Krebs

now browsing by tag

 
 

#nationalcybersecuritymonth | The Web’s Bot Containment Unit Needs Your Help — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.

Image: Ghostbusters.

Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.

Some of these interventions involving ShadowServer have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.

https://krebsonsecurity.com/

Image: Shadowserver.org

Sinkholing allows researchers to assume control over a malware network’s domains, while redirecting any traffic flowing to those systems to a server the researchers control. As long as good guys control the sinkholed domains, none of the infected computers can receive instructions about how to harm themselves or others online.

And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

But very recently, Shadowserver got the news that the company which has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., opted to stop providing that support.

Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.

“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”

To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.

“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control ​by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.

The Shadowserver Foundation currently serves 107 National computer emergency response teams (CERTs) in 136 countries, more than 4,600 vetted network owners and over 90% of the Internet, primarily by giving them free daily network reports.

“These reports notify our constituents ​about millions of misconfigured, compromised, infected or abusable devices for remediation every day,” Shadowserver explained.

The group is exploring several options for self-funding, but Shadowserver Director Richard Perlotto says the organization will likely depend on a tiered “alliance” funding model, where multiple entities provide financial support.

“Many national CERTs have been getting our data for free for years, but most of these organizations have no money and we never charged them because Cisco paid the bill,” Perlotto said. “The problem for Shadowserver is we don’t blog about our accomplishments very frequently and we operate pretty quietly. But now that we need to do funding it’s a different story.”

Perlotto said while Shadowserver’s data is extremely valuable, the organization took a stance long ago that it would never sell victim data.

“This does not mean that we are anti-commercial sector activities – we definitely believe that there are huge opportunities for innovation, for product development, and to sell cyber security services,” he said. “Shadowserver does not seek to compete with commercial vendors, or disrupt their business models. But we do fundamentally believe that no-one should have to pay to find out that they have been a victim of cybercrime.”

Most immediately, Shadowserver needs to raise approximately $400,000 by the end of this month to manage the migration of its 1,300+ servers out of Cisco’s California data center into a new facility.

Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.

Update 10:46 a.m., ET: Added comment from Cisco.



Tags: Cisco Systems, Richard Perlotto, Shadowserver Foundation

Source link

The post #nationalcybersecuritymonth | The Web’s Bot Containment Unit Needs Your Help — Krebs on Security appeared first on National Cyber Security.

View full post on National Cyber Security

Microsoft Patch Tuesday, February 2020 Edition — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans

Microsoft today released updates to plug nearly 100 security holes in various versions of its Windows operating system and related software, including a zero-day vulnerability in Internet Explorer (IE) that is actively being exploited. Also, Adobe has issued a bevy of security updates for its various products, including Flash Player and Adobe Reader/Acrobat.

A dozen of the vulnerabilities Microsoft patched today are rated “critical,” meaning malware or miscreants could exploit them remotely to gain complete control over an affected system with little to no help from the user.

Last month, Microsoft released an advisory warning that attackers were exploiting a previously unknown flaw in IE. That vulnerability, assigned as CVE-2020-0674, has been patched with this month’s release. It could be used to install malware just by getting a user to browse to a malicious or hacked Web site.

Microsoft once again fixed a critical flaw in the way Windows handles shortcut (.lnk) files (CVE-2020-0729) that affects Windows 8 and 10 systems, as well as Windows Server 2008-2012. Allan Liska, intelligence analyst at Recorded Future, says Microsoft considers exploitation of the vulnerability unlikely, but that a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September.

Another flaw fixed this month in Microsoft Exchange 2010 through 2019 may merit special attention. The bug could allow attackers to exploit the Exchange Server and execute arbitrary code just by sending a specially crafted email. This vulnerability (CVE-2020-0688) is rated “important” rather than “critical,” but Liska says it seems potentially dangerous, as Microsoft identifies this as a vulnerability that is likely to be exploited.

In addition, Redmond addressed a critical issue (CVE-2020-0618) in the way Microsoft SQL Server versions 2012-2016 handle page requests.

After a several-month respite from patches for its Flash Player browser plug-in, Adobe has once again blessed us with a security update for this program (fixes one critical flaw). Thankfully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year.

Other Adobe products for which the company shipped updates today include Experience Manager, Digital Editions, Framemaker and Acrobat/Reader (17 flaws). Security experts at Qualys note that on January 28th, Adobe also issued an out-of-band patch for Magento, labeled as Priority 2.

“While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed,” said Qualys’s Jimmy Graham.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.



Tags: Alan Liska, CVE-2019-1280, CVE-2020-0618, CVE-2020-0674, CVE-2020-0688, Jimmy Graham, Microsoft Patch Tuesday February 2020, Qualys, Recorded Future

The source of this story comes from click here!

