AnvilSec


We can identify and guide you with sustainable solutions to your security needs.

The U.K. Paid $724,000 For A Creepy Campaign To Convince People That Encryption is Bad. It Won’t Work.
22/01/2022

https://www.eff.org/deeplinks/2022/01/uk-paid-724000-creepy-campaign-convince-people-encryption-bad-it-wont-work

This week, the U.K. government launched an unprecedented and deceptive effort to kill off end-to-end encryption. They’ve hired a fancy ad agency to convince people that encrypted messages are dangerous to children. The explicit goal of the “No Place to Hide” campaign, launched on Tuesday, is to...

27/04/2021

Flubot: Warning over major Android 'package delivery' scam

The message, which pretends to be from a package delivery firm, prompts users to install a tracking app, but the app is actually a malicious piece of spyware.

Called Flubot, it can take over devices and spy on phones to gather sensitive data, including online banking details.

Network operator Vodafone said millions of the text messages were already being sent, across all networks.

"We believe this current wave of Flubot malware SMS attacks will gain serious traction very quickly, and it's something that needs awareness to stop the spread," a spokesman said.

Customers should "be especially vigilant with this particular piece of malware", he said, and be very careful about clicking on any links in a text message.

Other networks, including EE and Three, followed with warnings of their own.

The National Cyber Security Centre (NCSC) later issued guidance about the threat, including advice on what to do if you have already downloaded the attacker's application by mistake.

"If users have clicked a malicious link it's important not to panic - there are actionable steps they can take to protect their devices and their accounts," the NCSC said in a statement.

The malware also has the ability to send more text messages to an infected user's contacts, helping it spread.

"The seriousness of these malicious text messages is underlined by Vodafone making the decision to alert its customers," said Ben Wood, chief analyst at CCS Insight.

"This has the potential to become a denial-of-service attack on mobile networks, given the clear risk that a rogue application can be installed on users' smartphones and start spewing out endless text messages.

"The broader risk for users is a loss of highly sensitive personal data from their phones," he added.

While text message scams claiming to be about a package delivery firm are common, they have mostly focused on phishing - trying to trick the user into filling in a form with bank details and other information.

This newest wave differs because it tries to install malicious software on the phone itself - and because of the scale of its spread.

One version of the scam reported online pretends to be a text message from DHL, with a link to a website for parcel tracking.

If someone using an Android phone clicks on the link, they will be taken to a page "explaining" how to install the parcel tracking app using something called an APK.

APK files are a way of installing Android apps outside of the secure Google Play store. By default, such applications will be blocked for security reasons, but the scam page includes instructions on how to allow the installation.

That can be confusing, as there are some niche genuine cases for installing those kinds of apps - such as downloading the Fortnite video game, which was removed from the official app store amid a major legal row between its owner and Google.

Apple iPhone users are not affected as those phones cannot install Android APKs.

In a blog post detailing the scam, security researcher Paul Morrison wrote that he expects the "success rate would be low" due to the hurdles involved.

But he said: "With the number of SMS being sent out, just a 0.1% success rate could be very profitable."

The Flubot malware has also spread in other countries in recent months - notably Spain, Germany and Poland.

Kate Bevan, computing editor at consumer magazine Which? said people have to be "wary" of texts.

"If you're not sure, contact the delivery company's official customer service helpline," she said.

"As ever, it's important to make sure that your mobile phone is up to date with security patches. Consider also installing mobile security software from a trusted brand."

Industry body Mobile UK said users who receive a suspicious message should forward it to 7726 to report it, and then delete the message.

https://www.bbc.co.uk/news/technology-56859091

08/04/2021

Online Fraud in the UK Up 179% in the Last Decade

Internet and e-commerce fraud in the UK rose by 179% during the period from 2010 to 2020, according to an analysis by Uswitch.com.

In 2020 alone £376.5m was lost to internet and e-commerce fraud in the UK, which was more heavily impacted by this type of crime than any other country in Europe. Across the previous decade, more than one in nine (12%) of Brits have been affected by this kind of fraud, with a value of £8908 lost per 1000 inhabitants.

According to the research, internet fraud losses increased significantly from 2010, reaching a peak in 2018 of £394.2m. This dipped in 2019 to £359.3m, but went up again in 2020 to £376.5m.

It was also calculated that people in the UK are now more likely to fall victim to fraud or cybercrime than many other offences; for example, they are 20 times more likely to be a victim of fraud than of robbery.

Additionally, Uswitch.com highlighted survey data showing that more than half (51%) of UK residents have suffered financial loss as a result of fraud, while 45% have had their personal information stolen online.

Of all the various forms of fraud, impersonation scams had the highest financial impact in the UK in 2020, with £96.6m lost from impersonation of police or bank staff and £53.7m to other types of impersonation scams.

Encouragingly, over half (56%) of the value lost to impersonation scams last year was reimbursed. However, other types of fraud had a much lower reimbursement rate: for purchase scams it was just 29%.

Nick Baker, broadband expert at Uswitch.com, commented: “Fraudsters are becoming ever more sophisticated in their methods, creating scams for all types of products and services, such as loans, dating, holidays and business opportunities.

“Sadly, people of all ages can fall victim to fraud. Not only do online scams target vulnerable individuals, but they also go after major corporations, smaller businesses and the public sector.”

27/02/2021

Parents alerted to NurseryCam security breach

A webcam system that lets parents drop in and watch their children while at nursery school has written to families to tell them of a data breach.

NurseryCam said it did not believe the incident had involved any youngsters or staff being watched without their permission, but had shut down its server as a precautionary measure.

The Guildford-based company said its service was used by about 40 nurseries across the UK.

It said it had also notified the ICO.

Under UK rules, the Information Commissioner's Office must be told of a breach if it has "significant impact" within 24 hours.

NurseryCam said it first became aware of the incident shortly after 17:00 GMT on Friday.

It added the service would remain suspended until a security fix was in place.

The firm said that a "loophole" in its systems had been used to obtain data from parents' viewing accounts including:

usernames
passwords
names
email addresses

"The person who identified the loophole has so far acted responsibly," said NurseryCam's director Dr Melissa Kao.

"He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures."

The company had earlier been involved in a public spat with a cyber-security consultant who had claimed to have found problems in its systems, which the company had played down.

The consultant, Andrew Tierney, stated he had also been contacted by the hacker, who had passed on a redacted copy of the stolen data.

Mr Tierney said he had made follow-up checks with some of the parents involved to check the details were real, and had contacted NurseryCam to offer his help.

"I don't know who this guy is," he said.

"But what I've done is send NurseryCam the weak points in its system that I had spotted over the last couple of weeks."

He added that ex-users of the system had not been included on the list he had seen.

Ms Kao said she did not believe the breach had been related to the previous alleged flaws that Mr Tierney had sought to bring to her attention.

"NurseryCam sincerely apologises to all our parent users and nurseries for the incident. We are very sorry," she added.

27/02/2021

Apple users targeted by 'mysterious' malware

About 30,000 Mac devices have been infected with a mysterious piece of malware.

The "unusual" Silver Sparrow strain silently affected systems in more than 150 countries around the world.

It was discovered by researchers at security company Red Canary, who have yet to determine its purpose.

Apple says it has taken steps to restrict the potential damage the malware, which targets devices with its new M1 chip, could cause.

Its actions effectively prevent any new devices from being infected.

BBC News has asked Apple to clarify how existing users can tell if they are affected.

Researchers said Silver Sparrow "did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems".

It appears to call a command-and-control server every hour, from an infected machine, to check for "further instructions".

It also has a system in place to self-destruct and hide its existence entirely.

This is a 'Wake-up call' to Mac users.

"Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” the researchers said.

Lisa Forte, from Red Goat Cyber Security, told BBC News the attack should be a wake-up call to Mac users who assumed they were not at the same risk as Windows users of being infected by malware.

"The malware doesn’t appear to have done anything nasty," she said.

"But the fact it spread so fast and infected so many devices is alarming in itself.

"No device is immune from viruses."

Computer security expert Alan Woodward said the attack appeared to be an effort to disprove this long-standing myth.

"It is as if someone was trying a proof of concept of how to move harmful code on to Macs and to control it once there," he said.

"But they didn’t include the truly damaging elements."

25/02/2021

Do you have an Amazon Alexa in your home?

After reading this you might just throw it in the bin... because those developing apps for the chatty AI assistant can bypass security measures and double-cross their users.

Computer security bods based in Germany and the US have analyzed the security measures protecting Amazon's Alexa voice assistant ecosystem and found them wanting.

In research presented on Wednesday at the Network and Distributed System Security Symposium (NDSS) conference, researchers describe flaws in the process Amazon uses to review third-party Alexa applications known as Skills.

The boffins – Christopher Lentzsch and Martin Degeling, from Horst Görtz Institute for IT Security at Ruhr-Universität Bochum, and Sheel Jayesh Shah, Benjamin Andow (now at Google), Anupam Das, and William Enck, from North Carolina State University – analyzed 90,194 Skills available in seven countries and found safety gaps that allow for malicious actions, abuse, and inadequate data usage disclosure.

The researchers, for example, were able to publish Skills using the names of well-known companies, which makes trust-based attacks like phishing easier. And they were also able to revise code after it had been reviewed without further scrutiny.

"We show that not only can a malicious user publish a Skill under any arbitrary developer/company name, but she can also make backend code changes after approval to coax users into revealing unwanted information," the academics explain in their paper, titled "Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem." [https://anupamdas.org/paper/NDSS2021.pdf]

By failing to check for changes in Skill server logic, Amazon makes it possible for a malicious developer to alter the response to an existing trigger phrase or to activate a previously approved dormant trigger phrase. A Skill manipulated in this way could, for example, start asking for a credit card after passing Amazon's initial review.

The researchers also found that the permission system Amazon uses to protect sensitive Alexa data can be bypassed. The problem is that just because a developer doesn't declare the intent to use an API for a sensitive data type like a credit card number, that doesn't preclude a developer's Skill from asking for or collecting that information.

"We tested this by building a skill that asks users for their phone numbers (one of the permission-protected data types) without invoking the customer phone number permission API," the paper explains. "Even though we used the built-in data type of Amazon.Phone for the intent, the skill was not flagged for requesting any sensitive attribute."

The boffins identified 358 Skills capable of requesting information that should be protected by a permission API.
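As an added illustration of the permission gap described above (this is not code from the paper, and not Amazon's certification tooling), a small static check that reads a Skill's manifest and interaction model and flags slots that collect permission-protected data without the matching permission declared; the slot-type and permission-scope names are assumptions about Alexa's format, the slot-name heuristic is ours, and the sample JSON is constructed:

```python
"""Static check for Alexa Skills that collect sensitive data through ordinary
slots. Added example; slot-type/permission names are assumptions and the
sample manifest and interaction model are constructed for illustration."""
import re

# Assumed mapping: built-in slot type -> permission scope that normally gates
# that data type in skill.json. Adjust if Amazon's names differ.
SENSITIVE_SLOT_TYPES = {
    "AMAZON.PhoneNumber": "alexa::profile:mobile_number:read",
    "AMAZON.PostalAddress": "alexa::devices:all:address:full:read",
}

# Heuristic (ours): free-form or custom slots whose names suggest sensitive data.
SUSPICIOUS_SLOT_NAME = re.compile(r"phone|mobile|card|ssn|password|account", re.I)


def declared_permissions(manifest: dict) -> set:
    """Permission scopes declared under manifest.permissions[].name (assumed layout)."""
    return {p.get("name") for p in manifest.get("manifest", {}).get("permissions", [])}


def audit_skill(manifest: dict, model: dict) -> list:
    """Return (intent, slot, reason) tuples for slots that gather sensitive data
    without a declared permission. An empty list means nothing was flagged."""
    perms = declared_permissions(manifest)
    findings = []
    intents = model.get("interactionModel", {}).get("languageModel", {}).get("intents", [])
    for intent in intents:
        for slot in intent.get("slots", []):
            name, stype = slot.get("name", ""), slot.get("type", "")
            needed = SENSITIVE_SLOT_TYPES.get(stype)
            if needed and needed not in perms:
                # Sensitive built-in type used, but the gating permission is absent.
                findings.append((intent["name"], name, f"{stype} collected without {needed}"))
            elif not needed and SUSPICIOUS_SLOT_NAME.search(name):
                # No built-in type involved, so the permission system is bypassed entirely.
                findings.append((intent["name"], name,
                                 f"free-form slot '{name}' of type {stype} looks sensitive"))
    return findings


# Constructed sample: a Skill that asks for a phone number and a card number but
# declares no permissions at all.
SAMPLE_MANIFEST = {"manifest": {"permissions": []}}
SAMPLE_MODEL = {"interactionModel": {"languageModel": {
    "invocationName": "parcel helper",
    "intents": [
        {"name": "CallbackIntent", "slots": [{"name": "number", "type": "AMAZON.PhoneNumber"}]},
        {"name": "PayIntent", "slots": [{"name": "cardNumber", "type": "AMAZON.SearchQuery"}]},
        {"name": "AMAZON.HelpIntent", "slots": []},
    ]}}}

if __name__ == "__main__":
    for intent, slot, reason in audit_skill(SAMPLE_MANIFEST, SAMPLE_MODEL):
        print(f"{intent}/{slot}: {reason}")
```

Run against the constructed sample it reports both intents; declaring the phone-number permission in the manifest clears the first finding but not the free-form card slot, which no permission scope covers.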

They also found that Skill squatting – e.g. Skills that try to get people to invoke them inadvertently by implementing invocation and intent names that sound similar to the invocation and intent names of legitimate Skills – is common.

At the same time, they observe that this isn't being done maliciously, to their knowledge. Rather, it appears mainly to be a way for developers to piggyback on the popularity of their own existing Skills – having two Skills activated by nearly identical phrases increases the likelihood that some of their software will run.

Finally, the researchers found that almost a quarter (24.2 per cent) of Alexa Skills don't fully disclose the data they collect. They contend this is particularly problematic for Skills in the "kids" and "health and fitness" categories due to the higher privacy standards expected by regulators. Along similar lines, they say about 23.3 per cent of Alexa Skill privacy policies don't adequately explain the data types associated with the permissions being requested.

Problems add up
These findings coincide with the arrival of another paper exploring Alexa security, from computer scientists Yanyan Li, Sara Kim and Eric Sy at California State University, San Marcos. Their work, titled "A Survey on Amazon Alexa Attack Surfaces," looks at Alexa more broadly.

It doesn't unearth previously unknown vulnerabilities. Rather it provides an overview of various attack vectors related to voice capturing, voice traffic transmission, Alexa voice recognition, Alexa skill invocation, Lambda functions and Amazon S3 buckets. It also proposes a variety of potential mitigations, all of which would require Amazon to invest additional time and resources to lock its ecosystem down.

The researchers from Germany and the US say Amazon has confirmed some of its findings and is working on countermeasures.

Amazon couldn't quite bring itself to acknowledge that when asked to comment, admitting only that it's always working on security. A company spokesperson said the company was aware of the work by Lentzsch and colleagues and is still reviewing the second paper.

"The security of our devices and services is a top priority," Amazon's spokesperson said in an email to The Register. "We conduct security reviews as part of skill certification and have systems in place to continually monitor live skills for potentially malicious behavior."

"Any offending skills we identify are blocked during certification or quickly deactivated. We are constantly improving these mechanisms to further protect our customers. We appreciate the work of independent researchers who help bring potential issues to our attention."

24/02/2021

Microsoft president asks Congress to force private-sector orgs to publicly admit when they've been hacked.
Senate intelligence committee hears ideas in light of SolarWinds disaster.

The private sector should be legally obliged to disclose any major hacks of their systems, says Microsoft’s president and top lawyer Brad Smith.

Speaking at a Senate Intelligence Committee hearing on Tuesday regarding the SolarWinds backdoor, through which suspected Russian agents infiltrated the computers of US government departments and Fortune 500 companies, Smith argued it was “time not only to talk about but to find a way to take action to impose in an appropriate manner some kind of notification obligation on entities in the private sector.”

He noted it was “not a typical step” for a company to ask the United States Congress to “place a new law on ourselves and on our customers, but I think it’s the only way we’re going to protect our country and I think it’s the only way we’re going to protect the world.”

The invitation was certainly unusual but it was notably not challenged by the other panelists at the hearing: the CEO of SolarWinds, and of security experts FireEye – which first spotted and blew the lid off the tampered-with network monitoring software – and CrowdStrike. All of them agreed that there needed to be more information sharing across business and government, although only Smith proposed an actual legal obligation.

The experts were also agreed on a number of other aspects of the hack: that it was carried out by a “very, very sophisticated” team that was undoubtedly state-sponsored. CrowdStrike’s CEO George Kurtz noted the hackers’ “superb tradecraft,” and “very unique” approach. And while only Smith was willing to say categorically that it was Russia, FireEye’s CEO Kevin Mandia noted that following an intensive investigation by his team, which included looking for clues in reams of decompiled code, they had concluded that the hack was “not consistent with China, North Korea or Iran, and was most consistent with Russia.”

They also agreed that the manner of the attack – in which the hackers compromised the build stage of SolarWinds' Orion software to hide a backdoor in the product before it was released for users to download and install – was itself problematic. Both Smith and SolarWinds’ CEO Sudhakar Ramakrishna called that approach “reckless” as it not only exposed a vast number of businesses but also undermined people's faith in the critical process of regularly updating and patching software.

Smith argued that it was also time to start identifying and punishing the perpetrators of such hacks, with the White House acknowledging this week that it was considering naming and punishing Russia for its actions.

Carefully planned
Mandia made it clear that the hackers had prioritized not being discovered over other goals, suggesting that the Russian government was also aware that it was crossing a dangerous line.

For instance, the hidden backdoor activates around 11 days after the tainted version of Orion is installed to make it harder to connect any future discovery to a SolarWinds update. They also carried out a test run against SolarWinds systems months before the real hack, and waited to see if their approach would be discovered. And they used different IP addresses for each attack, none of which had been used in any previous sorties.

Once the miscreants entered the network of an organization that had installed the backdoored Orion builds, they would seek out ways to access systems as real employees, minimizing suspicion. They also connected into their victims' networks from Amazon Web Services servers, as traffic to and from that cloud platform tended to look legit.

In other words, it had been a meticulously planned attack. Microsoft’s investigative team concluded that it had taken a team of over 1,000 “very skilled engineers” to pull it off. Mandia said the hack had been “exceptionally hard to detect,” and Smith said the whole attack was in a “different category” to any other previous hacking effort. Yes, Smith doubled down on his earlier 1,000 estimate, meaning either Redmond is way off but sticking to its guns, or that the US intelligence services were caught off-guard by another nation wielding effectively the engineering and operations force of a non-trivial-sized software business.

Smith also said Microsoft had warned 60 of its customers that they were likely compromised by the SolarWinds hackers, who, according to Smith, "may have used up to a dozen different means of getting into victim networks during the past year." It's understood Microsoft's antivirus telemetry picked up signs of intrusion in at least some of those cases.

All of this inevitably led to a discussion about what to do to prevent such future invasions. Everyone agreed that sharing information was essential, and that too much information was currently being held in “silos,” either in government or the private sector. There’s nothing new in this, or in calls for everybody to share more intelligence.

But the reason why businesses don’t like that idea was apparent in the form of SolarWinds’ Ramakrishna who read from a script and offered only bland generalizations, almost certainly because his company faces potential ruin from lawsuits heading his way and the lawyers locked down anything he would say in a public hearing.

Future headaches
That’s why Smith suggested a compulsory disclosure law. It was also said that the nature of computer security changes, and that therefore more focus should be put on the software build processes to ensure there has been no tampering with code prior to release, and – in a suggestion liable to induce migraines – that users be required to reauthenticate every time they shifted from one internal or external service or machine to another, to prevent hackers from skipping around inside networks.

Smith couldn't resist pushing his company’s interest, however: he argued that the size and scope of the hack meant that it was more important than ever that everyone move their computing to the cloud. Every hack in this case, he noted, had started with on-premises servers before migrating to Microsoft’s cloud systems. A global shift to the cloud would suit Microsoft down to the ground.

However, that pitch for the glory of Microsoft was undermined by CrowdStrike’s Kurtz, who pointed out that the spread of the hack was in large part thanks to “systemic weaknesses in Windows,” and pointed to “traditional authentication methods and legacy security technologies” as the biggest problem.

"Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms," he said pointedly.

As for insights from the other major tech company that was embroiled in the hack, Amazon Web Services, a representative for the company refused to attend the hearing, something that didn’t sit well and was repeatedly raised by Senators, including the committee’s chair and vice-chair.