Are you travelling, staying in a hotel or using public wifi? – ‘Darkhotel’ downloads information-stealing malware.

There are a number of articles and warnings about executives being hacked on shared wi-fi, including in luxury hotels, especially in the APAC region.

Dubbed ‘Darkhotel’ by Kaspersky, the attackers infiltrate luxury hotels’ wi-fi to steal sensitive corporate data from travelling executives.

Targeted businesspeople connect to the hotel wi-fi and are prompted to download fake updates for programs such as Google Toolbar, Adobe Flash and Windows Messenger. Once downloaded, the backdoor installs an advanced keylogger, an information-stealing module and the Trojan ‘Karba’.

Once these applications are installed, the malware starts looking for private information, cached passwords and login credentials. Afterwards, the attackers delete their hacking tools to avoid suspicion.

A representative from Kaspersky said the attackers have “operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision”.

This malware can also be spread through peer-to-peer or file-sharing networks. It’s estimated that Darkhotel has been downloaded over 30,000 times in the last six months.

To date, the majority of these infections were identified in Japan, Taiwan, Russia, China and Hong Kong.

Kaspersky principal security researcher, Kurt Baumgartner, said these attacks are becoming more common: “Targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”

To avoid attacks:

1. Never install or accept software you are not sure about. If you are in doubt, call Sterling IT and we will quickly confirm the legitimacy of the application or pop up.

2. Use a phone company internet connection such as Vodafone, Telstra or Optus 3G/4G USB or Pocket wifi cards instead of shared services.

3. Ensure your antivirus is up to date.

4. NEVER open emails that you are not expecting with links or attachments.


Storm Season, Power Surges and UPS protection.


Are you protected against storms? (Sterling IT)

Electronic and computer-based equipment need high-quality, uninterrupted power supplies.

In Australia, particularly during the summer months, excess strain is placed on our ageing electrical infrastructure. Adding to this are the unpredictable weather patterns associated with summer storms, which can cause electrical surges and power outages for extended periods of time.

The best form of PC protection is to be plugged into a quality UPS (Uninterruptible Power Supply) at all times. This is a surge protector and voltage regulator with a back-up battery. The better ones actually talk to your PC via USB, so when the power drops out, the UPS instructs the PC to close all programs safely and then shut down, all under battery power. For laptop users this is not such a great concern; however, plugging into a surge protector may just save your power adapter and, in some severe cases, your laptop.

With no UPS, if you are lucky enough to be home before a storm hits, you should power down your PC and unplug it from the wall. BUT that isn’t all; the most vulnerable route for a voltage spike is through your telephone line. We have seen some pretty severe cases where a lightning strike has merely passed a telephone pole and completely rendered useless every device connected to the router by wire (Ethernet). EMF will surge down a phone line and through your equipment like an electrical tsunami… It takes out everything in its path. The safest way of protecting your equipment during an electrical storm is to first disconnect your telephone line from the wall (this is your source of ADSL as well as telephone), and then shut down your computers and disconnect them from the power. Unfortunately, even a moderate UPS is no protection against a huge EMF spike.

We also strongly recommend you have insurance to protect you against business interruption as well (liaise with your broker or insurance company for this), as even with recovery of systems, the loss of income could be claimed.

Even with a UPS, we have found equipment to be affected. This can be due to massive spikes or phase drops as well as the surge coming from phone lines rather than electricity lines.

Some of the more sophisticated UPSs on the market come with software which monitors the power usage and demand on a computer or server. If the power is off for any period of time, this software will log the users off, close the programs and then shut down the server safely.

Size matters: having the correct UPS installed will ensure that the power requirements of the business are met and the key hardware is protected.

It is also worth checking your UPS from time to time, to make sure that it is doing what it is supposed to. If you’re not sure what your needs are, please request that we check next time we are onsite or book in a health check.

If you do suffer a computer failure after a storm, contact us at Sterling IT on (02) 9756 6866 and we’ll do our best to get you back online.

“Sterling IT also provides insurance reports, quotation estimates and repairs or replacements.”


How to decrypt, unlock and restore Cryptolocker malware for free

Cryptolocker is a particularly nasty type of ransomware that criminals have used to encrypt files on a victim’s computer before demanding a ransom for the encryption key to unlock the files. Without the key, the encryption renders the victim’s files useless, so many people lost files or paid the ransom.

Two security firms, FireEye and Fox-IT, have partnered to provide a solution which may help many people. The website Decrypt Cryptolocker can now be used to try to unlock files encrypted by the Cryptolocker malware.

Use of the Decrypt Cryptolocker service is free and simply requires you to upload a sample encrypted file to the website. If the website is able to decrypt your files, you can then download its recovery program and receive the unlocking master key by email.

Please note that this tool may not be able to decrypt some affected files.

Synology® Continues to Encourage Users to Update – Synolocker attack on NAS

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December 2013. Furthermore, to prevent the spread of the issue, we have only enabled QuickConnect and Synology DDNS service for secure versions of DSM. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, if users encounter any of the symptoms below, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php

  • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock the data.
  • A process called “synosync” is running in Resource Monitor.
  • DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: https://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.
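As an added illustration (not Synology's code or tooling), the following Python script turns the version thresholds and symptoms in the notice above into a check an administrator can run against the DSM version strings of a fleet of NAS units. The minimum builds per branch (4.3-3827, 4.2-3243, 4.0-2259) are taken from the notice; the treatment of branches the notice does not mention (such as DSM 3.x) as "needs update", and the sample version strings, are assumptions made for this example.

```python
import re
from typing import List, Optional, Tuple

# Minimum recommended builds per DSM branch, as stated in the Synology notice.
# DSM 4.1 has no fixed build of its own: the notice says to move to 4.2-3243 or later.
RECOMMENDED_MIN_BUILD = {
    (4, 3): 3827,
    (4, 2): 3243,
    (4, 0): 2259,
}

# Accepts "DSM 4.3-3810", "4.3-3810" or a bare "5.0" (build number optional).
VERSION_RE = re.compile(r"^(?:DSM\s+)?(\d+)\.(\d+)(?:-(\d+))?$")


def parse_dsm_version(text: str) -> Tuple[int, int, Optional[int]]:
    """Parse a DSM version string into (major, minor, build)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    major, minor, build = m.groups()
    return int(major), int(minor), (int(build) if build is not None else None)


def dsm_needs_update(text: str) -> bool:
    """True when the installed DSM is below the notice's recommended minimum."""
    major, minor, build = parse_dsm_version(text)
    if major >= 5:
        return False  # the notice has not observed the issue in DSM 5.0
    if (major, minor) == (4, 1):
        return True  # must move to 4.2-3243 or later
    minimum = RECOMMENDED_MIN_BUILD.get((major, minor))
    if minimum is None or build is None:
        # Branch not covered by the notice, or no build number: treat
        # conservatively as needing an update (assumption for this example).
        return True
    return build < minimum


def assess_nas(installed: str, control_panel_says_latest: bool,
               synosync_running: bool) -> List[str]:
    """Report which of the notice's symptoms apply and whether to update."""
    findings: List[str] = []
    outdated = dsm_needs_update(installed)
    if synosync_running:
        findings.append("process 'synosync' is running (symptom listed in the notice)")
    if outdated and control_panel_says_latest:
        findings.append("outdated DSM but Control Panel reports the latest version "
                        "is installed (symptom listed in the notice)")
    if outdated:
        findings.append(f"{installed} is below the recommended minimum for its "
                        f"branch: update DSM")
    return findings


if __name__ == "__main__":
    # Constructed inventory of NAS units; version strings are sample values.
    fleet = [
        ("nas-01", "DSM 4.3-3810", True, True),
        ("nas-02", "DSM 4.3-3827", False, False),
        ("nas-03", "DSM 4.1-2000", False, False),
        ("nas-04", "DSM 5.0", False, False),
    ]
    for name, version, says_latest, synosync in fleet:
        for finding in assess_nas(version, says_latest, synosync):
            print(f"{name}: {finding}")
```

The check is deliberately conservative: anything the notice does not explicitly cover is reported as needing an update, so the output errs towards asking an operator to look rather than silently passing an unknown build.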

OpenSSL web security issue named Heartbleed – check and confirm whether a website is safe here

Link to verify whether a website is secure and safe from Heartbleed: https://filippo.io/Heartbleed/

Millions of websites, online stores and social networks are operating with a major security hole in place, exposing user information and financial information to hackers.

That is because a core safety mechanism used to secure the internet has a flaw in it. Worse still, it has been in place for over two years and experts are unsure if it has been exploited for criminal or espionage purposes.

Late on Tuesday, the bombshell hit the web: a Google security engineer and some other researchers published information indicating they had discovered a serious flaw, dubbed “Heartbleed”, in numerous but not all versions of the OpenSSL cryptographic software library, which is used to secure millions of websites.

Tech news website The Verge labelled it “the most dangerous security flaw on the web”.


“It is catastrophically bad,” ICSI security researcher Nicholas Weaver told the website.

Anonymisation software service Tor put it more bluntly: “If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days …”

“This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Yahoo’s Tumblr said.

“This … means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.”

Melissa Elliott, a security researcher, noticed the flaw affecting a number of Yahoo websites – including the Yahoo.com search engine, email service mail.yahoo.com, and photography site Flickr.com – and suggested that users of those sites should stay away from them until they were patched.

Others echoed her concerns, saying that the only way internet users could be sure they were safe was to stop using vulnerable websites while they were unpatched, and to change their passwords after that. (A helpful tool at filippo.io/Heartbleed shows if a site is vulnerable.)

The flaw allowed anyone to grab credentials from a web server in plain text. In Yahoo’s case, this was possible for most of Tuesday until it patched its sites on Wednesday.

Australian IT security expert Chris Gatford, of HackLabs, wrote in a blog post that about 10 per cent of the Australian Stock Exchange’s top 200 companies used vulnerable versions of OpenSSL as of Tuesday night. Although some might dismiss the flaw, he was concerned by it.

A separate search of Alexa’s top 10,000 websites on the internet performed by former Lulzsec hacker Mustafa Al-Bassam found about 629 of them vulnerable to the flaw.

“… We have been able to dump from the affected servers plain text usernames and passwords, session cookies of banking customers and other information that would at the least allow compromise of user accounts etc from the affected web applications running on the tested servers,” Mr Gatford said.

While usernames and passwords were exposed, if an attacker had access to a user’s session cookie they could log in as the user without their password, as the cookie acts as their login.

A search by Fairfax Media using publicly available vulnerability testing websites uncovered retailer JB Hi-Fi’s website jbhifionline.com.au was vulnerable to the flaw on Tuesday, as well as cert.gov.au, the Australian government’s Community Emergency Response Team (CERT) website.

CERT refused to comment on whether it patched its site and would not say what advice it was offering to government departments.

“There is a range of open source information available about the Heartbleed vulnerability and the actions to take to address it,” it said.

Priceline’s priceline.com.au and the Commonwealth Courts portal comcourts.gov.au were also vulnerable.

JB Hi-Fi chief executive Terry Smart said JB Hi-Fi’s website used Amazon Web Services, which was vulnerable to the flaw until late on Tuesday.

“We’re updating all of our [SSL] certificates to protect against this potential issue,” Mr Smart said.

“No attacks have been identified by both our internal and external scans and we’re confident that no data breaches have occurred.”

Priceline confirmed it was affected too and had moved “immediately to apply a security patch”. “We have run security checks that indicate there were no breaches before we fixed the flaw. We are also purchasing a new certificate.”

Comment is being sought from the Federal Court by Fairfax Media as to what it will be doing to address the issue.

The flaw

OpenSSL is one way to implement the cryptographic protocol Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), on web servers. Most consumers know these protocols are in use when they see “https” and a padlock in their browser.

The padlock is the indication web users look for to be assured a website is safe and transmitting their data in a secure manner. It essentially means that the connection between the user and the server is encrypted and can’t be snooped on. The idea is that anyone attempting a “man in the middle” attack can’t see the data transmitted. This means that even if a rogue network administrator at an internet service provider was in the “middle” of your connection and tried to intercept it, they would be unsuccessful, getting only encrypted data they couldn’t decrypt.

But thanks to the flaw the IT security researchers found, in many instances the way the encryption has been implemented on the server side across large swathes of the internet is itself flawed. It means that an attacker with knowledge of it would have been able to get servers to spit out data previously thought to be secure by sending exploit code to the server.

That leaky data was coming out in chunks from a server’s memory, and a number of proofs of concept built overnight show that lots of private user data can be extracted from a server over time.

Attackers could do this all remotely, the researchers who found the flaw said. Further, it’s thought that a server’s “crown jewels” – the private keys it uses to encrypt data between it and users – could have also been stolen using the flaw, as it allowed for not only client data to be stolen but server data.
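To make concrete why data “came out in chunks from a server’s memory”, the following Python model is an added example (not OpenSSL’s code and not from the article) of the bug class behind the flaw: a heartbeat handler that trusts a length field supplied by the peer, shown beside the hardened handler that checks the declared length against the record actually received. Python cannot read past the end of a buffer, so “adjacent process memory” is modelled as a constructed secret appended to the same `bytearray`; the message layout (1-byte type, 2-byte big-endian length, payload) and the function names are assumptions made for this example.

```python
import struct
from typing import Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3  # 1-byte type + 2-byte declared payload length (model layout)


def build_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Build a heartbeat request whose declared length may disagree with the
    number of payload bytes actually sent (constructed model, not real TLS)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload


def handle_heartbeat_unchecked(memory: bytearray, record_len: int) -> bytes:
    """Vulnerable model: copies `declared_len` bytes starting at the payload,
    without checking that the record is that long. `memory` models a process
    buffer: the received record sits at offset 0 and whatever happened to be
    adjacent in memory follows it, so an inflated length reads past the record.
    `record_len` is accepted but ignored, which is exactly the defect."""
    hb_type, declared_len = struct.unpack_from("!BH", memory, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = bytes(memory[HEADER_LEN:HEADER_LEN + declared_len])  # over-read
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len) + payload


def handle_heartbeat_checked(memory: bytearray, record_len: int) -> bytes:
    """Hardened model: the declared length must fit inside the record that was
    actually received; otherwise the heartbeat is silently discarded."""
    if record_len < HEADER_LEN:
        return b""
    hb_type, declared_len = struct.unpack_from("!BH", memory, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if HEADER_LEN + declared_len > record_len:
        return b""  # peer lied about the length: drop, never echo
    payload = bytes(memory[HEADER_LEN:HEADER_LEN + declared_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len) + payload


def demo(declared_len: int) -> Tuple[bytes, bytes]:
    """Run both handlers on the same buffer; returns (unchecked, checked)."""
    record = build_heartbeat(declared_len, b"ping")
    # Constructed stand-in for data that happened to sit next to the record.
    adjacent_secret = b"session=ABC123; user=alice"
    memory = bytearray(record + adjacent_secret)
    return (handle_heartbeat_unchecked(memory, len(record)),
            handle_heartbeat_checked(memory, len(record)))


if __name__ == "__main__":
    honest_unchecked, honest_checked = demo(4)
    print("honest length, both handlers agree:", honest_unchecked == honest_checked)
    leaked, dropped = demo(30)
    print("unchecked handler echoed:", leaked)   # includes the adjacent secret
    print("checked handler echoed:", dropped)    # b'' (request discarded)
```

The single comparison `HEADER_LEN + declared_len > record_len` is the whole difference between the two handlers; it is the kind of missing bounds check that lets a peer-controlled length field turn an echo service into a memory disclosure.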

It may sound boring, but many IT security experts have told Fairfax Media that it’s really important for internet users to understand the flaw and the risks.

“You are likely to be affected either directly or indirectly,” the researchers who found the flaw said of the bug. “OpenSSL is the most popular open source cryptographic library and Transport Layer Security implementation [is] used to encrypt traffic on the internet.

“Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.”

With the private keys potentially having been stolen, it means affected companies now face making a decision of whether they need to renew and regenerate their private keys – at a cost. This can vary from a couple of dollars to thousands depending on the type of key purchased.

As of Wednesday morning, hacking search engine tool Shodan was showing there were at least 576,231 devices worldwide with vulnerable versions of OpenSSL running on them. Of those, 6270 were based in Australia. The numbers are by no means comprehensive – as Shodan doesn’t index the entire internet – and they may include some servers that aren’t affected.

Security experts are encouraging users to wait until the sites they use patch their OpenSSL and issue new certificates before recommending they change their passwords.