The Technology blog and podcast

This is for the technology blog and podcast Commentary, articles, and podcasts




The Security box, podcast 43: 2 topics of interest as well as news notes and more

Welcome to another Security Box program, folks. I’m happy I’ve gotten some time to get this to you.

The program lasts about 104 minutes and you’re welcome to participate as well.

We’ve got a dial-in number that goes right into my Live Wire box. It’s 623-263-8934. Press the option to leave a voice message if you wish to do so, or check out any of the programming I’ve got up there.

Here is the 96.02MB file for you to download if you can’t use the RSS feed.

Here are the show notes for everyone with links to the various topics and news items for this program.


Welcome to the Security Box, podcast 43. On this edition of the podcast, we’ve got two topics. The first talks about a fake vaccine website that is now shut down, thanks to the US Government. The second topic talks about the Exim 21 bug that recently hit headlines. We’ll have news, notes, your questions and comments, and any catch-up from older podcasts.

Topics


Sans News Bites

We hope you enjoy the program as much as we have bringing it together for you. See you next week!


Podcast catchup: links to podcasts 38-42 of the security box

Hello,

Since I’ve decided to go ahead and offer the podcasts as links, there are podcasts that have not yet been linked.

I’m going to link them here, feel free to download them!

We have full show notes for all of the programs, let me know if you need a copy by sending me an email to tech at menvi.org. Thanks for reading, more soon!


The Security box catchup, podcasts 41 and 42 show notes

Hello all,

After some technical difficulties and my decision to give you download links, we’re happy to bring you the backlog of show notes and links to the last two podcasts.

First, let’s go ahead and get the links out of the way.

Now, let me bring you the show notes for podcast 41, which was last week’s podcast. Starting with this podcast, we’re only linking to the articles, as my notations are read to assist me in the discussion anyway and have caused problems with the show notes for the main RSS feed.


Welcome to the Security Box, podcast 41. On this edition of the podcast, we’re going to talk about Ubiquiti and their big-time breach, as well as something I recently read about Park Mobile and their potential breach. We’ll have news, notes and more.

Topics:

Both of these articles are from Krebs on Security, and while they’re a bit old, you can’t deny that they are worth talking about. The companies ought to be ashamed of themselves.

A bit of sad news:

🙁 Security Researcher Dan Kaminsky died Saturday at age 42 of complications (ketoacidosis) from diabetes, which he had struggled with for years.
Security Now! researchers know of Dan’s discovery of a critical weakness in the DNS servers at the time.
He will be missed.

News Notes


Now, let’s bring you today’s program and its show notes. I’m sure that we’ll have some comments, and I’ll make sure the RSS is updated with today’s program. I hope you enjoy.


Welcome to the Security Box, podcast 42. I think I’ve got two very interesting topics. One of these topics is the ongoing saga over at Experian. We know they had a big-time breach, but do we really know what else is going on at the company? Brian has the entire details. Finally, in the topic department, we know ransomware has taken a big toll during the pandemic and there is no slowing down in that department. According to Cyberscoop, demands are higher by 43 percent so far in 2021. We’ll talk about it. I’ll also give you some news and notes, although they may be dated. Your questions and comments are always welcome, so please get in touch! I hope you enjoy the program as much as I have putting it together!

Topics

We used to put all of the notations within the file, but I’ve decided against that unless people want me to do that. I’ve heard nothing, so I’m reverting back to linking to the articles, and letting people decide on what interests them.

News Notes

In another blog post, I’ll link to podcasts 36-current for everyone in a list without any additional show notes. I hope that you guys enjoy, and thanks for listening!


The security box, podcast 40: Windows Update and ransomware in the manufacturing industry

The RSS has the updated podcast. Due to little download usage, we are not providing any more links for download.

If you wish to have a downloaded copy and you don’t have RSS, let me know and I’ll upload and have an email sent to you from a service.

At some point, we will disable all download links by cancelling Sendspace but it will not be done right away.

Below, please find the show notes for today’s program.


Welcome to podcast 40 of the Security Box. On this podcast, we’re going to have our main topic that deals with the Windows Updates which you may have been prompted to install. Instead of news notes, I’ll pick a few of the articles and we’ll see what you think about them as I’ll give my thoughts. No full news notes this week, but plenty of content to boot. We hope you enjoy the program, and thanks for listening!

Topic: Windows Updates for April 2021

Windows, like a lot of software, gets updated each and every month. This April batch is a record high for this year, according to Trend Micro’s write-up of the patches.

According to the Trend Micro article, 114 patches were released for April, with only 19 classified as critical, 4 publicly known, and one being exploited in the wild. Five vulnerabilities were submitted through Trend Micro’s Zero Day Initiative program.

We know that the Exchange Server fiasco has really caused some headaches over at Microsoft. Exchange was dominated by 16 different problems dealing with RPC, or Remote Procedure Calls. Out of the 16 critical updates for Exchange, the majority (12) were flaws in the RPC runtime. The RPC runtime has to do with programming, and not necessarily with user behavior. There were 15 further vulnerabilities that affected the same runtime, according to Trend Micro.

If we haven’t had any trouble with Exchange before, we do now. Besides the RPC vulnerabilities, 2 additional CVE numbers were designated. They are CVE-2021-28480 and CVE-2021-28481. The CVSS score for both CVEs is 9.8.

It’s interesting to note that, according to the Trend Micro article, both of the CVEs were credited to the National Security Agency (NSA), and it suggests that both should be patched as soon as system administrators are able to do it.

Besides that, if you use the Windows Media Video Decoder, there are two vulnerabilities with it. The CVE numbers for these are CVE-2021-27095 and CVE-2021-28315. They could lead to remote code execution if a specially crafted video were sent to you and opened.

Besides these, Trend Micro’s article talks about some important updates which some may want to be aware of. If you use Visual Studio, you should look at the Trend Micro article from these show notes, as there are CVEs for it. For my normal computer users: Visual Studio is used for programming and is not used by the average user.

Key networking components are also affected. Two of these, CVE-2021-28324 and CVE-2021-28325, affect the SMB component, which handles file sharing.

There are several affecting the TCP/IP portion of Windows, which deals with routing across the Internet. Two of these lead to denial of service problems, and a third leads to information disclosure. The Trend Micro article should be read to see if you need to worry about these, as the CVE numbers are given within it.

Krebs on Security gives highlights and even links to several CVEs, as well as a Microsoft blog post talking about the updates that may affect readers. Both articles are worth the read, especially Trend Micro’s, so find the articles and see what is of importance to you.

Topic: Ransomware hitting the Manufacturing Industry: Victims aren’t coming forward

The sectors of business are starting to get hit with ransomware. Ransomware is defined as malware that is intended to lock up a computer and force people to pay money, in the form of Bitcoin, to get their files back. The ransom notes are usually on the screen and instruct the victim where to go to get help; some gangs even have support agents available to answer questions such as where to get Bitcoin from a retailer.

Today’s article was read last week and talked about this now hitting the manufacturing industry. We’ve talked about numerous articles that mentioned how hospitals were affected by ransomware and two or so articles talking about how someone was killed because ransomware affected their care at a hospital and had to be transported some 70 miles away.

The article, written by Cyberscoop’s Sean Lyngaas, starts out with a true story on how Norsk Hydro had to pay 90 to 110 million dollars because production halted for weeks as they tried to figure out what was happening. Halvor Molland is the senior vice president of communications for the company, and he had to respond to this incident. It’s unfortunate that this occurs, but with everything connected on one network, it’s no wonder that they got hit. This company isn’t the only one that has been affected by this type of thing; look through the tech blog and find ransom articles. You’ll find story after story on companies getting hit.

Norsk Hydro did something that nobody has ever done in this industry. They told their story and did it in vivid detail including releasing video interviews and telling their story of what happened. This is probably the first time we’ve actually heard of someone telling their story and we can get a picture of what they did, what they were doing, and how they were going to fix the problem.

I understand and know that ransomware attacks are mistakes. Someone clicks a link because they believe whatever the email is that they get is real, and that can happen with anybody at any company, big or small.

Even two years later, this candid reporting by the team at this manufacturing company stands out as ransomware continues to plague industries across the world during this awful time. The actors have taken advantage of the pandemic like it’s the last thing they can do before the world blows up.

You know what’s sad? Cyberscoop tried to contact many different companies that were compromised by Ransomware in the last 2 and a half years. Nearly all either declined or didn’t respond to the inquiry.

To top it all off, Honeywell, a thermostat company that also endeavors in other things, declined to tell its employees and even us if we are affected by this breach at their facilities since data can be taken through the Internet these days. Honeywell has not said a word to anyone about their potential issue.

There is more, including news on the Honeywell incident which indicated that they did have a problem but it “wasn’t a big deal.” You can read the article as part of these notes for the entire detail. Let’s open it up, and get your thoughts!


The Security box, podcast 39 for April 14, 2021

Welcome to podcast 39 of the Security Box. Looks like we’ve got commentary from the replay of broadcast 38’s airing. We’ll answer any questions from those comments, if any, as well as talk about yet another story I read afterward in regards to Facebook and why it might be a good idea to remove your telephone number or use something like Google or Text Now as your number instead of your primary one. We’ll have news, notes, commentary and more. We hope you enjoy the program as much as I have bringing it to you. Thanks for listening!

Topic: More on Facebook, why Brian Krebs deleted his Facebook account

In an article that I read on April 7th, Brian goes into detail on why he eventually deleted his Facebook account in 2020.

One paragraph of the article says:

The phone number associated with my late Facebook account (which I deleted in Jan. 2020) was not in HaveIBeenPwned, but then again Facebook claims to have more than 2.7 billion active monthly users.

We know that Facebook has never been trustworthy after any type of incident, and I honestly don’t believe that Mr. Krebs couldn’t be part of the 533 million people affected by the breach. Checking with the site, yours truly isn’t affected either, but I honestly wouldn’t believe it nowadays, especially since news of this is two years old.

The supposed database has been kicking around the Internet cybercrime community since last summer, according to the article. I’ve never seen any of these databases, and with the massive number of databases out there and what they contain, who could confirm every piece of data in them? I like Have I Been Pwned and what it is trying to offer, so don’t get me wrong when it says that I’m not in there when I put my mobile number in the site to check.

We now learn that the database has been up since June 2020 and includes names, mobile number, gender, occupation, city, country and marital status. It includes data for 100 different countries, and there is a link to a January 2021 Twitter post within the article.

KrebsOnSecurity goes on to talk about what might happen if someone with malicious intent gets ahold of your mobile number. One of the things that could happen is your phone number changing hands, otherwise known as a SIM-swapping attack. This happens because an employee at the store where you got service is tricked into changing the account information over to the attacker, and you don’t find out until you use your phone.

Brian talks about how it is probably time to remove your number from services like Facebook once verification of the account is complete. I’m almost tempted to do this myself. There is a very interesting paragraph that caught my attention. It says:

Why did KrebsOnSecurity delete its Facebook account early last year? Sure, it might have had something to do with the incessant stream of breaches, leaks and privacy betrayals by Facebook over the years. But what really bothered me were the number of people who felt comfortable sharing extraordinarily sensitive information with me on things like Facebook Messenger, all the while expecting that I can vouch for the privacy and security of that message just by virtue of my presence on the platform.

We can’t vouch for the privacy of a sensitive message just because we’re on the platform. I’ve never used Facebook or its Messenger client for anything secure anyway, but that paragraph is very important.

“Are You One of the 533M People Who Got Facebooked?” is the question and article title we’re talking about in this segment; do read the article.

News Notes and more

  • According to an article found on April 8th and written the day before, Shopify let data go, and it isn’t as we would think. According to the article, a California man, Tassilo Heinrich, is charged with identity theft and conspiracy to commit wire fraud, while two people outside the United States were not charged. These other two were located in Portugal and the Philippines, according to the article. I don’t understand why these two outside of the United States aren’t charged; they received stolen data and could have had the opportunity to use it. “California man indicted for stealing Shopify customer data” is the article; do give it a read.
  • Think ransomware is going away? Not so fast! This time, an article talks about gangs emailing customers of the companies that they hack to tell the customer that the company got hacked. The purpose of emailing customers is of course to get the company to pay up, although as we know, paying doesn’t necessarily mean anything, as ransomware gangs are only in it for the money. “Ransom Gangs Emailing Victim Customers for Leverage” comes from Krebs on Security and is definitely a good read.
  • I blogged about this article on the tech blog, but it never made it into news notes from what I can recall. Brian Krebs talked about someone who registered the domain krebonsecurity.top and what they’re using it for. I’ll just quote one of the paragraphs outright; it says: “Let’s just get this out of the way right now: It wasn’t me.” The article talks about the Shadowserver Foundation, who has tracked the Exchange Server attacks and their progress of getting patched, or lack thereof. According to the article, David Watson, a director of the Shadowserver Foundation Europe, tracked hundreds of unique variants of backdoors that allow the actors to keep access. What was very interesting to me was the fact that an executable was called krebsonsecurity.exe, and Brian talking about this plus the malicious domain made the article worth blogging. I just didn’t have a chance to put it into news notes till now. Read “No, I Did Not Hack Your MS Exchange Server” for all of these very interesting details.
  • So there was a breach of a water utility in 2019. Cyberscoop’s Sean Lyngaas wrote this article on a Kansas man who was indicted because of that breach. Wyatt Travnichek is alleged to have done it, as they claim he logged in to Ellsworth County Rural Water District’s computer system in 2019 without authorization. This unauthorized access led to a shutdown of the facility in question. He is also charged with causing damage to a computer system. According to customer service representative Angela Naegele, the drinking water supply was not affected. There is no word on whether he bypassed any security controls. “Kansas man indicted in connection with 2019 hack at water utility” is the article; go on and check it out.
  • Finally, in the “I can’t believe I heard this article” department, Michael in Tennessee read this article via Ars Technica, which really started me thinking about this company’s security posture. The company’s name is Q Link Wireless. They apparently had an app that allowed you to enter any customer telephone number, which you had to know. After doing this within their application for iOS and Android, the person could see anything they wanted within the account with “no password required.” According to the article, this company is known as a “Mobile Virtual Network Operator.” They are based in the state of Florida. It provides government and subsidized phones to people who qualify under the Lifeline program. They apparently serve at least 2 million customers, according to the article. I suggest you check jaredtech.help, as I have a bunch more to say in regards to this story; suffice it to say, they apparently closed this hole by fixing it server-side, with no communication with any researcher or anyone who reported this to the company. For full reading of this disaster, I give you “No password required: Mobile carrier exposes data for millions of accounts: Q Link Wireless made data available to anyone who knows a customer’s phone number.” Have fun!

We hope you enjoy the program as much as I have bringing it together, make it a great day!


The Security box, podcast 38: Facebook at it again, news, notes and more

Hello folks,

The RSS is updated with today’s program, which was aired on the Independent Artist channel on the Mix. Don’t have RSS? Don’t worry! Here is the 100.8MB file.

Below, please find the entire show notes for all to read. The News Notes section is shorter due to time constraints, but good stuff too.


Welcome to the Security Box, podcast 38. This week, we had planned to go back to DKIM and have a discussion on it, but we aren’t going to do that. Why? It looks like news has gotten out about Facebook’s 2019 breach and the 535 million people whose information may now be out there on the free Internet, as well as it already being sold on the dark web when the initial breach occurred. We’ll have news, notes and more, as well as your thoughts and comments to boot. Enjoy the program!

Topic: Has Facebook done it again?

Michael in Tennessee sent me an article from Phone Scoop, and I also saw the article we’ll be taking from, which came from Cyberscoop. It looks like Facebook is really paying for a 2019 breach in which 500-plus million people’s information, including phone numbers, was exposed somehow and later patched by Facebook.

The data, which comes from people from over 100 countries, includes users’ phone numbers, email addresses, full names, birthdates and location, among other identifiers, according to Insider, which first “reported the news.”

The leak was first reported by Motherboard, according to the article. The only thing that I’m unclear on is the section that talks about the fact that the leak was reported by Motherboard in January.

The information was made available by paying a Telegram bot a couple of bucks for the details, according to the article. According to the article, Facebook removed the ability to search for people by telephone number after the breach. Facebook will be probed by Ireland, and it’s unclear if the United States will follow suit through the FTC.

The article goes on about what the actors may do with the information now that it has been made available for free. The website Have I Been Pwned has been updated by Mr. Troy Hunt with the information that was made available by the breach.

For more information and to read the full article, “533 million Facebook users’ personal data leaked online” is the article; do read this.

News Notes for podcast 38

  • Office 365 is no stranger to attack. A PhishLabs article talks about the latest threat. This time, actors can mimic websites by using Google’s API through Google Ads, which allows redirects to wherever they want. The issue with this one is that once you log in, they capture your credentials as well as sending you on to your account. For complete information, “Breaking Down the Latest O365 Phishing Techniques” is the article, which will walk through this entire process.
  • Ubiquiti is back in the news. A post by Krebs on Security talks about the latest drama at the company, which has now come out saying that there was a problem. After making a change that forced people to log in to their network, users were later told to reset their passwords because a “third-party cloud provider” may have been breached. There’s more, including the very interesting point that this company should have invalidated all credentials. “Ubiquiti All But Confirms Breach Response Iniquity” is the article. This is going to get very interesting now.
  • Finally, due to time constraints, I’ve got some good news I want to pass along. Another dark web boss has been caught, and this guy pleaded guilty. This boss was behind the selling of heroin, firearms and hacking tools. He pleaded guilty to charges of money laundering. Tal Prihar was captured by French authorities. Read Cyberscoop’s article “DeepDotWeb boss pleads guilty to laundering millions” for more.

Thanks so much for listening!


The Security Box, podcast 37: The Beginning of DKIM and other stuff

It looks like I did not put the show notes up on the blog for podcast 37’s Security Box. Sorry about that!

The RSS feed has been updated with the program.

Don’t worry, those who don’t have RSS can get the 166.76MB file right here.

Want the show notes? You’ve got those coming right up.


Welcome to the Security Box, podcast 37. On this episode of the program, we’re going to talk about something I don’t think people know much about dealing with email: verification of domains in the process, the standards for what it is and how it came to be. We will also cover a very interesting webinar that I listened to by Trend Micro that dealt with the security predictions for 2021. We’ll also have news, notes, questions, comments and more as the show progresses, and the listeners’ choice on whether they have something to contribute. I hope you enjoy the show as much as I have bringing it together for you, and thanks so much for listening!

Topic: DKIM

DKIM is the short form of a longer term, DomainKeys Identified Mail. This may take several programs to cover, and I think it’s time, seeing how we had some issues that were the result of it in passing. I’ll talk about those issues in this episode and we’ll get through some of the document.

Webinar: Turning the Tide: Security Predictions 2021

This was quite eye-opening. Usually these predictions are in writing on a blog, and we can pick them apart. This time it’s in a video, and I hope people enjoy it. I did.

News Notes and more

  • Phishing is definitely continuing to be the topic of the landscape now more than ever, even with the pandemic continuing to rage on. In an article I spotted on PhishLabs, they analyzed 100,000 different phishing websites, because they indicate that some are on free hosts, some are compromised websites, and yet others may be expired domains that the actors snatched up. The site analysis took place over a three-month period, and they found the following: 38.3% used compromised websites, 37.4% abused free hosting services, and 24.3% used maliciously-registered domain names. Within the article, the different terms such as “maliciously registered” are defined. There are two main headings, “Discerning Compromised vs Malicious Domain Registration” and “Free Hosting Abuse,” which should be read if nothing else. This was definitely a great read, and news worth sharing. “Most Phishing Attacks Use Compromised Domains and Free Hosting” is the article.
  • Shortly after podcast 35’s airing, there was an article posted that made it into Trend Micro’s “This Week in Security News” roundup, which is posted to our blog. While I’m not going to link to that roundup in news notes, one article about the SolarWinds breach came to light. According to a Swiss firm, an actor had APT access to networks for quite a while. The name of this group is Silverfish. The firm named in the article is called Prodaft. Silverfish carried out a sophisticated attack on at least 4720 targets, which included governmental institutions, global IT providers, dozens of banking institutions in the U.S. and EU, major auditing/consulting firms, one of the world’s leading Covid-19 test kit manufacturers, and aviation and defense companies. The hackers worked a normal day, Monday through Friday, 8 AM to 8 PM, according to the article. The report is linked within the article, which is entitled “Swiss Firm Says It Has Accessed Servers of a SolarWinds Hacker,” so go ahead and read this one if you read nothing else.
  • Speaking of phishing, we can’t forget to mention the fact that Covid-19 scams are still out there. A Cyberscoop article goes into detail about the recent rounds of phishing pages that ask for credentials to Office 365 accounts, sent along with an email about potential issues or otherwise in regards to the vaccines. All of us now have a chance to get vaccinated; check with your state or pharmacy for complete details for your needs. “COVID-19 vaccine scammers are still lurking” is the article, and please give it a read.
  • Finally, patching after the massive flaw in Redmond is well under way, with 92 percent of servers now patched after the biggest breach in business history to date as far as we’re aware. There are lots of links within Cyberscoop’s article, so it’s best to read the article entitled “Patching is trucking along on Microsoft flaws, but hackers are still meddling.”

Thanks so much for listening, and make it a great day!


The Security box, podcast 36: Choosing a good password manager

Happy Saturday, folks, and welcome to the Security Box for this week. I normally get the blog up within 24 hours; better late than never posting it at all.

The show notes are extensive as normal, and I think it’s the way to go so people can read my thoughts on the items as well as listening to them on the podcast.

The RSS has had the program up. Here is the link to the RSS for those who need it.

Don’t have RSS? Here is the 156.28MB file for you to get.

I hope those who listen find the shows of value, and I’ll be back this coming Wednesday on the Independent channel of the Mix’s suite of servers for another edition of the program.


Have you really thought about password managers lately? If not, the main topic may be of interest to you. While there were no calls this week, I feel the way I did the notations and led the discussion may make you think about whether it’s time to get one.


Welcome to podcast 36 of the Security Box. On this edition of the program, we’ll be talking about password managers. Herbie Allen is along with a Things to Ponder section talking about scams, one in particular dealing with Amazon. We also have a webinar that will be of interest from F-Secure. We’ll have news, notes and more. Hope you’ll enjoy the program!

Topic: Choosing a good password manager

LastPass writes good articles, and this one is no different. How would you choose a good password manager? There are five things that could shape your decision highlighted within this article. They include:

  • How many devices do you own? 
  • What are those devices (Android, Apple)? 
  • Who do you need to share with? 
  • What other type of information would you want to store besides passwords? 
  • Are you concerned about data breaches and your personal information being at risk? 

While the article talks about LastPass features, the heading entitled “Choosing a password manager” goes into detail about the different tiers of LastPass. There are definitely alternatives, and you can explore those alternatives. While LastPass has lots of features, you don’t need all of them, and you alone need to decide what will work for you.

Webinar: Attackers Get Personal | F-Secure Live Webcast

Over the weekend, I decided to go through YouTube and found this very interesting webinar. It covered three different topics by three different people.

About the webinar:

Taken directly from YouTube, it states:

Get an inside view into the cyber threats that challenge our recovery from the pandemic and beyond.

Highlights from the Threat Landscape – Christine Bejerasco

2020 was an unprecedented year. But did this reflect in the threat landscape? Christine takes a look at various areas that highlight some of the threats recently encountered.

Healthcare data under attack – Mikko Hyppönen

The healthcare industry’s outdated IT and security infrastructure has caught the attention of cyber criminals, right when we need it the most. Mikko will discuss what we can do to secure our most essential industry.

Thinking like an attacker – Tomi Tuominen

The different stages of a targeted attack keep evolving. Tomi offers the latest insight into how attackers think and how to make their life more difficult.

Topics covered

  • Which threats businesses must face
  • How cyber criminals threaten the health care sector
  • Why a good cyber defense depends on seeing weaknesses through an attackers’ perspective

What to Watch

Things to ponder

Herbie Allen, main owner of the Mix, will be submitting something of interest dealing with scams and Amazon. It’s a three-minute listen, and we can open it up to thoughts on that. I later show a recent text message, go through the link, and show you what’s going on with the link.

News Notes and commentary

  • Fiserv used an unclaimed domain that sent out email to customers for various email tasks like verifying accounts, automating password resets and other tasks that may not have been thought of. A researcher, Abraham Vegh, contacted Krebs on Security to discuss what he found with the unclaimed domain, which he bought so he could see what was arriving at it. Some of what he saw included bounce messages, out-of-office replies and even more. To read more, read the Krebs on Security article entitled “Fintech Giant Fiserv Used Unclaimed Domain” for all of the details.
  • Is it really time to get rid of SMS verification? I think it’ll be time sooner rather than later. Customer service representatives can be tricked into changing account info, especially if they are low paid, according to the article from Krebs on Security. The article talks about a company called Sakari, which offers a $16 product that allows you to receive text messages from any phone number in the United States. The letter of authorization that needed to be signed by the customer indicated that it could not be used for harassment, inappropriate behavior, or anything possibly violating the law. As the researcher has indicated, people were able to sign up with the service and do what they wanted. When approached with more detail, the researcher in question said that it was not just this company that can do this. The article goes into more detail on this research, including SIM swapping and other tactics that might be used. The question Can We Stop Pretending SMS Is Secure Now? should be asked, and the article is well worth the read.
  • You think Joker and his stash of jokes are gone? Let’s think again. According to a Trend Micro report, not so fast. I’m not sure what happened to the article; somehow parts may be missing. We’ll link it here, but they’re back to their old tricks, which may be new. This article talks about signing up for services by selecting the phone operator, putting in the MSISDN (Mobile Subscriber Integrated Services Digital Network number), getting a one-time password, entering that code and bingo, you’re subscribed to services. While the text I have may have been truncated, the article should be read just the same. No Laughing Matter: Joker’s Latest Ploy is the article; take this very seriously.
  • Think using one password was absolutely safe? Better think again. According to an article by LastPass’s Amber Steel, hackers found a username and password online, used it, and gained access to 150,000 cameras in places like schools, fire departments, offices, gyms and more. These are security cameras for some 24,000 customers. The article linked here will have more. 150,000 Security Cameras Hacked Because of One Password is the article; give it a read. Think about changing your password immediately.
  • WeLeakInfo is back in the news, but probably not in a good way. According to an article by Krebs on Security, the site now leaks information about the customers that were at the site buying and selling information. The first paragraph says:

    A little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com, a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. In an ironic turn of events, a lapsed domain registration tied to WeLeakInfo let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card.

    The article talks about putting an email address in the site, and getting all possible passwords available with that email address. There’s more, WeLeakInfo Leaked Customer Payment Info is the article, better take a look at it.

  • Finally, we’ve got some good news in two Infraud members getting arrested and charged. These two have also been sentenced. According to the article, “in fraud we trust” is the mantra of the group, and the two people are named Sergey Medvedev of Russia and Marko Leopard of North Macedonia. There’s more to the story, so read Two Infraud members sentenced for role in $568 million crime gang, US says, and we hope that it will be called “In Fraud we don’t trust” in the future.

Thanks so much for listening to today’s program and reading the accompanying notations. We hope you’ve enjoyed the program as much as I have putting it together for you, and make it a great day!

Comments (0)

Attackers Get Personal | F-Secure Live Webcast | Christine Bejerasco, Mi…

The other day, I was looking in my YouTube feed and found something I thought would be interesting to share, and even have it aired on the Security Box. Attackers Get Personal | F-Secure Live Webcast | Christine Bejerasco, Mi… is the webinar hosted by F-Secure, and several people, including Mikko Hyppönen, take part. Hope you enjoy it.

Comments (0)

The Technology podcast series presents podcast 35 of the Security Box, audio-centric applications like clubhouse

Welcome to the security box, podcast 35. The program, I think, was very interesting, and we covered everything I had on file.

I’m thinking of changing the show notes for the RSS to have just the links to things, and the extended version for the blog, as I have done it a little bit differently.

The RSS feed has the program and had it on Wednesday.

Don’t want to deal with RSS? Here is the 91.31mb file for each of you to download.

Show notes


Welcome to the security box, podcast 35. We talk about Clubhouse, the security of audio apps like clubhouse and what experts are saying. We also have news, notes, questions, comments and more. Enjoy!

Topic: Apps like Club House and audio-centric apps and their security

Sex workers, for instance, have historically encountered abuse, harassment and employment discrimination in instances when aspects of their private lives are made public. The issue is particularly acute on Clubhouse, where users must agree to share their list of contacts with the app in order to invite a friend. Even users who declined to share their contacts with the app could have identifying information exposed in the event that one of their contacts authorizes Clubhouse to access their information.

The result has been to inadvertently out sex workers, and then make it difficult for affected parties to delete their account, and thus protect themselves, as Mashable reported. 

Is it necessary for apps like this to mass-collect the contact details of everyone on their phone? LinkedIn, the work version of Facebook, collects contacts so that if they do join, you’re notified. I don’t have a problem with this practice, but Facebook, Twitter and even Clubhouse seem to collect data just because. Facebook has notified me of people joining, but I may have telephone numbers for doctors and the like that will become theirs. Google Voice and Hangouts utilize the contacts so I can use Google to call them, and I’ve not had a problem with giving that permission. I believe WhatsApp even does this.

According to the article, researchers at Stanford University found that Agora Inc. transferred information of Clubhouse users to servers in China. Agora is a Shanghai-based provider of engagement software. They apparently transmitted Clubhouse users’ ID numbers and chatroom ID details, though not their usernames, in plaintext. The discovery meant that Agora would have had access to some raw Clubhouse audio files, and as a China-based company could be required to provide that information to the communist government.

I read Clubhouse’s rules on how they intend recordings to be managed: the recording is made during the time of the room’s existence, and it is deleted if nobody flags it as part of a review process for abuse.

There were other aspects talked about in this article that came to light, and will be addressed, according to clubhouse representatives.

In another article, Trend Micro talks about the security implications of apps like Clubhouse and the potential for information to be stolen. Some of these applications can even be used for command-and-control (C&C) servers. Trend Micro has information on sample attacks that can be used on apps like this.

The attack points are: Network Traffic Interception and Wiretapping, User Impersonation and Deepfake Voice, Opportunistic Recording, Harassment and Blackmailing, Underground Services, and Audio Covert Channels.

There are best practices Trend Micro recommends.

  • Join public rooms and speak as if in public. Users should only say things that they are comfortable sharing with the public, as there is a possibility that someone in the virtual room is recording (even if recording without written consent is against the Terms of Service of most, if not all, of these apps).
  • Do not trust someone by their name alone. These apps currently have no account-verification processes implemented; always double-check that the bio, username, and linked social media contacts are authentic.
  • Only grant the necessary permissions and share the needed data. For example, if users don’t want the apps to collect all data from their address book, they can deny the permission requested.

The article even has information here for providers to implement if they haven’t done so already. They include:

  • Do not store secrets (such as credentials and API keys) in the app. We have found cases of apps embedding credentials in plain text right in the app manifest, which would allow any malicious actor to impersonate them on third-party services.
  • Offer encrypted private calls. While there are certainly some trade-offs between performance and encryption, state-of-the-art messaging apps support encrypted group conversations; their use case is different, but we believe that future audio-only social networks should offer a privacy level on par with their text-based equivalent. For example, Secure Realtime Transport Protocol (SRTP) should be used instead of RTP.
  • User account verification. None of the audio-only social networks currently support verified accounts like Twitter, Facebook or Instagram do, and we have already seen fake accounts appearing on some of them. While waiting for account-verification features, we recommend users to manually check whether the account they’re interacting with is genuine (e.g., check the number of followers or connected social network accounts).
  • Real-time content analysis. All of the content-moderation challenges that traditional social networks face are harder on audio- or video-only social networks because it’s intrinsically harder to analyze audio (or video) than text (i.e., speech-to-text takes resources). On the one hand, there’s a clear privacy challenge that arises if these services implement content inspection (because it means that they have a way to tap into the audio streams). However, content inspection offers some benefits, for instance, in prioritizing incidents.
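The first provider recommendation, not shipping credentials in the app, is something a build pipeline can check mechanically before a release goes out. The following is an added example, not Trend Micro’s or Clubhouse’s code; the manifest it scans, the key names and the scoring heuristics are all constructed for illustration.

```python
"""Flag credentials embedded in plain text in an AndroidManifest.xml.

Added example, not Trend Micro's or any vendor's code. A release build's
manifest should not carry API keys or secrets; this walks the manifest and
grades each value by (a) whether its key name suggests a credential and
(b) whether the value itself looks like a random key. All names, thresholds
and the sample manifest below are constructed for illustration.
"""
from __future__ import annotations

import math
import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Key names that usually denote a credential (hypothetical heuristic list).
CREDENTIAL_NAME = re.compile(
    r"(api[_-]?key|secret|token|passw(or)?d|credential|private[_-]?key|auth)", re.I
)
# Dotted Java identifiers (package or class names) are configuration, not secrets.
DOTTED_IDENT = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$")
MIN_SECRET_LEN = 16        # shorter values are rarely keys
ENTROPY_THRESHOLD = 3.5    # bits per character; hex/base64 keys score higher


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


@dataclass
class Finding:
    tag: str
    key: str
    masked_value: str
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if "resource_reference" in self.reasons:
            return "indirect"      # secret lives in res/values/strings.xml, not here
        if "credential_name" in self.reasons and "high_entropy_value" in self.reasons:
            return "high"
        if "high_entropy_value" in self.reasons:
            return "medium"
        return "low"               # credential-like name, but value does not look random


def _mask(value: str) -> str:
    return value[:4] + "..." if len(value) > 8 else "*" * len(value)


def scan_manifest(xml_text: str) -> list[Finding]:
    """<meta-data> pairs android:name with android:value; for other elements
    the attribute name itself (e.g. android:authorities) is the key."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]
        meta_name = elem.get(NAME_ATTR, "")
        for attr, value in elem.attrib.items():
            local = attr.split("}")[-1]
            if local == "name":
                continue                       # names are keys, not values
            key = meta_name if tag == "meta-data" else local
            name_hit = bool(CREDENTIAL_NAME.search(key))
            reasons: list[str] = []
            if value.startswith("@"):
                if name_hit:                   # @string/... reference to a resource
                    reasons += ["resource_reference", "credential_name"]
            elif value.startswith(".") or DOTTED_IDENT.match(value):
                continue                       # class or package identifier
            else:
                if name_hit:
                    reasons.append("credential_name")
                if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    reasons.append("high_entropy_value")
            if reasons:
                findings.append(Finding(tag, key, _mask(value), reasons))
    return findings


# Constructed sample manifest; the key values are made up, not real credentials.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.audioroom">
  <application android:label="AudioRoom">
    <meta-data android:name="com.example.audioroom.SIGNALING_API_KEY"
               android:value="sk_live_Tq8vZ3mWp1Xy7Lr4Nd2Kb9Hc"/>
    <meta-data android:name="com.example.audioroom.TURN_SECRET"
               android:value="9f8c1e2d7a6b4c3e0d5f1a2b3c4d5e6f"/>
    <meta-data android:name="com.example.audioroom.MAPS_API_KEY"
               android:value="@string/maps_key"/>
    <meta-data android:name="com.example.audioroom.SUPPORT_TOKEN_TTL"
               android:value="3600"/>
    <meta-data android:name="com.example.audioroom.ANALYTICS_ENABLED"
               android:value="true"/>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f"{f.severity:8} {f.tag:<9} {f.key} = {f.masked_value} ({', '.join(f.reasons)})")
```

The "indirect" grade matters in practice: a manifest that only references `@string/...` still ships the secret inside the APK, so the same scan should be run over the string resources as well.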

What to read:

News Notes

  • I’m being told that Philmore Productions plans to get rid of their privacy policy and terms of service, not that they were utilizing them anyway, but this could be big news if Philmore gets litigated in the future.
  • Last podcast, I talked a little bit about an article that was part of this week in security news, which I’m a bit behind on. Long story short, there are a lot of numbers in this article entitled 119,000 Threats Per Minute Detected in 2020, which was quite interesting. Phishing is still the main vector and the pandemic isn’t helping much. Email threats, which include phishing, are 91 percent of the threats according to the Trend Micro report. 14 million malicious URLs were detected, with home networks the primary target, according to the article. There’s more to read; Sarah did a great job covering this for Infosecurity Magazine.
  • As usual, Windows has its updates that came out, and we have the two articles from Krebs on Security and Trend Micro. According to Krebs on Security, there are over 82 flaws in Windows and supported software. 10 of these are critical, meaning that they can be exploited without you having to do much of anything. One of the biggest flaws is within IE 11 or older Edge. It’s got a CVE number, and as we know IE11 isn’t really being supported by web sites anymore, especially with sites possibly going to SSL version 1.2 like Live Wire did. Trend Micro says that there are close to 100, almost doubling the amount of patches from last month. Podcast 808 covered the Exchange flaws, and it’s big enough news that we really don’t know how many people are affected. Trend Micro says that 14 are critical and the rest are important. Both articles are worth the read.
  • How has Emotet been doing since we talked about its takedown? According to an article, it tells the story of several members behind this botnet, but it does state there are members at large that will more than likely go elsewhere because they’re well funded. This is a Trend Micro article, Emotet One Month After the Takedown is the article, and it was a good one.
  • On the third of March, I read an article where scammers took some control over a cloud security firm named Qualys. This article comes from Cyberscoop’s Sean Lyngaas. According to the article, Qualys CISO Ben Carr said the attackers had accessed files hosted on an Accellion server. Mandiant has been hired in the case, and I’m sure that it’ll be a hot topic of late. Cloud security firm Qualys reportedly victimized by prolific scammers is the article.
  • Have you ever heard of ransomware hackers turning to virtual machines to do their dirty work? An article I read near the end of February was quite interesting, and you may find this of interest too. The article is quoted as saying:

    Ransomware gangs that target big corporations for extortion have long designed their code to execute on Microsoft Windows systems because of the popularity of the operating software.

    CrowdStrike is mentioned in here because the hypervisor servers that organizations use are now being used to deploy their schemes. There’s plenty to read here; Ransomware hackers turn to virtual machine software to boost extortion schemes is what you need to read.

  • There are numerous articles in regards to the massive problem at Microsoft with their exchange server problems. Krebs on Security indicates, and I have heard this on podcasts, that this started as early as January 2021. All of the articles linked within this section were of value, and I don’t want to miss anything.
  • Thanks for listening, and make it a great day!

    Comments (0)

    The Security Box, podcast 34: The Rest of Keylogging, news, notes, note takers and their security, a very interesting video and more

    This week had no listeners on the live recording of today’s program but that’s OK. It is going to happen. I present you program 34 and its accompanying show notes for you to enjoy. If you have comments, please feel free to contact me.

    Here is the 130.94mb file for everyone to get. It’s on the RSS feed already.

    Here are the show notes.


    Welcome to podcast 34 of the Security Box. On this edition, we’ll pick up where we left off on the key logging aspect of our discussion, and we’ll have news, notes, commentary and more. We also have something from Michael in Tennessee, who sent us a video of 12 Android apps you must get rid of. Some of these are quite interesting. Hope you enjoy the program as much as I am bringing it together for you.

    Topic: Continuing Key Stroke Logging

    This may take several programs, but we must cover keystroke logging. We take from the Wikipedia page on keystroke logging so you can follow along. Different headings include, but are not limited to: application, software-based keyloggers, keystroke logging and writing processes, related features, hardware-based keyloggers and history. There are 4 different headings for this article and a lot to read. I figured it would be a good discussion to have since it has come up in discussions of other things. I hope you enjoy the discussion as much as I am bringing it to you.

    News Notes and More

    • This Tech blog post: Wetransfer has now joined the services that can be and has now been abused for Phishing Lures covers my thoughts on this and gives an example of a link that is valid versus the link that they show that is not valid and could lead to some big-time problems. Zloader is the malware out there, and I link to the article from Phishlabs, Surge in ZLoader Attacks Observed, so that you can read my thoughts, or just decide to read Phishlabs’ coverage on this.
    • Looks like LastPass is offering the ability to allow people to use SMS or voice calling for their second factor. I’m a little bit confused because I thought we could already select it alongside our existing two-factor method like the app or SMS. This is the best thing that can come out of it, having a second factor of your choosing. LastPass Now Offers the Flexibility to Authenticate Into the Vault & Single Sign-On Applications With SMS Passcode, Voice Call or YubiKey is the article; please check it out.
    • Security Now, podcast 808, is being listened to, and they’re talking about the SolarWinds password, which was solarwinds123. This password was used to log in to one of their servers. According to the new CEO, this password was used from 2017 until it was changed in 2019, roughly two years after it was first used. The old CEO said it was an intern who set that password, and it was changed upon discovery of it being published on a GitHub page.
    • Speaking of SolarWinds, there are apparently three more malware strains of this out there on the internet. Tim Starks, the writer for Cyberscoop, goes on to talk about these new strains. FireEye called one of them SunShuttle, while Microsoft named two more strains GoldFinder and Sibot. Microsoft’s name for SunShuttle is GoldMax. Researchers uncover three more malware strains linked to SolarWinds hackers is the article on this latest development, and we’re still quite involved in this one.
    • There are articles out there that talk about Microsoft having trouble with their Exchange server. According to one of the articles, there are 4 such holes in Microsoft’s software that have been patched the week of March 6, 2021.
    • Another payroll company has been hit, this time in the ransomware department. The article was written by our good friend Mr. Krebs, and the response is typical of a ransomware attack. They also do HR work as well. According to the article, they have processed at least $80 billion in payroll money. They had hoped to have operations back up within a matter of days, but numerous PEOs, as they’re called, were affected by the outage. PrismHR is the best thing out there according to the article, as other options have different issues that are documented. For complete details, check out the article Payroll/HR Giant PrismHR Hit by Ransomware? as there is more than what is being documented here.
    • The hackers are also getting hacked. Talked about also in a recent podcast of the Cyberwire, Krebs is getting some well-deserved recognition on this one. The Cyberwire names a fourth in their coverage, but when I read this article, I just had to chuckle on this one. There are definite indicators this is true, including a private encryption key, ICQ numbers, and possibly more. The article Three Top Russian Cybercrime Forums Hacked should be read for more.

    Other things

    • Michael in Tennessee sent me 12 Android Apps you need to get rid of and we’ve got this video. These are some scary things the gentleman talks about in here, better watch what you’re getting out there in Android world.

    End of program

    Comments (0)

    The Security box, podcast 33: Continuing where we left off with part 2 of the Keystroke logging topic and more

    Hello folks,

    Welcome to another edition of the Security Box. The RSS feed now has the program. Do you not want to deal with RSS or you can’t for any reason? Here is the 140.88mb file for you to get.

    The RSS feed has the bulk of the show notes, but the show notes here are included in full, including the full news notes segment which could not be included there.

    Here are those show notes.


    On this podcast, we continue where we left off with our Key Logging topic, and we’ll also have news, notes, questions, comments and concerns. Hope you’ll enjoy the program as much as we have putting it together for you.

    Topic: Continuing Key Stroke Logging

    This may take several programs, but we must cover keystroke logging. We take from the Wikipedia page on keystroke logging so you can follow along. Different headings include, but are not limited to: application, software-based keyloggers, keystroke logging and writing processes, related features, hardware-based keyloggers and history. There are 4 different headings for this article and a lot to read. I figured it would be a good discussion to have since it has come up in discussions of other things. I hope you enjoy the discussion as much as I am bringing it to you.

    News Notes

    • According to an article found through Twitter from a site called WSLS, Kroger is reporting a breach dating back to December. They’re notifying people because some employee data may have been accessed; however, the grocery and pharmacy chain, which is based in Ohio, indicates that no physical store was ever affected. The breach was from a third-party file transfer service I’ve never heard of called FTA. Accellion, the makers of FTA, indicate their file transfer product was patched, even though the version used was 20 years old and is approaching end of life support. Kroger is latest victim of third-party software data breach has the complete details.
    • Scandinavian Airlines is among the victims of the SolarWinds breach, reports DN. This comes from Mikko Hyppönen of F-Secure, who translated the tweet and quoted an account on Twitter that links to an article. Using Chrome and translating the page, I’m not getting a good read on it except that it’s a potential backdoor attack. If there is an article in English, please let us know. I’m not linking to the Norwegian article since most of my readers may not understand it.
    • On February 22nd, I came across an article via the LastPass blog that may be some days old but very valuable. The free service is changing quite a bit starting in March. The author, Dan DeMichele, goes into detail on what is changing, and it is very important for people to read it. The Tech blog also has this posted on the day mentioned, and it’ll be linked here in the show notes for people. Quoting a paragraph, it says:

      We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type. 

      Examples are given on each, and they allow you a $9 discount if you upgrade before March 16th. Also going away is the free technical support. While I only utilized support sparingly, once was when I got my new phone and I needed their help to disable two-factor. To learn more: Changes to LastPass Free is the article; feel free to read all of the details on this.

    • I’ll never think of apple juice as a juice that I enjoy again. While I like the drink apple juice, we’re not talking about the juice now; we’re talking about a piece of malware that seems to have popped up again, as CISA has gone ahead and issued an AA advisory and 4 MAR21’s in regards to this. According to 48A, under targeted nations, it says:

      HIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy, finance, government, industry, technology, and telecommunications. Since January 2020, the threat actors have targeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States

      There are many versions listed here, including: AppleJeus Version 1: Celas Trade Pro, AppleJeus Version 2: JMT Trading, AppleJeus Version 3: Union Crypto, AppleJeus Version 4: Kupay Wallet, AppleJeus Version 5: CoinGoTrade, AppleJeus Version 6: Dorusio, and AppleJeus Version 7: Ants2Whale. Several of these have Windows and Mac components as well as cryptocurrency information within the AA. The MARs have not been read by me, but I suspect they go into detail about the specific ones. The MAR emails were all raw HTML, but everything is linked below.

    There may be more, check the blog for things that may be of interest, and stay safe.


    Enjoy the show!

    Comments (0)

    The Security Box, podcast 32: Part 1 of Keystroke Loggers

    Hello folks,

    On this edition of the podcast, we start a discussion of keystroke loggers. As indicated in the last podcast announcement, we do have some tracks, but they’re short and don’t take a lot of time. The program is still much shorter than the program’s broadcasting length on the Mix, and we’ll see how it goes for podcast 33. We’ve got news, notes and more. I’d be interested in what people think of our “things to ponder” segment, which starts the program. Thanks so much for listening!

    Don’t want to deal with the RSS feed? No problem! Here is the 141.06 file for you to download.

    Now, without any further ado, here are the show notes for this program, and thanks so much for listening, reading and participating!


    Welcome to the security box, podcast 32. On this edition of the program, we’re going to talk about keystroke loggers. I found a Wikipedia article which is detailed and there could be a possibility that this goes in to multiple weeks. We’ll also have news, notes, questions, comments and even a “things to ponder” segment to boot.

    Topic, Keystroke logging:

    This may take several programs, but we must cover keystroke logging. We take from the Wikipedia page on keystroke logging so you can follow along. Different headings include, but are not limited to: application, software-based keyloggers, keystroke logging and writing processes, related features, hardware-based keyloggers and history. There are 4 different headings for this article and a lot to read. I figured it would be a good discussion to have since it has come up in discussions of other things. I hope you enjoy the discussion as much as I am bringing it to you.

    Things to Ponder

    During last week’s program, we were still learning about the possible issue in a small town in Florida that could’ve had some serious problems with its water supply if it weren’t for a worker noticing something as simple as a mouse moving. In this things to ponder segment, I talk about what we’ve learned to date, and it’s quite interesting. To date, I have two sources where you can read more: one an article by our good companion Brian Krebs, the other from CISA. You should read them both, and of course listen to what my thoughts are and participate.

    I hope you’ll participate in this interesting story.

    News, notes and more:

    This is the news, notes and other commentary from around the web. Where appropriate, links to any articles may be possible.

    • I was told on February 15th about a 60 Minutes piece on SolarWinds and the potential hack, or lack thereof, where the Russians were possibly involved. On my own Internet radio show for Sunday, I talked about one such story where a tech story like this was found on my local news site KNX some month after I saw it in publications like Cyberscoop. This doesn’t necessarily surprise me, that SolarWinds was covered on 60 Minutes; it is a nationally syndicated program and is well respected. I respect them, but this is now old news, and yet I don’t know what they really had to say about the attack, so I can’t comment further.
    • While I’ve not been blogging like I really should, we can’t skip Patch Tuesday. Besides Windows, it’s a good idea to check for updates on other software such as Adobe Reader, and even software you use on a more frequent basis. As is usually the case, Trend Micro and Krebs on Security are the two places where I get coverage on the patches. If you have not gotten your updates, you should soon. Please reboot if necessary. For February, there were 56 vulnerabilities, according to Krebs. 9 of these are the most critical, according to the article. To date, over 1700 CVEs have already been disclosed this year. The CVE this time is CVE-2021-1732, which affects Windows 10, Server 2016 and later. According to Trend Micro, 7 of the vulnerabilities were disclosed via the Zero Day Initiative (ZDI) program. According to the Trend Micro article, 3 out of the 9 critical issues are in networking aspects of Windows. Please read Microsoft Patch Tuesday, February 2021 Edition and February Patch Tuesday Fixes 11 Critical Bugs for complete details.
    • While Emotet was dismantled as well as other gangs, we can’t let our guard down. There are other things that are out there that can take its place, or even it being used as a stepping stone to other attacks across your network. According to the article, a paragraph states:

      In 2020, Emotet, Trickbot, and ZLoader were the loaders of choice for actors, contributing to 78% of the overall loader volume. 

      In 2021, Trickbot and ZLoader are still being used, according to Phishlabs. Emotet Dismantled, Trickbot, ZLoader, and BazarLoader Step In should be read for the complete details. According to the Cyberwire Daily, it seems as though Emotet is still going, even though infrastructure was disrupted by arrests of people.

    • While I’m behind on Trend Micro’s week in security postings as of late, I did come across some good news for a change, which I always like to cover. The most recent article I’ve read in regards to arrests and seizures of infrastructure and domains deals with the NetWalker ransomware gang. This is an article that our good friend Mr. Krebs covers. He describes what Netwalker is up to, the fact they are a ransomware as a service (RaaS) and how the domain or multiple domains were used. It’s well worth the read, so check out the article Arrest, Seizures Tied to Netwalker Ransomware for all of the complete details.
    • Speaking of arrests, I read an article back on the 10th talking about the arrest of people involved with a phishing kit. According to this article, this phishing kit had a web control panel that would give you information as well as access to phishing templates and the like. The article Arrest, Raids Tied to ‘U-Admin’ Phishing Kit should be read for all of the complete details.
    • I don’t believe Facebook for one minute. According to an article, Facebook, TikTok, Instagram and Twitter will target stolen accounts. How, I’m not exactly sure, but Facebook has been known to allow this type of thing. Instagram is part of their brand now, but I could see TikTok and Twitter having a stance. The article was written by Mr. Krebs, and it’s a good article to read. The article talks about how these accounts are taken from legit users. The TTPs include, but are not limited to, intimidation and harassment tactics, hacking, coercion, sextortion, SIM swapping and swatting. There is a forum called OG Users which Brian covers in this well-written article, and I urge everyone to read it. Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts is the article.

    Lots to read and comment on, let your voice be heard!

    Comments (0)

    The Security Box, podcast 31 February 10, 2021

    It looks like I have neglected to post some show notes for some programs, so it’s time to catch up on this. The Security Box has been uploaded, but I’ve neglected to post the notes.

    On podcast 31, we pick up where podcast 30 left off on the domain discussion. We also covered news, notes, questions, comments and more.

    Do you not want to deal with the RSS feed because you can’t or don’t know how? Here is the 103.03mb file, and we hope you enjoy it.

    The podcast is much shorter than the program as we started playing less music within our program to comply with my other podcast. While podcast 32 plays some tracks, they are short tracks.

    Here are the show notes for podcast 31 of the podcast, and again, thanks for listening!


    Welcome to the security box, podcast 31. On this podcast, we’re going to continue the discussion of domains with several different things that we couldn’t get to from last week. Also, we’ll have news, notes, questions, comments and more. I hope you enjoy the program as much as we have putting it together for you.

    Domain discussion:

    Part of running a domain today is security certificates. These certs are called SSL certificates, or what is now known as TLS. We have to remember that SSL and TLS are pretty much interchangeable, keep that in mind.

    When I first started reading PhishLabs, they were indicating that phishing sites were not much into security, as the ultimate goal was to get their wares out, not necessarily wanting to be secure. That’s when we learned through newsletters that looking for the padlock or https was the sign we’re secure. This is not the case anymore. This is because several years ago, a company called Let’s Encrypt came up with an automated way of issuing the domain validated certificates that would be used for this purpose. The 200,000 web sites for August and September were unique sites according to the article. It also states that SSL encryption for phishing sites overtook SSL deployment for general websites. We also have a 10 percent increase in BEC attacks that originate from free webmail accounts such as Hotmail, Outlook, MSN, mail.ru and possibly others.

    According to the Let’s Encrypt web site:

    Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

    According to the article, 80 percent of phishing sites now have some form of SSL certificate installed, up from the 74 percent I last saw. We’ve been covering this trend on the tech podcast; I remember when it indicated it was in the 50 percent range. This is higher than most general websites, says the article. According to it, a survey from Q-source found 66.8 percent of web sites use SSL.

    “Not surprisingly, most SSL certificates used by phishers were Domain-Validated (DV), which is the weakest form of certificate validation,” said LaCour. There are three types of SSL certificates, and DV certificates can be issued quickly, through an easy verification process. Of more than fifty-three thousand SSL certificates observed by PhishLabs, 91.3 percent were Domain-Validated.

    Generally, PhishLabs found that cybercriminals are using free certificates. In Q3, 40 percent of all SSL certificates used by phishers were issued by the same free certificate authority, Let’s Encrypt.

    According to the article, registrars are partly to blame for the increase in phishing as there is limited action. Phishing has gone up sharply since March of 2020, and my article talking about one such phishing attack got something done. I sent the blog post linked here over to Mr. Krebs, and also called the provider I use. I called them up after doing some lookup and I mainly inquired as to whether they can help. As of Friday, February 6th, 2021: the domain emailhostsecurity.com is now suspended, and I don’t know when this officially occurred. The blog post linked here has the email that was sent to me, and I believe I talked about this on either the Security Box or the main tech podcast.

    According to the article, it says:

    An average of 500 brands were targeted by phishing each month over the course of Q3, with SaaS remaining the most frequently attacked industry, targeted 31.4 percent of the time.

    Under the Business Email Compromise section of the article it says:

    The report also found 16.3 percent of BEC attacks involved domains registered by the phishers, with most originating from five registrars: Namecheap, Public Domain Registry, Google, Tucows, and NameSilo.

    50 countries and 64 million dollars of potential stolen funds later, criminals have been identified in one year alone.

    For the full details of the report and any links read: APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS and let’s discuss.


    Cybercriminals register hundreds of thousands of look-alike domains every year to impersonate reputable organizations and make a profit. These domains are used for a variety of attacks including phishing emails, fraudulent websites, web traffic diversion, and malware delivery.

    Look-alike domains are intentionally misleading to give customers the false impression that they’re interacting with trusted brands, leading to significant reputation damage, financial losses, and data compromise for established enterprises. The process of creating an attack is inexpensive, and if threat actors move quickly to evade detection, they can make a large return on their time and money.

    Millions of internet users are targeted with look-alike domains each year. The article has a graph that shows only a sampling of at least 50,000 threats that Phishlabs has observed.

    The most common use of a look-alike domain is to set up a Website with Monetized Links. This approach is not necessarily malicious, yet it accomplishes multiple objectives:

    The article goes on and says:

    The registrant parks a domain and capitalizes on visiting traffic by adding monetized links. The link topics are typically related to the impersonated brand’s keywords, increasing the probability that visitors will click through to the destination website.

    They let a domain “age” before using it. Most scammers typically use new domains quickly, yet some will maintain them for weeks or months. Recently registered domains garner low reputation scores and are a telltale sign of malicious activity, making them targets for security teams.

    I believe that is why my incident was handled, as when I looked it up, it was only 4 days old!

    There is much, much more in this article that we could spend a long time quoting and discussing it. I now invite you to read: The Anatomy of a Look-alike Domain Attack for all of the complete details. If something sticks out at you, please discuss it.

    We aren’t going to cover this one, but another article in this series is Look-alike Domain Mitigation: Breaking Down the Steps if you wish to take a look at it. It’s a long process, and I think it needs more work.

    News, Notes and more

    • Looks like there are a couple of items I heard about in the February 3rd episode of the Cyberwire. Looks like SolarWinds first has more problems with their software, which they have fixed, but the most important thing in this episode is that the initial breach of 2020 actually could’ve started as early as December 2019, when it has been reported that SolarWinds had one of their Microsoft 365 accounts compromised. We’re continuing to hear more, and you can search this out if you wish to learn more.
    • Looks like Facebook has changed their mind about collecting metadata for now, according to the same episode of The Cyberwire. I’m not sure I fully buy that, but if they’re going to use metadata, let them have at it I say. Besides that, it looks like Facebook is going ape because Apple will be putting a feature into iOS that will allow us to tell apps whether they may identify us by our tracking ID. Mr. Zuckerberg says that it is Apple dominating the ecosystem, and if I could read between the lines during the interview of that episode, he’s not too happy as it hurts their bottom line. The person interviewed indicated that it is about time, and it has been in the works for a while, even though Facebook and others may say that it is the January 6, 2021 event that sparked this.
    • Security Now, podcast 804 has a ton of stuff that might be of interest to listen to. The very first segment talks about security certificate authorities and the latest one, Camerfirma, being knocked off the trusted list by Google Chrome starting with release 90, which will be released in April 2021. According to Security Now, there are multiple issues which the company said they’d fix between 2017 and 2020, yet they were never fixed. Please listen to the Security Now program numbered 804 for complete details on some of what was wrong. Through the years, the technology podcast as well as Security Now have mentioned and talked about other authorities misbehaving. Even Symantec, the makers of Norton, signed certs and failed at times. It’s OK to make a mistake, but being a security certificate signer is a privilege, not a right.
    • A company I’m not familiar with called Nox, who makes some sort of player, may have been compromised, with updates that were malicious in nature only making it out to a subset of its customers. The company says there is nothing wrong, according to Security Now, so people who use this player had better do their due diligence and make sure their device from this company is not infected.
    • SANS NewsBites is reporting that school districts can get some help with their cybersecurity. The blurb from the newsletter says: “IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from IBM’s Service Corps Program will “help [the selected schools] proactively prepare for and respond to cyberattacks.”” Let’s see what happens! SANS NewsBites links to multiple articles, see the link to the newsletter on the blog.
    • According to The Cyberwire Daily, Feb 4, 2021: Zoombombing is being done by high school and college students who are bored and want to “piss off the teacher.” It may not have started that way, but the Cyberwire says that most of the problems now are with the kids.

    Comments (0)

    The Security box, podcast 31: More Domain discussion, news, notes and more

    Hello folks, welcome to the show notes of the Security Box. Yes, it’s been a couple of days, however, it’s better late than never I’d say. Other stuff got delayed like the playlists for my shows for my independent stuff, so it isn’t too bad.

    The RSS feed has had the program up since the podcast was done, and now it’s time to provide the link to the podcast as well as the extensive show notes.

    You’ll notice that we only have two tracks now, and the lunch time set I play if I don’t have anything else was not broadcast. This makes the podcast less than two hours instead of the 2 and a half hours the internet radio program took. I hope that this makes the podcast better to listen to.

    Don’t want to mess with RSS? Here is the 162.57mb file for you to download. Thanks so much for listening!



    Comments (0)

    The Security box, podcast 30: Domain discussion, a talk segment, news, notes and more

    Hello everyone! Welcome to the tech podcast as part of 986 the mix entitled The Security Box.

    For those who don’t know, this is a weekly show on the Independent channel of the Mix’s suite of servers, and we have multiple ways of listening to the server if you wish. Please go to the Magnatune and independent channel page to learn about it and ways to listen.

    The technology blog has had the program up since shortly after the program aired, but I neglected to get the show notes up on the blog which this post will cover here.

    Do you not like the RSS because you can’t or you would rather have it on the computer? No problem! Please download the 162.57mb file and I hope you enjoy the show as much as I have bringing it together for you!


    Now, without any further ado, let us give you the extensive show notes for this episode and we’ll see you on another edition of the program!


    Welcome to podcast 30 of the Security Box. On this Security Box podcast, the goal is to talk about domains. We’ll talk about what a domain is, how they work, a little bit about the IP system, and some recent news in regards to domains, registration companies, look-alike domains and more. We’ll have news, notes, questions, comments and Michael in Tennessee with a segment to boot.

    Domains discussion:

    Domains are used instead of an IP address so people can get to web sites more easily. Instead of going to 198.x.x.x to get to my web site, you go to my domain name. You can easily get to the IP of where my domain is located by pinging or tracerouting the domain.

    In the following example, I pinged my domain; the next line shows its current IP.
    Pinging jaredrimer.net [198.37.123.246] with 32 bytes of data:

    Since the site is up, I got 4 replies (not shown here) and it returned me back to the prompt. Since multiple domains can live on one IP, just typing the IP into your browser will not give you the web site you want, and I’ve not been able to figure out how to do this without typing the domain name I want, such as jaredrimer.net.

    According to the Wikipedia page on the domain name system, it goes back to the ARPANET days in the 1970s. The Stanford Research Center (SRI International, as it’s now known) maintained a hosts text file that pointed to different domains in the .edu era, which was the first domain system for that time. Elizabeth Feinler developed the first directory on ARPANET. She had to be called during business hours and would manually update it. Jon Postel would also work with her, as he was at USC’s Information Sciences Institute as it was known then. Elizabeth came up with the DNS and WHOIS directory as well as basing domains on the location of the computer. There’s more to this, so read the link to DNS for complete information on this.

    Now the fun part. The DNS system and domains were not built with security in mind. With that in mind, phishing for passwords started in the late ’80s and early ’90s, as we discussed in earlier podcasts. Now domains can be taken over: phishers and scammers can take domains over by social engineering, sub-domains can be created anywhere in the world, web sites can be taken, and more.

    Domains must be registered with companies that can provide services for pointing domains to wherever the owner wishes to go. Rules are in place to make sure that certain domains go in certain locations, material suited for adults is labeled as such by the content creator, and valid, accurate information is given whether it is public or not. ICANN is responsible for IP allocation as well as rules governing domains as outlined above. Registrars must be accredited for following rules set forth by ICANN. There are large companies, small companies, and medium sized companies that may sell domains through their services. One such registrar is Net 4 India. They’re looking to get in trouble for some pretty serious stuff, and you can read more through ICANN. I found this when making sure I had the right URL to ICANN for the show notes. They may not remain a registrar if they do not comply with what is asked of them.

    One large registrar is named GoDaddy. They’re based here in California, and while they’ve had their issues, they seem to be very credible and honest. People can choose who to have as a registrar, and that is all well and good. Recently, they have helped out with the SolarWinds fiasco that has plagued us since early December, but in November, an article came out saying that they were tricked into letting attackers take over domains, including the big named site escrow.com. In this case, a site called liquid.com, which is part of a network, was incorrectly given to an actor who then got access to other document storage. This isn’t the first time GoDaddy has been in the news, and the article linked here entitled GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services should be read for the entire story of this ordeal. I’m sure this can happen to anyone, even if you have two-factor and proper security measures in place. There are items within your account to prohibit transfers without your knowledge, but this can be bypassed by customer service in cases where it may be necessary to do so, such as law enforcement takedowns or other situations. Besides liquid.com, other sites may have been mentioned within this article which I’m not going to cover in these notes. The article linked here is coming to us from Krebs on Security, and is a great read on its own time.

    One of the things we continue to see is phishing, including what are known as look-alike domains. What is a Look-alike Domain? is the article title. Under “Anatomy of a Look-alike Domain”, which is one of many headings within this article, it says:

    Domain names act as a map to tell browsers and other applications how to find what we’re looking for. Explaining the full structure of domain names and their hierarchy is more complex than this, yet here are the basics:

    There are three bullet points within the article I want to discuss.

    • The top-level domain portion on the far right can identify the location where the domain registrant resides, their organizational purpose, or even the industry of the business that registered it.
    • The second-level domain section is the address name and unique identifier often manipulated to impersonate domains used for legitimate purposes. They enable our computers to find the server where a website or email is hosted.
    • A subdomain is a part of the domain that helps registrants organize a website into different sections or categories. Subdomains can also be used to create look-alike domains. Example: phishlabs.000webhost.com.

    According to the article:

    The process is inexpensive, and threat actors will see a large return on their investment if they know what they’re doing and move quickly to evade detection.

    As discussed earlier, domains can be cheap to buy, and now we’ve got a bigger problem with domains that look like something similar to what you might have seen elsewhere. Take the Apple emails for example. Please check out this article for complete details on this, because it is quite a lot to talk about.
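    The three bullets above split a name into top-level, second-level and subdomain parts, and the podcast 31 notes add that a domain only days old is a telltale sign. The following is an added example, not code from the podcast or from PhishLabs, that turns those two observations into a small triage check a defender could run over names pulled from mail logs: it splits the hostname, flags a watched brand used as someone else’s subdomain (the phishlabs.000webhost.com pattern), flags a second-level label that resembles a brand after folding digit-for-letter swaps, and flags a registrable domain younger than a threshold. The brand list, the 30-day threshold, the single-label TLD split (co.uk-style public suffixes would need the Public Suffix List) and the registration dates are all constructed assumptions standing in for a real WHOIS lookup.

```python
"""Look-alike domain triage (added example; not code from the podcast or
from PhishLabs). Splits a hostname into subdomain / second-level / TLD,
then flags the patterns the show notes describe: a protected brand used
as a subdomain of someone else's domain, a second-level label that
resembles the brand, and a registrable domain that is only days old.

Assumptions: single-label TLDs (co.uk-style public suffixes would need
the Public Suffix List); the brand watch list, the 30-day age threshold
and the registration dates are constructed, standing in for WHOIS data.
"""
from dataclasses import dataclass
from datetime import date

PROTECTED_BRANDS = ("apple", "paypal", "phishlabs")  # constructed watch list
NEW_DOMAIN_DAYS = 30                                 # age threshold (assumption)
HOMOGLYPHS = str.maketrans("01357", "olest")         # digit-for-letter swaps


@dataclass
class DomainParts:
    subdomain: str      # everything left of the second-level label
    second_level: str   # the label the registrant chose
    tld: str            # top-level domain

    @property
    def registrable(self) -> str:
        return f"{self.second_level}.{self.tld}"


def split_domain(hostname: str) -> DomainParts:
    """Split a hostname by its rightmost labels; raises on a bare label."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified name: {hostname!r}")
    return DomainParts(".".join(labels[:-2]), labels[-2], labels[-1])


def levenshtein(a: str, b: str) -> int:
    """Edit distance by dynamic programming; 1 means one typo away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold common look-alike tricks so 'paypa1' compares as 'paypal'."""
    return label.replace("rn", "m").translate(HOMOGLYPHS)


def triage(hostname: str, registered_on: str, today: str) -> list[str]:
    """Return human-readable findings for one hostname. Dates are ISO
    strings such as "2021-02-06", as a WHOIS client would hand back."""
    parts = split_domain(hostname)
    if parts.registrable in {f"{b}.com" for b in PROTECTED_BRANDS}:
        return []  # the brand's own domain; its subdomains are legitimate
    findings = []
    sub_labels = parts.subdomain.split(".") if parts.subdomain else []
    norm = normalize(parts.second_level)
    for brand in PROTECTED_BRANDS:
        if brand in sub_labels:
            findings.append(f"brand '{brand}' appears as a subdomain of {parts.registrable}")
        # substring match catches 'paypal-login'; distance 1 catches one-letter typos
        if parts.second_level != brand and (brand in norm or levenshtein(norm, brand) <= 1):
            findings.append(f"second-level label '{parts.second_level}' resembles '{brand}'")
    age = (date.fromisoformat(today) - date.fromisoformat(registered_on)).days
    if age < NEW_DOMAIN_DAYS:
        findings.append(f"{parts.registrable} was registered {age} days ago")
    return findings


if __name__ == "__main__":
    # constructed samples: the article's subdomain example, a typosquat,
    # the brand's own host, and a domain seen four days after registration
    for host, reg, now in [
        ("phishlabs.000webhost.com", "2020-01-01", "2021-02-01"),
        ("paypa1-login.com", "2021-01-30", "2021-02-01"),
        ("www.paypal.com", "2021-01-30", "2021-02-01"),
        ("emailhostsecurity.com", "2021-02-02", "2021-02-06"),
    ]:
        print(host, "->", triage(host, reg, now) or "no findings")
```

    The substring test is deliberately loose (a brand name inside an unrelated word such as "snapple" would also trip it), which is the usual trade-off for a first-pass filter: it is cheap to run over a whole day of sender domains, and a human or a second, stricter check decides what to escalate.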

    Next week, we’ll talk about the APWG quarter 3 report on phishing and what criminals are looking for. We’ll also talk about more look-alike domain stuff coming from PhishLabs. For now, if you want to take a peek at the APWG report, read APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS and leave your thoughts on it. That article came out in December 2020.

    Segments:

    Michael in Tennessee is on to talk about Facebook, apps, updating phones and other odds and ends. The segment is roughly 50 minutes long.

    News, Notes and more

    • Security Now, podcast 803 talks about a railway in China. I remember hearing something about this, but they were running on Flash. I guess the Chinese railway did not know that there was a timebomb in Flash, which halted the railroad for half a day. Good thing I didn’t write or learn Flash; it seems like it was more of an inaccessibility problem for the disabled with screen readers until elements were made accessible. Time to be rid of it, it isn’t useful in today’s environment. Security Now goes into other agencies that might be affected by Flash’s demise. Good-bye, Flash.
    • In the same episode, Steve and Leo talk about the ransomware attacks becoming a big problem. We already know that, but according to the episode, actors may deploy a prolonged Distributed Denial of Service attack (DDoS) if you don’t pay. This was employed by two ransomware gangs, SunCrypt and Ragnar Locker. Think this is a huge problem now? If I weren’t to pay because I couldn’t afford it, keep my website offline by attacking it until I decided to pay? What else is next?
    • Also in this episode, Steve goes into great detail from about 47 minutes in till about 70 minutes in, talking about the SolarWinds breach and the fact that the actors may have started as early as February 2020. They turned off logs when they wanted to do something, turned them back on when they were done, and carefully, painstakingly, made sure they covered their tracks. Teardrop and Raindrop are just two variants of malware that were used. Also disclosed was the fact they removed the malicious DLLs from SolarWinds in June 2020 after they got their targets. The segment is worth listening to; the episode itself is full of items you might find of interest.
    • Emotet and other gangs have been having their operations curtailed with some loss of members. Emotet, NetWalker and TrickBot have taken big blows, but will it be enough? was written by Cyberscoop, and International Action Targets Emotet Crimeware is a second article. A third article on this is Sharp Increase in Emotet, Ransomware Droppers, which belongs here because while the gangs are being depleted, this stuff is being used as a backbone to other malware. Researchers are still checking out what is happening, and we’ll see how things go. Read the article linked here, and continue to check out the blog for more.
    • valid.cc is one of many sites shuttered, according to an article written by Krebs on Security. ‘ValidCC,’ a Major Payment Card Bazaar and Looter of E-Commerce Sites, Shuttered is the title of this article.

      ValidCC, a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week. The proprietors of the popular store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate its infrastructure.

      There are many types of shops out there that sell card-not-present data, but most source the data from other criminals in the business. The article is pretty detailed, so check it out.

    • This is some great news, U.K. Arrest in ‘SMS Bandits’ Phishing Service is the article.

      Authorities in the United Kingdom have arrested a 20-year-old man for allegedly operating an online service for sending high-volume phishing campaigns via mobile text messages. The service, marketed in the underground under the name “SMS Bandits,” has been responsible for blasting out huge volumes of phishing lures spoofing everything from COVID-19 pandemic relief efforts to PayPal, telecommunications providers and tax revenue agencies.

      If we can slow these guys down, that’s great. Keep up the great work! I just got a message about a package beginning with 1Z that was supposed to be a FedEx package that was delayed. I already know the link is not what it claims to be. I have no packages for delivery at this time. Want to try again?

    • The tax man will be coming around to collect their payments for this past year, but a Krebs on Security article is talking about ID theft as part of the tax man. The Taxman Cometh for ID Theft Victims is the article, and it’s time to repeat this again. There are a lot of links within the article, so quoting anything here is impossible. Check out the article; it’s worth the read.
    • If SolarWinds wasn’t talked about enough, an article entitled After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case should be read. The first paragraph says:

      As the U.S. investigation into the SolarWinds hacking campaign grinds on, lawmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago.

      I’m surprised we’re still interested in that one, but I don’t believe we got any answers on it either.

    • This Week in Security News – Jan. 29, 2021 has tons of stuff here, including parents saying yes to more screen time during these times, Sodinokibi is examined, another article on Emotet, fake Office 365 pages used for phishing attacks, CEOs are most valuable for phishing, three actively exploited zero-days, Linux is not out of the woods as threats are around for that, and cybercriminals use SMS to send sweepstakes, credit card and delivery scams. As part of Michael in Tennessee’s segment, I mention this.
    • Going back to January of this year, shell scripts are being used to steal cloud credentials. Malicious Shell Script Steals Cloud Credentials is the article, and maybe it’s time to bring this up as part of news notes. The subhead says: “In past cryptocurrency mining attacks, malicious shell scripts were typically used as downloaders. However, recent cases show that they now serve other purposes such as stealing sensitive data.” This is definitely worth the read.
    • Parler was shut down some time ago, and a denial of service protection company is giving up IP space belonging to them. In the article DDoS-Guard To Forfeit Internet Space Occupied by Parler we learn why. According to one paragraph written by Brian, it says:

      The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups.

      This was definitely a very interesting read.

    We hope you enjoyed the program as much as we have bringing it together for you. We know there were a few tech problems; it’ll be worked on. Not sure what is up, but it’s just strange sometimes. See you on another edition of the box next time.


    The Technology podcast, podcast 359 for January 29, 2021

    The technology podcast was posted to the RSS feed yesterday, and this is the download for the podcast. It’s an hour, and covers several different things.


    Welcome to podcast 359 of the technology podcast. I’m Jared, and it’s time to bring you another podcast.

    Today, we’ve got something I think you’ll be interested in, as I talk about something that has been around a while that seems to be finally dismantled, at least for now. What might that be? It’s called TrickBot. I heard a podcast about it and how it has pretty much fallen, but yet, it’s still around according to an article I’ll be talking about and reading later.

    Next, I talk about Weather Gods. It’s one of many different apps on the App Store. I posted on the tech blog and on AppleVis in regards to this topic, and I chose this app because of my needs, and something I feel isn’t fair, called double extortion. There is a paid app, and then they want us to pay for a subscription for what I can get for either beta testing, or paying for the subscription. Thoughts are welcome.

    Finally, could Net Neutrality be coming back? According to a podcast, it might be, and I talk about it here instead of the security box.

    Contact info is at the end of the program as usual.

    What to read or listen to:

    Thanks for listening!


    The Security box, podcast 29: messaging applications, cloud security, news, notes and more

    Hello folks, welcome to the security box, podcast 29. While the show notes have the topics on hand, the show notes on the RSS did not cover any of the news notes items.

    Don’t want RSS? No problem! Here is the download of the program (147.07mb) for you to have.

    Now, without further ado, let’s get those show notes out for you.


    Welcome to the security box, podcast 29. On this episode of the podcast, what seems to be the problem with messaging applications such as Whatsapp, Signal and others when it comes to their security? What do you think of for cloud security for 2021 as the pandemic continues? We’ll have news, notes, questions, comments and more including bits from Sans News bites, Trend Micro and more.

    Topics

    • Security Now episode 802 was released and broadcast the week of January 19, 2020. On this podcast, are we really concerned about what application we choose to use to message? Steve says that it doesn’t honestly matter, as metadata isn’t all that big of a deal. Who really cares about phone numbers, time of messages, and even how long audio messages may be? There are apps discussed for more private communication, but metadata doesn’t cover the content of the message itself. From Steve’s introduction, taken from his Security Now page, he writes in part:

      Then we wrap up by looking at various aspects of the frenzy caused by WhatsApp’s quite predictable move to incorporate its users’ conversation metadata into Facebook’s monetization ecosystem.

      This segment lasts roughly 20 minutes as I play the segment for all to hear. What do you think about this?

    • What about cloud security for 2021? The Top Worry In Cloud Security for 2021 is the Trend Micro article, and I found a video on their YouTube page that seems to voice the article. We’ll play this video and we’ll discuss. Cloud Dynamics: Top Cloud Security Challenges for 2021 is the video. Your thoughts are welcome.

    News notes and more

    • Cyberwire Daily for Friday, January 21st is talking about an Android app called “daily food diary.” Apparently, this app doesn’t just care what you’re eating, as you are to take pictures of what you’re eating, but it wants contact permissions, phone call permissions, foreground permissions, runs in the background, exfiltrates data, and more. Check out the thecyberwire.com web site for more and for a link to the episode. “I can’t believe I ate all of those fries the other day” should probably not be written in this app, but in another application.
    • The Cyberwire Daily reports that Malwarebytes, a company talked about quite a bit on Andy and Josh’s tech talk and music show, recently got bitten by the actors that may have been responsible for the SolarWinds breach. According to Cyberwire, the actors may have gotten to some of Malwarebytes’ email through Microsoft 365 access. Malwarebytes does not use SolarWinds products, the podcast states. UNC2451 is the name given according to the podcast, and it seems to be the name of a particular group. This link is the link to the notes for the podcast which I’m writing about.
    • There’s always plenty in the news notes sections of Trend Micro. Some may include articles on APT attacks, an article on Malwarebytes and their compromise by the supposed SolarWinds folks, VPNFilter and how it is still being used as routers are still compromised, a phishing scam that left thousands of passwords searchable through Google, a bug in Signal and other apps that allowed attackers to listen in to calls, CISA warning about hackers using phishing to get at cloud services, and more. If there is something that is of interest to you, I’ve got this week’s news, the news ending January 22, 2020. Here’s the link to the article for you to peruse.
    • In a very interesting turn of events, we learn that someone who was to be released on COVID concerns will not be released. On the 22nd, I read an article that indicates that a hacker must stay behind bars, even though a judge said that he would be released due to COVID concerns within the place he was staying. He was also hit with new charges. The hacker in question stole personal data on 1300 U.S. military and government employees and gave it to an Islamic State hacker. The person’s name is Ardit according to the article. The new charges, according to the article, stem from activity he has done behind bars. There’s more to the article; read it, as it is entitled: New Charges Derail COVID Release for Hacker Who Aided ISIS. This article was written by Brian Krebs. I found this interesting. Another article on the same story is: After judge orders release of hacker tied to ISIS, US says ‘Not so fast’, which was written by Cyberscoop’s Jeff Stone.
    • Health insurer Excellus was penalized $5.1M by HHS for a data breach. According to the article, the $5.1 million fine is for violations of privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA), which is a good start in protecting our data, but I’m sure it isn’t enforced. We’ve had too many breaches in the health care industry, and it’s time to send a message to health care that our data is important. Health insurer Excellus penalized $5.1M by HHS for data breach is the article, and I think it should definitely be read.
    • Rob Joyce is now the new NSA cybersecurity director, according to an article written by Cyberscoop’s Shannon Vavra. He replaces Anne Neuberger as director of the agency’s cybersecurity directorate. Anne will be joining the Biden team according to the article. For full details and links to other items, why not check out the article Rob Joyce named new NSA cybersecurity director?

    Thanks so much for checking out the program, and I welcome your questions, comments and concerns! Let’s talk.


    The Security box, podcast 28: 2020 year end reports, teledildonics, news, notes and more

    Hello folks, welcome to the Security Box for this week. This week’s show is packed and we’ve got the entire show notes for you. The RSS got the show the same day, and it got a bit of the show notes, up to the news notes.

    News Notes is where I try to be thorough in covering with links to various stories where possible. I could not get this in to the notes for RSS, however, it’ll be available on the blog as we have unlimited space for the blog.

    You tell me that you don’t want to mess with RSS? Please don’t worry. I’ve got you covered with the download of the file (172.62mb) for you to download.

    Now, without any further ado, let’s give you those show notes so that you can read anything that is of interest. Thanks so much for checking out the blog, podcast series, and my web sites!


    Welcome to podcast 28 of the Security Box. On this podcast, a couple of year in review items, something called teledildonics or “The Male Chastity Cage” from a recent Security Now podcast, news, notes, questions, comments and more.

    Topics:

    News, notes and more

    • One of the biggest carding shops to date will be closing its doors come February 15th, 2021. Some of the reasons why it is closing are: poor performance on up-to-date value cards, the government shuttering some of their domains, and an apparent COVID-19 diagnosis of the owner of the shop. According to the article from Krebs on Security, the shop has been around for 6 full years. Most notably, some of the high-profile breaches from which this shop sold valuable credit card data include: Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton Hotels, Jason’s Deli, Whole Foods, Chipotle, Wawa, Sonic Drive-In, the Hy-Vee supermarket chain, Buca Di Beppo, and Dickey’s BBQ. According to Krebs, those who got in early will be able to cash out, while most will need to cash out before closure on February 15th. Both articles cover this well with links to various other stories, and the tech blog will be having this covered as well. Joker’s Stash Carding Market to Call it Quits (Krebs on Security) and Joker’s Stash, a forum for stolen data, says it will shut down within 30 days (Cyberscoop) should be read, and you can decide which article you like.
    • Did you get your Windows update on? Microsoft Patch Tuesday, January 2021 Edition and January Patch Tuesday Repairs Critical MS Defender RCE Bug should be read. MS Defender always gets updates, so this should already be patched according to the articles. This month, there are 83 updates. 7 of the 83 were reported by Trend Micro’s ZDI project.
    • The vulnerability summary email I get might have things that pertain to you, one being mentioned by them for Dell. The Dell Inspiron 5675 BIOS versions prior to 1.4.1 contain a UEFI BIOS RuntimeServices overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting the RuntimeServices structure to execute arbitrary code in System Management Mode (SMM). If you have this, call Dell to get an update link or information on how to obtain it. There are also patches for Android and Chrome listed in the high severity list. Here’s CISA’s writeup for people to see.
    • Have you read This Week in Security News, which ended January 15th, 2021? There’s quite a bit in there, including some things we’ve also covered. You can consider this a digest of news each week, and usually I post these to the blog. Since I hadn’t been feeling well, some of this stuff is being posted to the blog for the first time. This Week in Security News – Jan. 15, 2021 is the article; did you find something of interest?
    • Mimecast had some certificates stolen, and there may be a link to the SolarWinds breach according to the article. Mimecast breach investigators probe possible SolarWinds connection is the article, and well worth the read. If you’ve been affected, Mimecast has hopefully already contacted you by now, but if not, do contact them for assistance.
    • Krebs on Security says that if SolarWinds got breached as badly as they did, this can happen to anyone. I’d hate to find out if Microsoft got breached that badly, and all of Windows was compromised. SolarWinds: What Hit Us Could Hit Others is the article from Brian, and it’s definitely worth the read. It’s all about the supply chain.
    • Ring adds encryption to their product for video feeds between your camera and your app. Some may say that this is a little too late, but sometimes you don’t think about such things. Ring has been in the news for varying reasons; hopefully this will help. Ring adds encryption tool as other security questions surface is the article talking about this if you are a customer. If not, you might want to read it anyhow, because if you’re considering becoming a customer, this will be of importance to you. Ring is an Amazon product.
    • You’ve probably heard about Signal and the pain they had when an influx of customers left Facebook and went there. The reason is that Facebook was going to collect metadata like phone numbers, how long messages were, and contacts, just to name a few. This is common practice; even the phone companies do this when you place a call. Since Facebook has my cell phone number for my account already, I honestly don’t see this to be a problem. Signal endures ‘technical difficulties’ amid new popularity is the article; things hopefully will be returning to normal really soon.

    Thanks so much for listening, please contact me throughout the program with questions, comments and concerns. We’d love to hear from you!


    The Security box, podcast 27: Breaches of the last year, security predictions, news, notes and more

    Hello everyone, the RSS feed has had the podcast for at least a day now. Today has been a bit draining; although I felt great when I woke up, I just didn’t have a whole lot of energy as the day progressed.

    That being said, I did listen to my daily podcast, and there has been news that came out of that, and of course Trend Micro came out with other news I have not read. Some of this will be covered in the next podcast, but this podcast does have some interesting topics today.

    The RSS does have a lot of the show notes, but I like to be as detailed as I can with the show notes so we’ll have them here for you.

    You tell me that you don’t want to deal with the RSS because you don’t have a reader, or you just don’t want to learn? That is OK. Get the 169.67mb file by clicking on the link or pressing enter.

    Here are the show notes for this program, and thanks for listening!


    Hello folks, welcome to the security box, podcast 27. Trend Micro has a report they do each year talking about the trends of the next year, and it’s worth talking about. Did you know about any of the breaches of the past year? We’ll go through that thanks to Solutions Review, as well. We’ll have news, notes, commentary and more, and even a guest to boot if everything goes well. Thanks so much for listening, and make it a great day!

    Topics:

    • The Security Predictions from Trend Micro are always something fun to read. We’ll talk about some highlights that might be of interest, and of course, we’ll take questions and comments in regards to this. You can read the article entitled Takeaways from Trend Micro’s 2021 Predictions to learn more. I also posted a blog post with my thoughts on this one, and it’s available for everyone to read.
    • Are you aware of the biggest breaches of the year? There is a post with videos and text, and we’ll talk about this. Ben Canner, a follower of mine on Twitter, tweeted out Solutions Review Presents: The Top Data Breaches of 2020 and boy, is it something that I think we should cover.
    • Cyber Wire Daily has what they call Research Saturday. This is a link to January 9th’s episode on Emotet, and I will be summarizing this as part of this week’s program. There is a link to read the show notes, and thanks to Overcast for providing a link to the episode; I think it’s worth sharing.

    News Notes:

    I think we’re going back to the original format that we started with; it’s much easier to maintain it that way. If you liked the other format, please let me know.

    • According to Cyberwire Daily, a podcast, President Trump was removed from Twitter for several days, as well as removed from Facebook until he leaves office. The Washington Post may have an article on this, as they cite the Post as being where the reports of him being kicked off came from. The January 7th program talked about the fact President Trump urged people to show their displeasure, although a tweet said to do it peacefully. It made no difference, as people demonstrated and caused problems on January 6th and caused the recount to be delayed. It was resumed later in the evening, and President-elect Joe Biden was confirmed. Facebook bans Trump indefinitely; risks ‘simply too great,’ Zuckerberg says and Facebook, Twitter act on Trump’s false messaging after violence at Capitol should be read in regards to the latest on this ordeal. These two articles were read after listening to the podcast.
    • This Week in Security News – Jan 8, 2021 has quite a lot of articles, some of which I had meant to cover but hadn’t had an opportunity to blog about.
    • Russian man sentenced to 12 years in prison for massive JPMorgan data heist is a bit of good news after a long bout of wondering if we are going to get some good news. While I published some good news recently, 2021 has gotten off to a great start with this one. This J.P. Morgan breach was the biggest to date at the time, but SolarWinds today tops that. This was well orchestrated, and you should read this.

    Things to ponder:

    • Have you ever heard of Swatting? The tech podcast covered swatting and technology and things before, but swatting and Internet of things? Security Now episode 800 covers this in a 9 minute segment which I introduce making the segment over 12 minutes long. Do you really have your security settled?
