COVID-19 Related Cyber Attacks

Wednesday, March 25th, 2020 | Mark Bedford

While it is unfortunate and tasteless in the light of COVID-19’s impact on the world, criminals are using the pandemic as an opportunity to exploit people’s goodwill and their need for information or help.

Our wider cyber security community is reporting campaigns using the following propagation methods, often attempting to gain the trust of victims by using branding associated with the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO), as well as country-specific health agencies such as the Public Health Centre of the Ministry of Health of Ukraine and China’s Ministry of Health, and companies such as FedEx. Examples include:

Emails

There is a range of emails using COVID-19 to grab people’s interest. Examples include:

  • working from home statements purporting to come from supervisors/managers (e.g. the Director of Milan University)
  • requests for donations to a fake WHO COVID-19 response fund
  • recommendations on how to avoid infection
  • blackmail demanding a ransom or a family member will be infected
  • statements from health authorities (WHO, CDC, MoH, etc.)

These often include attachments carrying malware, or links that take you to a website or file download or ask you to log in.

Phone

Receiving phone calls

  • impersonating an authority to carry out a variety of scams, from gaining access to your account to phony donation requests and spreading malware
  • pretending to be a hospital looking for payment for treatment of a friend or relative
  • scams similar to the previously seen “Microsoft” calling to clean a virus off your computer

Receiving text messages

  • text messages containing a link that claims to direct people to testing facilities. The link is not legitimate and may instead install malicious software on your device designed to steal your personal information, such as banking details

Web Sites

Criminals are cloning or crafting websites to facilitate their scams:

  • Fake anti-virus website promising coronavirus protection is actually delivering malware
  • fake shops, websites, social media accounts, and email addresses claiming to sell medical supplies currently in high demand, such as surgical masks.
  • clone of the (legitimate) Johns Hopkins University coronavirus map used to spread malware.
  • offering to sell or provide fake cures, vaccines, and advice on unproven treatments for COVID-19

Please be careful about which websites you visit. Our advice is to only use trusted and verified information sources such as government and research institutions’ websites, ideally by going directly to them rather than clicking links in unsolicited emails.

Social Media Sites

  • be cautious of donation requests on legitimate fundraising sites like GoFundMe, as criminals commonly use such sites to solicit donations
  • watch for fake investment schemes promoted via social media, where a stock is pushed on the claim that the company has a product or service able to prevent or treat COVID-19
  • the obvious fake or ‘troll’ accounts seeking social attention by offering potentially dangerous advice
  • offers to sell or provide fake cures, vaccines, and advice on unproven treatments for COVID-19

Malware and Mobile Apps

Criminals are borrowing branding from authoritative sources, or creating apps that claim to provide coronavirus information, to get people to install apps that include malware or spyware on mobile devices.

  • Coronavirus tracking apps like ‘corona live 1.1’ include spyware that gives the attacker remote control over your device and the data it has access to.
  • COVID19 Tracker: another tracking app that includes ransomware, encrypting the user’s device and demanding bitcoin.

Think carefully about whether you really need an app, especially when you have no way of knowing whether it will actually provide accurate information. Download apps only from the official app store for your phone, and always check that the permissions an app requests on your device make sense for what it claims to do.

Summary

Expect to see a wide range of COVID-19 related phishing emails, text messages, dodgy apps and fake websites. These scams will likely play on our interest in the spread of COVID-19 by informing you of infections in your local area, offering vaccines and treatments, and exploiting supply shortages that have become critical.

If you are unsure about a website, do not proceed with any login. If the information is general enough to be found through an online search, do that instead of clicking the link from a suspicious sender.

If there is any doubt about a received item, contact AskOtago as normal.

Firefox and Safari Leading in Website Security

Thursday, March 12th, 2020 | Mark Bedford

Firefox

With TLS 1.0 and TLS 1.1 considered vulnerable to various attacks, including BEAST, CRIME and POODLE, Mozilla last month announced plans to disable them in Firefox and allow only connections made using TLS 1.2 and TLS 1.3.

The move should have no impact on websites that support TLS 1.2 and up, but will result in an error message being displayed when the newer protocol versions are not supported. An override button on the error page gives users the option to fall back to TLS 1.0 or TLS 1.1.

The deprecation of older TLS versions was initially announced a couple of years ago, but some website administrators have yet to upgrade. The change introduced in Firefox 74 is expected to encourage them to improve the security of their sites and users.

Safari

Apple has announced at the CA/Browser Forum that Safari will not trust website (TLS server) certificates issued on or after September 1, 2020 that are valid for more than 398 days. This applies to all iOS and macOS devices. It is aimed at improving website security by making sure site operators are using certificates with up-to-date cryptographic standards.

Clearly the improved security has some drawbacks: more frequent certificate deployment increases the workload for IT staff. The suggestion is that organisations need to look to automation to manage certificates and compliance.
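A quick way to see whether a certificate you are about to deploy (or one a server already presents) would fall foul of the 398-day rule, as an added example that is not part of the original post. It reads the notBefore/notAfter fields in the format Python’s ssl module returns from getpeercert(); the policy start date and the 398-day limit are taken from Apple’s announcement, which measures from the certificate’s notBefore as the issue date. The three sample certificate dictionaries are constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Apple's policy: TLS server certificates issued on or after 2020-09-01 00:00 UTC
# with a validity period longer than 398 days are not trusted by Safari/iOS/macOS.
MAX_VALIDITY_DAYS = 398
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc).timestamp()


def validity_days(cert):
    """Validity period in days of a certificate dict as returned by
    ssl.SSLSocket.getpeercert(); notBefore/notAfter look like 'Oct  1 00:00:00 2020 GMT'."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / 86400


def safari_accepts(cert):
    """Return (accepted, reason) under the 398-day rule. Apple treats notBefore
    as the issue date, so a long-lived certificate issued before the cut-over
    keeps working until it expires."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    days = validity_days(cert)
    if not_before < POLICY_START:
        return True, f"issued before 2020-09-01; {days:.0f}-day validity is not subject to the rule"
    if days > MAX_VALIDITY_DAYS:
        return False, f"validity {days:.0f} days exceeds {MAX_VALIDITY_DAYS}"
    return True, f"validity {days:.0f} days is within {MAX_VALIDITY_DAYS}"


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents (needs network access;
    not used by the constructed samples below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificate dicts holding only the fields this check uses.
TWO_YEAR_CERT = {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Oct  1 00:00:00 2022 GMT"}
COMPLIANT_CERT = {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Nov  3 00:00:00 2021 GMT"}
PRE_POLICY_CERT = {"notBefore": "Aug  1 00:00:00 2020 GMT", "notAfter": "Aug  1 00:00:00 2022 GMT"}

if __name__ == "__main__":
    for name, cert in [("two-year", TWO_YEAR_CERT), ("compliant", COMPLIANT_CERT),
                       ("pre-policy", PRE_POLICY_CERT)]:
        print(name, safari_accepts(cert))
```

Running it shows the two-year certificate rejected, the 398-day one accepted, and the two-year certificate issued in August 2020 still accepted because it predates the cut-over. Point fetch_peer_cert() at your own hosts to audit what they currently serve.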

Master password bug in Firefox

Friday, August 16th, 2019 | Mark Bedford

The Mozilla Foundation has advised of a bug (Bug 1565780) in the handling of stored passwords.

August 14, 2019; CVE-2019-11733: Stored passwords in ‘Saved Logins’ can be copied without master password entry

When a master password is set, it is required to be entered before stored passwords can be accessed in the ‘Saved Logins’ dialog. It was found that locally stored passwords can be copied to the clipboard through the ‘copy password’ context menu item without first entering the master password, allowing for potential theft of stored passwords.

Passwords

Wednesday, May 8th, 2019 | feiri87p

We’ll be issuing some guidance around usernames, passwords and how to manage them soon. The XKCD comic below is indicative of the direction.

Password Strength


Man in the Inbox

Thursday, July 19th, 2018 | Mark Bedford

When criminals compromise an email account, they often use that access to undertake a “Man in the Inbox” attack. Such attacks are highly successful because antispam systems are not tuned to look for attacks coming from inside a legitimate, established account and are therefore less likely to catch them.

The attackers purport to be the owner of the account and use the trust relationships that have already been established to better their own bank balance. They do this in fairly obvious ways, such as sending change-of-bank-account notices to all of the victim’s customers, so that the victim’s clients make their remittance payments to a money mule’s bank account, from which the money is transferred on to the criminals’ account.

In any commercial relationship, the previously agreed terms and conditions about payments should include a statement about how a change of bank account will be confirmed. If your business involves sending or receiving invoices and making the associated financial transactions, then your bank account details should also be published on your website, as this provides an alternative means of confirming them.

The law is somewhat grey on who is liable if you are the victim of such a scam. It should be reported to law enforcement, your bank and your insurance company. You should also take steps to preserve any forensic evidence (buy a new computer rather than wiping the old one, and keep the old one powered off) as this may be useful in attribution.

To defend against these you need to be vigilant and not get hooked by phishing emails. If a message’s date/time stamp is outside what you would expect, the bank account looks odd, the request seems out of sequence (like an invoice that updates a previous one), or there is a minor difference in the email address such as “accounts” rather than “account”, then phone them on a number you already hold to confirm the change. Do not confirm by replying to the email: the criminals have allayed suspicions by answering sceptical replies with assurances that the change is legitimate.
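The checks in the paragraph above can be run by a script before an invoice reaches an accounts clerk. The following is an added example and not code from the original post; the known-sender list, the bank account on file, the NZ-style account number pattern, the business-hours window and the two sample messages are all constructed for the example, and an organisation would substitute its own contact and bank records.

```python
import re
from difflib import SequenceMatcher
from email.utils import parsedate_to_datetime

# Constructed reference data: suppliers we already deal with and the bank account
# each has on file (sourced from signed contracts or their website, not from email).
KNOWN_SENDERS = {
    "accounts@example-supplier.co.nz": "Example Supplier Ltd",
}
BANK_ACCOUNTS_ON_FILE = {
    "Example Supplier Ltd": "12-3456-0123456-00",
}

# NZ-style account numbers (bank-branch-account-suffix); adjust for your region.
ACCOUNT_RE = re.compile(r"\b\d{2}-\d{4}-\d{7}-\d{2,3}\b")
# "new bank details", "updated remittance account", "changed bank" and similar.
BANK_CHANGE_RE = re.compile(
    r"\b(new|updated?|changed?)\b[^.\n]{0,40}\b(bank|banking|account|remittance)\b", re.I)
BUSINESS_HOURS = range(7, 19)  # assumed working hours of the supplier, in its own timezone


def lookalike_of(sender, known=KNOWN_SENDERS, threshold=0.85):
    """Return the known address this sender closely resembles but does not equal
    (account@ vs accounts@, a swapped or dropped character in the domain), else None."""
    sender = sender.lower()
    if sender in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, sender, k).ratio())
    return best if SequenceMatcher(None, sender, best).ratio() >= threshold else None


def assess_message(msg):
    """Return a list of warnings for a message dict with keys 'from', 'date',
    'subject' and 'body'. An empty list means nothing looked off."""
    warnings = []
    sender = msg["from"].lower()
    target = lookalike_of(sender)
    if target:
        warnings.append(f"sender {sender} is a lookalike of known contact {target}")
    supplier = KNOWN_SENDERS.get(sender) or KNOWN_SENDERS.get(target)

    text = msg["subject"] + "\n" + msg["body"]
    if BANK_CHANGE_RE.search(text):
        warnings.append("message asks for a change of bank/remittance details")
    for acct in ACCOUNT_RE.findall(text):
        if supplier and acct != BANK_ACCOUNTS_ON_FILE.get(supplier):
            warnings.append(f"account {acct} differs from the account on file for {supplier}")

    sent = parsedate_to_datetime(msg["date"])
    if sent.weekday() >= 5 or sent.hour not in BUSINESS_HOURS:
        warnings.append(f"sent outside business hours ({sent.isoformat()})")
    return warnings


# Constructed sample messages: a routine invoice and a bank-change fraud attempt.
LEGIT_INVOICE = {
    "from": "accounts@example-supplier.co.nz",
    "date": "Tue, 17 Jul 2018 10:02:00 +1200",
    "subject": "Invoice 4471",
    "body": "Please find attached invoice 4471. Payment to 12-3456-0123456-00 as usual.",
}
BANK_CHANGE_FRAUD = {
    "from": "account@example-supplier.co.nz",  # 'account', not 'accounts'
    "date": "Sat, 14 Jul 2018 02:13:00 +1200",
    "subject": "RE: Invoice 4471 - updated bank details",
    "body": "We have changed bank. Please remit all future payments to 12-3456-9999999-00.",
}

if __name__ == "__main__":
    for m in (LEGIT_INVOICE, BANK_CHANGE_FRAUD):
        print(m["from"], assess_message(m) or ["no warnings"])
```

The fraud sample trips all four checks (lookalike sender, change-of-details wording, an account number that does not match the one on file, and a 2 am Saturday timestamp); the routine invoice trips none. Any warning should route the message to a phone call on a known number, never to a reply.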

For further information see Cofense article

Everyday cyber crime

Thursday, November 2nd, 2017 | Mark Bedford

I recently discovered a very good TED presentation by James Lyne, it is definitely a goodie. In his presentation, “Everyday cybercrime – and what you can do about it” https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it he provides an excellent introduction to internet security. His entertaining style fits well with the content and the 17 minute presentation covers key material. This should be on everyone’s play list as he debunks common myths about cybercrime. A Sophos page with some helpful follow-up tips can be found over at https://sophos.com/wifi, with an emphasis on WiFi services.

Increase in Office Documents Using DDE to Distribute Malware

Thursday, October 26th, 2017 | Mark Bedford

I note from our monitoring that we have seen an uptick in tainted Office attachments or inline RTF documents that use DDE to launch malware or a downloader. The edge email gateway is now detecting the current batch of these as “Troj/DocDl-xxx” and Sophos endpoint is detecting these as “Troj/DocXX-xxx”.

Most people are “macro” savvy, but DDE (which has been around for a long time) is a newer method of propagating malware.

So if you receive an Office attachment via email and, when you view or open it, you get a warning such as:

Clicking No will prevent the DDE attack from launching.

If you click “Yes” at the first dialog, you will get another dialog warning that a command is about to be started, similar to:

The “No” option is the way to prevent the attack.

If you do receive documents that contain these, you should validate the sender’s email address and use an alternative method (not email) of contacting the sender to confirm their intent in sending the DDE documents.
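For anyone who wants to triage attachments before they are opened, a DDE field is easy to spot in the file itself: Word keeps field codes in w:instrText runs (or a w:fldSimple attribute) inside the XML parts of a .docx, and RTF keeps them in \fldinst groups. The scanner below is an added example, not the gateway or endpoint detection mentioned above; it builds its own minimal .docx and .rtf fixtures in memory (constructed, with a harmless echo command standing in for a payload) and joins split instrText runs so that a field code broken into “DD” + “EAUTO” across runs is still caught. It does not handle the QUOTE-field obfuscation seen in later campaigns, so treat a clean result as a hint, not a verdict.

```python
import html
import io
import re
import zipfile

INSTR_TEXT_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
RTF_FLDINST_RE = re.compile(r"\\fldinst\s*\{?\s*([^{}]*)")
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.I)


def docx_field_codes(data):
    """Field instruction strings from every XML part under word/ in a .docx
    (body, headers, footers and footnotes can all carry fields)."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            # A complex field may be split over many instrText runs, so join them per part.
            joined = "".join(INSTR_TEXT_RE.findall(xml))
            if joined:
                codes.append(html.unescape(joined))
            codes += [html.unescape(c) for c in FLD_SIMPLE_RE.findall(xml)]
    return codes


def rtf_field_codes(data):
    text = data.decode("latin-1", "replace")
    return [c.strip() for c in RTF_FLDINST_RE.findall(text)]


def dde_fields(data):
    """Field codes that invoke DDE or DDEAUTO in a .docx or .rtf given as bytes."""
    if data.startswith(b"PK"):
        codes = docx_field_codes(data)
    elif data.startswith(b"{\\rtf"):
        codes = rtf_field_codes(data)
    else:
        raise ValueError("not a .docx or .rtf")
    return [c for c in codes if DDE_RE.search(c)]


def build_docx(field_runs):
    """Construct a minimal .docx whose body holds one complex field made of the
    given instrText runs (a test fixture, not a full Word document)."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{html.escape(r, quote=True)}</w:instrText></w:r>'
        for r in field_runs)
    body = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            + runs +
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", body)
    return buf.getvalue()


# Constructed samples: a harmless PAGE field, a DDEAUTO field split across runs,
# and an RTF document carrying the same kind of field.
BENIGN_DOCX = build_docx([" PAGE "])
DDE_DOCX = build_docx([" DD", "EAUTO c:\\windows\\system32\\cmd.exe ", '"/c echo harmless" '])
DDE_RTF = (b"{\\rtf1\\ansi{\\field{\\*\\fldinst { DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe "
           b"\"/c echo harmless\" }}{\\fldrslt }}}")

if __name__ == "__main__":
    for label, doc in [("benign.docx", BENIGN_DOCX), ("dde.docx", DDE_DOCX), ("dde.rtf", DDE_RTF)]:
        print(label, dde_fields(doc))
```

Pass the raw bytes of a real attachment to dde_fields() to get the offending field codes back; an empty list for a .docx that still prompts about linked files is worth a manual look.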

Sophos Security Facebook video (no authentication required to view) https://www.facebook.com/SophosSecurity/videos/10155119823700017/

Naked Security article on the DDE attack https://nakedsecurity.sophos.com/2017/10/22/office-dde-attack-works-in-outlook-too-heres-what-to-do/

Also this Microsoft article on how to view all email messages as plain text https://support.microsoft.com/en-ca/help/831607/how-to-view-all-e-mail-messages-in-plain-text-format


KRACK WiFi Vulnerability

Tuesday, October 17th, 2017 | Mark Bedford

You may have heard about a recent WiFi security problem nicknamed KRACK which was uncovered by a group of researchers in early 2017. They discovered a problem with the way WiFi devices negotiate their encrypted connections, and this leads to some serious issues, so you should be worried but don’t panic. Your wireless password is safe as it is not disclosed (as long as it is not used elsewhere).

The issues are present in ALL devices that use the WiFi WPA/WPA2 protocol, including Android, Apple iOS, OS X, Windows, Linux and IoT devices. Because the vulnerability can only be exploited by an attacker within your WiFi coverage area, you won’t be attacked by a bad actor on the other side of the world at 3:00 am, but you might be by your local neighbourhood hacker.

Patched or unpatched, if you use HTTPS or SSH (or anything with SSL/TLS encryption), whatever you send is secure and cannot be read or intercepted in the clear (as far as this vulnerability goes). An attacker will see that there is traffic but not the contents of the traffic. If you use a VPN (and NOT Hola or its ilk) then traffic traversing the VPN is also secure. So there may be some privacy issues here but not confidentiality issues. In many ways this is no different from using an open WiFi network at an airport or hotel: assume that your traffic is being watched, and protect sensitive information with encryption. Note for Otago VPN users: only the traffic to/from Otago is secure; other traffic may not be.

There is only one remediation at present: patch your device with the security update for this specific vulnerability when it becomes available. Vendors are currently working on patches, or have already released them. This includes lots of devices that are still working after many years of active service (the vulnerable protocol behaviour is some 10 years old). Many older devices will never receive security updates, so if you continue to use these devices you should assume that all of your traffic is being spied on and potentially altered. Time to dispose of them responsibly and upgrade to a newer supported device.

For those wanting a more technical discussion, here is a Information Security blog article https://blogs.otago.ac.nz/infosec/2017/10/17/wpa2-krack-technical-notes/


Is my home Wifi network ok?

Tuesday, October 17th, 2017 | Mark Borrie

What is KRACK?

You may have heard about the latest security problem with wifi networks and be wondering what this is all about.

Yes, this is a serious problem, and YES your home network is vulnerable. Every network is currently vulnerable to this new issue. More importantly, your computers, laptops, phones and other devices are also vulnerable.

What impact is there?

Potentially this impacts an extensive range of devices including Apple, Android, OpenBSD, Linux and Microsoft systems, computers, smart phones, access points, IoT devices etc. The attack cannot be executed remotely; the attacker must be within range of your wireless network, i.e. physically near your WiFi.

So what can happen? An attacker can insert themselves into your network conversations and listen to what is going back and forth. They could also potentially start changing things. If you are communicating over an encrypted link such as HTTPS then an attacker cannot see your information. This means that your passwords will continue to stay secure.

At this time, there is no evidence that an attack tool exists in the wild, but they will come sooner rather than later. Until then the attack will only be possible for a skilled attacker; however, once easy-to-use tools are available the skill factor is no longer a barrier. Expect to see your neighbourhood hackers attacking your old iPhone or Android device.

What to do about it?

With this in mind you should patch all of your devices soon.

If you have an older device then the manufacturer may not release patches for this issue. This is a problem and you will need to consider upgrading your device to one that is supported.

If you need to ensure the privacy of your network usage then use a VPN to encrypt all your traffic. A VPN encrypts all network traffic between two network endpoints. The University has a VPN service that allows staff to connect to the internal University network from most places on the Internet. For other traffic you will need to find a suitable VPN service for yourself.

The Bleeping Computer site is keeping an up to date list of patched devices at https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

Summary

KRACK is an issue for all wireless networks. You should apply the security patches as soon as they become available.

Older devices may not receive security updates and are now at risk of becoming a gateway into your network and privacy. As such, sensible disposal is the preferred approach.

For devices where no patch is available you should assume that all traffic from that device can be spied on and potentially altered. Using a VPN helps mitigate this.

WPA2 “KRACK” – Technical notes

Tuesday, October 17th, 2017 | Jim Cheetham

KRACK (Key Reinstallation Attacks) is an effective attack on the WPA2 802.11i protocol used for protecting WiFi networks, published on October 16, 2017.

Because it is an attack on the protocol itself, every piece of equipment that can communicate over WiFi is affected. The attack must be carried out by a device that is in range of the network; i.e. this is a local attack, not a remote one.

TL;DR

Be WORRIED, but there is no need to PANIC. If there is a PATCH for your device, apply it as soon as possible. Otherwise, worry until there is.

KRACK tricks your wireless devices into reinstalling an encryption key that is already in use, which resets the per-packet nonce and replay counters to a known state; after that the attacker can read what the device sends and can inject their own data into the network (i.e. a Man-in-the-Middle attack). This effectively turns your “private, secure” WPA2 network into a “public, insecure” one.

If you are safe operating your device on a public insecure network (e.g. airport or coffee-shop WiFi), then you will be equally safe operating it on a compromised WPA2 network.

KRACK does NOT steal your WiFi passwords or credentials.

The only effective fix for KRACK is on your client devices. PCs and laptops are likely to be patched quickly, mobile phones much more slowly if at all, and IoT devices are at serious risk.
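The three KRACK posts above all turn on one fact: reinstalling a key rewinds the packet number, so the same key-and-nonce keystream encrypts two different packets, and XORing the two ciphertexts cancels the keystream. The simulation below is an added example, not code from the original posts or from the researchers; it stands in HMAC-SHA256 counter mode for CCMP’s AES-CTR (the nonce-reuse property is identical and it needs no third-party library), models a client that resets its nonce on key install, replays the key install the way KRACK replays handshake message 3, and shows the attacker recovering a secret packet from a known one. A PatchedStation applies the fix vendors shipped, refusing to reinstall the key already in use, so the nonce keeps advancing and the recovery fails. The two plaintexts and the 16-byte key are constructed for the example.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Counter-mode keystream keyed by (key, nonce). Real CCMP uses AES-CTR with
    the 48-bit packet number as the nonce; HMAC-SHA256 stands in here (assumption
    for the example). Same key + same nonce => same keystream, which is all that matters."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce.to_bytes(6, "big") + counter.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """A WiFi client holding a pairwise key (PTK) and a per-packet nonce."""

    def __init__(self, ptk):
        self.ptk = None
        self.nonce = 0
        self.install_key(ptk)

    def install_key(self, ptk):
        # 802.11 resets the packet number to 0 when a key is installed. KRACK
        # replays message 3 of the 4-way handshake so this runs a second time
        # for a key that is already in use.
        self.ptk = ptk
        self.nonce = 0

    def send(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))


class PatchedStation(Station):
    """The fix vendors shipped: ignore a reinstall of the key already in use."""

    def install_key(self, ptk):
        if ptk == self.ptk:
            return  # keep the current nonce; never rewind it
        super().install_key(ptk)


def recover_via_nonce_reuse(c1, c2, known_p1):
    """Attacker side: c1 ^ c2 == p1 ^ p2 when both used the same keystream, so a
    known p1 (a DHCP or DNS packet, say) reveals p2 up to p1's length."""
    return xor(xor(c1, c2), known_p1)


def krack_scenario(station_cls, ptk=None):
    """Returns (nonce of packet 1, nonce of packet 2, attacker's recovery, real p2)."""
    ptk = ptk or os.urandom(16)
    sta = station_cls(ptk)
    p1 = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed, attacker-known
    p2 = b"password=hunter2&user=alice"                 # constructed, the secret
    n1, c1 = sta.send(p1)
    sta.install_key(ptk)  # attacker replays handshake message 3
    n2, c2 = sta.send(p2)
    return n1, n2, recover_via_nonce_reuse(c1, c2, p1), p2


if __name__ == "__main__":
    for cls in (Station, PatchedStation):
        n1, n2, got, real = krack_scenario(cls)
        print(cls.__name__, "nonces", (n1, n2), "recovered" if got == real else "not recovered")
```

The unpatched station encrypts both packets under nonce 1 and the secret falls out in full; the patched one advances to nonce 2 and the XOR yields noise. This is also why TLS or SSH inside the WiFi session still holds: the attacker gets the TLS record bytes, not what is inside them.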

KRACK References

  • KRACK website, https://www.krackattacks.com/
  • Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, https://papers.mathyvanhoef.com/ccs2017.pdf
  • CERT CVEs, http://www.kb.cert.org/vuls/id/228519
    • CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
    • CVE-2017-13078: reinstallation of the group key in the Four-way handshake
    • CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
    • CVE-2017-13080: reinstallation of the group key in the Group Key handshake
    • CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
    • CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it
    • CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
    • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
    • CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
    • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

Timeline

In early 2017 the researchers were finishing off another security publication when they realised that part of the OpenBSD network code for WiFi that they were discussing had a potential problem. By July 2017 a wide range of systems had been confirmed with this problem, and the CERT/CC co-ordinated a wider notification to OS and device vendors in late August. The public announcement was made on 16 October 2017.

Many vendors have made announcements and released patches already, more will be coming soon. OpenBSD patched early due to their relationship to the original discovery, some other vendors seem to have issued patches already but many important ones are yet to patch.

Patches

At the moment I’m getting my information from the CERT/CC and the Bleeping Computer website, but I’ll verify from original sources as soon as I can. https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

No Patches

If you have a device using WiFi, and there are no patches for it, you should assume that all traffic from that device can be spied on and potentially altered. If you are encrypting your communications with TLS/SSL or something equivalent like OpenSSH, then all you are at risk from is a lack of privacy. However, you might need to consider implementing a VPN if you rely on plaintext or easily spoofed protocols.

Further Questions

If you have any further questions, please get in touch with the Information Security Office through the usual channels.


Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.