IT NEWS

October is Cybersecurity Awareness Month, formerly known as National Cybersecurity Awareness Month. The idea is to raise awareness about cybersecurity, and provide resources for people to feel safer and more secure online.

The month is a collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) and it focusses on four themes, in turn: “Be Cyber Smart”, “Phight the Phish”, “Explore. Experience. Share”, and “Cybersecurity First”. Some of these are perhaps a little interchangeable or vague, but it’s certainly a dedicated effort. The questions is, is anybody listening?

Cybersecurity Awareness Month is a fixture of the calendar now, as are Data Privacy Day, World Password Day, and a host of other well-intentioned privacy and security themed events. There are so many of them now, and they come around so often, that some of the Malwarebytes Labs team were feeling a little jaded about this month’s event.

So, in the spirit of the event’s first theme, “Be Cyber Smart”, we asked two of our Malwarebytes Labs blog team, Chris and Jovi, whether the smart thing to do was forgot about it altogether.

The pros and cons of awareness campaigns

Jovi: I don’t see that anyone can have a problem with events such as this. It’s good to have regular reminders about our responsibility to keep ourselves and our families safe. It’s also a good opportunity to learn something new about security and privacy.

Chris: I mean, are they really learning something new? From experience, the content in these events doesn’t tend to differ much from year to year. A lot of it is the same basic information you see on mainstream news reports, or blogs. I’ve been involved with events like this since 2005, and one time at a panel with reps from the FTC and the NYAG…

(several minutes of completely unrelated factoids from the dawn of time follow)

Jovi: …I’m surprised that didn’t end with you tying an onion to your belt.

Chris, oblivious to onions: If it was worthwhile, you’d think there’d be some tangible, visible improvement in security by this point. Or at least a bunch of people saying “Wow, that ‘event-name-goes-here’ really helped me with this one problem I had. Hooray for ‘event-name-goes-here’.

Jovi: True, but then again, not everyone sees every relevant news report or even reads blogs. Some people get a lot of their security information from sources like Twitter, direct from infosec pros. Who then end up directing them to events like this anyway. There’s always a churn of new people who haven’t seen any of this before, so I don’t think it’s a problem to repeat some of the basics every year. Not everything has to be groundbreaking. If it’s easy to understand and helpful, that’s okay too.

Chris: Possible, but I also think many people have burnout from this kind of thing. How many times can you hear a major event, backed by Homeland Security, say “watch out for suspicious links” before you start to demand something a bit more involved? Admittedly, we don’t know what specifically is going to be covered during the month itself yet. It might be a mix of basic information and more complicated processes, which would be great! Another major event saying “don’t run unknown files”, though? Do we really need that? Or is there still a place for it?

Jovi: I once again direct you to “a churn of new people who haven’t seen any of this before”.

Chris: Ouch.

Jovi: You may be right about the fatigue aspect, though. I imagine it’s likely very difficult for anyone to really care that much about a month-long event. If you’re directly involved in some way, then fine. If you’re one of the many random people it’s aimed at? I think it’s probable they simply won’t care very much by week 3.

Chris: It may also be exacerbated if the thing they really want to do or look at happens during the final week. Will they even remember to go back by the tail-end of October to check it out?

Jovi: This is where the web resources for the event will be crucial, alongside lots of activity on social media. Handy little reminders to go back and check it out will work wonders.

Chris: Might work wonders.

Jovi: Ouch.

Chris: One novel thing I’ll definitely highlight is that they’re doing a whole bit about careers in tech. This is good. Not every event does this. There’s a lot of resources available and the opportunity for security companies, researchers, and anyone else to give tips on how to break into the industry. This will be particularly helpful for students about to graduate, and people thinking about a change in career.

Jovi: I’m mostly interested in the phishing week. You can’t go wrong with phish advice, especially when so many people are still working from home and potentially isolated from their security teams.

Chris: Is that any better than any other event doing a phish week though?

