feeds

by zer0x0ne — on


some of my favourite websites: null byte, the hackers news, hackaday, pen test partners, cso online, infosec writers, security week, xkcd



xkcd

Retrieved title: xkcd.com, 3 item(s)
Allow Captcha

To prove you're human, please click all the number pairs that appear together in your Social Security number.

Solar System Compression Artifacts

Most of our universe consists of dark matter rendered completely undetectable by our spacetime codec's dynamic range issues.

Pulsar Analogy

The #2 cause of astronomer hand injuries is trying to do vector math when the second axis points off to the right.

security week

Retrieved title: SecurityWeek RSS Feed, 3 item(s)
Chipmaker Intel Corp. Blames Internal Error on Data Leak

The computer chipmaker Intel Corp. on Friday blamed an internal error for a data leak that prompted it to release a quarterly earnings report early. It said its corporate network was not compromised.


SonicWall Says Internal Systems Targeted by Hackers Exploiting Zero-Day Flaws

[UPDATE] Cybersecurity firm SonicWall said late on Friday that some of its internal systems were targeted by “highly sophisticated threat actors” exploiting what appear to be zero-day vulnerabilities affecting some of the company’s products.


Microsoft Edge Adds Password Generator, Drops Support for Flash, FTP

Microsoft has shipped the stable version of the Microsoft Edge 88 browser, featuring a brand new Password Generator and the ability to alert on compromised credentials. The browser refresh also drops support for the FTP protocol and for the Adobe Flash plugin.


pen test partners

Retrieved title: Pen Test Partners, 3 item(s)
Three Word Passwords

Introduction

The National Cyber Security Centre (NCSC) has advocated the use of three random words to create strong passwords for several years, and that advice has recently been repeated by the National Crime Agency and multiple police forces in the UK… but just how strong are these passwords?

Before we go there, we should acknowledge that most people have one or two weak passwords that they use on multiple sites & systems. One of those is breached, which results in other accounts being compromised through password stuffing. The NCSC advice is good in comparison to that low bar.

But we were surprised to see that password managers weren’t in the top 5 actions from NCSC. Here’s why they are so important:

The numbers

The English language has a huge number of words: the online Oxford English Dictionary has over 600,000, but only around 171,000 are in current use. If we chose three random words from the words in current use, we’d have a search space of around 5,000 trillion. Yes, that is a lot, but modern GPUs are fast… really fast. One of our dedicated password crackers can search about 20 billion passwords every second from a disk-based wordlist (the hashcat benchmark is about 185 GH/s). At that speed we could crack a three-word password in around 4 days.

The problem with this advice is that no one knows 171,000 words. Estimates of the number of words that a university-educated person knows are around 40,000, so we created a dictionary of the 66,000 most commonly used words, hoping that it would cover most of the words that most people would tend to choose. This reduced our search space by about 17 times, allowing us to search all likely three-word passwords in only 6 hours! Hmmm, it’s not looking good for ThreeRandomWords…

Official recommendation

Source: https://www.ncsc.gov.uk/cyberaware/home

We took an interest in the example password of “RedPantsTree” given on the NCSC site. All of these words are easily in the top 30,000 most common words, but we decided to attack it with our big dictionary to simulate a more realistic attack time. We also added in the NTLM hash for “SuperfluousExonerateSerendipity” to show that even choosing less commonly thought of words is still an issue.

The NCSC password was cracked in about 4 hours, with the whole search space, including our uncommon three-word password, completed in around 6.5 hours.

Session..........: papa_WWW
Status...........: Running
Hash.Name........: NTLM
Hash.Target......: /home/papa/threerandomwords.ntlm
Time.Started.....: Wed Jan  6 12:28:06 2021 (4 hours, 8 mins)
Time.Estimated...: Wed Jan  6 19:15:33 2021 (2 hours, 38 mins)
Guess.Base.......: File (/opt/dictionaries/papa/english-66k-upperupper.txt), Left Side
Guess.Mod........: File (/opt/dictionaries/papa/english-66k-upper.txt), Right Side
Recovered........: 0/3 (0.00%) Digests
Progress.........: 272600599101440/427621521183219 (63.75%)
Rejected.........: 0/272600599101440 (0.00%)
Restore.Point....: 3616604160/5675964921 (63.72%)
Candidates.#1....: OwainLawyersAugury -> OwenSuckedAvertir
Candidates.#2....: OviedoClaudianLatex -> OwainLawyerLeahy
Candidates.#3....: OverysselSightedPreviously -> OviedoClaudiaProclamations
Candidates.#4....: OverworkInterrogationsWiry -> OverysselSightWo

de947fd0bbd9f4f5c65a5d802cae1597:RedPantsTree
.
.
f654100d842b2f6f68efeddcec2973bb:SuperfluousExonerateSerendipity

CorrectHorseBatteryStaple

Source: https://xkcd.com/936/

What about using four words… does that work? Well, it does make things more difficult, but again it depends on how commonly used the words are and how big the attacker’s dictionary is. The first three words of the xkcd example are really common and appear in the top 5,000 of every frequency list that I’ve seen. Staple is less common and is usually in position 18,000 to 20,000. So actually cracking that specific four-word password, encoded as an NTLM hash, would take about 5 months on one of our password cracking servers.

Cracking characteristics

Although it only takes about 6 hours to run through all of the three-word passwords, that is exclusively for words with an uppercase first character. If we want to crack all lowercase, that would be an extra 6 hours, add a “1” or a “!” at the end, and that’s an extra 6 hours. So, if an attacker compromised your Windows domain and everyone was using NCSC recommendations would it take forever to crack? Well, counterintuitively, it takes the same amount of time to crack 1,000 passwords as it takes to crack just 1, so if your NTLM hashes are compromised, within a couple of days, an attacker would have compromised most of your passwords. With the NCSC advice to also not expire passwords, cracking even a four-word password in 5 months could still be an issue.
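To make the arithmetic of the last three sections reproducible, here is an added example (not code from the Pen Test Partners post) that models the search space and exhaustive-cracking time for the dictionary sizes, word counts and variant forms discussed above. It assumes the page’s figure of roughly 20 billion NTLM candidates per second and a frequency-ordered attacker dictionary whose required size is set by the rarest word in the password; the 5,000 and 20,000 ranks for the xkcd words are taken from the text.

```python
"""Search-space and exhaustive-cracking-time model for N-random-word passwords.

Added example, not code from the post. Assumptions: the hash is fast and unsalted
(NTLM), the attacker tries every ordered combination of words from a
frequency-ordered dictionary, and the guess rate is the page's ~20 billion/s.
"""
from __future__ import annotations

from dataclasses import dataclass

GUESSES_PER_SECOND = 20_000_000_000  # page's figure for one dedicated cracking rig


@dataclass(frozen=True)
class Scenario:
    name: str
    dictionary_size: int   # number of words in the attacker's list
    words: int             # words per password
    variants: int = 1      # capitalisation / suffix forms tried per combination

    def search_space(self) -> int:
        """Every ordered combination of words, times the variant forms tried."""
        return self.dictionary_size ** self.words * self.variants

    def seconds_to_exhaust(self, rate: int = GUESSES_PER_SECOND) -> float:
        """Worst case: the whole space is searched. With unsalted hashes the time is
        the same whether 1 or 10,000 hashes are loaded, which is the post's point."""
        return self.search_space() / rate


def minimum_dictionary_for(word_ranks: list[int]) -> int:
    """Smallest frequency-ordered dictionary that contains every word of a password.
    Its size is set by the rarest word (highest rank), so one uncommon word does
    more for strength than three common ones."""
    return max(word_ranks)


def crack_time_for_ranks(word_ranks: list[int], variants: int = 1,
                         rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the smallest dictionary that could hold the password."""
    size = minimum_dictionary_for(word_ranks)
    return Scenario("derived", size, len(word_ranks), variants).seconds_to_exhaust(rate)


def human_duration(seconds: float) -> str:
    """Round a duration to the largest sensible unit for a report."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for label, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {label}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    scenarios = [
        Scenario("3 words, 171k words in current use", 171_000, 3),
        Scenario("3 words, 66k common words", 66_000, 3),
        Scenario("3 words, 66k, Capitalised/lowercase/+1/+! forms", 66_000, 3, variants=4),
        Scenario("4 words, 66k common words", 66_000, 4),
    ]
    for s in scenarios:
        print(f"{s.name:50s} {s.search_space():>24,d}  {human_duration(s.seconds_to_exhaust())}")
    # xkcd-style: three very common words (rank ~5,000) and one rarer word (rank ~20,000)
    xkcd_ranks = [5_000, 5_000, 5_000, 20_000]
    print("rank-based estimate for a CorrectHorseBatteryStaple-style password:",
          human_duration(crack_time_for_ranks(xkcd_ranks)))
```

The 171k and 66k three-word cases reproduce the post's 5,000 trillion space and 17x reduction; the rank-based estimate for the four-word case is deliberately a lower bound, since a real attacker does not know the exact rank of the rarest word in advance.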

What to do?

At Pen Test Partners, our IT team install a password manager by default on all managed devices. A password manager creates randomly-generated passwords that are super strong, and encrypts them for secure storage. I have no idea what 99% of my passwords are – they are all stored in my password manager, and it really doesn’t matter that I don’t know what they are. The password manager logs me into any system I need, quicker than I could type amonie and Password1!

For more sensitive systems, and anything that’s internet-facing, we also advise the use of Two-Factor Authentication (2FA). That means that even if your password is compromised, an attacker still can’t log in without your secondary authentication.

If you manage a Windows domain, we also recommend doing regular password audits. Our password auditing tool, Papa, now checks for three random word passwords in various formats and we spend several days of cracking time now, just on the three-word passwords.

The post Three Word Passwords first appeared on Pen Test Partners.

Cyber Security advice for Finance staff

Working in the finance team at PTP I’m constantly reminded just how little attention is paid to hacking and cyber crime in accounting and finance training and education.

When I was studying for my AAT qualification we did a whole module on finance fraud; our obligations, how to spot fraud, etc. but there was nothing on security or hacking.

FYI Jasmine Fiscal is not my real name 😉

However, pretty much from my first day here I was shown just how important my cyber vigilance and understanding are to the business. Why? Because people working in finance are the ideal target for hackers; we’re a direct conduit to the money.

To fill that cyber / finance knowledge gap I thought I’d share some things that will reduce the risk of you being exploited by hackers. These are some basic questions to ask yourself in your daily finance role:

  • When you receive an invoice do you check the bank details?
  • If it’s an invoice from someone you’ve not paid before; new supplier, the plumber that came to fix your boiler, do you search the web for contact details then phone to confirm the bank details?
  • Do you know how to spot a dodgy email that, on the face of it, looks legitimate?
  • Do you click on a link in an email, or open an attachment without stopping to think first?

Let me help you answer those questions.

Validating bank details

A simple task, that everyone in Finance or Accounting should get used to, is validating bank details.

If you’re going to be making a payment, or regular payments, it’s essential that you check the exact account name, sort code and account number of every new payee. Trusting the information in an email without checking has led to countless losses for companies, and continues to be a problem.

Make it part of your client on-boarding process.

It only takes a phone call.

Email trust and domain checking

I’ve seen just how easy it is for a hacker (Ms X) to create an email address that looks incredibly similar to an email address you should recognise. For example, if I had a supplier called EcoGreen, their domain (the bit after the @ symbol) might be ‘ecogreen.co.uk’.

If I received an email from ‘finance@ec0green.co.uk’ I may not spot that the letter o has been replaced with the number zero.

If the content and details of that email didn’t cause suspicion I might act on the email, making it a successful hack by Ms X: she will now be receiving all the money I think I’m sending to EcoGreen. Errors like this can go unnoticed for months.
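A check a finance team’s mail tooling could run on every invoice sender, as an added example that is not part of the original post: it folds easy-to-miss character substitutions (0 for o, 1 for l, rn for m) and flags a sender domain that then matches, or sits one edit away from, a trusted supplier domain. The trusted-domain list, the confusable set and the sample addresses are assumptions constructed for the example.

```python
"""Lookalike-domain check for invoice and payment-request senders.

Added example, not code from the post. Assumes the finance team keeps a list of
trusted supplier domains and can check a message's From header before acting on it.
"""
from __future__ import annotations

from typing import Optional

# Substitutions that are easy to miss when reading an address (assumed set).
# Multi-character keys come first so "rn" is folded before "n" could be touched.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold(domain: str) -> str:
    """Lower-case the domain and collapse confusable sequences to the letters they imitate."""
    d = domain.strip().lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so one inserted, dropped or swapped character still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From header such as 'Jane <finance@ec0green.co.uk>'."""
    address = from_header.strip().rstrip(">")
    return address.rpartition("@")[2].strip().lower()


def classify_sender(from_header: str, trusted: set[str]) -> tuple[str, Optional[str]]:
    """Return ("trusted", domain) for a known supplier, ("lookalike", imitated_domain)
    when the sender imitates one, or ("unknown", None) when it resembles nothing trusted.
    A "lookalike" verdict is the cue to phone the supplier on a number found independently."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted", domain
    folded = fold(domain)
    for t in sorted(trusted):
        if folded == fold(t) or edit_distance(folded, fold(t)) <= 1:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    suppliers = {"ecogreen.co.uk"}  # constructed trusted-supplier list
    for sender in ("finance@ecogreen.co.uk", "finance@ec0green.co.uk",
                   "Accounts <accounts@ecogreen.co.uk>", "billing@ecogreen-payments.com"):
        verdict, target = classify_sender(sender, suppliers)
        print(f"{sender:40s} -> {verdict}" + (f" (imitates {target})" if target else ""))
```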

Instincts are definitely your friend. Often I’ll get an email that just looks odd. Maybe the language is not what I’d expect, the greeting isn’t the usual greeting, and what the email is saying or asking isn’t right or as you’d expect.

Sometimes an email that looks dodgy will actually be genuine BUT if your spidey senses do tingle then check it out before doing anything. If in doubt, get in touch with the contact by a trusted phone number, or do an internet search to find the details – DO NOT SIMPLY TRUST THE DETAILS IN THE EMAIL.

It’s always better to ask the question and be wrong than ignore it and be the cause of the company being hacked or held to ransom. Also, an email phish or hack will often threaten something: “if you don’t do that then this will happen!”. This is especially common in private or personal emails. They will try to frighten you to elicit a reaction before you can stop to think or look closely.

I am always suspicious if I receive a threatening email like that; if I ignore it then guess what… nothing happens.

How are emails spoofed?

How does Ms X get the information she needs in order to spoof an email like this? Mostly by internet research. Looking at the company website can provide information, names and even email addresses. There’s also Facebook, Twitter and LinkedIn; these days it just takes one careless post by an employee and that’s all Ms X needs. For example, a Twitter post by an employee saying something like this:

Now, with just 2 sentences Ms X has found out the size of the company, and the sort of bills the company will be expecting to receive and from whom. With a little more digging Ms X finds another employee on LinkedIn with the job title “Finance Assistant”.

So all Ms X needs to do now is to create a domain that looks like the hotel’s domain, and who would question it?

There’s a phone call for you…

It’s not all IT though; you have the good old fashioned telephone. Ms X just has to call and ask for finance. She could pretend to be from HMRC, for example. If someone phoned you saying they were HMRC, who wouldn’t be a rabbit in headlights? This happened to me a while back; the person had done their research and had enough information to sound plausible.

One thing that really should’ve made me suspicious is that he was offering help with a tax issue. Those that have had any dealings with HMRC will know that they NEVER offer help. Just because someone says they’re an authority figure doesn’t mean you can’t challenge them. We teach our children about Stranger Danger; this is not that different.

Potentially in that telephone call Ms X can find out the name or names of the finance team, directors, partners, email addresses, what finance software the company uses, and possibly much more that can be used in CEO fraud or Business Email Compromise.

CEO / invoice fraud

Here is another scenario: if you received an email that, on first glance, appeared to be from the CEO asking you to “just pay this invoice for me”, would you question it? Would you double check the email address it came from?

You receive an email supposedly from the CEO, Mr Smith:

Why would you doubt an email like this? They’re at the top, it’s their business, so you go ahead and pay it.

This kind of fraud is on the rise, helped by the current isolation of workers. In normal circumstances you may ask the person next to you or shout over to the boss, but, with remote working you are less likely to want to bother someone with a call or email and as a result will pay it.

What can you do?

It’s on businesses to ensure that systems are put in place to protect against fraud, phishing, etc., but it is also our responsibility as gatekeepers to be vigilant and question everything and everyone, no matter their seniority level.

We have a right to expect our employers to do everything in their power to protect us from fraudsters.  We also have a responsibility to do everything in our power to protect our employers from fraudsters.

I think the key thing for us in finance teams is (sadly) to have a suspicious mind. Thinking about the business you are in:

  • Does your company have email security filters?
  • Do you and your team have checks and safety procedures in place?
  • Is there a culture of accountability?

If sharing my fails and the lessons I’ve learnt helps just one person out there then I’m happy. Remember:

  • Stranger Danger
  • EVERYONE is accountable
  • Listen to your spidey senses
  • Find contact details on the internet – not from the documents sent to you
  • If you’re not sure then share your concerns or question it anyway.

Don’t be isolated, especially at the moment during the lockdowns. Use the company messaging software if there is one. If not, consider setting up a WhatsApp group or similar. If you do get caught out then share your experience so others can learn the lesson.

The post Cyber Security advice for Finance staff first appeared on Pen Test Partners.

Azure AD. Attack of the Default Config

Uncloaking dangerous and default configurations within Azure.

TL;DR

There are several default configurations within the admin portal of Azure. The main affected area is Azure Active Directory (Azure AD) which is the primary area that controls user authentication, group memberships and privileges. The utilisation of these configurations can create several attack vectors that could be chained together to compromise the environment. The most significant issues concern app registrations that allow users to register and give permissions to third-party apps.

Introduction

With the cloud taking over the information technology world, it is easy to overlook the default, out-of-the-box configurations that can be hard to find or that appear innocent and low risk/impact. Pilgrims on the cloud journey are often aware, and regularly reminded, of the risks that come with such accessible technology. But are there enough clear, concise and up-to-date resources on how to mitigate these new dangers? Is that even possible when a platform undergoes as many updates and feature releases as Microsoft’s cloud platform does?

This blog will outline and discuss several troublesome default configurations that can undermine the security and control of your environment(s). It should be noted that this is not a step-by-step tutorial on how to attack Azure tenants – it is a guide on how defenders can improve their security to restrict their ever-growing threat landscapes. Lastly, I am not aiming for this to be a definitive list, but a list of the most significant configurations/issues.

AZURE AD

PORTAL ACCESS

Configuration Name: ‘Restrict access to Azure AD administration portal’

Configuration Location: Azure Active Directory -> User settings

Default Setting(s): No

This configuration restricts access to the Azure AD administrative portal within the Azure Portal (https://portal.azure.com). However, the default value is ‘No’, which allows any user within the tenant to enumerate various configurations, users, groups, devices and interconnected apps. This information may not result in a direct compromise, but it would assist an attacker as they can see what safeguards are in place, who to target and what avenues are available.

This unrestricted access is not typically necessary in daily operations, as the users who require it can be granted access via administrative roles/groups.

On another note, this configuration only restricts access to the Azure AD section of the Azure Portal, meaning that users can still browse to https://portal.azure.com. This is not ideal if you do not use Azure or if you have not correctly configured RBAC (Role-based Access Control) on your Azure management groups/subscriptions. I have had several experiences where I have managed to sign customers up to the free trial of Azure using a non-privileged account without having to specify billing information as the clients had active Office 365 subscriptions.

Signing up for a trial will give the attacker full admin rights to the Azure environment, which can be utilised to implement various services such as Azure Virtual Machines. The repercussions of this can lead to financial and/or reputational damage as an attacker could create VMs to mine cryptocurrencies, to attack other targets or to host malicious files/resources. Restricting access to the entire portal can only be achieved with the use of Conditional Access Policies within Azure. Please see external references for a link on how to implement such a policy.

GUEST INVITE SETTINGS:

Configuration Name: ‘Members can invite’

Configuration Name: ‘Guests can invite’

Configuration Location: Azure Active Directory -> External Identities -> External collaboration settings

Default Setting(s): Yes

This setting allows anyone in your Azure AD tenant to create guest accounts for external users, which adds to the theme of the IT department losing control of their platform. Guest users could be used to view sensitive data if there are lax data protection configurations and/or other misconfigurations in the environment. An attacker will typically keep guest accounts as ‘backdoor’ accounts to fall back on if their primary access is detected and blocked. Furthermore, these users can also enumerate users, groups and various other information if abused.

Remediating this issue is as easy as switching the toggle to ‘No’. This setting will not entirely remove this functionality as admins and users with the ‘guest inviter’ role can invite guests.

GROUP CREATION:

Configuration Name: ‘Users can create security groups in Azure portals’

Configuration Name: ‘Users can create Microsoft 365 groups in Azure portals’

Configuration Location: Azure Active Directory -> Groups -> General

Default Setting(s): Yes

This might appear innocent, if infuriating to organised IT departments with a well-designed AD structure; however, it can be combined with another default configuration to cause mass exploitation of the environment(s). An attacker could create a security group that contains all Azure AD users, or just a handful of administrative users, to start a chain of attack, which will be expanded upon in the next section.

APP REGISTRATION + CONSENT:

Configuration Name: ‘Users can register applications’

Configuration Location: Azure Active Directory -> User settings

Default Setting(s): Yes

Configuration Name: ‘Users can consent to apps accessing company data on their behalf’

Configuration Name: ‘Users can consent to apps accessing company data for the groups they own’

Configuration Location: Azure Active Directory -> Enterprise applications -> User settings

Default Setting(s): Yes

Configuration Name: ‘User consent for applications’

Default Setting(s): ‘Allow user consent for apps’

Configuration Name: ‘Group owner consent for apps accessing data’

Default Setting(s): ‘Allow group owner consent for all group owners’

Configuration Location: Azure Active Directory -> Enterprise applications -> Consent and permissions

These default settings open the users and environment up to dangerous attack vectors, which can easily be manipulated and leveraged to compromise users and your platform. There are two main angles I want to cover – the insider threat and the outside phishing threat, but ultimately these can go hand-in-hand.

INSIDER THREAT:

Insider threats could access the ‘Microsoft Azure Management’ app (Azure portal, Azure PowerShell and others) to create a security group (as mentioned in the previous section) and consent to a malicious app on behalf of the organisation and the group’s members. “It’s just an app, nothing that serious can happen?” These applications can request whatever permissions they want. For example, the app could demand read and write permissions to your mail, profile, files, calendars — the list goes on. The repercussions could be massive if the attacker has the right imagination.

PHISHING/SOCIAL ENGINEERING:

Similar to before, an attacker can create a publicly accessible Azure app and pass the URL to a victim via several methods such as vishing, phishing, and DNS tampering on a local network. Once the user is directed to the page, they are presented with an official Microsoft page that lists the permissions and has an ‘Accept’ or ‘Cancel’ button. Users are more than likely to click accept due to several factors. For example, the UI pushes the user into clicking the vibrant blue button on the page, and because it is an official Microsoft page. All it takes is for one user to click accept then the account is compromised, and the environment is in danger.

Legacy authentication

I want to dedicate this section to Legacy Authentication, which is supported by default* but cannot be blocked without an Azure AD license that grants access to Conditional Access policies. There are several available licenses, but the primary ones are Azure AD P1 and P2. Please refer to Microsoft’s official documentation (one link is listed in ‘External References’) for a full list of each subscription and its features.

Conditional Access policies are a fundamental part of cloud security in Azure, as they allow you to set strict rules and restrictions within your tenant. For example, you can dictate authentication and access to specific resources by IP address, geographical location and other factors.

Legacy authentication is the support for users to authenticate against Azure AD and other services using less secure, legacy protocols/applications, which typically lack modern security capabilities such as multi-factor authentication (MFA). Autodiscover, Exchange Online PowerShell, MAPI and POP3 are examples of legacy authentication protocols. This makes legacy authentication the most popular target for brute-force attacks, as Azure cannot enforce modern security controls such as MFA on these sign-ins.

There are a few different ways to detect the usage of, and support for, legacy authentication. My preferred method is to go to Azure AD -> Sign-ins and add two filters (Client App and Status). Once you have selected the relevant values, it will show you a list of all sign-ins using such protocols.
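The same Client App and Status filters can be applied to exported sign-in records, as in this added example (not code from the post). It assumes JSON-lines records in the shape of the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, ipAddress, status.errorCode), a legacy client-app list assumed from the sign-in log’s Client App filter values, and constructed sample records that include a burst of failed POP3 logins against several accounts from one IP.

```python
"""Summarise legacy-authentication sign-ins from exported Azure AD sign-in records.

Added example, not code from the post. Assumed record shape: JSON lines carrying the
Microsoft Graph signIn fields userPrincipalName, clientAppUsed, ipAddress and
status.errorCode (0 = success). Error code 50126 (invalid username or password)
is used for the failed attempts in the constructed sample below.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict

# Legacy (basic auth) values of the sign-in log's Client App filter. The post names
# Autodiscover, Exchange Online PowerShell, MAPI and POP3; the others are assumed from
# the filter's legacy group. "Browser" and "Mobile Apps and Desktop clients" are modern.
LEGACY_CLIENT_APPS = {
    "Autodiscover", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4", "MAPI Over HTTP",
    "Other clients", "Outlook Anywhere (RPC over HTTP)", "POP3", "SMTP",
}

# Constructed sample: modern sign-ins, two users still on legacy protocols, and one
# source IP attempting POP3 logins against four different accounts in quick succession.
SAMPLE_LOG = """\
{"createdDateTime": "2021-01-20T08:01:12Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-20T08:03:40Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "ipAddress": "203.0.113.11", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-20T08:05:02Z", "userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.12", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-20T08:09:55Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange Online PowerShell", "ipAddress": "203.0.113.11", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-20T08:10:01Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "POP3", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-20T08:10:02Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-20T08:10:03Z", "userPrincipalName": "carol@example.com", "clientAppUsed": "POP3", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-20T08:10:04Z", "userPrincipalName": "dave@example.com", "clientAppUsed": "POP3", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-20T08:12:30Z", "userPrincipalName": "dave@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.13", "status": {"errorCode": 0}}
"""


def is_legacy(client_app: str) -> bool:
    """True when the Client App value is one of the legacy-authentication protocols."""
    return client_app in LEGACY_CLIENT_APPS


def summarize_sign_ins(lines, spray_threshold: int = 3) -> dict:
    """Report which users and protocols still use legacy auth successfully (work to do
    before blocking it) and which source IPs fail legacy logins across many accounts."""
    success_by_protocol: Counter = Counter()
    users_with_legacy: set[str] = set()
    failed_by_ip: Counter = Counter()
    failed_users_by_ip: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        app = rec.get("clientAppUsed", "")
        if not is_legacy(app):
            continue  # modern auth: Conditional Access and MFA can cover it
        user = rec.get("userPrincipalName", "?")
        ip = rec.get("ipAddress", "?")
        if rec.get("status", {}).get("errorCode", 0) == 0:
            success_by_protocol[app] += 1
            users_with_legacy.add(user)
        else:
            failed_by_ip[ip] += 1
            failed_users_by_ip[ip].add(user)
    # Failures from one IP spread over many accounts is the brute-force pattern that
    # legacy endpoints attract, because MFA cannot be enforced on them.
    suspect_ips = sorted(ip for ip, users in failed_users_by_ip.items()
                         if len(users) >= spray_threshold)
    return {
        "legacy_success_by_protocol": dict(success_by_protocol),
        "users_with_legacy_success": users_with_legacy,
        "failed_legacy_by_ip": dict(failed_by_ip),
        "suspect_ips": suspect_ips,
    }


if __name__ == "__main__":
    report = summarize_sign_ins(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```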

Microsoft announced the end of support for Basic/Legacy Authentication back in 2019 but Microsoft and the world (COVID) had different plans, which has resulted in it still being supported (partially). Microsoft has planned a soft date for the second half of 2021, but more news is yet to come. I have created the below table to easily explain this partial support.

Tenant Type/Creation                                   | Supported by Default?
Tenant created before October 2019                     | Yes
Tenant w/o any recorded legacy usage from October 2020 | No

Either way, I would not trust Microsoft to secure your environment for you – I would recommend that you implement these configurations yourself.

Conclusion

There is a lot of information here regarding dangerous default configurations that come with every new Azure tenant. It is baffling, but it is also understandable from a high-level perspective: it seems like Microsoft gives you (the customer) a blank slate that is fully customisable to your needs and your risk appetite. However, the lack of guided instructions when you create an account, and the lack of clear and concise documentation, fertilise the growth of unsecured cloud environments.

Following on from the section regarding social engineering, I personally believe that cloud-focused social engineering attacks such as phishing are more successful than generic pretexts due to the lack of awareness and training around ‘the cloud’ and social engineering attacks using Microsoft apps.

The same advice applies for cloud platforms as it does for other areas of IT security – regular penetration testing, monitoring and auditing form a major part of cloud security. There’s more about cloud and DevOps security here.

External References

Conditional Access to Azure Management
https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

Conditional Access to Azure Management by Named Location
https://docs.microsoft.com/en-us/answers/questions/112173/can-we-restrict-azure-portal-httpsportalazurecom-a.html

Azure AD License Comparison and Price
https://azure.microsoft.com/en-gb/pricing/details/active-directory/

Blocking Legacy Authentication
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication

The post Azure AD. Attack of the Default Config first appeared on Pen Test Partners.

tech-wreck infosec blog

Retrieved title: Tech-Wreck InfoSec Blog, 3 item(s)
Security Flaws & Fixes - W/E - 1/22/21

Apple Removes Filter that Let Its Apps Avoid Firewalls (01/18/2021)
A feature that allowed Apple apps to bypass third-party firewalls, security tools, and VPN apps in macOS is being removed by the firm. Approximately 50 apps including the App Store, Apple Music, and software updates were part of a "ContentFilterExclusionList" that allowed these programs to be routed around computer security tools. Security researcher Patrick Wardle, who first identified the list, stated on his Patreon blog, "Many (rightfully) asked, 'What good is a firewall if it can't block all traffic?' I of course also wondered if malware could abuse these 'excluded' items to generate network traffic that could surreptitiously bypass any socket filter firewall. Unfortunately, the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items and generate undetected network traffic." The company says that with the release of macOS Big Sur 11.2, Apple apps will no longer be able to bypass firewalls and other security tools.

Cisco Fixes RCE Bugs in SD-WAN and Cloud Manager Software (01/20/2021)
Cisco has released security updates to address remote code execution vulnerabilities affecting multiple SD-WAN products and the Smart Software Manager for Cisco cloud licenses. Unauthenticated attackers can remotely exploit buffer overflow and command injection bugs to execute arbitrary code or run arbitrary commands on the operating system of devices running vulnerable releases of the software packages. "The vulnerabilities are not dependent on one another," Cisco explains. "Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability." The company says that the issues were found by Cisco security researchers during internal testing of the affected products, stating they are not aware of any public announcements or malicious use of the vulnerabilities described in the advisory.

NSA Warns that Enterprise Use of DNS over HTTPS Is Not Secure (01/18/2021)
The US National Security Agency (NSA) is warning businesses that the use of encrypted DNS services can lead to a false sense of security and even disrupt their own DNS-monitoring tools. According to the NSA's guidance, DNS over HTTPS (DoH) can improve consumer privacy and integrity by protecting DNS traffic between a client and a DNS resolver from unauthorized access. This can help to prevent eavesdropping and manipulation of DNS traffic. "For enterprise networks, however, NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information." External DNS resolvers, such as those relying on outside DoH servers, should be disabled and blocked.

Researchers Win $50k Bug Bounty for Finding Apple Flaw (01/18/2021)
Two security researchers earned a $50,000 bug bounty from Apple after uncovering a critical flaw in the company's internal travel portal. Rahul Maini and Harsh Jaiswal discovered three exposed Apple servers, including two apparently used by Apple employees to make travel arrangements. This portal is designed to be accessible only to users with valid credentials, but the researchers discovered a misconfiguration in the open source Lucee script that gave them access to files without being authenticated. Ultimately, they were able to exploit the flaw to create a webshell on the Apple servers to execute arbitrary code. According to Security Week, the tests were conducted without triggering Apple's Web application firewall. Jaiswal and Maini said Apple decided to award them a $50,000 bug bounty after being informed about the vulnerabilities. Lucee developers were also contacted and they have also taken steps to mitigate this type of attack.

Malware Watch - W/E - 1/22/21

164 Adware Apps Removed from Google Play Store (01/18/2021)
Google has removed 164 apps from its Google Play Store for delivering out of context ads. In total, the apps were downloaded 10 million times according to researchers with WhiteOps Satori Threat Intelligence. The apps mimic legitimate apps in both name and functionality "only to then trick the user into seeing a whole bunch of unexpected ads," the researchers report. The ads from these "CopyCatz" apps are controlled by a command-and-control JSON program hosted on Dropbox, with the open-source Evernote job scheduler embedded and used as a persistence mechanism. The WhiteOps team clarifies that both Dropbox and Evernote are not willing partners in the operation.

FreakOut Botnet Uses Recently Discovered Exploits (01/19/2021)
A new botnet has been uncovered that uses three recently discovered vulnerabilities to attack unpatched applications running on Linux systems. After being implanted, the botnets can later be used for several purposes such as DDoS attacks or cryptomining. Check Point first observed the FreakOut botnet in November 2020 and says that the attacks are aimed at devices that run the TerraMaster Operating System that manages TerraMaster NAS servers, the Zend Framework used to build Web applications and services, and Liferay Portal, a free, open-source enterprise portal. The three CVEs being used by the hackers attack these specific programs and are fairly recent, which means there's a high chance that exploitation attempts are succeeding since many systems could still be lagging behind on applying the patches.

CyberCrime - W/E - 1/22/21


Classified Ad Scammers Seen Expanding Lucrative Operation (01/18/2021)
A Russia-based online classified-ad scam raked in more than $6.5 million from consumers in the US and Europe during 2020. Cybersecurity firm Group-IB has named the "scam-as-a-service" operation Classiscam and says it has been in business since the summer of 2019. The scheme involves publishing ads for non-existent products on online marketplaces. "The ads usually offer cameras, game consoles, laptops, smartphones, and similar items for sale at deliberately low prices," Group-IB said. When a potential buyer expresses interest in a product, the Classiscam operator uses a Telegram bot to generate a phishing page that mimics the original marketplace but is hosted on a look-alike domain. The scammer sends the link to the buyer, who fills in their payment details, and the scammers then take that data and attempt to use it elsewhere to purchase other goods. "In the summer of 2020, we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3,000 pages," Group-IB reports. The Classiscam model is also popping up elsewhere, with groups now operating out of Bulgaria, the Czech Republic, France, Poland, and the US.
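The look-alike domains are the detectable part of the Classiscam scheme: a marketplace, or the bank whose cards are being phished, can screen newly observed domains against the brands it protects. The Python below is an added example of such a screen, not Group-IB's tooling or code from the page. Brand names, allowed TLDs and candidate domains are all constructed; a production version would use the Public Suffix List instead of the small two-label suffix table here.

```python
"""Flag look-alike (typosquat / homoglyph / TLD-swap / brand-embedded) domains for protected brands.

Added example; not Group-IB code. Brands, TLDs and candidates are constructed for the demo.
"""
from urllib.parse import urlsplit

# Hypothetical brands to protect: registrable label -> public suffixes the brand legitimately uses.
PROTECTED_BRANDS = {
    "examplemarket": {"com", "de"},
    "shopexample": {"com", "co.uk"},
}

# Two-label public suffixes we special-case (a real deployment would consult the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Visually confusable substitutions: multi-character sequences first, then single characters,
# including a few Cyrillic letters that render identically to Latin ones in most fonts.
MULTI_CHAR_GLYPHS = {"rn": "m", "vv": "w"}
SINGLE_CHAR_GLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})


def hostname_of(candidate: str) -> str:
    """Accept a bare domain or a full URL; return the lower-cased hostname with punycode decoded."""
    if "://" not in candidate:
        candidate = "//" + candidate
    host = (urlsplit(candidate).hostname or "").strip(".").lower()
    try:  # xn-- labels decode to their Unicode form; plain ASCII labels pass through unchanged
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (or undecodable): compare it as-is


def split_domain(host: str):
    """Return (registrable_label, public_suffix) using the small two-label suffix table."""
    parts = host.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return host, ""


def normalize(label: str) -> str:
    """Collapse confusable glyphs so 'examp1emarket' and 'ex\u0430mplemarket' compare equal to the brand."""
    for seq, repl in MULTI_CHAR_GLYPHS.items():
        label = label.replace(seq, repl)
    return label.translate(SINGLE_CHAR_GLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, max_edits: int = 2):
    """Return (brand, reason) when the candidate impersonates a protected brand, else None."""
    label, suffix = split_domain(hostname_of(candidate))
    norm = normalize(label)
    for brand, suffixes in PROTECTED_BRANDS.items():
        if norm == brand:
            if label != brand:
                return brand, "homoglyph"       # looks like the brand but is not its real spelling
            if suffix not in suffixes:
                return brand, "tld-swap"        # right name, wrong suffix (.net instead of .com)
            return None                         # the genuine domain
        if brand in norm:
            return brand, "brand-embedded"      # examplemarket-delivery.com, pay-examplemarket.com
        if levenshtein(norm, brand) <= max_edits:
            return brand, "typosquat"           # exampelmarket.com, examplemarkt.com
    return None


# Constructed candidates, as they might arrive from a certificate-transparency or new-domain feed.
CANDIDATES = [
    "https://examplemarket-delivery.com/pay",
    "examplemarket.net",
    "examp1emarket.com",
    "exampelmarket.com",
    "ex\u0430mplemarket.com".encode("idna").decode("ascii"),  # Cyrillic 'a', in its DNS (punycode) form
    "shopexample.co.uk",
    "unrelatedshop.com",
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:45} -> {classify(c)}")
```

The edit-distance threshold is deliberately low (two edits) and only meaningful for brand labels of a reasonable length; short brands need the homoglyph and brand-embedded rules rather than the distance rule, or they will flag unrelated domains.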

Google Forms Used to Target Executives in E-Mail Campaign (01/20/2021)
Proofpoint Threat Research has observed attackers using Google Forms to bypass e-mail security content filters in a campaign that combines Google services with social engineering. "We observed thousands of messages predominantly delivered to retail, telecommunications, healthcare, energy, and manufacturing sectors," the company's report says. The targets are often C-level executives; the messages are simple but convey a sense of urgency. Proofpoint suspects that the campaign's primary goal is to elicit a reply from the victim, which identifies responsive targets for follow-on threat activity.

Malwarebytes Also Victimized by SolarWinds Hackers (01/19/2021)
Malwarebytes says that it was also a victim of the hacking operation responsible for the SolarWinds supply chain attack that compromised the US Treasury Department and other government agencies. Company co-founder and CEO Marcin Kleczynski said an investigation found that the attackers, believed to be Russian, gained access to "a limited subset of internal company emails." Although the firm says it does not use the SolarWinds software, the hackers were able to gain privileged access to the firm's Microsoft Office 365 and Azure environments through a third-party application. Malwarebytes was informed by the Microsoft Security Response Center on December 15 about suspicious activity from that application in its Office 365 tenant, activity consistent with the tactics, techniques, and procedures of the advanced threat actor behind the SolarWinds attacks.
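The entry point in the Malwarebytes case was an application with privileged access to the tenant rather than a SolarWinds binary, so the check a tenant administrator wants is an inventory of application (app-only) permissions held by service principals, flagging high-privilege Graph roles, third-party ownership and recently added credentials. The Python below is an added example of that inventory, not Malwarebytes' or Microsoft's tooling. Its input is constructed to resemble Microsoft Graph's servicePrincipals objects and the Microsoft Graph service principal's appRoleAssignedTo collection; the role IDs, tenant IDs, app names and dates are placeholders.

```python
"""Inventory app-only (application) permissions granted to service principals in an Azure AD tenant.

Added example, not Malwarebytes' or Microsoft's code. The records below are constructed to look
like Microsoft Graph output: servicePrincipals objects, and the appRoleAssignedTo collection of
the Microsoft Graph service principal (appId 00000003-0000-0000-c000-000000000000 in every tenant).
All ids, names and dates are placeholders.
"""
from datetime import datetime, timedelta, timezone

# Placeholder for the tenant being audited; an app whose appOwnerOrganizationId differs is a
# multi-tenant app published by someone else.
OWN_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Placeholder appRole ids -> permission names. Real ids come from the appRoles property of the
# Graph service principal in the tenant.
GRAPH_APP_ROLES = {
    "role-mail-read": "Mail.Read",
    "role-mail-readwrite": "Mail.ReadWrite",
    "role-dir-readwrite": "Directory.ReadWrite.All",
    "role-user-read": "User.Read.All",
}

# Application permissions that give an app tenant-wide access to mail or control of the directory.
HIGH_PRIVILEGE = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}

# Constructed: GET /servicePrincipals?$select=id,displayName,appOwnerOrganizationId,passwordCredentials,keyCredentials
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Acme Mail Filter (hypothetical)",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "passwordCredentials": [{"startDateTime": "2021-01-05T08:00:00Z"}], "keyCredentials": []},
    {"id": "sp-2", "displayName": "Internal HR Sync (hypothetical)",
     "appOwnerOrganizationId": OWN_TENANT_ID,
     "passwordCredentials": [], "keyCredentials": [{"startDateTime": "2020-03-01T00:00:00Z"}]},
    {"id": "sp-3", "displayName": "Ticketing Connector (hypothetical)",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "passwordCredentials": [{"startDateTime": "2020-11-15T00:00:00Z"}], "keyCredentials": []},
]

# Constructed: GET /servicePrincipals/{graph-sp-id}/appRoleAssignedTo
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-1", "principalType": "ServicePrincipal", "appRoleId": "role-mail-read",
     "createdDateTime": "2019-06-01T00:00:00Z"},
    {"principalId": "sp-2", "principalType": "ServicePrincipal", "appRoleId": "role-dir-readwrite",
     "createdDateTime": "2020-03-01T00:00:00Z"},
    {"principalId": "sp-3", "principalType": "ServicePrincipal", "appRoleId": "role-user-read",
     "createdDateTime": "2020-11-15T00:00:00Z"},
    {"principalId": "user-9", "principalType": "User", "appRoleId": "role-mail-read",
     "createdDateTime": "2020-01-01T00:00:00Z"},
]

DEMO_NOW = datetime(2021, 1, 20, tzinfo=timezone.utc)  # reference date for the constructed snapshot


def parse_ts(value: str) -> datetime:
    """Graph returns ISO-8601 UTC timestamps with a trailing Z, which fromisoformat() does not accept."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(service_principals, assignments, app_roles, own_tenant, now, recent_days=45):
    """One finding per high-privilege application permission held by a service principal,
    most suspicious first (new credential, then third-party owner)."""
    by_id = {sp["id"]: sp for sp in service_principals}
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for grant in assignments:
        if grant.get("principalType") != "ServicePrincipal":
            continue  # user/delegated assignments belong to a separate consent review
        permission = app_roles.get(grant["appRoleId"], grant["appRoleId"])
        if permission not in HIGH_PRIVILEGE:
            continue
        sp = by_id.get(grant["principalId"], {})
        credentials = sp.get("passwordCredentials", []) + sp.get("keyCredentials", [])
        findings.append({
            "app": sp.get("displayName", grant["principalId"]),
            "permission": permission,
            "granted": grant["createdDateTime"],
            "third_party": sp.get("appOwnerOrganizationId") not in (None, own_tenant),
            # A secret or certificate recently added to an already-privileged app is a takeover sign.
            "new_credential": any(parse_ts(c["startDateTime"]) >= cutoff for c in credentials),
        })
    return sorted(findings, key=lambda f: (not f["new_credential"], not f["third_party"], f["app"]))


def run_demo():
    """Run the audit over the constructed tenant snapshot."""
    return audit(SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES, OWN_TENANT_ID, DEMO_NOW)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['app']:35} {f['permission']:25} third-party={f['third_party']} new-credential={f['new_credential']}")
```

Against a live tenant the same logic runs over the real Graph responses; the two things to feed it are the appRoles of the Graph service principal (to resolve role ids to names) and the credential lists of every service principal, since a dormant app that suddenly gains a new secret is exactly the pattern worth investigating first.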

the hackers news

Retrieved title: The Hacker News, 3 item(s)
Experts Detail A Recent Remotely Exploitable Windows Vulnerability

More details have emerged about a security feature bypass vulnerability in Windows NT LAN Manager (NTLM) that was addressed by Microsoft as part of its monthly Patch Tuesday updates earlier this month. The flaw, tracked as CVE-2021-1678 (CVSS score 4.3), was described as a "remotely exploitable" flaw found in a vulnerable component bound to the network stack, although exact details of the flaw

Beware! Fully-Functional Exploit Released Online for SAP Solution Manager Flaw

Cybersecurity researchers have warned of a publicly available, fully functional exploit that could be used to target SAP enterprise software. The exploit leverages a vulnerability, tracked as CVE-2020-6207, that stems from a missing authentication check in SAP Solution Manager (SolMan) version 7.2. SAP SolMan is an application management and administration solution that offers end-to-end

Exclusive: SonicWall Hacked Using 0-Day Bugs In Its Own VPN Product

SonicWall, a popular internet security provider of firewall and VPN products, on late Friday disclosed that it fell victim to a coordinated attack on its internal systems. The San Jose-based company said the attacks leveraged zero-day vulnerabilities in SonicWall secure remote access products such as NetExtender VPN client version 10.x and Secure Mobile Access (SMA) that are used to provide

hackaday

Retrieved title: Hackaday, 3 item(s)
Hackaday Links: January 24, 2021

Code can be beautiful, and good code can be a work of art. As it so happens, artful code can also result in art, if you know what you’re doing. That’s the idea behind Programming Posters, a project that Michael Fields undertook to meld computer graphics with the code behind the images. It starts with a simple C program to generate an image. The program needs to be short enough to fit legibly into the sidebar of an A2 sheet, and as if that weren’t enough of a challenge, Michael constrained himself to the standard C libraries to generate his graphics. A second program formats the code and the image together and prints out a copy suitable for display. We found the combination of code and art beautiful, and the challenge intriguing.

It always warms our hearts when we get positive feedback from the hacker community when something we’ve written has helped advance a project or inspire a build. It’s not often, however, that we learn that Hackaday is required reading. Educators at the Magellan International School in Austin, Texas, recently reached out to Managing Editor Elliot Williams to let him know that all their middle school students are required to read Hackaday as part of their STEM training. Looks like the kids are paying attention to what they read, too, judging by KittyWumpus, their ongoing mechatronics/coding project that’s unbearably adorable. We’re honored to be included in their education, and everyone in the Hackaday community should be humbled to realize that we’ve got an amazing platform for inspiring the next generation of hardware hackers.

Hackers seem to fall into two broad categories: those who have built a CNC router, and those who want to build one. For those in the latter camp, the roadblock to starting a CNC build is often “analysis paralysis” — with so many choices to make, it’s hard to know where to start. To ease that pain and get you closer to starting your build, Matt Ferraro has penned a great guide to planning a CNC router build. The encyclopedic guide covers everything from frame material choice to spindle selection and software options. If Matt has a bias toward any particular options it’s hard to find; he lists the pros and cons of everything so you can make up your own mind. Read it at your own risk, though; while it lowers one hurdle to starting a CNC build, it does nothing to address the next one: financing.

Like pretty much every conference last year and probably every one this year, the Open Hardware Summit is going to be virtual. But they’re still looking for speakers for the April conference, and just issued a Call for Proposals. We love it when we see people from the Hackaday community pop up as speakers at conferences like these, so if you’ve got something to say to the open hardware world, get a talk together. Proposals are due by February 11, so get moving.

And finally, everyone will no doubt recall the Boston Dynamics robots that made a splash a few weeks back with their dance floor moves. We loved the video, mainly for the incredible display of robotic agility and control but also for the choice of music. We suppose it was inevitable, though, that someone would object to the Boomer music and replace it with something else, like in the video below, which seems to sum up the feelings of those who dread our future dancing overlords. We regret the need to proffer a Tumblr link, but the Internet is a dark and wild place sometimes, and only the brave survive.

https://commiemartyrshighschool.tumblr.com/post/640760882224414720/i-fixed-the-audio-for-that-boston-dynamics-video

Physically Huge SD Card Technically Has Some Benefits

SD cards were developed and released just before the turn of the millennium. Since then, we’ve seen smaller formats, miniSD and microSD, become popular for portable devices. However, sometimes bigger is better. [Useless Mod] dared to dream that dream, and put together a (physically) gigantic SD card.

The card is a full 10x scale reproduction of a SanDisk Extreme Pro SD card, complete with packaging. Built out of layers of laser-cut MDF, it’s spray painted and given a high-quality label to complete the effect. The write-protect slider instead serves as a latch to open the assembly. Inside, there’s a regular SD card slot, wired up to the bigger card’s giant contacts made with copper tape. These interface with a huge 10x scale SD card slot, which acts as an adapter, allowing the giant SD to be used with regular hardware like cameras.

The giant SD might seem silly, but it has plenty of useful features. There are flashing LEDs behind the label that make it easy to find if you drop it, along with an Apple Watch hidden inside so that it can be located using the Find My iPhone service. We’d have loved it if it featured a RAID array of 10 or more SD cards as well, just to justify its enormous size. That said, [Useless Mod] points out that it’s big enough to keep a DSLR dry in a rainstorm when fitted to the hotshoe, so there’s that.

It’s a fun build, not a serious one, but one that we enjoyed on its merits. We suspect that, regardless of the card inside, you’ll have little luck recording at 4K with such long wire lengths in play. If you’ve ever had more normal compatibility problems with the format, consider that it could be size causing your issues. Video after the break.

Collapsible Pattern Projector is a Bright Idea

It’s fantastic that we’re living in the age of downloadable PDF patterns, it really is. But printing out a bunch of sheets of paper and taping them together is a tedious and tiresome process that can introduce error right from the start. This goes for any type of pattern, from sewing to R/C planes.

[Quinn]’s quarantine project is designed to cover both of those and everything in between. It’s a pattern projector made from stuff already on hand — a couple of offset projectors to scavenge parts from, and a large, trapezoidal mylar mirror from an old rear projection TV. At maximum zoom it projects a 4′ x 3′ image onto the tabletop, which sounds perfect for a whole lot of sewing patterns. At minimum zoom, the projected image fits on a foam core board.

We love that this dreamy setup can be stowed away so easily on hooks in the ceiling. [Quinn] had to perform a few hacks to make it all work together, including fabricating a bracket and some adjustable ties to hold the mirror aloft at just the right angle.

Need something smaller? Check out this Pi-powered pocket projector. Want a cinema-quality setup? You just have to find the right auctions.

CSO Online

Retrieved title: CSO Online, 3 item(s)
BrandPost: Network Security and the Heart of a Zero Trust Architecture

As part of a Zero Trust approach to cybersecurity, network flows should be authenticated before being processed, with access determined by dynamic policy. A network that is intended to never trust, and to always verify all connections, requires technology that can determine confidence, authorize connections, and ensure that future transactions remain valid.

The heart of any Zero Trust Architecture (ZTA) is an authorization core involving equipment within the control plane of the network that determines this confidence and continually evaluates confidence for every request. Given that the authorization core is part of a control plane, it needs to be logically separated from the portion of the network used for application data traffic (the data plane).


4 ways security has failed to become a boardroom issue

Somewhere around 2015, the security industry adopted a new mantra, “cybersecurity is a boardroom issue.”  This statement was supported by lots of independent research, business press articles, webinars, local events, and even sessions at RSA and Black Hat crowing about the burgeoning relationship between CISOs, business executives, and corporate boards.


BrandPost: Fortinet Extends Free NSE Security Training Courses to Close Industry’s Skills Gap

With the unprecedented increase of teleworkers in 2020, the need for securing remote networks and users became a top priority for organizations. IT teams with little manpower found it difficult to fill important security positions, made worse by the challenge of securely transitioning to remote work.

The cybersecurity skills gap continues to pose multiple challenges for organizations dealing with an expanding attack surface and a growing number of security alerts. Organizations simply cannot acquire the cybersecurity talent required to address their biggest security challenges. Between an increasingly complex threat landscape, the growing cybersecurity skills gap, and the importance of securing remote networks, organizations are struggling to ensure effective security across all their infrastructures.