The post Microsoft Patch Tuesday, February 2020 Edition — Krebs on Security appeared first on National Cyber Security.

View full post on National Cyber Security

U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans

The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

The nine-count indictment names Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) as members of the PLA’s 54th Research Institute, a component of the Chinese military. They are each charged with three counts of conspiracy to commit computer fraud, economic espionage and wire fraud.

The government says the men disguised their hacking activity by routing attack traffic through 34 servers located in nearly 20 countries, using encrypted communications channels within Equifax’s network to blend in with normal network activity, and deleting log files daily to remove evidence of their meanderings through the company’s systems.

U.S. Attorney General Bill Barr said at a press conference today that the Justice Department doesn’t normally charge members of another country’s military with crimes (this is only the second time the agency has indicted Chinese military hackers). But in a carefully worded statement that seemed designed to deflect any criticism of past offensive cyber actions by the U.S. military against foreign targets, Barr said the DOJ did so in this case because the accused “indiscriminately” targeted American civilians on a massive scale.

“The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decision makers have access to timely, accurate and insightful information,” Barr said. “But we collect information only for legitimate national security purposes. We don’t indiscriminately violate the privacy of ordinary citizens.”

FBI Deputy Director David Bowdich sought to address the criticism about the wisdom of indicting Chinese military officers for attacking U.S. commercial and government interests. Some security experts have charged that such indictments could both lessen the charges’ impact and leave American officials open to parallel criminal allegations from Chinese authorities.

“Some might wonder what good it does when these hackers are seemingly beyond our reach,” Bowdich said. “We answer this question all the time. We can’t take them into custody, try them in a court of law and lock them up. Not today, anyway. But one day these criminals will slip up, and when they do we’ll be there. We in law enforcement will not let hackers off the hook just because they’re halfway around the world.”

The attorney general said the attack on Equifax was just the latest in a long string of cyber espionage attacks that sought trade secrets and sensitive data from a broad range of industries, and including managed service providers and their clients worldwide, as well as U.S. companies in the nuclear power, metals and solar products industries.

“Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret thefts cases in recent years involved some connection with China,” he said.

The indictments come on the heels of a conference held by US government officials this week that detailed the breadth of hacking attacks involving the theft of intellectual property by Chinese entities.

“The FBI has about a thousand investigations involving China’s attempted theft of U.S.-based technology in all 56 of our field offices and spanning just about every industry and sector,” FBI Director Christopher Wray reportedly told attendees at the gathering in Washington, D.C., dubbed the “China Initiative Conference.”

At a time when increasingly combative trade relations with China combined with public fears over the ongoing Coronavirus flu outbreak are stirring Sinophobia in some pockets of the U.S. and other countries, Bowdich was quick to clarify that the DOJ’s beef was with the Chinese government, not its citizenry.

“Our concern is not with the Chinese people or with the Chinese American,” he said. “It is with the Chinese government and the Chinese Communist Party. Confronting this threat directly doesn’t mean we should not do business with China, host Chinese students, welcome Chinese visitors or co-exist with China as a country on the world stage. What it does mean is when China violates our criminal laws and international norms, we will hold them accountable for it.”

A copy of the indictment is available here.

ANALYSIS

DOJ officials praised Equifax for their “close collaboration” in sharing data that helped investigators piece together this whodunnit. Attorney General Barr noted that the accused not only stole personal and in some cases financial data on Americans, they also stole Equifax’s trade secrets, which he said were “embodied by the compiled data and complex database designs used to store personal information.”

While the DOJ’s announcement today portrays Equifax in a somewhat sympathetic light, it’s important to remember that Equifax repeatedly has proven itself an extremely poor steward of the highly sensitive information that it holds on most Americans.

Equifax’s actions immediately before and after its breach disclosure on Sept 7, 2017 revealed a company so inept at managing its public response that one couldn’t help but wonder how it might have handled its internal affairs and security. Indeed, Equifax and its leadership careened from one feckless blunder to the next in a series of debacles that KrebsOnSecurity described at the time as a complete “dumpster fire” of a breach response.

For starters, the Web site that Equifax set up to let consumers check if they were affected by the breach consistently gave conflicting answers, and was initially flagged by some Web browsers as a potential phishing site.

Compounding the confusion, on Sept. 19, 2017, Equifax’s Twitter account told people looking for information about the breach to visit the wrong Web site, which also was blocked by multiple browsers as a phishing site.

https://krebsonsecurity.com/

And two weeks after its breach disclosure, Equifax began notifying consumers of their eligibility to enroll in free credit monitoring — but the messages did not come from Equifax’s domain and were in many other ways indistinguishable from a phishing attempt.