Jovi: It certainly doesn’t hurt to have them. I reckon big organisations and governments saying “we’re interested in this and you should be too” ultimately helps more than it hurts. We’d definitely feel their absence.

Chris: I’ll give you that. I’m not 100% convinced these events are making as much impact as some may think. This is what, the 18th one of these now? I’d be interested to know what the organisers think about how successful they are, what difference they’ve made. Even so, you’re likely right that we’re better served by having them than not at all.

Jovi: Amazing—did we finally agree?

Chris: Yes, please inform the DHS I’ve given permission for the event to go ahead.

Jovi: I’m sure they’ll be relieved.

Chris: This somehow feels like sarcasm.

Jovi: Definitely not.

Winding down

Whether you think events like this are a big boon to security discourse or too much like repeating ourselves for diminishing returns, they’re here to stay. We can all play a part in ensuring these annual reminders stay relevant. Whether you’re flying solo at home, an organisation, a security vendor, an SME, or a collection of interested students? Get involved!

Let the organisers know what you’d most like to see—if not at this event, then perhaps the next one. If these awareness campaigns exist in a vacuum, they’ll assume they’re getting everything right. Let’s help them along to fix the bits we’re not sure about and make it work for everyone.

The post Does Cybersecurity Awareness Month actually improve security? appeared first on Malwarebytes Labs.

One of the world’s ransomware groups appears to be a couple of members short today—and about two million dollars less rich—but nobody is sure which one. Police are staying tight-lipped about who’s short-handed following the arrest of two individuals in Kyiv, Ukraine. The arrests are part of a joint operation by the FBI, the French National Gendarmerie, and the Ukrainian National Police.

What little we do know comes by way of a terse Europol press release—which says that police seized $375,000 in cash, a further $1.3 million in cryptocurrencies and two “luxury vehicles”—and a press release and video by Ukrainian police.

The video shows police searching a surprisingly clean and tidy apartment. Among the usual ransomware gang paraphernalia of mobile phones, laptops, a fancy-pants computer “rig”, gaming chairs, and wads of cash, we also get a peak at some of the more surprising and mundane aspects of life as (or perhaps with) a modern day digital criminal. The video reveals enough flowers and little gift boxes to suggest it was a special day for somebody, as well as the occupants’ fondness for both Capri Sun, and brands like Louis Vuitton and Senso.

Of course what we really want to know is which ransomware group has taken a hit. There, we’re getting only crumbs from the police and guesswork from Twitter sleuths. Europol has divulged that the people arrested belong to an organised crime group “suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards.” It says the criminals “would deploy malware and steal sensitive data from these companies, before encrypting their files”, a fairly vanilla description of modern-day ransomware. It describes the people arrested as “two prolific ransomware operators known for their extortionate ransom demands (between €5 to €70 million)”.

The individuals could belong to one of the well known ransomware groups, but it’s worth remembering that lots of ransomware is operated “as a service”, by affiliates. In either case, it’s fair to say that others will be along shortly to fill the void they leave, should those arrested be required to occupy a jail cell.

Europol says it helped the joint operation with analytical, malware, forensic, and crypto-tracing support. The last item is the least surprising on the list. The modern ransomware phenomenon is entirely reliant on cryptocurrencies like Bitcoin, and many observers have identified it as ransomware’s Achilles heel.

Why? Because cryptocurrency payments are very public. While the identities of payers and payees are hidden behind pseudonymous IDs, the actual payments happen in broad daylight and are recorded forever in giant distributed databases called blockchains. If real people can be linked to those IDs, then their role in ransomware transactions can be revealed.

A few years ago, we were all fond of describing the analysis of relationships in very large databases as Big Data, and the Bitcoin blockchain is the biggest of Big Data. It contains every transaction ever made with the cryptocurrency, nothing can ever be removed from it, anyone can own a copy, and law enforcement’s ability to analyse the patterns within it improve with time, and every additional payment.

