Security Protection – Harry Waldron MVP

Ransomware – VIRLOCK polymorphic worm has file infection capabilities

Trend Labs documents a new ransomware family that is designed to spread as both a file infector and a worm once it lands on a computer.  As documented, it can spread rapidly in a network setting.  Code stubs for routines that are not yet fully implemented are present, and it is believed that future variants will be even more advanced in their capabilities.

Ransomware has become one of the biggest problems for end users as of late. In the past months alone, we have reported on several variants of both ransomware and crypto-ransomware, each with their own “unique” routines. We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but also infects files—a first for ransomware.  VIRLOCK variants may arrive bundled with other malware in infected computers. We have even seen one VIRLOCK variant in the CARBANAK/ANUNAK targeted attack campaign.

As mentioned, VIRLOCK also has file-infecting routines. Once in the computer, PE_VIRLOCK checks for specific file types, including the following:

  • Executable files (*.exe)
  • Common Document files (*.doc, *.xls, *.pdf, *.ppt, *.mdb)
  • Archive files (*.zip, *.rar)
  • Audio/Video files (*.mp3, *.mpg, *.wma)
  • Image files (*.png, *.gif, *.bmp, *.jpg, *.jpeg, *.psd)
  • Certificate files (*.p12, *.cer, *.crt, *.p7b, *.pfx, *.pem)

VIRLOCK does not use any of those methods to infect systems. Instead, its very nature is more damaging: a polymorphic worm with file infecting capabilities. It bears stressing that file infectors and worms are two malware types that can effectively and efficiently spread malware—and VIRLOCK can be considered both.

If the infected system is not properly cleaned, even the presence of a single infected file will trigger the infection chain all over again. Once VIRLOCK gets into a system network, it will be all over the place; it can infect a whole network system without notice.
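Because a single overlooked infected file restarts the infection chain, the practical defensive counterpart to the file-type list above is a file-integrity baseline over exactly those extensions. The following script is an added example, not Trend Micro's code or tooling: it records a SHA-256 manifest of every file whose extension is on the list quoted above and later reports which of those files were modified, added or removed. The directory layout and sample files in `demo()` are constructed for illustration; on a real file share you would point `build_manifest()` at the share root and keep the baseline somewhere the share cannot write to.

```python
"""File-integrity baseline for the file types VIRLOCK targets.

Added example (not Trend Micro's code): builds a SHA-256 manifest of files
whose extensions match the list in the write-up, then compares a later scan
against it so that files modified after the baseline stand out. The
directory layout and sample files used in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions from the Trend Labs list quoted above.
TARGET_EXTENSIONS = {
    ".exe",
    ".doc", ".xls", ".pdf", ".ppt", ".mdb",
    ".zip", ".rar",
    ".mp3", ".mpg", ".wma",
    ".png", ".gif", ".bmp", ".jpg", ".jpeg", ".psd",
    ".p12", ".cer", ".crt", ".p7b", ".pfx", ".pem",
}


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, extensions=TARGET_EXTENSIONS):
    """Map each matching file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: baseline a share, then alter one document."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "reports" / "q1.doc").write_bytes(b"quarterly report")
        (root / "tools.exe").write_bytes(b"MZ placeholder")
        (root / "notes.txt").write_bytes(b"not on the watched list")
        baseline = build_manifest(root)
        # Simulate a watched document being rewritten and a new archive appearing
        # after the baseline was taken.
        (root / "reports" / "q1.doc").write_bytes(b"quarterly report" + b"\x00" * 32)
        (root / "new.zip").write_bytes(b"PK placeholder")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

A hash mismatch on a document or archive that nobody legitimately edited is the signal to quarantine the host and re-scan, since the write-up stresses that one surviving infected file is enough to reinfect a cleaned system.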

Apple iPhone Security – IP BOX Password cracking device

For a few hundred dollars, a specially built device can brute-force iPhone PINs of four or fewer characters. It even works around the “Erase all data after 10 failed attempts” control. A best practice is to lock the device with a longer and more complex passcode.

We recently became aware of a device known as an IP Box that was being used in the phone repair markets to bruteforce the iOS screenlock. This obviously has huge security implications and naturally it was something we wanted to investigate and validate. For as little as £200 we were able to acquire one of these devices and put it to work.

Although we’re still analyzing the device it appears to be relatively simple in that it simulates the PIN entry over the USB connection and sequentially bruteforces every possible PIN combination. That in itself is not unsurprising and has been known for some time. What is surprising however is that this still works even with the “Erase data after 10 attempts” configuration setting enabled. Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to 111 hours to bruteforce a 4 digit PIN.

Website Security – Abandoned Subdomains create Risk

Companies occasionally create dedicated subdomains for special business and technology needs. When the need passes or the service is discontinued, these sites may still remain open and active at the hosting provider.  As a best practice, companies should retire the subdomain at the same time the special support need it served is discontinued.

Many companies set up subdomains for use with external services, but then forget to disable them when they stop using those services, creating a loophole for attackers to exploit. Because many service providers don’t properly validate the ownership of subdomains pointed at their servers, attackers can set up new accounts and abuse subdomains forgotten by companies by claiming them as their own.

Removing or updating DNS entries for subdomains that are no longer actively used sounds like something that should be common procedure, but according to researchers from Detectify, a Stockholm-based provider of website security scanning services, this type of oversight is actually quite widespread among companies. “We’ve also identified at least 200 organizations which are currently affected,” the researchers said. “In many cases, we are talking NASDAQ-listed, top 100 Alexa rank domains that basically allowed us to set up a Hello World on their domains.”

The risk to website owners depends on what can be done on a third-party service once a domain is pointed to it. If the service allows users to set up Web pages or Web redirects, attackers could exploit the situation to launch credible phishing attacks by creating rogue copies of the main website.
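The oversight described above is straightforward to audit from the site owner's side: export the zone, and for every CNAME that points at a third-party host, check whether that host still resolves. A target that returns NXDOMAIN is a record that should have been deleted when the service was dropped. The script below is an added example, not Detectify's tooling; the zone records and the resolver answers are constructed sample data for a fictional `example.com`, and the `resolve` callable would query real DNS in an actual audit.

```python
"""Audit a zone's CNAME records for dangling third-party targets.

Added example, not Detectify's code. Models the check a site owner runs
over their own zone export: a subdomain whose CNAME points at an external
host that no longer resolves should have been removed when the service it
supported was discontinued. ZONE_RECORDS and FAKE_DNS are constructed data.
"""
from dataclasses import dataclass

# Constructed zone export for the fictional example.com.
ZONE_RECORDS = {
    "www.example.com": ("A", "203.0.113.10"),
    "blog.example.com": ("CNAME", "example-blog.hosting-provider.example"),
    "promo.example.com": ("CNAME", "old-campaign.pages-service.example"),
    "shop.example.com": ("CNAME", "store-123.shop-platform.example"),
    "intranet.example.com": ("CNAME", "www.example.com"),
}

# Constructed resolver answers; None stands for NXDOMAIN.
FAKE_DNS = {
    "example-blog.hosting-provider.example": "198.51.100.5",
    "old-campaign.pages-service.example": None,
    "store-123.shop-platform.example": "198.51.100.77",
}


@dataclass
class Finding:
    subdomain: str
    target: str
    status: str  # "ok" or "dangling"


def fake_resolve(name):
    """Stand-in for a DNS lookup; returns an address or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def in_own_zone(target, zone):
    """True when the CNAME target is inside the zone being audited."""
    return target == zone or target.endswith("." + zone)


def audit_zone(records, zone, resolve=fake_resolve):
    """Classify every external CNAME in the zone as ok or dangling."""
    findings = []
    for name, (rtype, value) in sorted(records.items()):
        if rtype != "CNAME":
            continue
        if in_own_zone(value, zone):
            continue  # internal alias, not a third-party service
        status = "ok" if resolve(value) else "dangling"
        findings.append(Finding(name, value, status))
    return findings


def dangling_subdomains(records, zone, resolve=fake_resolve):
    """Subdomains whose external CNAME target no longer resolves."""
    return [f.subdomain for f in audit_zone(records, zone, resolve)
            if f.status == "dangling"]


if __name__ == "__main__":
    for finding in audit_zone(ZONE_RECORDS, "example.com"):
        print(f"{finding.subdomain:25} -> {finding.target:45} {finding.status}")
```

NXDOMAIN is the cheap signal, not the whole check. The article's point is that some providers do not validate ownership at all, so a target that still resolves can still be claimable by someone else; for each "ok" finding the owner should also confirm that the account at the provider is theirs and still in use, and delete the record otherwise.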

Microsoft Office 2016 Preview announced

Microsoft has announced the launch of a preview version of Office 2016.

Microsoft is improving Outlook 2016 search, storage footprint, and email delivery performance, alongside some improvements to image insertion in Word 2016 and Excel 2016. While Microsoft has previously added new ways to extend Office for developers, the software maker says it’s not touching add-ins or macro abilities in Office 2016, leaving things the same way for existing documents. This approach will please enterprise customers who typically run into issues with older spreadsheets and complex macros. You can sign up for Microsoft’s Office 2016 preview right here.

Alongside the Office 2016 preview, Microsoft is also launching a test version of Skype for Business. This new version of Skype is a replacement for Lync, Microsoft’s primary communications tool for businesses. Skype for Business looks very similar to the consumer version of Skype, with the ability to integrate closely into various Office apps. A final version of Skype for Business will be available in April, and you can sign up to the preview over at Microsoft’s evaluation site.

USB Flash Drive – Destructive model created as proof of concept

This USB flash drive proof of concept highlights a re-engineering process that could permanently damage the BIOS, motherboard, and other circuitry of a system. The device is designed to store electricity until a harmful charge has accumulated and then surge it back into the computer to fry components. If it were physically mailed to someone as a limited “targeted” attack, disguised as an update, there would be no way to detect it in advance. Hopefully this concept stays in the laboratory only.

You arrive at work and find a USB flash drive on your desk; it’s not yours but would you plug it in? Over the years you’ve heard a plethora of security-related reasons not to plug in random USB drives, yet as penetration testers know, curious people who know better still plug in a USB drive found in a parking lot. The scenario about finding a drive on your desk at work is one asked by an engineer who developed a USB drive that could turn your laptop or desktop into toast.

An engineer going by the alias of “Dark Purple” was allegedly inspired to build USB killer, what is basically a USB bomb, after reading about a guy who plugged in a USB and “burnt half” of his laptop down. Within a week, Dark Purple came up with a plan and ordered the components. While testing the prototype, Dark Purple “burnt down everything I could. Then I developed and ordered printed circuit boards in China and made a combat model.”

USB ports can provide power, such as when you charge your phone or other device via USB. The USB killer at first acts like a normal storage USB while it pulls and stores power until it reaches negative 110 volts; then it sends that surge back into the system. Zap! Not only will that power returned sizzle components and overload circuits, but it will also damage processors. Both AMD and Intel have USB controllers in their CPU die, or core of the computer chip.  Thankfully Dark Purple decided against posting step-by-step directions, full schematics and all the app details.

Microsoft Security Updates – MARCH 2015

Critical security updates for Microsoft Windows, Office, IE, and other products became available on Patch Tuesday, and users should promptly update for the best level of protection against new threats.

Apple Watch – March 2015 Product announcement

The “Apple Watch” was just announced, with the following highlights.

Apple Watch – Home Page

Highlights from the Apple Watch product launch include:

* Apple Watch will go on sale on April 24, 2015

* Price range $349 to $17,000 (18K Gold model). The larger 42mm (1.7in) models of the Watch will cost about $50 more than the 38mm (1.5in) version

* Requires iPhone 5 or higher (it is not standalone)

* Battery life for the Watch would typically last owners 18 hours between charges

* Apple Watch can be used to make touchless payments (compatible with Apple Pay)

* Apple Watch can receive phone calls.

* Apple Watch in conjunction with user’s iPhone, keeps time within 50 milliseconds of the definitive global time standard

* Apple Watch has built-in GPS tracking

* Sports model can track heart rate, distance walked, and other measures

* Apple Watch gives a gentle tap with each incoming message and can also send messages.

* Apple Watch can open a compatible hotel room lock as an alternative to a key card

* Checking the name of a song via the app Shazam

* Opening an internet-connected garage door remotely

* Numerous new apps have been developed in advance (The firm said on stage that thousands of new apps had already been developed for the Watch ahead of it going on sale)


Early SALES PROJECTIONS were noted as follows: 

*  Rivals’ smart watches have only seen limited sales to date.

*  “Apple will unquestionably sell millions of these watches because there’s pent-up demand from the loyal super-fans who will buy almost any Apple product,” said Ben Wood from the tech advisory firm CCS Insight.

* CCS Insight forecasts 20 million units will be sold by the end of this year – representing about 7% of the compatible iPhones currently in use. However, other analysts range widely in their predictions, forecasting sales as low as eight million units to as high as 60 million in 2015.

Intel’s Compute Stick – Turn HDMI TV Or Monitor into Windows 8.1 or Linux PC

Later this month, Intel plans to release a 4-inch HDMI plug-in device that has the form factor of a USB flash drive.  These amazing developments in miniaturization may benefit travelers, those building digital kiosks, or home users who want more than just “smart TV” capabilities.

The “Intel Compute Stick” is a 4-inch long dongle that turns any HDMI display into a Windows 8.1 or Linux machine. Want to transform your TV into a full-blown Windows 8.1 machine? That’s effectively what the Intel Compute Stick is offering for $149 with Windows 8.1 included, or $89 for a Linux version running Ubuntu.

What’s crammed into the Intel Compute Stick? An Intel Atom quad-core CPU, Windows 8.1, 2GB of RAM, 32GB of onboard storage and a microSD slot to extend that capacity, Bluetooth 4.0, Wireless 802.11b/g/n connectivity, and a full-size USB port. Add something like Logitech’s K400 Wireless Keyboard and Touchpad combo for $19.99 and you have an entry-level, highly portable PC-on-a-stick for a grand total of $169.

Data Breach – Update on Anthem attacks

Security researchers have traced the theft of customer data from health insurer Anthem’s data systems to a professor at a Chinese university with links to a defense contractor. A new open-source intelligence analysis of the breach of health insurer Anthem has reinforced theories that the data theft leads back to a Chinese espionage program, security firm ThreatConnect stated on Feb. 27. In the report, which is based on public sources or “open-source” intelligence, security researchers at ThreatConnect and other companies found technical evidence that linked the malware reportedly used in the Anthem attack to a Chinese espionage group and a professor at Southeast University, which works with a government contractor, Beijing Topsec Technology Co.

Facebook – Bug Bounty Hunters paid $1.3 Million in 2014

Paying security researchers to privately identify vulnerabilities helps strengthen security over time, and this is a good investment for Facebook given its huge user base.

There’s no doubt that Facebook has a problem with malware, spam and cybercrime on its pages. However, it has gone to great lengths to combat these issues with its bug bounty program, which pays individual security researchers and experts who uncover problems with the site. And according to a recent report on the program from Facebook, it’s only getting bigger and better. Facebook has paid out $3 million to researchers around the world since the site started its bug bounty program in 2011. However, $1.3 million of that came in 2014 alone. That total was paid to 321 researchers in 123 countries for an average prize of $1,788. Overall, submissions increased by 16 percent from 2013 to 2014. India reported the most issues, followed by Egypt and the United States.  “Report volume is at its highest levels, and researchers are finding better bugs than ever before,” Facebook wrote in its post announcing the 2014 results. “We’ve already received more than 100 valid reports since the start of the new year.”