Following the recent declaration by the U.S. National Security Agency that Russian hackers tried to infiltrate the electronic voting machines used in the last U.S. presidential election, many people are calling for changes, chief among them that the electronic voting machines be scrapped. Although the Russians did not succeed, many questions remain on the table.
Bipartisan bill to secure voting machines
U.S. senators looking for answers have formed a committee and are hoping to pass a bipartisan bill called the Securing America’s Voting Equipment (SAVE) Act. The bill would enlist the Department of Homeland Security to organize an event like the one held at the DEFCON hackers conference in July, the “Voting Machine Hacking Village.”
That DEFCON event exposed vulnerabilities in the electronic voting machines used in the last U.S. election. Hackers took less than two hours to break into the 25 voting machines that were brought to the conference, and the first machine was penetrated within minutes. The results of the findings, released at an event at the Atlantic Council in October, were one of the key provocations for the senators to introduce the SAVE bill.
Interestingly, some of the significant findings after the alleged Russian breach were centered on the use of foreign materials in the production of these voting machines. Hackers at the DEFCON event pointed to the possibility of having malware embedded into the hardware and software along the entire supply and distribution chain. It was also believed that hackers could have tampered with voters’ registration on the touch screen voting machines.
Hackers enlisted to hunt for vulnerabilities in voting machines
Called the “Cooperative Hack the Election Program”, the initiative mirrors the bug bounty programs previously run by the U.S. Department of Defense (DoD), in which friendly hackers were invited to hack the Pentagon, Army and Air Force. The program is set to start one year after the bill takes effect.
The stated objective of the program is “to strengthen electoral systems from outside interference by encouraging entrants to work cooperatively with election system vendors to penetrate inactive voting and voter registration systems to discover vulnerabilities of, and develop defenses for, such systems.”
Just like past U.S. DoD programs, the “Hack the Election” competition will offer incentives for hackers to find security weaknesses in the election system. Hackers playing by the rules will also be exempted from the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA).
Hackers to replicate past successes against voting machines
Looking at past results, we can expect excellent outcomes from the new program. The first of these bug bounties was the ‘Hack the Pentagon’ program, in which hackers found 138 vulnerabilities. This was quickly followed by the ‘Hack the Army’ program, which yielded 118 vulnerabilities, and the ‘Hack the Air Force’ program, with a bountiful harvest of 207 vulnerabilities.
While it is not clear if the hacking program is a one-off event, the bill does propose a requirement for integrity audits to be performed every four years on the voting machines starting from 2019. There is also the provision for grants to be given to help states enhance the security of their voting systems.
An auction house is blaming a paid, deliberate attack that originated from Ukraine for a computer meltdown that shelved a multimillion dollar sale of artwork on Tuesday night.
Scores of people had gathered at Chifley Tower in Sydney’s CBD for an art auction hosted by online start-up Fine Art Bourse, created by Tim Goodman, a former chairman of Sotheby’s, and Adrian Newstead, the founder of Cooee Art.
Buyers were competing for more than 80 artworks, including Emily Kame Kngwarreye’s Earth’s Creation I, which was expected to fetch at least $2 million.
But the auction was postponed after what was described as “an unusually high surge of traffic” overloaded the auction site’s server, which is based in Hong Kong.
William Ehmcke, a director of the online auction house, said in a statement on Thursday that the timing and size of the attack suggested it was paid and deliberate.
“There is also evidence that the auction platform database was hacked, just prior to the auction launch, to further disrupt the sale process,” he said. “All client data has now been removed from the FAB (Fine Art Bourse) database.”
Mr Goodman said: “Someone out there does not want us to succeed.”
On Wednesday, the company’s IT project manager Carl Welsby said: “The flood of interest on the site resulted in over 170,000 server processes at once, meaning the server had to put all these requests and users in a queue to process, causing the web page to stop loading.”
Mr Welsby might have expected stern words from his bosses over the embarrassing computer failure, but Mr Goodman suggested sinister forces might have derailed the auction, which has been rescheduled to Thursday.
“We are trying to find the source of the people that logged on at 6pm that caused the overload to the server,” Mr Goodman said. “More specifically we are looking to determine if there is an unusual number of people logging on from one particular country.
“At 6pm, we had 60,000 cached requests. The web server did not crash but as a result of this massive traffic it took too long to serve requests so to the general public it appeared like a crash.”
Asked who he suspected of the alleged IT mischief, Mr Goodman said: “I don’t believe it to be an auction house. I suspect a dealer in Aboriginal art or an auction house aggregator. The former is more likely than the latter. The art business is competitive and can be cut-throat especially when the stakes are high just like any industry.”
Mr Goodman later conceded it might not be sabotage. “However, 1000 people all logging on within minutes of each other seems very odd, hence our investigations,” he said.
But one art commentator told Fairfax Media: “Well, of course they are trying to maximise publicity for their gig and if it looks like sabotage rather than their own IT stuff-up then someone else is to blame I suppose. They must have been very pissed off, that’s for sure.”
Kaspersky Lab has updated its investigation on the hacking of a home computer used by an NSA employee.
MOSCOW (Sputnik) — Kaspersky IT security company has announced that access to information on the home computer of the employee of the US National Security Agency (NSA) could have been obtained by an unknown number of hackers.
According to the Kaspersky Lab probe, which is linked to media reports that the company’s software was allegedly used to search for and download classified information from the home computer of an NSA employee, the user’s computer was infected with the Mokes backdoor, malware that allows hackers to gain access to a device.
“The malware… was a full blown backdoor which may have allowed third parties access to the user’s machine,” the Kaspersky Lab has stated.
However, it is possible that Mokes was not the only malware that infected the computer in question, the company said, adding that while the Kaspersky software on the computer was enabled, it reported 121 alarms for different types of malware.
“The interesting thing about this malware is that it was available for purchase on Russian underground forums in 2011. Also noteworthy is that the command-and-control servers of this malware were registered to a (presumably) Chinese entity going by the name ‘Zhou Lou’ during the period of September to November 2014,” the statement explained.
Allegations Against Kaspersky Lab
The internal investigation by Kaspersky Lab was launched after The Wall Street Journal reported in October that a group of hackers allegedly working for Russian officials had stolen classified data via a National Security Agency (NSA) contractor who used antivirus software made by the Russian software producer.
Shortly afterwards, the New York Times reported that Israeli intelligence services had hacked into Kaspersky’s network and warned their US colleagues that the Russian government was allegedly using Kaspersky software to gain access to computers around the world, including in several US government agencies.
Both reports came a month after the US Department of Homeland Security ordered state agencies and departments to stop using Kaspersky Lab software within 90 days. The company’s CEO, Eugene Kaspersky, has refuted all the allegations spread by the media regarding the Russian cybersecurity company’s involvement in spying on US users through its products, calling such claims groundless and paranoid.
Commenting on the situation in an interview with the newspaper Die Zeit, Eugene Kaspersky said: “There is a feeling that we just had been doing our job better than others, that we had been protecting our clients better than others … Probably, someone in the United States is very unhappy about it.”
Most recently, WikiLeaks has revealed that the CIA had written code to “impersonate” Russia-based Kaspersky Lab, which had been used at least three times.
Kaspersky Lab is one of the largest private cybersecurity companies in the world, with its technologies protecting over 400 million users and 270,000 corporate clients.
Experts agree that it’s long past time for companies to stop relying on traditional passwords. They should switch to more secure access methods like multi-factor authentication (MFA), biometrics, and single sign-on (SSO) systems. According to the latest Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved either stolen or weak passwords.
First, let’s talk about password hacking techniques. The story is different when the target is a company, an individual, or the general public, but the end result is usually the same. The hacker wins.
Breaking passwords from hashed password files
If all a company’s passwords are cracked at once, it’s usually because a password file was stolen. Some companies have lists of plain-text passwords, while security-conscious enterprises generally keep their password files in hashed form. Hashed files are used to protect passwords for domain controllers, enterprise authentication platforms like LDAP and Active Directory, and many other systems, says Brian Contos, CISO at Verodin, Inc.
Hashes scramble passwords in such a way that they can’t be unscrambled again. To check whether a password is valid, the login system hashes the password a user enters and compares the result to the hash already on file. Even so, these hashes, including salted hashes, are no longer very secure.
Attackers who get their hands on a hashed password file use “rainbow tables”, precomputed hash-to-password lookups, to recover passwords with simple searches. They can also buy purpose-built password-cracking hardware, rent capacity from public cloud providers like Amazon or Microsoft, or build or rent botnets to do the processing.
Attackers who aren’t password-cracking experts themselves can outsource. “I can rent these services for a couple of hours, couple of days, or a couple of weeks — and usually that comes with support, as well,” Contos says. “You see a lot of specialization in this space.”
As a result, the time it takes to break hashed passwords, even ones previously thought of as secure, is no longer measured in millions of years. “Based on my experience of how people create passwords, you’ll usually crack 80 to 90 percent in less than 24 hours,” he says. “Given enough time and resources, you can crack any password. The difference is whether it takes hours, days, or weeks.”
This is especially true of any password that is created by humans, instead of randomly generated by computer. A longer password, such as a passphrase, is good practice when users need something they can remember, he says, but it’s no replacement for strong MFA.
Stolen hash files are particularly vulnerable because all the work is done on the attacker’s computer. There’s no need to send a trial password to a website or application to see if it works.
“We at Coalfire Labs prefer Hashcat and have a dedicated cracking machine supplemented with multiple graphics processing units that are used to crunch those password lists through the cryptographic hashing algorithms,” says Justin Angel, security researcher at Coalfire Labs. “It isn’t uncommon for us to recover thousands of passwords overnight using this approach.”
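As an added example (not code from the article or from the experts quoted in it), this shows the login-time check described above and the difference a salt and a slow hash make: an unsalted fast hash falls to a precomputed lookup, while a salted, iterated hash forces a separate full computation for every guess. The password list and the iteration count are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of "most common passwords"; real attacker lists run to millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2017!"]

# Demo iteration count so the example runs quickly; production deployments use
# far more (OWASP suggests 600,000 for PBKDF2-HMAC-SHA256 at the time of writing).
PBKDF2_ITERATIONS = 100_000


def fast_hash(password: str) -> str:
    """Unsalted, single-round SHA-256: the kind of 'hashed' file that is cracked at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. Against unsalted hashes the same table works
    for every user in every breach: this is the rainbow-table idea in miniature."""
    return {fast_hash(p): p for p in candidates}


def crack_unsalted(table, stored_hash: str) -> Optional[str]:
    """Recover the plaintext with a single dictionary lookup and no hashing at all."""
    return table.get(stored_hash)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing record: algo$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords get unequal hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(stored: str, candidate: str) -> bool:
    """The login-time check: re-hash the candidate with the stored salt and parameters,
    then compare in constant time so response timing does not leak how much matched."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record (e.g. a bare fast hash) never verifies
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def offline_guess(stored: str, candidates):
    """What an attacker holding a salted record must do: run the full KDF for each
    candidate with that user's salt. Returns (plaintext or None, KDF runs spent).
    The precomputed table is useless here because the salt changes every hash."""
    work = 0
    for candidate in candidates:
        work += 1
        if verify_password(stored, candidate):
            return candidate, work
    return None, work
```

The salt removes the shared precomputation but not the per-user guessing, which is why the iteration count (and, ultimately, MFA) still matters.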
Botnets enable mass-market attacks
For attacks against large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites and lists of passwords that people commonly use.
According to Philip Lieberman, president at Lieberman Software Corp., these lists are available for free, or at low cost, and include login information on about 40 percent of all internet users. “Past breaches of companies like Yahoo have created massive databases that criminals can use,” he says.
Often, those passwords stay valid for a long time. “Even post-breach, many users will not change their already breached password,” says Roman Blachman, CTO at Preempt Security.
Say, for example, a hacker wants to get into bank accounts. Logging into the same account several times will trigger alerts, lockouts, or other security measures. So they start with a giant list of known email addresses and then grab a list of the most common passwords that people use, says Lance Cottrell, chief scientist at Ntrepid Corp. “They try logging into every single one of the email addresses with the most common password,” he says. “So each account only gets one failure.”
They wait a couple of days and then try each of those email addresses with the next most common password. “They can use their botnet of a million compromised computers, so the target website doesn’t see all the attempts coming in from a single source, either,” he added.
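As an added illustration of the one-failure-per-account pattern Cottrell describes (this is not the article’s code or any vendor’s product), here is a small detector run over constructed authentication log lines. It shows why per-account lockouts and per-source blocking both stay silent, and what a population-level check looks for instead; the log format, addresses and thresholds are assumptions made for the demo.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (key=value, not any real product's format):
#   <iso-timestamp> src=<ip> user=<account> result=OK|FAIL
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def constructed_log():
    """Build sample lines: a little normal noise, then a low-and-slow spray
    that hits 40 accounts once each from 40 different addresses in 3 minutes."""
    base = datetime(2017, 11, 13, 18, 0, tzinfo=timezone.utc)
    noise_at = base - timedelta(hours=1)
    lines = [
        f"{noise_at.isoformat()} src=198.51.100.7 user=alice@example.com result=FAIL",
        f"{(noise_at + timedelta(seconds=20)).isoformat()} src=198.51.100.7 user=alice@example.com result=FAIL",
        f"{(noise_at + timedelta(seconds=45)).isoformat()} src=198.51.100.7 user=alice@example.com result=OK",
    ]
    for i in range(40):
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts.isoformat()} src=203.0.113.{i + 1} user=user{i:02d}@example.com result=FAIL")
    return lines


def parse_log(lines):
    """Parse lines into dicts; unparseable lines are skipped rather than crashing the detector."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def per_account_lockouts(events, threshold=5):
    """Classic control: lock an account after N failures. One failure per account never trips it."""
    fails = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {user for user, n in fails.items() if n >= threshold}


def per_source_blocks(events, threshold=10):
    """Classic control: block a source after N failures. A botnet spreads the load so it never trips."""
    fails = Counter(e["src"] for e in events if e["result"] == "FAIL")
    return {src for src, n in fails.items() if n >= threshold}


def detect_spray(events, window=timedelta(minutes=10), min_accounts=20, max_per_account=2):
    """Population-level check: inside a sliding window, many distinct accounts fail
    while no single account fails often. That combination is the spray signature."""
    fails = [e for e in events if e["result"] == "FAIL"]
    alerts = []
    start = 0
    for end in range(len(fails)):
        while fails[start]["ts"] < fails[end]["ts"] - window:
            start += 1
        chunk = fails[start:end + 1]
        per_user = Counter(e["user"] for e in chunk)
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            alert = {
                "window_start": chunk[0]["ts"],
                "window_end": chunk[-1]["ts"],
                "accounts": len(per_user),
                "sources": len({e["src"] for e in chunk}),
                "max_fails_per_account": max(per_user.values()),
            }
            # Same window start means the same burst; keep the fullest view of it.
            if alerts and alerts[-1]["window_start"] == alert["window_start"]:
                alerts[-1] = alert
            else:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    evs = parse_log(constructed_log())
    print("lockouts:", per_account_lockouts(evs))        # set()
    print("blocked sources:", per_source_blocks(evs))    # set()
    for a in detect_spray(evs):
        print(a)
```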
The industry is beginning to address the problem. The use of third-party authentication services like LinkedIn, Facebook, or Google helps reduce the number of passwords that users have to remember. Two-factor authentication (2FA) is becoming common with the major cloud vendors as well as with financial services sites and major retailers.
Standards-setting bodies are stepping up, as well, says James Bettke, security researcher at SecureWorks. In June, NIST released a set of updated Digital Identity Guidelines that specifically address the issue. “It acknowledges that password complexity requirements and periodic resets actually lead to weaker passwords,” he says. “Password fatigue causes users to reuse passwords and recycle predictable patterns.”
The FIDO alliance is also working to promote strong authentication standards, says Michael Magrath, director of global regulations and standards at VASCO Data Security. “Static passwords are not safe nor are they secure,” he says.
In addition to the standards, there are also new “frictionless” technologies such as behavioral biometrics and facial recognition that can help improve security on consumer websites and mobile apps.
Is your password already stolen?
To target an individual, attackers check if that user’s credentials have already been stolen from other sites on the likely chance that the same password, or a similar password, was used. “The LinkedIn breach a few years back is a good example,” says Gary Weiss, senior vice president and general manager for security, analytics, and discovery at OpenText Corp. “Hackers nabbed Mark Zuckerberg’s LinkedIn password and were able to access other platforms because he apparently re-used it across other social media.”
The average person has 150 accounts that require passwords, according to research from Dashlane, a company that offers a password management tool. That’s too many passwords to remember, so most people use just one or two passwords, with some simple variations. That’s a problem.
“There is a common misconception asserting that if you have one very complicated password, you can use it everywhere and remain protected,” says Emmanuel Schalit, CEO at Dashlane Inc. “This is categorically false. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information.” (You can see if your password-protected accounts have been compromised at Have I Been Pwned?.)
Once any one site is hacked and that password stolen, it can be leveraged to access other accounts. If the hackers can get into their user’s email account, they will use that to reset the user’s password everywhere else. “You might have a very good password on your bank or investment account, but if your gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you,” Cottrell says. “There’s a number of high profile people who have been taken down by password reset attacks.”
If they find a site or an internal enterprise application that doesn’t limit login attempts, they will also try to brute-force the password by using lists of common passwords, dictionary lookup tables, and password cracking tools like John the Ripper, Hashcat, or Mimikatz.
Commercial services are available in the criminal underground that use more sophisticated algorithms to crack passwords. These services have been greatly helped by the continued leaks of password files, says Abbas Haider Ali, CTO at xMatters, Inc.
Anything a human being can think of — replacing letters with symbols, using tricky abbreviations or keyboard patterns or unusual names from science fiction novels — someone else has already thought of. “It doesn’t matter how smart you are, human-generated passwords are completely pointless,” he says.
The password-cracker apps and tools have become very sophisticated over the years, says Ntrepid’s Cottrell. “But humans haven’t gotten much better at picking passwords,” he says.
For a high-value target, the attackers will also research them to find information that can help them answer security recovery questions. User accounts are typically just email addresses, he added, and corporate email addresses in particular are very easy to guess because they are standardized.
How to check the strength of your password
Most websites do a very poor job of telling users whether their chosen password is strong or not. They are usually several years out of date, and look for things like a length of at least eight characters, a mix of upper- and lowercase letters, and symbols and numbers.
Third-party sites will gauge the strength of your password, but users should be careful about which sites they use. “The worst thing in the world to do is go to a random website and type in a password to have it test it,” says Cottrell.
But if you’re curious about how long a password would take to crack, one website you can try is Dashlane’s HowSecureIsMyPassword.net. Another site that measures password strength, checking for dictionary words, leet-speak, and common patterns, is the Entropy Testing Meter by software engineer Aaron Toponce. He recommends choosing a password with at least 70 bits of entropy. Again, he recommends not typing your actual passwords into the site.
For most users — and for the websites and applications they log into — this creates a problem. How are users expected to come up with unique passwords for each site, and change them every three months, long enough to be secure, and still remember them?
“A rule of thumb is, if you can remember it, it isn’t a good password,” says Cottrell. “Certainly, if you can remember more than one or two of them, it isn’t a good password — it’s always a couple of words and the name of the website.”
Instead, he says, use a randomly generated password of the longest length the website allows and store them using a secure password management system. “I have more than 1,000 passwords in my password vault, and they’re almost all over 20 characters,” he says.
Then, for the master password for the vault, he uses a long passphrase. “It should not be a quote, or something from any book, but still memorable to you,” he says. “My recommendation for memorability is that it should be extraordinarily obscene — which also make it less likely that you’ll go and tell anyone. If you’ve got a 30-character phrase, that’s effectively impossible to brute force. The combinatorics just explode.”
For individual passwords for websites or applications, 20 characters is a reasonable length, according to Cyril Leclerc, Dashlane’s head of security — but only if they’re random. “Crackers will be able to crack a human-generated password of 20 characters,” he says, “but not for a randomly generated password. Even if someone had computers from the future with unlimited power, the hacker would potentially only be able to crack a single password, and only after spending an astronomical amount of time on the task.”
Hackers can empty your bank account and you’re helping them.
Jason Grandeo and his family have several smart devices such as laptops, tablets, iPhones, smart TVs, the list goes on. He was worried about the security of those devices. So we brought in a cyber expert to see if it’s possible to hack into them.
“We are able to log into your wireless router and your printer,” Dr. Mark Shaneck said.
Dr. Shaneck is a professor at Liberty University who runs the cyber security club. So how did he do it? It turns out the Grandeos were using the device’s default password, which is printed right on their router.
“We could even turn on remote administration for the wireless router so we could connect to it from anywhere on the internet,” Shaneck said.
Shaneck went on to explain that once an attacker was connected to the Wi-Fi, he could carry out attacks without even being in the house. But before he could do more, he hit a bit of a roadblock, so he connected to the Grandeos’ devices using a Wi-Fi Pineapple. The device tricks your computer into thinking the Pineapple is the usual network and automatically connects your computer to it. Shaneck says that’s when things get really dangerous.
“I was in control of the network traffic and I was able to redirect the requests to the banking website to my computer, which served up a similar look alike banking login page,” Shaneck said.
Shaneck was able to make clone websites that looked like the real thing. When Jason typed in his username and password on the website, Shaneck got it instantly.
“It was pretty scary, how quickly things could be set up on a web page,” homeowner Jason Grandeo said.
Shaneck admitted chances are you won’t have a hacker inside your house.
But this could happen any time you are connected to a Wi-Fi service that’s not encrypted.
“Always be cautious when you are at a hotel or something like that, so you probably don’t want to be logging into your bank account in the hotel wireless,” Shaneck said.
Shaneck said the most common way hackers attack is simply by sending you an email.
“That would then compromise your computer and then from there they could infect the rest of the network,” Shaneck said.
To protect yourself, the one thing you must do right now is change the default password on your Wi-Fi router. Jason Grandeo says he plans to do that right away.
“Probably, as soon as everybody leaves,” Grandeo said.
Hacking dangers don’t stop there.
There is also a way hackers can get into your iPhone and Amazon Echo. It’s called a dolphin attack: a hacker uses ultrasound commands that the human ear can’t hear to communicate with the device.
To protect yourself, Joe Klein, a tech expert based outside of Washington D.C., has this advice:
• Apple and Google both allow their “wake words” to be switched off so the assistants cannot be activated without permission.
• Validate that your device has been patched and updated.
• Inform visitors that a voice assistant is in the room and ask if that is OK.
• Some TV and internet streaming advertising includes dolphin attacks during breaks; consider disabling the voice assistant.
• If you work from home, disable the voice assistant during your working day to avoid accidentally disclosing confidential company information.
Google has released the results of a year-long investigation into Gmail account hijacking, which finds that phishing is far riskier for users than data breaches, because of the additional information phishers collect.
Hardly a week goes by without a new data breach being discovered, exposing victims to account hijacking if they used the same username and password on multiple online accounts.
While data breaches are bad news for internet users, Google’s study finds that phishing is a much more dangerous threat to its users in terms of account hijacking.
In partnership with the University of California Berkeley, Google pointed its web crawlers at public hacker forums and paste sites to look for potential credential leaks. They also accessed several private hacker forums.
The blackhat search turned up 1.9 billion credentials exposed by data breaches affecting users of MySpace, Adobe, LinkedIn, Dropbox and several dating sites. The vast majority of the credentials found were being traded on private forums.
Despite the huge numbers, only seven percent of credentials exposed in data breaches match the password currently being used by its billion Gmail users, whereas a quarter of 3.8 million credentials exposed in phishing attacks match the current Google password.
The study finds that victims of phishing are 400 times more likely to have their account hijacked than a random Google user, a figure that falls to 10 times for victims of a data breach. The difference is due to the type of information that so-called phishing kits collect.
Phishing kits contain prepackaged fake login pages for popular and valuable sites, such as Gmail, Yahoo, Hotmail, and online banking. They’re often uploaded to compromised websites, and automatically email captured credentials to the attacker’s account.
Phishing kits enable a higher rate of account hijacking because they capture the same details that Google uses in its risk assessment when users login, such as victim’s geolocation, secret questions, phone numbers, and device identifiers.
The researchers find that 83 percent of 10,000 phishing kits collect victims’ geolocation, while 18 percent collect phone numbers. By comparison, fewer than 0.1 percent of keyloggers collect phone details and secret questions.
The study finds that 41 percent of phishing kit users are from Nigeria based on the geolocation of the last sign-in to a Gmail account used to receive stolen credentials. The next biggest group is US phishing-kit users, who account for 11 percent.
Interestingly, the researchers found that 72 percent of the phishing kits use a Gmail account to send captured credentials to the attacker. By comparison, only 6.8 percent used Yahoo, the second most popular service among phishing-kit operators. The phishing kits were sending 234,887 potentially valid credentials every week.
Gmail users also represent the largest group of phishing victims, accounting for 27 percent of the total in the study. Yahoo phishing victims follow at 12 percent. However, Yahoo and Hotmail users are the largest group of leaked credential victims, both representing 19 percent, followed by Gmail at 12 percent.
They also found most victims of phishing were from the US, whereas most victims of keyloggers were from Brazil.
The researchers note that two-factor authentication can mitigate the threat of phishing, but acknowledge that ease of use is an obstacle to adoption.
Hackers have done the unthinkable by making off with a charity’s funds right before the start of the 2017 Christmas season.
The Utah Association for Intellectual Disabilities (UAID) first noticed something was wrong when it had not received any new email applications for help since 22 October. Typically, the charity gets numerous applications in preparation for the Christmas season. It’s when UAID buys and distributes gifts for between 1,200 and 1,400 adults who are intellectually disabled, who often don’t have family, and who live in assisted living facilities.
Suspicious of the lack of activity, UAID decided to look into the matter. Laura Henderson, who serves as vice president of the charity, says she realized the full extent of the hack shortly thereafter. As she told Good4Utah:
“As we were investigating the email issue, I opened the bank statements and started seeing things that just weren’t right.”
According to their bank records, unauthorized individuals had used multiple apps and services to transfer or steal $5,000 from the charity. They also took over its PayPal account, opened new accounts, and seized control of its website and email. Even when Henderson and her staff attempted to reset the passwords for those compromised services, the hackers regained control in no time.
UAID co-founder Katherine Scott can’t believe someone would take from a charity that provides for individuals who mostly don’t receive anything else at Christmas. In her mind, the worst part is the seizure of the charity’s email. Without access, she can’t determine who needs assistance this year:
“That’s one of the things that’s making us real sad this year is we don’t know who needs help.”
It’s unclear how the hackers first struck UAID or what security measures the charity had in place at the time of attack.
Overall, charities can do more to ensure the resilience of their services. A 2016 survey of non-profit organizations conducted by US accounting firm CohnReznick found that nearly half of respondents had not performed a security risk assessment in the past year. Two-thirds also said they had no plans to increase their spending on digital security.
Ken Montenegro, IT director at advocacy group Asian Americans Advancing Justice, tells the Financial Times that’s not a good thing:
“That puts us in a precarious position because we’re not used to spending on something like a patch management tool that keeps our software up to date.”
Organizations of all sizes need to protect themselves against digital attackers by patching their systems. Tripwire’s solution can help safeguard your organization’s financial accounts and critical services.
In the meantime, UAID is asking for donations of money and clothes so that it can still serve people this holiday season. Anyone wishing to donate should call its main telephone number: 385-887-4145.
Source: National Cyber Security – Produced By Gregory Evans
US federal prosecutors in Minnesota have charged a 46-year-old man with hiring a cyberhitman – well, technically, three hacking services – to launch a year-long campaign of distributed denial of service (DDoS) attacks on his former employer. Prosecutors say that John Kelsey Gammell, 46, contacted seven […]
Cyber crooks are taking advantage of a recently discovered vulnerability in Microsoft Office to hide malicious code in Word documents, the software giant has warned.
Furthermore, the flaw is being taken advantage of by a Russia-linked hacking group called APT28, which is exploiting a weakness in the Dynamic Data Exchange (DDE) component of Office.
According to the researchers, the hackers have been exploiting the flaw for around a month.
DDE is responsible for transporting data and messages between applications. The exploit affects Outlook email, Word documents and Excel spreadsheets.
The hackers, also known collectively as Fancy Bear and linked with the Russian government, have benefited from the protocol because abusing it requires no macros, so users are never prompted to enable them. However, pop-ups asking users to update files may sometimes appear.
Security firm McAfee claimed that the hacking group has been taking advantage of the recent New York terror attack to propagate its malicious code, inserting malware into a document talking about the incident.
“McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research,” it claimed.
“This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system, regardless whether macros are enabled.
“APT28, also known as Fancy Bear, has recently focused on using different themes. In this case it capitalised on the recent terrorist attack in New York City.
“The document itself is blank. Once opened, the document contacts a control server to drop the first stage of the malware, Seduploader, onto a victim’s system.”
Microsoft has since released a specialist advisory detailing the vulnerability and how it affects users. It is now working on a patch, but the Advisory effectively serves notice to other hacking groups of a glaring flaw in Office that others will now seek to exploit.
“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email,” it said.
“The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.
“Microsoft strongly encourages all users of Microsoft Office to review the security-related feature control keys and to enable them. Setting the registry keys described in the following sections disables automatic update of data from linked fields.”
With hackers hitting everyone from Equifax to HBO, you’d imagine something more advanced than lava lamps is protecting your information—but you’d be wrong.
With high-profile hackers stealing headlines, credit card numbers, and Game of Thrones scripts in the last six months, there’s no doubt been very important meetings called across the world to figure out how to keep hackers at bay.
So, what ingenious, impenetrable systems are keeping the world safe?
The folks at Cloudflare, which handles encryption for around 10 percent of the internet’s total traffic, have to say “lava lamps” with a straight face.
Well, to be fair, that’s actually 100 lava lamps, a swinging pendulum in London, and a chunk of radioactive material in Singapore.
It might sound like little more than a slightly more complex version of Mouse Trap, but together this weird assortment of junk keeps Cloudflare’s traffic encrypted through the magical, mathematical concepts of randomness and unpredictability. Also, Linux is involved.
It’s interesting to see how encryption and chaos theory overlap—the pendulum mentioned in the video is probably similar to a double pendulum, which is a classic example of chaos theory (you probably learned about that in Jurassic Park).
A double pendulum is very sensitive to “initial conditions,” or the position it starts in, to the point that a tiny difference between two starting points can yield wildly different swing patterns. This unpredictability to outside observers makes it a good source of randomness, and therefore a basis for encryption that is extremely difficult to break.
Still, lava lamps give Cloudflare way more style points.
We like to imagine the Chinese scientists who launched the world’s first quantum encryption satellite covertly including a lava lamp in their next satellite, just for that extra layer of security. Groovy, man.