Everyth1ng Y0u Kn0w Ab0ut P@ssw0rds 1s Wr0ng

Everyth1ng Y0u Kn0w Ab0ut P@ssw0rds 1s Wr0ng

Read more »

A Hacker's Tool Kit - Cybercrime is growing ever more pervasive—and costly.

Cybercrime is growing ever more pervasive—and costly. According to researcher Cybersecurity Ventures, the annual cost of cybercrime globally will rise from $3 trillion in 2015 to $6 trillion in 2021. Enabling this boom are thriving marketplaces online, where hackers sell tools and services to criminals. Virtually anything is available for the right price, points out Andrei Barysevich, director of advanced collection (“a fancy name for ‘spy,’ ” he says) at threat intelligence firm Recorded Future. A former consultant for the FBI’s cybercrime team in New York, Barysevich trawled the shadiest corners of the web to compile the cybercrime shopping list above, exclusively for Fortune. In the market for some basic malware? It’ll cost you as little as $1.

Read more »

Here is every patch for KRACK Wi-Fi attack available right now

Monday morning was not a great time to be an IT admin, with the public release of a bug which allowed WPA2 security to be broken.

As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates.

The security protocol, an upgrade from WPA, is used to protect and secure communications between everything from our routers, mobile devices, and Internet of Things (IoT) devices, but there is an issue in the system's four-way handshake which permits devices with a pre-shared password to join a network.

According to security researcher Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks (MiTM) and eavesdrop on communication sent from a WPA2-enabled device.

US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the exploit from being utilized in the wild -- of which there are no current reports of this bug being harnessed by cyberattackers.

The bug is present in WPA2's cryptographic nonce and can be utilized to dupe a connected party into reinstalling a key which is already in use. While the nonce is meant to prevent replay attacks, in this case, attackers are then given the opportunity to replay, decrypt, or forge packets.

In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android version 6.0 Marshmallow and above.

The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched IoT devices being exposed for use by botnets.

The vulnerability does not mean the world of WPA2 has come crumbling down, but it is up to vendors to mitigate the issues this may cause.

In total, 10 CVE numbers have been preserved to describe the vulnerability and its impact, and according to the US Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.

So who is on top of the game?

Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.

Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.

"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available."

In other words, some patches are available, but others are pending the investigation.

Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.

Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.

FreeBSD Project: There is no official response at the time of writing.

Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.

Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.

The WiFi Standard: A fix is available for vendors but not directly for end users.

Mikrotik: The vendor has already released patches which fix the vulnerablities.

Google: Google told The Verge that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."

AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."

OpenBSD: Patches are now available.

Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.

Netgear: Netgear has released fixes for some router hardware. The full list can be found here.

Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.

Check back as we update this story.

via zdnet

Read more »

Sophos continues to work at protecting customers from the WannaCry ransomware attack – here’s what you need to know.

Sophos continues working to protect customers from the WannaCry ransomware attack. That effort has been successful, but we continue to receive many questions about how this attack happened, what we must do to defend our organizations, and, of course, what’s next?

This article is designed to answer those questions.

What happened?

A fast-spreading piece of ransomware called Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r) held computer systems hostage around the globe Friday. National Health Service hospitals (NHS) in the UK was hit hard, with its phone lines and IT systems being held hostage. From there, the attack spilled across the globe.

It encrypted victim’s files and changed the extensions to: .wnry, .wcry, .wncry and .wncrypt. It then presented a window to the user with a ransom demand:

Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers’ APT EternalBlue Exploit (CC-1353). It also uses strong encryption on files such as documents, images, and videos.

This was different from past ransomware attacks. Why?

There were some unique aspects to the WannaCry attack. Typical ransomware infections happen after the victim clicks on a malicious email attachment or link. In this attack the malware was able to exploit a remote code execution (RCE) vulnerability that allowed it to infect unpatched machines without users having to do anything.

Because of that, this was able to spread in the same rapid fashion as the worm outbreaks common a decade ago, such as Slammer and Conficker.

Specifically, WannaCry exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

Organizations running older, no-longer-supporter versions of Windows were particularly hard hit. In fact, Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement:

We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.

Is this over?

Unlikely. With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them. We also expect aftershocks Monday as employees at affected company’s who weren’t there Friday return to work and fire up their computers.

What is Sophos doing to protect customers?

Sophos continues to update protections against the threat. Sophos Customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen, the offending ransomware splash screen and note may still appear.

Is there anything I need to do?

You’ll want to ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical. Microsoft is providing Customer Guidance for WannaCrypt attacks. As noted above, Microsoft has made the decision to make the Security Update for platforms in custom support only — Windows XP, Windows 8, and Windows Server 2003 — broadly available for download:

Windows Server 2003 SP2 x64	Windows Server 2003 SP2 x86
Windows 8 x64	Windows 8 x86
Windows XP SP2 x64	Windows XP SP3 x86	Windows XP Embedded SP3 x86

As we always say, patching is critical. For Sophos customers, keep checking the Wana Decrypt0r 2.0 Ransomware Knowledge Base where we’ll be issuing updates.

via sophos

Read more »

Stop the Phishing

Practical advice and free tools to help stop phishing attacks

Phishing caused 
$3.1 BILLION 
in damages in 2016.

Phishing is big business for the cyber crooks. With 89% of phishing attacks orchestrated by professional organized crime organizations, it’s essential to stay ahead of the game. 

This whitepaper will help explain what you’re up against so you can make sure your organization doesn’t take the bait.

Don’t Take the Bait Whitepaper

Read more »