Here we are, finals week. This will be my last post for this class.
Over the last 10 weeks I have posted on many things but the overall theme seems to be regarding security flaws and malware attacks, including DDoS. For the most part, I chose topics that have or could easily affect myself or my friends. I did this because it is easier to write about what you know and I needed all the help I could get since I despise blogging/writing.
To find my topics I used several InfoSec news sites including Ars Technica, CNET, and ZDNet. For the most part I would look at the SANS ISC InfoSec News Feed and see if a headline caught my eye. I would then read the article and blog my opinion about it. I would usually insert some snark as well. There can never be too much snark.
Overall I am not sure if something like this blog would be useful to others. Maybe if the blogger was someone that is actively working in the industry and can report about specific cases and tips/tricks. But for me it would be just as easy to read the articles. If you are interested in creating your own blog I can only suggest to choose what you enjoy. If that means to focus solely on malware attacks, so be it. Just find what you are comfortable with and let the words flow. I let my dislike for what I was doing make this way more of a chore than it needed to be.
Information security blog for my class in Network Security at Portland Community College.
Monday, March 16, 2015
Saturday, March 14, 2015
How to scare a gamer to death...
TeslaCrypt...that one word can scare gamers and mediaphiles to death. A relatively new threat, first seen in late February, TeslaCrypt is ransomware that encrypts a large number of file types, including those associated with popular video games. The malware is distributed through compromised WordPress websites set up to redirect visitors to a page hosting the Angler exploit kit.
Once it infects a system, the malware informs victims that their photos, videos and documents have been encrypted. Unlike other ransomware, TeslaCrypt also encrypts files associated with video games, including Call of Duty, Diablo, Fallout, Minecraft, Warcraft, F.E.A.R, Assassin’s Creed, Resident Evil, World of Warcraft, League of Legends, and World of Tanks.
In addition to profile data, saved games, mods, and maps, the ransomware encrypts files associated with Steam and with game development software such as Unity3D, Unreal Engine, and RPG Maker. The malware targets a total of 185 file extensions, including iTunes-related files. Victims are shown a "free decryption" button; clicking it takes them to a site where they can pay 1.5 Bitcoin (about $415) or $1,000 through PayPal My Cash Card.
“Bitcoin is the preferred method of payment as it is an untraceable secure method of receiving payment from you so they give you a better price of only $415. If you wish to use payment systems like PayPal My Cash Card, then the price increases to $1000 (this is because they lose a percentage through the middleman). The choice is very clear that they want the hefty discount to sway you into using bitcoin as payment,” Webroot researchers wrote.
Overall a crappy situation. Watch what you click on folks!
Thursday, March 5, 2015
10 years later...
A security flaw that has been around for more than 10 years has been discovered that leaves users vulnerable to attack through Apple's Safari and Android's stock browser. Apple is working on a fix, and Android is as well, but the Android fix has to be sent out to users via their wireless providers, so who knows if/when they will ever receive it.
Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available, according to the newspaper. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including the web browsers.
One would think that if this was known about 10 years ago, it would have been in the queue to fix as soon as they could...not in 2015.
Researchers have been alerting affected government and commercial websites for a few weeks in hopes of corrective measures being taken before the vulnerability was publicized, the newspaper reported. Whitehouse.gov and FBI.gov have been repaired, but NSA.gov remains vulnerable, researchers told the newspaper.
Just wanted to make sure y'all saw the last part...the NSA website remains vulnerable...LOL! How's that for a backdoor you turds.
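A check worth having after reading the above, as an added example that is not part of the original post or of the researchers' work it summarizes: the "weaker standards" are the EXPORT cipher suites defined in the TLS specifications (40-bit ciphers and 512-bit RSA/DH key exchange), and the downgrade works because a man in the middle can rewrite a ClientHello so that the server picks one of them. The block below parses the cipher suites offered in a TLS ClientHello and the suite chosen in the ServerHello, then reports three signals: an export suite offered, an export suite chosen, and a chosen suite that the client never offered (something a correct client must reject). The handshake bytes are constructed by the helper functions rather than captured, and the 56-bit EXPORT1024 draft suites are deliberately left out of the table.

```python
"""Spot export-grade TLS cipher suites in a ClientHello / ServerHello pair.

Added example for this post; the handshake messages are constructed, not
captured, and the suite table holds only the RFC 2246 / RFC 5246 EXPORT
suites.
"""
import struct

# Export-grade suites (40-bit symmetric, 512-bit RSA/DH) from RFC 2246 / RFC 5246 Appendix A.5.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02


def _handshake_body(record, expected_type):
    """Strip the 5-byte record header and 4-byte handshake header, checking both."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != expected_type:
        raise ValueError("unexpected handshake message type 0x%02x" % hs[0])
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    return body


def offered_suites(client_hello):
    """Cipher suites the client offered, in the order it listed them."""
    body = _handshake_body(client_hello, CLIENT_HELLO)
    pos = 2 + 32                  # client_version + random
    pos += 1 + body[pos]          # session_id length byte + session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]


def chosen_suite(server_hello):
    """The single cipher suite the server selected."""
    body = _handshake_body(server_hello, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def audit(client_hello, server_hello):
    offered = offered_suites(client_hello)
    chosen = chosen_suite(server_hello)
    return {
        "export_offered": [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES],
        "export_chosen": EXPORT_SUITES.get(chosen),
        # RFC 5246 7.4.1.3: the server must pick from the client's list; a mismatch
        # means the ClientHello the server saw is not the one the client sent.
        "chosen_not_offered": chosen not in offered,
    }


# --- constructed sample messages (zero randoms, empty session id, null compression) ---
def build_client_hello(suites):
    body = b"\x03\x03" + bytes(32) + b"\x00"
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


AES128_SHA = 0x002F            # TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_AES128_GCM = 0xC02F  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
RSA_EXPORT_RC4_40 = 0x0003


def sample_verdicts():
    """Healthy handshake, the server's view of a rewritten hello, and the client's view."""
    honest = build_client_hello([ECDHE_RSA_AES128_GCM, AES128_SHA])
    rewritten = build_client_hello([RSA_EXPORT_RC4_40])   # what a man in the middle forwards
    healthy = audit(honest, build_server_hello(ECDHE_RSA_AES128_GCM))
    server_side = audit(rewritten, build_server_hello(RSA_EXPORT_RC4_40))
    client_side = audit(honest, build_server_hello(RSA_EXPORT_RC4_40))
    return healthy, server_side, client_side


if __name__ == "__main__":
    for name, verdict in zip(("healthy", "server_side", "client_side"), sample_verdicts()):
        print(name, verdict)
```

The server-side view shows an export suite both offered and chosen, which is what a capture next to a server that still enables those suites looks like; the client-side view shows a chosen suite the real client never offered, which is the mismatch a correct TLS implementation is required to abort on. Removing the EXPORT suites from server configurations closes the server half regardless of which browsers have been patched.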
Thursday, February 26, 2015
Morse code, really?
In super happy awesome news, the FCC announced that Net Neutrality has won! Well until the dirty stinking paid-off-by-Comcast-Congress gets a hold of it...
In a 3-2 vote along party lines (Democrats over Republicans), the new rules passed, and they mean that companies cannot discriminate against traffic (with an exception for reasonable network management).
"The core net neutrality provisions are bans on blocking and throttling traffic, a ban on paid prioritization, and a requirement to disclose network management practices. Broadband providers will not be allowed to block or degrade access to legal content, applications, services, and non-harmful devices or favor some traffic over others in exchange for payment. There are exceptions for "reasonable network management" and certain data services that don't use the "public Internet." Those include heart monitoring services and the Voice over Internet Protocol services offered by home Internet providers."
This is huge because it protects consumers from big bad evil corporations that want to charge Netflix, et al. more to provide "fast lanes" and yet still provides for QoS (Quality of Service) for VoIP (Voice over Internet Protocol), aka using your data lines for telephone calls.
In more ridiculous news, Verizon responded to the FCC's vote by using Morse code in their press release. Classic example of someone not getting their way and having a tantrum. I do believe it is time for their nap...let me go get their blanket and "binky."
This doesn't necessarily have much to do with InfoSec but it is HUGE and IMPORTANT news that just had to be shared...and if it is important for the people and for the freedom of the internet, then it is important for IT professionals and those in security to know about and, hopefully, celebrate.
Sunday, February 22, 2015
Lenovo or is it Le Oh No?
There has been a lot of interesting information coming out lately regarding Superfish and man-in-the-middle attacks.
"Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said." - Ars Technica
The CEO of Superfish maintains in a statement that there is no security flaw in the software, which pretty much every other person with any knowledge of SSL and certificates can see is false. It has since been found that the man-in-the-middle attack is even easier to carry out than first thought.
The latest update has Lenovo CTO Peter Hortensius saying in an interview with The Wall Street Journal that they "didn't do enough." They are also in the process of writing software that will completely remove all code and data associated with the adware.
In case you wanted to know, if you bought a Lenovo between October 2014 and December 2014 and it is a model in the list below, you probably have the Superfish root certificate installed as a trusted certificate authority and are vulnerable:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
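The check a practitioner would want before trusting a laptop from that list, as an added example that is not Lenovo's removal tool or anything from the original post: the Superfish software installs its own root certificate in the Windows trusted root store, and because every machine got the same root with the same private key, anyone holding that key can mint a certificate for any site those machines will accept. The block below parses the text that `certutil -store Root` prints on Windows and flags any root whose Subject names Superfish. The sample output is constructed in certutil's layout with placeholder serials and hashes; `check_live_root_store()` runs the real command on an affected machine.

```python
"""Look for the Superfish root in the Windows trusted root store.

Added example, not Lenovo's removal tool. SAMPLE_OUTPUT is constructed in
the layout certutil uses; the serials and hashes in it are placeholders.
"""
import platform
import re
import subprocess

SAMPLE_OUTPUT = """Root "Trusted Root Certification Authorities"
================ Certificate 0 ================
Serial Number: 01
Issuer: CN=Example Root CA, O=Example, C=US
 NotBefore: 1/1/2010 12:00 AM
 NotAfter: 1/1/2030 12:00 AM
Subject: CN=Example Root CA, O=Example, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
================ Certificate 1 ================
Serial Number: 02
Issuer: CN=Superfish, Inc., O=Superfish, Inc., L=Palo Alto, S=CA, C=US
 NotBefore: 5/12/2014 12:00 AM
 NotAfter: 5/12/2034 12:00 AM
Subject: CN=Superfish, Inc., O=Superfish, Inc., L=Palo Alto, S=CA, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc
CertUtil: -store command completed successfully.
"""

# certutil field label -> key in the parsed dict
FIELDS = {
    "Serial Number": "serial",
    "Issuer": "issuer",
    "Subject": "subject",
    "Cert Hash(sha1)": "sha1",
}
HEADER_RE = re.compile(r"^=+ Certificate \d+ =+", re.M)
LINE_RE = re.compile(r"^\s*(%s):\s*(.*)$" % "|".join(re.escape(k) for k in FIELDS))


def parse_certutil_store(text):
    """Split certutil -store output into one dict per certificate."""
    certs = []
    # Everything before the first "==== Certificate N ====" header is the store name.
    for chunk in HEADER_RE.split(text)[1:]:
        cert = {}
        for line in chunk.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            value = m.group(2).strip()
            if m.group(1) == "Cert Hash(sha1)":
                value = value.replace(" ", "")   # normalise "aa bb cc" to "aabbcc"
            cert[FIELDS[m.group(1)]] = value
        if cert:
            certs.append(cert)
    return certs


def find_superfish(certs):
    """Roots whose Subject names Superfish; match on the vendor name, not a hash."""
    return [c for c in certs if "superfish" in c.get("subject", "").lower()]


def check_live_root_store():
    """Run certutil on this machine and return any Superfish roots it reports."""
    if platform.system() != "Windows":
        raise RuntimeError("certutil is a Windows tool; run this on the affected laptop")
    out = subprocess.run(["certutil", "-store", "Root"],
                         capture_output=True, text=True, check=True).stdout
    return find_superfish(parse_certutil_store(out))


if __name__ == "__main__":
    for cert in find_superfish(parse_certutil_store(SAMPLE_OUTPUT)):
        print("Superfish root present:", cert["subject"], "sha1", cert["sha1"])
```

A hit means the root has to be deleted from the store and the Superfish software removed as well, since the software is what installed the root and would reinstall it; Firefox keeps its own certificate store, so it needs a separate look.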
Thursday, February 12, 2015
It was almost the end of the world again...
...and we're back to Facebook and how the world almost ended again.
This time because of a bug that could have opened the door to deleting every single photo on Facebook. While I don't believe it would have happened without a beast of a processor, I do think that it could have caused some major damage.
There was a bug in the code for Graph API, "a developer platform that allows websites and applications to tap into Facebook's data."
"The Graph API does not allow one user to delete another person's photos or albums. But by manipulating an access token from his mobile device, he was able to convince Facebook that the album belonged to him -- effectively allowing him access to read, write, and delete the album." - Zack Whittaker, ZDNet
The bug was so potentially damaging that Facebook had a fix out within two hours, and they rewarded the person that discovered the bug with the highest reward offered, $12,500. Not a bad day's work in my opinion!
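The class of bug described above is a missing object-level authorization check: the API trusts something about the token (here, which client it came from) instead of asking whether the caller owns the album being deleted. The block below is an added example modelling that pattern; it is not Facebook's code, and the token format, the in-memory album store, and the "mobile" app name are all assumptions. The vulnerable handler waives the ownership check for tokens issued to a trusted first-party app; the fixed handler derives the caller from the token and checks ownership on the object for every request.

```python
"""Object-level authorization for a 'delete album' endpoint.

Added example modelling the bug class, not Facebook's code. The HMAC token
format, the album store and the trusted-app list are assumptions.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"   # placeholder signing key
TRUSTED_APPS = {"mobile"}   # assumption: a first-party client with broad scopes


def issue_token(user_id, app):
    """Signed bearer token carrying the subject and the issuing app."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"sub": user_id, "app": app}).encode()).decode()
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def parse_token(token):
    """Verify the signature and return the claims; reject anything tampered with."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(payload))


def new_albums():
    """Fresh constructed album store keyed by album id."""
    return {
        "album_1": {"owner": "alice", "photos": ["p1", "p2"]},
        "album_2": {"owner": "bob", "photos": ["p3"]},
    }


def delete_album_vulnerable(albums, token, album_id):
    claims = parse_token(token)
    album = albums[album_id]
    # BUG: a valid token from a trusted app skips the ownership check entirely,
    # so any user holding such a token can delete any album by id.
    if claims["app"] not in TRUSTED_APPS and album["owner"] != claims["sub"]:
        raise PermissionError("not your album")
    del albums[album_id]
    return True


def delete_album_fixed(albums, token, album_id):
    claims = parse_token(token)
    album = albums.get(album_id)
    if album is None:
        raise KeyError(album_id)
    # Ownership is checked on the object for every caller; the issuing app
    # buys no bypass, and the caller identity comes only from the signed token.
    if album["owner"] != claims["sub"]:
        raise PermissionError("not your album")
    del albums[album_id]
    return True


def is_denied(handler, albums, token, album_id):
    """True when the handler refuses the request and leaves the store untouched."""
    before = dict(albums)
    try:
        handler(albums, token, album_id)
    except PermissionError:
        return albums == before
    return False


if __name__ == "__main__":
    bob_mobile = issue_token("bob", "mobile")
    store = new_albums()
    print("vulnerable: bob deletes alice's album ->",
          delete_album_vulnerable(store, bob_mobile, "album_1"))
    store = new_albums()
    print("fixed: bob denied ->", is_denied(delete_album_fixed, store, bob_mobile, "album_1"))
```

The test for this kind of bug is the same as the reporter's: take a token for user B, request an object owned by user A, and confirm the server refuses; any token type or client that makes that request succeed is the flaw.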
Saturday, February 7, 2015
Taxes and death...
It is that time of year again; people all over the country are receiving their W-2's and filing their taxes. It is also time for fraudsters to come out of the woodwork and work their magic.
Tax software goliath Intuit had an issue last week with TurboTax and state tax filings. Some people logged in to file their taxes and found their state returns already filed when they hadn't done so themselves.
The faked filings were not due to a security breach, which makes me happy since I have used TurboTax for the last 10 years. At this point I have already filed and received my refunds (however paltry they were this year...damn you scholarships and the American Opportunity Tax Act!!)
Fraudsters can easily go to an underground website to purchase personal data suitable for filing bogus tax claims, an identity-management specialist noted in comments to USA Today.
Intuit has instituted additional security measures, and anyone affected by this tax fraud is being offered identity protection services and free credit monitoring.
Saturday, January 31, 2015
The end was nigh...
The world ended for around an hour this past week when *gasp* Facebook, Instagram and Tinder were down. There was mass hysteria on Twitter with people freaking out as if the world was literally ending. We have now reached the moment in time when humans are too dependent on social media.
In other news, we're still rushing headlong into the reality of Idiocracy.
Facebook says the outage "occurred after we introduced a change that affected our configuration systems."
That's it. A simple thing that companies do every day, and this time it didn't work. They were not hacked, despite Lizard Squad tweeting about it. But these days it seems easier to blame hackers and DDoS attacks than to believe that a company can make a mistake.
Saturday, January 24, 2015
My Buffer Overfloweth...
While doing research into the latest assignment I found a pretty cool tutorial so you can try out your own Buffer Overflow attack. While I did not try it myself (I ain't got time for that!) and it looks like I will need a few more skills under my belt, it could be something to play around with in the future.
In other news, the government and law enforcement are corrupt. (But that isn't really news.)
Barrett Brown, a journalist, is now serving a prison sentence of 5 years on federal charges of obstructing a search warrant, making Internet threats, and being an accessory to unauthorized access of a protected computer.
In this case, obstructing a search warrant is for hiding his laptop; making Internet threats was towards the douchebag FBI agent that threatened his mother (and of course no charges were brought against the agent); and the last one is a load of bullshit:
The sentencing ends nearly three years of legal wrangling for Brown, who first attracted the attention of law enforcement officials in 2011 when he copied a hyperlink to data stolen in a hack of security think tank Strategic Forecasting, or Stratfor, from one Internet Relay Chat (IRC) channel to another. The hack reportedly yielded 200 gigabytes of data, including e-mails and credit card information from Stratfor clients, which include the US Army, US Air Force and Miami Police Department.
Despite Brown's lack of hacking skills, prosecutors argued that the act of posting a link to the data made him a party to the crime. Seeking to have the charge dismissed, Brown's attorneys argued in a court motion (PDF) that Brown did not "transfer" the stolen data but merely republished a public link to information that was already in the public domain.
Now this is especially worrisome, even for the general public, because copying and pasting links is not a new thing, nor is it hard. Anyone can do it and probably has done it.
We live in a time when we have governments spying on their own people and getting away with it, when whistleblowers are seen as anti-American, and a society that values its privacy but condemns those that try to show the corruption. It is about time the people see what is happening and do something about it.
While the hyperlink charge was ultimately dropped, Brown said the prosecution revisited the link charge during a December sentencing hearing as "relevant conduct" that should be considered in deciding Brown's punishment. "The fact that the government has still asked you to punish me for that link is proof, if any more were needed, that those of us who advocate against secrecy are to be pursued without regard for the rule of law, or even common decency," Brown said in a presentencing statement to the court.
Sunday, January 18, 2015
#JeSuisCharlie: How a terror attack is now a malware attack
Organized malware operators are using a tragic terror attack as a lure to spread malware. This time they are taking advantage of the tragic shootings in France at Charlie Hebdo and around the country.
According to this Forbes article the malware is hidden within a picture of a newborn baby with a hospital wristband that reads Je Suis Charlie. The payload is a remote access trojan (RAT) that lets the attacker take over the machine.
These type of attacks have happened in the past; the Red Cross in the aftermath of the earthquake in Haiti is a prime example.
Don't click random links folks.
As a follow-up to my previous post, it seems that I was not totally off base with my distrust of the FBI and their claim that the North Koreans were the hackers in the Sony incident. The evidence just doesn't add up.
Thursday, January 8, 2015
North Korea and stupid movies...
While on winter break between terms a movie called The Interview was scheduled to be released. It sounded like just another of Seth Rogen and James Franco's stupid movies. Overall it was terrible. I admit it I watched it. However there was no way I'd ever pay for it and I didn't. Which in itself is a good thing because it would have been a colossal waste of money.
The entire controversy surrounding the movie is that, supposedly*, hackers (which the FBI states were the North Korean government) attacked Sony and released a bunch of information, including personal information on employees and celebs. (* - I don't believe a damn thing news outlets or the FBI/CIA/NSA say without more proof.) There were also threats of terrorist attacks on theaters that screened the movie domestically. Sony caved and the movie was not released. Then the actors, the President and consumers pressured Sony to release it. It was released in some theaters, but mostly it was released online. Overall it was a good way to release movies and I hope that Sony will look to that in the future.
Now in the aftermath, the President has imposed sanctions against North Korea. I don't believe for a second that this will stop the hacking of Sony or any other top tier companies. However maybe this attack will strengthen the security measures Sony uses and helps educate their employees on how to protect themselves at work and at home.
C|Net article on the sanctions.