Monday review – the hot 25 stories of the week

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

Monday 17 February 2020

Tuesday 18 February 2020

Wednesday 19 February 2020

Thursday 20 February 2020

Friday 21 February 2020

Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast.

News, straight to your inbox

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

The Amazon Prime phishing attack that wasn’t…

Earlier this week, we received a moderately believable Amazon Prime phish via email.

The scam had an Account Locked subject line, with a warning that we wouldn’t be able to buy or sell anything via Amazon’s services until we verified our account.

To add a bit more fear and urgency, the crooks went on to warn us that if we didn’t complete the verification process within 24 hours, then our account would be deactivated, not merely suspended.

The “good” news, of course, is that verifying our account was as easy as clicking a link in the email:

Your Prime Membership Account Has Been Suspended Due To The Following Problems Below:

Invalid Card Number
Your Billing Address Does Not Match Our Records
Unverified Email Address

You will not be able to Buy and Sell on amazon until you have click the link below to confirm your account details before 24hrs of receiving this message.

We will be forced to deactivate your account automatically if you do not verify your identity.

We don’t think that Naked Security readers would fall for this one, for several reasons:

  • There are numerous grammatical and spelling mistakes in the message. We think fluent speakers of English would notice these and be suspicious.
  • There’s an unreasonable sense of urgency and drama. Amazon almost certainly wouldn’t use words such as “we will be forced to deactivate your account”, and the company wouldn’t need to deactivate your account for failing to respond within a day. (Online services want to keep you as a customer, not to throw you out!)
  • The sender doesn’t know who you are. The greeting “Dear Suspended user” looks, and is, peculiar and suspicious.
  • There’s no need to click the link in the email. If the email is a scam, the link will be false. But if the email is true, you can simply go to the Amazon site yourself, or use the Amazon app – the online location of Amazon isn’t a secret. Therefore the correct action is never to click, whether you believe the link or not.
  • The link the crooks want you to click uses HTTP. Although an HTTPS link would not mean that the page is safe, you should treat all HTTP links as unsafe – even if you trust the website at the other end – because unencrypted web connections can easily be snooped on by other people.

The teachable moment

Nevertheless, we thought we’d follow the phishing link ourselves, just to see how convincing the final result would be – most phishing sites have some sort of “teachable moment” that we can learn from, no matter how smart we think we are already.

Our first steps were simply to check where the link went, rather than downloading the actual content it linked to.

We found that the first hop was to an otherwise-invisible URL on a legitimate business WordPress site that had obviously been hacked and “borrowed” by the crooks to hide their trail.

The main page of the site was still working normally, promoting a PR business with a (rather ironic) tagline in Spanish saying, “It’s the first impression that counts”:

From here the crooks quietly redirected us to a second hacked site, this time a Middle Eastern company selling awnings, canopies and sun-shades:

Once again, the crooks didn’t take us to the front door, but instead pointed us at a usually-invisible URL that even the site operator probably wouldn’t notice unless they carefully went looking for files that shouldn’t be there.

And that’s where we got a surprise!

We don’t know whether the crook who sent us the phishing email made a mistake, and used the wrong URL, or whether a second crook had arrived in the interim and then taken over the hacked server from the original hackers…

…but instead of reaching a page that demanded our Amazon password, which is what we expected, we ended up at the crooks’ very own remote access backdoor:

Pirate skull? Check.

Comic Sans font? Check.

Haxor bragging (including the word haxor)? Check.

Emoticons and needless EXCLAMATION POINTS? Check.

Full remote access with no username or password needed? Check.

In this case, by implanting just one PHP file – a scrambled and obfuscated remote access toolkit – at a known URL they could visit later, the crooks gave themslves an unaudited, unsecured, unlimited remote console to the raw files on the WordPress server.

In other words, the crooks have set things up so they can sidestep the WordPress administration console entirely: they don’t need a password; they won’t get logged by the WordPress system; and they can add and modify files that WordPress wouldn’t normally allow, essentially allowing them to hide content such as phishing pages and malware downloads in plain sight.

Worse still, because their access isn’t mediated by the WordPress administration tools, they can also snoop around on the site where even a WordPress administrator might not be able to go, and upload or edit files that WordPress itself would probably prevent.