The US government has been turning up the heat on ransomware gangs this year and has been quite open about its intention to follow the money. So it won’t surprise you to learn that one of the people arrested in this recent raid is believed to be involved in money laundering. And no surprise that a similar raid against the Clop ransomware gang earlier this year that was also carried out by police in Ukraine, also in the area of Kyiv, also targeted the gang’s money laundering operation.

The post Police take a piece out of a ransomware gang, but won’t say which one appeared first on Malwarebytes Labs.

Millions of Neiman Marcus customers have had their personal and financial information exposed in a data breach. In a press release the company confirmed unauthorized access to customer online accounts.

According to the press release 4.6 million customers of Neiman Marcus Group stores, specifically Neiman Marcus and Last Call, are being notified about the data breach by email.

What information was stolen?

For affected customers, it’s always important to know what information the threat actor may have gotten hold off. The personal information for affected Neiman Marcus customers varied and may have included:

• Names and contact information
• Payment card numbers and expiration dates (without CVV numbers)
• Neiman Marcus virtual gift card numbers (without PINs)
• Usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts.

What has Neiman Marcus done?

To investigate the matter Neiman Marcus has engaged Mandiant, an American cybersecurity firm, and notified law enforcement. The investigation is ongoing.

Neiman Marcus has also informed the affected customers, and forced an online account password reset for affected customers who haven’t changed their password since May 2020. Neiman Marcus promised to continue to take actions to enhance its system security, and safeguard information.

The company has set up a phone number—(866) 571-9725—and web page for concerned customers, although at the time of publishing the website is not currently working.

What you can do

If you know or suspect you may have been affected by this data breach there are a few things you can do.

The most important one is to change your password and make sure you have not re-used the same login credentials elsewhere online. If you have, you’ll need to change that too. The same is true for any security questions.

Scammers like to make the most of data breaches like this by sending out fake emails trying to trick you into giving them your login credentials, so make sure you go directly to the website to change your password.

Unlike Neiman Marcus, other companies have offered free credit and identity monitoring services as a conciliatory measure after a data breach. In this case you would have to pay for that yourself. Credit monitoring services can’t actually stop cybercriminals from stealing your identity, but they can alert you if someone opens up a line of credit under your name.

Think about it this way, these services alert you to changes on your credit report if you can’t be bothered to check your own credit report. If that’s the case, then you may want to consider signing up and paying someone else to monitor your credit file for you, but the bottom line is that these credit monitoring services are just that—monitoring services, not protection.

If you find any unauthorized transactions involving your payment cards then immediately contact the relevant payment card company or financial institution.

Customers are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order a free credit report, you can visit www.annualcreditreport.com or call 1-877-322-8228.

Attribution

As this is an ongoing investigation, there is not much information to be had about any details that may point to a certain threat actor. The stolen data may at some point surface for sale on underground forum or dark web marketplace.

If you are wondering if the login credentials have been made publicly available, you may be able to find them at the website Have I been pwned? The same is true for other credentials. In fact, it doesn’t hurt to check your email address there every so often.

There’s no reason to be ashamed if you find your email address there, as long as you don’t use it in combination with the same password anymore. If you do, then make sure you change it as soon as you can. You can use a password manager or password book to keep track of all your different passwords.

Stay safe, everyone!

The post Neiman Marcus data breach affects millions appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs

• Teaching cybersecurity skills to special needs children with Alana Robinson: Lock and Code S02E18
• Phone screenshots accidentally leaked online by stalkerware-type company
• FoggyWeb, analysis of a Nobelium backdoor
• Instagram Kids put on hold
• Microsoft, CISA and NSA offer security tools and advice, but will you take it?
• Vaccine passport app leaks users’ personal data
• Telegram-powered bots circumvent 2FA
• Android Trojan GriftHorse, the gift horse you definitely should look in the mouth
• Apple Pay vulnerable to wireless pickpockets
• The FCC moves to curb SIM swap attacks

Malwarebytes released the Demographics of Cybercrime Report.

