IT NEWS

Massive increase in XorDDoS Linux malware in last six months

Microsoft says it’s recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD).

MMD believed the Linux Trojan originated in China. Based on a case study in 2015, Akamai strengthened the theory that the malware may be of Asian origin based on its targets.

Microsoft said that XorDDoS continues to home in on Linux-based systems, demonstrating a significant pivot in malware targets. Since Linux is deployed on many IoT (Internet of Things) devices and cloud infrastructures, we are likely to see DDoS (distributed denial-of-service) attacks from botnets that have compromised such devices.

DDoS attacks—where normal Internet traffic to a targeted server, service, or network is overwhelmed with a flood of extra traffic from compromised machines—have become part of a greater attack scheme. Such powerful attacks are no longer conducted just to disrupt. DDoS attacks have become instrumental in successfully distracting organizations and security experts from figuring out threat actors’ end goal: Malware deployment or system infiltration. XorDDoS, in particular, has been used to compromise devices using Secure Shell (SSH) brute force attacks.

XorDDoS is as sophisticated as it gets. The only simple (yet effective) tactic it uses is brute-forcing its way to root access on various Linux architectures.

As Microsoft said in the report:

“Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

[Figure: XorDDos’s attack vector (Source: Microsoft)]

Securing IoT devices

If you have an IoT device at home, know there are ways to secure it. Note that you may need some assistance from the company that built your IoT device if you’re unfamiliar or unsure how to do any of the below.

  • Change your device’s default password to a strong one
  • Limit the number of IP addresses your IoT device connects to
  • Enable over-the-air (OTA) software updates
  • Use a network firewall
  • Use DNS filtering
  • Consider setting up a separate network for your IoT device(s)
  • When you’re not using your IoT device, turn it off.

If you plan to get an IoT device soon, buy from a well-known brand. You’re much more likely to get assistance from your supplier in beefing up your IoT device’s security.

Stay safe!

The post Massive increase in XorDDoS Linux malware in last six months appeared first on Malwarebytes Labs.

Eerie GoodWill ransomware forces victims to publish videos of good deeds on social media

Ransomware does what the name implies: holds your files or network to ransom. Pay the authors, typically in cryptocurrency, and you may get your files back. Refuse, and the files could be lost forever or even leaked to the far corners of the net.

Sometimes creators of ransomware try different things. In this case, a proof of concept called GoodWill ransomware takes the approach of forcing victims to perform seemingly nice tasks instead of paying a ransom.

Hunting for GoodWill

GoodWill ransomware functions like any other, at least in terms of basic functionality. It encrypts the most common file types: videos, documents, photos, databases. Without the decryption key, you won’t be able to recover your locked files.

There’s one key difference, however. The people behind this attack want victims to get out there and do some public good. Perform three good deeds, and you get your files back. That’s right: No cryptocurrency payment, no gift card codes required.

Hoop jumping as kindness

Things quickly become a bit disturbing.

Imagine: you’ve just had your computer locked up with ransomware. You’re told you must perform three acts of kindness to get your files back. The catch: you have to film and upload these good deeds to social media. Is this already beginning to creep you out? Because it should.

To be clear: criminals are asking victims of crime to humiliate themselves on social media to recover things stolen from them.

The three “activities” that victims are asked to do in order to get their files back are as follows:

“Activity 1”

“That we all know Thousands of people die due to sleeping on the roadside in the cold because they do not have clothes to cover their body.
So, your 1st task is to provide new clothes/blankets to needy people of road side and make a video of this event.
Later post this video/photo to your Facebook, Instagram and WhatsApp stories by using photo frame provided by us and encourage other people to help needy people in winters. Take a screen shot of your post and send email to us with valid post link, later our team will verify the whole case and promotes you for the next activity.
It’s Does not costs you high but matters for humanity.”

“Activity 2”

“Thousands of poor children have to sleep hungry in the long cold nights, because those ill-fated people have no luxury to have dinner every night in this cruel world. You cannot feed them food for life, but you can give them 2 moments of happiness!
How!! Hmm, Listen. In the evening, pick any 5 poor children (under 13 years) of your neighborhood and take them to Dominos Pizza Hut or KFC, then allow them to order the food they love to eat and try to make them feel happy. Treat those kids as your younger brothers. Take some Selfies of them with full of smiles and happy faces, Make a beautiful video story on this whole event and again post it on your Facebook and Instagram Stories with photo frame and caption provided by us. Take a screen shot of your posts, snap of restaurant’s bill and send email to us with valid post link, later our team will verify the whole case and promotes you for the next activity.
Help those less fortunate than you, for it is real human existence.”

“Activity 3”

“There are so many people in the world who have suffered the pain of losing their loved ones due to lack of money. Lack of money is the biggest misfortune to get medical treatment at the right time.
Hmm, what’s your duty now! Hmm, Listen again! Visit the nearest hospital in your area and observe the crowd around you inside the hospital premises. You will see that there will be some people who need certain amount of money urgently for their medical treatment, but they are unable to arrange due to any reason. You have to go near them and talk to them that they have been supported by you and they do not need to worry now, Finally Provide them maximum part of required amount. Again, Take some Selfies of them with full of smiles and happy faces,
Record Audio while whole conversation between you and them and send it to us.
Write a beautiful article in your Facebook and Instagram by sharing your wonderful experience to other peoples that how you transform yourself into a kind human being by becoming Victim of a Ransomware called Good Will.”

Once the victim has performed all three tasks, they must send the links and the gang promises to “verify the whole case” and hand over the decryption keys.

No good will for GoodWill

Aside from anything else, this is incredibly invasive of people’s privacy. Do the people in the videos get a say in this? It seems they do not.

This is genuinely one of the most disturbing infection-themed attacks I’ve seen in a long time. Turning people into some sort of game show contestant, complete with performative acts of kindness which are only occurring because of blackmail, flies in the face of their alleged intended goal.

We also have no indication if the authors intend to change their tasks at a later date. Reports mention the file attempts to geolocate victims. Could we see location-themed tasks which account for differences in rules, funding, social norms? Or is it a dice-roll in terms of hoping you’re assigned tasks you’re actually able to complete?

Despite the file name, there’s not a lot to feel good about here. Asking for cryptocurrency payments to release files and hope they’re not leaked is bad. Making people upload videos of themselves performing baffling and potentially dangerous tasks feels even worse.

Malwarebytes detects GoodWill as Ransom.FileCryptor.MSIL.Generic.


We are yet to see anyone being infected with the ransomware, so can only hope this never makes it off the drawing board in any significant capacity.

The post Eerie GoodWill ransomware forces victims to publish videos of good deeds on social media appeared first on Malwarebytes Labs.

Update now! Multiple vulnerabilities patched in Google Chrome

Google has announced an update for the Chrome browser that includes 32 security fixes. The severity rating for one of the patched vulnerabilities is Critical.

The stable channel was promoted to 102.0.5005.61/62/63 for Windows, and 102.0.5005.61 for Mac and Linux.

Critical

Google rates vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This update patches the critical vulnerability listed as CVE-2022-1853: Use after free in Indexed DB.

Use after free (UAF) is a memory-safety vulnerability caused by incorrect handling of dynamically allocated memory during a program’s operation. If a program frees a block of memory but does not clear the pointer to it, that stale (dangling) pointer can later be used to read or write memory that has since been handed out for other data, and an attacker who can influence that data can use the error to manipulate the program.

IndexedDB is a low-level Application Programming Interface (API) for client-side storage of significant amounts of structured data, including files. This API uses indexes to enable high performance searches of this data. While Document Object Model (DOM) Storage is useful for storing smaller amounts of data, IndexedDB provides a solution for storing larger amounts of structured data.

Each IndexedDB database is unique to an origin (typically, this is the site domain or subdomain), meaning it should not be accessible by any other origin.

Google does not disclose details about vulnerabilities until users have had ample opportunity to install the patches, so I could be reading this wrong. But my guess is that an attacker could construct a specially crafted website and take over the visitor’s browser by manipulating the IndexedDB.

Other vulnerabilities

Of the remaining 31 vulnerabilities, Google has rated 12 as High. High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate, other origins.

Another 13 vulnerabilities were rated as Medium. Medium severity bugs allow attackers to read or modify limited amounts of information, or are bugs which are not harmful on their own but potentially harmful when combined with other bugs.

That leaves six vulnerabilities that were rated as Low. Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or a highly limited scope.

How to update

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which uses the same method as outlined below but doesn’t need you to do anything. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.


You should then see the message, “Chrome is up to date”.

Affected systems:

  • Google Chrome for Windows versions prior to 102.0.5005.61/62/63
  • Google Chrome for Mac and Linux versions prior to 102.0.5005.61
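For anyone checking a fleet of Linux machines against the affected-systems list, here is an added example (not Google’s or Malwarebytes’ code) that compares a Chrome version string numerically rather than as text. It assumes the `google-chrome --version` output format and takes the first fixed build from the list above; the version strings it is exercised with are constructed.

```python
"""Check whether an installed Chrome build predates the first fixed release.

Added example, not Google's or Malwarebytes' code. The fixed build comes from
the "Affected systems" list in this post. Version strings are compared as
tuples of integers because, compared as text, "99.0.4844.84" sorts *after*
"102.0.5005.61" and an old build would wrongly look patched.
"""
import re
import subprocess

# First fixed build for Windows, Mac and Linux (Windows also shipped .62/.63).
FIXED_BUILD = (102, 0, 5005, 61)


def parse_version(text):
    """Return the four-part Chrome version found in `text` as a tuple of ints.

    Accepts either a bare version ("101.0.4951.41") or the full banner that
    `google-chrome --version` prints ("Google Chrome 102.0.5005.61").
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def needs_update(version_text, fixed=FIXED_BUILD):
    """True when the build named in `version_text` is older than `fixed`."""
    return parse_version(version_text) < fixed


def installed_chrome_needs_update():
    """Query the local Linux binary (assumed to be on PATH) and compare it."""
    output = subprocess.run(["google-chrome", "--version"],
                            capture_output=True, text=True, check=True).stdout
    return needs_update(output)


if __name__ == "__main__":
    print("update needed" if installed_chrome_needs_update() else "up to date")
```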

Stay safe, everyone!

The post Update now! Multiple vulnerabilities patched in Google Chrome appeared first on Malwarebytes Labs.

General Motors suffers credential stuffing attack

American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack, customer information and reward points were stolen.

The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles to manage their bills, services, and redeem rewards points.

Credential stuffing

Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

The intention of such an attack is not to take over the website or platform, but merely to obtain as many valid user account credentials as possible and use that access to commit fraud, or to sell the valid credentials to other criminals.

To stop a target from just blocking their IP address, an attacker will typically use rotating proxies. A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection.
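A defender-side way to spot the pattern described above, as an added example that is not GM’s or Malwarebytes’ code: the login-log format and the sample lines are constructed for this example, and the thresholds are assumptions to tune per site. It checks both a single address spraying many usernames and the rotating-proxy case, where every address looks harmless on its own and only the window as a whole gives the attack away.

```python
"""Heuristic credential-stuffing detector for web login logs.

Added example, not GM's or Malwarebytes' code. The log format is constructed
for this example: one line per login attempt,
    <ISO-8601 timestamp> ip=<address> user=<name> result=<OK|FAIL>
Two signals from the article are checked per time window:
  * one source address trying many different usernames, and
  * many addresses, each used for only one or two attempts, that together
    produce a burst of distinct usernames with a low success rate (the
    rotating-proxy pattern that defeats simple per-IP blocking).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) for one log line."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, fields["ip"], fields["user"], fields["result"] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), per_ip_users=5,
                    burst_users=20, max_success_rate=0.2):
    """Return a list of (window_start, kind, detail) findings.

    Thresholds are assumed starting points, not values from the article.
    """
    events = sorted(parse_line(line) for line in lines)
    if not events:
        return []
    # Bucket events into fixed windows counted from the first event.
    t0 = events[0][0]
    buckets = defaultdict(list)
    for ev in events:
        idx = int((ev[0] - t0) / window)
        buckets[t0 + idx * window].append(ev)

    findings = []
    for start, evs in sorted(buckets.items()):
        users_by_ip = defaultdict(set)
        attempts_by_ip = defaultdict(int)
        all_users = set()
        successes = 0
        for _, ip, user, ok in evs:
            users_by_ip[ip].add(user)
            attempts_by_ip[ip] += 1
            all_users.add(user)
            successes += ok
        # Signal 1: a single address spraying many accounts.
        for ip, users in users_by_ip.items():
            if len(users) >= per_ip_users:
                findings.append((start, "ip_spray",
                                 f"{ip} tried {len(users)} distinct usernames"))
        # Signal 2: rotating proxies. Judge the window as a whole: many
        # distinct accounts, mostly failing, from addresses that each made
        # only a couple of attempts.
        counts = sorted(attempts_by_ip.values())
        median_per_ip = counts[len(counts) // 2]
        rate = successes / len(evs)
        if (len(all_users) >= burst_users and rate <= max_success_rate
                and median_per_ip <= 2):
            findings.append((start, "rotating_proxy_stuffing",
                             f"{len(all_users)} usernames from "
                             f"{len(users_by_ip)} addresses, "
                             f"success rate {rate:.0%}"))
    return findings


def sample_log():
    """Constructed sample: a normal window, then a stuffing burst."""
    lines = []
    base = datetime(2022, 4, 11, 9, 0, tzinfo=timezone.utc)
    # Normal traffic: three customers logging in from their own addresses.
    for i, (ip, user) in enumerate([("198.51.100.10", "alice"),
                                    ("198.51.100.11", "bob"),
                                    ("198.51.100.12", "carol")]):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} ip={ip} user={user} result=OK")
    # An hour later: 30 different accounts, each tried once from a fresh
    # proxy address; two reused passwords still work.
    burst = base + timedelta(hours=1)
    for i in range(30):
        t = burst + timedelta(seconds=2 * i)
        result = "OK" if i in (4, 17) else "FAIL"
        lines.append(f"{t.isoformat()} ip=203.0.113.{i + 1} "
                     f"user=cust{i:03d} result={result}")
    # One clumsy address inside the same burst trying six accounts itself.
    for i in range(6):
        t = burst + timedelta(seconds=90 + i)
        lines.append(f"{t.isoformat()} ip=192.0.2.77 "
                     f"user=member{i} result=FAIL")
    return lines


if __name__ == "__main__":
    for start, kind, detail in detect_stuffing(sample_log()):
        print(start.isoformat(), kind, detail)
```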

The attack

GM disclosed that it detected the malicious login activity between April 11 and April 29, 2022, and confirmed that the threat actors exchanged customer reward bonuses of some customers for gift certificates.

The My GM Rewards program allows members to earn and redeem points toward buying or leasing a new GM vehicle, as well as for parts, accessories, paid Certified Service, and select OnStar and Connected Services plans.

GM says it immediately investigated the issue and notified affected customers of the issues.

Victims

GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.

GM specifically pointed out that the credentials used in the attack did not come from GM itself.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

Stolen information

Attackers could have accessed the following Personally Identifiable Information (PII) of a compromised user:

  • First and last name
  • Email address
  • Physical address
  • Username and phone number for registered family members tied to the account
  • Last known and saved favorite location information
  • Search and destination information

Other information that was available was car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and currently subscribed OnStar package (if applicable).

GM is offering credit monitoring for a year.

Mitigation

What could GM have done to prevent the attack? It doesn’t currently offer multi-factor authentication (MFA), which would have stopped the attackers from gaining access to the accounts. GM does ask customers to add a PIN for all purchases.

This incident demonstrates how dangerous it is to re-use your passwords for sites, services and platforms. Even if the account doesn’t seem that important to you, the information obtainable by accessing the account could very well be something you wish to keep private.

Always use a different password for every service you use, and consider using a password manager to store them all. You can read some more of our tips on passwords in our blog dedicated to World Password Day.

Stay safe, everyone!

The post General Motors suffers credential stuffing attack appeared first on Malwarebytes Labs.

Instagram verification services: What are the dangers?

Instagram, like other social platforms, has a verification system for high profile accounts. A verified badge means Instagram has confirmed that the account is the authentic presence of a public figure, celebrity or brand.

Have you ever wanted to get your own account verified? We noticed a large number of Instagram accounts all claiming to offer this as a service. Quick, easy, guaranteed. Or so they claim. After digging into it, we had a few questions of our own.

Setting the scene

Here’s just some of the identical profiles we’ve seen promoting one specific verification service.

[Screenshot: multiple identical “verify” Instagram accounts]

Most of the profiles contain the same information in the bio section. Here’s a typical example:

[Screenshot: Instagram verification service bio]

The verification process “takes 1-2 hrs”, has a 100% success rate, and payment is required before processing. You can send a direct message, or visit their shortened link for more information.

Forming an orderly line

The link in the bio section leads to a Google Docs form. Unless you view the document while signed into a Google account, you won’t be able to see the content or fill it in.

The service says it will submit your profile to Instagram for verification. Given the only way to do this as a regular user is submit it yourself via the app, this means the service would presumably need your login details to do it. This is highly relevant to our next line of investigation.

Of media partners and promotional agencies

One section of the form notes the slick, professional approach it has in relation to verification and third-parties:

  • We would like to share everything about our service and marketing strategy. We are the only legitimate agency that provides a guarantee of verification. If we are not able to get you the blue badge, we will refund your entire payment.
  • As you know we have a few talented Instagram media partners agencies. They will do everything for your verification with maintaining all the terms of Instagram authority. They are highly qualified to do that and have a high success rate.

As this article mentions, celebrities may work with agencies with access to Facebook’s Media Partner Support for verification instead. Incidentally, that’s another approach filled with booby-traps. Do we think any of these identical profiles are working to that level?

The form also lists several Instagram accounts which have been “successfully verified” as a result of its guidance. This includes one account which no longer exists, and a well known brand of cheese spread which doesn’t appear to post content anymore. We reached out to the two Instagram accounts which accept direct messages, but didn’t receive a reply.

With all of this in mind, it’s time to ask one of these accounts some questions directly.

Question time for an Instagram verification service

I sent a message to the profile highlighted up above.

[Screenshot: Instagram DM conversation]

I asked the following:

Hi, I have some questions about the verification process and was hoping you could answer before I sign up.

1) What are the fees, and which payment method do you use?

2) The form says you use a “few talented Instagram media partner agencies”. Who are the agencies?

3) If there’s a 100% success rate, why is there a money back guarantee for unsuccessful applications?

4) How did you help to verify several accounts which are much older than your own?

5) Why is your own account not verified?

Thanks!

Question 5 is particularly important: with so many identical profiles, how do we even know which one is the real deal? If verification is so easy, where is their own verified profile badge?

At any rate, they only replied after a follow-up message, promised to answer my questions immediately, and promptly disappeared again. It seems my verified status is not to be, but on the evidence seen so far, I think I can live without paying someone money for the privilege.

How “verify me” scams on social media usually end

There are a few likely final destinations for respondents of detail-free, evasive operations nestled inside dozens of spam accounts.

  1. They (eventually) send you a request for payment and a link to their processing tool of choice. Once you pay, you never see them or the money again. If you had as much difficulty as I did trying to get basic information from a supposed Instagram verifier, would you trust them with your money?
  2. You’re sent a link to a website asking you to fill in your details. The website is nothing more than a phishing page, grabbing personal details and login information. Worth noting that although the “service” I encountered above made use of a Google Docs form, it did not ask for logins.
  3. Either of these methods may involve a request for scans of identification. Sending scammers copies of your passport pages is never going to be a good idea. One of the most brazen combinations of most of these tactics can be seen in this CNET article from last year.

Safe verification practices

There’s a bit of mystery as to how certain sites verify individuals. Instagram is refreshingly straightforward and direct in its approach. It pretty much all boils down to preventing impersonation of “notable” individuals. If you’re in a big pile of press links, articles about you, things which have gained column inches somewhere, then you’re probably going to be verified.

Here’s some more information from the Head of Instagram, Adam Mosseri:

Follower count doesn’t matter. If you see someone claiming to offer verification based on follower count, you can safely disregard that entity. If you’re asked to login somewhere then don’t do it. And don’t send scans of identification documentation either.

The allure of verification on social media is too powerful for many people to resist, and that’s what scammers are banking on. If you believe you need it, by all means send in an application to your platform of choice. By the same token, think very carefully about entrusting non-verified spam accounts with your personal details, money, or even identity documents. It almost certainly won’t turn out to have been worth it.

The post Instagram verification services: What are the dangers? appeared first on Malwarebytes Labs.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

Google

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

Vulnerabilities

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

Cytrox

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

Government spyware

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

A week in security (May 16 – 22)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (May 16 – 22) appeared first on Malwarebytes Labs.

Update now! Nvidia released fixes for 10 flaws in Windows GPU drivers

Multiple NVIDIA graphic card models have been found to have flaws in their GPU drivers, with six medium- and four high-severity ratings.

Last Monday, the company released a software security update for NVIDIA GPU Display Driver to address the vulnerabilities. If exploited, they could lead to denial of service, code execution, privilege escalation, and data tampering.

NVIDIA GeForce software, Studio, RTX/Quadro, NVS, and Tesla running Windows and Linux are all affected by this update, covering driver branches R450, R470, and R510. NVIDIA publishes driver branch histories for Windows and for Unix/Linux for reference.

The latest release also covers updates for already unsupported GTX 600 and GTX Kepler-series cards. This is NVIDIA honoring its promise of continuing to provide support for these cards until September 2024—three years after the October 2021 end-of-support date.

Let’s look at each of the vulnerabilities up-close.

High-severity NVIDIA vulnerabilities

  • CVE-2022-28181. A malformed executable or shader file (a program that runs on the GPU) exploiting the DCL_INDEXABLE functionality could lead to memory corruption, code execution, data tampering, denial of service, privilege escalation, and information disclosure. Virtual machines and (theoretically) web browsers can trigger this vulnerability. This is exploitable over the network.
  • CVE-2022-28182. A malformed executable or shader file exploiting the DCL_INDEXRANGE, DCL_RESOURCE_STRUCTURED, and DCL_UNORDERED_ACCESS_VIEW_STRUCTURED functionalities could lead to memory corruption, data tampering, denial of service, information disclosure, and privilege escalation. Virtual machines and (theoretically) web browsers can trigger this vulnerability. This is exploitable over the network.
  • CVE-2022-28183. An unprivileged user could cause an out-of-bounds read (a flaw that lets a program read memory outside the buffer intended for it, potentially exposing data belonging to more critical functions), leading to a denial of service and information disclosure. This is exploited with local access.
  • CVE-2022-28184. An unprivileged user could access registers available only to administrator accounts, leading to data tampering, denial of service, and information disclosure. This is exploited with local access.

Medium-severity NVIDIA vulnerabilities

  • CVE-2022-28185. An out-of-bounds write in the ECC (error correction code) layer could lead to data tampering and denial of service.
  • CVE-2022-28186. A validation flaw in the kernel mode layer (nvlddmkm.sys) could lead to data tampering and denial of service.
  • CVE-2022-28187. A memory management software flaw in the kernel mode layer (nvlddmkm.sys) could lead to denial of service.
  • CVE-2022-28188. A validation flaw in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where input is not validated well enough to process data safely, could lead to denial of service.
  • CVE-2022-28189. A NULL pointer dereference in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape could lead to a system crash.
  • CVE-2022-28190. A validation flaw in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where improper input validation could lead to denial of service.

Patch as soon as possible

NVIDIA users are advised to download and apply the patches ASAP. The updates can also be applied via NVIDIA’s GeForce Experience suite.

The post Update now! Nvidia released fixes for 10 flaws in Windows GPU drivers appeared first on Malwarebytes Labs.

Chicago students lose data to ransomware attackers

Chicago Public Schools (CPS) disclosed on Friday that students may have had their data taken in a ransomware incident involving one of its vendors.

The ransomware attack happened last December at Battelle for Kids (BfK), based in Columbus, Ohio, which develops services to provide innovation in schools for students and teachers.

Breaching education

Around 490,000 students and 56,000 employees found their data breached by those responsible for the ransomware. The data accessed by the criminals, stretching from 2015 to 2019, potentially included:

  • Name
  • School
  • CPS email
  • Employee ID number
  • Battelle for Kids username

The breach notification says that home addresses, health/financial information, and social security numbers were not exposed.

Chicago Public Schools is offering free credit monitoring for those affected.

A late notification

The breach occurred in December but the notification did not follow until much later, which raises several questions about how late those impacted were told. According to Bleeping Computer, the CPS contract with BfK requires immediate notification of any data breach.

Despite this, it took no fewer than four months to get word out that something had occurred. Letters pertaining to the breach were sent out towards the end of April. The stated reason is that it took this long to verify the breach had actually taken place. That isn’t all, however. Other breaches related to the compromise of Battelle for Kids suggest private student data was exposed “as far back as 2011”.

According to the Chicago Sun Times, a spokesperson for CPS says the breach was “caused [and] exacerbated by BfK’s failure to follow the information security terms of their contract”. They go on to single out a failure to encrypt data and purge old records. We talk about ransomware breaches often, and frequently mention the benefits of having a sensible back-up plan. This sounds like a case which may well have benefited greatly from this approach.

Schools: a ripe target for ransomware

All forms of education are an increasingly popular place to be for ransomware criminals. Schools, Universities, and (as we see above) third-party organisations are all valid targets. Even if the schools have a watertight security setup, it may not be the case for external suppliers and other entities interacting with the data in some way.

Outbreaks in schools and universities may not be life-threatening in the way attacks on the healthcare sector can be. However, severe delays to applications, operations, and teaching generally can have a big impact on students.

Tips to avoid ransomware

  • Keep devices updated. Secure your devices with the latest updates and patches. It’s not just the Operating System you have to consider here. Outdated software and applications are frequently the launchpad for exploits leading to ransomware attacks.
  • Update your security software. Often your first line of defence, help it to help you by automating updates and scans.
  • Strengthen remote access. A common ransomware pitfall is leaving remote services unsecured. Limit password guess attempts on remote desktop and other remote login services, and combine remote access with multifactor authentication.
  • Avoid strange attachments. Booby-trapped Word/Excel documents are a big threat in these realms, especially where Macros are concerned.
  • Browser controls for bad ads. Malvertising is another method for dropping ransomware onto systems. Restricting certain features like JavaScript will help, though this may make some sites unusable in places. Dedicated extensions which control scripts more generally, tracking, or untrustworthy ad networks will also help.
  • Encrypt and back it up. Keep your data encrypted whenever possible, and get into the habit of backing up regularly. Store backups externally, away from the main network. Ensure your backups are stored in a logical way and not a confused mess of folders and files, so you can easily find and restore files if you need to.
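The “strengthen remote access” tip above is where the SSH brute force discussed at the top of this page meets a defender’s logs. The following is an added example, not code from Malwarebytes or from any of the organisations named on this page: it parses sshd “Failed password” lines, counts failures per source address in a sliding time window, and emits the firewall rules that would cut the source off. The log lines are constructed for the example, the threshold and window values are assumptions, and the syslog year (absent from the log format) is assumed to be 2022.

```python
"""Detect SSH password brute-force attempts from sshd auth logs.

Added example. The SAMPLE_LOG lines are constructed, not from a real host;
threshold/window defaults are assumptions to tune per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one fast brute-force source and one slow, legitimate-looking one.
SAMPLE_LOG = """\
May 20 10:01:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
May 20 10:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
May 20 10:01:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 51130 ssh2
May 20 10:01:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 51133 ssh2
May 20 10:01:07 host sshd[1205]: Failed password for root from 203.0.113.5 port 51140 ssh2
May 20 10:01:09 host sshd[1206]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
May 20 10:02:00 host sshd[1207]: Failed password for bob from 198.51.100.7 port 40010 ssh2
May 20 10:30:00 host sshd[1208]: Failed password for bob from 198.51.100.7 port 40020 ssh2
May 20 10:55:00 host sshd[1209]: Failed password for bob from 198.51.100.7 port 40030 ssh2
"""

# Matches the OpenSSH failure message, with or without the "invalid user" prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2022):
    """Yield (timestamp, user, ip) for every failed-password line.

    Syslog lines carry no year, so one is supplied (assumed 2022 here).
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: record} for sources with >= threshold failures inside any
    sliding window of window_seconds. The record is taken at the moment the
    threshold is first crossed, which is when a blocking rule would fire."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) within the window
    offenders = {}
    for ts, user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append((ts, user))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = {
                "count": len(q),
                "first": q[0][0],
                "last": ts,
                "users": sorted({u for _, u in q}),
            }
    return offenders


def to_firewall_rules(offenders):
    """Render one iptables DROP rule per offending source, sorted for stable output."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_bruteforce(SAMPLE_LOG)
    for ip, rec in hits.items():
        print(f"{ip}: {rec['count']} failures {rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S}, users={rec['users']}")
    print("\n".join(to_firewall_rules(hits)))
```

With the defaults, only 203.0.113.5 is flagged: five failures in six seconds. The three failures from 198.51.100.7 are spread across an hour, so a 60-second window never sees more than one of them; widening the window to an hour and lowering the threshold catches that “low and slow” pattern too, at the cost of more false positives, which is the trade-off any lockout policy (sshd’s MaxAuthTries, an RDP account lockout threshold, or fail2ban) has to make.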

The post Chicago students lose data to ransomware attackers appeared first on Malwarebytes Labs.

Hunting down your data with Whitney Merrill: Lock and Code S03E11

Depending on where you live, you can ask a company to hand over all the data it has collected about you and, in a matter of weeks as mandated by law, that company has to fork that information over.

Whether the company will abide on time, however, is a different story.

In the European Union, the United Kingdom, and California, consumers have a leg up in understanding what data is collected about them, largely thanks to several laws passed in those regions in the last few years. And at least in California, people can request that a company hand over the data it has collected about them, even if they are not an active user of that company’s product or a customer of that company’s services.

That’s because in today’s world, your data is not collected only by the companies you directly interact with, but also by the companies that your friends and families interact with.

In February of last year, Whitney Merrill proved this was true when she requested her data from the then-popular app Clubhouse. Though Merrill did not have an account with the company and was not a user of the app, she proved that Clubhouse did have her phone number, which had been shared with Clubhouse by Merrill’s contacts who were active users.

Merrill, who has requested her data from several more companies since then, learned more about data privacy compliance than about just what is being collected about her. Each request, Merrill said, can be different from another, and each request is done separately, forcing users who want to learn more about how their data is collected to spend increasingly more of their own time—time which they may not realistically have. The entire model right now, Merrill said, has many flaws.

“We all interact with thousands and thousands of websites and providers that collect our data—maybe hundreds is probably a better number—in any given week or year. And, as a result, you have to go to each individual one and ask for access to your data… The burden is really on the end user.”

Whitney Merrill, Data Protection Officer and Privacy Counsel at Asana

This week on the Lock and Code podcast with host David Ruiz, we speak with Merrill about the difficulties of requesting your own data from a company and why some companies seem to interpret data privacy laws as mere suggestions. We also touch on proposed solutions to today’s problems with cross-border data transfers and what “data localization” may lead to in the future.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “God God” by Wowa (unminus.com)

The post Hunting down your data with Whitney Merrill: Lock and Code S03E11 appeared first on Malwarebytes Labs.