It soon emerged the intruders had gained access to Equifax’s systems by attacking a software vulnerability in an Internet-facing server that had been left unpatched for four months after security experts warned that the flaw was being broadly exploited. We also learned that the server in question was tied to an online dispute portal at Equifax, which the intruders quickly seeded with tools that allowed them to maintain access to the credit bureau’s systems.

This is especially notable because on Sept. 12, 2017 — just five days after Equifax went public with its breach — KrebsOnSecurity broke the news that the administrative account for a separate Equifax dispute resolution portal catering to consumers in Argentina was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

https://krebsonsecurity.com/

A partial list of active and inactive Equifax employees in Argentina. This page also let anyone add or remove users at will, or modify existing user accounts.

Perhaps we all should have seen this megabreach coming. In May 2017, KrebsOnSecurity detailed how countless employees at many major U.S. companies suffered tax refund fraud with the IRS thanks to a laughably insecure portal at Equifax’s TALX payroll division, which provides online payroll, HR and tax services to thousands of U.S. firms.

https://krebsonsecurity.com/

Equifax’s TALX — now called Equifax Workforce Solutions — aided tax thieves by relying on outdated and insufficient consumer authentication methods.

In October 2017, KrebsOnSecurity showed how easy it was to learn the complete salary history of a large portion of Americans simply by knowing someone’s Social Security number and date of birth, thanks to yet another Equifax portal.

Around that same time, we also learned that at least two Equifax executives sought to profit from the disaster through insider trading just days prior to the breach announcement. Jun Ying, Equifax’s former chief information officer, dumped all of his stock in the company in late August 2017, realizing a gain of $480,000 and avoiding a loss of more than $117,000 when news of the breach dinged Equifax’s stock price.

Sudhakar Reddy Bonthu, a former manager at Equifax who was contracted to help the company with its breach response, bought 86 “put” options in Equifax stock on Sept. 1, 2017 that allowed him to profit when the company’s share price dropped. Bonthu was later sentenced to eight months of home confinement; Ying got four months in prison and one year of supervised release. Both were fined and/or ordered to pay back their ill-gotten gains.

While Equifax’s stock price took a steep hit in the months following its breach disclosure, shares in the company [NYSE:EFX] gained a whopping 50.5% in 2019, according to data from S&P Global Market Intelligence.

KrebsOnSecurity has long maintained that the 2017 breach at Equifax was not the work of financially-motivated identity thieves, as there has been exactly zero evidence to date that anything close to the size of the data cache stolen from that incident has shown up for sale in the cybercrime underground.

However, readers should understand that there are countless other companies with access to SSN, DOB and other information crooks need to apply for credit in your name that get hacked all the time, and that this data on a great many Americans is already for sale across various cybercrime bazaars.

Readers also should know that while identity theft protection services of the kind offered by Equifax and other companies may alert you if crooks open a new line of credit in your name, these services generally do nothing to stop that identity theft from taking place. ID theft protection services are most useful in helping people recover from such crimes.

As such, KrebsOnSecurity continues to encourage readers to place a freeze on their credit files with Equifax and the other major credit bureaus. This process puts you in control over who gets to grant credit in your name. Placing a freeze is now free for all Americans and their dependents. For more information on how to do that and what to expect from a freeze, please see this primer.



Tags: Coronavirus, Equifax breach, FBI Deputy Director David Bowdich, FBI Director Christopher Wray, Jun Ying, Liu Lei, Sudhakar Reddy Bonthu, U.S. Attorney General Bill Barr, U.S. Justice Department, Wang Qian, Wu Zhiyong, Xu Ke

The source of this story comes from click here!

The post U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack — Krebs on Security appeared first on National Cyber Security.

View full post on National Cyber Security

Dangerous Domain Corp.com Goes Up for Sale — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans

As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.

Now, facing 70 and seeking to simplify his estate, O’Connor is finally selling corp.com. The asking price — $1.7 million — is hardly outlandish for a 4-letter domain with such strong commercial appeal. O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.

One reason O’Connor hopes Microsoft will buy it is that by virtue of the unique way Windows handles resolving domain names on a local network, virtually all of the computers trying to share sensitive data with corp.com are somewhat confused Windows PCs. More importantly, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\drive1” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.

INSTANT CORPORATE BOTNET, ANYONE?

That’s according to Jeff Schmidt, a security expert who conducted a lengthy study on DNS namespace collisions funded in part by grants from the U.S. Department of Homeland Security. As part of that analysis, Schmidt convinced O’Connor to hold off selling corp.com so he and others could better understand and document the volume and types of traffic flowing to it each day.