Other cybersecurity news

• Cambodia’s prime minister is Zoombombing opposition meetings. (Source: Rest Of World)
• Apple ignored 3 Zero-Day iPhone attacks for months, claims researcher. (Source: Forbes)
• When you ‘Ask app not to track,’ some iPhone apps keep snooping anyway. (Source: The Washington Post)
• Microsoft was warned about the Autodiscover flaw five years ago. (Source: The Register)
• Mission accomplished: Security plugin HTTPS Everywhere to be deprecated in 2022. (Source: The Daily Swig)
• Fake Amnesty International Pegasus scanner used to infect Windows. (Source: BleepingComputer)
• Google pushes emergency update for Chrome zero-days, the latest in a hectic year for vulnerabilities. (Source: CyberScoop)
• Mozilla rolls out fission to a fraction of users on the release channel. (Source: Mozilla blog)
• Paying hackers’ ransom demands is getting harder. (Source: DataCenter Knowledge)
• Hackers bypass Coinbase 2FA to steal customer funds. (Source: The Record)

Stay safe, everyone!

The post A week in security (Sept 27 – Oct 3) appeared first on Malwarebytes Labs.

Researchers have shown that it is possible for attackers to bypass an Apple iPhone’s lock screen to access payment services and make contactless transactions. The issue, which only applies to Apple Pay and Visa, is caused by the use of so-called magic bytes, a unique code used to unlock Apple Pay.

In the full paper, researchers from two UK universities—the University of Birmingham and the University of Surrey—show how this feature makes it possible to wirelessly pickpocket money.

The underlying issue

What happens often is that a feature designed to make our lives easier, also makes it easier for clever attackers to use that same feature against us. The vulnerability identified by the researchers is only present when Visa cards are set up using Express mode in an iPhone’s wallet. Express mode allows iPhone owners to use transit or payment cards, passes, a student ID, a car key, and more, without waking or unlocking their device, or authenticating with Face ID, Touch ID, or a passcode. The user may even be able to use their card, pass, or key when their device needs to be charged.

Transport mode

Contactless Europay, Mastercard, and Visa (EMV) payments are a fast and easy way to make payments, particularly at a time when we’re all much more wary about the hygiene of the surfaces we touch.

Normally, payments via smart-phone apps need to be confirmed by the user via a fingerprint, PIN code, or Face ID. Apple Pay elevated the EMV standard for usability, by introducing a feature that allows it to be used at a ticketing barriers (like those used to access the London underground railway network) without unlocking the phone. And Apple is not alone. Samsung has introduced the same “transport mode” feature as well.

The researchers found that Transport for London (TfL) ticket barriers broadcast a non-standard sequence of bytes—so-called “magic bytes”—which bypass the Apple Pay lock screen. Apple Pay then checks that its other requirements are met (which are different for Visa and Mastercard) and if they are it allows a payment to be performed with no user interaction. In this way it allows underground passengers to move through the barriers without stopping, in the same as they do with Oyster cards.

Taking payments

For Apple Pay Visa, the researchers were able to craft messages that resulted in fraudulent payments from a locked iPhone to any EMV shop reader, for any amount. The tests were made for payments up to £1,000 (roughly US$ 1,350). Mastercard is stricter, requiring readers to have a transit merchant code before allowing this functionality.

The researchers also found that Samsung Pay does not use magic bytes, but it was always possible to perform an EMV transaction with a locked Samsung phone. However, they also found that locked Samsung Pay would only allow a zero-value payment. Transport providers (which is only TfL right now) must have an arrangement with their banks to make good the value of the tickets. According to the researchers, “this makes it impossible to relay Samsung Pay to shop readers to buy goods, but it is still possible to relay Samsung Pay to other transport readers”.

Pointing fingers

When the attack was disclosed to Apple and Visa, Apple reportedly said that the problem was with Visa (stop us if you’ve heard this one before), and Visa said it was with Apple. Apple insisted it was up to Visa to implement additional fraud detection checks. Visa pointed out that the same problem did not exist in the Samsung Pay and Visa combination.

