Official website of NIC-CERT(Computer Emergency Response Team)

14th-April-2018

NIC-CERT eNewsletter

Microsoft Outlook Bug Allowed Hackers To Use .Rtf Files To Steal Windows Passwords

A vulnerability in Microsoft Outlook allowed hackers to steal a user’s Windows password just by having the target preview an email with a Rich Text Format (RTF) attachment that contained a remotely hosted OLE object.

The bug was patched by Microsoft as part of its April Patch Tuesday fixes, over a year after it was first identified.“By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim’s IP address, domain name, user name, host name, and password hash,” according to the CERT description of the vulnerability, found by Will Dormann, a researcher with the CERT Coordination Center.

The vulnerability (CVE-2018-0950) is tied to how Windows Object Linking and Embedding (OLE) Automation works in the context of .RTF files. OLE is a Windows protocol that enables applications to share data.

Reference:https://threatpost.com/outlook-bug-allowed-hackers-to-use-rtf-files-to-steal-windows-passwords/131169/

 

      Leading telecom companies launch global cyber security alliance

 

The Global Telco Security Alliance has been launched in response to growing cyber security concerns and the requirement to protect valuable assets from ransom and malware attacks in a time where security has become increasingly complex. 

The Alliance will be one of the largest global partnerships with more than 1.2 billion customers in over 50 countries across Asia Pacific, Europe, the Middle East and the Americas.The group will aim to help support and offer companies a comprehensive portfolio of cyber security services drawing on their combined resources and capabilities. 

Members of the Alliance hope to achieve operational synergies and economies of scale that they say will ultimately lower costs for their customers.The group’s founding members operate 22 security operations centres (SOC) with more than 6,000 cyber security experts employed.

Reference:https://www.ibc.org/tech-advances/leading-telcos-launch-cyber-security-alliance/2768.article

Android security: Your phone's patch level says you're up to date, but that may be a lie

Google has spent the past two years building momentum behind its Android monthly patch level system, but a study has found critical patches that should be on devices displaying a patch level aren't actually present. The 'hidden patch gap' in Android devices was discovered by researchers Karsten Nohl and Jakob Lell of German security firm Security Research Labs.

The pair are presenting the results of their two-year analysis of 1,200 Android phones today at the Hack in the Box conference in Amsterdam. The results, shared with Wired, show that some popular Android devices are missing as many as a dozen patches that users would expect to be there, based on the patch level string displayed in settings in date format.

Google introduced the monthly Android updates in 2016, shortly after the Android-wide Stagefright bugs emerged. Ever since, it has been pushing the industry to adopt the regular updates as part of an effort to clean up Android's image and improve security. Google usually releases two patch levels each month: one just for Android bugs, and another for bugs in kernel and chipset drivers.

Google reported in its 2017 Android security review that the system had resulted in 30 percent more devices receiving security patches compared with 2016.

Reference:https://www.zdnet.com/article/android-security-your-phones-patch-level-says-youre-up-to-date-but-that-may-be-a-lie/

 

Privacy Advocates Blast Facebook after Data Scraping Scandal

Privacy advocates are up in arms after CEO Mark Zuckerberg said this week a Facebook reverse search tool may have compromised the data of the social network’s two billion users.

The feature in question was designed to enable users to enter a Facebook user’s phone numbers or email addresses into the social network’s Search tool to find friends. But new revelations from Facebook indicate the feature was also used by malicious actors to scrape the data of millions of Facebook users. The company has since disabled the feature, said Zuckerberg on Wednesday, speaking at a press conference about the company’s data privacy policies.

“Many Facebook users are naturally upset about this situation, but in the end, the moral of the story here is that people need to be more considerate about what data they are sharing and with whom,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team. This is one of those situations that should be an eye opener to people on the importance of reading before clicking ‘OK’.

Reference:https://threatpost.com/privacy-advocates-blast-facebook-after-data-scraping-scandal/131000/

Uber &Federal Trade Commission agree to expanded settlement after second breach

Uber and Federal Trade Commission agree to expanded settlement after second breach.

Uber Technologies Inc. has agreed to broaden its proposed settlement with the Federal Trade Commission (FTC) over its deceptive privacy and data security practices after the commission discovered that the car-sharing company had failed to disclose a major 2016 breach.The agency had already announced the settlement last August over a previous incident in 2014 when it discovered that Uber had been less than forthcoming about a second breach.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach,” Acting FTC Chairman Maureen K. Ohlhausen said in a release.

