Categories
Communication Information Security

Improbus help businesses conduct secure voting, polls, and surveys

In connection with state COVID-19 restrictions, many general meetings and board meetings must be held digitally to reduce the risk of infection.

For many businesses, this poses challenges, particularly related to the correct conduct of surveys, polls, and voting.

Improbus has, on behalf of clients, built a system for efficient, secure, and anonymous conduct of surveys, polls and, voting, with credible results.

Categories
Health News Safety Security

Additional measures implemented due to the COVID-19 pandemic

Due to the Coronavirus Disease 2019 (COVID-19) pandemic and the following travel restrictions enforced by the Norwegian authorities; Improbus has suspended all travel activity until further notice.

The travel- and meeting-restrictions were originally scheduled to apply from 2020-03-13 to 2020-03-26, but the Norwegian government has now extended this ban to apply until 2020-04-16.

None of Improbus’s employees are infected by the Coronavirus (SARS-CoV-2).

Nevertheless, we continue to comply with advice from both the WHO and the Norwegian authorities.

All scheduled meetings will be held as planned – but electronically – via instant messaging Telegram (chat) or encrypted VoIP.

For urgent questions or emergencies, Improbus technicians will remain available via SMS and phone at +47-94102030.

Non-urgent and non-sensitive matters should be communicated using email.

Electronic communication using Telegram is preferred.

For more information about the Coronavirus (SARS-CoV-2) and the Coronavirus Disease 2019 (COVID-19), please see WHO‘s webpages (English), Helsenorge (Norwegian), or the Norwegian Government’s homepage (“Regjeringen”) in Norwegian or English.

Categories
Media Syndicated

Security Breach Disrupts Fintech Firm Finastra

Finastra, a company that provides a range of technology solutions to banks worldwide, said today it was shutting down key systems in response to a security breach discovered this morning. The company’s public statement and notice to customers does not mention the cause of the outage, but their response so far is straight out of the playbook for dealing with ransomware attacks.

London-based Finastra has offices in 42 countries and reported more than $2 billion in revenues last year. The company employs more than 10,000 people and has over 9,000 customers across 130 countries — including nearly all of the top 50 banks globally.

Earlier today, sources at two different U.S. financial institutions forwarded a notice they received from Finastra saying the outage was expected to disrupt certain services, particularly for clients in North America.

“We wish to inform our valued customers that we are investigating a potential security breach. At 3:00 a.m. EST on March 20, 2020, we were alerted to anomalous activity on our network which risked the integrity of our data-centers,” reads the notice. “As such, and to protect our customers, we have taken quick and strict remedial action to contain and isolate the incident, while we investigate further.”

Update, 22:21 CET: Finastra has acknowledged that it is battling ransomware.

“At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted,” the company said in a revised statement.

The statement continues:

“Our approach has been to temporarily disconnect from the internet the affected servers, both in the USA and elsewhere, while we work closely with our cybersecurity experts to inspect and ensure the integrity of each server in turn. Using this ‘isolation, investigation and containment’ approach will allow us to bring the servers back online as quickly as possible, with minimum disruption to service, however we are anticipating some disruption to certain services, particularly in North America, whilst we undertake this task. Our priority is ensuring the integrity of the servers before we bring them back online and protecting our customers and their data at this time.”

Finastra also acknowledged an incident via a notice on its Web site that offers somewhat less information and refers to the incident merely as the detection of anomalous activity.

“The Finastra risk and security services team has detected anomalous activity on our systems,” wrote Tom Kilroy, Finastra’s chief operating officer. “In order to safeguard our customers and employees, we have made the decision to take a number of our servers offline while we investigate. This, of course, has an impact on some of our customers and we are in touch directly with those who may be affected.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to strongarm victim companies into paying up.

One reader on Twitter told KrebsOnSecurity they’d heard Finastra had sent thousands of employees home today as a result of the security breach. Finastra told this author the company closed select offices in Canada and Paddington, London today where employees were unable to access the servers which they took offline.

“The majority of the Company’s employees are already working from home,” a statement shared by Finastra reads. “This is determined by Finastra’s response to COVID-19 and not related in any way to this incident.”

