Security News

The web security standard HTTP Strict Transport Security (HSTS) can be abused as a ‘supercookie’ to track users of almost every modern web browser without their knowledge, even when they use “private browsing.”

Apple has now added mitigations to WebKit, the open-source browser engine that underpins Safari, to prevent HSTS abuse, after discovering that theoretical attacks demonstrated in 2015 were recently deployed in the wild against Safari users.

HSTS (HTTP Strict Transport Security) is a useful feature: a site sends a Strict-Transport-Security header over HTTPS, and for the stated max-age the browser remembers to rewrite any later http:// request to that host into https:// before it leaves the machine. A user who accidentally types or follows an insecure URL is therefore never exposed to a plaintext connection, and the browser keeps routing that user to the secure connection on every future visit.

HSTS does not let a website store arbitrary data in the browser; it stores exactly one bit per hostname, namely whether that host should be upgraded to HTTPS. Anyone who controls enough hostnames can treat those bits as a number, and that number becomes a so-called supercookie that cross-site tracking servers can read back to recognise the same user across websites, independently of ordinary cookies.

Here’s How HSTS-Based Tracking Works:

To understand how HSTS supercookie tracking works, here’s a simple example:

  • To track each user, the site assigns every visitor a unique random number, for example 909090, whose 32-bit binary form is 00000000000011011101111100100010.
  • To store that number in the browser, the site controls 32 subdomains (tr01.example.com, tr02.example.com……and tr32.example.com), one per bit. It makes the browser load, over HTTPS, every subdomain whose bit is 1 and sends a Strict-Transport-Security header from those; subdomains whose bit is 0 never send the header, so the browser remembers an HSTS policy for exactly the 1-bit subdomains.
  • On each later visit to a page carrying the tracker, the page silently loads invisible pixels over plain http:// from all 32 subdomains. The browser upgrades the requests to https:// for the subdomains with a remembered HSTS policy (bit 1) and sends plain HTTP to the rest (bit 0), so the server can read each subdomain’s bit from the scheme the request arrived on.
  • Reassembling the 32 bits gives back the user’s unique number, letting websites and advertisers recognise the user across sites without any ordinary cookie.
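The write and read steps above, as an added simulation that is not code from WebKit or from the original article. A fake browser keeps an HSTS cache; the tracker writes a 32-bit identifier into it by “serving” HSTS from the 1-bit subdomains, then reads it back by checking which pixel requests would be upgraded to https. The hostnames (tr01…tr32.example.com) follow the article; the block list is a simplified stand-in for the blocked-domain rule of Mitigation Two described later, and all identifiers are hypothetical. Nothing touches the network.

```javascript
// Added example (not WebKit's or the article's code): HSTS supercookie simulation.
// The fake browser below keeps an HSTS cache keyed by hostname and an ITP-style block
// list; the tracker functions write and read a 32-bit id through that cache.

const BITS = 32;
const TRACKER_DOMAIN = 'example.com';   // hypothetical tracker domain from the article

// Subdomain carrying bit i (i = 1 is the most significant bit, i = 32 the least).
function bitHost(i) {
  return `tr${String(i).padStart(2, '0')}.${TRACKER_DOMAIN}`;
}

// Registrable domain, here simply the last two labels (TLD+1 in the article's terms).
function tldPlusOne(host) {
  return host.split('.').slice(-2).join('.');
}

class SimulatedBrowser {
  // blockedDomains: TLD+1 names the browser refuses to let track it (a stand-in for
  // Safari's Intelligent Tracking Prevention classification).
  constructor({ blockedDomains = [] } = {}) {
    this.hsts = new Set();               // hostnames with a remembered HSTS policy
    this.blocked = new Set(blockedDomains);
  }

  // Called when an https response from `host` carries a Strict-Transport-Security header.
  rememberHsts(host) {
    this.hsts.add(host);
  }

  // Scheme actually used for a request to http://host/. With Mitigation Two, HSTS state
  // is ignored for subresource loads (pixels, scripts) to blocked domains, so they stay http.
  schemeFor(host, { isSubresource = false } = {}) {
    const mitigated = isSubresource && this.blocked.has(tldPlusOne(host));
    return !mitigated && this.hsts.has(host) ? 'https' : 'http';
  }
}

// Tracker, step 1: store `id` by serving HSTS from every subdomain whose bit is 1.
function setSupercookie(browser, id) {
  for (let i = 1; i <= BITS; i++) {
    const bit = (id >>> (BITS - i)) & 1;
    if (bit === 1) browser.rememberHsts(bitHost(i));
  }
}

// Tracker, step 2: embed http:// pixels from all 32 subdomains and record, per subdomain,
// whether the request arrived over https (bit 1) or http (bit 0).
function readSupercookie(browser) {
  let id = 0;
  for (let i = 1; i <= BITS; i++) {
    const upgraded = browser.schemeFor(bitHost(i), { isSubresource: true }) === 'https';
    id = (id << 1) | (upgraded ? 1 : 0);
  }
  return id >>> 0;   // reinterpret the 32-bit pattern as unsigned
}

function toBinary32(n) {
  return (n >>> 0).toString(2).padStart(BITS, '0');
}

// Round trip for the article's example id, with and without the blocked-domain rule.
function demo(id = 909090) {
  const unmitigated = new SimulatedBrowser();
  setSupercookie(unmitigated, id);

  const mitigated = new SimulatedBrowser({ blockedDomains: [TRACKER_DOMAIN] });
  setSupercookie(mitigated, id);

  return {
    written: toBinary32(id),
    readUnmitigated: readSupercookie(unmitigated),
    readMitigated: readSupercookie(mitigated),
  };
}

console.log(demo());
```

Running the block prints the 32-bit string from the article, the identifier read back intact from the unmitigated browser, and 0 from the browser that ignores HSTS for subresource loads to the blocked tracker domain, which is exactly the “bit string of only zeroes” outcome Apple describes.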

Apple has now added two mitigations to Safari’s WebKit engine that address both sides of the attack: how tracking identifiers are written, and the subsequent use of invisible pixels to read them back.

Mitigation One addresses the supercookie-setting side, where attackers use long URLs that encode the identifier’s digits in subdomains of the main domain name, together with the practice of setting HSTS across a wide range of subdomains at once.

Safari now only allows HSTS state to be set for the hostname that was actually loaded, or for the top-level domain plus one (TLD+1, e.g. example.com for tr01.example.com), so a single response from one long hostname can no longer set HSTS for dozens of other subdomains. In addition, “WebKit also caps the number of redirects that can be chained together, which places an upper bound on the number of bits that can be set, even if the latency was judged to be acceptable.”

“This prevents trackers from efficiently setting HSTS across large numbers of different bits; instead, they must individually visit each domain representing an active bit in the tracking identifier,” says Brent Fulgham, a developer who works on Safari’s WebKit engine.

“While content providers and advertisers may judge that the latency introduced by a single redirect through one origin to set many bits is imperceptible to a user, requiring redirects to 32 or more domains to set the bits of the identifier would be perceptible to the user and thus unacceptable to them and content providers.”

Mitigation Two: Safari ignores HSTS state for subresource requests to blocked domains, i.e. domains that Safari’s Intelligent Tracking Prevention has already classified as trackers and blocked from using cookies. WebKit thereby stops things like invisible tracking pixels from forcing an HSTS upgrade, so every pixel request leaves over plain HTTP and the HSTS supercookie reads back as a bit string of only zeroes.

However, Apple does not name any individual, organisation, or any advertising firm that was using HSTS supercookie tracking to target Safari users.

 

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News and, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Malware

After a significant drop last month, the email malware rate rose again in February. However, at 1 in 645 emails, the current rate is still quite a bit lower than what was generally seen in the second half of 2017. This is likely due to lower levels of email activity by the Necurs botnet, little of which served up malware during February.

Figure 1. The email malware rate rose again in February to 1 in 645 emails

The Chafer attack group has been observed carrying out further operations against organizations in the Middle East, according to new research by Symantec. The group has been seen working its way further into targets in the telecom and transport industries, using new tools to traverse the networks, primarily to carry out surveillance activities. This recent activity indicates that the group remains highly active, working to hone its tools and tactics.

Spam

The global spam rate declined slightly in February, dropping to 55.1 percent. However, the rate remains above 55 percent, as it has for 6 of the last 7 months. The Finance, Insurance, & Real Estate sector tops our list of industry spam rates, while last month’s top sector, Mining, dropped to fifth place.

Figure 2. The global spam rate declined slightly, dropping to 55.1 percent

While quiet on the email malware front, the Necurs botnet sent a couple of large spam runs during the month. The first run was a continuation of one we mentioned last month: a classic fake romance-themed scam, using the simple subject line “hi”. This scam continued into February and the lead-up to Valentine’s Day, offering the semblance of a romantic encounter in order to draw the recipient into replying.

Hi [YOUR EMAIL HANDLE],

My name is [RANDOM NAME] and i’m writing you to tell you that you are super cute from your photos on Facebook.

I myself am from Russia, but now I live in the USA.

I want to get to know you more! If you have the same, email me, this is my email [PREDETERMINED DOMAIN].

Lets know each other better.

Cheers,

[RANDOM NAME]

The second major Necurs campaign came later in the month and contained an attached PDF with advertisements for online pharmaceuticals. The subject lines were a random “Offer”, “Discount”, “Sale”, “Coupon”, or “Final sale”, followed by a random 7- to 9-digit number.
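A small rule-based filter for the two Necurs runs described above, added here as an example that is not Symantec’s code. The rules encode only the reported signatures: a “hi” subject with a Facebook-photos romance lure that pushes the recipient to an address on a different domain from the sender, and one of the themed subject words followed by a 7- to 9-digit number with a PDF attached. The message shape, addresses and sample mailbox are constructed for the example.

```javascript
// Added example (not Symantec's code): rule-based detection of the two Necurs campaigns
// over constructed sample messages. Message fields (from, subject, body, attachments)
// are a hypothetical shape, not any real mail gateway's schema.

const PHARMA_SUBJECT = /^(?:Offer|Discount|Sale|Coupon|Final sale)\s+\d{7,9}$/;
const EMAIL_ADDRESS = /[a-z0-9._%+-]+@([a-z0-9.-]+\.[a-z]{2,})/i;

// Domain part of the first e-mail address found in `text`, or null.
function domainOf(text) {
  const m = EMAIL_ADDRESS.exec(text || '');
  return m ? m[1].toLowerCase() : null;
}

function hasPdfAttachment(msg) {
  return (msg.attachments || []).some((name) => /\.pdf$/i.test(name));
}

// Returns the names of the rules that fired (empty array for a clean message).
function classifyMessage(msg) {
  const hits = [];
  const subject = (msg.subject || '').trim();
  const body = msg.body || '';

  // Campaign 2: themed subject word + 7-9 digit number, pharmacy advert as a PDF.
  if (PHARMA_SUBJECT.test(subject) && hasPdfAttachment(msg)) {
    hits.push('necurs-pharma-pdf');
  }

  // Campaign 1: bare "hi" subject, Facebook-photos lure, reply address off the sending domain.
  if (/^hi$/i.test(subject)) {
    const lure = /photos on facebook/i.test(body) && /email me/i.test(body);
    const replyTo = domainOf(body);
    const sender = domainOf(msg.from);
    if (lure && replyTo && replyTo !== sender) hits.push('necurs-romance');
  }
  return hits;
}

// Constructed samples: one message per campaign plus two benign look-alikes.
const SAMPLE_MESSAGES = [
  { id: 'romance', from: 'anna@mailer.example.net', subject: 'hi',
    body: "My name is Anna and i'm writing you to tell you that you are super cute from your " +
          'photos on Facebook. If you have the same, email me, this is my email anna@contact-me.example.org' },
  { id: 'pharma', from: 'promo@shop.example.net', subject: 'Final sale 48215093',
    body: 'see attached', attachments: ['coupon.pdf'] },
  { id: 'benign-hi', from: 'colleague@corp.example.com', subject: 'hi',
    body: 'Are we still on for the 3pm meeting? Email me if not.' },
  { id: 'benign-sale', from: 'news@retailer.example.com', subject: 'Sale 2018',
    body: 'Spring sale starts Monday.' },
];

// Map of message id -> rules fired.
function scanMailbox(messages = SAMPLE_MESSAGES) {
  return Object.fromEntries(messages.map((m) => [m.id, classifyMessage(m)]));
}

console.log(scanMailbox());
```

The two benign samples show why each rule needs more than one signal: a colleague’s “hi” mail and a retailer’s “Sale 2018” both match a single surface feature of a campaign but fire nothing, while a subject number of ten digits also falls outside the reported 7- to 9-digit range and is left alone.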

Phishing

The phishing rate dropped in February, coming in at 1 in 3,331 emails. While slightly lower than January, overall rates have hovered in the 1 in 2,000-3,000 range for the last 10 months. The Agriculture, Forestry, & Fishing sector had the highest industry phishing rate with 1 in 1,854 emails, followed by Retail Trade at 1 in 2,505 emails.

A phishing scam mimicking a customer service notice from Netflix has been making the rounds, attempting to trick recipients into divulging personally identifiable information such as credit card numbers. The phishing emails attempt to trick a user into believing their Netflix membership will be suspended if they do not validate their billing information.

Mobile & Social Media

Manual sharing topped social media scams in February at 62.78 percent of scams, while Fake Offers dropped more than 10 percentage points, from 29.75 percent to 19.49 percent. Likejacking came third at 17.25 percent, up 1.29 percentage points.

A newly discovered version of the Fakeapp Android malware family has been found by Symantec researchers attempting to log into Facebook accounts in order to steal user names and passwords, as well as a variety of personal details available in the user’s profile. The threat obtains the credentials by displaying a fake Facebook login page once it has compromised the device, and it keeps redisplaying this dialog periodically until the user enters their credentials or the threat is removed.

Figure 3. Fake Facebook login dialog displayed by this Fakeapp variant

 

Source: Symantec.

Microsoft revealed that Windows Defender stopped a massive malware distribution campaign that attempted to infect over 400,000 users with a cryptocurrency miner during a 12-hour period on March 6, 2018.

The Redmond-based OS maker attributes the detections to computers infected with the Dofoil malware —also known as Smoke Loader— a popular malware downloader.

Three-quarters of infection attempts detected in Russia

“Just before noon on March 6 (PST), Windows Defender AV blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods,” said the Windows Defender Research team.

“Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters,” researchers added.

Microsoft credits the immediate discovery of this trojan to its behavior-based and cloud-powered machine learning models included with Windows Defender.

The OS maker claims that its machine learning models picked up the new malware within milliseconds, classified the threat as malicious within seconds, and was actively blocking it within minutes.

“People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer,” the Windows Defender Research team said.

Malware C&C servers located on Namecoin network

Microsoft says this new Dofoil variant attempted to hollow the legitimate OS process explorer.exe to inject malicious code.

The role of this malicious code was to spin off a second explorer.exe process that would download and run a cryptocurrency miner (coinminer) that was masquerading as a legitimate Windows binary —wuauclt.exe.

Microsoft says that Windows Defender flagged this operation as malicious because, although wuauclt.exe is the name of a legitimate Windows binary, this copy was running from the wrong disk location rather than from its genuine system directory.

Furthermore, the binary also generated suspicious traffic, as the coinminer attempted to contact its command and control (C&C) server, located on the decentralized Namecoin network infrastructure. This coinminer isn’t the only recent malware family that stored C&C servers on Namecoin’s .bit domains, with the first versions of the GandCrab ransomware doing the same.
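A detection pass for the behaviours just described, added here as an example that is not Microsoft’s code: a Windows system binary executing from somewhere other than its genuine directory, explorer.exe spawning a second explorer.exe, and name resolution for a Namecoin .bit domain. The event field names, paths and sample telemetry are hypothetical, loosely modelled on Sysmon-style process-creation and DNS records, and are not real Dofoil indicators.

```javascript
// Added example (not Microsoft's code): behaviour checks over constructed process and DNS
// events. Event shapes are hypothetical: { type: 'process', image, parentImage } and
// { type: 'dns', process, query }.

// Where each system binary legitimately lives (lower-cased, backslash-normalised).
const EXPECTED_DIRS = {
  'explorer.exe': ['c:\\windows'],
  'wuauclt.exe': ['c:\\windows\\system32', 'c:\\windows\\syswow64'],
  'svchost.exe': ['c:\\windows\\system32', 'c:\\windows\\syswow64'],
};

function normalizePath(p) {
  return (p || '').replace(/\//g, '\\').replace(/\\+$/, '').toLowerCase();
}

function splitPath(p) {
  const full = normalizePath(p);
  const cut = full.lastIndexOf('\\');
  return { dir: full.slice(0, cut), name: full.slice(cut + 1) };
}

// Findings for one process-creation event.
function checkProcessEvent(ev) {
  const findings = [];
  const { dir, name } = splitPath(ev.image);
  const expected = EXPECTED_DIRS[name];
  // Same file name as a system binary, but executing from an unexpected directory.
  if (expected && !expected.includes(dir)) {
    findings.push(`system-binary-wrong-path:${name}`);
  }
  // A hollowed explorer.exe launching another explorer.exe; the real shell rarely does this.
  if (name === 'explorer.exe' && splitPath(ev.parentImage).name === 'explorer.exe') {
    findings.push('explorer-spawned-explorer');
  }
  return findings;
}

// Findings for one DNS query event: any lookup under the Namecoin .bit TLD.
function checkDnsEvent(ev) {
  const query = (ev.query || '').trim();
  return /\.bit$/i.test(query) ? [`namecoin-bit-domain:${query}`] : [];
}

// Constructed sample telemetry (not real indicators).
const SAMPLE_EVENTS = [
  { type: 'process', image: 'C:\\Windows\\explorer.exe', parentImage: 'C:\\Windows\\System32\\userinit.exe' },
  { type: 'process', image: 'C:\\Windows\\explorer.exe', parentImage: 'C:\\Windows\\explorer.exe' },
  { type: 'process', image: 'C:\\Users\\alice\\AppData\\Roaming\\wuauclt.exe', parentImage: 'C:\\Windows\\explorer.exe' },
  { type: 'process', image: 'C:\\Windows\\System32\\wuauclt.exe', parentImage: 'C:\\Windows\\System32\\svchost.exe' },
  { type: 'dns', process: 'wuauclt.exe', query: 'updates.example.bit' },
  { type: 'dns', process: 'svchost.exe', query: 'update.microsoft.com' },
];

// Runs each event through the matching check and keeps only those with findings.
function scanEvents(events = SAMPLE_EVENTS) {
  const alerts = [];
  events.forEach((ev, index) => {
    const findings = ev.type === 'dns' ? checkDnsEvent(ev) : checkProcessEvent(ev);
    if (findings.length > 0) alerts.push({ index, findings });
  });
  return alerts;
}

console.log(JSON.stringify(scanEvents(), null, 2));
```

The path check compares the exact parent directory rather than a prefix, so C:\Windows\Temp\explorer.exe is still caught even though it starts with C:\Windows\. The explorer-spawns-explorer rule is a heuristic that matches the process chain Microsoft describes and would need tuning against a given environment’s baseline before it is used for alerting.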

Malware tried to mine Electroneum

Microsoft says the coinminer tried to mine the Electroneum cryptocurrency.

Windows 10, Windows 8.1, and Windows 7 users running the Windows Defender AV or Microsoft Security Essentials security software were automatically protected, Microsoft said.

Other antivirus vendors also most likely picked up this threat, as Dofoil (Smoke Loader) is a well-known malware strain that’s been extremely active since 2014.

 

 

Source: Bleeping Computer.

IoT attacks, ransomware, industrial malware and steganography appeared to be some of the hottest cybercrime trends in Q4 2017 according to Fortinet’s Global Quarterly Threat Landscape Report.

Attacks increased compared with the previous quarter, while in Asia Pacific new malware variants and ransomware droppers were the most prevalent kinds of malware.

Globally, an average of 274 exploit detections per firm were detected, an 82% increase over the previous quarter. Malware families increased by 25% and unique variants increased 19%.

One of the report’s most striking conclusions concerned the use of steganography in attacks, that is, hiding malicious code inside image files so that it passes as ordinary image data.

Fortinet says that steganography as an attack vector has not had much visibility in the last several years, but this could be the start of a resurgence.

The Sundown exploit kit, which uses steganography to steal information, was one of the most reported exploits in Q4. It was found dropping multiple ransomware variants.

Other ransomware continued to be prevalent and the infamous Locky ransomware reigned supreme. A second strain of Locky emerged as part of a spam campaign that eventually resulted in ransom demands.

“The volume, sophistication, and variety of cyber threats continue to accelerate with the digital transformation of our global economy,” comments Fortinet’s CISO Phil Quade.

“Cybercriminals have become emboldened in their attack methods as they undergo a similar transformation, and their tools are now in the hands of many.”

Encrypted traffic using HTTPS and SSL grew as a percentage of total network traffic to a high of nearly 60% on average. While encryption can certainly help protect data in motion as it moves between core, cloud, and endpoint environments, Fortinet says it poses a challenge for traditional security solutions.

Meanwhile, three of the top 20 attacks targeted IoT devices including WiFi cameras. Botnets like Reaper and Hajime are able to target multiple vulnerabilities simultaneously.

The success of such attacks has been evident in Reaper’s exploit volume, which jumped from 50,000 exploits to more than 2.7 million for a few days before dropping back to normal levels.

In Asia Pacific, the most prevalent exploits detected exhibit a similar pattern, Fortinet says.

“Exploits targeting the Apache Struts and IP camera/DVR vulnerabilities make up some of the top exploits detected in APAC for Q4 2017 as well. IP camera/DVR vulnerabilities in APAC are quite prevalent as these devices are popular, available at low cost, but do not have sufficient security designed into them.”

Exploits against industrial control systems (ICS) and safety instrumented systems (SIS) suggest an increase in industrial malware; Fortinet suggests that these targets are climbing higher on attackers’ radars.

“The stark reality is that traditional security strategies and architectures simply are no longer sufficient for a digital-dependent organisation. There is incredible urgency to counter today’s attacks with a security transformation that mirrors digital transformation efforts. Yesterday’s solutions, working individually, are not adequate. Point products and static defenses must give way to integrated and automated solutions that operate at speed and scale,” Quade concludes.

 

Source: Security Brief.

Data protection and privacy is gaining the spotlight and undergoing a paradigm shift in light of the new General Data Protection Regulation (GDPR), which was adopted on 27 April 2016.

It introduces more stringent and prescriptive data protection compliance obligations, backed by fines of up to 4% of global annual turnover (or €20 million, whichever is higher). When the GDPR takes effect, it replaces the 1995 Data Protection Directive (officially Directive 95/46/EC). It becomes enforceable from 25 May 2018, after a two-year transition period.

GDPR applies to any organization, regardless of geographic location, that controls or processes the personal data of individuals in the EU. It dictates what data can be collected, the need for explicit consent to gather such data, requirements to disclose any breaches of data, and stronger powers to substantially fine organizations that fail to protect the data for which they are responsible.

GDPR introduces a rigorous and comprehensive privacy framework for businesses that operate, target customers or monitor individuals in the EU. Organizations now have just one year left to meet the suite of new obligations imposed under the GDPR and implement compliance programs to protect data subjects and avoid hefty enforcement penalties.

With GDPR, EU citizens will gain more control of their personal data as organizations will have to provide EU citizens with clear and unambiguous information on how their data is being processed and they will have to obtain explicit consent from citizens to process it. Additionally, any organization that markets or provides products or services to EU citizens will be subject to the GDPR.

As GDPR grants data subjects rights such as the right to be forgotten, the right to data portability and the right to object to profiling, organizations will have to ensure that they comply with these new requirements. GDPR also emphasizes the need to appoint a data protection officer (mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), who will be the single point of contact for the supervisory authority and will be required to advise upon, and maintain compliance with, the GDPR.

GDPR not only highlights privacy requirements during the day to day operations, but also emphasizes the need for integrating privacy by design. It advocates a risk-based approach that allows organizations to tailor their privacy protection programs based on the risks that are most material to the organization.

Privacy by Design has become an enshrined requirement as it will force organizations to embed privacy protection into every aspect of their business rather than bolting it on as an afterthought. In line with this requirement, organizations will be required to implement security measures that balance the newest technology with the cost of implementation and reflect the severity and likelihood of risks to an individual’s rights and freedoms.

GDPR also underlines that cross-border transfers of data shall be allowed to countries that provide an “adequate” level of personal data protection as determined by the European Commission. It mandates that organizations report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. Above all, organizations that violate the basic processing principles of the GDPR may be subject to fines totaling as much as 4% of the organization’s total global annual revenue.

Implications of the new regulation

The implications of the GDPR for organizations can be summarized simply: every affected organization needs to immediately undertake a significant re-examination of its organizational data strategy related to personal and sensitive personal data.

Specific requirements in the GDPR need to be planned for, organizational and technological approaches have to be implemented to resolve problems, and protection policies are to be further strengthened. The regulation makes it difficult for EU businesses to explore outsourcing opportunities and has clauses that can hamper innovation in business and user experience.

Another major implication of the GDPR is for those organizations that were not subject to the earlier EU data protection directive by virtue of not being based in one of the member states. The new, level playing field introduced by the GDPR applies to all firms everywhere if they control or process personal data on EU citizens. For organizations newly impacted by the GDPR, there is a lot of catch-up required.

The regulation brings Indian service providers directly under the jurisdiction of EU regulators. Adhering to it means lost opportunities for the Indian IT/BPO industry, since it tightens the conditions under which data may be transferred outside the EU. Following the regulation significantly adds to compliance costs for service providers; these costs are already higher when serving EU-based clients than for other markets such as the US.

According to EU policymakers, the regulation is meant not merely to protect information but also to ensure that only legitimate users can access it. In India, where much communication takes place on low-cost systems, end-to-end encryption is one way to prevent misuse and ensure security, and this adds to technology implementation costs for organizations.

The new EU security requirements are complex and demand constant surveillance. It is in this context that companies need to realise that data security is not just an IT problem or a compliance issue, but a significant concern that the entire organisation must work together to address. The EU GDPR has put in place a mechanism where security of data is taken as a given and that businesses work for data protection.

 

Source: CIO Economic Times.