Uber compensated a 20-year-old Florida hacker $100,000 to destroy data taken in the hack, which exposed the personal data of 57 million drivers and passengers. The payment was made through the company's bug bounty program.In addition to compelling Uber to in addition to compelling Uber to disclose certain future incidents involving consumer data, the new provisions in the proposed settlement will require Uber to disclose any future such events, provide the commission with all reports from third-party audits of the company's privacy program and compel it to retain specified records pertaining to bug bounty reports that detail vulnerabilities related to unauthorized access, actual or potential, of consumer data.

 

Reference:https://www.scmagazine.com/uber-ftc-agree-to-expanded-settlement-after-second-breach/article/758248/

 

How Karnataka Police is being trained to tackle cybercrime

Personnel from nearly 1,000 police stations in Karnataka will be trained to handle cybercrime as the state plans one cybercrime station per district by 2019. “We are starting from zero,” Praveen Sood, director-general of police (CID), who has begun an intensive two-stage training programme on how to deal with hacking, online harassment, credit/debit card fraud, data theft etc, for ranks till the level of constable. He maintains that training personnel remains the challenge when it comes to dealing with digital crime. 

Karnataka was the first to establish a dedicated police station to handle digital crime 15 years ago. Other states, including Uttar Pradesh and Maharashtra, have stepped up police training, including seeking out experts from industry. 

“We are now setting up a predictive unit, which will analyse data points from across the web and try to predict the areas that need more vigilance and crimes that are more common,” said Balsing Rajput, superintendent of police, cyber, Maharashtra. The ministry of electronics and information technology (MeitY) has collaborated with the Data Security Council of India (DSCI) to set up cyber forensic labs in all metro cities for training and building awareness of cybercrime investigation. 

Reference:https://economictimes.indiatimes.com/news/politics-and-nation/karnataka-aims-to-have-one-cyber-crime-post-per-district-by-2019/articleshow/63653447.cms

 

HTTP injectors used to steal mobile internet connectivity

Flashpoint researchers have come across several Telegram messaging channels being used to exchange HTTP injectors which can be used to obtain free mobile internet access.

The research firm noticed a spike in this activity conducted by threat actors in Brazil, Columbia and other Latin American countries. Those interested in obtaining or exchanging an HTTP injector are using encrypted Telegram channels as their marketplace with one such Portuguese channel boasting more than 90,000 members and the injectors being offered here target telcos located in Latin America.

An HTTP injector works by connecting to an SSH/Proxy with a customer header. Flashpoint said in the cases it has observed the connection is made using a device with a zero remaining balance on its SIM card. Then using the device's mobile browser they connect to a data-free website to avoid connecting to a captive portal where payment would be required. The next is to establish a connection using the SSH proxies, thus obtaining free internet access.

“One possible reason cybercriminals share their HTTP injector files so freely is to generate a larger footprint on the compromised infrastructure being utilized as a proxy by the HTTP injectors, thereby masking their own illicit activities,” the report said.      

Reference:https://www.scmagazine.com/http-injectors-used-to-steal-mobile-internet-connectivity/article/757706/

 

Best Practices for Securing Devices by Making Simple Changes

What can the user do to secure the devices so the user does such as enabling a password or changing the default password to something only you know.Below is a list of these basic recommendations and some effective ones that may be less obvious choices.

Network access or Internet access may be enabled on a device by default. Disable network/Internet access for devices that do not need it.

Update the device operating system or firmware. The default operating software installed on a device may be out of date and/or contain many vulnerabilities. Updating or patching your device’s software will reduce the chances of a successful attack.

Wireless access points (APs) are oftentimes configured to broadcast the SSID, or network name, Consider changing these settings to turn this feature off, which can better secure your WiFi network.

Create two different Wi-Fi networks on your wireless router, if your router supports it. Creating separate WiFi networks, using different SSIDs, allows for the ability to separate smart devices from other networked computers, smart phones and tablets. The goal of the separation is to limit the impact a compromised smart home device will have on the rest of the devices on the network.

Oftentimes, Wireless access points or routers are set up by default to not use encryption and to not require a password. It is always recommended to turn on WPA2 encryption for your wireless networks, and to establish a strong password with our next recommendation in mind.

Change passwords on all network devices, especially from default “admin” accounts, and be sure to use strong passwords of at least 8 characters including uppercase and lowercase letters, special characters, and numbers.

Many mobile devices have no PIN or unlock pattern (where you swipe your finger in a specific pattern on the screen) enabled when sold. Be sure to enable PINs or unlock patterns for all your mobile devices to secure them from unwanted entry by others.

Automatic updates are often disabled by default. Be sure to turn on this setting to ensure your device receives important security updates when they are released.

Many mobile devices support remotely wiping the device if the device is lost or stolen. Be sure to enable the remote wipe functionality in case the device is ever lost or stolen.

