Microsoft acquires LinkedIn, in a deal worth $26.2 billion dollars

News has broken that Microsoft has acquired LinkedIn, in a deal worth $26.2 billion dollars. Microsoft believes the acquisition will expand the market for both LinkedIn and Microsoft’s Office products, with the software giant having made a significant push over the past few years to make its products more connected.

Michael Callahan, Vice President at FireMon, provided the following insight to @DFMag on the implications the acquisition may have on the data security at both companies.

“With this acquisition, where millions of people’s personal data is involved, users of LinkedIn are naturally going to want to know if their information is safe. When two different environments are integrated, the complexity and security implications increase dramatically. To avoid putting the end user at risk from a data breach or other security incident, one would hope Microsoft has an overarching solution in place that can view the IT environments from a holistic perspective. This will ensure the safe and secure transition so that the end user experience remains positive and we don’t see these companies making headlines again, but for all the wrong reasons.”



5 myths about fighting child sexual abuse material

The 2015 NetClean report revealed that the numbers of crimes involving child sexual abuse material (CSA) are increasing, the violence is becoming more severe and the victims are getting younger. Despite these alarming numbers, the public, and in many cases also business owners and decision-makers, remain unaware of the full extent of the problem within the workplace or their communities.
It was to fight this evil that NetClean was formed in 2003 with the aim of making use of the latest technical inventions to stop the spread of CSA. However, despite being in operation for more than a decade there still exists misunderstandings about the technologies available to do so.
We debunk 5 myths about fighting CSA material:

1. Myth: There are no available technologies to block CSA material
It is a common misconception that technologies that can track and block CSA material do not exist, for example in this recent campaign. It is immensely important that the public report any material they come across, but that is not the sole solution.
Fact: There are advanced technologies available, designed to selectively identify and block CSA content and so secure the corporate network. At NetClean, we have been cooperating with law enforcement and business leaders to develop the ProActive solution, which tracks and blocks images that law enforcement has identified as CSA material.

2. Myth: Regular web filters are enough to block CSA content
Fact: You cannot rely on a web filter alone, which only blocks URLs. CSA offenders are fully aware of the need to keep moving content between websites in order to evade filters and law enforcement. Most of the material is also shared through other channels, such as the Darknet, anonymisation techniques and peer-to-peer networks. Therefore, the only effective way to stop the spread of CSA content is to track and block the image itself as soon as it is downloaded onto a network or opened on a computer.

3. Myth: Our networks are secure and will block and detect CSA content
Fact: CSA content does not typically enter the workplace through the network. Instead, offenders typically bring illegal images or videos into the workplace on portable USB devices and other mobile storage. Therefore the work devices themselves need to be secured, not just the networks.

4. Myth: ‘Child pornography’ is correct terminology
Fact: Child sexual abuse images and videos are not pornography; they are documentation of actual sexual abuse crimes against children, and should be referred to as such. The term ‘child pornography’ only serves to ‘normalise’ the material’s existence and create confusion. As an example, some people even mistake the term ‘child pornography’ for children that watch pornography.

5. Myth: Installing technology to block CSA runs the risk of also blocking legal content
Fact: NetClean technologies only track and block CSA material. It is for this reason that our solutions are employed by millions of users, including multinational organisations, government agencies, police authorities and Internet providers looking to protect their network and digital content. The technology is designed in collaboration with law enforcement agencies around the world, and uses digital fingerprints to classify and track each and every image or video file containing CSA evidence.
It is only through education and awareness that we will be able to highlight the sheer scale of the problem that is child sexual abuse. We need to work together, if we are to make a difference.



Hacker is selling a massive cache of 51 million user credentials from now defunct iMesh

Following the recent breaches at LinkedIn and Myspace, a hacker is now selling a massive cache of 51 million user credentials purporting to be from the now-defunct iMesh – once the third-largest peer-to-peer filesharing website in the US. Listed on a dark web-based marketplace called The Real Deal, the hacker, under the pseudonym Peace, is attempting to shift the dataset containing 51,310,759 records for 0.5 bitcoin, which is the equivalent of £245 ($350).

@DFMag has obtained several comments from security experts:

David Gibson, VP of strategy and market development at Varonis:

“John Oliver from Last Week Tonight bought $15M USD worth of bad debt for $60,000 and forgave it during his show. It is unfortunate that John Oliver cannot spend $350 and make these 51M records disappear – these large-scale data dumps continue to chip away at our privacy. While specifics like account data, passwords and user preferences may have comparatively low value in the short term, over a longer time horizon data dumps will continue to make it easier for hackers to aggregate and establish a clear identity of their victims, especially as the sophistication of the aggregated data dumps advance.

Our observations suggest that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs. Spear phishing attacks that provide hackers with valid credentials are increasing in frequency and sophistication, so administrators and security practitioners should assume that if their networks aren’t already breached, there’s a good chance they may be some day.

When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.

Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”

Lisa Baergen, director at NuData Security:

“Once again, more news of a big breach hits the wire. We all have to start accepting that breaches are happening and our personal records are being shared on the dark web – sometimes years after the breach occurs. This one, in particular, is hitting hard for a lot of professionals – and senior-level professionals that tend to avoid social media outlets, except for LinkedIn or at times Twitter for business. If you, like me, use these outlets for professional usage, do you use the same password across this as you do at work? If yes. Stop. Think. These hackers want to gain access to big corporations, and sometimes it can be as simple as one executive password gaining entrance to a backdoor into your organisation.

While it’s good practice to change your usernames and passwords often, victims of a breach need to understand that every single piece of identifiable information exposed is important. Credentials from various breaches are sold in packages on the dark web and used to build a “Fullz”, or full online identity profile. These full profiles are sold for higher value than just pieces, because the more complete the information, the more fraud can (and likely will) take place.

For example, if I’m a hacker and gain access to geographical data on John Smith from breach one, e.g. LinkedIn, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Or, more frighteningly, gain access to your work credentials, where the damage could be colossal.

Where credit card fraud was all the rage a couple of years ago, it is this kind of account takeover and new account fraud that is on the painful and dramatic rise. We saw in our own database of nearly 81 billion behavioural events annually a 10% month-over-month increase in new account fraud.

Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and trust it is not the hacker using our identity information online.  

User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to us, the consumers. This is accomplished by learning over time how a legitimate user truly behaves in contrast to a potential fraudster using our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the identity of the user behind the device.

So, hackers like “Peace” can keep trying to get “pieces” of our data, but we are going to make it irrelevant because they can’t steal our behaviours!”

Mark Bower, global director at HPE Security – Data Security:

“Even though this breach appears to have happened in 2013, the message still resonates in 2016: enterprises need to follow best practices of encrypting all sensitive personal data as it enters a system. Encryption stays with the data whether at rest, in motion or in use, so if an attacker accesses the data, they get nothing of value. The ability to neutralise a breach by rendering data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure. Credentials that never need to be recovered in clear form should be strongly protected with state-of-the-art methods, for example, strong standards-based keyed hashing.

Hackers will steal anything of value and this story is no exception. Data has high value to attackers, and even though the information for sale on the black market is several years old, it can still be used for social engineering attacks for spear phishing to attempt to gain access to deeper systems with even more lucrative data that can be monetised directly if stolen.

We have a saying in security: it’s not a matter of if a breach will happen, but when. Beyond the threat to sensitive data, companies need to be concerned with the impact a data breach can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyber attacks and other attempts to get this sensitive information.”

Javvad Malik, Security Advocate at AlienVault: 

Why is such a huge amount of data being sold for only £245?

“I assume there are several contributing factors to this. Primarily it would be down to the fact that iMesh is now defunct, so the value is only in seeing if users have reused the passwords elsewhere. The other factors would boil down to market pressures. There are other big breaches out there so in order to sell, it needs to be priced competitively.”

Any advice?

“At the risk of sounding like a broken record (corrupted MP3?), for users, the only advice is to avoid reusing passwords across different sites. If in doubt, use something trustworthy like to see if your details are out in the wild anywhere.

For companies, the message could not be clearer. They need to not only implement strong measures to secure the password database of their users; but put in place effective threat detection and monitoring controls so that they are aware of when an attack is attempted. The current controls most companies have in place are inadequate as most are only made aware of a breach once the details appear for sale.”

Brian Spector, CEO of MIRACL:

“There has been a flurry of these mass data breaches recently, with MySpace, LinkedIn and now iMesh, falling victim. Each announcement demonstrates that data theft and identity fraud is a multi-billion dollar business on the dark web, and so consumers must be vigilant.

The sad truth is that passwords are a relic from a bygone age, and they simply don’t provide adequate protection for the volume of information we all store and access online today. They don’t scale for users, they don’t protect the service being used and they are vulnerable to a myriad of attacks.

Customers are rightly demanding to be protected when they submit their valuable personal information on the web, and online services need to respond appropriately by replacing the password with more rigorous authentication technologies. For now, anyone affected should change their password, not only for this account but also for any other website where they may have used the same password. But unfortunately, the truth is that most of us probably already have some sort of private information floating around on the dark web and as long as we use this outdated username and password system, we will be reading a lot more of these headlines.”

Lamar Bailey, Sr. Director, Security R&D at Tripwire:

“Many people reuse passwords so a breach that publishes credentials can be an issue if they have been reused. Users should create strong unique passwords for each site they visit and that is harder than it sounds given the sheer number of sites people visit every day. The best way to accomplish this is to use a password generator and vault to keep track of your passwords. Many of the products have very minimal costs and they will remind you to change passwords and alert you of breaches to sites you access.”

Mark James, Security Specialist at ESET:

“With so much data being available on the internet, it’s getting more and more common for caches of this information to be sold for small, manageable sums. When data is originally harvested, its value is based on the ability to reuse the information for financial gain; after a while this gets less and less until its value is almost worthless for its intended use. At this point its value moves from a unique status, with the intention of gaining access to other resources, to just being part of a larger database with a “spam” type worth. Also, as time goes on, databases are able to be cracked and the data extracted.

As in all these cases just relying on passwords is not sufficient, you need to consider where possible to use 2 factor or 2 step verification processes to protect your logins along with a good internet security product that updates regularly. Keeping your operating system and applications on the latest versions and patched will also help to keep your data safe. There is no single solution for doing this, you have to use multi-layered protection these days if you want to stay safe.”

Itsik Mantin, Director of Security Research at Imperva:

“In this case it is likely that the seller wasn’t responsible for the actual breaches, but only gathered the stolen credentials from various sources. Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.

The ease of acquiring stolen credentials, combined with the fact that users continue to reuse passwords, makes brute force attacks more effective than ever and therefore should encourage application providers to take proper measures to protect their users.

To prevent brute force attacks security officers should not only rely on password policies, but should also take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, being cautious about logins from unexpected countries and anonymous sources and comparing login data to popular passwords and stolen credentials.”
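The detection measures Mantin lists above can be wired into a single check that runs on every login attempt. The Python below is an added example, not code from Imperva or from the original article; the login event format, the IP-to-country stub, the per-account country baseline and the sample stolen-credential set are all constructed assumptions.

```python
"""Login-abuse checks: rate limiting, automation markers, unexpected country,
popular-password and stolen-credential matching (added example; every data
source below is a constructed stand-in and is labelled as such)."""
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # sliding window for the rate limits
MAX_ATTEMPTS_PER_IP = 5        # attempts per source IP inside the window
MAX_ATTEMPTS_PER_USER = 3      # attempts per account inside the window

# Substrings that mark scripted or headless clients (assumed list; extend from your own logs).
AUTOMATION_MARKERS = ("headlesschrome", "phantomjs", "python-requests", "curl/")

# Constructed stand-in for a GeoIP lookup; a real deployment queries a GeoIP database.
IP_TO_COUNTRY = {"203.0.113.10": "GB", "198.51.100.7": "XX", "192.0.2.44": "GB"}

# Constructed per-account baseline; in practice learnt from each user's login history.
EXPECTED_COUNTRY = {"alice": "GB", "bob": "GB"}

# Constructed list of the most common passwords seen in public dumps.
POPULAR_PASSWORDS = {"123456", "password", "qwerty", "Password123"}


def cred_digest(user, password):
    """Digest of a username:password pair, so stolen credentials are kept hashed, never in clear."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


# Constructed "known stolen credentials" set, as would be built from a public dump.
STOLEN_CREDS = {cred_digest("alice", "Password123")}


class LoginDetector:
    """Stateful per-attempt checker; one instance per login endpoint."""

    def __init__(self):
        self.by_ip = defaultdict(deque)    # ip -> timestamps of recent attempts
        self.by_user = defaultdict(deque)  # user -> timestamps of recent attempts

    @staticmethod
    def _prune(dq, now):
        # Drop timestamps that fell out of the sliding window.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def assess(self, event):
        """Return the list of findings for one attempt; an empty list means nothing suspicious.

        event keys: ts (seconds), user, ip, user_agent, password (as submitted at login)."""
        findings = []
        now, ip, user = event["ts"], event["ip"], event["user"]

        # 1. Rate limiting per source IP and per account.
        for dq, key, limit, label in (
            (self.by_ip[ip], ip, MAX_ATTEMPTS_PER_IP, "rate_ip"),
            (self.by_user[user], user, MAX_ATTEMPTS_PER_USER, "rate_user"),
        ):
            self._prune(dq, now)
            dq.append(now)
            if len(dq) > limit:
                findings.append(f"{label}:{key}")

        # 2. Automated browsers and scripted clients, judged from the User-Agent string.
        ua = event["user_agent"].lower()
        if any(marker in ua for marker in AUTOMATION_MARKERS):
            findings.append("automated_client")

        # 3. Login from a country this account has not been seen from before.
        country = IP_TO_COUNTRY.get(ip, "??")
        if country != EXPECTED_COUNTRY.get(user, country):
            findings.append(f"unexpected_country:{country}")

        # 4. Compare the submitted password with popular passwords and stolen credentials.
        if event["password"] in POPULAR_PASSWORDS:
            findings.append("popular_password")
        if cred_digest(user, event["password"]) in STOLEN_CREDS:
            findings.append("stolen_credential_match")
        return findings


# Constructed sample traffic: one normal login, a scripted burst against bob, then a
# credential-stuffing attempt against alice from the same scripted source.
SAMPLE_EVENTS = [
    {"ts": 0, "user": "alice", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0", "password": "correct-horse-battery"},
] + [
    {"ts": 1 + i, "user": "bob", "ip": "198.51.100.7",
     "user_agent": "python-requests/2.9.1", "password": pw}
    for i, pw in enumerate(["123456", "letmein", "qwerty", "bob2016", "iloveyou"])
] + [
    {"ts": 10, "user": "alice", "ip": "198.51.100.7",
     "user_agent": "python-requests/2.9.1", "password": "Password123"},
]


def run_sample():
    """Feed the constructed events through one detector; returns (ts, user, findings) per event."""
    detector = LoginDetector()
    return [(ev["ts"], ev["user"], detector.assess(ev)) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ts, user, findings in run_sample():
        print(f"t={ts:>3} {user:<6} {findings or 'ok'}")
```

In the sample run the normal login produces no findings, bob's burst trips the per-account limit on the fourth attempt, and the final attempt against alice is flagged by every check at once, including the hashed match against the constructed stolen-credential set.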



Q1 2016 Sees 93% of Phishing Emails Contain Ransomware

PhishMe’s analysis of phishing campaigns in the first three months of 2016 shows an intensified 789% year-over-year spike in malware and phishing threats.

PhishMe, a global provider of phishing-defense solutions for the enterprise, today revealed that its analysis of phishing email campaigns from the first three months of 2016 has seen a 6.3 million increase in raw numbers, due primarily to a ransomware upsurge against the last quarter of 2015. That is a staggering 789% jump. PhishMe’s Q1 2016 Malware Review identified three key trends previously recorded throughout 2015, but have come to full fruition in the last few months:

– Encryption Ransomware
– Soft Targeting by Functional Area
– Downloader/Ransomware: the one-two combination

“Thus far in 2016, we have recorded an unprecedented rise in encryption ransomware attacks, and we see no signs of this trend abating. Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber criminal enterprises,” explains Rohyt Belani, CEO and Co-Founder of PhishMe.

Rohyt continues, “Another 2015 trend that emerged into fuller fruition during the first quarter of 2016 is threat actors’ use of soft targeting in phishing. In contrast to both broad distribution and the careful targeting of one or two individuals via spear phishing emails, soft targeting focuses on a category of individuals based on their role within any organization anywhere in the world. Criminals target this subset with content relevant to their role. Such malicious emails are typically accompanied with Microsoft Office documents laden with malware or the ability to download the same.”

Towards the end of 2015, PhishMe’s Research team hinted toward the growing prevalence of JavaScript downloader applications as a malware delivery mechanism. During the first three months of 2016, most notably through its prolific use by the distributors of Locky, this prediction did indeed materialize as expected. Rohyt confirms, “During the first quarter, JavaScript applications even surpassed Office documents with macro scripts to become the most common malicious file type accompanying phishing emails. JSDropper applications were present in nearly one third of all phishing email analyses performed by PhishMe.”

Whether threat actors execute encryption ransomware attacks via phishing messages, deliver personalized messages to a functional area of an organization, combine Dridex or Locky with JSDropper or Office documents with macros for delivery, the impact on the victimized organization is significant as they have to expend scarce incident response resources on the clean up effort, manage a potential public relations nightmare, and in some cases even cave in to hacker demands of paying the ransom being demanded.

Rohyt concludes, “As the frequency and magnitude of such phishing attacks increase, the importance of empowering humans to avoid and report them, and giving incident response teams the ability to rapidly react to such reports has never been more acute.”

To download a full copy of the Q1 2016 Malware Review, click here.



Expert Opinion on #OpSilence attack on CNN email servers

Earlier this month a group of hackers claimed to have taken down the email servers of CNN, a company with about 4,000 employees globally. It’s the first attack for #OpSilence, hacking group Anonymous’ impending month-long assault on the media for allegedly ignoring the crisis in Palestine.

Looking reflectively at this incident, Stephen Gates, chief research intelligence analyst at NSFOCUS, provided @DFMag with the following expert opinion:

“According to reports, a suspected faction of Anonymous, called Ghost Squad Hackers, is targeting quite a few news media outlets with their new operation called #OpSilence. Apparently they believe they are fighting against a “New World Order”, which is a theory claiming a small group of Zionists run the world using banks, the media and corporations. You can read more about the previous Anonymous operation called OpIcarus in a blog I posted last month.

This sounds like another day in the world of DDoS attacks, and the motivations within. What is interesting in this case is the amount of reconnaissance about the victims that was provided in the Pastebin post. Each target listed has a link to another post in Pastebin showing their victims’ domains, IP addresses, mail servers and more information that could be of value to any would-be hackers. You can find out more about Ghost Squad’s targets on Pastebin.

One noteworthy activity this time around is the attacks on mail servers. I’ve often wondered why they’re not targeted more frequently. Almost every mail server that receives email from the outside-in is completely exposed to the Internet. Although often protected by firewalls, they do little if anything to block DDoS attacks on mail servers. Launch a SYN flood on TCP port 25, and watch your mail server roll over. All of the attack packets will fly right through the firewalls, or the firewalls will begin blocking legitimate email.

Attacks on websites are a pain for the victim. They normally make the news and can marginally impact an organization’s operations. However, attacks on mail servers can be disastrous for organisations who rely on email for their daily operations, notably the news media. I would suspect that journalists use email quite heavily for their daily activities. In other words, the Ghost Squad Hackers are going for the attacks that will cause the most impact for their victims. If you don’t have purpose-built DDoS defences protecting your mail server, if attacked… you’re likely going to see it go offline.”



A year-old flaw is still being exploited in Ubiquiti home router devices

In light of the recent discovery that a year-old flaw is still being exploited in Ubiquiti home router devices, Cesare Garlati, chief security strategist for the prpl Foundation had the following to say about securing IoT in the home:

“Consumers need to understand that security problems don’t end with their laptops and phones; the same concerns are valid for any connected device in the home and the same security rationale must be applied, especially for routers, where it is the first, last and only line of defence to every device in the home. It’s like leaving a door unlocked to your house, inviting cybercriminals in to access information on your life, family and finances.

When it comes to securing IoT in the home, people can take a number of actions to improve security:

– Update the software of the device at least once per quarter. As soon as vulnerabilities are publicised, hackers will be scanning these devices almost instantly to take advantage of them.

– Don’t be afraid to purchase a new one if you suspect the vendor has not been taking security seriously.

– Make sure the admin console on your home router is password protected. This is separate to the password used to sign in to the wi-fi.

– Make sure you use the WPA2 protocol and protect it with a meaningful, strong password.

– Activate Media Access Control (MAC) filtering – you can set up your devices on your router using this unique identifier so that rogue devices will not be able to connect.

– Turn off wi-fi protected set-up (WPS) after initial set up, as it is not required, nor is it robust or reliable.

– Do not open any ports on the router firewall – there is no reason for a household to be reached by the outside – no matter what the advice may be from the vendor.

– Never enable the Universal Plug ‘n Play (UPnP) feature on a device – it opens a port which can enable malware and attackers to get in.

– Practice security by separation and take advantage of the “guest network” feature on modern routers. Use this for people coming into your home and even for all of your high risk devices. Make sure this network has a different password.

Ultimately, users need to understand that their homes are becoming mini-data centres without an administrator. They need to take more responsibility for the security in the connected home and realise that it’s not just about the box, but all the ways that they are exposed through that box.”




Warning issued about scam targeting WhatsApp users

Users of the popular messaging app WhatsApp are being warned of a new scam in which they are tricked into downloading an apparently exclusive version of the app, called ‘WhatsApp Gold’. In fact, installing this will infect users’ mobile devices with malware.

@DFMag obtained a selection of comments from the following security experts:

Adam Vincent, CEO at ThreatConnect:

“The general public needs to appreciate that criminals use social engineering, using tricks to get them to break security best practices, to their advantage at every opportunity. Social engineering can come in the form of pretending to be a loved one or your credit card company, or in this case, promising them an elite, secret status. To prevent from being trapped in one of these scams, consumers should know to do at least these three things:

– Never click on a link in a message from someone you don’t know. You definitely should only go to trusted sites like Play Store, App Store or the provider’s website.
– Do a quick Google search to check to see if the offer or email is real. When a scam is out there, you may be able to find out.
– Question everything. Criminals are very good at making messages look like they are from a real company, or even worse, a loved one. So, keep your eyes out for clues as to whether the message is trustworthy – typos, slightly different email addresses or website addresses, and unusual wording are all indicators that the message may be from a criminal.

If you are unfortunate enough to be a victim of a scam, turn to the experts to get help. Go to your mobile service provider and ask for help getting your phone scrubbed of malware. Then, ask for help setting up safeguards so it doesn’t happen again. We’re all in this together. Don’t be ashamed of being a victim. Ask for help and stop the spread of the problem as quickly as possible.”

Paul Fletcher, cyber security evangelist at cloud-security firm, Alert Logic:

What should people do if they’ve installed it and their phone has been compromised?

“The best option is to perform a restore from the latest backup. If it’s been a while since a user’s last backup operation, this may cause some issues, but at least it will return their device to a known un-compromised state. If a normal restore is not an option, the next best course of action is to perform a factory default restore. This may take time to complete the restore and add back all their data and apps, but at least they remove this threat.”

How can they stop this happening in the future?

“Upgrading apps and operating systems is generally a good security practice; however, we should all verify the update as legitimate before updating software. Also, it’s always a best practice to read what the updates include before completing the installation.”

David Gibson, VP of strategy and market development at Varonis:

“In general, it is difficult for most iPhone users to install software on their phones outside of what’s available on the app store. It seems as if this particular scam is tricking iPhone users into handing over their account credentials, rather than tricking them into downloading malicious code. If you’ve fallen for this scam and your AppleID credentials have been stolen, change your password and enable multi-factor authentication as quickly as you can. If you’ve got a jailbroken phone, or you think you’ve really downloaded malicious 3rd party code, (Have you shared your UDID with anyone? If you don’t know what a UDID is you probably haven’t.) then it might be best to reset the phone to factory defaults and restore it from a prior backup.”

Lane Thames, Software Development Engineer and Security Researcher at Tripwire:

“If a user installs a malicious application, I usually recommend doing a factory reset for mobile devices. In fact, I follow this principle for any type of infected computing device, i.e., laptop, desktop, server, etc. This is because it is often very hard to completely remove all remnants of a malicious application once it is installed. In most cases, it is better to be safe than sorry.

Mobile users should consider taking advantage of various cloud technologies so that their data gets partially decoupled from their physical devices. Yes, there are risks in using cloud services, but to date, using cloud services to decouple data from devices is not only convenient but also provides ease of use, redundancy, and other benefits. Using this type of mobile model, users can safely recover from the impact of a malicious installation that might require a factory reset. Crime organisations will continue to focus on mobile targets for the foreseeable future. Mobile users must remain vigilant and should carefully research any type of ad, notification, email alert, link, etc. coming into their devices via channels such as SMS, MMS, social media, and especially the web.”

Mark James, Security Specialist at ESET:

What should people do if they’ve installed it and their phone has been compromised?

“If you have actually installed the app you need to uninstall it immediately. If you have not already, I would advise you to install a good internet security product and run a full device scan of your android device. Also, limit any financial or social networking activity on this device until you are completely confident your device is not compromised. You may need to consider a full device reset if you use online banking from this device. If you have not actually clicked any links and are only seeing this message I would advise you delete the message immediately and only download applications from sources you trust.”

How can they stop this happening in the future?

“Making sure you have a good, regularly updating internet security product and ensuring you only download applications from trusted sources will help you to keep safe. If you get an option ‘out of the blue’ to install something new, take a few minutes to go and research the app and the source; other reviews and information from users are a great way of identifying scams and potential threats.”

Giovanni Vigna, co-founder and CTO at Lastline:

“The problem with these types of scam is that they do not target the platform (that is, a vulnerability in the Android or iOS operating system), but, instead, they target the user.

As Google and Apple have deployed more secure phone operating systems and stricter checks in their markets, cybercriminals have moved to social engineering attacks of all kinds. In addition to promises of “enhanced versions” of popular applications, we have seen applications simply trying to pose as different ones. This is possible because on phones we do not have effective mechanisms to understand which application is actually responsible for capturing the input that we see on the screen. Nothing prevents a recently downloaded application from simply displaying a login window on the phone that looks exactly like, for example, a Facebook login page and steals the user’s credentials.”

David Jevans, VP of Mobile Security at Proofpoint:

What should people do if they’ve installed it and their phone has been compromised?

“If you have been compromised, delete the malicious app. Then, from another device, change all your online passwords. If you fear that your device has been jailbroken or rooted by a malicious app, you should wipe your device, reinstall a fresh operating system, and restore your data from a backup that was taken before you downloaded the malicious app.”

How can they stop this happening in the future?

“Scammers will continue sending us emails and text messages with links to malicious websites, phishing websites and malicious apps. Do not click on these links. Do not install apps outside of official app stores.”



DMA Locker Ransomware has been upgraded to 4.0

Researchers have discovered that DMA Locker Ransomware has been upgraded to 4.0 with new features and additional automation.

Lane Thames, software development engineer and security expert for Tripwire shared the following with @DFMag:

“Cyber criminals are getting better by the day. They will continue to learn from their mistakes and optimize their tactics, techniques, and procedures. Ransomware has been on the rise recently. It is a highly profitable approach with high rates of success because, in today’s world, data is king and users are more than willing to pay the ransom if there is even a glimpse of being able to get their data back. Rest assured that cyber criminals will continue to enhance their ransomware architectures. They will evolve and develop more advanced approaches along with possibly very-hard-to-break encryption. These systems will also evolve to include other functionalities that will increase profits for the malware developers. With data being the most important and the most valuable component of our modern cyber devices, users must ensure that they have a data backup and retention process in place.”

Tyler Reguly, manager of security research at Tripwire, further added:

“As ransomware developers become smarter and develop better techniques, end users need to grow and learn. One of the biggest problems we continue to have is that the computer is trusted to store important and confidential information, but it’s treated like a hammer from the toolbox or a ladle from a kitchen drawer. We need to start treating them more like cars and guns; there’s a reason we have safety classes, training, and licensing around these devices: they are harmful. While it’s unlikely that your personal computer is going to take your life, the loss of financial data or precious memories stored in this “tool” may be just as harmful. While some attacks are unavoidable, maintaining up-to-date software and practicing safe computing is essential to the ongoing security of your computer. Don’t install random software, don’t click unknown links, don’t open random shared URLs on social media. These are steps that are easy for everyone to take but ignored by most.

A family member makes a great example in this case. A few months back they sent their computer in to have a number of viruses removed. Recently, the same thing was done again. In conversation with them, I learned that they wanted to download a video from a video sharing site, so they started installing browser extensions to accomplish this. We tend to trust our web browsers (Firefox, Chrome, and IE) and, as a result, we have this expectation that we can trust the browser plugins available for them. This is not the case, and many browser extensions are malicious. As technology becomes more and more ingrained in our lives, we need to realize that it is not something to trust. After all, haven’t most of us seen Person of Interest or The Terminator at this point?”



Possible Windows zero-day for sale on underground

Security researchers have discovered a Windows zero-day vulnerability that is going for $90,000 on the underground cyber crime market. A post from a cyber criminal on an underground forum claims to have this vulnerability, which could affect almost all Windows users. If the claims are true, the local privilege escalation vulnerability exists in all versions of the Microsoft Windows OS starting from Windows 2000, potentially impacting over 1.5 billion Windows users.

If exploited, the vulnerability allows attackers to upgrade any Windows user level account to an administrator account, giving them access to install malicious software, gain access to other machines, change user settings and an array of other potentially damaging acts. Brian Krebs has also blogged on this vulnerability.

Stephen Gates, chief research intelligence analyst at NSFOCUS, commented:

“The global vulnerability/exploit market is ever growing and can be quite profitable. Researchers (and hackers alike) search for vulnerabilities in operating systems and applications. Once a vulnerability is found, those that discover it work tirelessly to determine if it can be exploited locally or remotely.

In this case, the Windows vulnerability appears to allow local privilege escalation. What this means is that an attacker can escalate their privilege from “user” to “administrator” on any Windows machine that they have local access to. Privilege escalation is a critical component to compromising and maintaining access to infected machines; allowing an Advanced Persistent Threat to exist.

If hackers find a way to bundle this with a Remote Code Execution (RCE) exploit, that changes the equation significantly. RCE exploits do not require local access to the machine and systems can be exploited from anywhere in the world.

The person that found the vulnerability is not breaking the law by selling the vulnerability and associated exploit online, although their ethics are certainly in question. Ninety grand goes a long way and in this case, money wins over ethics. I would imagine that, if the vulnerability and exploit can be verified, Microsoft will likely buy it.

As a matter of fact, NSFOCUS researchers have been awarded a total of $200K for finding Windows vulnerabilities, then sharing them with Microsoft. Earlier this year, NSFOCUS researchers were honoured with the Microsoft Mitigation Bypass Bounty Award for the third straight year in a row.”



Expert Comment: Police arrest Russian gang who stole $25m

Following the news of the Russian police arresting 50 people accused of using malware to steal more than 1.7bn roubles ($25m; £18m), @DFMag was provided the following brief insight from Leo Taddeo, Chief Security Officer at Cryptzone:

“This operation shows what US cyber experts knew all along, that Russia is very capable of finding and stopping cybercriminals operating within their borders. The remaining question is whether Russia has changed its policy of intransigence on the cybercrime issue for the benefit of US and other victims of Russian cybercrime, or Russian law enforcement targeted this cyber gang because it made the mistake of stealing from a Russian bank.”