During an eight month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving — including attempts to log in to internal corporate networks and access specific file shares on those networks.

For a brief period during that testing, Schmidt’s company JAS Global Advisors accepted connections at corp.com that mimicked the way local Windows networks handle logins and file-sharing attempts.

“It was terrifying,” Schmidt said. “We discontinued the experiment after 15 minutes and destroyed the data. A well-known offensive tester that consulted with JAS on this remarked that during the experiment it was ‘raining credentials’ and that he’d never seen anything like it.”

Likewise, JAS temporarily configured corp.com to accept incoming email.

“After about an hour we received in excess of 12 million emails and discontinued the experiment,” Schmidt said. “While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.”

Schmidt said he and others concluded that whoever ends up controlling corp.com could have an instant botnet of well-connected enterprise machines.

“Hundreds of thousands of machines directly exploitable and countless more exploitable via lateral movement once in the enterprise,” he said. “Want an instant foothold into about 30 of the world’s largest companies according to the Forbes Global 2000? Control corp.com.”

THE EARLY ADVENTURES OF CORP.COM

Schmidt’s findings closely mirror what O’Connor discovered in the few years corp.com was live on the Internet after he initially registered it back in 1994. O’Connor said early versions of a now-defunct Web site building tool called Microsoft FrontPage suggested corporation.com (another domain registered early on by O’Connor) as an example domain in its setup wizard.

That experience, portions of which are still indexed by the indispensable Internet Archive, saw O’Connor briefly redirecting queries for the domain to the Web site of a local adult sex toy shop as a joke. He soon got angry emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.

https://krebsonsecurity.com/

Archive.org’s index of corp.com from 1997, when its owner Mike O’Connor briefly enabled a Web site mainly to shame Microsoft for the default settings of its software.

O’Connor said he also briefly enabled an email server on corp.com, mainly out of morbid curiosity to see what would happen next.

“Right away I started getting sensitive emails, including pre-releases of corporate financial filings with The U.S. Securities and Exchange Commission, human resources reports and all kinds of scary things,” O’Connor recalled in an interview with KrebsOnSecurity. “For a while, I would try to correspond back to corporations that were making these mistakes, but most of them didn’t know what to do with that. So I finally just turned it off.”

TOXIC WASTE CLEANUP IS HARD

Microsoft declined to answer specific questions in response to Schmidt’s findings on the wayward corp.com traffic. But a spokesperson for the company shared a written statement acknowledging that “we sometimes reference ‘corp’ as a label in our naming documentation.”

“We recommend customers own second level domains to prevent being routed to the internet,” the statement reads, linking to this Microsoft Technet article on best practices for setting up domains in Active Directory.

Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.

But both O’Connor and Schmidt say hardly any vulnerable organizations have deployed these fixes for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time. Second, according to Microsoft applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations.

Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low, O’Connor said.

“The problem is that when you read the instructions for doing the repair, you realize that what they’re saying is, ‘Okay Megacorp, in order to apply this patch and for everything to work right, you have to take down all of your Active Directory services network-wide, and when you bring them back up after you applied the patch, a lot of your servers may not work properly’,” O’Connor said.

Curiously, Schmidt shared slides from a report submitted to a working group on namespace collisions suggesting that at least some of the queries corp.com received while he was monitoring it may have come from Microsoft’s own internal networks.

https://krebsonsecurity.com/

Image: JAS Global Advisors

“The reason I believe this is Microsoft’s issue to solve is that someone that followed Microsoft’s recommendations when establishing an active directory several years back now has a problem,” Schmidt said.

“Even if all patches are applied and updated to Windows 10,” he continued. “And the problem will persist while there are active directories named ‘corp’ – which is forever. More practically, if corp.com falls into bad hands, the impact will be on Microsoft enterprise clients – and at large scale – paying, Microsoft clients they should protect.”

Asked why he didn’t just give corp.com to Microsoft as an altruistic gesture, O’Connor said the software giant ought to be accountable for its products and mistakes.

“It seems to me that Microsoft should stand up and shoulder the burden of the mistake they made,” he said. “But they’ve shown no real interest in doing that, and so I’ve shown no interest in giving it to them. I don’t really need the money. I’m basically auctioning off a chemical waste dump because I don’t want to pass it on to my kids and burden them with it. My frustration here is the good guys don’t care and the bad guys probably don’t know about it. But I expect the bad guys would like it.”

