Oh yes it does.
https://www.trustwave.com/Resources/...TGEAR-Routers/
could explain why my passwords to log on to the AdminCP don't work anymore :p
A new alternative to Google DNS or Open DNS:
https://adguard.com/en/adguard-dns/overview.html
good one harry, could be a nice alt to spying Google and crappy OpenDNS
*Faints*
10 Things You Need To Know About 'Wikileaks CIA Leak'
Wednesday, March 08, 2017
Yesterday WikiLeaks published thousands of documents revealing top CIA hacking secrets, including the agency's ability to break into iPhones, Android phones, smart TVs, and Microsoft, Mac and Linux operating systems.
It dubbed the first release as Vault 7.
Vault 7 is just the first part of leak series “Year Zero” that WikiLeaks will be releasing in coming days. Vault 7 is all about a covert global hacking operation being run by the US Central Intelligence Agency (CIA).
According to the whistleblower organization, the CIA did not inform the companies about the security issues of their products; instead held on to security bugs in software and devices, including iPhones, Android phones, and Samsung TVs, that millions of people around the world rely on.
One leaked document suggested that the CIA was even looking for tools to remotely control smart cars and trucks, allowing the agency to cause "accidents" which would effectively be "nearly undetectable assassinations."
While security experts, companies and non-profit organizations are still reviewing 8,761 documents released as Vault 7 archive, we are here with some relevant facts and points that you need to know.
Here's Everything You Need to Know About Vault 7:
Vault 7 purportedly includes 8,761 documents and files that detail intelligence information on CIA-developed software intended to crack any Android smartphone or Apple iPhone, including some that could take full control of the devices.
In fact, Wikileaks alleges that the CIA has a sophisticated unit in its Mobile Development Branch that develops zero-day exploits and malware to "infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads."
Some of the attacks are powerful enough to allow an attacker to remotely take over the "kernel," the heart of the operating system that controls the smartphone operation, or to gain "root" access on the devices, giving the attacker access to information like geolocation, communications, contacts, and more.
These types of attacks would most likely be useful for targeted hacking, rather than mass surveillance.
The leaked documents also detail some specific attacks the agency can perform on certain smartphones models and operating systems, including recent versions of iOS and Android.
CIA Didn't Break Encryption Apps, Instead Bypassed It
In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA "cracked" the encryption used by popular secure messaging software including Signal and WhatsApp.
WikiLeaks asserted that:
"These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied."
This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken.
No, it hasn't.
Instead, the CIA has tools to gain access to entire phones, which would of course "bypass" encrypted messaging apps because it fails all other security systems virtually on the phone, granting total remote access to the agency.
The WikiLeaks documents do not show any particular attack against Signal or WhatsApp; rather, the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.
It’s like you are sitting in a train next to the target and reading his 2-way text conversation on his phone or laptop while he's still typing, this doesn't mean that the security of the app the target is using has any issue.
In that case, it also doesn't matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.
But this also doesn't mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, "This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem."
CIA Develops Malware to Target Windows, Linux & MacOS
The Wikileaks CIA dump also includes information about the malware that can be used by the agency to hack, remotely spy on and control PCs running Windows, macOS, and Linux operating systems.
This apparently means that the CIA can bypass PGP email encryption and even Virtual Private Network (VPN) on your computer in a similar way. The agency can also see everything you are doing online, even if you are hiding it behind Tor Browser.
Again, this also does not mean that using PGP, VPNs, or Tor Browser is not safe or that the CIA can hack into these services.
But the agency's ability to hack into any OS to gain full control of any device — whether it’s a smartphone, a laptop, or a TV with a microphone — makes the CIA capable of bypassing any service and spying on everything that happens on that device.
CIA Borrowed Codes from Public Malware Samples
Yes, in addition to the attacks purportedly developed by the CIA, the agency has adopted some of the code from other, public sources of malware. Well, that's what many do.
One of the documents mentions how the agency supposedly tweaks bits of code from known malware samples to develop its custom code and more targeted solutions.
"The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware," the WikiLeaks document reads. "The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions."
Some of the exploits listed were discovered and released by security firms, hacker groups, independent researchers, and purchased, or otherwise acquired by the CIA from other intelligence agencies, such as the FBI, NSA, and GCHQ.
One borrowed exploit in "Data Destruction Components" includes a reference to Shamoon, a nasty malware that has the capability to steal data and then completely wipe out hard-drives.
Another acquired attack by the CIA is SwampMonkey, which allows the agency to get root privileges on undisclosed Android devices.
Persistence, another tool in the CIA arsenal, allows the agency to gain control over the target device whenever it boots up again.
CIA Used Malware-Laced Apps to Spy on Targets
The leaked documents include a file, named "Fine Dining," which does not contain any list of zero-day exploits or vulnerabilities, but a collection of malware-laced applications.
Fine Dining is a highly versatile technique which can be configured for a broad range of deployment scenarios, as it is meant for situations where the CIA agent has to infect a computer physically.
CIA field agents store one or more of these infected applications -- depending upon their targets -- on a USB, which they insert in their target's system to run one of the applications to gather the data from the device.
Developed by OSB (Operational Support Branch), a division of the CIA's Center for Cyber Intelligence, Fine Dining includes modules that can be used to weaponize the following applications:
VLC Player Portable
Irfanview
Chrome Portable
Opera Portable
Firefox Portable
ClamWin Portable
Kaspersky TDSS Killer Portable
McAfee Stinger Portable
Sophos Virus Removal
Thunderbird Portable
Opera Mail
Foxit Reader
LibreOffice Portable
Prezi
Babel Pad
Notepad++
Skype
Iperius Backup
Sandisk Secure Access
U3 Software
2048
LBreakout2
7-Zip Portable
Portable Linux CMD Prompt
The CIA's Desperation To Crack Apple's Encryption
This is not the first time when the CIA has been caught targeting iOS devices. It was previously disclosed that the CIA was targeting Apple's iPhones and iPads, following the revelation of top-secret documents from the agency's internal wiki system in 2015 from the Snowden leaks.
The documents described that the CIA had been "targeting essential security keys used to encrypt data stored on Apple's devices" by using both "physical" and "non-invasive" techniques.
In addition to the CIA, the FBI hacking division Remote Operations Unit has also been working desperately to discover exploits in iPhones, one of the WikiLeaks documents indicates.
That could also be the reason behind the agency's effort to force Apple into developing a working exploit to hack into the iPhone belonging to one of the terrorists in the San Bernardino case.
Apple Says It Has Already Patched Most Flaws Documented in CIA Leak
Besides vulnerabilities in Android and Samsung Smart TVs, the leaked documents detail 14 iOS exploits, describing how the agency uses these security issues to track users, monitor their communications, and even take complete control of their phones.
However, Apple is pushing back against claims that the CIA's stored bugs for its devices were effective.
According to Apple, many iOS exploits in the Wikileaks CIA document dump have already been patched in its latest iOS version, released in January, while Apple engineers continue to work to address any new vulnerabilities that were known to the CIA.
Here's the statement provided by an Apple spokesperson:
"Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates."
Hacking 'Anyone, Anywhere,' Thanks to Internet Of 'Insecure' Things
Besides hundreds of exploits, zero-days, and hacking tools that target a large number of software and services, Vault 7 also includes details about a surveillance technique — codenamed Weeping Angel — used by the CIA to infiltrate smart TVs.
Samsung smart TVs are found to be vulnerable to Weeping Angel hacks that place the TVs into a "Fake-Off" mode, in which the owner believes the TV is off when it is actually on, allowing the CIA to covertly record conversations "in the room and sending them over the Internet to a covert CIA server."
"Weeping Angel already hooks key presses from the remote (or TV goes to sleep) to cause the system to enter Fake-Off rather than Off," the leaked CIA document reads. "Since the implant is already hooking these events, the implant knows when the TV will be entering Fake-Off mode."
In response to the WikiLeaks CIA documents, Samsung released a statement that reads: "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter."
WikiLeaks' CIA Leak Isn't Bigger than Snowden's NSA Leaks
WikiLeaks claims the massive CIA hacking leak is larger than the Edward Snowden revelations about NSA's hacking and surveillance programs, but it is much much smaller.
While the Snowden revelations disclosed the global covert surveillance through text, the voice of people using hacking tools that permitted mass data gathering and analysis, the CIA data dump so far just shows that the CIA gathered and purchased tools that could be used to target individual devices.
However, there is no evidence of mass surveillance of smartphones or computers in the leaked documents. Technologically, the NSA is much more forward in sophistication and technical expertise than the CIA.
Ex-CIA Chief Says Wikileaks dump has made US 'less safe'
Former CIA boss Michael Hayden said the latest leak of highly sensitive CIA documents and files by Wikileaks is "incredibly damaging" and has put lives at risk, BBC reports, while the CIA has not yet commented on the leaks.
The CIA revelations by the whistleblower organization are just beginning. People will see more revelations about the government and agencies from the WikiLeaks in coming days as part of its Year Zero leaks.
Amazing what web sites get up to....
www.urlscan.io
Worked for me;
https://urlscan.io/result/e9d9da7f-3...909754#summary
teakdoor.com 119.81.0.75
URL: TeakDoor: The Thailand Forum
Submission: 3 minutes ago via manual, finished a few seconds later (March 14th 2017, 7:24:49 am)
Summary
HTTP 39 | Links 14 | Console 0 | Cookies 9 | Security 0
Requests 39 | Ad-blocked 9 | Malicious 0 | Secure 13% | IPv6 17% | Domains 7 | Subdomains 7 | IPs 7 | Countries 4 | Transfer 1,282kB | Size 1,309kB | Cookies 9
This website contacted 7 IPs in 4 countries across 7 domains to perform 39 HTTP transactions. Of those, 5 were secure (13 %) and 17% were IPv6.
The main IP is 119.81.0.75, located in Singapore, Singapore and belongs to SoftLayer Technologies Inc..
In total, 1 MB of data was transferred, which is 1 MB uncompressed. It took 3.865 seconds to load this page. 9 cookies were set, and 0 messages to the console were logged.
Requests  IP Address                  AS (Autonomous System)
27        119.81.0.75                 36351 (SOFTLAYER - SoftLayer Technologies Inc.)
3         2a00:1450:400f:803::200e    15169 (GOOGLE - Google Inc.)
2         163.47.178.206              24482 (SGGS-AS-AP SG.GS)
1         151.101.112.193             54113 (FASTLY - Fastly)
1         68.232.35.169               15133 (EDGECAST - MCI Communications Services)
4         35.161.97.15                16509 (AMAZON-02 - Amazon.com)
Total     39 requests                 7 IPs
Type        #    X-Fer    Size     Ratio   IPs   Countries
Image       28   1 MB     1 MB     1.0x    6     4
Script      7    93 KB    121 KB   1.3x    2     2
Other       1    894 B    894 B    1.0x    1     1
Stylesheet  1    7 KB     7 KB     1.0x    1     1
Document    1    65 KB    65 KB    1.0x    1     1
Total       39   1 MB     1 MB     1.0x    7     4
Ubiquity router web server has security issues - I guess you might want to think about patching when ubiquity releases new firmware
https://www.theregister.co.uk/2017/0...king_php_hole/
Quote:
Security researchers have gone public with details of an exploitable flaw in Ubiquiti's wireless networking gear – after the manufacturer allegedly failed to release firmware patches.
Austrian-based bods at SEC Consult Vulnerability Lab found the programming cockup in November and contacted Ubiquiti – based in San Jose, California – via its HackerOne-hosted bug bounty program. Ubiquiti first denied this was a new bug, then accepted it, then stalled issuing a patch, we're told. After repeated warnings, SEC has now shed light on the security shortcomings.
Essentially, if you can trick someone using a Ubiquiti gateway or router to click on a malicious link, or embed the URL in a webpage they visit, you can inject commands into the vulnerable device. The networking kit uses a web interface to administer it, and has zero CSRF protection. This means attackers can perform actions as logged-in users.
A hacker can exploit this blunder to open a reverse shell to connect to a Ubiquiti router and gain root access – yes, the built-in web server runs as root. SEC claims that once inside, the attacker can then take over the entire network. And you can thank a very outdated version of PHP included with the software, we're told.
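The Register piece above describes an admin interface with no CSRF protection at all, where a clicked link or an embedded URL is enough to make the device act on a logged-in user's behalf. As an added example, which is not Ubiquiti's or SEC Consult's code, here is the shape of the gate a router's web UI should apply to every state-changing request: never act on safe methods, check the Origin/Referer header against the UI's own origin, and require a per-session synchronizer token compared in constant time. `ADMIN_ORIGIN`, `AdminSession` and `check_state_changing_request` are hypothetical names, and the requests in `demo()` are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: the management UI's own origin. A real device would derive
# this from its configured address rather than hard-code it.
ADMIN_ORIGIN = "https://192.168.1.1"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class AdminSession:
    """Hypothetical per-login session. The CSRF token is random, unguessable and
    bound to this session; it is only ever embedded in the UI's own pages."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def check_state_changing_request(session, method, headers, form):
    """Gate for any handler that changes device state (run a command, change a
    setting, reboot). Returns (ok, reason).

    Three independent rejections, each of which alone defeats the "click this
    link" scenario:
      1. state changes are never reachable through safe methods, so a plain
         link or an <img src=...> cannot trigger them;
      2. the Origin (or Referer) header must name the UI's own origin, so a
         form auto-submitted from another site is refused;
      3. a per-session synchronizer token must be present and match, compared
         in constant time so the comparison itself leaks nothing.
    """
    if method.upper() in SAFE_METHODS:
        return False, "state-changing action requested via a safe method"

    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer header"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ADMIN_ORIGIN:
        return False, f"cross-site request from {parts.netloc}"

    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"

    return True, "ok"


def demo():
    """Constructed requests: one from the UI's own page and three forged variants."""
    session = AdminSession()
    own_page = {"Origin": ADMIN_ORIGIN}
    return {
        "legitimate": check_state_changing_request(
            session, "POST", own_page, {"csrf_token": session.csrf_token}),
        # a link clicked from another page: safe method, foreign Referer
        "link_click": check_state_changing_request(
            session, "GET", {"Referer": "https://attacker.example/page"}, {}),
        # a form auto-submitted by another site: wrong Origin, guessed token
        "cross_site_post": check_state_changing_request(
            session, "POST", {"Origin": "https://attacker.example"},
            {"csrf_token": "guess"}),
        # right origin but the token was never presented
        "no_token": check_state_changing_request(session, "POST", own_page, {}),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} {'ALLOW' if ok else 'REJECT':6} {reason}")
```

The origin check and the token check are deliberately redundant: the header check is cheap and catches the bulk of cross-site requests, while the token still protects a browser that strips Referer or an old client that sends no Origin. Neither check helps if the web server itself runs as root and has a command-injection bug, which is the other half of the Register's story; CSRF protection limits who can reach the bug, not what the bug does.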
Saw that. Using a 1997 PHP FFS.
Maybe worth doing a backup, not that I care, I don't own any of that shit.
https://motherboard.vice.com/en_us/a...le-pays-ransom
Quote:
Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom
Joseph Cox
Mar 21 2017
A hacker or group of hackers is apparently trying to extort Apple over alleged access to a large cache of iCloud and other Apple email accounts.
The hackers, who identified themselves as 'Turkish Crime Family', demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.
"I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing," one of the hackers told Motherboard.
The hackers provided screenshots of alleged emails between the group and members of Apple's security team. One also gave Motherboard access to an email account allegedly used to communicate with Apple.
"Are you willing to share a sample of the data set?" an unnamed member of Apple's security team wrote to the hackers a week ago, according to one of the emails stored in the account. (According to the email headers, the return-path of the email is to an address with the @apple.com domain).
The hackers also uploaded a YouTube video of them allegedly logging into some of the stolen accounts. The hacker appears to access an elderly woman's iCloud account, which includes backed-up photos, and the ability to remotely wipe the device.
"We firstly kindly request you to remove the video that you have uploaded on your YouTube channel as it's seeking unwanted attention, second of all we would like you to know that we do not reward cyber criminals for breaking the law," a message allegedly from a member of Apple's security team reads. (Motherboard only saw a screenshot of this message, and not the original). The alleged Apple team member then says archived communications with the hacker will be sent to the authorities.
Now, the hackers are threatening to reset a number of the iCloud accounts and remotely wipe victim's Apple devices on April 7, unless Apple pays the requested amount.
According to one of the emails in the accessed account, the hackers claim to have access to over 300 million Apple email accounts, including those using @icloud and @me domains. However, the hackers appear to be inconsistent in their story; one of the hackers then claimed they had 559 million accounts in all. The hackers did not provide Motherboard with any of the supposedly stolen iCloud accounts to verify this claim, except those shown in the video.
By reading other emails included in the account, it appears the hackers have approached multiple media outlets. This may be in an attempt to put pressure on Apple; hackers sometimes feed information to reporters in order to help extortion efforts.
Apple did not respond to multiple requests for comment.
I wondered how long it would take for stuff like this to start coming out....
Cisco Issues Advisory On Flaw In Hundreds Of Switches
Quote:
Cisco Issues Advisory On Flaw In Hundreds Of Switches
Vulnerability was discovered in WikiLeaks' recent data dump on CIA's secret cyber-offensive unit.
Cisco has issued a security advisory that a bug in the cluster management protocol code of its IOS and IOS XE software may have affected 300 of its switches and can be exploited by a malformed protocol-specific Telnet command, reports ZDNet. Though the company is yet to issue a patch, it says disabling Telnet could remove some risks.
The flaw was discovered by Cisco on Vault7, WikiLeaks’ recent disclosure of CIA’s secret Center for Cyber Intelligence. WikiLeaks faces criticism for not having edited out all sensitive information in its disclosures and is also under fire for reportedly not providing details of vulnerabilities to affected companies.
However, a WikiLeaks spokesman said that "Fortunately, WikiLeaks' Vault7 has permitted Cisco's security team to identity the vulnerability without releasing the exploit code."
Cisco was involved in a similar issue last year when two vulnerabilities found in hacking tools, allegedly created by the National Security Agency, were identified to impact its products.
awesome, let's hope they do :)
Quote:
Originally Posted by harrybarracuda
itards super owned !!! :rofl:
Holiday Inn hotels hit by card payment system hack
5 hours ago
The owner of the Holiday Inn and Crowne Plaza hotel brands has disclosed that payment card-stealing malware has struck about 1,200 of its franchisees' properties.
UK-based Intercontinental Hotels Group (IHG) said all but one of the locations affected were in the US, with the other being in Puerto Rico.
Guests have been warned they could have had money stolen as a consequence.
One expert said there might be further hotels affected.
Buckinghamshire-based IHG had previously reported in February that a dozen US hotels that it managed itself had been affected by the same attack.
"Individuals should closely monitor their payment card account statements," a spokeswoman told the BBC following the latest discovery.
"If there are unauthorised charges, individuals should immediately notify their bank.
"Payment card network rules generally state that cardholders are not responsible for such charges."
Other affected brands include Hotel Indigo and Candlewood Suites.
Hijacked card data
IHG said an investigation had detected signs the malware had been active at front-desk payment locations at the hotels between 29 September and 29 December 2016.
However, it only has confirmation that the threat was definitely eradicated last month.
The attack hijacked information taken from the payment cards' magnetic strips as it was being routed through the hotels' computer servers, said the hotel group.
This could include the card number, expiration date and verification code.
IHG does not believe other guest information was stolen.
It has published a tool for visitors to check if hotels they stayed at are among those affected.
The firm notes that other franchisees that had adopted an encryption-based security measure would not have been affected.
But one cybersecurity expert said that the list might not be comprehensive.
"IHG has been offering its franchised properties a free examination by an outside computer forensic team," wrote Brian Krebs.
"But not all property owners have been anxious to take the company up on that offer.
"As a consequence, there may be more breached hotel locations yet to be added to the state look-up tool."
Other hotel chains to have been struck by payment system hacks in recent years include Hyatt, Mandarin Oriental and Trump Hotels.
The US has been slower to switch to a chip-and-pin system than many other countries, which makes it more difficult to carry out such attacks.
Holiday Inn hotels hit by card payment system hack - BBC News
One of those things you would think someone would have thought of earlier....
Unicode trick lets hackers hide phishing URLs
Some perfectly authentic looking web addresses are not what they seem and not all browsers are taking the problem seriously
https://www.theguardian.com/technolo...-trick-hackers
Quote:
Here’s a challenge for you: you click on a link in your email, and find yourself at the website https://аррӏе.com. Your browser shows the green padlock icon, confirming it’s a secure connection; and it says “Secure” next to it, for added reassurance. And yet, you’ve been phished. Do you know how?
The answer is in that URL. It may look like it reads “apple”, but that’s actually a bunch of Cyrillic characters: A, Er, Er, Palochka, Ie. The security certificate is real enough, but all it confirms is that you have a secure connection to аррӏе.com – which tells you nothing about whether you’re connected to a legitimate site or not.
The proof-of-concept domain was put together by Xudong Zheng, a security researcher who wanted to demonstrate the problem with the way domain names can be registered and displayed. For a long time, domain names could only be written in Latin characters without diacritics, but since 1998 it’s actually been possible to write them in other alphabets too. That’s useful if you want to register a domain name in Chinese or Arabic script, or even just correctly spelled French or German – anything that can be represented with the Unicode standard can be registered, even emoji – but it’s also opened up a whole new avenue of misdirection for malicious actors to take advantage of, by finding characters in other alphabets which look similar to Latin ones.
“From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters,” Zheng writes. “It is possible to register domains such as ‘xn--pple-43d.com’, which is equivalent to ‘аpple.com’. It may not be obvious at first glance, but ‘аpple.com’ uses the Cyrillic ‘а’ (U+0430) rather than the ASCII “a” (U+0041). This is known as a homograph attack.”
Some browsers will keep an eye out for such tricks, and display the underlying domain name if they sense mischief. A common approach is to reject any domain name containing multiple alphabets. But that doesn’t work if the whole thing is written in the same alphabet.
Apple’s Safari and Microsoft’s Edge both still spot that Zheng’s spoof domain is a fraud, but Google Chrome and Mozilla Firefox don’t, instead displaying the Cyrillic domain name. And though it may be obvious in the Guardian’s font that something’s up, the sans serif typeface used as standard by those browsers leaves the two indistinguishable.
Zheng says: “This bug was reported to Chrome and Firefox on January 20, 2017…The Chrome team has since decided to include the fix in Chrome 58, which should be available around April 25.” Mozilla, however, declined to fix it, arguing that it’s Apple’s problem to solve: “it is sadly the responsibility of domain owners to check for whole-script homographs and register them”. Google didn’t comment beyond referring to Zheng’s blogpost, and Mozilla didn’t comment at publication time but a spokesperson later said: “We continue to investigate ways to further address visual spoofing attacks, which are complex to fix with technology just in the browser alone.”
Itsik Mantin, director of security research at Imperva, said that common advice to web users falls down when such simple attacks work. “In order to protect website users, forcing them to use strong passwords and to replace them frequently is insufficient, since in this case it would be completely ineffective to prevent the attack.”
Instead, he said, a better approach begins by assuming that phishing attacks will succeed: “Site administrators should assume that the credentials of some of their users were stolen (which in almost 100% of the cases will be true), and take adequate measures to identify account takeover, like irregular device, irregular geo-location or abnormal activity in the account.”
Zheng himself offers advice to users: use a password manager, and try and spot phishing attacks before you click on any links. “In general, users must be very careful and pay attention to the URL when entering personal information. Until this is fixed, users should manually type the URL or navigate to the site via a search engine when in doubt.”
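The article makes two points that are easy to check in code: the browser sends `xn--...` punycode on the wire but draws the Unicode form in the address bar, and a "reject labels that mix alphabets" rule catches `xn--pple-43d.com` (Cyrillic а plus Latin pple) yet misses Zheng's all-Cyrillic аррӏе.com. The block below is an added example, not Zheng's proof of concept and not Chrome's or Firefox's actual logic; it converts both ways with Python's `punycode` codec and classifies each label as mixed-script, whole-script-confusable, or fine. `CYRILLIC_LOOKALIKES` is a hand-picked subset I constructed for illustration, not the Unicode confusables table, and `to_ascii` skips the UTS #46 mapping a real IDNA implementation performs first.

```python
import unicodedata

# Constructed, illustrative subset of Cyrillic letters that render like Latin
# ones in common sans-serif fonts. This is not the full Unicode confusables
# data (UTS #39); a production check should load that instead.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d",
}


def to_unicode(hostname):
    """A-label ('xn--...') form to the U-label form an address bar would draw."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def to_ascii(hostname):
    """U-label form to the A-label form actually sent in DNS and TLS SNI.
    Punycode only; real IDNA applies UTS #46 mapping before this step."""
    labels = []
    for label in hostname.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def script_of(ch):
    """Script guessed from the character name ('LATIN', 'CYRILLIC', ...)."""
    if ch.isascii() and not ch.isalpha():
        return "COMMON"            # digits and hyphen belong to every script
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze(hostname):
    """Classify a hostname the way a cautious address bar should.

    'mixed-script'            a label mixes Latin with another script (the
                              common rule; catches 'xn--pple-43d.com')
    'whole-script-confusable' a label is entirely Cyrillic and every letter
                              has a Latin lookalike (Zheng's case, which the
                              mixed-script rule alone misses)
    'ok'                      otherwise
    'skeleton' is the Latin string a reader would perceive; if it matches a
    known brand the address bar should fall back to showing the xn-- form.
    """
    unicode_form = to_unicode(hostname)
    problems, skeleton = [], []
    for label in unicode_form.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        skeleton.append("".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label))
        if len(scripts) > 1:
            problems.append("mixed-script")
        elif scripts == {"CYRILLIC"} and all(
                c in CYRILLIC_LOOKALIKES or script_of(c) == "COMMON" for c in label):
            problems.append("whole-script-confusable")
    return {
        "unicode": unicode_form,
        "ascii": to_ascii(unicode_form),
        "skeleton": ".".join(skeleton),
        "verdict": problems[0] if problems else "ok",
    }


if __name__ == "__main__":
    # Constructed inputs: the genuine domain and the two spoofs from the article.
    for host in ("apple.com", "xn--pple-43d.com", "\u0430\u0440\u0440\u04cf\u0435.com"):
        r = analyze(host)
        print(f"{r['ascii']:22} drawn as {r['unicode']:12} reads as {r['skeleton']:12} -> {r['verdict']}")
```

The skeleton is the useful output for defenders: comparing it against your own brand names (in mail gateways, proxy logs, or certificate-transparency feeds) flags look-alike registrations regardless of which script they use, which is exactly the gap the mixed-script rule leaves open.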
Mastercard introduces card with built-in fingerprint scanner
By Sead Fadilpašić Published 1 day ago
https://teakdoor.com/images/imported/2017/04/1472.jpg
Mastercard has unveiled a new card that comes with a fingerprint scanner, allowing consumers to make purchases without the card ever leaving their hands. It builds on fingerprint scanning technology currently available in smartphones, and can be used at EMV terminals worldwide, the company says.
The technology was tested in South Africa, in two separate trials. One was with Pick n Pay, while the other one was Absa Bank, a subsidiary of Barclays Africa.
The process is simple. You go to your financial institution and enroll for the card. Once registered, your fingerprint is converted into an encrypted digital template and stored on the card.
When shopping, dip the card into the terminal while holding the finger on the sensor. If the fingerprint is a match, the transaction is approved.
"Consumers are increasingly experiencing the convenience and security of biometrics," said Ajay Bhalla, president, enterprise risk and security, Mastercard. "Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It’s not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected."
Additional trials are being planned in Europe and Asia Pacific in the coming months.
Said Richard van Rensburg, deputy CEO of Pick n Pay: "We are delighted that this innovation has been trialled for the first time at Pick n Pay stores in South Africa. Biometric capability will mean added convenience and enhanced security for our customers. The technology creates a platform on which we can further our strategy of personalizing the shopping experience in a meaningful way. We have been extremely impressed with the robust and secure nature of the technology."
https://betanews.com/2017/04/21/mast...+News+Articles
Researchers discover security flaws in over 20 Linksys router models
The vulnerabilities could be used to create a botnet
By Rob Thubron on Apr 21, 2017, 6:15 AM
Security researchers have discovered a number of vulnerabilities in various models of Linksys routers that hackers could potentially exploit to create a botnet.
Senior security consultant Tao Sauvage and independent researcher Antide Petit discovered the bugs late last year. In a recent blog post, Sauvage reveals they identified ten vulnerabilities that range from low- to high-risk issues, six of which can be exploited remotely by attackers.
The security flaws could allow hackers to overload a device, force a reboot, deny user access, leak sensitive information about the router, and change restricted settings.
"A number of the security flaws we found are associated with authentication, data sanitisation, privilege escalation, and information disclosure," said Sauvage. "Additionally, 11 per cent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year's Mirai Denial of Service (DoS) attacks."
The flaws are present in over 20 different models of Linksys routers - the full list is available below. An initial scan discovered there were over 7000 vulnerable devices exposed at the time of the search. The majority of affected routers, 69 percent, are located in the US.
IOActive informed Linksys of the issues in January, allowing the company three months to address the problems before going public with its findings.
Benjamin Samuels, an application security engineer at Belkin (Linksys Division), said: "Working together with IOActive, we've been able to efficiently put a plan together to address the issues identified and proactively communicate recommendations for keeping customer devices and data secure."
"Security is a high priority and by taking a few simple steps, customers can ensure their devices are more secure while we address the findings. IOActive has been a great partner throughout what's been a textbook example of researcher and vendor working cooperatively."
In a recent advisory, Linksys advises users to enable automatic updates, disable the Wi-Fi Guest Network feature, and change the default admin password. A firmware update to fix the issues will be released in the coming weeks.
Here is the list of affected products:
WRT Series
WRT1200AC
WRT1900AC
WRT1900ACS
WRT3200ACM
EAxxxx Series
EA2700
EA2750
EA3500
EA4500 v3
EA6100
EA6200
EA6300
EA6350 v2
EA6350 v3
EA6400
EA6500
EA6700
EA6900
EA7300
EA7400
EA7500
EA8300
EA8500
EA9200
EA9400
EA9500
Researchers discover security flaws in over 20 Linksys router models - TechSpot
Ransomware Payout Doesn't Pay Off
About 40% of small- and midsized businesses hit with ransomware paid their attackers, but less than half got their information back.
Ransomware, ironically, is a crime based on trust. Victims pay attackers who compromise their data with an expectation it will be returned to them.
Unfortunately, a growing number of ransomware targets pay thousands of dollars to get their data back, but receive nothing. This was the most surprising result to come from a Bitdefender survey of 250 IT pros working in small and medium businesses (SMBs), says senior threat analyst Bogdan Botezatu.
The survey, conducted by Spiceworks, discovered one in five SMBs was hit with a ransomware attack within the past 12 months. Of the 20% targeted, 38% paid attackers an average of $2,423 to release their data. Less than half (45%) got their information back.
"Until now, ransomware was a business where honesty was key," Botezatu explains. "Everyone paid the ransom expecting they would get their data back … the ransomware space is continuously changing. Honor among criminals is no longer there."
He says this reflects a broader trend across cybercrime as attackers' boundaries change. Many used to avoid healthcare attacks because they could potentially harm patients. Now, healthcare organizations are frequently targeted, and lack the tech and best practices to defend themselves.
Similarly, SMBs represent a growing pool of victims as attackers seek weaker targets. Ransomware had mostly hit consumers until now, says Botezatu. Businesses weren't targeted as often because cybercriminals likely knew about their strong security tools and data backups.
"They're not going to the consumer or enterprise that much," he continues. "They found their sweet spot in the middle."
Researchers found SMBs are appealing targets for ransomware because they handle the same sensitive business information (customer data, financial records, product info) as larger organizations, but lack the strong security measures to protect it.
Attackers know they're more likely to receive payment from SMBs, which have more sensitive data than consumers. An individual may be willing to pay about $1,000 for ransomed files. A business with hundreds of customers will pay far more because they need that information, Botezatu says.
Email, cited by 77% of SMBs, is the most popular vector of attack. Cybercriminals use email to compel victims to open or download attachments, or click malicious links, reported 56% and 54% of SMBs, respectively. Nearly one-third (31%) of attacks occurred via social engineering.
"This is serious," says Botezatu. "Whatever you do, you cannot block email in a company - and hackers have a wide assortment of file extensions they can squeeze ransomware into."
Most SMBs hit with ransomware attacks were able to mitigate the attack by restoring data from backup (65%), or through security software or practices (52%). One-quarter of those targeted could not find a solution to address the problem and lost their data as a result.
Botezatu advises SMBs to "strongly consider" complementing their security strategy with a backup security solution. Ransomware is a highly volatile type of attack, he explains, and it only needs to run once to be effective. Criminals don't need to be persistent to encrypt all your data.
If you are attacked? "Don't pay up," he says. "Try to do without the data."
An attack should serve as a lesson learned, he continues. If people continue paying to get their information, ransomware attacks will continue as a means of easy money for cybercriminals. While Botezatu thinks ransomware is here to stay, he urges victims to avoid paying up.
"Every payment you make keeps the ecosystem alive," he emphasizes.
Ransomware Payout Doesn't Pay Off
Remote security exploit in all 2008+ Intel platforms
Updated: Nehalem through Kaby all remotely and locally hackable
May 1, 2017 by Charlie Demerjian
Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened.
Update May 1, 2017 # 3:35pm: Intel just confirmed it, but not to SemiAccurate. You can read their advisory here.
The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.
First a little bit of background. SemiAccurate has known about this vulnerability for literally years now, it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had.
Various Intel representatives over the years took my words seriously, told me I was crazy, denied that the problem could exist, and even gave SemiAccurate rather farcical technical reasons why their position wasn’t wrong. Or dangerous. In return we smiled politely, argued technically, and sometimes, usually actually, were not so polite about our viewpoint. Unfortunately it all seems to have been for naught.
The problem is quite simple, the ME controls the network ports and has DMA access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100% verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not.
While these capabilities sounds crazy to put on a PC, they are there for very legitimate reasons. If an IT organization needs to re-image a system, you need to be able to remotely write to disk. Virus cleaning? Scan and write arbitrary bits. User logging and (legitimate) corporate snooping? That too. In short everything you need to manage a box can be exploited in ugly ways. When Intel told us that a version of AMT could be used to bare metal image a dead machine over a cellular connection, we turned white. We explained to them why SemiAccurate thought this was a bad idea and they respectfully disagreed. I’ll bet they aren’t laughing now.
The news today is more problematic than it seems though, the nuances of security disclosures tend to be lost on those not involved in the field. What we mean by this is if a company knows about a flaw and doesn’t fix it for quite literally years, there usually is a reason why. For a security hole that was present for about a decade that suddenly gets patched, this means an affected party with the leverage to get Intel to act did just that. Again.
We are cheering that the hole is being fixed and Intel is issuing a patch. That and Intel has plans on when to issue “reactive” NDAs to customers several weeks before the “proactive” and “public” disclosures. [Editor’s emphasis] That begs the question of reacting to what? If it isn’t being exploited, there is nothing to react to before it is disclosed, right?
Back to the point, what is the issue? Again we won’t be specific until the fixes are out but on April 25, Intel released a firmware fix for this unnamed issue. It affects every Intel machine from Nehalem in 2008 to Kaby Lake in 2017. The vulnerability affects AMT, ISM, and SBT bearing machines. For those not up on Intel security acronyms, this is every Intel box shipped with an Intel chipset for the past decade or so.
Depending on whether you are a glass half empty or half full type, there is a bit of good news. This flaw is remotely exploitable only if you have AMT turned on, that is the ‘good’ news. The bad news is that if you don’t have it turned on or provisioned the vulnerability is still exploitable locally. If you aren’t the half full type, you might sum this up by saying there is no way to protect a manageable Intel based computer until this hole has been patched, it is that bad. Let me repeat, you can not protect a manageable PC or server with this flaw until there is a patch, period. This flaw is present in ME firmware from version 6.0-11.6, things before and after those numbers are not affected probably because they used the AMT engine with the non-ARC CPU cores in older iterations.
Luckily Intel has some mitigation options for the affected users, that is you, whether you know it or not. They have two fixes for provisioned AMT and non-provisioned boxes, both prevent the issue from happening until the firmware update has been distributed by OEMs. Unfortunately since this issue is not disclosed officially yet, they won’t tell you what it is. Due to the severity of the issue, we highly recommend you make these changes immediately, don’t wait for the official disclosure.
If you have provisioned AMT or ISM on your systems, you should disable it in the Intel MEBx. If you haven’t provisioned these, or have and want to mitigate the local vulnerability too, there are more steps to take. If you have a box with AMT, ISM, or SBT, you need to disable or uninstall Local Manageability Service (LMS) on your boxes. Intel helpfully points out that doing this will mean your box can’t be managed using those services when you disable them. If this makes you think about whether or not to disable those things, trust us, don’t think about it, disable them NOW.
This brings us to a very ugly point. Intel has put AMT and its variants into every device they make. Some you can’t see because it is fused off but off is a very strong term. There are several features that AMT provides that are present in consumer systems even though the ‘technology’ isn’t there. This is one of the arguments that SemiAccurate has had with Intel security personnel over the years, we have begged them to offer a SKU without the AMT hardware for just this very reason. Intel didn’t, the pressure to lock corporate customers in to their silicon was too high.
With this exploit, every Intel box for 9+ years is now vulnerable because you couldn’t buy a box without it even if you wanted to other than a few older 4S servers. If you deployed Intel’s management solutions like AMT or SBS, you know the ones we mocked, you now have to turn it off or face remote exploitation. If you are a large corporation with AMT deployed, and most companies have deployed it, turning it off is easy, just a console command or three and it is done. Turning it back on however means going to every desktop, laptop, and server in your organization manually patching the BIOS and ME firmware, then turning the ME features like AMT back on. Manually.
This all assumes that there is a patch for your machine. Intel has a slew of BIOS/ME firmware patches out and in the hands of OEMs now. From here it isn’t Intel’s problem, and we mean that without even a hint of sarcasm. Intel has done their part and delivered the updated firmware to OEMs, it is now up to them to do the right thing. Some will.
The problem from here is twofold starting with no-name PCs. If you have a white-box PC or one from a sketchy vendor, chances are they won’t bother with a firmware update. Security is a cost center and most OEMs run on margins too thin to bother with security patches even if they cared. Most simply don’t care.
On the other hand OEMs who do actually care, that would be most of the big ones like Dell, HP, Lenovo, and so on, will put out patches for their machines. The second problem is for how long? No not for how long will they keep patches up but how far back will they issue the patches for? Most OEMs don’t patch things out of warranty for good reason, this is a fair thing for them to do. Most PCs have a one or three year warranty with five being the rare exception for some boxes like servers. Most of the PCs in this category from tier 1 and 2 vendors should have patches issued in short order. Check for them daily and apply them immediately, really.
At best though this means there will be patches out for less than half of the affected machines. Do you or your organization have any machines in service but out of warranty? I’ll bet you do. What about embedded devices that are increasingly PC based? Digital signage perhaps? Industrial controls. HVAC. Security systems. Flight controls. Air traffic controls. Medical devices. I could go on but all of these are likely PC based and anything infrastructure related is likely networked, management engine enabled, and quite possibly in warranty from the service provider. But quite likely out of warranty from the board vendor who made the underlying PC the service it is based on. Do you know what is in your systems? I’ll bet you think you do.
So this Intel AMT/ISM/SBT vulnerability is the proverbial ‘big one’. It is remotely exploitable if you have Intel’s management solutions in use, locally exploitable if you have them provisioned in your machine. You have them on your machine. You really need to turn them off, uninstall all the pieces, and do it now, don’t wait for the official word on WW26. That is the end of June for non-Intelspeak people, they will officially issue this guidance then along with OEM disclosures.
Because SemiAccurate strongly suspects this vulnerability is being exploited in the wild as we speak, you should take the official mitigation steps as soon as possible. Then contact your OEMs and strongly suggest that firmware patches for every system, including out-of-warranty systems, would be appreciated by you. Then go over every embedded Intel board with a fine tooth comb. Remember it is every Intel system from Nehalem in 2008 to Kaby Lake in 2017, ME firmware version from 6.0-11.6. If you have or suspect you have these, act now. Really. This is the big one but you can take some corrective action before it is too late. Richard Stallman was right about firmware, and there are alternatives now too. S|A
TLDR; Average computer user – If your system is 10 years old or newer it is likely exploitable, check for patches daily and install all patches immediately. If there is no patch, back up data and replace.
Remote security exploit in all 2008+ Intel platforms - SemiAccurate
before anyone freaks out
you are unlikely to have enabled Active Management Technology
cool - but should be limited to access only from subnet machines - can vpn for doing it from the beach
https://en.wikipedia.org/wiki/Intel_...ent_Technology
https://teakdoor.com/images/imported/2017/05/94.jpg
Oooops....
IBM warns of malware on USB drives shipped to customers | ZDNet
Quote:
IBM warns of malware on USB drives shipped to customers
IBM said some flash drives for Storwize initialisation should be destroyed because they may contain Trojan malware.
By Danny Palmer | May 2, 2017 -- 11:48 GMT (12:48 BST) | Topic: Security
IBM has urged customers to destroy USB drives which shipped with some of its Storwize storage systems because they may contain malware.
In a support advisory, the company has said an unspecified number of USB flash drives containing the Storwize initialisation tool for V3500, V3700, and V5000 Gen 1 systems are infected with malicious code.
All infected USB flash drives were shipped with the number 01AC585, which IBM has told customers should be securely destroyed so it can't be reused.
According to data from Kaspersky Lab, the malicious code is a member of the Reconyc Trojan malware family, which predominantly targets victims in Russia and India, but it has been known to infect systems across the globe.
In the case of the code shipped on the USB drives, the malware gets onto the system when the Storwize initialisation tool is launched from the drive, copying the malicious code into a temporary folder: '%TMP%\initTool' on Windows systems or '/tmp/initTool' on Linux or Mac systems.
However, the code itself is not actually executed during the initialisation, IBM said.
"Neither the IBM Storwize storage systems nor data stored on these systems are infected by this malicious code. Systems not listed above and USB flash drives used for Encryption Key management are not affected by this issue," the company said.
To rid an infected system of the malware, IBM recommends running antivirus software. Alternatively, it can be removed from the system by deleting the temporary directories which are created when the drive is run.
"IBM recommends ensuring your antivirus products are updated, configured to scan temporary directories, and issues identified by the antivirus product are addressed," IBM said in its notice.
Once the directory is removed from the system -- and even if the infected drive hasn't been used -- IBM recommends destroying the flash drive so it doesn't have the option of installing malware.
Alternatively, IBM says the flash drives can be repaired by deleting the InitTool folder on the USB and downloading a new initialisation tool package from FixCentral, before manually scanning the USB with antivirus software to ensure it's Trojan-free. Those with further questions are urged to contact IBM Support.
Google confirms massive phishing attack targeting millions of Gmail users
Scammers used legit-looking Docs file to fool users into spreading a worm
04 May 2017
GOOGLE HAS SHEEPISHLY CONFIRMED that millions of Gmail users were the target of a global phishing attack that spread rapidly on Wednesday.
The phishing campaign aimed to gain control of Gmail users' entire email histories by spreading a worm to all of their contacts via an emailed invitation asking them to check out an attached "Google Docs," or GDocs link. The invitation not only appeared genuine but also from a trusted contact.
Users that clicked the link were taken to a real Google security page, where they were asked to give permission for the fake app, posing as GDocs, to manage their email account. The worm then sent itself out to all of the affected users' contacts, reproducing itself hundreds of times every time the link was clicked.
Google recognised the phishing scam on Wednesday and warned users to be vigilant.
Enterprise security firm Agari warned that this type of attack is "different and scary" because of its ability to evade common defenses and make use of Google APIs to trick users into granting access.
"The attack didn't directly try to steal usernames and passwords like a typical phishing scam but rather tricked users into allowing complete access to their email account," said the firm in a blog post. "Typically, users have been trained to change their password when they think they have been a victim of a phishing scam. In this case, that would not solve the problem."
The firm also said that the cybercriminals who launched the attack have access to all of the victims' emails until the app is disabled.
"With that access, the criminals can use your identity to scam co-workers or relatives, reset your bank account password and steal money or harvest information to steal the victim's identity. There are an infinite number of ways a cybercriminal can monetise this kind of access."
Google released an official statement late on Wednesday to say it has addressed the issue with the phishing email claiming to be Google Docs and is working to ensure there will be no repeat of it.
"We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."
If you think you were affected, Google advises that you visit its security checkup site.
Google confirms massive phishing attack targeting millions of Gmail users | TheINQUIRER
it is quite easy to flash your BIOS on your mobo - you download the correct one from your manuf website, put it on a USB drive, plug it in and boot the computer and go to the BIOS (normally by tapping the delete key as the comp starts) - then navigate to the BIOS upgrade section and point it at the USB drive
Quote:
Identifying Vulnerable Systems
When Intel publicly disclosed the AMT security flaw, it also released a detection guide. On May 4, the company released a downloadable discovery tool, as well. Considering the short time span between the public disclosure and the release of a discovery tool or the time when PC OEMs will begin shipping fixes, this may be a hint that Intel wasn’t quite ready to disclose the bug on May 1.
Securing Vulnerable Systems
If Intel’s discovery tool reports a vulnerability or is unable to say whether a particular system is vulnerable, the company recommends system administrators take steps to secure their systems in other ways.
Intel released a mitigation guide, too, which teaches system administrators how to disable the AMT, the Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) software. Disabling these vulnerable business-oriented features should keep the systems safe against the exploitation of this particular privilege escalation vulnerability.
From May 8, PC manufacturers will begin to release patches for their products, which should fix the issue. However, it remains to be seen if the manufacturers will release a patch for all the vulnerable products they’ve sold since 2010, or whether they’ll only patch more recent systems. Intel was not immediately available to clarify this potential issue.
Microsoft releases emergency patch for 'crazy bad' Windows zero-day bug
The vulnerability has been dubbed the worst Windows remote code execution flaw in recent memory.
By Charlie Osborne for Zero Day | May 9, 2017 -- 08:51 GMT (09:51 BST) | Topic: Security
Microsoft has released a patch rapidly developed to combat a severe zero-day vulnerability discovered only days ago.
Late Monday, the Redmond giant issued a security advisory for CVE-2017-0290, a remote code execution flaw impacting the Windows operating system.
The security vulnerability was disclosed over the weekend by Google Project Zero security experts Natalie Silvanovich and Tavis Ormandy.
On Twitter, prominent vulnerability hunter Ormandy revealed the existence of a zero-day flaw in Microsoft Malware Protection Engine (MsMpEng), used by Windows Defender and other security products.
The researcher deemed the find a "crazy bad" bug which may be "the worst Windows remote code exec [execution flaw] in recent memory."
Ormandy did not reveal anything else at the time, to give Microsoft time to fix the scripting engine memory corruption vulnerability after it was reported privately.
The built-in deployment system and scanner engine in Microsoft's products will issue the patch to vendors automatically over the next 48 hours and so more details have been disclosed.
The vulnerability allows attackers to remotely execute code if the Microsoft Malware Protection Engine scans a specially crafted file. When successfully exploited, attackers are able to worm their way into the LocalSystem account and hijack an entire system.
With such power, they have complete control to install or delete programs, steal information, create new accounts with full user rights, and download additional malware.
The Project Zero team says the vulnerability can be leveraged against victims by only sending an email to users -- without the need for the message to be opened or any attachments to be downloaded. An attack leveraging the exploit could also be conducted through malicious website visits or instant messaging.
According to Ormandy, the vulnerability could not only be exploited to work against default systems, but is also "wormable." In other words, malware using the exploit can replicate itself and spread beyond the target system.
"Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service," the team says.
"If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned," Microsoft said. "If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited."
Microsoft Forefront Endpoint Protection 2010, Microsoft Endpoint Protection, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center Endpoint Protection, Microsoft Security Essentials, Windows Defender for Windows 7, Windows Defender for Windows 8.1 and RT 8.1, Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703, and Windows Intune Endpoint Protection are all affected.
However, Microsoft told the Project Zero team that the Control Flow Guard (CFG) security feature lowers the risk of compromise on some of the latest platforms where the feature is enabled.
Ormandy praised Microsoft for how quickly the emergency patch was issued, saying that he was "blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos."
Microsoft says there have been no reports of the issue being exploited in the wild. System administrators do not need to act as Microsoft's internal systems will push the engine updates to vulnerable systems, however, the update can also be applied manually for a quicker fix.
Microsoft releases emergency patch for 'crazy bad' Windows zero-day bug | ZDNet
Cheeky fuckers.
https://www.modzero.ch/advisories/MZ...-Keylogger.txt
Links on the current Ransomware attack. If you apply Windows Updates, especially:
https://technet.microsoft.com/en-us/.../ms17-010.aspx
you will probably be protected.
Source is not known yet, but it uses the NSA exploits that ShadowBrokers released.
https://www.bleepingcomputer.com/new...-on-a-rampage/
Costin Raiu (@craiu), 2 hours ago:
So far, we have recorded more than 45,000 attacks of the #WannaCry ransomware in 74 countries around the world. Number still growing fast.
Looks like Vlad's taking it up the arse...
Latest on Twatter use the following Hashtags:
#WanaCrypt0r #WCry #WannaCry
I am safe, I am running WinXP :)
and I don't open DOC files from strangers :banana:
fucking awesome !!!
The ransomware appears to be one of several tools belonging to the National Security Agency (NSA) that a hacking group known as The Shadow Brokers has been leaking to the web over the past several months. According to an Arstechnica report last month, The Shadow Brokers leaked around a gigabyte worth of weaponized software exploits, including one that targeted most versions of Windows.
This particular ransomware is called WCry. It's also been called several other names, including WannaCry, WannaCryptor, WannaCrypt, and Wana Decryptor. They're all the same and reference version 2.0 of WCry, BleepingComputer reports.
As the day has gone on, WCry has spread to the U.K. and other parts of the world. Earlier in the day a researcher for Kaspersky Lab noted 45,000 attacks in 74 countries, and said that WCry's list of victims was "growing fast."
There is a live map at MalwareTech that shows WCry spreading to victims in real time. According to Avast security researcher Jakub Kroustek, WCry has claimed over 57,000 PCs in just a few hours, some of the first of which were Spanish companies, such as utility outfits Telefonica, Gas Natural, and Iberdrola.
Forbes says victims have been asked to cough up $300 to remove the infection and decrypt their files. Otherwise, their data remains encrypted and inaccessible. On top of that, victims are being told that after 7 days, their files will be lost forever if the ransom is not paid.
The ransomware is said to have initially spread through spam containing fake invoices, job offers, and other attempts aimed at random email addresses. However, it's also been able to spread through the worm-like EternalBlue exploit.
So then, if you want to be safe from this little bastard:
- Do a Windows Update. Keep doing it until there are no more to apply (Microsoft patched this in March).
Having said that, researchers found that, in this particular malware, if a certain domain was available to respond, WannaCry ceases activity, so they registered that domain and the attacks are now subsiding.
So you probably have time to do the patching before some other bright spark issues a newer variant - don't waste it.