August 8, 2018

How Bitcoin and the Dark Web hide SamSam in plain sight

By Mark Stockley

For two and a half years someone has been terrorizing organisations by breaking into their networks and infecting their computers with devastating, file-encrypting malware known as SamSam.

The attacks are regular, but rarer and more sophisticated than typical ransomware attacks, and the perpetrators extort eye-watering, five-figure ransoms to undo the damage they create.

This year alone, victims have included healthcare provider Allscripts, Adams Memorial Hospital, the City of Atlanta, the Colorado Department of Transportation and the Mississippi Valley State University.

By extracting high ransoms from a small number of victims who are reluctant to share news of their misfortune, the SamSam attackers have remained elusive while amassing an estimated fortune in excess of $6 million. Details about the attacks, the victims, the methods used and the nature of the malware itself have been hard to come by.

And yet, for all the mystery, some important aspects of SamSam attacks take place in plain sight.

One of the ways the man, woman or group behind SamSam gains entry to their targets is via RDP (the Remote Desktop Protocol), a technology that companies put in place so their employees can connect remotely. It’s easy to discover companies that use RDP with search engines like Shodan, and weak passwords can be exposed with publicly-available underground tools like nlbrute.
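The RDP brute-forcing described above leaves a trail in the Windows Security log long before any files are encrypted: a burst of Event ID 4625 ("An account failed to log on") with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a 4624 success from the same address once a weak password falls. The following is an added example for this digest, not code from Sophos or from the article; it runs over a small constructed sample of exported events (the addresses and account names are made up), and the key=value line format is an assumption about how the events were exported.

```python
"""Detect RDP password-guessing in exported Windows Security events.

Added example, not the article's code. Assumes each event was exported
as one line: ISO timestamp followed by key=value fields. SAMPLE_EVENTS
is a constructed sample, not a real capture. 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2018-08-04T02:10:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-08-04T02:10:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-08-04T02:10:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2018-08-04T02:10:07 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2018-08-04T02:10:09 EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2018-08-04T02:10:11 EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2018-08-04T02:10:40 EventID=4624 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2018-08-04T09:00:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2018-08-04T09:00:30 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2018-08-04T09:05:00 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1
"""

RDP_LOGON_TYPE = "10"


def parse_event(line):
    """Split one exported line into a dict of fields plus a datetime."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["time"] = datetime.fromisoformat(ts)
    return event


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "compromised_accounts": [...]}}.

    An IP is flagged once it produces >= threshold RDP logon failures
    inside a sliding time window; any later RDP success from a flagged
    IP is recorded as a probable compromised account. Non-RDP logon
    types (console, network, service) are ignored.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    alerts = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip = ev["IpAddress"]
        if ev["EventID"] == "4625":
            q = recent[ip]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # expire old failures
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "compromised_accounts": []})
                entry["failures"] = max(entry["failures"], len(q))
        elif ev["EventID"] == "4624" and ip in alerts:
            alerts[ip]["compromised_accounts"].append(ev["TargetUserName"])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} RDP failures in window, "
              f"later successes: {info['compromised_accounts'] or 'none'}")
```

On the sample, 203.0.113.7 is flagged after its fifth failure and the later success for "scanner" is reported as a probable compromise, while the single failed attempt from 198.51.100.20 and the local console failure are ignored. The threshold and window are deliberately low for the sample; tune them to your environment, and treat a flagged address with a subsequent 4624 as an incident, not a curiosity.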

SamSam ransom notes direct victims to a Dark Web website where the victim can exchange messages with the hacker. The website and the conversation are discreet but they aren’t secret – anyone with the Tor Browser can visit the site and watch the conversation unfold.

The ransom note also instructs victims on how to purchase bitcoins, and how to use them to pay their attacker. Like all Bitcoin transactions, the ransom payments happen in plain sight and the inflows and outflows of cash can be easily observed.

Read more at https://nakedsecurity.sophos.com/2018/08/07/how-bitcoin-and-the-dark-web-hide-samsam-in-plain-sight/

iPhone chipmaker blames ransomware for factory shutdowns

By Lisa Vaas

After a weekend in which it had to shut down several factories making iPhone chips, Taiwan chipmaker TSMC is back up and running and pinning the blame on a network virus infection – specifically, one inflicted by a WannaCry ransomware variant.

On Sunday, the Taiwan Semiconductor Manufacturing Company put out a statement saying that it had recovered about 80% of its affected tools after the variant hit production facilities over the weekend.

According to Bloomberg, the chipmaker said on Monday that full operations had been restored.

TSMC traced the virus infection to a supplier having installed tainted software without having first scanned it. When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung.

Nehal Chokshi, an analyst with Maxim Group LLC, told Bloomberg that the incident won’t cause any major delays. It would have been much worse if the production line was affected between raw wafer and finished chips, but it wasn’t. So in this case, the only delay for Apple to get its chips will be the number of days the factories were gummed up: that’s about three days, Chokshi said.

Read more at https://nakedsecurity.sophos.com/2018/08/07/iphone-chipmaker-blames-ransomware-for-factory-shutdowns/

Mozilla faces resistance over DNS privacy test

By John E Dunn

Is Mozilla’s enthusiasm for Cloudflare’s DNS-over-HTTPS (DoH) service getting out of hand?

Cloudflare launched its 1.1.1.1 public DNS resolver on 1 April, one of the first anywhere to support DoH, an emerging technology designed to secure Domain Name System (DNS) queries from prying eyes such as governments, ISPs, and the like.

Because browsers as well as DNS resolvers must support the DoH protocol, Mozilla adopted Cloudflare as its test partner with a view to integrating the technology in Firefox 62, due in September.
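What "supporting the DoH protocol" means on the wire is small: the client builds an ordinary DNS query message, base64url-encodes it into a GET parameter (or posts it as an application/dns-message body) to the resolver's HTTPS endpoint, and gets an ordinary DNS response back over TLS. The following is an added example for this digest, not Mozilla's or Cloudflare's code. It runs offline: the request is built from scratch per RFC 8484, and the "response" is a constructed wire-format DNS message (answer 192.0.2.1 is a documentation address, not example.com's real record). The resolver URL shown is Cloudflare's documented endpoint.

```python
"""Build an RFC 8484 DNS-over-HTTPS GET request and parse a DoH answer.

Added example, not code from Mozilla, Cloudflare or the article.
Everything here is offline; SAMPLE_RESPONSE is constructed by hand.
"""
import base64
import struct


def build_dns_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035). The ID is 0, as RFC 8484
    recommends for GET requests so that identical queries cache well;
    flags 0x0100 set RD (recursion desired); qtype 1 = A record."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url, name, qtype=1):
    """GET form of RFC 8484: ?dns=<base64url of the query, no padding>."""
    query = build_dns_query(name, qtype)
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def decode_doh_param(param):
    """Server side of the GET form: restore padding and decode."""
    param += "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(param)


def _read_name(msg, offset):
    """Read a (possibly compressed) domain name; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_response(msg):
    """Return a list of (name, type, ttl, rdata) tuples from the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                 # skip question section
        _, offset = _read_name(msg, offset)
        offset += 4                                     # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, str(rtype), ttl, rdata.hex()))
    return answers


# Constructed stand-in for what a DoH resolver would return for example.com.
SAMPLE_RESPONSE = (
    b"\x00\x00"                                         # ID 0, matching the query
    + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)         # QR=1 RD RA; 1 question, 1 answer
    + build_dns_query("example.com")[12:]               # echoed question section
    + b"\xC0\x0C"                                       # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)                # A, IN, TTL 300, 4 bytes
    + bytes([192, 0, 2, 1])                             # documentation address
)

if __name__ == "__main__":
    print(doh_get_url("https://cloudflare-dns.com/dns-query", "example.com"))
    print(parse_dns_response(SAMPLE_RESPONSE))
```

The security point is the transport, not the encoding: to an on-path observer the request is just a TLS connection to the resolver, so the resolver operator is the one party who still sees every name you look up, which is exactly why the choice of default resolver below matters. In Firefox the behaviour is controlled by the about:config preferences network.trr.mode (0 leaves DoH off) and network.trr.uri (the resolver endpoint), which is where to look if you want to confirm or override what a build does by default.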

But supporting DoH in a browser isn’t as simple as just enabling the protocol. Mozilla must also decide whether this support is enabled by default and, if so, which DoH server, or “Trusted Recursive Resolver” (TRR) it points to when the browser launches.

It turns out that Firefox’s DoH Shield test beta has already embedded Cloudflare as the default TRR, which hasn’t gone down well with everyone on several counts:

  • It puts a lot of trust in a company that’s already plugged into a lot of websites.
  • Using one service is an obvious single point of failure (SPOF).
  • DoH resolvers should be opt-in, not opt-out.
  • It silently overrides your existing DNS settings.

From the Ungleich blog:

When Mozilla turns this on by default, the DNS changes you configured in your network won’t have any effect anymore. At least for browsing with Firefox…

The obvious reply is that Mozilla’s developers have set Cloudflare as the default TRR as part of the testing process and are unlikely to impose this setting on users when the capability is offered to the world in Firefox 62.

Read more at https://nakedsecurity.sophos.com/2018/08/07/mozilla-faces-resistance-over-dns-privacy-test/

Fortnite ditches Google Play – will it undermine Android security?

By Lisa Vaas

Well, Google, that’s what you get for having an open platform that makes it easy to install apps on Android phones: Epic Games has tucked its Fortnite game under its arm and leaped out of the Google Play walled garden, saying “Basta!” to that 30% “store tax” on all sales.

…and evidently not being able to do the same to Apple, with its identical 30% App Store cut, given that Apple, unlike Google, doesn’t allow iOS users to download apps that aren’t first approved by its internal review processes and distributed through its proprietary marketplace.

On Friday, Epic Games CEO Tim Sweeney confirmed the rumor about its Play Store exit to The Verge. Besides ditching the Play Store, Sweeney said that Epic would do the same thing for the iOS release of Fortnite, if it were possible. It’s not: Apple’s ecosystem is fully locked down, meaning Epic has no choice but to use the iTunes App Store, same as with the console platforms.

In an email, Sweeney said that Epic had two motivations: first, the game maker’s after a more direct relationship with customers. It doesn’t need Google Play for that, given that players can get Fortnite on PC through its own Epic Games Launcher. Similarly, Epic has chosen to bypass Steam – a video games distribution platform that offers digital rights management (DRM), matchmaking servers, video streaming, social networking services, game installation and automatic updating – and just use its own launcher and account system instead.

Read more at https://nakedsecurity.sophos.com/2018/08/07/fortnite-ditches-google-play-will-it-undermine-android-security/

Windows 10 updates under fire from unhappy security admins

By John E Dunn

Windows 10 is finally within spitting distance of being the most popular version of Microsoft’s OS, and yet at this moment of apparent triumph, some security professionals are not satisfied.

The evidence emerges in a survey of admins by the patchmanagement.org listserv, which uncovered a rich seam of unhappiness at the state of recent Windows updates, especially for Windows 10.

In her open letter to Microsoft, patchmanagement.org moderator and Microsoft Most Valuable Professional (MVP) Susan Bradley doesn’t sugar coat it:

The quality of updates released in the month of July, in particular, has placed customers in a quandary: install updates and face issues with applications, or don’t install updates and leave machines subject to attack.

Bradley points to glitches with July’s updates after which products failed, particularly in the aftermath of the Security and Quality Rollup updates for .NET Framework. As she notes:

In the month of July 2018 alone there are 47 knowledge base bulletins with known issues.

Forty-seven bulletins with issues sounds like a lot. Asked to rate how satisfied they were with the quality of Windows 10 updates, 64% of patchmanagement.org users said they were either ‘not satisfied’ or ‘very much not satisfied’.

The feature updates that have become a defining part of the Windows 10 strategy come in for particular flak, both in terms of their overall business benefit and unhelpful regularity.

In Bradley’s view, the fault lies with the Windows 10 Insider Program, the channel through which developers and enthusiasts test new versions to spot problems before software is let loose on everyone else.

Read more at https://nakedsecurity.sophos.com/2018/08/06/windows-10-updates-under-fire-from-unhappy-security-admins/

Man arrested for blackmailing women with porn fakes

By Danny Bradbury

Revenge porn using real images is a horrific abuse, and the most repeated advice is that you can only stop it by not creating revealing, digital images of yourself in the first place.

That advice is looking increasingly threadbare though, thanks to another kind of threat – faked images that use only your face to create embarrassing photos of you. This week, police arrested a man in India for blackmailing women with digitally manipulated images putting them in compromising positions.

On Tuesday, a resident of Gurugram, a city near Delhi, was arrested for blackmailing women through Facebook. At least one woman has accused the individual, identified in news stories only as “Vijay”, of trying to extort her using fake social media accounts and pictures.

Vijay, a helper at the Indira Gandhi International Airport who had recently lost his job, admitted to police that he created fake Facebook accounts in women’s names, and used them to send friend requests to random women. When some accepted, he would steal images from their accounts.

He would then approach them again using other Facebook accounts registered in men’s names, making lewd propositions. If they refused to interact with him, he would send them altered photographs (presumably of a sexual nature). If they continued to ignore him, he would post the photographs on Facebook to embarrass his victims.

Vijay had been blackmailing over 200 women, police said, adding that one account in his control had 353 ‘friends’ on it.

Read more at https://nakedsecurity.sophos.com/2018/08/06/man-arrested-for-blackmailing-women-with-porn-fakes/

‘Unhackable’ Bitfi hardware rooted within a week

By Lisa Vaas

Whaddya mean there’s no such thing as an unhackable device? John McAfee sputtered last week. I got a $100K bounty for anybody who can hack my spiffy, new, unbreakable breakthrough, the wowee-wow world’s first and only completely unhackable, most advanced digital thingie ever, cryptocurrency wallet!

Then, hardware maker Bitfi upped the ante with its own offer of a 250K bounty.

It allegedly took a week. Whether BS walked or pulled up a chair to discuss that $100K… or $250K… is debatable, though, as McAfee is happy to explain.

Press are indeed claiming that the Bitfi wallet has been hacked. It was released the week prior to the hack/not-a-hack with great fanfare and greeted with great guffaws, as well as by people who decided to give the breakage a go.

As CNet reported on Friday, a “self-described IT geek in the Netherlands” who goes by the Twitter handle @OverSoftNL tweeted on Wednesday that they’d gained root access to the crypto-wallet. @OverSoftNL went on to say they had help from @cybergibbons, also known as Andrew Tierney, a security consultant at Pen Test Partners, and from Graham Sutherland (@gsuberland)… all three of whom got royally peeved at what Sutherland called a “clueless and misleading attitude to security.”

The wallet comes from antivirus software pioneer, former Belize man-about-town/government spy/fugitive, current US fugitive McAfee, together with hardware crypto-wallet maker Bitfi. McAfee (the man, not the brand owned by Intel Security) and Bitfi had claimed that the thing had “absolute” security.

Read more at https://nakedsecurity.sophos.com/2018/08/06/unhackable-bitfi-hardware-rooted-within-a-week/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation