IT NEWS

Relax. Internet password books are OK

Passwords are a hot topic on social media at the moment, due to the re-emergence of a discussion about good password management practices.

There’s a wealth of password management options available, some more desirable than others. The primary recommendation online is usually a software-based management tool. Some include online syncing alongside web browser extensions. Others involve syncing passwords with services such as Dropbox.

That’s before we get to the notepad on desktop aficionados, or the time-honoured tradition of the Post-It note on the office monitor. Today, we’re here to talk about perhaps the most controversial method of password storage though.

The big book of passwords

There’s one password management tool which experiences more than its fair share of derision—the oft-maligned Internet password book. These are, as you may expect, physical books which are little more than empty notepads with “Internet password book” written on the front. Some allow owners to group logins by category, or add additional notes as they see fit.

For various reasons, you’ll usually see them being rubbished on social media as the worst thing around for password management. It’s a passionate debate, and one which comes back to life every 6 months or so. The most recent bi-annual flurry of excitement was kicked off by BBC technology reporter Zoe Kleinman:

One important aspect of whether these books should be used at all is something called a threat model. If you’re hoping for a brief rundown of what a threat model is, then great news…that’s exactly what we’re going to do.

Threat models

The best description I’ve seen of what threat modelling consists of is in an article by Katie Nickels, who says it’s “the process of figuring out what you have that adversaries care about”.

We don’t all face the same risks, and we don’t all need to take the same precautions as a result. When you see the latest sophisticated nation state attack in the news, it’s bad. But, like most people, you can probably go on as if nothing has happened. That clever spearphishing attack targeting a dozen or so individuals worldwide?

It’s targeting a dozen or so individuals worldwide.

You’ll never see it, and you almost certainly won’t receive messages from Google about it. It’s not in your threat model.

My personal security concerns are based around what’s important to me, what I want to secure, which bits I’m not bothered about, and what is absolutely mission critical at all costs. That’s my threat model.

Sizing up your adversary

You may not need to worry about nation state attacks, but you’ll almost certainly have something in place for the 600th fake tax return invoice landing in your mailbox. That’s an aspect of your threat model you know your business is up against, you know what they’re after, and you’ve put solutions in place to ward it off. It may or may not be the single most important threat your organisation faces…or it might be mid-tier. It will differ from place to place, and that’s fine.

What tends to happen when we see the infamous password book on display, is we apply a one-size-fits-all approach and dismiss it as silly or bad practice.

Well, it could definitely be sub-optimal for someone working with sensitive data. There are far better ways for those individuals to secure their digital demands, in ways that scale up to the likely threats they face. On the other hand, there are many people out there for whom the books will be a perfect fit:

  • People who are simply unfamiliar or uncomfortable with computers. This isn’t uncommon.
  • Those with accessibility or cognitive issues.
  • Folks who feel a lack of control at placing all their password eggs in one (digital) basket.

Password managers

The two pillars of bad password practices are reuse and poor password selection. Software-based password managers are excellent tools for dealing with both problems, which is why they are so widely recommended. They are great for creating increasingly complex passwords all gated behind a variety of secure login methods. Everything from 2FA to regional login lockouts is yours for the taking. That’s great! The more choice, the better.

Even so, many people won’t ever bother with password managers.

Maybe they’re overwhelmed by choice, or the tools they know of don’t meet specific operational requirements. Perhaps the tool they really want to use has no browser extension, or it’s offline only instead of syncing online. It’s also possible they may just find the whole thing too fiddly or complicated, or simply not know they exist.

Depending on OS, type of device, and feature set, something that should be easy can very easily become a chore. From there, bad habits can start to set in, including the eventual removal of the password manager. It’s then a short hop back to Password123.

Password management books: what works and what doesn’t

Some common objections to password books are as follows:

  • If you lose the book while out and about, you’ve lost access to everything.
  • Having to type in your passwords while reading them from a book, instead of having a password manager do it for you, could encourage people to use simple passwords instead of complex ones.
  • Books become a form of abandonware over time, with missing entries, torn pages, logins which have been changed online and not updated, and other logins which never end up in the book at all.

The counters to these points are lengthy, so they get their own sections:

Loss or theft of a password book

Losing the book while outside the home isn’t that different from losing access to a password vault because of technical problems, forgotten master passwords, or other unforeseen happenings. In both cases, something has gone wrong. At least in the case of the book, it’s likely to be kept at home and is reliant on multiple real-world layers of physical security.

That’s much more reliable than “password management tool has its database broken into by anonymous criminals, and there’s nothing you can do about it”. If your home is burgled, you have bigger fish to fry than worrying about your logins. Also, realistically, burglars are looking for expensive items they can take and then sell on. They do not care about the password book in your clothes drawer.

Password books: encouraging simple passwords?

Could books encourage simple passwords? It’s quite possible. Some may find it rather aggravating to hammer out dozens of complicated passwords from page to screen whenever they log in. In my experience, people writing passwords down tend to take more of an interest in making everything unique. After all, nobody is filling 30 pages of a password book with “password123”. What’s the point? Sure, we could end up with a variety of password1234/5/6 instead, but it’s still a bit more varied than the alternative.

I’ve also seen people write passwords only – not usernames or service / website on the pages. What they do instead, is associate certain pages with certain services. This is a great defence against theft or loss, but I’d be worried about forgetting the order. This is also a major negative if the book owner dies and family members need to attempt some form of data recovery. Where would you even begin?

Abandonware in paper format?

Abandonware books, what a concept. I think there’s some merit to this one, but I also think it offers a glimmer of hope. I know someone who did this, and what was happening was a slow transition to software password managers. If filling in some passwords in a book is the stepping-stone someone needs to feel more confident about moving logins to the PC, more power to them. It’s also possible some folks have typed out passwords from books so many times that they can remember the important ones anyway.

This concludes my lengthy counterpoint section.

Maybe they’re not the worst idea after all

The takeaway here is we’re dealing with an imperfect, messy solution for a messy, imperfect requirement to use our accounts. In situations where friends or relatives simply won’t entertain a password manager, it could be a decent (if not the only!) alternative. It really depends on the individual, and how safe it’ll be to drag their logins from screen to page. The password book won’t work for everybody, but it will definitely work for somebody and I think that’s perfectly fine.

The post Relax. Internet password books are OK appeared first on Malwarebytes Labs.

Android “System Update” malware steals photos, videos, GPS location

A newly discovered piece of Android malware shares the same capabilities found within many modern stalkerware-type apps—it can swipe images and video, rifle through online searches, record phone calls and video, and peer into GPS location data—but the infrastructure behind the malware obscures its developer’s primary motivations.

First spotted by the research team at Zimperium zLabs, the newly found malware is already detected by Malwarebytes for Android. It does not have a catchy name, but because of its capabilities and its method for going unnoticed, we are calling it Android/Trojan.Spy.FakeSysUpdate, or in this blog, “FakeSysUpdate” for short.

FakeSysUpdate is not available on the Google Play store, and it is currently unclear how it is being delivered to Android devices. Even more obscured is the visibility of the app to victims.

Once FakeSysUpdate is implanted on a device, it disguises itself to its victims by masquerading as a generic “System Update” application. In fact, when a threat actor uses FakeSysUpdate to steal targeted information from an infected, asleep device, FakeSysUpdate will also send a fraudulent notification posing as a “System Update” that is “Searching for update.”

Beneath the surface, FakeSysUpdate can let a malicious actor steal highly sensitive information while also granting them dangerous control of a victim’s device.

According to Zimperium zLabs, the malware can allow a threat actor to monitor GPS locations, record phone calls, record ambient audio, take photos from the front-facing and rear-facing cameras on a device, observe the device’s installed applications, inspect bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser, and steal SMS messages, phone contacts, and call logs.

If you’ve read our coverage on these types of capabilities in the past, you might think that FakeSysUpdate is just the latest stalkerware-type app on the market. After all, the threats of stalkerware are near identical—pinpointed GPS locations that can reveal a domestic abuse survivor’s location after escape, stolen text messages that can uncover a survivor’s safety planning, and broad, non-consensual invasions of privacy that can harm anyone.

But the inner workings of FakeSysUpdate potentially betray the common uses of stalkerware.

First, according to the researchers at Zimperium zLabs, once the malware is installed on a device, the device is registered with the Firebase Command and Control (C2), upon which a threat actor can send commands through the Firebase messaging service to, for instance, steal a device’s contacts list, record microphone audio, or take a picture using the device’s cameras.

At issue here is who can send the C2 commands. If the commands can be sent by the app’s users, so they can spy on their victims, then it looks like a stalkerware-type app. If the commands can only be issued by the app’s creators, then there’s a good chance that FakeSysUpdate is not stalkerware, but information-gathering spyware. Unlike stalkerware, most (but not all) spyware doesn’t care who its victims are—it is simply looking for information that can be used for extortion or to facilitate further attacks with malware.

That’s contrary to many of the stalkerware-type apps that we see, which are, for lack of a better word, “user-friendly.” They do not require a high-tech proficiency to use or understand. They do not have illegible interfaces. Instead, these apps have familiar layouts, intuitive designs, and easy-to-use commands. For many apps, it’s as simple as logging into a web platform, clicking a menu item, and browsing through private photos without any consent.

Which brings us to the second point: If this piece of malware isn’t being advertised—or if it isn’t really known—as a stalkerware-type app, then it’s less likely that it’s been built as one.

Stalkerware-type apps do not hide in the shadows. They flood Google results for anyone searching how to spy on their romantic partners. They place sponsored articles in major city newspapers (yes, really). The more egregious ones even advertise themselves specifically on their so-called abilities to “catch” cheating partners.

Without knowing how FakeSysUpdate is being advertised—which relates to our lacking information on how it is primarily being delivered to devices—we cannot definitively ascertain its purpose.

Despite the uncertainty, though, one thing is clear: This piece of malware could be devastating. Whether for malicious information gathering or for non-consensual surveillance of a romantic partner, these invasions of privacy are flat-out wrong.

We thank Zimperium zLabs for discovering this malware and for bringing it to the public’s attention.

The post Android “System Update” malware steals photos, videos, GPS location appeared first on Malwarebytes Labs.

The npm netmask vulnerability explained so you can actually understand it

The popular npm netmask library recently encountered a serious problem, explained as follows:

The npm netmask package incorrectly evaluates individual ipv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate ipv4 block ranges, both inbound and outbound.

Got that?

In case you can’t read mumbo jumbo, hold on, and I’ll try to explain.

The basics

The npm library netmask is used by hundreds of thousands of applications and amasses over 3 million weekly downloads. It is used to read and manipulate IP addresses.

If you understand IP addresses and octals, you can skip the next section.

IP address

An IP address tells us how to find a certain device within a network. For each network a computer is connected to, it has an IP address on that network. The IP address for this website is 130.211.198.3, for example.

Some things that happen inside a computer rely on an IP address too. For that we can use either 0.0.0.0 or 127.0.0.1, an address that points the computer back at itself, which is why it is called “home” or “localhost”.

Domains, names used to address computers, are associated with IP addresses. The Domain Name System (DNS) translates domain names used by people, like blog.malwarebytes.com, into the IP addresses used by computers, like 130.211.198.3. The DNS system is often compared to a phone book where you can look up a person’s name to find their phone number.

IPv4 octets

When you see an IP address you will probably recognize it for what it is. The typical format of an IP version 4 address is very familiar: Four numbers between 0 and 255 separated by three dots.

In fact, an IP address is a decimal representation of a 32-bit number. The 32-bit number is grouped 8 bits at a time, and each group of 8 bits is an octet. The octets are separated by a dot and represented in decimal format; this is known as dotted decimal notation. The possibilities range from 0.0.0.0 to 255.255.255.255.

The difference between decimal and octal

Decimal means a number expressed in the base-ten system, the one we use every day, which uses the digits 0 to 9. Octal means the base-eight system, which uses only the eight digits 0, 1, 2, 3, 4, 5, 6 and 7.

Since an IP address is a 32-bit number, it makes a lot of sense to use the octal number system. In that system the dotted octal 127.0.0.1 looks like 0177.0000.0000.0001. Here’s why:

In decimal, numbers are written according to how many ones they have, how many tens, how many hundreds, and so on. So the number 127 is 1 * 100, 2 * 10 and 7 * 1.

In octal, numbers are written according to how many ones they have, how many eights, how many 64s, and so on. So the number 127 is represented as 0177: the leading 0 is a prefix that marks the number as octal, and 177 is 1 * 64, 7 * 8 and 7 * 1.

Using different numerical systems is no problem for computers, as long as it’s clear which one you are using. Allowing mixed input for an application is asking for problems, however.

The netmask vulnerability

Zeroes

To understand the problem it helps to understand how things are supposed to work. Copy the octal IP address 0177.0000.0000.0001 into your browser address bar: it should get correctly translated to 127.0.0.1. Now try 0177.0.0.1 in the same browser, and act surprised when it still takes you to 127.0.0.1 despite the fact that we did not write out the last three octets in full.

127.0.0.1 and 0177.0.0.1 look like they are in the same notation but they are not. The first zero on 0177.0.0.1 makes all the difference, and your browser knows this.

The bug

The problem with netmask was that it stripped leading zeroes from IP addresses. So, if you fed it an address that starts with a zero, like 0177.0000.0000.0001, it would not recognise it as an octal address and turn it into the decimal version, 127.0.0.1, like your browser does. Instead it would treat it as a decimal address, 177.0.0.1, which is an address for a completely different computer.

While this may seem more of an inconvenience than a security problem at first sight, when an attacker is able to influence the IP address input being parsed by the application, the bug can give rise to various vulnerabilities.

Private IP or not?

Remember when I wrote that your computer has an IP address in every network it is connected to? Some IP address ranges are reserved for internal networks and can’t be used on the Internet. The most well-known is probably 192.168.1.0 to 192.168.1.255, often written as 192.168.1.xxx. Many home networks use the 10.0.1.xxx network range.

Importantly, many systems are set up to be more trusting towards traffic coming from inside a private network. See how that might pose a problem? If an attacker fed a vulnerable version of netmask the address 012.0.0.1, netmask would read it as the public address 12.0.0.1 instead of the private address 10.0.0.1.

According to netmask’s own maintainer, the vulnerability could have allowed an attacker to abuse this trust and gain access to all kinds of things they shouldn’t:

A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts
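As an added example (not the netmask library’s own code), here are three IPv4 octet parsers side by side: a lenient one that strips leading zeroes as the vulnerable versions did, an octal-aware one that reads 0177 the way the browser does, and a strict decimal-only one that rejects ambiguous input. The parser names and the RFC 1918 private blocks used for the “private or not?” check are this example’s own choices.

```javascript
// Added example, not netmask's code: how a parser that strips leading zeros
// turns the private address 012.0.0.1 (octal for 10.0.0.1) into the public
// address 12.0.0.1, and two parsers that avoid the misclassification.

// Lenient parser, modelling the behaviour described in the article: leading
// zeros are dropped and the remaining digits are read as decimal.
function parseOctetLenient(text) {
  if (!/^\d+$/.test(text)) return null;
  const n = parseInt(text.replace(/^0+(?=\d)/, ''), 10);
  return n <= 255 ? n : null;
}

// Octal-aware parser: an octet with a leading zero is octal (0177 -> 127),
// which is how the browser in the article reads 0177.0.0.1.
function parseOctetOctalAware(text) {
  let n;
  if (/^0[0-7]+$/.test(text)) n = parseInt(text, 8);
  else if (/^(0|[1-9]\d*)$/.test(text)) n = parseInt(text, 10);
  else return null;
  return n <= 255 ? n : null;
}

// Strict parser: only canonical decimal octets are accepted. Anything with a
// leading zero is rejected rather than guessed at, the safest choice for code
// that filters addresses.
function parseOctetStrict(text) {
  if (!/^(0|[1-9]\d{0,2})$/.test(text)) return null;
  const n = Number(text);
  return n <= 255 ? n : null;
}

// Convert dotted notation to an unsigned 32-bit integer using a chosen parser.
function ipv4ToInt(address, parseOctet) {
  const parts = address.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    const octet = parseOctet(part);
    if (octet === null) return null;
    value = value * 256 + octet;
  }
  return value;
}

// Private ranges from RFC 1918, in CIDR notation.
const PRIVATE_BLOCKS = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];

// True when the integer address falls inside the CIDR block.
function inCidr(addressInt, cidr) {
  const [base, prefixText] = cidr.split('/');
  const prefix = Number(prefixText);
  const baseInt = ipv4ToInt(base, parseOctetStrict);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addressInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Classify an address as 'private', 'public' or 'invalid' under a parser.
function classify(address, parseOctet) {
  const n = ipv4ToInt(address, parseOctet);
  if (n === null) return 'invalid';
  return PRIVATE_BLOCKS.some((block) => inCidr(n, block)) ? 'private' : 'public';
}

// The article's example: 012.0.0.1 is 10.0.0.1 in octal, a private address.
for (const [name, parser] of [
  ['lenient', parseOctetLenient],
  ['octal-aware', parseOctetOctalAware],
  ['strict', parseOctetStrict],
]) {
  console.log(`${name}: 012.0.0.1 -> ${classify('012.0.0.1', parser)}`);
}
```

Only the lenient parser reports 012.0.0.1 as public; the octal-aware parser reports it as private and the strict parser refuses it outright.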

CVE-2021-28918

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This zero-day is listed as CVE-2021-28918.

The fix for CVE-2021-28918 has been released in version 2.0.1 of netmask on npm. The Perl component Net::Netmask also suffered from this flaw, and its maintainer, Joelle Maslak, has released a fix in version 2.0000 today.

Stay safe, everyone!

The post The npm netmask vulnerability explained so you can actually understand it appeared first on Malwarebytes Labs.

Malicious commits found in PHP code repository: What you need to know

You’ve probably heard that PHP’s Git repository was recently compromised, allowing backdoors to be added to the code located there. You may also be wondering what that means, what a supply chain attack is, and how you could be affected. Read on and we’ll lead you through a straightforward description of this attack’s many moving parts.

What is a supply chain attack?

This is where an attacker compromises something a project or organisation depends on. In the world of modern software development, where third-party code is reused on a massive scale, it often means compromising something used by lots of other organisations, which can result in the compromise of everyone else further down the chain too.

The bigger the target they snag initially, the wider the reach as the attack slides downstream. This can be very messy to sort out afterwards as news of the attack slowly comes to light over time. It’s a win for attackers, as organisations can’t typically build everything they need themselves. Third-party tools and software will come into play eventually and if one of them is compromised by attackers, everything that uses or includes them is affected.

In this case, attackers going after PHP, which is used the world over, would qualify as a potentially huge supply chain attack.

What is Git?

Git is a version control system which tracks changes to your file(s) over a period of time. It makes this rather cumbersome process much more straightforward thanks to its repository. You can roll back changes if you make a mess of things, move files around, merge contributions from others, and so on.

That may sound a bit confusing, but don’t worry. A very basic comparison would be the page history view on Wikipedia, where you can see all changes made from creation of the page onward. If you understand how that works, then you’ll grasp how Git allows you to outline the who’s and what’s of edits made, the file reversions, the ability for different developers to work on projects in a non-chaotic fashion, and so on.

Put simply, it’s really good and very handy for all sorts of projects.

What is PHP?

PHP is something you almost certainly run into all the time. PHP, created in 1994, is a scripting language which is ideal for web development. It’s also incredibly popular. If something went wrong with or for PHP in terms of malicious actions, that could be quite bad.

As it happens…

A backdoor was added to the PHP code repository, which is definitely up there in the “quite bad” stakes. The PHP team aren’t sure how it happened yet.

What did the attackers do?

Remember the Wikipedia mention earlier? You know how some pages attract trolls and an edit war with defacements and roll-backs is the end result? A similar thing happened here. The malicious code additions were made by someone disguising their alteration as a typo fix, under the name of the creator of PHP.

The rogue code allowed for backdoor access into websites running the non-legit version of the code. It was removed, put back, and removed again some time later.

As a result of this attack, the PHP team are making some changes to how they operate moving forward. According to PHP’s Nikita Popov, “everything points towards a compromise of the git.php.net server”, meaning that the computer that Git was running on was compromised, rather than individuals’ Git accounts. So, like much of the rest of the world, the team is moving its code to GitHub:

While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.

Contributors will also have to be part of the PHP organization on GitHub, which requires two-factor authentication.

This will hopefully make it much more difficult for something like this to happen again.

Am I affected?

According to ZDNet’s reporting, the commits (changes) were caught in the nick of time. As a result, users shouldn’t be affected. The PHP team are also digging into everything available, to ensure no other dubious alterations were made without anybody realising.

In short, you’re likely fine. The story is still developing, so it’d be wise to keep an eye on the news for the next few weeks. As for the attack itself? Opinion is split in some quarters as to how malicious it was intended to be. Although the commits were done in a way to suggest they wanted to stay hidden, it was almost inevitable they’d be found. Some folks have suggested a zero day was publicly “burnt” (used up) to warn of the danger of such a technique. Others maintain it was flat out malicious, end of story.

Whatever the truth of the story, it’ll be fascinating to see how things pan out. A little less excitement for stories related to code keeping 79% of websites ticking over would be a nice status quo to go back to.

The post Malicious commits found in PHP code repository: What you need to know appeared first on Malwarebytes Labs.

PYSA, the ransomware attacking schools

The education sector’s cybersecurity problem has compounded in the last few months. A recent warning from the FBI, in mid-March, put schools in the US and UK on notice of increased attacks from the threat actors behind the PYSA ransomware.

If this is the first time you’ve heard of this family, read on.

What is PYSA ransomware?

Home page image of the PYSA data leak site (Courtesy of Marcelo Rivero)

The PYSA ransomware is a variant of the Mespinoza ransomware.

PYSA, which stands for “Protect Your System Amigo”, was first named in open source documents in December 2019, two months after Mespinoza was spotted in the wild. Mespinoza originally used the .locked extension on encrypted files, and then shifted to using .pysa. Because of this, many use the names PYSA and Mespinoza interchangeably.

PYSA, like many known ransomware families out there, is categorized as a ransomware-as-a-service (RaaS) tool. This means that its developers have rented out this ready-made ransomware to criminal organizations, who may not be technically savvy enough to produce their own. PYSA customers can customize it based on options provided by the RaaS groups, and deploy it to their liking. PYSA is capable of exfiltrating data from its victims before encrypting the files to be ransomed.

According to Intel 471, a threat intelligence company, PYSA/Mespinoza is a tier 2 RaaS operator as it has been gaining reputation in the underground. Operators or crews who do this have a page—called a “leak list”—where they name and shame victims who decide not to pay the ransom. Victims are listed with an accompanying attachment containing files the threat actors exfiltrated from them.

PYSA’s “leak list” blog uses a vintage MS-DOS theme and ASCII art. Threat actors explicitly call their victim organizations “Partners”. (Courtesy of Marcelo Rivero)

PYSA ransomware has at least three known infection vectors: brute-force attacks against management consoles and Active Directory (AD) accounts, phishing emails, and unauthorized Remote Desktop Protocol (RDP) connections to domain controllers. Once inside a network, the threat actors take their time scanning files using Advanced Port Scanner and Advanced IP Scanner, both of which are free software, and move laterally within the network using PsExec.

The threat actors then manually execute the ransomware within the network after exfiltrating all the data they need for leverage. Files are encrypted using AES implemented with RSA-encrypted keys.

Who has been attacked by PYSA?

PYSA is known to target large private organizations and those in the healthcare industry. They have also hit government groups across multiple continents. Recently, PYSA has increasingly been used against educational institutions in the US and UK.

Below is a non-exhaustive list of incidents involving PYSA:

  • In March 2020, CERT France issued a warning to French local governments of PYSA’s increased attacks.
  • In May 2020, MyBudget, Australia’s money management firm, experienced an “outage” that lasted 13 days (from 9 May to 22 May). Leaks of exfiltrated data landed on PYSA’s blog. The company then later confirmed to iTWire on 29 May that the long outage was caused by a ransomware attack. The next month, however, sources noticed that MyBudget’s name and files were taken down from PYSA’s blog, leading some to speculate that it may have paid the ransom, despite assurances that it had “no intention of engaging with ransom demands.”
  • In October 2020, a “serious cyberattack” affected London’s Hackney Council in the UK, leaving it unable to process housing benefit payments and causing house purchases to fall through. Although the council was tight-lipped about the entire incident at first, it became known that the PYSA ransomware threat actors were behind the attack after they leaked the data they had exfiltrated from the council in January 2021.

Does Malwarebytes detect PYSA ransomware?

We sure do. We detect it as Ransom.Mespinoza.


Indicators of compromise (IOCs)

SHA256 hashes:


Ransom note file, Readme.README, containing the following content:

Hi Company,

Every byte on any types of your devices was encrypted.
Don’t try to use backups because it were encrypted too.

To get all your data back contact us:
{2 @protonmail.com email addresses}

————–

FAQ:

1.

Q: How can I make sure you don’t fooling me?

A: You can send us 2 files(max 2mb).

2.

Q: What to do to get all data back?

A: Don’t restart the computer, don’t move files and write us.

3.

Q: What to tell my boss?

A: Protect Your System Amigo.

The post PYSA, the ransomware attacking schools appeared first on Malwarebytes Labs.

5G slicing vulnerability could be used in DoS attacks

The IT security researchers at AdaptiveMobile have called out what looks like an important vulnerability in the architecture of 5G network slicing and virtualized network functions. They warn that the risks, if this fundamental vulnerability in the design of 5G standards had gone undiscovered, are significant.

What is 5G?

5G is the 5th generation mobile network. It is the fifth new global wireless standard after (you’ll never guess) 1G, 2G, 3G, and 4G. 5G enables a new kind of network that is designed to connect virtually everyone and everything together, including machines, objects, and devices. 5G is based on OFDM (Orthogonal frequency-division multiplexing), a method of modulating a digital signal across several different channels to reduce interference.

What is 5G network slicing?

5G network slicing is a network architecture that enables the multiplexing of virtualized and independent logical networks on the same physical network. Basically, the actual 5G network is compartmentalized into multiple virtual networks that function independently.

This allows the infrastructure providers to divide their network up into several independent ones for separate mobile network operators. A mobile operator can create specific virtual networks that cater to different clients and use cases.

The vulnerability

Network functions are services available within a network, and in 5G they can be dedicated to a single slice, or shared between multiple slices. AdaptiveMobile Security looked at 5G networks that contain both shared and dedicated network functions.

What it learned was that when a network has network functions that support several slices, there is a lack of mapping between the application and transport layer identities, which allows rogue slices to do more than they are allowed. The separate networks were not as separate as they should be.

The fundamental vulnerability has the potential to allow data access and denial of service attacks between different network slices on a mobile operator’s network.

5G networks are complex, and so are the attacks. AdaptiveMobile sets out a few examples in its report, but the easiest to explain is an example of a Denial of Service (DoS) attack.

Imagine a network carved into two slices that can both have access to the same shared network function (“the shared service”). We’ll call the slices “Victim” and “Aggressor”, just to make it really obvious! In our example, the Aggressor network slice is under the control of a rogue operator who wants to run a DoS attack against the Victim network slice.

In simple terms, the Aggressor slice sends a message to the shared service, claiming that it is the Victim slice, and that it’s overloaded and does not want to receive any communication from the shared service, thereby denying that service to Victim.

The attack works because, although the shared service correctly checks that the Aggressor slice is permitted to talk to it at all, nothing requires it to check that the slice identity carried inside those messages matches the slice the sender was actually authorized as.

Or, as the report puts it:

Currently, there is no requirement in the 3GPP specifications to validate if the slice identity in the 3GPP-Sbi-Oci header matches the slice identity in the token for the service API usage.
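To make that missing check concrete, here is an added example (not code from AdaptiveMobile, 3GPP or any real 5G core) that models a shared network function receiving overload-control information. The access token is represented as already-verified claims with a hypothetical "slice" claim standing in for whatever slice binding a real token carries, and the 3GPP-Sbi-Oci header is reduced to a simplified "name: value; name: value" string with an S-NSSAI entry; both are assumptions made for illustration. The vulnerable handler does what the report describes: it authorizes the caller and then honours the header for whichever slice it names. The hardened handler additionally requires the header's slice identity to match the token's.

```python
"""Shared 5G network function handling 3GPP-Sbi-Oci overload-control messages.

Added example: models the slice-identity check the report says 3GPP does not
require, beside a hardened version that requires it. The token claim "slice"
and the header layout are simplifications assumed for this illustration.
"""
from dataclasses import dataclass, field

SERVICE_SCOPE = "nsmf-pdusession"  # scope the shared service expects in a caller's token

# Constructed access-token claims, as the shared service sees them after the
# token signature has already been verified (claim name "slice" is assumed).
AGGRESSOR_TOKEN = {"sub": "nf-aggressor-01", "scope": SERVICE_SCOPE, "slice": "slice-aggressor"}
VICTIM_TOKEN = {"sub": "nf-victim-01", "scope": SERVICE_SCOPE, "slice": "slice-victim"}

# Constructed attack message: sent with the Aggressor's token, but the header
# claims the *Victim* slice is overloaded and wants its traffic reduced by 100%.
ATTACK_OCI = ("Timestamp: Tue, 23 Mar 2021 10:00:00 GMT; Period-of-Validity: 600; "
              "Overload-Reduction-Metric: 100; S-NSSAI: slice-victim")


def parse_oci(header: str) -> dict:
    """Parse the simplified 'name: value; name: value' header into a dict."""
    fields = {}
    for part in header.split(";"):
        if ":" not in part:
            continue
        name, value = part.split(":", 1)  # split once: the timestamp itself contains ':'
        fields[name.strip()] = value.strip()
    return fields


@dataclass
class SharedService:
    """A network function shared by several slices; records which slices it has throttled."""
    throttled: set = field(default_factory=set)
    rejected: list = field(default_factory=list)

    def _caller_allowed(self, token: dict) -> bool:
        # The check the service already performs correctly: is this caller
        # permitted to talk to the service at all?
        return token.get("scope") == SERVICE_SCOPE

    def handle_oci_vulnerable(self, token: dict, oci_header: str) -> bool:
        """As described in the report: honour the OCI for whatever slice the header names."""
        if not self._caller_allowed(token):
            self.rejected.append((token.get("sub"), "unauthorized"))
            return False
        oci = parse_oci(oci_header)
        self.throttled.add(oci["S-NSSAI"])  # no comparison with the slice bound to the token
        return True

    def handle_oci_hardened(self, token: dict, oci_header: str) -> bool:
        """Hardened: the slice named in 3GPP-Sbi-Oci must be the slice bound to the token."""
        if not self._caller_allowed(token):
            self.rejected.append((token.get("sub"), "unauthorized"))
            return False
        oci = parse_oci(oci_header)
        if oci.get("S-NSSAI") != token.get("slice"):
            self.rejected.append((token.get("sub"), "slice mismatch"))
            return False
        self.throttled.add(oci["S-NSSAI"])
        return True


def run_attack(hardened: bool) -> dict:
    """Replay the Aggressor-vs-Victim DoS against one handler and report the outcome."""
    svc = SharedService()
    handler = svc.handle_oci_hardened if hardened else svc.handle_oci_vulnerable
    accepted = handler(AGGRESSOR_TOKEN, ATTACK_OCI)
    return {
        "accepted": accepted,
        "victim_throttled": "slice-victim" in svc.throttled,
        "rejected": list(svc.rejected),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_attack(mode))
```

Running it shows the vulnerable handler accepting the Aggressor's message and throttling the Victim slice, while the hardened handler rejects it with a slice mismatch; the Victim's own token still passes the hardened check, so the fix does not break legitimate overload signalling.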

How can this be abused?

According to AdaptiveMobile, an attacker with access to the 5G Service Based Architecture could gain access to data and launch denial of service attacks across multiple slices:

  • The operator and their customers would be exposed to the loss of sensitive location data.
  • Denial of service against another network function on the same network.
  • Access to a network function, and related information, belonging to another vertical customer.

Is there any real danger?

To pull off a successful attack you would first have to be accepted as a mobile operator and be assigned a "slice" of the 5G network, which would set you back a significant amount, probably far more than you could ever hope to gain by exploiting the flaw. The only real and current danger would be if two competitors on the same network decided to spy on one another. Given the limited number of network operators and the cost involved in becoming one, the danger to customers seems non-existent.

But, once a flaw has been found, there is a good chance more will follow, and it is better to expose these flaws than to discard them just because they are harmless now. Because, as the head of 5G Security Research at AdaptiveMobile Security, Dr. Silke Holtmanns, put it:

“Having brought this to the industry’s attention through the appropriate forums and processes, we are glad to be working with the operator and standards communities to highlight this issue and promote best practice going forward.”

In short, it’s good to be aware of existing vulnerabilities, but we have seen much more effective DoS attacks against 5G.

The post 5G slicing vulnerability could be used in DoS attacks appeared first on Malwarebytes Labs.

The one reason your iPhone needs a VPN

For years, Apple has marketed its iPhone as the more secure, more private option when compared to other smart phones, which do not, by default, include an end-to-end encrypted messaging app, warn users repeatedly about app location requests, or provide a privacy-forward Single Sign-On feature.

But, while Apple has taken several commendable steps toward protecting users, the company's reach only goes so far, which means that it alone cannot stop threat actors from snooping on users' unencrypted web traffic, poorly configured apps from leaking user data to rogue WiFi networks, or mobile phone carriers from selling user data to make money.

For those problems, iPhone users would greatly benefit from using a Virtual Private Network (VPN). A VPN creates an encrypted “tunnel” between your phone and somebody you trust, such as the company you work for, or your VPN provider. Your phone traffic is routed through the tunnel, where it’s protected from surveillance, before joining the internet.

Using a VPN on an iPhone can bolster the overall privacy and security that users have come to expect from the Cupertino-based phone maker, which has literally gone to court to fight back against efforts to downgrade its mobile operating system’s security.

If there’s one reason users need to use a VPN with their iPhones, it’s this: A VPN can protect where Apple cannot. Below is a list of reasons why you need a VPN on your Apple iPhone:

VPNs encrypt your iPhone’s web activity

The Internet is a complex place, with countless servers hosting trillions of web pages, visited by billions of machines every day. When you use the Internet, there are some safeguards in place for protecting your online activity, but those safeguards are incomplete and they aren’t the work of Apple. Expecting Apple to protect all of your Internet traffic is like expecting Ford to make safer highways.

Because of this, when you use an iPhone to browse online, you could still be vulnerable to threat actors snooping on your Internet traffic when you use a public WiFi network, like when working at a café, staying at a hotel, or waiting for a flight at the airport.

Using a VPN on your phone can protect you against those attacks, in exactly the same way it would if you were browsing the web on your laptop or desktop machine. You get the same security and the same privacy boosts, no matter the device. This is crucial because, as users begin to spend more time navigating the Internet on their phones, they are spending more time connecting to it from untrusted environments, over somebody else’s WiFi.

The good news for Internet users is that there is a long-standing effort to encrypt the entirety of the web. But although great strides have been made in the last decade, it’s important to remember that the Internet today is not yet reliably private or secure. Whilst lots of web pages are served over HTTPS (the secure form of HTTP) many are not, and most DNS lookups—which reveal the names of the websites you’re visiting—are vulnerable to snooping.

The better news is that, until the entirety of the web is encrypted, a VPN will fill in the gaps and provide much of the security online that Apple can’t control. Remember, the iPhone’s security can only go so far.

VPNs encrypt your iPhone’s app traffic  

Encrypting your iPhone’s web activity while browsing online is good, but realistically, many of your iPhone apps are connecting to the Internet on a near round-the-clock basis, crunching data in the cloud, and refreshing in the background to check for notifications and updates. Just because these connections aren’t happening through a browser doesn’t mean that threat actors are any less interested in them.

In fact, the vulnerabilities of many poorly configured apps are likely too many to count. Time after time, studies of different types of apps have shown too many are either missing the encryption necessary to protect you, or that it exists in a weak, flawed or broken state. And, most alarmingly, there is no way for users to tell the good apps from the bad ones without specialist knowledge and equipment.

Just like the web, there is only so much that Apple can do to protect you from apps that communicate insecurely. But, again, a VPN can help plug the gaps in your apps’ encryption by wrapping it all in a protective tunnel.

VPNs stop your carrier from monetizing your data

Protecting your Internet activity from eavesdropping doesn’t just defang threat actors, it also prevents your mobile service carrier from making an extra buck at the expense of your privacy. At least in the United States, mobile service carriers like Verizon, AT&T, and T-Mobile can look at your Internet activity—including what you look at, what apps you’ve downloaded, and how you interact with certain services—and then bundle that activity into profiles that they can sell for advertising purposes.

If this sounds wrong to you, you’re not alone. And if you think that mobile carriers wouldn’t abuse your data, think again. Last year, the US Federal Communications Commission announced a collective $200 million in fines against Verizon, AT&T, Sprint, and T-Mobile for those companies’ sale of user location data without users’ consent.

A VPN on iPhone will hide a great deal of your Internet activity from your mobile carrier, in the exact same way that it hides your online activity from your Internet Service Provider. Your carrier is on the outside of the VPN’s tunnel and can’t look inside it. Take a stand for your privacy and reclaim your Internet activity for yourself.

By now, it should be clear that using a VPN with an iPhone isn’t futile, or redundant, or useless. In fact, it’s a great way to bolster your security and your privacy.

The post The one reason your iPhone needs a VPN appeared first on Malwarebytes Labs.

Steam users: Don’t fall for the “I accidentally reported you” scam

Suppose that, out of the blue, a Steam user tells you they’ve accidentally reported you for something you didn’t do, like making an illegal purchase, and that your Steam account is going to be suspended.

They ask you to message a Steam admin, whose profile they kindly provide, to help you sort out this dilemma.

What do you do?


There are some scams on Steam which have stood the test of time. Their tactics and targets have remained generally consistent for years. Phishing campaigns aimed at harvesting as many user credentials as possible, for example, are a dime a dozen. And let’s not forget the many ways a fraudster can dupe Counter-Strike: Global Offensive (CS:GO) players.

Like Steam phishing campaigns, this particular Steam scam—referred to loosely as the “I accidentally reported you” or “I accidentally reported your account” scam—has been coming and going since initial reports of it emerged in late 2018. To date, it has no target other than Steam users. And, based on its latest iteration, it targets Steam users who also have a Discord account.

For those who aren’t aware of this scam and its variants, below is a breakdown of how the scam works. On the other hand, if you’re quite acquainted with it, dear Reader, then feel free to skip to the next section.

The Steam scam playthrough

The hello

The fraudsters behind the “I accidentally reported you” scam usually approach their targets under the pretext that they need something, or they have something to say. Anything to suggest that it’s something important and that they should be heard out.

They may already be a Steam “friend”, from a couple of days or years ago, someone in the same Steam group as you, or a user who wants you to add them to your friends list.

[Image via Reddit user /u/Moritz_M05: the scammer’s opening message]
These scammers are straightforward but polite, usually greeting you first before asking if you’re busy so as not to intrude. They are even convincingly apologetic.

I’m so sorry but I accidentally reported your account to the steam admin for scamming me and duping items instead of someone who impersonated your profile and that impersonator is a scammer who scammed me 🙁

There is no word-for-word script that scammers stick to, but the gist is this: someone posing as you scammed them, but they reported you instead of the impostor.

Note that other variants of this scam will claim that they have reported you for “doing illegal purchases”—another reason to cause a degree of alarm but flawed, nonetheless.

The help

[Image via /u/Moritz_M05]

I’m worried about your account now bro because the steam admin already ban his account

[Image via /u/Moritz_M05]

if my report on your account gets process you will get ban too just like the scammers account 🙁

At this point, the scammer drives home the point that your account will get banned next unless something is done. The scammer then insinuates that help is on the way: a “Steam admin” who will cancel the report and remove the target’s account from the ban pile. First, however, the target must confirm to this admin that the report against them was a mistake.

ok so here is the profile of the steam admin if he accept just file a ticket to him that you are not involved in the report

The sharing of a legitimate profile—or what appears to be legitimate—that is connected to Steam or its developer, Valve, is one of the tactics scammers employ to make their claims look more truthful.

If you raise the possibility that this Steam admin might not accept your friend request, the scammer suggests that you contact them via Discord.

[Image via /u/Moritz_M05]

can you add him on discord? so that if he cannot notice your req on steam maybe he will notice it on discord.

anyway I need to show you something

Oh no, what now?

this is a reply about my report on your account

[Image via /u/Moritz_M05] The scammer shows a purported response from “Jill”, the Steam admin of this case, containing explicit instructions to contact the party who was mistakenly blocked and have them contact her as well through Discord. She even left her Discord user name.

It’s another reinforcement tactic, to erase any doubts you may still have. Frankly, it’s overkill at this point.

The hogwash

Convinced of what you must do and who you need to contact, you get in touch with the Steam admin. Of course, this admin is fake and likely either the scammer or an accomplice.

Note that the tone of the conversation changes here. The scammer’s concerned and helpful front is gone once you start chatting with the fake admin:

Hello there, Please state the reason why did you add me?

After you briefly explain the situation, the fake admin asks for a screenshot of the chat that transpired between you and the scammer.

I received the report according to our coordinator’s review about illegal activity for Illegal Purchased but you don’t have to worry here if you’re not really involved in the said issue. I will remove the banned report issue in your account. All you need to do is to prove that your account is in good condition and it was a false accusation so that Valve Report Assistance Team will cancel the Banned report charge on your account

The proof they ask for is a screenshot of your purchase history. They will also ask you to log out of your Steam account on your computer and/or mobile so they can “start the scanning of your account status”. Of course, there is no scan. The fake admin asks this as a lead in to asking for more information—for starters, the email address tied to your Steam account.

An email address is needed when a Steam user finds themselves locked out of their account and they forgot their account name or password.

The fake admin asks you to get the verification code sent by Steam to your email address. If you happen to have Steam Guard enabled, the fake admin will ask for the code as well.

Never give anybody your Steam Guard code. Steam Support will never ask for it, and whoever holds it can complete a login or a trade as you.

In some cases, the fake admin will ask you to send them the reported duplicate item to check if it was, indeed, a duplicate via the Steam trading function. This is framed as “borrowing” the item, but you won’t be getting it back.

If you comply with the fake Steam admin you can lose your accounts, your game items, and even money.

Targets who question any of the tasks the fake admin asks them to do are met with the pressure to respond quickly because they’re “running out of time”, they are presented with a fake certificate, or they are threatened with having their accounts deleted.

[Image via /u/GatoTristeY] Fake Steam admin not giving you any choice but to comply, or else.
[Image taken from a hijacked Steam profile] I know, right?
[Image via /u/freshfred69] “Shall I proceed your account to deletion?”

Although many Steam users will never get this far into the scam, some aren’t so lucky. Some, despite sensing that something is off, aren’t 100 percent sure whether they’re dealing with a scammer or not.

True social engineers, or just desperate?

What we believed to be the first variant of this scam in 2018 was simple and solely focused on misusing the Steam trading function. This scam is now highly evolved and, one can say, has branched out into other nefarious acts, such as hijacking accounts, rare item theft, and other ways scammers can milk victims of their (or their parents’) hard-earned money.

Like most scams, the “I accidentally reported you” scam relies heavily on social engineering tactics that aim at gaps in a Steam user’s familiarity with how things work within the platform’s ecosystem.

Scammers want to appear believable, so it’s no surprise they use already hijacked accounts that have a good standing on Steam when reaching out to targets. The same can be said about Discord accounts under their control.

[Image via /u/CoffeeMapachi] Scammers refurbish accounts to make them look like a Valve employee’s by customizing the profile URL and adding background info. If this doesn’t scream “I’m a Valve employee!”, then I don’t know what does.

The scammers behind this scheme also come prepared. Not only do they have the materials—screenshots and a guide script—they need to counter frequent questions raised about their credibility, they are also not afraid to play on Steam users’ fears, even at the risk of losing the credibility they already built up with their target.

Familiarize and exercise

Steam has always put the onus of not getting scammed onto its users. If you do get scammed, Steam Support will assist to the best of its ability, including helping you get a hijacked account back. Beyond that, such as retrieving a stolen rare item or refunding money if your account has been used to purchase Steam gift cards (for example), they likely won’t be able to help.

That said, it’s crucial for Steam users to realize that they may have blind spots and may not be as well acquainted with some aspects of the platform as they think. Filling in these blind spots can help you spot scams.

Know that:

  • There is no such thing as “Steam admin”, false report, or a “Certificate of Eligibility”.
  • There are Valve employees with Steam profiles. And they proudly display a legitimate badge to prove this. They are top-tier moderators (mods) who have full administrator privilege in Steam.
  • Real Valve employees belong to two invite-only groups, which are Valve and Steam.
  • There are Steam Community Moderators. Like Valve employees, current and retired moderators have their own badges, too. Community moderators can ban users, among other things.
  • Real Steam Community Moderators, both active and inactive, belong to the invite-only group, STEAM Community Moderators (SUFMods).
  • There is a page where you can look up all Steam Community Moderators.
  • Scammers link back to legitimate profiles of Valve employees or Steam moderators to hook targets into reaching out through Discord. These Discord accounts are not run by Valve employees but by scammers.
  • There is no such thing as an illegal item, so there is no need for anyone to review an item.
  • If an item does need inspection, Valve employees would not require you to hand them over. They will just look it up in their database.
  • Duplicate items (or dupes) exist, but they are not illegal. Duplication was done years ago by Steam Support to restore scammed or stolen items for hijacked victims. Steam Support doesn’t do this anymore.
  • If you have handed over an item to someone claiming to be a “Steam admin”, consider it gone forever. The current policy is that Steam Support does not restore items that have left an account, including scammed ones.
  • If there is a problem with your account, or you have an impending ban, Steam will let you know either via email, a Support ticket, or account alerts. Here is an example [link to account-alert-sample] (taken from Steam on Reddit).
  • A Steam moderator will never contact you via chat or a third-party app like Discord for any reason.
  • A Steam moderator will never mediate between you and another user.

Secure your Steam account by using a strong password, taking full advantage of Steam Guard—Steam’s two-factor authentication method—and be aware of the latest scams that are targeting you as a Steam user. Keep the above points in mind, and stay safe!

The post Steam users: Don’t fall for the “I accidentally reported you” scam appeared first on Malwarebytes Labs.

Why you need to trust your VPN: Lock and Code S02E05

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we speak to Malwarebytes senior security researcher JP Taggart about the importance of trusting your VPN.

You’ve likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising.

But obscuring your Internet activity—including the websites you visit, the searches you make, the files you download—doesn’t mean that a VPN magically disappears those things. It just means that the VPN itself gets to see that information instead.

Tune in to hear about what your VPN can see, why it is important for that information to be secured, and how you can safely transfer your trust to a VPN, on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news:

  • Hades ransomware has been linked to the Evil Corp cybercrime gang who uses it to evade sanctions. (Source: BleepingComputer)
  • Researchers discover two dozen Chrome extensions that are being used to serve up unwanted ads, steal data, and divert users to malicious sites. (Source: DarkReading)
  • An advisory for two high-severity flaws has been issued by the OpenSSL project. (Source: SecureBlink)
  • A $50m ransomware demand made against PC manufacturer Acer by the REvil/Sodinokibi cyber crime syndicate sets a new record. (Source: ComputerWeekly)

Stay safe!

The post Why you need to trust your VPN: Lock and Code S02E05 appeared first on Malwarebytes Labs.

Don’t post it! Six social media safety sins to say goodbye to

If you or anyone you know is committing the below social media sins, it’s time to change that habit of an online lifetime. Even the most innocuous of things can cause trouble down the line, because everyone’s threat model is different. Unfortunately, people tend to realise what their threat model is when it’s already too late.

With this handy list, you’ll hopefully avoid the most common mistakes which are served up to social media with a dash of eternal regret.

Don’t post: credit card information

Yes, people do this. Someone is issued a new credit card. Perhaps it’s their first and they’re really excited. They want to tell the world…and they do it by posting up un-redacted shots of the front and back of the card. If they’re really unlucky, they’ve left bits and pieces of personal information on the same profile or elsewhere. I’m not sure why, but these posts often stay online long after hundreds of people have replied with “Delete this!”

It’s a mystery we may never get to the bottom of.

Don’t post: medical information

This is quite a timely one. Various forms of medical data are very popular on social media right now, especially due to the pandemic. Got a nice health and wellbeing story? Off it goes into Twitter or Facebook. This can bring problems, however. Back in 2017 we looked at the trend of posting X-Rays to social media. Even where people thought they’d redacted everything, some details still slipped through the net.

Wind forward to 2021, and we have people posting vaccination selfies. Those are fine. However, close-ups of the sheets or slips detailing patient information in relation to their vaccine are not. There are plenty of folks posting these images from all over the world, which is to be expected. We beg you to ask yourself if you really need to post it and, if you do, please redact most if not all of the information on these cards. You really don’t need it online.

Don’t post: visas and passport photos

Many immigration advice firms post to social media whenever they manage to obtain visas for their clients. That’s great! Well done. What’s not so great? Posting images of the client’s passport to social media, usually along with the visa, or other entry document.

Occasionally they’ll redact some of the data…but not all of the time. And even when name, address and date of birth are obscured, other elements are left visible. That could be a biometric residence permit number, or something else specific to the client’s identity in their new country of residence. Given these are Government-issued documents, it’s best not to post any of it online at all. There are often steep fees for replacement documents, and I’m not sure it’s any better if they need replacing due to negligence as opposed to loss.

Let’s say “It’s probably worse” and resolve to never do it again.

If you’re a customer of organisations helping arrange visas and you know they have social media accounts? Feel free to keep an eye on their feeds, especially if you see they already do this. You’ll probably find yourself posted online at some point, and even with redactions applied this feels like a very uncomfortable practice.

Don’t post: personal information in customer service chats

Interacting with customer service reps on Twitter is something people do 24/7. It’s often one of the fastest ways to resolve an issue, but trouble beckons when people post the inner workings of their problem. Something wrong with an order? Missing screws for your DIY table? Milk expired 3 weeks ago?

Okay, but you don’t need to post everything to go with it. Order numbers tied to public accounts, screenshots of your order summary complete with home address listed, telephone numbers, we’ve seen them all down the years.

Is your delivery driver disputing that someone was in when they rang the doorbell? It happens, but you don’t need to post up a shot of the GPS indicator from their website showing exactly where you live.

All of this information is usable to some degree by people up to no good. It could be phishing, it could be doxxing, it might be stalking. Bottom line: start from a position of total redaction and only show what you absolutely need to.

If you’re taking the conversation to direct messages? Don’t post anything sensitive in there either, and that includes things like passwords.

Don’t post: vacations in real-time

Given it’s an age since anyone likely went on holiday, it’s worth dusting off one more golden oldie. If and when we’re all able to go on vacation, remember to control your travel experience ruthlessly.

We strongly suggest you post about your trip after you get back home. It may be appealing to get everything online as it takes place, but “I’m hundreds of miles away from my empty home” seems a bit dangerous to us.

This is especially the case if any of your profiles make use of geolocation, or you happily tag your home address in any geolocation service. You may as well hire someone to fly a plane over your house with a big banner that says “We’re empty for 14 days, come on in”. This isn’t a very catchy marketing slogan, but people up for a bit of burglary will love it.

Don’t post: the TMI selfie

This probably isn’t what you’re expecting it to be. However.

Something we regularly see on social media is the TMI selfie. This is an entirely boring and normal photo, with one major exception lurking. That pic of your nice new sofa in the front room? There’s a letter on the shelf with your bank statement on it. The Instagram-worthy snap of your meal? You can see a reflection of confidential work information on your laptop in the mirror. Finally received that delivery you’ve been waiting on and Tweeted it out? You left the label with your address on the box.

We let our guard down in places we trust. This often proves disastrous for people who prefer to remain a little bit anonymous on social media. The TMI selfie is usually brought to light by helpful followers of whoever happens to post it. Interestingly, unlike the credit card snaps, these usually get deleted swiftly. That’s definitely a good thing.

Keeping it safe on social

These are the social media sins which frequently have a negative impact on people’s lives when they least expect it. By avoiding them, you’re encouraging solid security and safety practices in all aspects of your life both offline and on. If you can think of others, we’d love for you to add some of your own in the comments.

The post Don’t post it! Six social media safety sins to say goodbye to appeared first on Malwarebytes Labs.