1. RobbinHood Ransomware: Another Reason To Back Up Your Systems


    The creators of the dreaded ‘Robbinhood’ ransomware strain are putting their reputation to work for them.  The hackers have recently modified their ransom note in a couple of important ways.

    First and foremost, they stress that there’s no public decryption tool currently available to recover files encrypted by RobbinHood and that they are monitoring the situation to make sure that the company impacted by the malware does not contact law enforcement.  Any attempt to do so “will damage your files,” the warning reads.

    Those two recent additions are bad enough on their own, but the hackers took an additional step. They are now directing victims to a web search highlighting an incident that occurred in Greenville, North Carolina and another that impacted servers in the city of Baltimore.

    Robbinhood was used in both attacks, and while the ransoms demanded in both cases weren’t excessive (less than $100,000 initially demanded), the aftershocks arising from those attacks wound up costing the city millions.  In fact, according to CBS Baltimore, the city “put more than $18 million into the attack.”

    Clearly, the recent changes to the ransom note used by the attackers are aimed at convincing those impacted by their malware to pay up and keep quiet.  How well that will ultimately work remains to be seen, but at this point, the hackers are correct.  There is no public decryption tool.

    What they don’t mention, of course, is the fact that paying the ransom isn’t the only way to recover encrypted files.  If your company is in the habit of making good, complete backups at regular intervals, then a ransomware attack doesn’t have to be devastating.  With a proper, timely response, it could be little more than an inconvenience.  Naturally, the hackers don’t want to draw attention to this, but it is something you and your IT staff should keep very much in mind.

    Used with permission from Article Aggregator

  2. Twitter Utilized User 2FA Phone Numbers For Ad Targeting


    Twitter isn’t having a good year.  Over the past twelve months, the company has fessed up to half a dozen bugs and blunders that have left the company with egg on their faces and have earned the ire of their burgeoning user base.

    In late 2018, the company disclosed a bug that shared a variety of private user data with third party app developers.

    Then in January 2019, the company disclosed the existence of a bug that had been sharing a small percentage of private tweets going back more than five years.

    Then in May 2019, the company disclosed a new bug that shared the location data of an unknown number of iOS users with “a trusted partner.”

    On top of that, the month of August 2019 saw the company fess up to two separate issues. One issue involved sharing user data with advertising partners without their users’ express consent. The other was where advertisers made inferences about a user’s device in order to custom-tailor advertising. That, again, was without the express consent of the users.

    Which brings us to this most recent blunder.  According to a spokesperson for Twitter, the company used phone numbers provided by its user base for two-factor authentication, along with email addresses, to display targeted ads.  This is the exact behavior that Facebook recently got raked over the coals for.

    It gets worse though, because the company apparently has no data, and no way to tell exactly how many of its users saw their information exposed and misused in this manner.

    The company issued a formal statement, apologized for the error, and said that the issue had been fixed as of September 17th.  That’s small consolation to their users, for whom this kind of thing is fast becoming the norm.  It’s enough to make some people rethink using the platform altogether, and rightly so.

    Used with permission from Article Aggregator

  3. Support For Microsoft Office 2010 Ending Soon, Upgrade Recommended


    Are you still using Microsoft Office 2010?

    If so, Microsoft recently issued a reminder you’re not going to like hearing.

    Extended Support for Office 2010 expires on October 13th, 2020, so time is running out to upgrade. The company’s official recommendation is to upgrade to either Office 365 ProPlus or Office 2019.

    In addition to that, “We also recommend business and enterprise customers use the deployment benefits provided by Microsoft and Microsoft Certified Partners, including Microsoft FastTrack for cloud migrations and Software Assurance Planning Services for on-premises upgrades.”  That guidance comes from the Office 2010 End of Support Roadmap, published by Microsoft.

    Elsewhere on Microsoft’s site, the company seems to be pushing hard for Enterprise users to upgrade to Office 365 ProPlus. In particular, they added the following information:

    “Upgrade to Office 365 ProPlus, a product built for today’s challenges and literally getting better all the time, as we continue innovating across–and investing in–the experience.  Consider just a few benefits:  AI and machine learning to advance creativity and innovation, real time collaboration across apps, and Microsoft Teams as the hub for teamwork.”

    All of that is well and good, and certainly true. However, for some Enterprise users, Office 2019 might simply be the better fit, even if the company isn’t pushing it as hard. In any case, the takeaway is simply this:  Support is ending for Office 2010.  If you’re still using it, you need to be making migration plans now and begin using one of the two aforementioned products before the support period ends.  You’ll find detailed instructions on how to migrate on the company’s website if you don’t already have a clear understanding of the process.

    In a related vein, note that the Windows 10 Creators Update (version 1703) has now reached end of service and will no longer receive any quality or security updates.

    Used with permission from Article Aggregator

  4. Tamper Protection Enabled By Default In Windows 10 Update


    Do you have the new Windows 10?

    If you’re not sure, the most recent version (as of the time this article was written) is version 1903, which was the May 2019 update.

    Assuming you’ve got that version or later, you should have Microsoft’s Tamper Protection enabled by default.

    If you’re not sure what the big deal is, in a nutshell, Windows Tamper Protection blocks scripts, apps and programs from making changes to your security settings and to Microsoft Defender.  That’s a very good thing, but if you’re looking for a bit more detail, keep reading.

    Microsoft has all of this to say about the feature:

    “Tamper protection prevents unwanted changes to security settings on devices.  With this protection in place, customers can mitigate malware threats that attempt to disable security protection features.  Here are some examples of services and settings that are protected from modification, either by local admins or by malicious applications:

    • Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next generation protection and should rarely, if ever, be disabled.
    • Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before-seen malware within seconds.
    • IOAV (IE Downloads and Outlook Express Attachments initiated), which handles the detection of suspicious files from the internet.
    • Behavior monitoring, which works with real-time protection to analyze and determine whether active processes are behaving in a suspicious or malicious way, and then blocks them.
    • Security intelligence updates, which Windows Defender Antivirus uses to detect the latest threats.”

    All that to say, it’s a solid feature and a fairly robust means of protecting your computer.  Kudos to Microsoft for making it a priority.  If you’re a home user, you can check the status of your system’s Tamper Protection in the Windows Security app.  Just check to see if Tamper Protection is enabled and you’re all set.
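    If you would rather check the whole list from a script than click through the Windows Security app, here is an added PowerShell example (not from the article or from Microsoft) that reports the state of Tamper Protection and of each setting quoted above. It assumes a Windows 10 1903 or later machine running Microsoft Defender Antivirus, where the Defender module’s Get-MpComputerStatus and Get-MpPreference cmdlets are available.

```powershell
# Added example: report Tamper Protection and the settings it protects.
# Assumes Windows 10 1903+ with Microsoft Defender Antivirus and its
# PowerShell module (Get-MpComputerStatus / Get-MpPreference).
# Run from an elevated PowerShell prompt.

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced.
$cloudEnabled = ($prefs.MAPSReporting -ne 0)

# One entry per protection the article lists, plus Tamper Protection itself.
$checks = [ordered]@{
    'Tamper Protection'          = $status.IsTamperProtected
    'Real-time protection'       = $status.RealTimeProtectionEnabled
    'Cloud-delivered protection' = $cloudEnabled
    'IOAV protection'            = $status.IoavProtectionEnabled
    'Behavior monitoring'        = $status.BehaviorMonitorEnabled
    'Signatures under 7 days old'= ($status.AntivirusSignatureAge -lt 7)
}

$problems = @()
foreach ($name in $checks.Keys) {
    $ok    = [bool]$checks[$name]
    $state = if ($ok) { 'OK' } else { 'DISABLED / STALE' }
    '{0,-28} {1}' -f $name, $state
    if (-not $ok) { $problems += $name }
}

if ($problems.Count -eq 0) {
    'All listed protections are enabled.'
} else {
    "Needs attention: $($problems -join ', ')"
    # Tamper Protection itself is toggled in the Windows Security app (or by
    # your management tooling); the other settings can be restored with
    # Set-MpPreference once you know why they were changed.
}
```

    With Tamper Protection on, a script or local admin that tries to flip the other settings should fail, so a “DISABLED” line here is worth investigating rather than silently re-enabling.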

    Used with permission from Article Aggregator

  5. Windows 10 Will Get Android Phone Call Integration Features


    Microsoft may have given up on the idea of putting their Windows operating system on smartphones, but that doesn’t mean they’ve given up on smartphones altogether.

    Recently, the company announced a significant feature addition that will allow users to take calls made to an Android phone from their Windows-based PC.

    The new feature is currently only available to Windows Insiders for testing, but will be generally available to all users in an upcoming build in the unspecified, but not too distant future.  It makes use of your PC’s speakers, microphone and screen. Using the new feature, you’ll be able to answer an incoming call from your PC, decline calls from the PC with a custom text, transfer calls between your PC and Android phone, and access your recent call history.

    In order to make use of the feature, three conditions must be true:  you must be using Windows 10 Build 19H1, version 1903 or higher; the Android phone must be running version 7.0 Nougat or higher; and the PC needs to have a Bluetooth radio installed. Once those conditions are met, you’re all set and can turn your trusty PC into a substitute for your Android phone.

    Initially, when news of the feature first leaked, it was to be available only to certain Samsung Galaxy devices. However, in the weeks since the leak, Microsoft has broadened their horizons, although a few of the features are still exclusive to Samsung’s phones.  How long that remains true is yet to be determined.

    In any case, it’s a good move and a genuinely valuable addition to Windows 10’s capabilities, allowing Windows/Android users to communicate in new ways and more efficiently, to boot.  Kudos to Microsoft and Google for bridging the divide, and if you’re not a Windows Insider, stay tuned.  You’ll be able to experiment with the new functionality before you know it.

    Used with permission from Article Aggregator

  6. Are Hackers Using Popular Assistant Devices To Listen To Users?


    The utility of virtual assistants like Amazon’s Alexa and Google Home is undeniable.  They’re just genuinely handy devices to have around.

    Unfortunately, they’re also prone to abuse and exploits by hackers and unsavory developers. They can be used to spy on and even steal sensitive information from unsuspecting users.

    This is not new in and of itself.  Security researchers around the world have, at various points over the last couple of years, sounded the alarm about weaknesses and exploits.  To the credit of both companies, any time this has happened, both Amazon and Google have responded promptly, plugging gaps and shoring up the security of their devices.

    Unfortunately, every few months or so, new exploits are discovered.  The two companies are essentially playing Whack-A-Mole with security flaws, which appear to have no end.

    Recently, security experts published two videos, one for Alexa and one for Google Home. Each demonstrated a simple back-end exploit that anyone with a DevKit could employ.  The exploits revolve around inserting a question character (U+D801, dot, space) at various locations in the code. That introduces a long pause during which the assistant remains active and listening.

    To give you an idea of how this could be exploited, one of the example videos shows a horoscope app triggering an error, but the presence of the special character introduces a long pause during which the app is still active.

    During the long pause, the app asks the user for their Amazon/Google password while faking a convincing looking update message from Amazon or Google itself.  Given the long pause, few users associate the poisoned horoscope app with the password request.  It seems like it’s coming from the device itself.

    It’s both sneaky and troublesome, and worst of all, even once both companies move to address this issue, there will be others by this time next month if history is a guide.  We’re not saying not to use them, but when you do, be very mindful.

    Used with permission from Article Aggregator

  7. Backdoor Could Be Used On Microsoft SQL Without Detection


    If you haven’t heard of Skip-2.0 yet, prepare to be dismayed.

    Security researchers have recently discovered an undocumented (until now) backdoor designed for Microsoft SQL servers.

    It will allow a hacker working remotely to stealthily take control of a previously compromised system.

    Worse, this is not theory or conjecture.  Researchers have found malware strains in the wild that take advantage of the backdoor, allowing attackers to remotely connect to any account on the server running MSSQL version 11 or 12 by using a “magic password.”

    As bad as that sounds, it gets worse.  The Skip-2.0 malware contains code that disables the compromised machine’s logging functions, audit mechanisms and event publishing every time the “magic password” is used so that it leaves no trace, which is why it’s so difficult to detect.

    This gives the malware the freedom and flexibility to move seamlessly through the target system, where it can copy, change, or delete any content stored on it. That is, all while keeping the system’s owner or user blind and in the dark as to what’s happening. In their most recently published cybersecurity report, the security firm ESET attributed the Skip-2.0 backdoor to an organization known as the Winnti Group, which is a state-sponsored threat actor with Chinese backing.

    As evidence in support of this conclusion, the researchers involved with drafting the report point to numerous similarities between Skip-2.0 and other tools developed and used by the Winnti Group, including PortReuse and ShadowPad.

    In addition to that, Skip-2.0 utilizes an encrypted ‘VMProtected’ launcher, an ‘Inner-Loader’ injector and hooking framework and a custom packer to install its payload, which again, is identical to the structure of other Winnti Group tools.

    In basic terms, this is just another malware threat to emerge in the tech world. If there’s a silver lining in all of this, it is the fact that MSSQL 11 and 12 are not the most recent versions, so the fix is fairly simple.  Just upgrade to a version beyond 12 and you can avoid the risks associated with this new threat.

    Used with permission from Article Aggregator

  8. New Server Data Breach Reported at NordVPN


    NordVPN provides a popular Virtual Private Network (VPN) service used by clients around the world.

    Unfortunately, they recently disclosed that a server in one of their data centers was breached back in March of 2018.

    According to the details released, the server was located in a data center in Finland.

    It was compromised due to an insecure remote management system that was left in place by the data center provider. Worse, this was a system that NordVPN never even knew existed. The company said that they learned of the breach some months ago but withheld disclosing the details until they could be sure that their systems were secure.  In the meantime, though, they quietly terminated their contract with the provider in question and shredded the servers they had been renting from it.

    As the official statement released by the company explained:

    “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”

    Researchers also discovered that NordVPN had an expired private key left inadvertently exposed.  This would have allowed anyone who gained access to it to set up a server that imitated NordVPN.

    The company addressed this point as well, saying:

    “…the key couldn’t possibly have been used to decrypt the VPN traffic of any other server.  On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

    Assurances aside, the fact that it happened at all is troublesome.  In any case, according to the official statements released by the company and informed by their ongoing investigation, it doesn’t appear that any sensitive user data was exposed. So if you’re a NordVPN user, you can breathe a sigh of relief about that.  Stay tuned for additional updates from the company.

    Used with permission from Article Aggregator

  9. Malware Takes Down Services At Popular Billing Company


    Billtrust is a major player in the US financial services sector that provides a variety of billing and payment processing services for some of the biggest financial institutions in the nation. On October 17th, they suffered a malware attack that brought all of their services to a grinding halt.

    Unfortunately, the company did not notify any of their customers about the incident.

    Instead, one of their customers, Wittichen Supply Company, noticed issues with Billtrust’s services and posted information about the outage on their company’s website. That prompted Billtrust to reach out to them and provide additional information.

    Wittichen’s notice reads, in part, as follows:

    “We were notified late yesterday that BillTrust (our third party vendor for customer invoice and online bill payment) was the subject of a Malware attack. BillTrust is working with federal law enforcement and cyber security firms to investigate and remediate the attack.”

    BillTrust went on to assure Wittichen Supply Company that none of its customers’ data was compromised and that they were working around the clock to restore services. Wittichen’s announcement finally did prompt the company to provide some additional information, which it made available to its customers.

    On October 18th, Billtrust posted the following overview of their services and their operational status:

    • Billtrust Credit (former Credit2B) – up and operational
    • Billtrust eCommerce (Second Phase) – up and operational
    • Billtrust Virtual Card Capture – scheduled to be up and running on Saturday, October 19 with a plan to work through the weekend to begin catching up on back log.
    • Billtrust Cash Application – Over the next 12-24 hours, we intend to bring Cash Application customers live starting with processing of lockbox and open balance files.
    • Billtrust Billing & Payments – Billing and Payment websites will be turned on this evening followed by FTP connectivity. We expect card payment processing to resume this evening and ACH processing to resume on Monday, October 21 but will update you if anything changes.
    • Billtrust VueBill – Please contact your account representatives for specific details.

    It’s good information. It’s just a pity that the company didn’t see fit to start providing it until they were forced to do so by one of their own customers. In any case, if you use Billtrust, be aware. No further details about the attack have been forthcoming to this point.

    Used with permission from Article Aggregator

  10. Employees Targeted By Hackers Posing As HR Department


    Just when you think scammers couldn’t get any lower, they find new ways to prove you wrong. Recently, a new phishing scam has been spotted in the wild, this one baiting potential victims with the possibility of pay raises.

    The scammers structured their email so that they appeared to come from the Human Resources department of their victims’ companies.

    They asked the recipient of their phishing email to open an Excel spreadsheet bearing the name “salary-increase-sheet-November-2019.xls.” A shortcut to the remotely hosted spreadsheet was naturally provided.

    The body of the email explained that “The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.” Needless to say, this tends to catch most people’s attention. After all, who doesn’t want a raise, right?

    If a recipient clicked on the link, he or she would then be asked to provide Office 365 login credentials in order to see the file. Of course, the file contains dummy data and has nothing to do with getting a raise; it’s simply a useful hook to get an unwitting user to hand over their credentials.

    The scammers not only constructed a convincing looking email, but their fake Office 365 login screen looks exactly like the legitimate one. This goes far in explaining the campaign’s unusually high success rate.

    The researchers who have been following the issue urge Office 365 users to enable multi-factor authentication via Office 365 or a third-party solution. They also encourage business owners to enroll their staff in phishing awareness training programs designed to help employees spot and report phishing attempts more easily.

    Be on high alert for this one. So far it has proved to be a highly effective campaign.

    Used with permission from Article Aggregator


Coltarus Halo, LLC
710 Buffalo St. Suite 810 B
Corpus Christi, TX 78401
Phone: (361) 444-2564
Email: support@coltarus.com

© 2022 Coltarus Halo, LLC All Rights Reserved.