Further reading:

Mitigating the Risk of DNS Namespace Collisions (PDF)

DEFCON 21 – DNS May Be Hazardous to your Health (Robert Stucke)

Mitigating the Risk of Name Collision-Based Man-in-the-Middle Attacks (PDF)



Tags: Active Directory, corp.com, DNS name devolution, JAS Global Advisors, Jeff Schmidt, Microsoft Corp., Microsoft Windows, Mike O’Connor, namespace collision, U.S. Department of Homeland Security

The source of this story comes from click here!

The post Dangerous Domain Corp.com Goes Up for Sale — Krebs on Security appeared first on National Cyber Security.

View full post on National Cyber Security

When Your Used Car is a Little Too ‘Mobile’ — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans

Many modern vehicles let owners use the Internet or a mobile device to control the car’s locks, track location and performance data, and start the engine. But who exactly owns that control is not always clear when these smart cars are sold or leased anew. Here’s the story of one former electric vehicle owner who discovered he could still gain remote, online access to his old automobile years after his lease ended.

Mathew Marulla began leasing a Ford Focus electric vehicle in 2013, but turned the car back in to Ford at the end of his lease in 2016. So Marulla was surprised when he recently received an email from Ford.com stating that the clock in his car was set incorrectly.

Out of curiosity, Marulla decided to check if his old MyFordMobile.com credentials from 2016 still worked. They did, and Marulla was presented with an online dashboard showing the current location of his old ride and its mileage statistics.

The dashboard also allowed him to remotely start the vehicle, as well as lock and unlock its doors.

https://krebsonsecurity.com/

Mathew Marulla turned in his leased Ford EV to Ford 4 years ago, so he is no longer the legal owner of the car. But he can still remotely track its location and usage, lock and unlock it, and start the engine.

“It was a three-year lease from Ford and I turned it in to Ford four years ago, so Ford definitely knows I am no longer the owner,” Marulla said, noting that the dashboard also included historic records showing where the Focus had been driven in days prior.

“I can track its movements, see where it plugs in,” he said. “Now I know where the current owner likely lives, and if I watch it tomorrow I can probably figure out where he works. I have not been the owner of this vehicle for four years, Ford knows this, yet they took no action whatsoever to remove me as the owner in this application.”

Asked to comment on Marulla’s experience, a spokesperson for Ford said all Ford dealerships are supposed to perform a “master reset” as part of their used car checklist prior to the resale of a vehicle. A master reset (carried out via the vehicle’s SYNC infotainment screen by a customer or dealer) disassociates the vehicle from all current accounts.

“A master reset cleans phone data and removes previous Ford Pass and My Ford Mobile connections,” the company said in a statement released to KrebsOnSecurity. “Once complete, a previous owner will no longer be able to connect to the vehicle when they log in to My Ford Mobile or Ford Pass.”

As Marulla’s experience shows, if you’re in the market for a used car you should probably check whether it’s possible to reset the previous owner’s control and/or information before purchasing it, or at least ask the dealership to help you ensure this gets done once the purchase is made.

And if you’re thinking of selling your car, it’s a good idea to clear your personal data from the vehicle first. As the U.S. Federal Trade Commission advises, some cars have a factory reset option that will return the settings and data to their original state.

“But even after a factory reset, you may still have work to do,” reads an FTC consumer privacy notice from 2018. “For example, your old car may still be connected to subscription services like satellite radio, mobile Wi-Fi hotspots, and data services. You need to cancel these services or have them transferred to your new vehicle.”

By the way, this issue of de-provisioning is something of a sticky wicket, and it potentially extends well beyond vehicles to a number of other “smart” devices that end up being resold or refurbished. This is doubly so for Internet-connected/capable devices whose design may give the previous owner a modicum of access to or control over the device in question regardless of what steps the new owner takes to limit such access (particularly some types of security cameras).



Tags: Focus EV, Ford, Mathew Marulla, MyFordMobile.com, U.S. Federal Trade Commission

The source of this story comes from click here!

The post When Your Used Car is a Little Too ‘Mobile’ — Krebs on Security appeared first on National Cyber Security.

View full post on National Cyber Security

#hacking | Russian Cybercrime Boss Burkov Pleads Guilty — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans Aleksei Burkov, an ultra-connected Russian hacker once described as “an asset of supreme importance” to Moscow, has pleaded guilty in a U.S. court to running a site that sold stolen payment card data and to administering a highly secretive crime forum that counted among its members […] View full post on AmIHackerProof.com

Phishing for Apples, Bobbing for Links — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud […] View full post on AmIHackerProof.com

#deepweb | Alleged Member of Neo-Nazi Swatting Group Charged — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick […] View full post on AmIHackerProof.com