Dyn Confirms DDoS Attack Affecting Twitter, Github, Many Others

October 21, 2016 , 10:01 am

IoT Botnets Are The New Normal of DDoS Attacks

October 5, 2016 , 8:51 am

Backdoor Found in Firmware of Some Android Devices

November 21, 2016 , 3:20 pm

Threatpost News Wrap, November 18, 2016

November 18, 2016 , 9:15 am

iPhone Call History Synced to iCloud Without User Consent, Knowledge

November 17, 2016 , 1:51 pm

Microsoft Patches Zero Day Disclosed by Google

November 8, 2016 , 2:57 pm

Microsoft Says Russian APT Group Behind Zero-Day Attacks

November 1, 2016 , 5:50 pm

Google to Make Certificate Transparency Mandatory By 2017

October 29, 2016 , 6:00 am

Microsoft Extends Malicious Macro Protection to Office 2013

October 27, 2016 , 4:27 pm

Dyn DDoS Work of Script Kiddies, Not Politically Motivated Hackers

October 25, 2016 , 3:00 pm

Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers

October 22, 2016 , 6:00 am

FruityArmor APT Group Used Recently Patched Windows Zero Day

October 20, 2016 , 7:00 am

Experts ‘Outraged’ by Warrant Demanding Fingerprints to Unlock Smartphones

October 18, 2016 , 4:58 pm

Leftover Factory Debugger Doubles as Android Backdoor

October 14, 2016 , 9:00 am

Researchers Break MarsJoke Ransomware Encryption

October 3, 2016 , 5:00 am

OpenSSL Fixes Critical Bug Introduced by Latest Update

September 26, 2016 , 10:45 am

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Credentials Accessible in Siemens-Branded CCTV Cameras

November 21, 2016 , 12:10 pm

Facebook Debuts Open Source Detection Tool for Windows

September 27, 2016 , 12:24 pm

Serious Dirty Cow Linux Vulnerability Under Attack

October 21, 2016 , 11:21 am

Popular Android App Leaks Microsoft Exchange User Credentials

October 14, 2016 , 8:00 am

Cisco Warns of Critical Flaws in Nexus Switches

October 7, 2016 , 10:55 am

Free Tool Protects Mac Users from Webcam Surveillance

October 7, 2016 , 7:00 am


Threatpost | The first stop for security news


Microsoft Intune to support Android for Work

Microsoft announced late Tuesday that it has joined Google's Android for Work program and will support Google's container technology for mobile application management in a future release of Intune, Microsoft's own enterprise mobility management (EMM) server. The Microsoft blog post gave no timeline.

Android for Work, initially released in winter 2015 as part of an Android 5.0 Lollipop update, brought to Android the same level of enterprise-grade protection for mobile apps that had previously been available only to Apple's iOS devices or Samsung's Android devices running Samsung's own Knox technology.

Among the Android for Work capabilities that Microsoft said Intune would initially support are the following:

  • Support for work policies: the policies that apply to the separate work container Android for Work creates on a device for corporate apps.
  • Unified deployment of Android apps, both public apps from the Google Play Store and private apps developed by or for the enterprise.
  • Support for Android for Work app configuration policies in IT-developed apps, which go beyond what the standard Android application policies provide for consumer apps.

Until recently, Intune seemed designed to force enterprises to ditch their existing EMM tools in favor of Microsoft's, for example by withholding access to Microsoft's proprietary information management APIs from other EMM tools. Intune also did not support Macs, which compete with Microsoft's own Windows operating system.

However, this summer Microsoft began quietly supporting some Mac management APIs in Intune. And since last fall it has allowed enterprises to use its Enterprise Mobility Suite, of which Intune is an optional component, in concert with other vendors' EMM servers.

That shift let enterprises keep their existing EMM vendor relationships while being able to use the proprietary Office 365 information management APIs. Microsoft has also worked with the leading EMM providers to have them support Azure Active Directory in their identity management capabilities.

First things first, we do not recommend that you screw around with crooks.

That includes 419 scammers and fake tech support outfits, whether they cold-call you or lure you into calling them.

If you’re talking to them on the phone, they know your phone number. If somebody in the scam outfit got your number via a data breach, the caller might even know where you live.

All you really know for sure is that they’re crooks.

Our advice is to just hang up, lest you be on the receiving end of threats to, say, chop you up and feed you to the fishes.

Having said that, there’s a set of people who most certainly don’t hang up.

Damn the potential risk, full speed ahead. They do things like draw out the conversations to waste the crooks’ time. One guy even cooked up an autobot to do the work for him: he’d forward calls to it, thereby automatically (and hilariously) wasting the fraudsters’ time.

There’s a new one to add to that turn-the-tables genre. His name is Ivan Kwiatkowski, and his modus operandi was to infect the scammer with Locky ransomware.

As Kwiatkowski tells it, earlier in the month, his parents somehow managed to land on a page (now defunct, but here’s a screenshot) telling them that their brand-new system – it had been in use for only 30 minutes! – had somehow been infected with the notorious Zeus malware.

As tech support scams go, this one was replete, blinking and flashing like the Strip in Las Vegas on a Friday night:

This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows’ BSoD days, and yet somehow it displayed a random IP address instead of the visitor’s one.

Kwiatkowski decided to mess with the crooks. So he fired up an old Windows XP virtual machine (VM), got in touch with “tech support,” got past a prerecorded message, and eventually reached a human who identified herself as “Patricia.”

The typical tech support scam ensued:

She guides me through the steps needed to download some kind of remote-assistance client: Windows+R, type in iexplore remote.join360.net, jump through a few more hoops and run whatever executable is offered to you. From what I gather, this is actually a legitimate tech-support program, it being digitally signed and all.

In these scams, the caller won’t take no for an answer until you give them remote access to your computer and let them “fix” the “threat” – for a fee, of course.

You also need to buy their super duper antivirus software, of course, and open up whatever executable files they want you to click on.

It used to be that these fake tech support callers would call us, but nowadays, as more and more people refuse to take calls from unknown numbers, the crooks have been adapting.

Instead of them calling you, it’s increasingly common that they’ll use a web ad or popup that simply runs the scam in reverse: like what happened to Kwiatkowski’s parents, the crook will display a warning and advise you to call them, typically on a toll-free number.

Toll-free! Hey, they’re paying for the call, so they’ve got skin in the game, right? Well, that’s what they’re hoping you’ll figure, at any rate.

So “Patricia” got access to Kwiatkowski’s VM and typed in commands that returned results she knew would frighten the naïve and supposedly give her tech cred – “1452 virus found!” or “ip hacked!” – and yet, in spite of her purported tech sophistication, she missed the fact that the VM had a few interesting icons kicking around: OllyDbg, a 32-bit assembler-level analyzing debugger for Windows, and IDA, a multi-processor disassembler and debugger.

Oops! Your 15 minutes of free support are over, Mr. Kwiatkowski. She’ll call back so you don’t have to pay for more of this benevolence.

And that’s just what she did: she called back, berated him for not running antivirus software (which he told her he wasn’t), and encouraged him to buy ANTI SPY or ANTI TROJAN, “for the measly sum of $189.90.”

As a matter of fact, there’s somebody connected to your system right now! she says.

The conversation that ensues:

Isn’t that you? I ask. This says it’s someone from Delhi.
An awkward pause follows. She tells me that she’s actually the “localhost” line, because localhost means secure connexion. I fight back:
— Are you sure? I thought localhost meant the local machine.
She mumbles a little then proceeds to read me that whole section of her script again, asserting once again that this other IP belongs to [someone] who lives in Delhi like her but is a totally different person – a malicious hacker.

Back to the software sale: Patricia escalated her uncooperative “client” to her boss. Kwiatkowski sent the guy test credit card numbers that were sure to fail payment processing.

Eventually, claiming bad eyesight, Kwiatkowski sent a “photo of his credit card” and told the caller to try inputting the number himself.

That was no photo of a credit card.

He’d gone into his junk email folder and found samples of the latest Locky campaign: .zip files with a script that downloads ransomware.
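The .zip-with-a-script-inside lure is the part of this story a mail administrator can actually do something about. What follows is an added example, not code from the Naked Security article or from Kwiatkowski: a small Python screener that opens an attachment in memory and flags archive members whose real extension is a Windows script type, a native executable, or a nested archive, which is how Locky-era campaigns smuggled their JScript downloader past users who only saw "invoice.pdf" because Windows hides known extensions. The extension lists and the sample attachment are constructed for the example.

```python
import io
import os
import zipfile
from typing import Dict, Optional

# Script types Locky-era .zip lures used to carry the first-stage downloader
# (assumption: a reasonable gateway blocklist, not a list from the article).
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
    ".cmd", ".bat", ".ps1", ".lnk", ".scr",
}
NATIVE_EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".pif"}
NESTED_ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def classify_member(name: str) -> Optional[str]:
    """Return the reason a mail gateway should block this archive member, or None."""
    if name.endswith("/"):
        return None                                   # directory entry
    # Lower-case, drop any path, and strip trailing blanks so that
    # "invoice.pdf .js " style padding still yields the real extension.
    base = os.path.basename(name.lower()).rstrip()
    _, ext = os.path.splitext(base)                   # "invoice.pdf.js" -> ".js"
    if ext in SCRIPT_EXTENSIONS:
        return f"script payload ({ext})"
    if ext in NATIVE_EXECUTABLE_EXTENSIONS:
        return f"native executable ({ext})"
    if ext in NESTED_ARCHIVE_EXTENSIONS:
        return f"nested archive ({ext})"
    return None


def suspicious_members(zip_bytes: bytes) -> Dict[str, str]:
    """Map each blockable member of a .zip attachment to the reason it was flagged."""
    flagged: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_member(info.filename)
            if reason is not None:
                flagged[info.filename] = reason
    return flagged


def build_sample_attachment() -> bytes:
    """Constructed stand-in for a Locky lure: a .zip holding a JScript 'invoice'
    whose double extension hides the .js, plus a harmless text file.
    The script body is inert placeholder text, not a real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_20160518.pdf.js",
                    "// placeholder: a real lure would fetch and run the payload\n")
        zf.writestr("readme.txt", "Thank you for your order.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_attachment()).items():
        print(f"BLOCK {member}: {why}")
```

The check deliberately keys on the last extension rather than on the file's declared type, because that is what Windows Script Host will honour when the victim double-clicks; a gateway that only matched "*.js" at the end of a name would also catch these, but the padding and nested-archive cases are where simple pattern rules usually fail.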

Kwiatkowski had already noted that the remote-assistance client was a two-way street: he could use it to upload to the scammer’s PC as well as to download.

He grabbed a piece of malware at random and uploaded it, telling the caller that…

Look, Dileep, I’m old and my sight is not so good. It’s starting to hurt, having to squint to read those tiny numbers. Also, we’ve established I’m no good with computers, how about you give me a hand here?

That was followed by silence, after which the caller said that he had tried to open it, but nothing happened.

The scammer was wrong, of course: there was indeed something happening.

In the background, a process was running to encrypt the files on the tech support scammer’s system. The only way to get them back: to buy the decryption key from the crooks via the dark web.

As of February, we were seeing prices to decrypt Locky-ransomed files that varied from 0.5 to 1.00 bitcoin, with one bitcoin being worth about $400/£280.

Kwiatkowski says he’s contacted the scammer’s ISP to report abuse, as well as their webhost and authorities.

He’s considering this a solid win in the war against tech support scammers and is recommending that others do the same, even listing a phone number to call.

But I’m not so sure. It’s a great story, but we don’t tend to give hip-hip-hurrays to people who inflict ransomware.

Do two wrongs make a right?

Let us know your thoughts in the comments section below.

In the meantime, if you’re wondering…

What to do?

  • If you receive a cold call about accepting support – just hang up.
  • If you receive a web popup or ad urging you to call for support – ignore it.
  • If you need help with your computer – ask someone whom you know, and like, and trust.

In this case, when we say “someone you know,” we mean “someone you’ve actually met in person,” as opposed to just online.

You know that old truism that on the internet, nobody can tell you’re a dog? Just take out “dog” and substitute “Donald Trump himself,” “Justin Bieber,” or “legitimate tech support,” and that equation’s still solid.

In the case of PC technical support, especially to do with malware or any sort of cyberattack, don’t look for help online. In fact, if you use Bing, you won’t even be shown such offers: in May, Microsoft threw out the whole lot, instituting a blanket ban on online tech support ads.

Were there any babies in that bath water? Sure, probably. There might well have been legitimate tech support outfits that got banned from the search engine.

But how can you find them? Scammers have ruined it for everyone, turning that bath water into a toxic swamp.

DEALING WITH FAKE SUPPORT CALLS

Here’s a short podcast you can recommend to friends and family. We make it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.

(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)


Information Security Podcasts

SAP’s Monthly Patches Dominated by Hot News and High Priority Flaws

To date, SAP has issued more than 3,660 Security Notes and Support Package Implementation Notes to address thousands of vulnerabilities in its business critical applications, a new report from ERPScan reveals.

Of the total of 3,663 Security Notes that SAP has issued through June 2016, 212 were rated Hot News and 2,383 were rated High Priority, meaning that only around 25% of the flaws were Medium (798) and Low (145) priority.

Cross-site scripting (20.47%), missing authorization (20.45%) and directory traversal (11.96%) were the most common types of flaws, together accounting for nearly 53% of all vulnerabilities, ERPScan’s report shows. Configuration issues (10.52%) and SQL injection (7.64%) round out the top five, followed by information disclosure (7.33%) and cross-site request forgery (6.57%).

The average number of SAP Security Notes per month has fallen steadily: 61 in 2011, 53 in 2012, a sharp drop to around 30 in 2013, and only 22 so far in 2016. The number of vulnerabilities actually fixed is higher than the note count suggests, however, because SAP now fixes multiple flaws with a single patch, ERPScan says.

Three years ago, the company issued a separate patch for each discovered vulnerability; the newly adopted approach makes it easier to apply the security updates that arrive on the second Tuesday of each month. However, SAP does not disclose how many vulnerabilities each patch resolves, which makes analysis and correlation with CVE identifiers harder, the report says.

What’s more, around 85% of vulnerabilities are closed internally, meaning that information about them, and the patches themselves, are released only to customers and partners. Of the remaining 15%, which are discovered by external researchers, some are never assigned a CVE identifier.

Over the past few years SAP has also broadened its platform portfolio to include cloud and mobile technologies such as HANA, which widens the attack surface. Cloud and mobile deployments expose SAP systems more directly to the Internet, so every vulnerability discovered in these services can affect thousands of multinational companies (after all, 90% of the Fortune 2000 companies use SAP).

“For example, the latest reported issues in SAP Mobile affect more than a million mobile devices, and SAP HANA vulnerabilities affect 6,000+ companies that use SAP HANA,” ERPScan notes.

The report also says that almost every SAP module has vulnerabilities, with CRM being in the lead, followed by EP and SRM. However, it appears that researchers and hackers were more attracted by the vulnerabilities affecting SAP HANA and SAP Mobile apps when compared to the traditional modules.

There was also a growth in the number of vulnerabilities in industry-specific solutions, with over 160 vulnerabilities detected in SAP’s products designed for particular industries. The SAP industry-specific solutions for Banking, Retail, Advertising Management, Automotive, and Utilities are the most vulnerable products.

There are more than 36,000 SAP systems worldwide, and most of them (69%) should not be reachable directly from the Internet. Nevertheless, numerous unnecessarily exposed services leave systems vulnerable, and almost half of them “are implemented in countries where wide adoption of new technologies takes place (such as USA, India, and China),” the report claims.
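The report’s point about unnecessarily exposed services is easier to act on with a concrete check. The following Python script is an added example, not code from ERPScan or SAP: it takes the open ports an external scan found on each host, maps them to SAP services using SAP’s conventional default port layout (an assumption of the example; installations with customised ports need their own table), and flags anything an organisation’s own exposure policy says should never face the Internet. The allowlist of Internet-facing services and the sample scan data are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# SAP's conventional default ports, where NN is the two-digit instance number
# and the port is base + NN * step. These defaults are an assumption of this
# example (they are not taken from the ERPScan report); installations with
# custom port assignments need their own table.
SAP_PORT_PATTERNS: Dict[str, Tuple[int, int]] = {
    "dispatcher (SAP GUI/DIAG)": (3200, 1),      # 32NN
    "gateway (RFC)":             (3300, 1),      # 33NN
    "message server":            (3600, 1),      # 36NN
    "ICM HTTP":                  (8000, 1),      # 80NN
    "Java AS HTTP":              (50000, 100),   # 5NN00
    "sapstartsrv SOAP":          (50013, 100),   # 5NN13
    "HANA SQL":                  (30015, 100),   # 3NN15
}
SAPROUTER_PORT = 3299

# Services an organisation might deliberately expose (assumption: your own
# policy decides this; here SAProuter and the HTTP front ends, which are
# expected to sit behind a reverse proxy or WAF). Anything else is a finding.
INTERNET_FACING_OK = {"SAProuter", "ICM HTTP", "Java AS HTTP"}

Service = Tuple[str, Optional[int]]               # (service name, instance number)
Finding = Tuple[str, int, str, Optional[int], str]  # (host, port, service, instance, verdict)


def build_port_map() -> Dict[int, Service]:
    """Expand the patterns into a port -> (service, instance) lookup for NN = 00..99."""
    port_map: Dict[int, Service] = {}
    for service, (base, step) in SAP_PORT_PATTERNS.items():
        for nn in range(100):
            port_map.setdefault(base + nn * step, (service, nn))
    # 3299 is by convention SAProuter rather than dispatcher instance 99.
    port_map[SAPROUTER_PORT] = ("SAProuter", None)
    return port_map


PORT_MAP = build_port_map()


def identify(port: int) -> Optional[Service]:
    """Name the SAP service that conventionally listens on this port, if any."""
    return PORT_MAP.get(port)


def audit_exposure(scan: Dict[str, List[int]]) -> List[Finding]:
    """Turn {host: [open ports]} from an external scan into findings.

    The verdict is 'review' for a service the policy allows to face the
    Internet and 'block' for everything else. Ports with no SAP meaning
    (SSH, plain HTTPS, ...) are ignored.
    """
    findings: List[Finding] = []
    for host, ports in scan.items():
        for port in sorted(set(ports)):
            hit = identify(port)
            if hit is None:
                continue
            service, instance = hit
            verdict = "review" if service in INTERNET_FACING_OK else "block"
            findings.append((host, port, service, instance, verdict))
    return findings


# Constructed sample scan result (RFC 5737 documentation addresses), not real data.
SAMPLE_SCAN: Dict[str, List[int]] = {
    "203.0.113.10": [22, 3200, 3300, 8000, 50000],
    "203.0.113.11": [443, 3299, 30015],
}

if __name__ == "__main__":
    for host, port, service, instance, verdict in audit_exposure(SAMPLE_SCAN):
        inst = "" if instance is None else f" instance {instance:02d}"
        print(f"{verdict.upper():6} {host}:{port} {service}{inst}")
```

Run against the sample, the script blocks the dispatcher, RFC gateway and HANA SQL listeners and marks the HTTP front ends and SAProuter for review; the instance number it derives is what you need to find the owning system in a landscape with many SIDs.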

Related: SAP Patches Critical Clickjacking Vulnerabilities

Related: SAP Patches Critical Code Injection, XSS Vulnerabilities

Related: Five-year-old SAP Vulnerability Haunts Global Businesses



SecurityWeek RSS Feed

Microsoft Windows with Apple QuickTime installed

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving the software vulnerable to exploitation. [1] All software products have a lifecycle, and QuickTime for Windows has reached the end of its support lifecycle. [1]

The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] [3]

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. [4]
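Because uninstalling is the only mitigation, the practical first step is finding which Windows hosts still have QuickTime installed. The script below is an added example, not part of the US-CERT alert: it enumerates the standard per-machine Uninstall registry keys (including the WOW6432Node key where 32-bit applications such as QuickTime register on 64-bit Windows), filters the records whose DisplayName contains "QuickTime" (an assumption about how Apple’s installer labels the product), and prints the recorded uninstall command. On a non-Windows host the registry read is skipped and a constructed sample inventory is used instead, so the filtering logic can be exercised anywhere; the sample product names, versions and the placeholder product code are constructed.

```python
import sys
from typing import Iterable, List, Optional, Tuple

try:
    import winreg  # Windows-only standard-library module
except ImportError:  # not on Windows: read_install_records() returns []
    winreg = None

# Per-machine installed-program records; the second key holds 32-bit
# applications (such as QuickTime) on 64-bit Windows.
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

# (DisplayName, DisplayVersion, UninstallString) as stored under each subkey.
InstallRecord = Tuple[Optional[str], Optional[str], Optional[str]]


def find_quicktime(records: Iterable[InstallRecord]) -> List[InstallRecord]:
    """Return the records whose DisplayName identifies QuickTime.

    Assumption: Apple's installer registers the product with 'QuickTime' in
    DisplayName. Matching is case-insensitive; other Apple products are ignored.
    """
    return [r for r in records if r[0] and "quicktime" in r[0].lower()]


def _value(key, name: str) -> Optional[str]:
    """Read one string value from an open registry key, or None if absent."""
    try:
        return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def read_install_records() -> List[InstallRecord]:
    """Enumerate the Uninstall keys on a Windows host (empty list elsewhere)."""
    if winreg is None:
        return []
    records: List[InstallRecord] = []
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # key absent, e.g. no WOW6432Node on 32-bit Windows
        with root:
            index = 0
            while True:
                try:
                    subkey_name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                with winreg.OpenKey(root, subkey_name) as sub:
                    records.append((_value(sub, "DisplayName"),
                                    _value(sub, "DisplayVersion"),
                                    _value(sub, "UninstallString")))
    return records


# Constructed sample inventory for hosts where the registry cannot be read.
# {PRODUCT-CODE} is a placeholder, not Apple's real MSI product code.
SAMPLE_RECORDS: List[InstallRecord] = [
    ("Apple Software Update", "2.1.4.131", "MsiExec.exe /X{PRODUCT-CODE}"),
    ("QuickTime 7", "7.7.9", "MsiExec.exe /X{PRODUCT-CODE}"),
    ("Mozilla Firefox 45.0.2 (x86 en-US)", "45.0.2", None),
    (None, None, None),  # subkeys without a DisplayName do occur
]

if __name__ == "__main__":
    records = read_install_records() if sys.platform == "win32" else SAMPLE_RECORDS
    for name, version, uninstall in find_quicktime(records):
        print(f"UNINSTALL {name} {version or '?'}: {uninstall or 'no UninstallString recorded'}")
```

The UninstallString is what a deployment tool would run (silently, with msiexec's /qn switch) across the fleet; checking it on each host rather than trusting a software inventory catches machines where QuickTime was installed as a side effect of iTunes.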


US-CERT Alerts