DHS Giving Firms Free Penetration Tests

The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime).

Organizations participating in DHS's "Cyber Hygiene" vulnerability scans. Source: DHS

KrebsOnSecurity first learned about DHS’s National Cybersecurity Assessment and Technical Services (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.

DHS declined requests for an interview about NCATS, but the agency has published some information about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a “Risk and Vulnerability Assessment,” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.

“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,” DHS spokesperson Sy Lee wrote in an email response to an interview request. “The National Cybersecurity Assessments and Technical Services (NCATS) team focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation. As part of this effort, the NCATS team offers cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost.”

The RVA program reportedly includes scanning the target’s operating systems, databases, and Web applications for known vulnerabilities, and then testing whether any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how they respond to targeted phishing attacks.

The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.

The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws. DHS uses the aggregate information from each client to create a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).

Among the findings in that report, which drew information from more than 100 engagements last year:

- Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans);

- More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (40 percent) or “critical” (13 percent);

- RVA phishing emails resulted in a click rate of 25 percent.

Data from NCATS FY 2014 Report.

ANALYSIS

I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners. According to data provided by DHS, the majority of the program’s private sector participation comes from the financial services and energy sectors — typically at regional or smaller institutions.

DHS has taken its lumps over the years for not doing enough to get its own cybersecurity house in order, let alone helping industry fix its problems. In light of its past cybersecurity foibles, the NCATS program on the surface would seem like a concrete step toward blunting those criticisms.

I wondered how someone in the penetration testing industry would feel about the government throwing its free services into the ring. Dave Aitel is chief technology officer at Immunity Inc., a Miami Beach, Fla. based security firm that offers many of the same services NCATS bundles in its product.

Aitel said one of the major benefits for DHS in offering NCATS is that it can use the program to learn about real-world vulnerabilities in critical infrastructure companies.

“DHS is a big player in the ‘regulation’ policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,” Aitel said. “The more DHS understands about the realities of information security on the ground – the more it treats American companies as their customers – the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies.”

Of course, the downsides are that sometimes you get what you pay for, and the NCATS offering raises some interesting questions, Aitel said.

“Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,” he said. “Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test – what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability.”

As far as the potential legal ramifications of any mistakes DHS may or may not make in its assessments, the acceptance letter (PDF) that all NCATS customers must sign says DHS provides no warranties of any kind related to the free services. The rules of engagement letter from DHS further lays out ground rules and specifics of the NCATS testing services.

Aitel, a former research scientist at the National Security Agency (NSA), raised another issue: Any vulnerabilities found anywhere within the government — for example, in a piece of third party software — are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations.

But what about previously unknown vulnerabilities found by DHS examiners?

“This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in Microsoft IIS (Web server), that’s not going to the customer – that’s going to the NSA,” Aitel said.

And then there are potential legal issues with the government competing with private industry.

Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training group, isn’t so much concerned about the government competing with the private sector for security audits. But he said DHS is giving away something big with its free assessments: An excuse for the leadership at scanned organizations for not doing anything after the assessment and using the results as a way to actually spend less on security.

“The NCATS program could be an excellent service that does a lot of good but it isn’t,” Paller said. “The problem is that it measures only a very limited subset of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’ They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.”

According to Paller, despite what the NCATS documents say, the testers do not do active penetration tasks against the network. Rather, he said, they are constrained by their rules of engagement.

“Mostly they do architectural assessments and traffic analysis,” he said. “They get a big packet capture and they baseline and profile and do some protocol analysis (wireless).”

Paller said the sort of network architecture review offered by DHS’s scans can only tell you so much, and that the folks doing it do not have deep experience with one of the more arcane aspects of critical infrastructure systems: Industrial control systems of the sort that might be present in an energy firm that turns to NCATS for its cybersecurity assessment.

“In general the architectural reviews are done by younger folks with little real world experience,” Paller said. “The big problem is that the customer is not fully briefed on the limitations of what is being done in their assessment and testing.”

Does your organization have experience with NCATS assessments? Are you part of a critical infrastructure company that might use these services? Would you? Sound off in the comments below.

Dell certificates vulnerability: How to protect your Windows systems

Dell announced earlier this week that some of its homegrown digital (SSL) certificates used by Dell Foundation Services and Dell System Detect programs (which are intended to enhance support functions) have generated a significant security vulnerability for Windows systems. Essentially, if either certificate exists on a given computer, that computer can be lured to trust malicious systems, which might then expose it to malware or hacking attempts.

Before I go into specifics about where the threat may apply and how to protect your systems against it, here’s a quick background on how certificates work.

A primer on digital certificates

A digital certificate attests to the identity of a site that an application such as a web browser connects to. Its purpose is to assure the visitor (or application) that the site really is who it claims to be, preventing the kind of misrepresentation that can assist in criminal or malevolent wrongdoing. Traffic to and from the site is then encrypted to protect the data it contains.

For instance, Twitter uses the following certificate to ensure site authenticity (Figure A).

Figure A (image via Twitter)

How do we know the certificate is legitimate? Because it’s issued (or signed) by a certificate authority called a root certificate authority (or root CA) that we trust. That authority has its own certificate (called a root certificate) that is often included by default in operating systems and common web browsers, but which can also be installed separately.

In Figure B we see the root certificate from a well-known and trusted agency called VeriSign, which was responsible for signing Twitter’s certificate.

Figure B (image via Twitter)

As long as your application trusts the root CA, it will trust any certificates issued by that entity. It’s much the same as your friend Michael the police officer telling you he’ll refer customers to your business, and you can trust if they say he sent them that they’re legitimate law enforcement personnel and not grifters, scammers, or other bad elements.

When the browser doesn’t trust the certificates it sees, you will receive prompts warning you as such, indicating it may be dangerous to access the site. Some browsers may even refuse to let you connect entirely.

An important note: Certificates rely on encryption involving private and public keys, which are sort of like signatures that link together like two pieces of a jigsaw puzzle. The private key is held only by the issuer — the root CA — and used to sign certificates to state “This came from me.” Client computers utilize the public key (which is publicly available) to confirm the certificate is legitimate.

If the root CA private key becomes compromised, a hacker can impersonate the root CA and issue their own certificates for malicious websites. They can then entice users to access the site for criminal, mischief, or other nefarious purposes — or write malware to do so silently, as well as read encrypted data. As long as the operating system or browser trusts that root certificate, it will accept any related certificates without question.

That’s what happened with Dell, and that’s what makes this such a big deal. The programs Dell put out had accompanying root CA certificates that were installed on the computers running this software. The problem is that the private keys were made public. It’s very similar to the Superfish incident from earlier this year.

Tim Erlin, the Director of IT Security and Risk Strategy for Tripwire, a well-known security organization, provided the following comments regarding the situation:

“It can be tough for consumers to understand not only how SSL certificates work, but also how they may present serious security vulnerabilities in the real world…. the system of certificates we rely on for encrypting communications also provides authentication of the parties involved. When a certificate is compromised, not only does it allow for an attacker to intercept communications, but it also allows an attacker to impersonate another party, such as a software vendor, in order to plant malicious software on your system.”

Dell has a helpful blog page that addresses the issue, and the comments section also provides further useful feedback and information.

The impact of the Dell certificates vulnerability

Certificates are trusted by operating systems (using a local certificate store) and within applications such as web browsers. Therefore, computers that have installed the Dell Foundation Services or Dell System Detect programs, or upon which a web browser was configured to trust the relevant root certificate authorities — called eDellRoot and DSDTestProvider, respectively — may be at risk.

Note: Systems with Dell System Detect upon which the “detect product” function was run between October 20, 2015 and November 24, 2015 may be affected; this may not apply if that function was never used. However, it’s important to be vigilant.

Unfortunately, it’s not just a matter of figuring out whether you’ve installed these programs on a system — Dell released them automatically since August 15, 2015, so it may be on your system(s) without your knowledge.

Dell has released a link that can automatically tell you if your system is vulnerable, but it’s worth confirming the results for yourself since this sort of thing can and will be useful knowledge down the road.

It’s not likely that anyone out there has manually set up Firefox to trust these certificates, but I’ll show you how to check a bit further anyhow. First, let’s look at how to examine the local certificate store to see if these certificates are trusted by the operating system.

1. Run the command mmc (Figure C).

Figure C (image: Scott Matteson)

2. Click File and then choose Add Or Remove Snap-ins (Figure D).

Figure D (image: Scott Matteson)

3. Double-click Certificates (Figure E).

Figure E (image: Scott Matteson)

4. Choose Computer Account and then click Next and Finish.

Certificates installed on your local system will be displayed based on category: Personal, Trusted Root Certification Authorities, and so on. Access the Trusted Root Certification Authorities section to review the installed certificates (Figure F).

Figure F (image: Scott Matteson)

I don’t have the offending certificates on my computer, but here are two examples of what you might find on a system that does have them (Figure G).

Figure G

This is the second example (Figure H).

Figure H (image: Dell)

Double-clicking the eDellRoot certificate shows the following information (Figure I).

Figure I

How to check web browsers in Windows

The good news is that Internet Explorer and Google Chrome running on Windows rely on the local certificate store, so if you’ve followed the above steps the remediation advice below will apply.

Firefox has its own certificate store and must be inspected manually. Click Tools | Options | Advanced | Certificates and then select the Authorities tab. Scroll down the list to check for the root certificates described above.

The remediation

Dell has provided a page outlining the issue and offering an automatic removal tool as well as the manual steps involved. A full write-up is here (PDF). In a nutshell, you can rely on their tool or, if you’d prefer to handle things yourself, manually remove the certificates and their related programs.

To manually remove the offending root certificates via the Certificate console I displayed previously, right-click each of them and choose Delete. For Firefox, select the certificate and then click Delete Or Distrust. To remove the Dell Foundation Services and Dell System Detect programs, you can uninstall them via the Control Panel. Note: If these programs remain on the computer, the problematic certificates may be reinstalled later.

Dell is also supposed to have released a software update last week to correct this, and as of November 27, 2015, the company stated it will take “several days to reach everyone,” so I feel it’s best to use one of the above options or at the very least have each system inspected to confirm the certificates have been flushed.

So what if you have to remove the certificates from multiple systems? These remediation steps may get exhausting. If you’re a system administrator, I recommend scripting their removal tools through whatever means you may have employed at your organization: Microsoft’s Configuration Manager (aka SCCM), PowerShell, Group Policy, or even batch files within login scripts. User comments on the Dell page indicate that this process may result in system notifications informing the user they’re either not affected or the problem has been fixed, so advance warning to employees is a must.
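To script the check and cleanup described above, here is an added PowerShell example; it is not Dell’s removal tool and not code from the original article. It assumes the two root CAs carry the subject names eDellRoot and DSDTestProvider given earlier and that it runs in an elevated session; it only reports matches unless -Remove is given.

```powershell
# Added example, not Dell's removal tool: find (and with -Remove, delete) the eDellRoot and
# DSDTestProvider root certificates from the Windows certificate stores.
# Assumptions: the certificates' subject CNs match the names from the advisory, and the
# script runs from an elevated session so the LocalMachine stores can be modified.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # report only unless this switch is given
)

$suspectNames = @('eDellRoot', 'DSDTestProvider')
$stores = @(
    'Cert:\LocalMachine\Root',   # Trusted Root Certification Authorities (machine)
    'Cert:\LocalMachine\CA',     # Intermediate Certification Authorities (machine)
    'Cert:\CurrentUser\Root',    # the same stores for the logged-on user
    'Cert:\CurrentUser\CA'
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object {
            $subject = $_.Subject
            @($suspectNames | Where-Object { $subject -like "*CN=$_*" }).Count -gt 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # a root CA's private key never belongs on a client
                PSPath        = $_.PSPath
            }
        }
}

if (-not $findings) {
    Write-Output 'No eDellRoot or DSDTestProvider certificates found in the inspected stores.'
    return
}

# Show what was found, including whether the private key is present on this machine
$findings | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

if ($Remove) {
    foreach ($cert in $findings) {
        # ShouldProcess honours -WhatIf / -Confirm so the deletion can be rehearsed first
        if ($PSCmdlet.ShouldProcess("$($cert.Store) $($cert.Thumbprint)", 'Remove certificate')) {
            Remove-Item -Path $cert.PSPath
        }
    }
    Write-Warning 'Certificates removed. Uninstall Dell Foundation Services and Dell System Detect as well, or the certificates may be reinstalled.'
}
```

Saved under an assumed name such as Find-DellRootCerts.ps1, running it with -Remove -WhatIf lists what would be deleted without touching the stores.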

In addition, it’s possible to centrally store the tools on your network and ask users to run them manually, though as an IT professional I prefer to handle things directly since it’s our job to protect systems and confirm as such.

Looking ahead

Mr. Erlin of Tripwire had this to say about the road before us:

“As long as we’re using the existing certificate-based system of encryption, we’ll continue to see these kinds of issues surface.”

That’s the problem with this sort of arrangement; if we trust root CAs, we are vulnerable to manipulations of this trust. In the meantime, what can we do to reduce their impact?

Well, if you followed along carefully, you may have noticed that Firefox, using its own certificate store, was invulnerable to this threat so long as no one manually configured it to trust those root certificates. But don’t let that lull you into a false sense of security and think that simply using Firefox will be an instant remedy for all future incidents; malware might be engineered to configure Firefox to do what hackers want it to do. I am aware of ways to use Group Policy, for instance, to get Firefox to trust specific root CAs.

I’ve researched this, and I’m not aware at this time of any methods to lock down certificate stores within operating systems or browsers so they cannot be changed, or to report on changes (this would be a great notion if it could be brought into practice), but it is possible to use centralized tools like Group Policy to trust specific root CAs, so as to maintain a consistent environment. This won’t prevent applications from installing their own root CAs, but it can at least help admins know what to expect when they examine root CAs on client systems and servers. And, hopefully, Dell will lead by example here, and this business of silently installing root CA certificates will cease among reputable software companies.
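One low-tech way to get the change reporting the paragraph above wishes for is to snapshot the trusted root store and diff it on later runs. This is an added PowerShell example, not from the article or from any vendor tool; the baseline file location is an assumption.

```powershell
# Added example (not from the article): snapshot the machine's Trusted Root Certification
# Authorities store and report any roots added or removed since the last snapshot.
param(
    [string]$BaselinePath = "$env:ProgramData\RootStoreBaseline.csv"   # assumed location
)

# Current contents of the machine-wide trusted root store
$current = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the store as it is now and treat that as the approved baseline
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath ($(@($current).Count) roots)."
    return
}

$baseline = Import-Csv -Path $BaselinePath

# A root CA is identified by its certificate thumbprint, so compare on that alone
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Thumbprint

$added   = $diff | Where-Object SideIndicator -eq '=>'   # present now, not in baseline
$removed = $diff | Where-Object SideIndicator -eq '<='   # in baseline, gone now

foreach ($entry in $added) {
    $cert = $current | Where-Object Thumbprint -eq $entry.Thumbprint
    # A newly trusted root that also carries its private key is the Dell/Superfish pattern
    Write-Warning ('New root CA: {0} [{1}] private key present: {2}' -f $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey)
}
foreach ($entry in $removed) {
    $cert = $baseline | Where-Object Thumbprint -eq $entry.Thumbprint
    Write-Output ('Root CA removed since baseline: {0} [{1}]' -f $cert.Subject, $cert.Thumbprint)
}
if (-not $diff) { Write-Output 'Trusted root store matches the baseline.' }
```

Run it once on a freshly built image to create the baseline, then schedule it on clients and servers; delete the baseline file to re-approve the current store after an intentional change.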

Ultimately, what it comes down to is reducing your attack footprint to present as small a target as possible. This is where standard methods for best security can help, such as reducing administrator access, eliminating unnecessary programs, and “whitelisting” applications so only those specifically permitted can run. Utilizing standard operating system images that can be deployed and redeployed with ease can also be helpful.

In short, knowing and managing a predictable environment — and preparing automation tools in advance to control it — will go a long way towards mitigating a threat or at least responding to it as rapidly as possible.

State & Local Government Hit By Malware, Ransomware More Than SMBs

Localities and education networks suffered twice as many infections of the infamous CryptoWall ransomware as other sectors.

Small- and midsized businesses (SMBs) aren’t the only ones in the bull’s-eye of ransomware and other malware attacks: worldwide, nearly 70% of state and local government networks triggered malware or ransomware alerts, as did more than 70% of education networks.

Intrusion prevention firm Sentinel IPS found that about 39% of its other customers in its IPS sensor-based network sounded alerts for malware or ransomware between July 1 and November 9 of this year, among some 30 million alerts. An alert signals that malicious traffic is attempting to leave the organization, such as malware trying to “phone home” to its command and control server; the IPS then blocks that traffic.

“We would think that SMBs would map fairly well with state and local government customers and education. You’d think security would be similar across the board,” but the alerts show otherwise, says Ted Gruenloh, director of operations for Sentinel IPS.

State & local government agencies studied in the data include not only agencies but water districts, utilities and police departments, for example. These localities and education sector institutions and departments suffered twice as many infections of the infamous CryptoWall ransomware, according to the sensor data. Overall, state & local governments and education networks made up just 32% of all of the traffic alerts, but they encompassed 77% of critical alerts of attempted “extrusion,” according to Sentinel IPS’s data.

The older, more rudimentary Kovter ransomware was spotted as well, 95% of the time in the state & local government and education networks.

Tim Francis, cyber enterprise lead at Travelers, says it’s no surprise that ransomware is on the rise, nor that state and local governments are becoming a big target for it. “What we saw CryptoLocker do a couple of years ago … was fairly game-changing,” Francis says. “Prior attacks were [typically] an individual singular attack at a time. CryptoLocker obviously changed that” with its massive botnet infrastructure and ability to hit multiple targets, he says.

State and local municipalities are often cobbling together different systems with few security resources, so it makes them more vulnerable to ransomware attacks, he says.

“If I’m an SMB,” he says, “a class action or other lawsuit is something I’d be worried about if it’s significantly expensive. That could cause me to have to close my doors.”

Cyber-extortion is becoming part of some cyber insurance policies, he says.

Another big and well-known malware annoyance, BrowseFox, was found on 67% of education networks and 23% of state and local government networks, amassing some 1.3 million alerts. Gruenloh says that’s a bit surprising because it’s one of the easiest ones to manage and prevent. “But a lot of stuff gets inside” these smaller organizations, he says.

VTech hack gets worse: Chat logs, kids’ photos taken in breach

If you thought the cyberattack on children’s technology firm VTech couldn’t get any worse, it just did.

Motherboard reports that the hacker who obtained personal data on almost 5 million parents and more than 200,000 children also took hundreds of gigabytes worth of profile photos, audio files, and chat logs — many of which belong to children.

Tens of thousands of pictures — many blank or duplicates — were thought to have been taken from Kid Connect, an app that allows parents to use a smartphone to talk to their children through a VTech tablet.

Motherboard was able to verify a portion of the images, and the chat logs, which date as far back as late 2014.

Details about the intrusion are not fully known yet. The hacker, who for now remains nameless, told Motherboard that the Hong Kong-based company “left other sensitive data exposed on its servers.”

The important question is why the data was stored on VTech’s servers in the first place.

VTech did not immediately respond to a request for comment. (If that changes, we will update the piece).

The company confirmed the breach earlier on Monday, adding that it suspended various app stores and websites.

While the data stolen doesn’t include credit card and Social Security information, some have begun to question why so much data and information was not only collected but also stored in an insecure way.

“Don’t collect data because it might be useful at some point,” Mark Nunnikhoven, vice-president of security firm Trend Micro, said in a LinkedIn post on Monday. “This opens the organizations up to unnecessary risk.”

Nunnikhoven previously criticized the company for its “unacceptable” response by acting after it was informed by reporters of the hack.

Troy Hunt, a Microsoft MVP for developer security and founder of breach notification website Have I Been Pwned, who helped Motherboard to confirm the breach, said the attack pushes the number of accounts in his database past the quarter-billion mark.

A Week in Security (Nov 22 – Nov 28)

Last week, we at Malwarebytes Unpacked celebrated with our CEO, Marcin Kleczynski, after hearing news from London on Black Friday that V3.co.uk honored him with the “Technology Hero of the Year” award. He joined the ranks of Steve Jobs, Mark Zuckerberg, and Eugene Kaspersky.

Senior security researcher Jérôme Segura documented some interesting finds during the last several days. First, he spotted a number of compromised WordPress sites containing conditional site scripts that likely target users of Internet Explorer. These sites were redirecting to sites harboring the Angler and Flash Player exploits. Second, he found, as per our telemetry, more notable sites like the Reader’s Digest pushing out exploit kits. Lastly, he touched on a ransomware variant that asks for a Bitcoin ransom ranging from $50 to $999. Segura also theorized about a possible future of malvertising, one that involves ads on videos.

For our PUP Friday post, our researchers discussed FrameFox, an application that is capable of disabling security software installed on user systems.

Notable news stories and security-related happenings:

  • Australians Among World’s Worst Malware Victims – but the Death of APTs Signals Worse Times Ahead. “Australian users remain among the world’s most likely to click on malicious links, new industry research suggests – but if you thought things were bad now, hold onto your hats: security specialists warn that 2016 is likely to make things even worse as growing desire to commercialise the spoils of data breaches drives a transformation in the way attackers launch already-insidious advanced persistent threats (APTs).” (Source: CSO)
  • How Online Fraud will Evolve in 2016. “While 2015 is drawing to a close, the security fraud community is preparing for more battles ahead in 2016. And next year, consumer-facing web and mobile apps are up against a much more sophisticated and prolific enemy as bad actors continue to evade traditional security defenses, leverage the latest mobile hacker tools to impersonate legitimate users and take control of consumer accounts en masse.” (Source: Help Net Security)
  • Holiday Scams That will be Donning Your Inbox Soon. “Every year someone falls for something that is just too good to be true. Make sure your users are up to date on the latest social engineering scams this holiday season.” (Source: CSO Online)
  • Many Embedded Devices Ship Without Adequate Security Tests, Analysis Shows. “An analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufacturers.” (Source: CSO Online)
  • Patreon Users Threatened by Ashley Madison Scammers. “Over the last few days, the group responsible for extortion attempts and death threats against Ashley Madison users has turned to a new set of targets – Patreon users. The group sending the messages has claimed to be DD4BC, and they have a history of extortion and DDoS attacks.” (Source: CSO Online)
  • Cyber Theft Hits One in Five Consumers, Survey Finds. “Just under 40% had had personal data stolen or deleted because of a computer virus or malware, up from 26% in 2013. More than half (53%) did not know the detail of the personal data that had been collected by organisations, up from 37% in 2013. The Deloitte survey also found companies that failed to safeguard data were more likely to lose custom than those which raised prices.” (Source: The BBC)
  • India and Malaysia Sign Cyber-security Pact. “The cyber-security agreement seeks to promote closer cooperation and the exchange of information pertaining to cyber-security incident management, technology cooperation, cyber-attacks, prevalent policies and best practices and mutual response to cyber-security incidents.” (Source: First Post)
  • Facebook ‘Most Used Words’ Game Accused of Stealing and Selling User Data. “And thanks to a post about the game – which is called Most Used Words on Facebook – from UK-based VPN comparison website Comparitech that recently called it a “privacy nightmare,” I was initially ready to urge friends like her to please not touch the game with a 12-foot pole.” (Source: Sophos’s Naked Security Blog)
  • Cyber Monday: What Retailers & Shoppers Should Watch For. “The most immediate concern is anything that prevents a retailer from making money, like a denial of service attack on an online shop or mobile purchasing app — or a security measure that causes impatient customers to take their business elsewhere. Threats that may cost a retailer money — like shipping fraud or chargebacks for fraudulent purchases made with stolen credit cards or gift cards bought with stolen credit card data — are secondary.” (Source: Dark Reading)
  • Researchers Poke Hole in Custom Crypto Built for Amazon Web Services. “In case it’s not clear to some readers, there’s nothing wrong with writing a new implementation of a trusted crypto standard, especially when the work is followed up with the kind of security reviews Amazon sought with s2n. And as noted in the paper, most modern browsers are immune to Lucky 13 attacks.” (Source: Ars Technica)
  • GlassRAT Linked to Earlier Geopolitical Malware Campaigns. “Security researchers at RSA have discovered that the GlassRAT remote administration Trojan (RAT) might have been in the same command and control (C&C) infrastructure shared in geopolitical malware campaigns observed earlier this decade. The authors of RSA’s research paper explain that they linked GlassRAT to other malicious C&C infrastructures using malicious domains that pointed to common hosting.” (Source: Graham Cluley’s Blog)
  • Dell’s Security-shattering PC Root Certificate Debacle: What You Need to Know. “In an attempt to streamline remote support, Dell installed a self-signed root certificate and corresponding private key on its customers’ computers, apparently without realizing that this exposes users’ encrypted communications to potential spying.” (Source: PC World)
  • Analytics Services are Tracking Users Via Chrome Extensions. “It’s quite possible that, despite your belief that the Google Chrome is the safest browser there is and your use of extensions that prevent tracking, your online movements are still being tracked. The culprits? Popular Chrome extensions like HooverZoom, Free Smileys & Emoticons, Flash Player+, SuperBlock Adblocker and many more.” (Source: Help Net Security)
  • Study Reveals Security Gaps That Could Greatly Impact 2016. “A recent Trend Micro study revealed that in third quarter 2015, a worst-case security scenario occurred when leaked information from a data breach was used for further attacks, such as blackmail and extortion.” (Source: Legal Tech News)
  • Russian Criminals Steal $4 Million in Cash with a New Technique Dubbed Reverse ATM Attack. “According to the experts at security firm GroupIB, the Reverse ATM Attack allowed criminal rings in Russia to steal 252 Million Rubles (roughly US$3.8 Million) from at least five different banks. The theft started in summer 2014 and finished in Q1 2015.” (Source: Security Affairs)
  • Cyberattacks On Firms Posing Credit Risk. “Credit rating agency Moody’s Corp. warns that cyber defenses as well as breach detection, prevention and response will be higher priorities in its analysis of the creditworthiness of companies across all sectors, including healthcare and financial services […] According to the report, organizations that house significant amounts of personal data, including financial institutions, healthcare entities, higher education organizations and retail companies, are at greatest risk to experience large-scale data theft attacks resulting in serious reputational and financial damage.” (Source: CXO Today)
  • Black Friday: Cyber-thieves ‘target Christmas shoppers’. “One gang had updated the sophisticated malware it used to target tills in stores, security company iSight said. There had also been an increase in spam and phishing emails crafted to catch out people seeking bargains.” (Source: The BBC)
  • Black Friday Deals? Nope, This Fake Amazon Android App Only Harvests Your Personal Data. “According to a post published by the Zscaler research team, the fake app is being distributed from a URL set up by the malware authors to fool victims into believing it is a legitimate Amazon site. Indeed, as Yahoo! Tech reveals, the app in some ways appears very similar to the real Amazon Underground app, which offers users games and free apps.” (Source: Graham Cluley’s Blog)
  • Hello Barbie, You are a Privacy and Security Threat. “Engineering Miracle Barbie isn’t just an idiot when it comes to computers, she is also something of a loose cannon in terms of security and privacy, according to people who have been playing with their dollies […] Hello Barbie, or Hell Barbie depending on your privacy stance, is new and likely to be heading for the underside of fir trees that are wondering why they are suddenly in urban living rooms. But parents beware: it has raised privacy and security hackles.” (Source: The Inquirer)

Safe surfing, everyone!

The Malwarebytes Labs Team