For now, as the academics stated, while the problems are acknowledged by both parties, who have been spoken to extensively, the issue remains unfixed. Apparently, when two industry parties each have partial blame, neither are willing to accept full responsibility. Needless to say, while nobody fixes the problem, all users are vulnerable.

It seems unlikely that transport modes will be removed from phones, so the researchers have proposed an EMV relay-resistant protocol.

Where does that leave you?

The attack has only been demonstrated in a lab and there is no evidence that criminals are currently exploiting the vulnerability.

However, if you are worried about falling victim to this type of attack, you should disable the Express Mode if you don’t need it. When you add an eligible transit card to an Apple Wallet, Express Mode is turned on by default.

Should you lose your phone or have it stolen, there is now—in theory at least—a way for thieves to extract funds from it without having to guess your passcode. To avoid that, we suggest that you inform your bank or payment provider if your phone is stolen so they can block your cards.

Stay safe, everyone!

The post Apple Pay vulnerable to wireless pickpockets appeared first on Malwarebytes Labs.

The Federal Communications Commission (FCC) is going to set new rules to curb the rising threat of SIM swapping, also known as SIMjacking.

SIM swapping (and the very similar port-out fraud) is the unlawful use of someone’s personal information to steal their phone number and swap or transfer it to another device. Once this happens, the scammer can use the device to receive calls and messages intended for the victim. SIM swapping is often used to intercept codes sent by SMS that are used in some forms of two-factor authentication (2FA).

SIM swapping is difficult to scale up into large attacks against lots of people at the same time, but it is often used to target specific, high-value individuals.

Early last year, US senators wrote a letter to the FCC urging it to do something about the rising problem of SIM swapping:

The impact of this type of fraud is large and rising. According to the Federal Trade Commission, the number of complaints about SIM swaps has increased dramatically, from 215 in 2016 to 728 through November 2019, and consumer complaints usually only reflect a small fraction of the actual number of incidents.

It went on to say that SIM swapping “may also endanger national security”:

SIM swap fraud may also endanger national security. For example, if a cyber criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to issue emergency alerts using the federal alert and warning system operated by the Federal Emergency Management Agency.

According to its recent release, the FCC “has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud. In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”

Currently, the proposals boil down to requiring better checks, and quicker notifications:

[The FCC] proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.”

Many are already happy upon receiving this news, vague as it is.

Of course, specifics need to be laid out as so to how carriers can help potential SIM swap victims and how they generally safeguard all their users.

The post The FCC moves to curb SIM swap attacks appeared first on Malwarebytes Labs.

Two-factor authentication is a great way to protect your online accounts, and we always recommend you turn it on. But where users put up walls, you can be sure there are cybercriminals trying to break them down.

Yesterday, security intelligence firm, Intel 147, revealed it had noticed an uptick of activity in threat actors providing access to services in Telegram that circumvent two-factor authentication (2FA) methods. These services include calling their target victims, appearing to be from their bank, and socially engineering them into handing over a one-time password (OTP)—or other verification code—to the bot operators.

Other services target “other popular social media platforms or financial services, providing email phishing and SIM swapping capabilities.”

Intel 147 has been observing these activities since June when services like these started operating.

“[They] either operate via a Telegram bot or provide support for customers via a Telegram channel,” Intel 147 wrote, “In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts.”

The two bots that are becoming criminal favorites are SMSRanger and BloodOTPbot, according to Intel 147. Another bot, SMS Buster, was mentioned, but the researchers said operating it requires more effort on the part of the threat actor.

Those looking to operate these bots are expected to shell out $300 USD monthly. For additional services on top of the bot, they need to hand over an extra $20-$100 USD more.

2FA isn’t foolproof

These 2FA threats only further highlight the problem we already know about SMS-based and phone-call-based authentication OTP methods: they have weaknesses that can be easily exploited by threat actors.

Make no mistake: using 2FA is still better than not using it. But if companies start using better authentication methods, such as Time-Based One-Time Password (TOTP) codes—e.g. Google Authenticator and Authy—or push notifications—e.g. Okta or Duo—then such bots wouldn’t be much of a problem.