What to do?

In the end, this turned into a website insecurity story rather than a phishing alert, and it’s a good reminder of several important facts:

  • No website is unimportant to the crooks. Cybercrime isn’t just about million-dollar ransomware attacks on giant corporations. Your website has real value to the criminals, even if it’s just as a jumping-off point for them to enable further crimes.
  • If your site gets hacked, you’ll probably end up blocklisted. Once the crooks start using your website to host malicious content, you are likely to end up getting blocked or filtered by security products and the major browsers. This could dissuade or even prevent customers from reaching you. So even if the crooks don’t infect your business, they are very likely to affect it.
  • Patches and updates are vital. We don’t know how the crooks got access in this case, but a common entry vector to WordPress sites is via plugins that have security holes that you or your hosting provider forgot to patch. WordPress can keep itself up-to-date, but you also need to keep all the other parts of your system, especially your WordPress plugins, up-to-date as well.

You could also consider investing in a network firewall with web filtering capabilities – web protection isn’t just for users inside your network browsing to the outside.

Security products such as the Sophos XG firewall can also guard you from rogue probes and connections from the outside, adding an extra layer of defence against crooks trying to break in.

Lastly, if you are running your own website, whether it’s on a server that belongs to you or via a cloud service at a hosting company, make sure you pick proper passwords, and turn on 2FA for added login protection if you can.

Remember that crooks who get your password and login just once could leave behind a backdoor, like the one shown here, that gives them unfettered, unaudited and almost undetectable access from then on, even if you change your password.

By the way, if you ever do find yourself wandering in through a crook’s backdoor, like we did here, resist the urge, no matter how tempting, to take a look around “for the sake of research” – you could attract the sort of attention you don’t want.


Latest Naked Security podcast

S2 Ep27: Bluetooth holes, dodgy Chrome extensions and forgotten passwords – Naked Security Podcast

This week we discuss why Google abruptly pulled more than 500 Chrome extensions from its Web Store, the case of a man held in custody for refusing to decrypt two hard drives, and research detailing a number of security holes in Bluetooth chipsets.

Greg Iddon plays host and producer this week and is joined by fellow Sophos experts Paul Ducklin and Peter Mackenzie.

Listen now!

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast.

Larry Tesler, of copy-and-paste fame, dies at 74

Larry Tesler, the computer scientist who is widely credited with the copy-and-paste function that is now nearly ubiquitous in user interfaces, has died at 74.

Tesler – note the spelling! – worked at the influential Xerox Palo Alto Research Center, better known as PARC, in the 1970s.

Old-timers in the computer industry will tell you that “everything that we take for granted in computing these days was invented at PARC”, and there’s a grain of truth in that rose-tinted reminiscence.

Xerox, so the story goes, was worried that the paperless office was on its way, which wouldn’t be great for its vast photocopier business.

If everyone in an office had their own computer, companies wouldn’t need copiers because they could share documents electronically, and if they did need a printed copy, then they could just print it out themselves.

At least, they could do those things if [a] they had their own computers, [b] those computers were easy to use, [c] the computers could be interconnected reliably, [d] the computers could be programmed easily, and [e] if they had printers that were kind of like copiers, but didn’t need an original document to copy from.

So the researchers at PARC came up with, and learned to program and use, a whole raft of technologies that we do now take for granted – such as ethernet networking, object-oriented programming, laser printers, personal computers, bitmapped screens (so you could do text and graphics at the same time, just like in a book), square pixels, GUIs, a mouse to control them, and, of course…

…copy-and-paste.

Steve Jobs visited PARC in the 1970s, and by 1983, Apple had come out with a personal computer called Macintosh that had a bitmapped screen, square pixels, a GUI, a mouse to control it and, of course… copy-and-paste. By 1985, Apple had followed up with the Laserwriter, an astonishingly powerful personal printer with more memory and a more powerful processor than the Macintosh itself.

In fact, Larry Tesler’s ideas about user interface design went much deeper than just copy-and-paste.

He lived by the computer science motto No Modes.

