FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.
If you have been infected by the CryptoLocker ransomware and all your files have been encrypted without your consent, go to FireEye and Fox-IT’s decryptcryptolocker website post haste. These noble folks seem to have located the CryptoLocker servers that store the unique private keys (called “master decryption keys”) for infected systems and will allow you to decrypt your encrypted files . . . gratis!
I applaud FireEye and Fox-IT. I’m not sure how they were able to locate the CryptoLocker servers. (New randomly-named servers were created every day.) Also, it seems that CryptoLocker’s claim that the private keys would be destroyed after several days wasn’t true, since FireEye and Fox-IT appear to have found the keys intact on one or more CryptoLocker servers. In any case, FireEye and Fox-IT deserve a big round of applause.
On Friday, South Carolina’s Governor Nikki Haley announced that about 3.6 million taxpayers’ Social Security numbers and related taxpayer data were downloaded by an unknown outside hacker. The Governor reassured worried South Carolina residents that “the problem has been fixed”.
Unfortunately, that’s like locking the barn door after the horses have fled. For the 3.6 million SSN theft victims, it’s too late to fix it.
According to a Computerworld news article, “Another 387,000 credit and debit card numbers were also exposed in the September attack, the state Department of Revenue said in a statement Friday.”
It sounds like the Social Security numbers were stored in unencrypted form. (The I.T. department may have thought that the server and database systems’ authentication procedures provided sufficient security.) I’d guess that this could expose the state to liability for breach of fiduciary responsibility. South Carolina’s failure to encrypt these critical numbers is about as dumb as Yahoo’s recently exposed failure to encrypt users’ passwords.
Cracking of passwords has moved from an esoteric exercise for geeks to something that any kid can do.
Three developments in cracking passwords for fun and profit:
Hash Cat, a new open-source GPU-based cracking program has become available for free download at HashCat.net. It’s available in both Windows and Linux versions and can run 16 graphics processing units in parallel.
Do you recall last June’s theft of 6.5 million password / email pairs from LinkedIn? Those passwords weren’t in plaintext — they had been hashed by Linkedin using the (now discredited) SHA-1 hashing algorithm, so were presumably still pretty secure. Hash Cat was let loose on the purloined Linkedin hashed passwords by Jeremi Gosney. Using a homebrew PC with multiple GPUs, he was able to crack 20 percent of the 6.5 million hashed passwords within thirty seconds. He used a dictionary attack with a 500 million word dictionary. His machine makes 15.5 billion guesses per second. Two hours later, he had cracked an additional 33 percent of the passwords. After one day, he had cracked 64 percent of the passwords. After five days, he had cracked 88 percent of the passwords.
Jeremi benchmarked Hash Cat on his $12,000 machine containing eight AMD Radeon HD7970 GPU cards. He ran a brute force attack on an 8-character password, trying all 96 characters for each character, in twelve hours. Add one more character, and it will require 96 times as much time to crack, or 1,152 hours. Add another character (making a ten-character long password) and it will require 110,592 hours to crack by brute-force.
And the conclusion is?
Use completely random passwords whose characters are drawn from the a-z, A-Z, 0-9 and punctuation mark character set (which contains 96 characters).
Use passwords that are at least ten characters long.
The best way to create and manage strong passwords is with a password management program. I like Keepass.
Graphics Processor Unit: restricted instruction set single-chip processor that’s dedicated to graphics functions. GPUs may be used for other dedicated tasks, such as decryption.
This scam rewarded hard work with huge income, while it lasted.
I’m not smart enough to have dreamed up this scam: hi-jack millions of users’ clicks and redirect them to ads that pay the crooks for each click. Allegedly, over 14 million dollars of income was collected since 2007. Six of the 7 indicted people reside in Estonia, where they have been arrested by the Estonian police. The US Department of Justice (DOJ) is seeking their extradition for trial in US federal court on charges of wire fraud and computer intrusion. The seventh suspect has not yet been located.
Part of the scheme employed a piece of malware that’s named DNSChanger. These guys spent serious time fabricating this scam: they had to first set up 2 bogus DNS (Domain Name Service) servers in the U.S., create and propagate the malware, create affiliate relationships with advertisers, create bogus websites, arrange payment with advertisers, etc. Basing the bogus DNS servers in the U.S. would guarantee fast DNS lookups for hijacked American victims.
Last year I wrote about one instance (of many that I see) of DNS hijacking (Malware hi-jack of DNS address). A computer whose DNS record points to a malicious DNS server is “owned” by the bad guy who installed the redirection. My first thought was that the bad guy could harvest on-line banking login credentials. These Estonians fabricated a much more elaborate scheme, which was probably harder to detect than the scam that I’d imagined.