Interestingly, several ransomware gangs have apparently stated that they are observing a kind of moratorium on attacking hospitals and other healthcare centers while the COVID-19/Coronavirus epidemic rages on. Bleeping Computer’s Lawrence Abrams said he recently reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.

Abrams said several of those gangs told him they would indeed stop attacking healthcare providers for the time being. One gang even used its victim-shaming Web site to post a “press release” on Mar. 18 stated that “due to situation with incoming global economy crisis and virus pandemic” it would be offering discounts to victims of their ransomware.

“We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus,” reads the release from the Maze ransomware gang.

Source: KrebsOnSecurity.

Categories
News Security

Successful recovery of stolen domain names

Improbus facilitated today the safe return and recovery of stolen domain names.

Two competing companies were domain name holders of domain names associated with each other’s businesses.

In connection with maintenance on the domain name services on behalf of Company A, it was discovered that one of the domain names had been illegally transferred from ISP A to ISP B, then deleted by the registry and re-registered by the registrar within milliseconds.

This action led to the unauthorized and illegal transfer of domain name ownership from Company A to Company B. The domain name hijacking and subsequent domain name theft were made possible by means of ID theft.

Information on the method used was obtained and extensively documented by Improbus, and the persons and companies involved were confronted.

Instead of a judicial process, an amicable agreement was entered into between the parties – after mediation by Improbus:

Assuming that Company B transfer domain names that were affiliated and associated with Company A – Company A would in return refrain from reporting criminal offenses (i.e., theft of domain names) to the police, as well as permit the legal transfer one of its domain names to Company B.

In this way, the normal situation was restored in an efficient, peaceful and amicable manner – without involving the prosecution authorities or the justice system.

Improbus’ handling of the incident led to a happy outcome for both parties.

Categories
Media Security Syndicated

Zxyel Flaw Powers New Mirai IoT Botnet Strain

In February, hardware maker Zyxel fixed a zero-day vulnerability in its routers and VPN firewall products after KrebsOnSecurity told the company the flaw was being abused by attackers to break into devices. This week, security researchers said they spotted that same vulnerability being exploited by a new variant of Mirai, a malware strain that targets vulnerable Internet of Things (IoT) devices for use in large-scale attacks and as proxies for other cybercrime activity.

Security experts at Palo Alto Networks said Thursday their sensors detected the new Mirai variant — dubbed Mukashi — on Mar. 12. The new Mirai strain targets CVE-2020-9054, a critical flaw that exists in many VPN firewalls and network attached storage (NAS) devices made by Taiwanese vendor Zyxel Communication Corp., which boasts some 100 million devices deployed worldwide.

Like other Mirai variants, Mukashi constantly scans the Internet for vulnerable IoT devices like security cameras and digital video recorders (DVRs), looking for a range of machines protected only by factory-default credentials or commonly-picked passwords.

Palo Alto said IoT systems infected by Mukashi then report back to a control server, which can be used to disseminate new instructions — such as downloading additional software or launching distributed denial of service (DDoS) attacks.

Zyxel issued a patch for the flaw on Feb. 24, but the update did not fix the problem on many older Zyxel devices which are no longer being supported by the company. For those devices, Zyxel’s advice was not to leave them connected to the Internet.

A joint advisory on CVE-2020-9054 from the U.S. Department of Homeland Security and the CERT Coordination Center rates this vulnerability at a “10” — the most severe kind of flaw. The DHS/CERT advisory also includes sample code to test if a Zyxel product is vulnerable to the flaw.

My advice? If you can’t patch it, pitch it, as Mukashi is not the only thing interested in this Zyxel bug: Recent activity suggests attackers known for deploying ransomware have been actively working to test it for use against targets.

Source: KrebsOnSecurity.

Categories
Media Syndicated

Live Coronavirus Map Used to Spread Malware

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.

“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.”

It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware.

As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know.

A tip of the hat to @holdsecurity for a heads up about this malware offering.

Source: KrebsOnSecurity.