What to do

If you have sent your OTP to what you now believe is a scammer, call your bank and report it. Note that this might be a new scheme that banks have never heard of, so please do your best in explaining what happened. Remember that the more people report of the same or similar instances, the more aware banks will be of the fraud attempts.

Share your experience with friends and family to raise awareness on the matter, in order to prevent them falling for the same trick.

Remember that your bank won’t call you to ask for your OTP—ever—so if you receive similar requests in the future, just hang up.

Trust us: they won’t think you’re being rude.

Stay safe!

The post Telegram-powered bots circumvent 2FA appeared first on Malwarebytes Labs.

Researchers at Zimperium have discovered an aggressive mobile premium services campaign with over 10 million victims all over the world. The stolen amount could amass hundreds of millions of Euros.

The scam was hidden behind malicious Android apps, and the researchers have named the Trojan GriftHorse. They estimate the group has been active since November 2020.

Distribution

These malicious Android apps were initially distributed through both Google Play and third-party application stores. After the researchers reported the findings to Google, the malicious applications were removed from the Google Play store. However, the malicious applications are still available on third-party app stores, once again proving the potential dangers involved in sideloading applications to mobiles.

To enhance the effectiveness of the campaign, the group showed pages to users based on the geolocation of their IP address and addressed them in the local language. This social engineering trick is very successful, since users are always more comfortable sharing information on a website in their local language.

How it works

The GriftHorse Trojan subscribes unsuspecting users to paid services, charging a premium amounting to around 36 dollars per month.

Immediately after installing the malicious app, the user is bombarded with popups telling them they have won a prize and need to claim it straight away or they will miss the opportunity. When the user accepts the offer, the malware redirects them to a geo-specific website where they have to submit their phone number for “verification”.

Instead of any verification taking place, the user is actually signed up for a premium SMS service that starts charging their phone bill over €30 per month.

Applications of this kind are often referred to as fleeceware. By definition, fleeceware is a type of malware for mobile devices that comes with hidden, excessive subscription fees. These applications take advantage of users who do not know how to cancel a subscription by charging them long after they have deleted the application.

Detection

The threat actors use a few different methods to avoid detection. While some users may get suspicious by an extra charge on their phone bill, it may take others months to notice. If and when they notice they need to find out how to cancel the subscription, and there is no chance of getting their money back.

The threat actors are also very careful to avoid hard-coding URLs in the malicious apps. To create the apps they used the mobile application development framework Apache Cordova. The application displays as a web page that references HTML, CSS, JavaScript, and images. This enables developers to deploy updates to apps without requiring the user to update manually. Using this option the actors were able to let the app fetch the currently active URL that acted as a C&C server.

The criminals used over 200 different Trojan applications in the campaign which, besides avoiding detection, also allowed them to spread the distribution of the applications across multiple, varied categories, increasing the range of potential victims.

The programmers of the malicious apps follow a strict no-reuse policy to avoid detection of all the apps by vendors, who often introduce mass or generic detections by using strings that are typical for a certain malware family.

Victims

By using the geo-specific sites and the spread across multiple categories of apps, the campaign was able to ensnare mobile users from more than 70 countries. Based on the intel collected by the researchers, GriftHorse has infected over 10 million devices in the last few months.

IOCs

A full list of applications and hashes can be found in the blog published by the researchers.

Malwarebytes for Android detects these apps as Android/Trojan.Spy.Joker.gfth.

Stay safe, everyone!

The post Android Trojan GriftHorse, the gift horse you definitely should look in the mouth appeared first on Malwarebytes Labs.

Security and privacy advocates may have cause to worry after all: Portpass, a vaccine passport app in Canada, has been found to have been exposing the personal data of its users for an unknown length of time.

On Monday, Canadian Broadcasting Corporation (CBC) received a tip that “the user profiles on the app’s website could be accessed by members of the public.”

