Computer News & Safety – Harry Waldron Rotating Header Image

July, 2017:

Malware – New SMB SlowLoris vulnerability can create DoS attack

A newly discovered SMB protocol weaknessness was demonstrated during the DEFCON 25 conference last week

While studying the infamous EternalBlue exploit about 2 months ago, researchers Sean Dillon (zerosum0x0) and Zach Harding (Aleph-Naught-) found a new flaw in the Server Message Block (SMB) protocol that could allow an adversary to interrupt the service by depleting the memory and CPU resources of the targeted machine on a Denial of Service (DoS) attack.

As announced, some bug details were presented yesterday during a presentation at DEFCON 25 in Las Vegas. The attack is similar to another called SlowLoris  (hence also the similarity of the name) by allowing an attacker with a single machine and low bandwidth to be able to interrupt a service through a DoS attack. The difference is that SlowLoris affected Web servers.

Technically speaking, the problem occurs with the accumulation of a 4-bytes buffer called NBSS used during SMB session establishment which are allocated in the physical RAM and can not be swapped out. Triggering this, an attacker who initiates a large amount of connections to the service will be able to deplete the memory resources and after the CPU on the target.

There is no update from Microsoft to fix the problem – so it has been considered a zero-day. For now, as a mitigation measure, the recommendation is to use a packet filter, like a Firewall, to limit the number of connections from a same source to the Windows servers on port 445 (SMB).

Oracle – 308 vulnerabilities in product lines patched in JULY 2017

A total of 308 vulnerabilities were patched in the Oracle product families during the JULY 2017 updates, with 168 deemed as highly critical to patch right away due to remote exploit potential

Then there is Oracle’s gargantuan Critical Patch Update (CPU), which fixed a whopping 308 vulnerabilities across its entire product portfolio. Over half, or 168, of the fixes address vulnerabilities that could be remotely exploited without needing any kind of user authentication.  Oracle hasn’t been “just” a database company in a long time, and nowhere is that more evident than in its quarterly critical patch update release, where the bulk of the fixes are in business applications like PeopleSoft and E-Business Suite.

Data Breach – HBO future show content stolen in cyber-attacks

The Home Box Office (HBO) has reported a few of their future shows have been stolen in recent cyber-attacks as shared below

HBO today confirmed that it was hit by a cyber attack, which has resulted in upcoming episodes of its original shows as well as content from its hit drama Game of Thrones leaking online.  HBO did not immediately respond to a request for comment, but a spokesperson told Entertainment Weekly that it “recently experienced a cyber incident, which resulted in the compromise of proprietary information.”

The company did not reveal what was stolen, but in a memo to employees, HBO CEO Richard Plepler confirmed that the haul included “some of our programming,” EW says.  Hackers contacted journalists on Sunday night via email to notify them of the breach. They’ve reportedly stolen 1.5TB of data from HBO

Mozilla Security – IRL podcast on Ransomware JULY-2017

Mozilla features a new podcast series hosted by Veronica Belmont on relevant web topics.  Episode #3 is excellent in sharing impacts of a ransomware attack

Have you been hacked, or been the victim of malware or ransomware? Humans make the internet vibrant, but we’re also the weakest link — we’re predictable and often easily fooled. This episode of IRL focuses on our internet insecurity. Meet the unsung heroes fighting to keep us safe. Stay safe online! Here’s more on how to not be a ransomware victim.

Transcript: Speaker 1: Hello, you need to make the bitcoin payment to unlock your files. Do you know how to purchase bitcoin?

Speaker 2: Hi. No, I do not. What happened to my files? How much do I have to pay?

Veronica: What you’re hearing is part of an online chat one of my guests actually had with a ransomware criminal.

Speaker 1: Your files are encrypted. Go and purchase 125 US dollars worth of bitcoin. Send them to the address below and we will send you the decryption password and go on the chat if you need and help you.

Veronica: Do you know what ransomware is? It’s when you turn on your computer and an image says something like, “Surprise! Your files are encrypted. Send us money.”

Blackhat Security Conference – Automotive Hacking JULY-2017

The Tesla Model “S” is one of most advanced and innovative automobiles available and a group of security researchers shared vulnerabilities at the recent Blackhat Security Conference.  These findings were shared with the manufacturer who strengthened security and likely has a little more work in this area (as do many other automotive firms)

With a handful of self-driving vehicles already on the road, the car is poised to be the next vanguard for high technology. And Tesla’s all-electric vehicles are among the most advanced consumer vehicles on the road.   At Black Hat 2016, researchers from Tencent KeenLab demonstrated how to remotely take control of a Tesla Model S. Tesla quickly patched those vulnerabilities, but the Tencent team returned to Black Hat 2017 with a new slew of Tesla attacks.

But the researchers said they believed hacking should be fun, which is why their grand finale was a syncronized light show using the Tesla’s exterior lighting systems synched to music. Flashing patterns covered the vehicle, with the lights clearly operating in a way not intended by the manufacturer. The gull-wing doors even opened and bobbed up and down like rhythmic rabbit years

The researchers notified Tesla of their findings, and the company released an update package within 10 days that fixed many of the vulnerabilities in the long, complex chain required to gain control of a Model S.   The researchers praised Tesla, which updated the kernel to a much newer version, making it harder to exploit. Tesla also hardened its browser, with multiple ways to protect vehicle systems even when the browser was compromised. The company also added code signing, which ensures that only legitimate code can be accepted as an update and installed by the vehicle.

Banking Fraud – Realistic Text Scams circulating JULY-2017

The SANS Internet Storm center warns of highly realistic banking scams circulating as text messages for smartphones.  For example, they may substitute a numeric “0” for an alphabetic “O” character — so that URLs appear to be accurately presented.  Users who proceed with these text based scams often log into a fake but realistic looking website where their banking credentials are captured by the bad guys.    However, most banks don’t use text messaging or email to contact customers on important banking matters.