Categories
Media Syndicated

Microsoft Patch Tuesday, March 2020 Edition

Microsoft Corp. today released updates to plug more than 100 security holes in its various Windows operating systems and associated software. If you (ab)use Windows, please take a moment to read this post, backup your system(s), and patch your PCs.

All told, this patch batch addresses at least 115 security flaws. Twenty-six of those earned Microsoft’s most-dire “critical” rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Given the sheer number of fixes, mercifully there are no zero-day bugs to address, nor were any of them detailed publicly prior to today. Also, there were no security patches released by Adobe today. But there are a few eyebrow-raising Windows vulnerabilities worthy of attention.

Recorded Future warns exploit code is now available for one of the critical bugs Redmond patched last month in Microsoft Exchange (CVE-2020-0688), and that nation state actors have been observed abusing the exploit for targeted attacks.

One flaw fixed this month in Microsoft Word (CVE-2020-0852) could be exploited to execute malicious code on a Windows system just by getting the user to load an email containing a booby-trapped document in the Microsoft Outlook preview pane. CVE-2020-0852 is one just four remote execution flaws Microsoft patched this month in versions of Word.

One somewhat ironic weakness fixed today (CVE-2020-0872) resides in a new component Microsoft debuted this year called Application Inspector, a source code analyzer designed to help Windows developers identify “interesting” or risky features in open source software (such as the use of cryptography, connections made to a remote entity, etc).

Microsoft said this flaw can be exploited if a user runs Application Inspector on a hacked or booby-trapped program. Whoops. Animesh Jain from security vendor Qualys says this patch should be prioritized, despite being labeled as less severe (“important” versus “critical”) by Microsoft.

For enterprises, Qualys recommends prioritizing the patching of desktop endpoints over servers this month, noting that most of the other critical bugs patched today are prevalent on workstation-type devices. Those include a number of flaws that can be exploited simply by convincing a Windows user to browse to a malicious or hacked Web site.

While many of the vulnerabilities fixed in today’s patch batch affect Windows 7 operating systems, this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

Update, 7:50 p.m.: Microsoft has released an advisory about a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. Critical SMB (Windows file-sharing) flaws are dangerous because they are typically “wormable,” in that they can spread rapidly to vulnerable systems across an internal network with little to no human interaction.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,” Microsoft warned. “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Microsoft’s advisory says the flaw is neither publicly disclosed nor exploited at the moment. It includes a workaround to mitigate the flaw in file-sharing servers, but says the workaround does not prevent the exploitation of clients.

Source: KrebsOnSecurity.

Categories
Health News Safety Security

Measures implemented due to the COVID-19 pandemic

Due to the Coronavirus Disease 2019 (COVID-19) pandemic and the following travel restrictions enforced by the Norwegian authorities; Improbus has suspended all travel activity until further notice.

None of Improbus’s employees are infected by the Coronavirus (SARS-CoV-2).

Nevertheless, we comply with advice from both the WHO and the Norwegian authorities, which recommend reduced travel- and face-to-face meeting-activities.

However; all scheduled meetings will be held as planned – but electronically – via instant messaging Telegram (chat) or encrypted VoIP.

For urgent questions or emergencies, Improbus technicians will remain available via SMS and phone at +47-94102030.

Non-urgent and non-sensitive matters should be communicated using email.

Electronic communication using Telegram is preferred.

For more information about the Coronavirus (SARS-CoV-2) and the Coronavirus Disease 2019 (COVID-19), please see WHO‘s webpages (English) or Helsenorge (Norwegian).

Categories
Media News Security

Man convicted of “extensive data breach”

Man convicted of “extensive data breach” in Bergen District Court

Article from Digi / BT / NTB

A 30-year-old man in Bergen District Court has been sentenced to 14 days suspended prison for data breach by the Norwegian Public Roads Administration. The man says he wanted to develop an app.

In addition to the conditional prison sentence, the foreign man living in Bergen is sentenced to give up two hard drives and one SSD disk, writes Bergens Tidende.

The defendant wanted to develop an app that would allow contact with the owner of a motor vehicle without exchanging personal information, according to the judgment.