CBC won’t say how or where the data was found but does say it was unencrypted and could be viewed in plain text.

The data it found included email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver’s licences and passports.

Portpass has a registered user base of 650,000 across Canada. CBC says that Portpass CEO Zakir Hussein denied the app had security issues and “accused those who raised concerns about it of breaking the law.”

CBC said Hussein repeatedly claimed the breach only lasted for minutes, even when CBC pointed out to him that it was able view the data for more than an hour. It’s unclear how long the data was exposed to the public.

“Someone that’s out there is trying to destroy us here, and we’re trying to build something good for people,” said Hussein, who seemed generally unsure of what to say. He was quoted as saying, “There’s holes, and what I’m realizing is I think there are some things that we need to fix here. And you know, we’re trying to play catch-up, I guess, and trying to figure out where these holes are.”

Portpass is easy to manipulate

Days before Portpass was notified of the breach, web developer Conrad Yeung tried Portpass out of curiosity. He said he quickly found an issue when he tried to upload not his photo ID but a photo of a random mayoral candidate in Calgary, Canada “just to see if the app would let me”.

Sure enough, Portpass allowed the upload. “It let me upload a random photo for my driver’s licence,” Yeung said.

He was able to create a fake vaccination record using an actor’s name, and Portpass verified this record to be legitimate.

Looking deeper, Yeung found that the website didn’t appear to validate security certificates, with a backend that the public can access. He also found discrepancies in Portpass’s marketing statements from what he was seeing. For example, the app claimed that it uses artificial intelligence (AI) and blockchain to verify records and keep them safe. However, Yeung said he didn’t see any traces of these at the site’s backend.

What worried Yeung more, he said, was that companies endorse the use of apps like Portpass without exercising due diligence. “You have somebody in a place of authority promoting something that is potentially unsafe and has privacy issues,” he said.

There is hesitancy in using vaccine passports

Vaccine passports—sometimes called COVID passports—are mobile apps that have been created to confirm the phone owner has received their COVID-19 vaccine. This, of course, opens doors for them to attend public events and visit other countries. While many think that this could lead to social problems like discrimination, there are also security and privacy risks, such as getting one’s data exposed. Such apps must be secure by design.

In the US, there is no government mandate on whether one should be using a vaccine app or not. But many private companies and airlines have started encouraging people to use these apps.

However, many users, especially in the US, have expressed concerns over the security of their health data when using such third-party apps. According to a survey conducted by cybersecuity firm, Panda Security, 56 percent of Americans do not trust vaccine passports. Those concerned question what type of information these apps would likely collect from them.

“Based on our survey results, we can clearly see the hesitancy many Americans have to make those records accessible to private companies, airlines and other corporations.” the report says.

I’m one of those afraid of using apps. What should I do?

Hold on to your vaccine cards and keep them safe all the time. Right now, this is your only true proof to let establishments know of your vaccine status. Don’t bring them with you every time you go out, as you would a credit card, especially when there is no need to verify your status.

A paper pass may not be the coolest thing to whip out as its not on your phone, but unless the government has endorsed an app everyone can use, you might want to rethink your plans of trying out one.

Stay safe!

The post Vaccine passport app leaks users’ personal data appeared first on Malwarebytes Labs.

Microsoft offers to help you with patching Exchange servers, CISA offers an insider threat tool, and together with the NSA they offer advice on how to choose and harden your VPN.

These initiatives from major parties aim to help organizations assess and manage their security needs. But will they make an impact with their intended audience?

Microsoft Exchange Emergency Mitigation service

Microsoft will tomorrow roll out a new security feature for its Exchange email servers, which have been at the center of several hacking campaigns over the past two years.

In the September 2021 Cumulative Update (CU), Microsoft has added a new feature called the Microsoft Exchange Emergency Mitigation (EM) service. This service is not intended to be a replacement for installing Exchange Server Security Updates (SUs), but as a quick and effortless way to mitigate the latest threats against internet-connected, on-premises Exchange servers.