Over the past few days I have been getting a few phone text scams that kind of look realistic except for certain flaws that are fairly easy to pick out, however this is where it is important to read the whole URL. First, if you don’t have a banking account with the bank that appears to be texting you, you would just ignore and delete it. Most bank won’t text or email you regarding issues with your account. However, if you do online banking with this bank you might be tempted to check it out.

Analysis of the site by urlscan shows the site is located in Amsterdam not in Canada but the picture of the scam site looks very realistic compared to the real site.  Most banks have a mechanism to report such scams, BMO has a help page to either call or send them an email about this kind of scams so other don’t get caught. If you are uncertain about your bank fraud policy, they usually have an online page about what to do.

Hardware – Samsung overtakes Intel as largest semiconductor company

Intel has been the world’s largest semiconductor company for 25 years.  On an overall revenue basis, Samsung is now the new #1 company, based on the advent of mobile and IoT technologies.

Intel became the world’s largest semiconductor company by revenue in 1992 when is surpassed NEC. It has held the top spot ever since, but 25 years later and as predicted Intel is now just like NEC, being replaced. The new world’s largest semiconductor company is Samsung.

According to the Associated Press, for the April-June quarter, Samsung earned $7.2 billion on sales of $15.8 billion. Intel earned $2.8 billion on sales of $14.8 billion, pushing it into second place overall. However, Patrick Moorhead, principal analyst with Moor Insights & Strategy, said we will likely see the two companies swapping position a few times. Samsung’s rise to the top is thanks to mobile devices and memory. Consumers can’t get enough of mobile gadgets, which are typically full of Samsung parts

Blackhat Security Conference – Printer Vulnerabilities JULY-2017

Another important finding shared from Blackhat Security Conference

LAS VEGAS—Printers have been part of the modern home and office for decades, despite numerous attempts to go “paperless.” But at the Black Hat conference here, Jens Müller of Ruhr University Bochum reminded attendees that just because something is ubiquitous doesn’t mean it should be trusted

Add the ability to access the printer via USB, local network, or over the internet, and you have the recipe for a devastating attack. In fact, security researchers have warned for years that connected devices like printers, routers, and even VoIP phones could be used as beachheads for an attacker. The phone might not be very useful for an attacker, but perhaps they could use it to pivot to your secure network.

Müller found enough within the humble printer to keep him busy without trying to escalate an attack. The problem, he said, are the printing protocols that translate the files on your computer into something the printer can put to paper. One such protocol—aptly named the Printer Job Language—was developed in the early 90s by HP, and it can make permanent changes to the printer, not just the current print job. Another, called PostScript, was developed by Adobe and was originally intended for document exchange. It’s been largely replaced by the PDF, but is still heavily used in laser printers.

“In the long-term actually we need to get rid of insecure printer languages,” said Müller, but that’s a long-term solution, he conceded.  In the short term, he advised sandboxing network printers into a separate VLAN that is only reachable through a hardened print server. Printer vendors need to “consider undoing some insecure decisions,” and browser vendors could block port 9100.

Security – Fake Microsoft technician scam circulating five years later

This older article from 2012 is still relevant 5 years later.  Scammers use fear to convince users to share sensitive information or charge to fix your PC. And malware can be planted on the PC, when users may not be aware of these tactics.

I’m pretty sure that most of you guys know about the recent phone scam which is circulating right now. The scam is pretty simple; they pretend to be from a department within Microsoft which has received indications that your computer is infected with some malware.

They will then offer (for free) to verify if this is the case. If the victim agrees on this, they will ask the victim to perform certain actions, and also type certain commands, which will trick a non-experienced user that the output is actually showing that the computer is infected.

I just want to mention that there is no such department at Microsoft, and they would never call up customers offering this. So if you ever get a call from Microsoft stating that there are some indications that your computer is broken or infected – please hang up!

Well, they have called me several times, and finally Ii got fed up with this and started to play along. At the same time I had my virtual machines running and was recording everything that they were doing. The goal was to find out who they were and exactly what the scam was. Luckily I was able to get hold of information such as their internal IP addresses, the PayPal accounts used to wire money and the numbers they are calling from.

After collecting all the information, i have now contacted all the appropriate people such as the security team at PayPal, various law enforcement agencies with the hope that we can stop these people. They are stealing alot of money from innocent people. I know that people have been warned about these scams, but my conclusion is that they are still calling people because they are still making money out of these scams.

The software that they were using was not malicious in any way, which means that no security software can detect these types of scams. This is one of the main reasons for this article and others like it – we need to keep informing people about it until the cybercriminals are forced to stop.

Apple – Discontinues iPod mp3 players – 7 alternative models

As a high-end media player, Apple still has iPod Touch for $199, as it discontinues two of lower end models due to less demand (as smartphones provide capabilies also).  This article shares 7 alternatives to the iPod Shuffle and iPod Nano which were discontinued recently.

Apple’s iconic iPods are going away. But if you’re still in the market for a dedicated music player, there are still some worthy options out there.  Apple didn’t invent the portable music player, but the company’s iPod was the category’s first true mass-market phenomenon. But in the post-iPhone era, iPod sales have continued to plunge — which is why Apple finally pulled the plug on sales of the iPod Shuffle and the iPod Nano yesterday.

So what now? Of course, these models will still be available in retail and online until stock runs out. But we know some of you still want non-phone music player alternatives for workouts, for the beach or just for serious music appreciation. With that in mind, we’ve sorted through the shrinking MP3 player market for some worthwhile alternatives