Cyber security aggregate rss news


 Business

Obi-Wan Kenobi is set ten years after the proclamation of the Galactic Empire, and nine years before said Galactic Empire left the critical infrastructure facility DS-1 Orbital Battle Station (more commonly known as the Death Star) so scandalously vulnerable that it was attacked and largely destroyed by the Rebel Alliance. I watched the series in the hope of tracing the development of the Empire's information security; however, degradation turned out to be the more appropriate descriptor. (By the way: as usual, I'll try not to reveal any major plot twists, but some spoilers are unavoidable; beware!)

Cybersecurity and Empire employees

Overall, the main item of interest from a cybersecurity perspective is when outsiders penetrate the Inquisitors' secret facility and gain access to the Imperial computer systems. Before that, however, we see a skirmish on the planet Mapuzo that also arouses our curiosity. Let's start with that.

Checkpoint on Mapuzo

This despoiled mining planet is believed to be home to the Empire's most wanted Jedi, Kenobi. Stormtroopers at the checkpoint apprehend a suspicious-looking man and call in a Viper Probe Droid equipped with a facial recognition system to identify him. And guess what? It works! One question: why didn't these brainy machines take part in the search for the droids in Episode IV nine years later? If, instead of asking passers-by silly questions, the patrol in Mos Eisley had used face recognition, they would have found and arrested Obi-Wan. The Empire couldn't have known that he was being played by another actor!

Underwater Fortress Inquisitorius and Mustafar's moon Nur

In terms of information security, the secret fortress of the Inquisitors (which everyone knows about) has to be one of the most advanced Imperial facilities we see in the Star Wars universe. It's similarly well-secured physically too. Quite incredibly, by Star Wars standards, people here have their IDs checked at the entrance, the doors are opened with authentication devices called code cylinders, and the underwater gateway is controlled entirely from a computer console, not from a panel by the entry hatch as is usually the case. And there's also something totally unheard-of: the corridors are patrolled by mobile security cameras.

It's a mystery why, just nine years later, these security practices were entirely abandoned by the Empire. In Episode IV, the selfsame Kenobi walks freely around the Death Star and doesn't even need to log in to access the tractor beam control unit!

But, as you've probably guessed, all these security measures don't do any good. And as usual, it's all down to the carelessness of a single employee, the so-called lead security on this level. The fact is that Kenobi is assisted by an insider, Captain Tala Durith, a bona fide Imperial officer with excellent social-engineering skills who's become disillusioned with the Empire. When Tala's documents are checked at the fortress entrance, it turns out that she's assigned to a different sector entirely and has no business being at the secret facility. However, Tala pulls rank and convinces the officer on duty (that same lead security we mentioned earlier) that she's brought secret intelligence for the Inquisitors, so she's allowed in.

Once inside, she enters some kind of control room and logs in to one of the terminals, passing authentication with her code cylinder. There's something clearly flawed with the delimitation of user rights: why would she have any rights in the system at all if she genuinely has nothing to do with this sector?! Authentication proves who she is; it says nothing about what she should be allowed to do. Anyway, Tala gains access to both the fortress's schematics and the underwater gateway control unit, which she uses to let Kenobi in.

The senior officer in the control room eventually grasps that there's an outsider at the terminal, though it takes him about 20 minutes to do so. But his subsequent actions defy logic: for some reason he takes Tala to a secluded corner behind some units to check her entry pass, and in that corner he stays, laid out with a broken neck, for the rest of the series! Clearly, the staff at this secret facility are totally unprepared for incidents of this nature. Generally speaking, this problem could have been found with regular pen testing. That said, there probably aren't that many specialists in this field on Mustafar.

Empire opponents' cybersecurity methods

Let's talk about the Empire's opponents as well. There are no rebels as such in this series: the forces of conventional good are represented only by opposition-minded Alderaan and the underground anti-Imperial network The Path, which doesn't so much fight the Empire as shelter and transport dissidents (surviving Jedi and Force-sensitives). And there's, of course, Ben Kenobi himself. In terms of information security, things are, unsurprisingly, not great.

The ruling house of Alderaan

Alderaan's rulers, the Organa family, have a very weird attitude to security (information and otherwise), which raises many questions. Since the very beginning of the Empire, Senator Bail Organa has been actively involved in all sorts of anti-Imperial endeavors. What's more, the existence of his adopted daughter, Leia, must be kept secret from Vader. You'd think he'd be concerned for the safety of his own family at least. But no: the mercenary Vect Nokru (played, yes, by Flea of the Red Hot Chili Peppers) has no trouble snatching the princess right from inside the palace walls.

It should be mentioned that Leia is inseparable from the mini-droid Lola (L0-LA59). So why doesn't Bail install a solution like Kaspersky Safe Kids on her beloved gadget? Then at least he'd know where the princess had been taken! Especially since remote droid-location technologies do exist and are actively used in the series.

L0-LA59 droid security

In one episode, the Inquisitors, having droid-napped L0-LA59, fit her with a malicious surveillance device that lets them control the machine remotely. It's not clear why the Empire doesn't exploit this technology later on: in Episode V, for example, it could have seized control of C-3PO in Cloud City instead of sending him to the smelter. Even more baffling is why the House of Organa doesn't use droids built on a cyber immune operating system, which would simply block both connections from untrusted devices and external malicious commands.

Bail Organa and communications

The biggest mystery of all is how Bail Organa, with all his oppositionist views, even lived to see the destruction of Alderaan. Not only does he repeatedly reach out to Obi-Wan Kenobi (which in itself is a death sentence), he does so over an unsecured communication channel, laying out secret information with references to Luke and Tatooine in cleartext. Note, too, that the messaging system doesn't only lack encryption: the receiving device has no basic authentication either. In other words, anyone can pick up the device and listen to the last message. Now there's someone who could definitely use some cybersecurity awareness training!

The Path shelter on planet Jabiim

The Path's shelter has barely a nodding acquaintance with cybersecurity. The hangar door controller, without which there can be no quick evacuation, is a strange contraption teeming with wires and located in the ventilation ducting. The malicious droid easily gains access to this device and physically disables something in it, making the door uncontrollable. What's more, because the critical system is so "conveniently" located, it's practically impossible to get to the door controller and fix it. Of course, we're talking here about heroic oppositionists with no funding of any kind. Still, seeing how difficult it is even for a ten-year-old child to squeeze their way through to the device, it's hard to imagine who the designers thought would maintain and repair the system.

Takeaway

As you can see, nine years before the first Star Wars movie, the Empire was far, far better at information security than it was later on, while its opponents lacked even a basic understanding of it. Perhaps the reason the Empire ditched most of its progressive security measures is that, in any case, they did nothing to actually prevent intrusions and other incidents.


 A Little Sunshine

Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in its website that exposed its entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can, such as by secretly bundling it with other titles.

Image caption: The Microleaves proxy service, which is in the process of being rebranded to Shifter[.]io.

Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer's Internet Protocol (IP) address every five to ten minutes. The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked, such as data scraping, or mass-creating new accounts at some online service.

In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a "very serious issue regarding our customer information." Abhishek Gupta is the PR and marketing manager for Microleaves, which he said is in the process of being rebranded to "Shifter.io." Gupta said the report qualified as a "medium" severity security issue in Shifter's brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.

From its inception nearly a decade ago, Microleaves has claimed to lease between 20-30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said that 20-30 million number might be accurate for Shifter if measured across a six-month time frame. Currently, Spur is tracking roughly a quarter-million proxies associated with Microleaves/Shifter each day, with a high rate of churn in IPs. Early on, this rather large volume of IP addresses led many to speculate that Microleaves was just a botnet being resold as a commercial proxy service.

Image caption: Proxy traffic related to top Microleaves users, as exposed by the website's API.

The very first discussion thread started by the new user Microleaves on the forum BlackHatWorld in 2013 sought forum members who could help test and grow the proxy network. At the time, the Microleaves user said their proxy network had 150,000 IPs globally, and was growing quickly. One of BlackHatWorld's moderators asked the administrator of the forum to review the Microleaves post. "User states has 150k proxies," the forum skeptic wrote. "No seller on BHW has 150k working daily proxies none of us do. Which hints at a possible BOTNET. That's the only way you will get 150k."

Microleaves has long been classified by antivirus companies as adware or as a "potentially unwanted program" (PUP), the euphemism that antivirus companies use to describe executable files that get installed with ambiguous consent at best, and are often part of a bundle of software tied to some "free" download. Security vendor Kaspersky flags the Microleaves family of software as a trojan horse program that commandeers the user's Internet connection as a proxy without notifying the user. "While working, these Trojans pose as Microsoft Windows Update," Kaspersky wrote.

In a February 2014 post to BlackHatWorld, Microleaves announced that its sister service, reverseproxies[.]com, was now offering an "Auto CAPTCHA Solving Service," which automates the solving of those squiggly and sometimes frustrating puzzles that many websites use to distinguish bots from real visitors. The CAPTCHA service was offered as an add-on to the Microleaves proxy service, and ranged in price from $20 for a 2-day trial to $320 for solving up to 80 captchas simultaneously. "We break normal Recaptcha with 60-90% success rate, recaptcha with blobs 30% success, and 500+ other captcha," Microleaves wrote. "As you know all success rate on recaptcha depends very much on good proxies that are fresh and not spammed!"

WHO IS ACIDUT?

The exposed Microleaves user database shows that the first user created on the service, username "admin," used the email address alex.iulian@aol.com. A search on that email address in Constella Intelligence, a service that tracks breached data, reveals it was used to create an account at the link shortening service bit.ly under the name Alexandru Florea, and the username "Acidut." [Full disclosure: Constella is currently an advertiser on this website].

According to the cyber intelligence company Intel 471, a user named Acidut with the email address iulyan87_4u@gmail.com had an active presence on almost a dozen shadowy money-making and cybercrime forums from 2010 to 2017, including BlackHatWorld, Carder[.]pro, Hackforums, OpenSC, and CPAElites.

Image caption: The user Microleaves (later "Shifter.io") advertised on BlackHatWorld the sale of 31 million residential IPs for use as proxies, in late 2013. The same account continues to sell subscriptions to Shifter.io.

In a 2011 post on Hackforums, Acidut said they were building a botnet using an "exploit kit," a set of browser exploits made to be stitched into hacked websites and foist malware on visitors. Acidut claimed their exploit kit was generating 3,000 to 5,000 new bots each day. OpenSC was hacked at one point, and its private messages show Acidut purchased a license from Exmanoize, the handle used by the creator of the Eleonore Exploit Kit. By November 2013, Acidut was advertising the sale of "26 million SOCKS residential proxies."

In a March 2016 post to CPAElites, Acidut said they had a worthwhile offer for people involved in pay-per-install or "PPI" schemes, which match criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs and websites. Because pay-per-install affiliate schemes rarely impose restrictions on how the software can be installed, such programs can be appealing for cybercriminals who already control large collections of hacked machines and/or compromised websites. Indeed, Acidut went a step further, adding that their program could be quietly and invisibly nested inside other programs.

"For those of you who are doing PPI I have a global offer that you can bundle to your installer," Acidut wrote. "I am looking for many installs for an app that will generate website visits. The installer has a silence version which you can use inside your installer. I am looking to buy as many daily installs as possible worldwide, except China."

Asked about the source of their proxies in 2014, the Microleaves user responded that it was "something related to a PPI network. I can't say more and I won't get into details." Acidut authored a similar message on the forum BlackHatWorld in 2013, where they encouraged users to contact them on Skype at the username "nevo.julian." That same Skype contact address was listed prominently on the Microleaves homepage up until about a week ago, when KrebsOnSecurity first reached out to the company.

ONLINE[.]IO (NOW MERCIFULLY OFFLINE)

There is a Facebook profile for an Alexandru Iulian Florea from Constanta, Romania, whose username on the social media network is Acidut. Prior to KrebsOnSecurity alerting Shifter of its data breach, the Acidut profile page associated Florea with the websites microleaves.com, shrooms.io, leftclick[.]io, and online[.]io. Mr. Florea did not respond to multiple requests for comment, and his Facebook page no longer mentions these domains.

Leftclick and online[.]io emerged as subsidiaries of Microleaves between 2017 and 2018. According to a help wanted ad posted in 2018 for a developer position at online[.]io, the company's services were brazenly pitched to investors as "a cybersecurity and privacy tool kit, offering extensive protection using advanced adblocking, anti-tracking systems, malware protection, and revolutionary VPN access based on residential IPs."

Image caption: A teaser from Irish Tech News.

"Online[.]io is developing the first fully decentralized peer-to-peer networking technology and revolutionizing the browsing experience by making it faster, ad free, more reliable, secure and non-trackable, thus freeing the Internet from annoying ads, malware, and trackers," reads the rest of that help wanted ad.

Microleaves CEO Alexandru Florea gave an "interview" to the website Irishtechnews.ie in 2018, in which he explained how Online[.]io (OIO) was going to upend the online advertising and security industries with its initial coin offering (ICO). The word interview is in air quotes because the following statements by Florea deserved some serious pushback from the interviewer.

"Online[.]io solution, developed using the Ethereum blockchain, aims at disrupting the digital advertising market valued at more than $1 trillion USD," Alexandru enthused. "By staking OIO tokens and implementing our solution, the website operators will be able to access a new non-invasive revenue stream, which capitalizes on time spent by users online."

"At the same time, internet users who stake OIO tokens will have the opportunity to monetize on the time spent online by themselves and their peers on the World Wide Web," he continued. "The time spent by users online will lead to ICE tokens being mined, which in turn can be used in the dedicated merchant system or traded on exchanges and consequently changed to fiat."

Translation: If you install our proxy bot/CAPTCHA-solver/ad software on your computer, or as an exploit kit on your website, we'll make millions hijacking ads and you will be rewarded with heaps of soon-to-be-worthless shitcoin. Oh, and all your security woes will disappear, too.

It's unclear how many Internet users and websites willingly agreed to get bombarded with Online[.]io's annoying ads and search hijackers, and to have their PC turned into a proxy or CAPTCHA-solving zombie for others. But that is exactly what multiple security companies said happened when users encountered online[.]io, which operated using the Microsoft Windows process name "online-guardian.exe."

Incredibly, Crunchbase says Online[.]io raised $6 million in funding for an initial coin offering in 2018, based on the plainly ludicrous claims made above. Since then, however, online[.]io seems to have gone...offline, for good.

SUPER TECH VENTURES?

Until this week, Shifter.io's website also exposed information about its customer base and most active users, as well as how much money each client has paid over the lifetime of their subscription. The data indicates Shifter has earned more than $11.7 million in direct payments, although it's unclear how far back in time those payment records go, or how complete they are. The bulk of Shifter customers who spent more than $100,000 at the proxy service appear to be digital advertising companies, including some located in the United States. None of the several Shifter customers approached by KrebsOnSecurity agreed to be interviewed.

Shifter's Gupta said he'd been with the company for three years, since the new owner took over the company and made the rebrand to Shifter.

"The company has been on the market for a long time, but operated under a different brand called Microleaves, until new ownership and management took over the company started a reorganization process that is still on-going," Gupta said. "We are fully transparent. Mostly [our customers] work in the data scraping niche, this is why we actually developed more products in this zone and made a big shift towards APIs and integrated solutions in the past year."

Ah yes, the same APIs and integrated solutions that were found exposed to the Internet and leaking all of Shifter's customer information.

Gupta said the original founder of Microleaves was a man from India, who later sold the business to Florea. According to Gupta, the Romanian entrepreneur had multiple issues in trying to run the company, and then sold it three years ago to the current owner, Super Tech Ventures, a private equity company based in Taiwan.

"Our CEO is Wang Wei, he has been with the company since 3 years ago," Gupta said. "Mr. Florea left the company two years ago after ending this transition period."

Google and other search engines seem to know nothing about a Super Tech Ventures based in Taiwan. Incredibly, Shifter's own PR person claimed that he, too, was in the dark on this subject.

"I would love to help, but I really don't know much about the mother company," Gupta said, essentially walking back his "fully transparent" statement. "I know they are a branch of the bigger group of asian investment firms focused on private equity in multiple industries."

Adware and proxy software are often bundled together with "free" software utilities online, or with popular software titles that have been pirated and quietly fused with installers tied to various PPI affiliate schemes. But just as often, these intrusive programs will include some type of notice, even when installed as part of a software bundle, that many users simply do not read before clicking "Next" to get on with installing whatever software they're seeking to use.

In these cases, selecting the "basic" or "default" settings while installing usually hides any per-program installation prompts, and assumes you agree to all of the bundled programs being installed. It's always best to opt for the "custom" installation mode, which can give you a better idea of what is actually being installed, and can let you control certain aspects of the installation.

Either way, it's best to start with the assumption that if a piece of software or an online service is "free," there is likely some component involved that allows the provider of that service to monetize your activity. As KrebsOnSecurity noted at the conclusion of last week's story on a China-based proxy service called 911, the rule of thumb for transacting online is that if you're not the paying customer, then you and/or your devices are probably the product that's being sold to others.

Further reading on proxy services:

July 18, 2022: A Deep Dive Into the Residential Proxy Service '911'
June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet
June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet
Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark
Aug. 19, 2019: The Rise of "Bulletproof" Residential Networks

 Incident Response, Learnings

“The criminals would impersonate a service company to inform their victims that the service company now had a new bank account to which the payments for the provided services should be sent,” Europol explained.

 Govt., Critical Infrastructure

China's cyber espionage activities are extensive and sophisticated, but when the Middle Kingdom tried to steal sensitive economic data from the US Fed, poor security meant its operatives didn't have to dip too far into their bags of tricks.

 Identity Theft, Fraud, Scams

The cybercriminals are trying to harvest credentials by creating phishing websites that look similar to the Chase login page. Stolen credentials give them access to the victim's account, which in turn lets them move the funds.

 Identity Theft, Fraud, Scams

These websites have the capability to change their background and logo depending on the user’s domain. The phishing sites are stored in the InterPlanetary File System (IPFS).
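A small triage routine for URLs of this kind, added here as an illustration and not code from the report being summarised. It recognises the common IPFS addressing forms (path gateway `/ipfs/<CID>`, subdomain gateway `<CID>.ipfs.<gateway>`, and the `ipfs://` scheme) and pulls the victim address out of the URL fragment or query string, which is where a kit that rebrands itself per victim domain typically carries it. The URL shapes, the CID regexes and the sample URLs are assumptions constructed for this example; none of them come from the original item.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# CIDv0: base58btc multihash, "Qm" + 44 chars. CIDv1: commonly base32 lower-case,
# starting with "b" (e.g. "bafy..."). Both patterns are triage-grade assumptions,
# not a full CID parser.
CIDV0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CIDV1 = r"b[a-z2-7]{50,}"
CID_RE = re.compile(rf"({CIDV0}|{CIDV1})")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


@dataclass
class IpfsPhishHit:
    cid: str                      # content identifier the page is served from
    target_email: Optional[str]   # victim address embedded in the URL, if any
    target_domain: Optional[str]  # domain the kit would brand itself for


def extract_cid(url: str) -> Optional[str]:
    """Return the CID if the URL addresses IPFS content, else None."""
    u = urlparse(url)
    if u.scheme == "ipfs":                       # ipfs://<cid>/path
        m = CID_RE.fullmatch(u.netloc)
        return m.group(1) if m else None
    labels = (u.hostname or "").split(".")
    if len(labels) >= 3 and labels[1] == "ipfs":  # <cid>.ipfs.<gateway>
        m = CID_RE.fullmatch(labels[0])
        if m:
            return m.group(1)
    m = re.match(r"^/ipfs/(?P<cid>[^/?#]+)", u.path)  # https://<gateway>/ipfs/<cid>/...
    if m and CID_RE.fullmatch(m.group("cid")):
        return m.group("cid")
    return None


def extract_target(url: str) -> Tuple[Optional[str], Optional[str]]:
    """Look for a victim e-mail address in the fragment or query string (assumed
    placement); return (email, domain) or (None, None)."""
    u = urlparse(url)
    candidates = [unquote(u.fragment)]
    for values in parse_qs(u.query).values():
        candidates.extend(values)
    for c in candidates:
        m = EMAIL_RE.search(c)
        if m:
            return m.group(0), m.group(1).lower()
    return None, None


def triage(url: str) -> Optional[IpfsPhishHit]:
    """IPFS-hosted content is not malicious by itself; the combination of an IPFS
    address and a victim address carried in the URL is what warrants a closer look."""
    cid = extract_cid(url)
    if cid is None:
        return None
    email, domain = extract_target(url)
    return IpfsPhishHit(cid, email, domain)


# Constructed sample URLs (not real sightings). The CIDs are syntactically valid
# example identifiers used only to exercise the matcher.
SAMPLE_URLS = [
    "https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/login.html#victim@example.com",
    "https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/?email=victim%40example.org",
    "ipfs://QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/index.html",
    "https://www.example.com/login?next=/",
]


def triage_all(urls=SAMPLE_URLS):
    """Return only the URLs that resolve to IPFS content, with what was extracted."""
    return {u: hit for u in urls if (hit := triage(u)) is not None}


if __name__ == "__main__":
    for url, hit in triage_all().items():
        print(f"{hit.target_domain or '-':<14} cid={hit.cid[:12]}... {url}")
```

In a mail gateway or proxy log pipeline the `target_domain` is the useful pivot: a hit whose extracted domain is your own organisation's is a targeted lure rather than background IPFS traffic, and the CID lets you block or hunt for the same kit regardless of which public gateway the next message uses.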

 Malware and Vulnerabilities

Software cracks and keygen sites may be attractive, but they are extremely unsafe. A malware campaign by SmokeLoader operators was spotted dropping Amadey Bot, a malware rarely seen since 2020, via exactly such lures. Users should avoid downloading from untrusted sources and double-check the domains they visit when downloading software.

 Threat Actors

APT37 is targeting high-value organizations in Poland, the Czech Republic, and other European countries with Konni RAT. The campaign is dubbed STIFF#BIZON. The attached phishing document is a decoy that appears to be a report from a Russian war correspondent, Olga Bozheva. Researchers have shared some recommendations to mitigate the threat.

 Feed

Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.

 Feed

Ubuntu Security Notice 5535-1 - Joseph Nuzman discovered that some Intel processors did not properly initialise shared resources. A local attacker could use this to obtain sensitive information. Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel processors did not prevent test and debug logic from being activated at runtime. A local attacker could use this to escalate privileges.

 Feed

The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems. Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of

 Feed

The U.S. State Department has announced rewards of up to $10 million for any information that could help disrupt North Korea's cryptocurrency theft, cyber-espionage, and other illicit state-backed activities. "If you have information on any individuals associated with the North Korean government-linked malicious cyber groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or

 Feed

With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their new tactics, techniques, and procedures (TTPs). "The use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022," Proofpoint said in a report shared with The Hacker News. In its

 Feed

A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that's linked to the

 Feed

MSSPs must find ways to balance the need to please existing customers, add new ones, and deliver high-margin services against their internal budget constraints and the need to maintain high employee morale. In an environment where there are thousands of potential alerts each day and cyberattacks are growing rapidly in frequency and sophistication, this isn't an easy balance to maintain. Customers

 Feed

Google on Wednesday said it's once again delaying its plans to turn off third-party cookies in the Chrome web browser from late 2023 to the second half of 2024. "The most consistent feedback we've received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome," Anthony Chavez, vice president of Privacy Sandbox, said.

 Data loss

Uber may not face prosecution over its handling of a 2016 data breach, but its former chief security officer does; how to defend your digital devices' data while on vacation; and how to change your accent with artificial intelligence. All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin. Plus don't miss our featured interview with Ian Farquhar of Gigamon.

Aggregator history: Thursday, July 28, 2022