WA Auditor General recommends inter-agency cooperation to counter malware

Western Australia’s Office of the Auditor General (OAG) has made six recommendations to state government agencies after it was found six agencies had previously been the target of malware campaigns.

According to the OAG, the six agencies probed — which included the Department of the Attorney General, Department of Mines and Petroleum, Department of Transport, Main Roads Western Australia, and the Office of the Government Chief Information Officer (OGCIO) — were under constant threat, which it said highlighted the need for improved central governance arrangements to identify, warn of, and prevent attacks.

In its report [PDF], Malware in the WA State Government, the OAG said as a result of the audit, it made “detailed recommendations” to each agency that came under the microscope. The explicit details were not published, but instead, the OAG offered up the broader six recommendations it made, which included an in-depth assessment of the risk to the agency malware poses, improving any controls the OAG identified as ineffective, and that each agency consider additional controls to better secure its networks, systems, and data against malware.

“The government spends AU$1 to AU$2 billion on IT and this needs to be strongly managed to ensure we deliver the best value to West Australians,” the premier said at the time. “Nunis has the right combination of professional skills and practical experience, with a fundamental understanding of the private and public sectors and how to negotiate and deliver large IT projects.”

Yahoo fixes flaw allowing an attacker to read any user’s emails

Yahoo has fixed a severe security vulnerability in its consumer email service that could have allowed an attacker to read a victim’s email inbox.

The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail.

The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty,

OWASP OWTF – Offensive Web Testing Framework

OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.

The purpose of this tool is to automate the manual and uncreative parts of pen testing. For example, figuring out how to call “tool X”, then manually parsing the results of “tool X” to feed “tool Y”, and so on, is time consuming.

By reducing this burden we hope pen testers will have more time to:

  • See the big picture and think out of the box,
  • Find, verify and combine vulnerabilities efficiently,
  • Have time to investigate complex vulnerabilities like business logic, architectural flaws, virtual hosting sessions, etc.
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short time-frames we are typically given to test.

This tool is however not a silver bullet and will only be as good as the person using it. Understanding and experience will be required to correctly interpret the tool output and decide what to investigate further in order to demonstrate the impact.

Features

  • Web UI. Now configure and monitor OWTF via a responsive and powerful interface accessible via your browser.
  • Exposes RESTful APIs to all core OWTF capabilities.
  • Instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
  • Scan by various aggression levels: OWTF supports scans which are based on the aggressiveness of the plugins/tools invoked.
  • Extensible: OWTF manages tools through ‘plugins’, making it trivial to add new tools.
  • OWTF has been developed keeping Kali Linux in mind, but it also supports other pentesting distros such as Samurai-WTF, etc.
  • Tool paths and configuration can be easily modified in the web interface.
  • Fastest Python MiTM proxy yet!
  • Crash reporting directly to Github issue tracker
  • Comprehensive interactive report at end of each scan
  • Easy plugin-based system; currently 100+ plugins!
  • CLI and web interface

You can download OWASP OWTF here:

Dailymotion Said to Suffer Massive Data Breach With Over 85 Million Accounts Compromised

Dailymotion, one of the most popular video streaming websites, has been hit by a cyber-attack that is said to have led to a massive data breach of more than 85 million user accounts. The data breach occurred on October 20, according to data breach monitoring company LeakedSource. After its report, Dailymotion on Tuesday issued an advisory to its users to change their passwords, while denying any compromise of user data.

Dailymotion, owned by the media group Vivendi, addressed the event on its blog, where it said that the hack is limited and there has been no data breach. “It has come to our attention that a potential security risk, coming from outside Dailymotion, may have compromised the passwords for a certain number of accounts. The hack appears to be limited, and no personal data has been compromised,” the blog post said. The breach is said to have exposed 85.2 million usernames and email addresses, along with 18 million scrambled passwords, on October 20, LeakedSource said, according to the BBC.

However, to keep its users safe, Dailymotion has advised them to change their passwords to something that is not as obvious or easy as ‘password1234’ or some other letter-number combination that can be guessed. For its partners, Dailymotion recommends using its refresh-token method to authenticate their apps and services. If you use Dailymotion, you should change your password by following these simple steps:

  1. Go to Dailymotion website either on the Web or mobile
  2. Log into your account, as you normally do
  3. You’d see the Settings option in the drop-down menu on the top right corner, click or hover on it
  4. Now, select the Account Settings
  5. Replace the old password with a new and stronger password, and you’re set

With this latest cyber-attack, the number of Internet security breaches has risen to an alarming level. LinkedIn, TalkTalk and the Indian payment card system are some of the recent examples of cyber-attacks.

Ransomware blamed for cyber attack which forced hospitals to cancel operations and shut down systems

An NHS hospital trust which was forced to shut down systems and cancel operations as a result of a cyberattack has revealed that a ransomware infection was the source of the problem.

The cyberattack against Northern Lincolnshire and Goole NHS Foundation Trust took three hospitals offline after what has now been confirmed as a Globe2 ransomware infection. The incident led to the cancellation of 2,800 patient appointments at the NHS Trust.

Hospitals are an appealing target for cybercriminals to infect with ransomware not only because of the crucial role of IT in healthcare, but also because the data held by hospitals is so vital.

Google patches Dirty Cow vulnerability in latest Android security update

Google’s latest Android security update includes a fix for the Dirty Cow security flaw as one of 11 critical issues now resolved in the mobile operating system.

The latest Android security bulletin, posted on Monday, fixes over 50 security flaws, 11 of which are deemed critical. A separate round of patches from Dec 1 also fixes an additional 10 bugs of high importance.

Android users have had to wait for a fix to the problem, even though exploit kits using the security issue have been found in the wild.

Google says there are no current reports of these issues being exploited in the wild.

The tech giant thanked researchers from companies including Alibaba Mobile Security Group, Qihoo 360, Tencent, Baidu X-Lab and Trend Micro for reporting bugs now fixed in the last update of the year.

Updates will be sent over the air to Android products including Pixel and Nexus devices, for which Android 7.1.1 was released this week. The security patch has also been uploaded to the Google Developer website.

What is malvertising?

What is it?

Malvertising is the name we in the security industry give to criminally-controlled adverts which intentionally infect people and businesses. These can be any ad on any site – often ones which you use as part of your everyday Internet usage. It is a growing problem, as is evidenced by a recent US Senate report, and the establishment of bodies like Trust In Ads.

Whilst the technology being used in the background is very advanced, the way it presents to the person being infected is simple. To all intents and purposes, the advert looks the same as any other, but it has been placed by a criminal.

Without your knowledge a tiny piece of code hidden deep in the advert is making your computer go to criminal servers. These then catalogue details about your computer and its location, before choosing which piece of malware to send you. This doesn’t need a new browser window and you won’t know about it.

The first sign will often be when the malware is already installed and starts threatening money for menaces, logging your bank details or any number of despicable scams.

How do they get there?

It’s common practice to outsource the advertising on websites to third-party specialists. These companies re-sell this space, and provide software which allows people to upload their own adverts, bidding a certain amount of money to ‘win’ the right for more people to see them.

This often provides a weak point, and cyber criminals have numerous clever ways of inserting their own malicious adverts into this self-service platform. Once loaded, all they have to do is set a price per advert, to compete with legitimate advertisers, and push it live.

Why is it a threat to me?

People nowadays are aware of practices that look or feel ‘wrong’ on the Internet, be it odd-looking links, requests to download strange programs or posts on social media which set the alarm bells ringing. The real danger with malvertising is that user judgement isn’t involved at all. People don’t have to click anything, visit a strange website or follow any links.

Rather, you go to a website you trust (like a news site or similar) and the adverts are secretly injecting criminal software onto your computer. This means infections can happen just by browsing the morning headlines, visiting your online dating profile or watching a video.

How do I stop it?

There are a few things which people can do to minimize the risk of being caught out by malvertising:

  • Those reminders to update things like browsers, flash, Java etc? Don’t ignore them.
  • Run a specialist anti-exploit technology (we provide one for free)
  • There are programs which block advertising that can help

Safe surfing and don’t get caught out!

Dutch police get OK to exploit zero-days

Zero-day vulnerabilities can be unknown or known to manufacturers. In either case, the public is not aware of them until the manufacturer issues a software or firmware patch or update.

Manufacturers usually issue swift updates, but sometimes end users do not download them right away. The Dutch government will also allow law enforcement to exploit known vulnerabilities that users or manufacturers have left untreated for a period.

Still, the market is heavily unregulated, a point the government brief also acknowledged. Offenders can anonymously acquire and use zero-day vulnerabilities for criminal purposes on the internet, making them difficult to track.

Both the Dutch government and the European Commission are now taking steps to standardize regulation in the zero-day vulnerability market.

A look at the top HackerOne bug bounties of 2016

Bug bounty programs are a way for software vendors to outsource web domain, app and network security beyond their own in-house security teams and acquire as many eyeballs on potential security problems as possible before they become exposed and exploited by attackers.

Apple, Microsoft, Google and others run their own invite-only and open bug bounty schemes, with rewards sometimes reaching as high as $200,000 for the most severe flaws which could jeopardize users.

1. PornHub

PornHub’s bug bounty program, launched in May this year, has already accepted reports and thanked 311 hackers for their efforts in finding security flaws in the porn provider’s web domains.

The top reward for this program, $20,000, was awarded to researcher Static for reporting a remote execution flaw in July.

2. LocalTapiola

The Finnish insurance giant’s bug bounty scheme, launched roughly eight months ago, has resulted in hackers being awarded some of the most competitive payouts on the platform.

One security researcher recently received $18,000 for the disclosure of a critical flaw, and $50,000 is on offer for any hacker able to find serious, out-of-scope bugs.

3. Twitter

Microblogging platform Twitter’s bug bounty program has proven to be a popular avenue for security researchers looking to make some extra cash.

Over 365 hackers have submitted security flaws with 549 issues resolved. Six months ago, one hacker was awarded $15,120 for reporting a critical bug.

What is Typosquatting ?

Sometimes a misspelling in the address bar of the URL of a popular website takes us to a similar-looking but different website altogether. In most cases these similar-looking websites are controlled by hackers, who exploit this for illegitimate purposes. This is called Typosquatting.

Typosquatting is a type of cybersquatting, where an attacker uses an internet domain name with the intent of profiting illegitimately from the goodwill of a trademark belonging to someone else. In most cases Typosquatting is done by attackers with the intent of spreading malware, earning revenue from website traffic, or phishing.

Typosquatted URLs

A study found that mainly five types of URLs are used for Typosquatting:

  • Foreign language spelling of a popular website
  • Common misspelling or typing error of a popular website, e.g. goggle.com
  • A differently phrased domain name, e.g. apples.com
  • A different top level domain, e.g. amazon.org
  • Abuse of a Country Code Top Level Domain, e.g. Google.cm

A user is more likely to mistype these types of URLs in the address bar, and the typosquatters exploit that.

Why is Typosquatting done

There are several reasons for which attackers do Typosquatting. To name a few:

  • To earn revenue from website traffic generated by visitors with mistyped URLs.
  • To redirect the typo-traffic to a competitor of the actual website.
  • To try to sell the typosquatted domain to the actual website and earn money illegitimately.
  • To redirect the typo-traffic to the actual website, but through the affiliate program, and thus illegitimately earn revenue from the brand-owner’s affiliate program.
  • To steal sensitive data from visitors. Sometimes the attackers make a website that looks very similar to the actual website. As a result, if a visitor to the website provides his name, credit card number, etc. by mistake, the information gets stolen.
  • Sometimes, these fake websites are used in phishing.
  • With a drive-by download, malware can be installed on a computer just by visiting the website, even though the user does not click on or initiate the installation of any software from the website. Sometimes, these fake websites are used to spread malware.
  • To expose users to internet pornography.

From 2006 to 2008, a typosquatted domain of Google called Goggle.com was used to spread malware and even rogue anti-malware.
Defenses

One possible defense against Typosquatting is to buy the variants of domain names that could be used by typosquatters. For example, the following variants of domain names can be considered:

  • Replacement of the letter ‘O’ with the number ‘0’
  • Domain names with a missing dot (.) between www and the actual domain name, for example wwwexample.com
  • Singular and plural versions of domain names
  • Hyphenated and non-hyphenated versions of domain names
  • Domains with other extensions like .net, .org, .com etc.

There are also a number of tools available which can suggest variants of domains that could be typosquatted. One such tool can be found here.

Also, there are a number of tools available to detect Typosquatting. One such example is Microsoft Strider. These tools can be used to mitigate the risks.
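As an added example (not code from the article, and not any of the tools it mentions), the following Python script enumerates the variant classes the article lists, both the typosquatted URL types described earlier and the defensive registrations suggested here, so a brand owner can register the candidates pre-emptively or match domains observed in DNS, certificate-transparency or proxy logs against them. The substitution tables, the risky ccTLD list, the sample brand google.com and the helper names are assumptions made for this example.

```python
"""Defensive typosquat candidate generator.

Added example, not code from the original article. It enumerates the domain
variants the article lists, so a brand owner can register them pre-emptively
or watch for them in DNS, certificate-transparency or proxy logs: letter/digit
look-alikes (o -> 0), the missing dot after www, singular/plural forms,
hyphenated/unhyphenated forms, other TLDs, common misspellings such as
goggle.com, and ccTLD abuse such as google.cm.
"""

# Substitution tables below are assumptions for this example, not from the article.
LOOKALIKES = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
ALT_TLDS = ["com", "net", "org"]
RISKY_CCTLDS = ["cm", "co", "om"]  # frequent slips when typing ".com"


def split_domain(domain):
    """'Example.COM' -> ('example', 'com'); handles a single label.tld only."""
    label, _, tld = domain.strip().lower().partition(".")
    if not label or not tld:
        raise ValueError("expected label.tld, got %r" % domain)
    return label, tld


def lookalike_variants(label):
    """One look-alike substitution at a time, plus every occurrence of one letter."""
    out = set()
    for i, ch in enumerate(label):
        if ch in LOOKALIKES:
            out.add(label[:i] + LOOKALIKES[ch] + label[i + 1:])
    for ch, repl in LOOKALIKES.items():
        if ch in label:
            out.add(label.replace(ch, repl))  # e.g. google -> g00gle
    return out


def plural_variants(label):
    """Singular/plural pair: apples -> apple, apple -> apples."""
    return {label[:-1]} if label.endswith("s") else {label + "s"}


def hyphen_variants(label):
    """Drop an existing hyphen, or insert one at every interior position."""
    if "-" in label:
        return {label.replace("-", "")}
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def misspelling_variants(label):
    """Omitted, doubled, transposed and wrong-letter-doubled characters
    (gogle, gooogle, gogole, goggle for 'google')."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                     # omission
        out.add(label[:i] + label[i] + label[i:])              # repetition
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
            out.add(label[:i] + label[i + 1] + label[i + 1:])  # next letter doubled
    out.discard(label)
    out.discard("")
    return out


def variant_report(domain):
    """Map each variant class from the article to the candidate domains it yields."""
    label, tld = split_domain(domain)
    full = domain.strip().lower()

    def with_tld(labels):
        return {lab + "." + tld for lab in labels} - {full}

    return {
        "lookalike": with_tld(lookalike_variants(label)),
        "missing_dot": with_tld({"www" + label}),          # wwwexample.com
        "plural": with_tld(plural_variants(label)),
        "hyphen": with_tld(hyphen_variants(label)),
        "misspelling": with_tld(misspelling_variants(label)),
        "other_tld": {label + "." + t for t in ALT_TLDS if t != tld},
        "cctld": {label + "." + t for t in RISKY_CCTLDS if t != tld},
    }


def generate_variants(domain):
    """Flat, sorted list of every candidate, for registration or a watchlist."""
    return sorted(set().union(*variant_report(domain).values()))


def matches_brand(observed, brand_domain):
    """True if a domain seen in logs is one of the brand's typosquat candidates."""
    return observed.strip().lower() in set(generate_variants(brand_domain))


if __name__ == "__main__":
    # Sample brand is a constructed input for the demo, not from the article.
    for cls, domains in variant_report("google.com").items():
        print("%-12s %3d  e.g. %s" % (cls, len(domains), sorted(domains)[:3]))
```

The per-class report is what you would hand to whoever registers defensive domains, while matches_brand is the piece to wire into log review: feed it each newly seen domain and the brand domain, and anything that returns True deserves a look before a user does.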

There are more ways to scam people on the internet than ever before. You need to be aware of all these scams, stay educated, and use your common sense.