Category Archives: News

The mystery of the missing Perl website

If you’re a user of the venerable, powerful and popular open source programming language Perl, you’ll almost certainly have visited its official website at some point, at: https://perl.org.

You may very well also have visited its sister site perl.com, which until very recently looked like this:

Main page of perl.com on 2021-01-25, according to Wayback Machine (web.archive.org)

The About page of perl.com used to introduce the website as follows:

About page of perl.com on 2020-10-25, according to Wayback Machine (web.archive.org)

Well, be careful out there, folks!

It looks as though the perl.com domain has been taken over, though by whom is hard to say, given that the domain registration is now hidden behind a DNS privacy-guarding proxy.

The website is currently [2021-01-29] no longer accessible at all via HTTPS, and when visited via HTTP just sets a few tracking cookies, fetches some Javascript, and renders as a blank page:

Perl.com visited directly (and insecurely) on 2021-01-29.

The domain name registration was last updated two days ago, and is now valid for 10 more years from that date:

Domain Name: perl.com
Registry Domain ID: 432086_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.rrpproxy.net
Registrar URL: http://www.key-systems.net
Updated Date: 2021-01-27T12:43:15Z
Creation Date: 1994-08-16T04:00:00Z
Registrar Registration Expiration Date: 2031-01-26T15:26:42Z
Registrar: Key-Systems GmbH
[...]
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
[...]
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Chisinau
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: MD [Moldova]
[...]
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
[...]
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY

Our chums over at The Register examined the now-dysfunctional domain yesterday [2021-01-28], and noted that name service (DNS) lookup for perl.com was being handled by domain name brokers Afternic, whom El Reg spotted were themselves offering perl.com for sale for a lofty price of $190,000.

Today [2021-01-29], the name servers show up as follows:

$ dig @9.9.9.9 perl.com ns
[...]
;; QUESTION SECTION:
;perl.com. IN NS

;; ANSWER SECTION:
perl.com. 3600 IN NS ns2.namefind.com.
perl.com. 3600 IN NS ns1.namefind.com.
[...]

Right now, neither Namefind nor Afternic seems to be trying to sell off the perl.com name, though at either of those sites you can pick up perly for $9999, perlsite for $4999, or perlmagic for just $2499.
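The registration and nameserver checks made above, turned into something a domain owner could run routinely, as an added example that is not code from this article: it parses text in the shape of the WHOIS record and dig answer quoted above and compares them with a baseline the owner keeps for their own domain. The baseline values and the excerpts are constructed for illustration.

```python
"""Flag domain-takeover warning signs in WHOIS and DNS records.

Added example, not code from the article: it parses text shaped like the
WHOIS and dig output quoted above and compares it with the baseline a
domain owner would keep for their own domain. Everything below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the shape of the WHOIS record quoted above.
WHOIS_TEXT = """\
Updated Date: 2021-01-27T12:43:15Z
Registrar Registration Expiration Date: 2031-01-26T15:26:42Z
Registrar: Key-Systems GmbH
Registrant Name: REDACTED FOR PRIVACY
Registrant Country: MD
"""

# Constructed excerpt in the shape of the dig output quoted above.
DIG_TEXT = """\
;; ANSWER SECTION:
perl.com.\t\t3600\tIN\tNS\tns2.namefind.com.
perl.com.\t\t3600\tIN\tNS\tns1.namefind.com.
"""

# Constructed baseline: what the owner expected their record to look like.
BASELINE = {
    "registrar": "Key-Systems GmbH",
    "registrant_country": "US",
    "contact_private": False,
    "expiry": datetime(2021, 8, 16, tzinfo=timezone.utc),
    "nameservers": {"ns1.example.test", "ns2.example.test"},
}

def parse_whois(text):
    """Return the first value seen for each 'Key: value' line; '[...]' lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields

def parse_ns(dig_text):
    """Collect nameserver names from the NS answer lines of dig output."""
    names = set()
    for line in dig_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2:4] == ["IN", "NS"]:
            names.add(parts[4].rstrip(".").lower())
    return names

def parse_ts(value):
    """WHOIS timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def takeover_signals(whois, nameservers, baseline, now, recent_days=7):
    """Return human-readable reasons the record looks as if it changed hands."""
    signals = []
    updated = parse_ts(whois["Updated Date"])
    if now - updated <= timedelta(days=recent_days):
        signals.append(f"record updated {(now - updated).days} day(s) ago")
    expiry = parse_ts(whois["Registrar Registration Expiration Date"])
    if expiry > baseline["expiry"] + timedelta(days=365):
        signals.append(f"expiry extended to {expiry.date()}")
    if whois.get("Registrar") != baseline["registrar"]:
        signals.append(f"registrar now {whois.get('Registrar')!r}")
    if whois.get("Registrant Country") != baseline["registrant_country"]:
        signals.append(f"registrant country now {whois.get('Registrant Country')!r}")
    if "REDACTED" in whois.get("Registrant Name", "") and not baseline["contact_private"]:
        signals.append("registrant contact newly hidden behind a privacy proxy")
    if nameservers != baseline["nameservers"]:
        signals.append(f"nameservers now {sorted(nameservers)}")
    return signals

if __name__ == "__main__":
    seen_on = datetime(2021, 1, 29, 14, 0, tzinfo=timezone.utc)
    for s in takeover_signals(parse_whois(WHOIS_TEXT), parse_ns(DIG_TEXT), BASELINE, seen_on):
        print("WARNING:", s)
```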

Quite what happened to the perl.com domain name we don’t yet know.

However, The Register insists, on what it says is good authority, that until just before this latest change, the domain’s contact details were listed publicly, with the admin of the domain given as well-known Perl luminary Tom Christiansen.

Whether the original registrants will be able to recover this domain remains to be seen (it certainly seems that they did not intend to dispose of it), but we do know that whoever currently controls it now has it registered for a further decade.

So, if you’re a Perl fan, we recommend you steer clear of the perl.com domain unless and until the All Clear is sounded on it.

Although it looks blank and mostly harmless today, and although the HTTPS version of the site is not working at all right now, who knows what content might show up there in the future?


Cybersecurity tips for university students

Harriet Stone

Hello, Naked Security readers. I’m Harriet Stone, an intern in the Sophos marketing team.

Seven months of working (virtually) with cybersecurity professionals has made me realise just how unaware many students are when it comes to their online security.

Even before the COVID-19 pandemic drove a switch to online learning, most university students needed to use a computer every day.

Whether for communicating with classmates, taking notes in lectures or doing research for assignments, technology is seriously important for any student.

I asked 15 students who were not studying computing or cybersecurity about their online security behaviours and even though this was just an informal study, the results surprised me.

Given that technology is such a huge part of student life, it is alarming how many students are oblivious to or unconcerned about cybersecurity threats.

So, here are some simple cybersecurity tips that all students (and non-students) should know to protect themselves – do your homework!

1. Stick to HTTPS websites

Doing research for assignments requires students to hop between many websites every day – but how often do you actually check the search bar?

Make sure you check that each website you visit uses HTTPS (secure HTTP, where there’s a padlock in the address bar) rather than plain old HTTP.

13 of the 15 students asked did not know the difference between HTTPS and HTTP.

Fortunately, if an insecure web page asks for passwords or other personal information, most browsers will warn you not to enter it, because data in insecure web traffic can easily be snooped on as it travels across the internet.

However, it’s important that you know the difference between HTTPS and HTTP for yourself, to ensure that all communication is encrypted against eavesdropping as it travels between your browser and the sites you visit.

The web content you look at, and even the order in which you visit a series of web pages – especially if those pages are on sites you wouldn’t normally visit, but that you need to check out for research purposes – tell a story about you that is none of anyone else’s business.

2. Be cautious about scams

University students typically receive many emails a day regarding lectures, seminars, newsletters, student union activities and other university-related information.

Despite the flood of emails, you need to stay alert, and read emails cautiously – especially if they ask you to take some sort of action on your computer such as clicking a link, downloading a file, installing a new app or changing a system setting.

To prevent being scammed or phished (that’s where you get tricked into giving confidential information to the wrong person, e.g. via a phoney website), it is important that you ensure that the sender really is who they say they are.

If you’re not careful, you could end up disclosing information and details that should be kept private, including credit card numbers, details from ID documents such as your driving licence or passport, or your home address.

When it comes to personal data, use the mantra, “If in doubt, don’t give it out.”

3. Log out or lock your computer when you’re not using it

Many students use the library to study – but there are many distractions, even in a library.

Walking away from your laptop for just two minutes for a trip to the vending machine could be potentially dangerous if you “can’t be bothered” to log out or lock your computer before you leave it unattended.

Although it’s unlikely that there is going to be somebody lurking and waiting for you to leave your account open and free for them to use for a moment, it is better to be safe than sorry.

Better to spend a few seconds unlocking your screen or logging back in than to give someone a chance to mess with your settings, peek at your files or install some sort of malicious app to snoop on you.

Even if all that happens is that one of your “friends” posts a silly Facebook message behind your back, it’s still something you wouldn’t have said yourself that ends up online under your name.

Alarmingly, only 3 of the 15 students asked said they log out of their account or lock their system when they leave their laptop unattended in the library.

We recommend that you use a hotkey to lock the computer manually. Don’t rely on “autolock”, because that usually takes at least two minutes to kick in after you leave your laptop alone. Use Windows+L on Windows or Control+Command+Q on a Mac.

4. Get yourself a good password manager

Surprisingly, 13 of the 15 students said that they do not use a password manager.

Students are probably already drowning in passwords with all their social media accounts, and when university starts, the number of passwords inevitably increases.

When you have lots of passwords to remember, it’s easy to get into the habit of using the same (or at least very similar) passwords for every account.

In other words, if one of your accounts gets hacked, the person who hacked it immediately knows how to get into all your other accounts as well.

A password manager automatically chooses and remembers a strong and different password for each account.

It also helps to stop you from accidentally putting passwords into imposter sites (that’s what we described as “phishing” above), because the password manager keeps a record of the correct web page to use for each account.

Just remember to pick a really good password for the password manager itself!

For tips on picking proper passwords, including the password for your password manager, watch our How to Pick a Proper Password video (available on YouTube, with subtitles via the [CC] icon).

Reduce your cyberstress

Starting university can be incredibly nerve-racking, even without the new cybersecurity threats you face when you set out on your own into a world where you’re expected to spend hours online every day just to do the research you need to complete your course.

Trying these simple cybersecurity tips will help reduce your cyberstress – and will help you to keep your personal accounts and your private data to yourself!


S3 Ep17: Facemasks, hidden ads and paranormal hacking [Podcast]

What’s the connection between coronavirus facemasks and fingerprint biometrics? Who would have expected funky job ads on the White House website? And who would you call if you spotted a deceased former colleague hanging out on your network?

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Apple critical patches fix in-the-wild iPhone exploits – update now!

Apple, rather unusually in today’s cybersecurity world, rarely announces that security fixes are on the way.

There’s no equivalent of Microsoft’s Patch Tuesday, which is a regular and predictable fixture in anyone’s cybersecurity calendar; there’s no “new version every fourth Tuesday” as there is with Firefox; there’s no predetermined quarterly schedule for patches as you get with Oracle’s products.

Apple’s approach is to keep everything under wraps until a working update is ready, and then to announce its patches at the same time that they are available for download:

Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available.

Interestingly, Apple says that the official reason for doing it this way, rather than having a more regular process that you can plan around, is: “For the protection of our customers”.

Play your cards close to your chest

We understand the theory.

The idea behind security patches that “just show up” is that as soon as any update is announced or published, crooks and legitimate researchers alike start trying to work backwards from the fix in order to figure out the details of the underlying vulnerability and how it might be exploited.

Generally speaking, finding vulnerabilities in a complex software bundle is much easier if you know roughly where to start looking, in the same way that it’s a lot easier to solve a crossword puzzle clue if you know the first letter of the answer.

(Bear in mind that, although all security vulnerabilities are exploitable in theory, many or most bugs that get patched are close to impossible to exploit effectively in real life – you might be able to figure out how to crash a program, for example, but not actually to take it over and implant malware or steal data.)

So why give anyone, especially the crooks, advance warning of what’s coming?

Why not play your cards close to your chest so you don’t inadvertently give the crooks a head start?

The flipside of update secrecy

The flipside of this approach, of course, is that all Apple security updates – even comparatively unimportant ones that close off minor vulnerabilities that Apple itself discovered privately – feel like emergency updates, because they always arrive so suddenly and unexpectedly.

So you need to read carefully through Apple update notifications if you are interested in knowing whether they are “patches-as-usual” patches, or “OMG-patch-right-now-and-make-double-sure-it-worked” patches.

Amusingly, one rule of thumb is that the shorter the update notification email, the more urgent it is.

Short emails from the Apple Product Security mailing list imply that the patches you are looking at were so important all on their own that they couldn’t wait to be bundled into an update together with the other patches Apple was already working on.

(Of course, thanks to Apple’s update secrecy, you can never be sure what patches the company is working on at any moment, and that inevitable uncertainty is another weakness in Apple’s approach.)

Going by email length, the latest iOS and iPadOS updates, which take you to version 14.4, are ultra-critical, because there are just two items in the list, covering three vulnerabilities numbered CVE-2021-1782, -1870 and -1871:

Kernel
------
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A race condition was addressed with improved locking.
CVE-2021-1782: an anonymous researcher

WebKit
------
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1871: an anonymous researcher
CVE-2021-1870: an anonymous researcher

The real giveaway above, of course, is the pair of statements saying that “this issue may have been actively exploited”, which you can translate as “this is a zero-day bug that attackers already know how to abuse”.

Zero-days, as you know, are working attacks that the Bad Guys found first, so that even the best-informed sysadmins in the world had zero days during which they could have patched ahead of the crooks.

In other words, patch right now!

(Interestingly, there’s no update to the iOS 12.x series that’s still officially supported on some older iDevices such as the iPhone 6 and iPhone 5 – those devices are still on 12.5.1. Apple TVs do get an update, also to 14.4, and Apple Watches go to 7.3.)

The other giveaway of urgency in Apple’s notification is the presence of the telltale words below the information we quoted above, namely: “Additional details available soon,” which you can translate as “this one took us by surprise”.

Two bugs are more than twice as bad

As you probably know, actively exploited vulnerabilities such as the ones listed above often appear in the wild in pairs because they’re more dangerous when combined.

A kernel elevation of privilege bug (EoP) is dangerous on its own, because it could give an attacker access to absolutely everything on your device, not just to the data that belongs to an individual app.

But a local EoP bug is no use to an attacker who wants to implant malware on your phone remotely, for example via a booby-trapped web page, because the attacker needs to have a foothold on your device already.

Likewise, a remote code execution bug (RCE) in a single app is dangerous, because it could allow an attacker to dig into everything you do or have done with that app.

But a compromised photo app, for example, is no use to an attacker who is after your emails or your browsing history, because mobile phone apps are typically insulated from one another, meaning that one app can’t peek at another app’s files.

However, if crooks can combine an RCE and an EoP bug into a hybrid attack, they can use the RCE to get their initial foothold, immediately followed by the EoP to take over your device entirely.

In other words, patch right now!

What to do?

Even if you’ve got automatic updates turned on, go and check whether you have received the update yet.

If you check and you already have 14.4, you are done for now; if you don’t have 14.4 then your phone will offer to get it for you right away (do it!).

The screen to go to is: Settings > General > Software Update.

LISTEN NOW: UNDERSTANDING VULNERABILITIES

Learn more about vulnerabilities, how they work, and how to defend against them.
Recorded in 2013, this podcast is still an excellent and jargon-free explainer of this vital topic.



Ghost hack – criminals use deceased employee’s account to wreak havoc

Many, if not most, organisations will tell you that they have processes and procedures that they follow when employees leave.

In particular, most companies have a slick and quick procedure for removing ex-staff from the payroll.

Firstly, it doesn’t make economic sense to pay someone who is no longer entitled to the money; secondly, many countries require employers to withhold payroll taxes automatically, to pay them in promptly, and to account for them accurately.

Why get into trouble with the tax office over former employees when you can have a simple “staff leaving” checklist that will help to keep you compliant and solvent at the same time?

Unfortunately, we’re not always quite so switched on (or, to be more precise, not quite so good at switching things off) when it comes to ex-staff and cybersecurity.

History is full of stories of havoc wreaked by ex-employees who maintained both their grudges and their passwords or access tokens after being fired or laid off.

Some of these revenge attacks have acquired legendary status, like the man from the splendidly named town of Maroochydore in Maroochy Shire in Queensland, Australia, who used insider information and a purloined computer to “hack” the council’s waste management system.

This crook quite literally, if you will pardon the expression, showered the shire with… well, with 1,000,000 litres of raw sewage, by operating all the right pumps in all the wrong ways.

As amusing as this crime sounds with 20 years of hindsight – it happened in the year 2000 – the disgruntled former contractor caused an environmental hazard, including polluting a tidal canal, that took days to clean up.

He was caught, tried and convicted of 27 counts of unauthorised computer access, and one count of wilfully and unlawfully causing serious environmental harm:

“Marine life died, the creek water turned black and the stench was unbearable for residents,” said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.

Then there was the US sysadmin who was fired in 2009 and decided to get his own back by planting keyloggers on his former employer’s network, harvesting passwords until he had access to the accounts of senior staff, and then remotely hacking into a presentation by the CEO to the board of directors.

You can probably imagine what happened next.

Zoom bombing may be a new phrase in our vocabulary, but the technique of, ahem, replacing someone’s presentation in real time with NSFW material – porn, in a word – is not a new thing at all.

The offender in this case received a two-year sentence, but avoided prison because the judge suspended it.

And in 2019, a former sysadmin for a US Senator went on trial for stealing and revealing – what’s known in the trade as “doxxing” – the confidential personal data of several US members of Congress.

Ironically, the offender in this case had his logon accounts closed down when he was fired, but was still able to get physical access to his ex-workplace to install keyloggers and copy off gigabytes of confidential files.

Simply put, there’s a lot that can go wrong if your cybersecurity processes don’t deal reliably and rapidly with shutting down the access of staff who no longer work for you.

Ghost in the machine

Sadly, however, it’s not always grudge-filled ex-staff or rogue insiders whose accounts end up getting abused.

The Sophos Rapid Response team has just written up a recent case study of a network attack that involved the account of a sysadmin who had died three months before.

The account of the late employee wasn’t shut down because various internal services had been configured to use it, presumably because the deceased had been involved in setting up those services in the first place.

Closing down the account would have stopped those services working, so keeping the account going was, we’d imagine, a convenient way of letting the dead person’s work live on.

Indeed, we think it’s a rather nice memorial, a way of honouring the work of the departed sysadmin as well as ensuring business continuity in a part of the system that was already working properly.

Unfortunately, given that the dead person was not logging into and actively using the account any more, no one was there to notice that it wasn’t being used in the expected way.

Cybercrooks love orphaned or abandoned accounts, because they’re less likely to get caught out by the account’s regular user – in much the same way that Goldilocks would probably have avoided the attention of the Three Bears if she hadn’t had a go at everyone’s porridge, sat on everyone’s chairs, and slept in all their beds.

In this case, the active use of the account of a recently deceased colleague ought to have raised suspicions immediately – except that the account was deliberately and knowingly kept going, making its abuse look perfectly normal and therefore unexceptionable, rather than making it seem weirdly paranormal and therefore raising an alarm.

It ended in ransomware

Unfortunately, the attackers weren’t spotted until significant damage had been done, namely after they had unleashed the Netfilim ransomware (also known as Nemty) on the victim’s network and brought more than 100 computers to a standstill by scrambling all their data.

Even worse, when Sophos Rapid Response began investigating, having been called in almost immediately after the ransomware attack, they realised that the crooks had already had access to the network for a full month.

As you probably know, many ransomware attackers these days use the final scramble-all-the-files stage not as their primary vehicle to blackmail the unfortunate victim, but merely as a sort of attention-grabbing finale.

After all, you can recover from file-scrambling ransomware without paying if you have a recent and reliable backup…

…but what you can’t do after it’s happened is “unsteal” files that the criminals have quietly copied off your network in the days leading up to the final drama of the encryption attack.

Two-pronged blackmail

Sadly, many of today’s ransomware extortion demands have two prongs of blackmail: pay up or we will delete the decryption key to get your precious files back, and pay up or we will not delete the files we’ve already stolen.

If you don’t pay, the crooks threaten to send your confidential data – and data about your customers, which the crooks have probably got hold of as well – to the regulators, to the media, to other crooks, and even, in many cases, to publish them on their own darkweb “name-and-shame” sites where anyone can download them for any nefarious purpose they like.

Sophos Rapid Response discovered that the data exfiltration in this attack was already finished by Day 24 of the crooks’ 31-day infiltration – the attackers had apparently used the well-known (some might even say infamous) encrypted New Zealand-based cloud service MEGA to steal and store the victim’s data.

For two weeks before that, the crooks had been snooping around quite generally, quietly setting up additional accounts – this time, not of dead staff but of people that didn’t exist at all.

Incidentally, one of the reasons the crooks take their time before adding their own accounts, directories, registry entries, programs and services is that they like to get a feel for your network and your nomenclature first, so their unauthorised additions don’t stand out as unusual.

The crooks also like to discover what system administration and hacking tools you already have on your network, so that they can “borrow” ones that exist already, thus raising less suspicion than if they downloaded their own favourites – a technique known in the jargon as “living off the land”, or simply “fitting in well” to you and me.
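The two warning signs described above, a departed sysadmin’s account still being used and new accounts appearing for people who don’t exist, as an added example that is not code from the Sophos Rapid Response write-up: detection logic run over constructed authentication events, with a constructed HR roster and service-account list. Every username, host, address and timestamp is made up for illustration.

```python
"""Spot abuse of orphaned, service and freshly invented accounts.

Added example, not code from the Sophos Rapid Response write-up: constructed
authentication events are checked against a constructed HR roster and a list
of service accounts with the usage their owners expect. Every username, host,
address and timestamp below is made up for illustration.
"""
from datetime import datetime

# Constructed HR roster: the only people who should be logging on at all.
ROSTER = {"jdoe": "active", "asmith": "left"}

# Constructed service accounts, each tied to the person who set it up and to
# the hosts it should authenticate from; none of them should log on interactively.
SERVICE_ACCOUNTS = {"svc_backup": {"owner": "asmith", "hosts": {"BACKUP01"}}}

# Constructed log lines in a simple key=value shape.
EVENTS = """\
2021-01-02T01:00:00Z host=BACKUP01 event=logon user=svc_backup type=service src=10.0.1.20
2021-01-03T02:14:09Z host=FILESRV02 event=logon user=svc_backup type=interactive src=10.0.5.77
2021-01-03T02:20:41Z host=DC01 event=logon user=asmith type=remote src=10.0.5.77
2021-01-04T23:58:00Z host=DC01 event=account_created user=bwilliams by=asmith
2021-01-05T09:00:00Z host=LAPTOP7 event=logon user=jdoe type=interactive src=10.0.9.3
"""

def parse_event(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed timestamp."""
    stamp, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event

def orphaned_service_accounts(roster, service_accounts):
    """Hygiene finding: service accounts whose human owner is no longer on staff."""
    return sorted(name for name, svc in service_accounts.items()
                  if roster.get(svc["owner"]) == "left")

def check_event(ev, roster, service_accounts):
    """Return alert strings for one event; an empty list means it looked normal."""
    alerts = []
    user = ev["user"]
    if ev["event"] == "logon":
        if roster.get(user) == "left":
            alerts.append(f"{user}: leaver account logged on to {ev['host']} from {ev['src']}")
        svc = service_accounts.get(user)
        if svc:
            if ev["type"] == "interactive":
                alerts.append(f"{user}: service account used interactively on {ev['host']}")
            if ev["host"] not in svc["hosts"]:
                alerts.append(f"{user}: service account seen on unexpected host {ev['host']}")
    elif ev["event"] == "account_created":
        creator = ev.get("by", "?")
        if user not in roster and user not in service_accounts:
            alerts.append(f"{user}: account created by {creator} for nobody in the HR roster")
        if roster.get(creator) == "left":
            alerts.append(f"{user}: account created by leaver account {creator}")
    return alerts

def scan(log_text, roster, service_accounts):
    """Run every log line through check_event and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        alerts.extend(check_event(parse_event(line), roster, service_accounts))
    return alerts

if __name__ == "__main__":
    for name in orphaned_service_accounts(ROSTER, SERVICE_ACCOUNTS):
        print("REVIEW:", name, "is owned by someone who has left")
    for alert in scan(EVENTS, ROSTER, SERVICE_ACCOUNTS):
        print("ALERT:", alert)
```

The orphaned-owner finding is reported once as a hygiene item rather than on every logon, so a service account that is legitimately kept alive after its owner leaves does not drown the interactive and unexpected-host alerts in noise.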

What to do?

  • For a summary of the steps you can take to stop your own user accounts being abused, please see the Sophos Rapid Response report.
  • For a list of the Indicators of Compromise (IoCs) for this particular attack, including the Netfilim ransomware and the MEGA file uploading tools, please see the SophosLabs GitHub account.
  • For advice on dealing with cybercriminals in the 2020s, please listen to this well-informed podcast with John Shier, Sophos Senior Security Advisor:

LISTEN NOW: 20 YEARS OF CYBERTHREATS THAT SHAPED INFOSEC