Is your anthem the 1984 pop single “I always feel like somebody’s watching me“? You may be right. Dmitri Alperovitch, in his recent article Revealed: Operation Shady RAT states, “. . . I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly).“
He should know. Mr. Alperovitch and McAfee have been studying what they call “Operation Shady RAT”. (RAT is an abbreviation for remote access tool.) Its depth, breadth, and audacity are impressive. They coyly call the perpetrator “a state actor”, but it’s an open secret that China uses the Internet to aggressively spy on governments, defense contractors, and even seemingly benign targets.
Most commercial organizations — especially banks — are reluctant to publicize any security breaches, so it’s unlikely that we’ll ever know just what’s been compromised, damaged, or stolen by Operation Shady RAT.
If you think that this isn’t really happening, just check the unfiltered log files of an Internet-facing router / firewall that protects any organization. It’s amazing to see how many port scan attempts hammer these routers 24 hours a day. And a fair number (maybe 50 percent) originate from IP addresses within China. Not convinced? Log into your own router as its admin and check activity on its WAN port: you’ll see many uninvited guests knocking on its door all day long. Most are just random testing of defenses, roughly the same as a burglar who walks down the street, knocking on doors to find a weak target to break into.
(My apologies to UB40 for my allusion to their reggae hit, Rat in Mi Kitchen. Great tune.)
ATMs spew cash on command from attacker at Black Hat conference demonstration
Barnaby Jack, director of security research at IOActive Labs, demonstrated last week at the annual Black Hat conference just how vulnerable ATMs are. He demonstrated on two ATMS, both using the Microsoft Windows CE operating system. This disappoints me: I don’t use Windows computers to do on-line banking because I don’t trust their security. (To be safer, you should download a bootable Linux CD and boot from it when you wish to bank on-line. Reboot Windows when you’re done banking.)
Mr. Jack demonstrated two attacks on standalone or “hole in the wall” ATMs: one remote and one local. (He’s unsure if these attacks work on bank ATMs.) The remote attack required that the attacker know the phone number of the ATM’s dial-up modem. Many ATMs use a dial-up modem to communicate with their banks. (A simple war-dialing program would get you started on this attack.) Some ATMs have IP addresses: if they reside behind NAT (Network Address Translation) routers and firewalls this would help protect them. Then he showed that he could bypass the ATM’s authentication program to gain control of the ATM.
The local attack began by entering a supervisory sequence of keystrokes through the ATM keypad, which brought up an administrator menu that allowed him to eject banknotes from the ATM. Some ATMs allow a specially coded card to gain supervisory access.
One principle of system security is that the owner restrict physical access to the system. The ATM would be more secure from local attack if it required that service personnel first open a locked panel before punching in a security code to gain supervisory control. This raises another principle: there will always be a security versus convenience compromise.
ATMs are immobile shared devices; the bad guys have moved to individual users’ mobile devices. Smartphones are a new playground for criminals: during one Black Hat presentation, a wallpaper application for the Android smartphone installed its spiffy self and promptly uploaded its user’s personal data to a site in China. Maybe the fact that Apple insists that it certify every iPhone app makes sense, after all.
Just what we needed: ANOTHER form of malware! This one has been called the porn virus.
A new trojan horse has appeared, from Japan. It masquerades as a game installation program, then grabs the target computer’s web browsing history, publishes it on its own website, and demands a payment to remove the browser history from that website. The BBC has done a good job of describing this example of ransomware, as well as ransomware associated with Koobface and Zeus (both are very bad news.): http://news.bbc.co.uk/2/hi/8622665.stm.
Today’s bad guys on the web jeopardize on-line shopping, bank accounts . . . even national security.
A good estimate of the cost of cyber-crime is over 1 trillion dollars a year.
Has your computer ever been infected by a virus and slowed to a crawl? Maybe it had become a member of a botnet and was busily sending spam or participating in a denial of service attack on a website, under the control of someone on the other side of the globe.
Think twice before sending money to a stranded friend. You might be the target of an email scam.
I found the message below in my mailbox. I hadn’t heard from this person in over a year and barely knew him. I phoned him to advise him that his gmail mailbox had been compromised. One tip-off that this plea is bogus: the email@example.com is not the same as firstname.lastname@example.org.
Subject: get back to me ASAP pls
I really don’t mean to inconvenience you right now but I
made a quick trip to the UK and I lost a bag which contains my passport and credit cards. I know this may sound odd, but it all happened very fast. I’ve been to the US embassy and they’re willing to help me fly without my passport but I just have to pay for my ticket and settle some bills. Right now I’m out of cash plus i can’t access my bank without my credit card over here. I have contacted them but they need more verification. I’m just gonna have to plead with you to lend me some funds right now? I’ll pay back as soon as I get home. I need to get on the next available flight home. Please reply as soon as you get this message so I can forward the details as to where to send the funds. You can reach me via the hotel’s desk phone if you can, the numbers are, 011447024065511 or 011447024064567 You can also email me via my yahoomail, as I can easily access it here f——email@example.com
I await your response…