His car tag and his personal website both featured the text NOMODES – which, in computing terms, means that things such as mouse clicks and keypresses should work consistently, rather than changing what they mean and do as you navigate through a program.

Larry Tesler’s 1996 vehicle tag

You wouldn’t tolerate a keyboard where A came out as B, B as C, and so on, but only when you were in the menu to pick a new font – it wouldn’t just be annoying, it would be confusing and error-prone.

You wouldn’t be safe driving a car where the brake and clutch pedals swapped over when you entered a private car park, only to swap over again when you exited back onto a public road.

Why modes?

So why, Tesler wanted to know, do we have so much computer software where keystrokes and mouse clicks change their meaning depending on where you are in the program?

The classic example of a “modal program” is the famous vi editor, where characters sometimes stand for themselves, and sometimes stand for controls to choose an operating mode.

For instance, if you are in the middle of a file, editing it with vi, and you want to add the word riddle into the document, you might think you’d just click where you wanted the text and then type riddle.

Riddle-me, riddle-me, riddle-me-ree, but that’s not how it works.

Ther enters replace mode, which says to overwrite the current character with the next one you type, namely i.

Then the first d in riddle enters delete mode, and the d after that is a delete-mode operator that says to delete the entire line, ironically including the i character you just entered into the text in the wrong place.

Now you are automatically back in command mode, where l says to move the cursor right (don’t shoot us, we’re just the messenger), and the final e moves to the end of the current word.

Phew!

To enter riddle into the document itself you have to type iriddleEsc, which first turns on insert mode, then inputs the actual characters you want, and finally escapes from insert mode back to command mode.

You can see why Larry Tesler was passionate about NOMODES.

Even if there are still millions of vi-loving techies and programmers who don’t yet agree with him.

Larry Tesler, RIP.


Latest Naked Security podcast

Featured picture of Larry Tesler smiling cropped from CC-BY-2.0 image via Flickr.

US and UK call out Russian hackers for Georgia attacks

The US and UK governments have both accused Russia of launching a cyber attack against the Georgian government last year. The attacks, mounted on 28 October 2019, came from Russia’s notorious GRU military intelligence unit, according to announcements from the US State Department and the UK’s National Cyber Security Centre.

This is a rare statement of attribution from western governments. Both the US and the UK rebuked Russia for its behaviour and pledged their support for Georgia.

In its announcement, the US State Department said:

This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions.

Sandworm has been active in Ukraine, reaching power utilities there in 2015 and 2016 in attacks that deprived thousands of electrical power. The hacking group has also been linked to NotPetya, a worm that spread globally in 2017. In his book of the same name, Greenberg tracked this group’s connection to several egregious hacks, including the attack on the Olympic Games in Seoul in 2018, which it tried to blame on North Korea.

The group is also said to be responsible for the 2016 attack on US election infrastructure, and for the theft of emails from the Democratic National Committee (DNC) and their distribution to WikiLeaks. An FBI indictment released as part of the Robert Mueller investigation tied GRU operatives to that attack. Sandworm has also been spotted uploading malicious Android apps to the Google Play Store.

In the book, Greenberg linked all these attacks to Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). He identified Sandworm as GRU Unit 74455, operating from a Moscow suburb.

The UK government backed up the US claims. Its National Cyber Security Centre (NCSC) said that it “assesses with the highest level of probability” (which is 95% or more) that the GRU carried out large-scale disruptive cyberattacks against web hosting companies in Georgia, defacing sites including those belonging to the Georgian government, courts, NGOs, media and businesses. It also disrupted broadcast services in the country, the government said, adding that Georgia is a strategic partner of the US.

Foreign Secretary Dominic Raab added:

The Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries, or become a responsible partner which respects international law.

The UK government also identifies Sandworm as BlackEnergy Group (after the 2015 Ukraine electrical system attack), Telebots, and VoodooBear. Alongside the electrical grid and NotPetya attacks, it was also responsible for the BadRabbit ransomware in October 2017, according to the NCSC.

Greenberg added that the US is shining a light on cyber-subterfuge by going public with its claims. He also suggested that it could be an attempt to head off any election shenanigans:

It’s important to note that the Sandworm hacking group is a separate thing from the malware of the same name.


Latest Naked Security podcast

go top