Turn off location services if not needed.

Cameras and audio input may be enabled by default on certain devices and applications, giving an attacker access to surveillance. Disable these features if not needed.

Replace unsecure devices with more secure ones.

Reference:http://www.its.ms.gov/Services/CyberTips/2018_4_Newsletter_Securing%20Devices%20by%20Making%20Simple%20Changes.pdf

 

     Tips to avoid becoming a victim of a phishing attack:

Phishing is a type of cyber?attack used to trick individuals into divulging sensitive information via electronic communication by impersonating a trustworthy source. For example, an individual may receive an e?mail or text message informing the individual that their password may have been hacked.

The phishing email or text may then instruct the individual to click on a link to reset their password. In many instances, the link will direct the individual to a website impersonating an organization’s real web site (e.g., bank, government agency, email service, retail site) and ask for the individual's login credentials (username and password).Once entered into the fake website, the third party that initiated the phishing attack will have the individual’s login credentials for that site and can begin other malicious activity such as looking for sensitive information or using the individual’s email contact list to send more phishing attacks.

Alternatively, rather than capture login credentials, the link on the phishing message may download malicious software on to the individual’s computer. Phishing messages could also include attachments, such as a spreadsheet or document, containing malicious software that executes when such attachments are opened. Phishing is one of the primary methods used to distribute malicious software, including ransomware. Tips for avoiding the phishing attack are as follows:

Be wary of unsolicited third party messages seeking information. If you are suspicious of an unsolicited message, call the business or person that sent the message to verify that they sent it and that the request is legitimate.

Be cautious when responding to messages sent by third parties. Contact information listed in phishing messages such as email addresses, web sites, and phone numbers could redirect you to the malicious party that sent the phishing message. When verifying the contents of a message, use known good contact information or, for a business, the contact information provided on its web site.

Be wary of clicking on links or downloading attachments from unsolicited messages. Phishing messages could include links directing people to malicious web sites or attachments that execute malicious software when opened.

Be wary of even official looking messages and links. Phishing messages may direct you to fake web sites mimicking real websites using web site names that appear to be official, but which may contain intentional typos to trick individuals.

For example, a phishing attack may direct someone to a fake website that uses 1’s (ones) instead of l’s (i.e. a11phishes vs. allphishes).

Use multi?factor authentication. Multi?factor authentication reduces the possibility that someone can hack into your account using only your password. OCR’s November 2016 cybersecurity newsletter included information on types of authentication.

Keep anti?malware software and system patches up to date. If you do fall for a phishing scam, anti?malware software can help prevent infection by a virus or other malicious software. Also, ensuring patches are up to date reduces the possibility that malicious software could exploit known vulnerabilities of your computer’s or mobile device’s operating system and applications.

Back up your data. In the event that malicious software, such as ransomware, does get installed on your computer, you want to make sure you have a current backup of your data. Malicious software that deletes your data or holds it for ransom may not be retrievable. Robust, frequent backups may be the only way to restore data in the event of a successful attack.

Also, be sure to test backups by restoring data from time to time to ensure that the backup strategy you have in place is effective.

Reference:https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-february-2018.pdf

 

         Cybersecurity Report: Cryptojacking Remains an Acute Threat in 2018

Cybercrime ran rampant last year, and the cryptocurrency market was no exception, as evidenced by hacks involving bitcoin ransoms and the pervasive use of cryptojacking. Cryptojacking involves using someone’s CPUs to secretly mine cryptocurrency without that person’s permission. And according to a report by the UK’s National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) entitled The Cyber Threat to UK Business, “cryptojacking will likely become a regular source of revenue for website owners.”

 

The price for a cyberattack is high, both reputationally and financially. And while corporations are ramping up their cybersecurity defenses, the threat of a security breach has not abated. If anything it’s intensified with the rise of cloud technology where sensitive data is stored and also cryptocurrency mining, where cybercriminals in 2017 rode the wave of the rise in the cryptocurrency prices.

 

The report reveals that the perpetrators of cryptojacking are two-pronged, stemming both from hackers and website owners who “used the processing power of visitors’ CPUs to mine cryptocurrency for their own financial gain.” For example, earlier this year a US business decided it was okay to user its visitors’ CPUs to mine Monero if that visitor used an ad-blocker. The website, however, informed its visitors of the plan in order to “recoup lost ad revenue.”Cryptojacking remains a security threat as long as the interest surrounding cryptocurrencies remains “strong,” the report suggests.

Reference:https://www.ccn.com/cybersecurity-report-cryptojacking-remains-an-acute-threat-in-2018/

NIC-CERT Knowledge Management Repository