obtaining them with Mimikatz]," Levene said, "that would certainly make sense as to why the [SMB] functionality wasn't necessary."

"Additionally, the networking component wasn't there. There's no command and control server configured," the researcher told us. "Older versions had a command and control server configured, and those would report what files were popped or overwritten."

The lack of these two components --SMB spreader and networking component-- fits with the scenario of a manual deployment, where the attacker was present and roaming around the company's network, rather than the malware being delivered via a phishing email, and left to spread on its own.

This theory is also confirmed by the fact that this new Shamoon version was also configured with a trigger date of "December 7, 2017, 23:51." The Shamoon "trigger date" is the date after which Shamoon's destructive behavior starts.

"Trigger dates" are often used for malware deployed to spread on its own, in order to make sure the malware has time to infect as many computers inside an internal network.

By using an old trigger date for this variant, attackers made sure Shamoon's destructive behavior started as soon as they executed the Shamoon payload.

https://www.zdnet.com/article/shamoo...d-gas-company/

[harrybarracuda]

Rumours have abounded for a while. 18305 downloading now.

Microsoft officially took the wraps off a feature expected to come to Windows 10 19H1 early next year that it has rechristened as "Windows Sandbox." This feature, which will be part of Windows 10 Pro and Enterprise editions, creates "an isolated, temporary desktop environment" where users can run potentially suspicious software, officials said in a blog post on December 18.

Earlier this year, Microsoft was rumored to be readying a new security feature for Windows 10 that was called, at that time, "InPrivate Desktop." InPrivate Desktop got a mention in Microsoft's Insider Feedback Hub during a bug-bash quest in August. The codename for InPrivate Desktop was "Madrid."

In today's blog post about Windows Sandbox, Microsoft officials said the feature was available to users of Windows 10 Pro or Enterprise running Build 18301 or later. (Microsoft has not yet made available Build 18301 of Windows 10 to Insider testers, but could potentially do so later this week.) But later, the post said the feature could work with Windows 10 Pro or Enterprise Build 18292. The feature also requires AMD64 (aka x64) and virtualization capabilities enabled in BIOS, the post noted.

Windows Sandbox is a lightweight virtual machine that builds on the technologies used in Windows Containers, according to the post. Windows Sandbox makes use of a new technology Microsoft calls "integrated scheduler," which allows the host to decide when the sandbox runs.


More information on the Windows Sandbox feature is available in the December 18 blog post.

https://www.zdnet.com/article/micros...-in-isolation/

[harrybarracuda]

It's in Windows Features.