The CIA’s Cool CodeNames

Codenames are awesome. Microsoft and Apple have long used cool codenames for big projects. I just learned that America’s Central Intelligence Agency loves its codenames as well, and boy are they awesome.

It turns out that alongside its skilled codebreakers and mathematicians, the CIA also employs some creative geniuses who have conceived some truly imaginative names for their top-secret projects. Here are some of my favorites.

Brutal Kangaroo


Anyone else thinking of Kangaroo Jack right now? Unearthed by WikiLeaks earlier today, Brutal Kangaroo is a malware toolkit that propagates through a closed, air-gapped network using infected USB flash drives. It’s very Stuxnet in that respect. The big difference is that while Stuxnet was used to destroy nuclear centrifuges, Brutal Kangaroo is built to exfiltrate data out of the closed network, using some clever steganography tactics along the way.

It’s all very Ronseal-esque; it does what it says on the tin. With respect to the fact that it makes a mockery of air-gapped computers, it’s brutal. Given that the malware and the stolen data ‘hop’ between systems on removable media, it’s a bit like a kangaroo.

WeepingAngel


This one particularly scares me because I just bought one of these! This malware targets Samsung’s F-Series Smart TVs, letting the CIA record what is going on in the room through the TV’s built-in microphone, even while the set appears to be switched off. It’s so named because that’s what happens when you watch those naughty pay-per-view channels.

Starmie and Snubble


Weirdly, the CIA has a lot of malware named after Pokemon characters. I guess there are similarities between the CIA and Ash Ketchum, in that both are trying to catch ‘em all. Except in the case of the CIA, they’re talking about ISIS members, and instead of Pokeballs, they use Hellfire missiles.

Gaping hole of DOOM


This is the name the CIA gave to an exploit for Comodo’s antivirus; true to its name, it promises to swallow everything.

Creatine and RoidRage

Both of these target Android. Creatine exploits flaws in the drivers for Qualcomm’s Adreno GPU, while RoidRage is used to monitor all radio functions and steal SMS messages. The documentation for these consists of “DO YOU EVEN LIFT, BRAH?” repeated ad nauseam.

Munge Payload

This tool is used to encrypt and modify payloads so as to avoid detection by an adversary, and sounds nasty.

Panda Sneeze


It’s not immediately obvious what this threat does. But either way, it’s adorable.

Bumble


Similarly, this specimen targeting HP routers is just way too cute.

There you go – these security threats may be dangerous but they now have some very cool and bizarre names!


Taking Control of Your iPhone’s Privacy Settings

As technology continues to take over our lives, the struggle to maintain privacy becomes ever harder. But while we may take special steps to update our privacy settings on Facebook and other social media services it turns out that just having your phone on you at all times has some disturbing consequences.

Did you know that every place you’ve ever visited, such as the local supermarket, the office where you work, the movie theater, even your own home, is being stored on your iPhone? This information even includes the exact address and the number of times you’ve been to that location.

Are you feeling a bit freaked out right about now?

How is This Happening?

The reason is a feature buried deep in your privacy settings called ‘Frequent Locations’, and while it’s in no way new, it often goes unnoticed. For years, the system has been pinpointing the places you visit on a map and logging your arrival and departure times at each one, so your iPhone can improve the Maps app and its location-based suggestions.

Clear your location history settings right here if you are feeling spied on by Apple.

Stopping This – If You Want

So if you want to stop this here’s what you do:

  1. Open your ‘Settings’ menu
  2. Select ‘Privacy’
  3. Select ‘Location Services’
  4. Scroll really far down and select ‘System Services’
  5. Scroll more and select ‘Frequent Locations’
  6. Select ‘Clear History’
  7. Tap the ‘Frequent Locations’ switch to turn it off

There you go, you can now rest easy. Be warned, however, that your Maps app probably will not work as well.


Book Recommendation: “The Radium Girls”

If you look on the right panel of this fine blog you will always see what book I am reading. My literary tastes include history, biography, historical fiction (although I have lost interest in this genre lately), science fiction and of course Star Trek. What I am going to do from time to time is recommend a book that I hope some of you, my dedicated readers, will enjoy. So let’s take a look at the first book recommendation.

“The Radium Girls: The Dark Story of America’s Shining Women” by Kate Moore.

This book was released on April 18, 2017 and I stumbled upon it while browsing the Kindle book store. I love history, especially what I call “hidden history”: stories that come out of left field, that I previously knew nothing, or very little, about. This book, which I am still reading, fits that bill perfectly.

This is an amazing and very upsetting work about events that have gone unreported for far too long.

The Story

On April 20, 1902, Marie and Pierre Curie successfully isolate radioactive radium salts from the mineral pitchblende in their laboratory in Paris. In 1898, the Curies discovered the existence of the elements radium and polonium in their research of pitchblende. One year after isolating radium, they would share the 1903 Nobel Prize in physics with French scientist A. Henri Becquerel for their groundbreaking investigations of radioactivity.

In 1922, a bank teller named Grace Fryer (pictured below) became concerned when her teeth began to loosen and fall out for no discernible reason. Her troubles were compounded when her jaw became swollen and inflamed, so she sought the assistance of a doctor in diagnosing the inexplicable symptoms. Using a primitive X-ray machine, the physician discovered serious bone decay, the likes of which he had never seen. Her jawbone was honeycombed with small holes, in a random pattern reminiscent of moth-eaten fabric.


The girls were paid the modern equivalent of $0.27 per watch dial, so the harder they worked, unknowingly swallowing deadly amounts of poison each time to make a few extra pennies, the faster death would approach. In their downtime, some even messed about painting their nails, teeth and faces with the luminous paint, marketed under the brand name “UnDark”.

From here we are led through the horror of what happened to the girls (usually in their mid-teens to mid-20s) who worked as “radium dial painters”. Their terrible tragedy is made all the more horrible by the negligence of the plant owners.

In the end this is a true story, brilliantly researched and written by Kate Moore which reveals the courageous fight for justice of the Radium Girls against the long odds and brutal tactics and lies of the companies involved and their cronies in the medical and legal professions and in politics. Even sadder is the fact that residents of towns where radium factories set up demonized the factory workers.

How familiar does all this sound today? How safe do you feel in a country where worker protection laws are being stripped and scuttled on a daily basis? If we refuse to learn from events we will surely suffer from their repetition.

I can say this is one of the most haunting books I have read in a very long time. Do yourself a favor and check it out this summer.


198 Million American Voters Hacked

Another data exposure, and this time it is American voters’ records.

It has been reported that Republican voter-profiling data and personal information on nearly 198 million American voters was exposed at the start of this week, sitting in an Amazon S3 storage bucket that had been left publicly accessible, with no password or other authentication required to download it.


Amazon hosted the storage, but the bucket and its contents belonged to and were managed by Deep Root Analytics, a Republican data analytics firm; the exposure was a configuration mistake on the customer’s side, not a breach of Amazon.

The leaked information includes each voter’s name, date of birth, home address and phone number, plus voter registration details such as party affiliation.

The compromised server also included data from conservative market research firm TargetPoint. The group uses their extensive data to help clients better understand voter policy preferences and political actions, according to the report.
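The mistake behind an exposure like this is usually a bucket ACL or bucket policy that grants read access to the whole internet. The script below, an added example that is not from the article and not Deep Root’s configuration, walks the two documents the AWS S3 GetBucketAcl and GetBucketPolicy calls return and flags every grant that makes objects world-readable. The two sample documents are constructed here and nothing in the script talks to AWS; to audit a real bucket you would feed it the JSON those two API calls return.

```python
"""Flag S3 bucket ACL grants and bucket policy statements that make data
world-readable.  Added example, not from the article or from Deep Root
Analytics; the two input documents below are constructed, not the real ones.
Their shapes mirror what the AWS S3 GetBucketAcl and GetBucketPolicy APIs
return, but nothing here talks to AWS."""
from __future__ import annotations
import json
from typing import Optional

# S3's predefined groups.  AllUsers is the anonymous internet; AuthenticatedUsers
# is anyone holding any AWS account, which is effectively public as well.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_acl_grants(acl: dict) -> list[str]:
    """Describe every ACL grant that lets a public group read the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in READ_PERMISSIONS:
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list[str]:
    """Describe every Allow statement granting object reads to Principal '*'.

    A statement with a Condition block is reported separately: it may be
    scoped (for example to one VPC endpoint), so it needs a human decision.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not (actions & {"s3:getobject", "s3:*", "*"}):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"policy {sid}: public read, but conditioned; review manually")
        else:
            findings.append(f"policy {sid}: unconditional public read")
    return findings


def audit_bucket(acl: dict, policy: Optional[dict]) -> list[str]:
    """Run both checks; an empty list means no public read path was found."""
    findings = public_acl_grants(acl)
    if policy:
        findings += public_policy_statements(policy)
    return findings


# Constructed sample documents (not Deep Root's real configuration).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*"}
  ]
}""")

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("PUBLIC:", line)
```

Either finding alone is enough to make a bucket downloadable by anyone who learns its name; the ACL and the policy are evaluated independently, so both have to be clean.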

This isn’t the first mass information leak from Republican firms. Campaign data firm i360 accidentally exposed 191 million voter profiles in 2015 and another 154 million profiles were leaked during the course of the 2016 election.

At some point, I am not sure when, online security will be taken as seriously as locking your doors when you are not home, or making sure you do not leave your purse or wallet lying open and unattended. Until everyone, individuals and organizations alike, does this, our data stays exposed.


Worst Passwords EVER!

In its sixth annual Worst Passwords report, SplashData, a provider of various security applications and services, listed the 25 weak and easy-to-guess passwords most frequently posted on various hacker forums and websites.


Presenting the list of the top 25 bad passwords people use. I hope that none of you, my dedicated readers, are relying on any of these to protect your information.

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234
  11. login
  12. welcome
  13. solo
  14. abc123
  15. admin
  16. 121212
  17. flower
  18. passw0rd
  19. dragon
  20. sunshine
  21. master
  22. hottie
  23. loveme
  24. zaq1zaq1
  25. password1

The list is based on 5 million leaked passwords, and almost 4% of hacked users used “123456” as their password of choice while more than 10% used another from the list.

Most had a single word password, which is a dream come true for any hacker planning a quick and effective dictionary attack. Using this method, a hacker pretends to be the user and tries to log into their account, using a predetermined set of words or phrases from a list called “dictionary”.

Frequent usage also applies to another group of passwords on the list: sequences. “123456”, “qwerty” and “zaq1zaq1” are key sequences, meaning the characters sit next to one another on the physical keyboard. These are another dictionary favorite, and they are also easy prey for a brute force attack. This tactic is similar to a dictionary attack, since it also happens at the login screen, but instead of using ready-made lists the attacker uses a program that tries character combinations systematically until a password matches (i.e. the attacker tries “1234”, then “12345”, etc.). Both attacks only work at the login screen if the service does not rate-limit or lock out after failed attempts; against a stolen database of password hashes they run offline and at full speed.
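The three weaknesses described above (a word on a known-bad list, a keyboard walk, a repeated fragment) can each be checked mechanically, which is what a password denylist on a signup form should do. The script below is an added example, not SplashData’s methodology or anyone’s published code: its denylist is the 25 entries from this post, the keyboard layout is a simplified US QWERTY grid that ignores key stagger, and the 40-bit search-space cutoff is an illustrative threshold, not a standard.

```python
"""Password hygiene checks for the failure modes the post describes:
dictionary words, keyboard walks and repeated fragments.  Added example, not
SplashData's methodology; the denylist is the 25 entries from the post and the
keyboard layout is a simplified US QWERTY grid (stagger ignored)."""
from __future__ import annotations
import math

WORST_25 = [
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome", "solo",
    "abc123", "admin", "121212", "flower", "passw0rd", "dragon", "sunshine",
    "master", "hottie", "loveme", "zaq1zaq1", "password1",
]
# Common leet substitutions undone before the denylist lookup, so that
# "P@ssw0rd" matches "password" the way a cracker's rule set would.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# (row, column) of each key on the simplified grid; 'q' sits under '1', 'a' under 'q', 'z' under 'a'.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def in_denylist(pw: str, denylist=WORST_25) -> bool:
    """True if the password, or a case/leet variant of it, is a known worst password."""
    return any(c in denylist for c in {pw, pw.lower(), normalize(pw)})


def _adjacent(a: str, b: str) -> bool:
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest run of physically adjacent keys ('zaq1' gives 4)."""
    best = run = 1
    low = pw.lower()
    for prev, cur in zip(low, low[1:]):
        run = run + 1 if _adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def repeated_unit(pw: str) -> str | None:
    """The repeating fragment if the password is one unit repeated ('zaq1' for 'zaq1zaq1'), else None."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size]
    return None


def brute_force_bits(pw: str) -> float:
    """log2 of the exhaustive search space for this length and the character classes present."""
    alphabet = (
        26 * any(c.islower() for c in pw)
        + 26 * any(c.isupper() for c in pw)
        + 10 * any(c.isdigit() for c in pw)
        + 33 * any(not c.isalnum() for c in pw)     # printable ASCII punctuation + space
    ) or 1
    return len(pw) * math.log2(alphabet)


def assess(pw: str) -> list[str]:
    """Return the problems found; an empty list means none of these checks fired."""
    problems = []
    if in_denylist(pw):
        problems.append("in worst-passwords list")
    if longest_keyboard_walk(pw) >= 4:
        problems.append("keyboard walk")
    if repeated_unit(pw):
        problems.append("repeated fragment")
    if brute_force_bits(pw) < 40:                   # illustrative cutoff, not a standard
        problems.append("brute-forceable search space")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "zaq1zaq1", "P@ssw0rd", "correct horse battery staple"):
        print(f"{candidate!r}: {assess(candidate) or 'no findings'}")
```

Note that “zaq1zaq1” passes the raw search-space test (eight characters over letters and digits) and is caught only by the structural checks, which is the point: length alone says nothing when the structure is a keyboard column typed twice.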

I recommend again, friends: take the time to select a good password manager and use a distinct, complex password for each of your online accounts. The time you spend doing this may save you much heartache later. You can check out our previous articles regarding password managers here.


Google Drive to Offer Hard Drive Backup Service

While Google Drive is already a decent cloud storage tool, it’s about to get a lot more useful. Beginning June 28, the service will let you back up entire folders from your hard drive, and keep them in sync with your account.


You’ll need to first download the Backup and Sync tool for your PC or Mac when it launches; once you’ve signed in, you’ll be able to choose which folders on your desktop you want to keep backed up, and access them through Drive across your devices. That sounds handy for people who already use Drive extensively – it’d certainly be nice to have a powerful search function for backed up files.

My concern is that unless Google comes up with new pricing plans to support this feature, Drive’s backup will cost you a fair bit more than other services, as it only comes with 15GB of space for free. 1TB of space will set you back by $100 a year.  There are many other cloud backup services like Backblaze which charge about half that price: Backblaze’s unlimited storage and syncing costs $50 annually, and Carbonite as well as small business-focused Crashplan come in at $59 a year.

Would you consider Google Drive for your backup needs, or do you already have a favorite app for that? This service will appeal to heavy Google Drive users, but even for them a price cut would make it a lot more appealing.


Patch Tuesday Brings New Windows 10 Update

For the Creators Update, Microsoft is releasing Windows 10 Build 15063.413 for PCs and Build 15063.414 for Mobile devices. The build includes security updates for some of the core components of Windows, and it also includes a fix for the lock screen on Windows 10. Here’s the full changelog:

  • Addressed issue where the user may need to press the space bar to dismiss the lock screen on a Windows 10 machine to log in, even after the logon is authenticated using a companion device.
  • Addressed issue with slow firewall operations that sometimes results in timeouts of Surface Hub’s cleanup operation.
  • Addressed issue with a race condition that prevents Cortana cross-device notification reply from working; users will not be able to use the remote toast activation feature set.
  • Addressed issue where the Privacy Separator feature of a Wireless Access Point does not block communication between wireless devices on local subnets.
  • Addressed issue on the Surface Hub device where using ink may cause a break in the touch trace that could result in a break in inks from the pen.
  • Addressed issue where Internet Explorer 11 may ignore the “Send all sites not included in the Enterprise Mode Site List to Microsoft Edge” policy when opening a Favorites link.
  • Addressed additional issues with time-zone information and Internet Explorer.
  • Security updates to Windows kernel, Microsoft Windows PDF, Windows kernel-mode drivers, Microsoft Uniscribe, Device Guard, Internet Explorer, Windows Shell, and Microsoft Edge. For more information about the security vulnerabilities resolved, please refer to the Security Update Guide.

Head over to Windows Update to grab the latest patches, and have the best patch Tuesday ever!


TA17-163A: CrashOverride Malware

I am subscribed to the Homeland Security National Cyber Awareness System and will begin posting these cyber-security bulletins here for all of you, my dedicated readers. 

The United States Computer Emergency Readiness Team (US-CERT) strives for a safer, stronger internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cyber-security information with trusted partners around the world.

TA17-163A: CrashOverride Malware

06/12/2017 05:44 PM EDT

Original release date: June 12, 2017

Systems Affected

Industrial Controls Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis, and develop a better understanding of the risk this new malware poses to the U.S. critical infrastructure.

Although this activity is still under investigation, NCCIC is sharing this report to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks. NCCIC continues to work with interagency and international partners on this activity and will provide updates as information becomes available.

For a downloadable copy of IOCs, see:

To report activity related to this Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.

Risk Evaluation

NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color): Yellow (Medium)

A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details

There is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.

Description

Technical Analysis

CrashOverride malware represents a scalable, capable platform. The modules and capabilities publicly reported appear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850, which are more commonly used outside the United States in electric power control systems. The platform fundamentally abuses a targeted ICS system’s legitimate control systems functionality to achieve its intended effect. While the known capabilities do not appear to be U.S.-focused, it is more important to recognize that the general TTPs used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power, so all critical infrastructure organizations should be evaluating their systems for susceptibilities to the TTPs outlined. The malware has several reported capabilities:

  1. Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities may island from infected parties, potentially resulting in a degradation of grid reliability.
  2. Denies service to local serial COM ports on Windows devices, therefore preventing legitimate communications with field equipment over serial from the affected device.
  3. Scans and maps ICS environment using a variety of protocols, including Open Platform Communications (OPC). This significantly improves the payload’s probability of success.
  4. Could exploit Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In this instance, the relay would need to be manually reset to restore functionality.
  5. Includes a wiper module in the platform that renders Windows systems inert, requiring a rebuild or backup restoration.

Detection

As CrashOverride is a second stage malware capability and has the ability to operate independent of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing. As a result, organizations are encouraged to implement behavioral analysis techniques to attempt to identify precursor activity to CrashOverride. As additional information becomes available on stage one infection vectors and TTPs, this alert will be updated.

NCCIC is providing a compilation of indicators of compromise (IOCs) from a variety of sources to aid in the detection of this malware in the appendices. The sources provided do not constitute an exhaustive list and the U.S. Government does not endorse or support any particular product or vendor’s information referenced in this report. However, NCCIC has included this data to ensure wide distribution of the most comprehensive information available and will provide updates as warranted.



New Malware Threat Infects Through Microsoft’s PowerPoint

In another security hack that is making the rounds, Microsoft’s PowerPoint is the target.


“Spammers are testing a new way to trick victims into installing malware that downloads after the user hovers over a link in a PowerPoint slide show,” ZDNet reports. The new infection, which was discovered by BleepingComputer, “abuses a hover action in PowerPoint slide show mode to install malware.” When a user opens the PowerPoint file and puts their cursor over the malicious hyperlink, a PowerShell command runs quietly in the background “that connects to a malicious domain and downloads malware files.”

Like other Office malware that uses macros to infect victims, this one is spread via email attachments. The attachments are PowerPoint Show (.ppsx) files: the Open XML slide-show format, which opens straight into presentation mode rather than the editor, so the victim sees the slide without any “Enable Editing” prompt. The payload it fetches is a banking trojan.


The PowerPoint (PPSX) examples seen so far display the hyperlinked text “Loading… Please wait”. Hovering over it triggers the download unless Office Protected View is enabled. Protected View has been on by default since Office 2010; with it on, Office shows a security warning and blocks the download unless the user clicks through.

The file downloads a banking trojan known as Gootkit or Otlard; SentinelOne calls the malware Zusy.
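A .ppsx is just a zip of XML parts, so the hover trick can be found without opening the file in PowerPoint: each slide lives in ppt/slides/slideN.xml, and the mouse-over action is an a:hlinkMouseOver element carrying action="ppaction://program", whose r:id points into ppt/slides/_rels/slideN.xml.rels where the Target holds the command line PowerPoint would run. The scanner below is an added example, not from the article, BleepingComputer or any vendor; it builds a minimal .ppsx in memory (constructed, not a real sample, with a placeholder command rather than the real downloader) and then reports every hover or click action that launches a program.

```python
"""Scan a PowerPoint Show (.ppsx) for mouse-over or click actions that launch a
program.  Added example, not from the article or any vendor; the sample file is
constructed in memory.  A .ppsx is an Open XML zip: each slide is
ppt/slides/slideN.xml and its hyperlink targets live in
ppt/slides/_rels/slideN.xml.rels.  The hover technique uses a:hlinkMouseOver
with action="ppaction://program"; the relationship Target is the command line."""
from __future__ import annotations
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
ACTION_ELEMENTS = (f"{{{NS_A}}}hlinkMouseOver", f"{{{NS_A}}}hlinkClick")
PROGRAM_ACTION = "ppaction://program"


def _rels_for(zf: zipfile.ZipFile, slide_name: str) -> dict[str, str]:
    """Map relationship Id -> Target for one slide ({} if the rels part is missing)."""
    folder, _, base = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{base}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target", "") for rel in root.iter(f"{{{NS_REL}}}Relationship")}


def find_program_actions(data: bytes) -> list[dict]:
    """One finding per hlinkMouseOver/hlinkClick whose action launches a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = sorted(n for n in zf.namelist() if re.fullmatch(r"ppt/slides/slide\d+\.xml", n))
        for slide in slides:
            rels = _rels_for(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for el in root.iter():
                if el.tag in ACTION_ELEMENTS and el.get("action") == PROGRAM_ACTION:
                    rid = el.get(f"{{{NS_R}}}id")
                    findings.append({
                        "slide": slide,
                        "trigger": "hover" if el.tag.endswith("hlinkMouseOver") else "click",
                        "target": rels.get(rid, "<unresolved relationship>"),
                    })
    return findings


def build_sample_ppsx(target: str, hover_runs_program: bool = True) -> bytes:
    """Construct a minimal one-slide .ppsx (test data, not a real sample).

    With hover_runs_program=False the hover is an ordinary hyperlink (no action attribute).
    """
    action_attr = f' action="{PROGRAM_ACTION}"' if hover_runs_program else ""
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2"{action_attr}/></a:rPr>
      <a:t>Loading... Please wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_REL}">
  <Relationship Id="rId2" TargetMode="External" Target="{html.escape(target)}"
   Type="{NS_R}/hyperlink"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical command line; the real samples pointed at a PowerShell downloader.
    sample = build_sample_ppsx("powershell -NoP -W Hidden -c (placeholder downloader)")
    for f in find_program_actions(sample):
        print(f"{f['slide']}: {f['trigger']} action runs: {f['target']}")
```

Pointing find_program_actions at the bytes of a real attachment (open(path, "rb").read()) gives the same report; a mail gateway rule that quarantines any .ppsx or .pptx with a ppaction://program target is a cheap way to stop this family regardless of which trojan it fetches.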

Protecting Yourself

I wonder how many times I have said this: “Do not open attachments or click hyperlinks in your email unless you are 100% certain of their origin and you requested them.” Most security threats (malware, trojan horses, ransomware etc.) are spread through email. Always use caution before clicking!


Is Our Power Grid in Danger?

Was hacking our Presidential election just the first part of an even greater cyber-problem?

Researchers from the network security firm ESET have reported that a Russian hacker group may have developed a way to take down the power grids of entire countries.


The researchers described the malware, dubbed “Industroyer,” as the most dangerous hacking weapon since Stuxnet. First identified in 2010, Stuxnet is a malicious computer worm that targets industrial computer systems and was responsible for causing substantial damage to Iran’s nuclear program.

In fact, the ESET researchers said the malware was very likely responsible for the December 2016 blackout that cut power to part of Ukraine’s capital, Kiev, for about an hour. The researchers also said the malware could be reconfigured to attack other key infrastructure components as well.

A Very Scary Threat Evolves

“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas),” the company wrote in a blog post today.

Because Industroyer affects switches directly, the malware can inflict varying degrees of damage on a target country’s infrastructure, from simply triggering a temporary blackout, to causing cascading failures or serious damage to equipment.

The malware is able to attack infrastructure equipment so effectively because it speaks the common industrial protocols, which were designed decades ago, long before most control systems were connected to the Internet, and which have no authentication or integrity protection of their own. In many cases the attackers only needed to implement the protocol correctly: once on the control network there is no security control left to circumvent, because the equipment obeys any well-formed command it receives.
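Because the equipment obeys any well-formed command, the defender’s leverage is on the wire: the TA17-163A alert above lists “valid commands directly to remote terminal units” with a “rapid open-close-open-close pattern”, and that pattern is detectable in IEC 104 traffic even though each individual frame is legitimate. The script below is an added example, not US-CERT’s, Dragos’s or ESET’s code and not Industroyer’s: a simplified IEC 60870-5-104 parser for the single- and double-command ASDUs (type IDs 45 and 46) plus a per-breaker toggle counter, run over constructed frames with constructed timestamps. The 4-changes-in-10-seconds threshold is illustrative; a real deployment would tune it to the plant and take frames from a TCP/2404 capture.

```python
"""Parse IEC 60870-5-104 command APDUs and flag rapid breaker toggling, the
open-close-open-close pattern TA17-163A attributes to CrashOverride/Industroyer.
Added example, not from US-CERT, Dragos or ESET, and not the malware's code: a
simplified parser for the two single/double command types fed constructed
frames.  A real deployment would read frames from a capture of TCP/2404."""
from __future__ import annotations
from collections import defaultdict, deque
import struct

C_SC_NA_1, C_DC_NA_1 = 45, 46          # single command / double command type IDs
START = 0x68
COT_ACTIVATION = 6                     # cause of transmission: activation


def parse_command(apdu: bytes) -> list[dict]:
    """One record per control object in an I-format single/double command ASDU.

    S/U-format frames, other type IDs and packed (SQ=1) ASDUs yield [].
    """
    if len(apdu) < 6 or apdu[0] != START or apdu[1] != len(apdu) - 2:
        raise ValueError("not a well-formed APDU")
    if apdu[2] & 0x01:                  # control field bit0 set: S- or U-format, no ASDU
        return []
    if len(apdu) < 12:
        raise ValueError("I-format APDU too short for an ASDU header")
    type_id, vsq = apdu[6], apdu[7]
    cot = apdu[8] & 0x3F                # low 6 bits of the first COT byte
    common_addr = struct.unpack_from("<H", apdu, 10)[0]
    if type_id not in (C_SC_NA_1, C_DC_NA_1) or vsq & 0x80:
        return []
    records, pos = [], 12
    for _ in range(vsq & 0x7F):
        ioa = int.from_bytes(apdu[pos:pos + 3], "little")
        qual = apdu[pos + 3]            # SCO or DCO byte
        pos += 4
        if type_id == C_SC_NA_1:
            state = "ON" if qual & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
        records.append({
            "type": type_id, "ca": common_addr, "ioa": ioa, "state": state,
            "select": bool(qual & 0x80),       # S/E bit: 1 = select, 0 = execute
            "activation": cot == COT_ACTIVATION,
        })
    return records


class ToggleDetector:
    """Alert when one control point sees >= threshold state changes within window seconds."""

    def __init__(self, window: float = 10.0, threshold: int = 4):
        self.window, self.threshold = window, threshold
        self.history: dict[tuple[int, int], deque] = defaultdict(deque)  # (ca, ioa) -> (t, state)

    def observe(self, t: float, rec: dict) -> str | None:
        if rec["select"] or not rec["activation"]:
            return None                 # only executed activations move a breaker
        key = (rec["ca"], rec["ioa"])
        hist = self.history[key]
        hist.append((t, rec["state"]))
        while hist and t - hist[0][0] > self.window:
            hist.popleft()
        changes = sum(1 for (_, a), (_, b) in zip(hist, list(hist)[1:]) if a != b)
        if changes >= self.threshold:
            return f"t={t:.1f}s CA={key[0]} IOA={key[1]}: {changes} state changes in {self.window:.0f}s"
        return None


def build_single_command(ca: int, ioa: int, on: bool, select: bool = False, seq: int = 0) -> bytes:
    """Construct an I-format C_SC_NA_1 activation APDU (test data, not captured traffic)."""
    sco = (0x01 if on else 0x00) | (0x80 if select else 0x00)
    asdu = (bytes([C_SC_NA_1, 0x01, COT_ACTIVATION, 0x00]) + struct.pack("<H", ca)
            + ioa.to_bytes(3, "little") + bytes([sco]))
    control = struct.pack("<HH", seq << 1, 0)   # I-format: N(S) in bits 1-15, N(R) = 0
    return bytes([START, len(control) + len(asdu)]) + control + asdu


def run_detector(frames: list[tuple[float, bytes]], **kw) -> list[str]:
    """Feed (timestamp, apdu) pairs through parser and detector; return the alerts."""
    det, alerts = ToggleDetector(**kw), []
    for t, apdu in frames:
        for rec in parse_command(apdu):
            alert = det.observe(t, rec)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed traffic: one legitimate trip of breaker 1001, then a toggle burst on 1002.
SAMPLE_FRAMES = [(0.0, build_single_command(1, 1001, on=False, seq=0))] + [
    (100.0 + 0.5 * i, build_single_command(1, 1002, on=(i % 2 == 0), seq=i + 1))
    for i in range(6)
]

if __name__ == "__main__":
    for line in run_detector(SAMPLE_FRAMES):
        print("ALERT", line)
```

The single trip of IOA 1001 produces nothing, as it should; the burst on IOA 1002 fires once the fourth state change lands inside the window. Select-before-execute frames are ignored deliberately, since a select on its own does not move anything, and counting them would double every legitimate operation.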

This is yet another example that our national security relies less on firearms and more on cyber-defense.