The basic idea is that once Microsoft detects a new attack being used in the wild, it will push out temporary mitigations to all Exchange servers around the world that are running the EM services. And that’ll happen even before they start working on a software patch to thwart the vulnerability. EM runs as a Windows service on Exchange Server, but if an organization doesn’t want to use EM, an admin can disable the service.

Microsoft introduced the EM service after it learned that many of its customers weren’t ready to install SUs because they were not running a supported CU.

CISA Insider Risk Mitigation Self-Assessment tool

The Cybersecurity and Infrastructure Security Agency (CISA) released an Insider Risk Mitigation Self-Assessment Tool, which assists public and private sector organizations in assessing their vulnerability to insider threats.

Insider threats are a serious risk to any organization because of the institutional knowledge and trust placed in the hands of the perpetrator. Insider threats can come from current or former employees, contractors, suppliers, or others with inside knowledge. The tool is designed to raise awareness and help measure the level of risk, and users receive feedback based on their answers to a series of questions.

CISA urges all its partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats. It states that making some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future.

NSA and CISA advise on VPNs

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely. The Information Sheet details considerations for selecting a remote access VPN, as well as actions to harden the VPN from compromise.

Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices.

NSA is releasing the VPN guidance as part of its mission to help secure the Department of Defense, National Security Systems, and the Defense Industrial Base. Basically the advice comes down to selecting a secure, standards-based VPN and hardening its attack surface.

You may say “duh” but organizations running National Security Systems are required to use the algorithms in the NSA-Approved Commercial National Security Algorithm (CNSA) and government systems are required to use the algorithms as specified by the National Institute of Standards and Technology (NIST), which includes the algorithms approved to protect NSS.

What is the main problem?

At Malwarebytes Labs, we’ve reported about many vulnerable VPNs, and networking devices that have patchable vulnerabilities. The same is true for Microsoft Exchange vulnerabilities. We’ve also written about the importance of recognizing the danger of insider threats.

But one thing we have learned over the years is that education and raising awareness helps, but it is not picked up by everyone. Knowing that a problem exists and that a patch is available is an important step. But it is useless without the logical next step, patching. Unfortunately, patching cycles are troubled by a few main factors:

• People not knowing a patch was available or even that the problem existed
• Fear that something might stop working, so that needs to be tested first, and all that takes too much time
• No patch being available because the product has reached end-of-life (EOL)
• Not enough staff to keep up with the necessary patching
• Remote and hybrid workforces make patch management more complicated

As a result, critical patches are delayed, often leaving a windows of opportunity for attackers between reverse-engineering the patch and when the patch is widely applied. What that means for all the help provided is that those that need it the most will probably not use it, unless they are compelled to do so.

Microsoft Exchange users that did not have the necessary CUs are unlikely to install the EM service.

Small and medium businesses with limited resources will probably lack the time and staff to use the insider risk mitigation self-assessment tool.

Choosing and hardening an approved VPN may be useful for new customers, but those that already have a working system in place are often content to leave it as is, for all the reasons listed above.

Risks involved in remote mitigation

While some experts applaud the effort by Microsoft to offer a service that can be used as kind of a first aid kit for Exchange, since it can mitigate risks before a patch is available, others see some dark clouds on that horizon.

“Automatically installing temporary mitigations that block active exploitation of security flaws until Microsoft is ready to release official patches.” This will translate in many a system administrator’s mind to Microsoft making changes on my server that I know nothing about. Will we be able to find the source if these changes cause problems?

Having a first aid kit can give users a false sense of security. But you should still apply that patch as soon as it is made available and not rely on the band aid to hold.

Supply chain attacks have become a big thing and taking over the EM service sounds like an attacker’s dream come true. Imagine having the tool in hand to disable security on every Exchange server running that service. This has to be one of the most secure services in Microsoft’s history to avoid that scenario.

Stay safe, everyone!

The post Microsoft, CISA and NSA offer security tools and advice, but will you take it? appeared first on Malwarebytes Labs.