The man extracted information about Norwegian car owners from the Roads Administration’s website, but this went beyond what the Norwegian Public Roads Administration intended to offer of information through the service. Therefore, he is convicted of violation of section 207 of the Penal Code for burglary in computer systems.

The defendant understood that this was not how the service should be used, the court believes.

But the court also states that the information he obtained was legally obtained through a request for access.

The man’s defender, attorney Alexander Gonzalo Sele, says he and the client will go through the verdict and consider whether to appeal.

– We believe the judgment raises fundamental questions about what can be characterized as a data breach. He has retrieved information that was publicly available and that one could also find using a regular telephone directory, Sele says, pointing out that the client did not get any sensitive information.

© NTB

Source: digi.no (Article in Norwegian)

Improbus’ comments

The verdict (case number TBERG-2019-141281) is available online, in Norwegian (check Google Translate for an OK English translation).

According to the accusation (and verdict), the accused accessed publicly available web resources served by the Norwegian Public Roads Administration.

The accused then opened several browser tabs, and changed the individual URLs slightly, to see if the different http requests yielded individual, but still relevant results.

The accused allegedly then proceeded to collect the output of the respective web outputs provided by the site; storing them in a local database; one record for each http request.

Bergen District Court has ruled that even though the information gained and stored was already publicly available, nor did any damage or presented the server with a significant load of any kind – the action is still to be perceived as illegal.

Since the information from the Norwegian Public Roads Administration’s web site already was publicly available, it is obvious to think that this system behavior was intentional.

It is obvious to Improbus that what has been explained as misuse of a minor design flaw, has not been misused for evil purposes at all, but rather as a means for retrieving public data in an efficient, easy and convenient way.

If the data had been private or sensitive, the situation would have been quite different – maybe not technically or juridically, but at least ethically and morally.

It is sad to see that neither the courts nor the police able to keep up with current knowledge about the common usage of information systems.

If this really is a criminal act, it is nonetheless a victimless one.

Categories
Media Syndicated

FCC Proposes to Fine Wireless Carriers $200M for Selling Customer Location Data

The U.S. Federal Communications Commission (FCC) today proposed fines of more than $200 million against the nation’s four largest wireless carriers for selling access to their customers’ location information without taking adequate precautions to prevent unauthorized access to that data. While the fines would be among the largest the FCC has ever levied, critics say the penalties don’t go far enough to deter wireless carriers from continuing to sell customer location data.

The FCC proposed fining T-Mobile $91 million; AT&T faces more than $57 million in fines; Verizon is looking at more than $48 million in penalties; and the FCC said Sprint should pay more than $12 million.

An FCC statement (PDF) said “the size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.”

The fines are only “proposed” at this point because the carriers still have an opportunity to respond to the commission and contest the figures. The Wall Street Journal first reported earlier this week that the FCC was considering the fines.

The commission said it took action in response to a May 2018 story broken by The New York Times, which exposed how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.

That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

In response, the carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, Joseph Cox at Vice.com showed that little had changed, detailing how he was able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.

Gigi Sohn is a fellow at the Georgetown Law Institute for Technology Law and Policy and a former senior adviser to former FCC Chair Tom Wheeler in 2015. Sohn said this debacle underscores the importance of having strong consumer privacy protections.

“The importance of having rules that protect consumers before they are harmed cannot be overstated,” Sohn said. “In 2016, the Wheeler FCC adopted rules that would have prevented most mobile phone users from suffering this gross violation of privacy and security. But [FCC] Chairman Pai and his friends in Congress eliminated those rules, because allegedly the burden on mobile wireless providers and their fixed broadband brethren would be too great. Clearly, they did not think for one minute about the harm that could befall consumers in the absence of strong privacy protections.”

Sen. Ron Wyden (D-Ore.), a longtime critic of the FCC’s inaction on wireless location data sharing, likewise called for more stringent consumer privacy laws, calling the proposed punishment “comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck.”

“Time and again, from Facebook to Equifax, massive companies take reckless disregard for Americans’ personal information, knowing they can write off comparatively tiny fines as the cost of doing business,” Wyden said in a written statement. “The only way to truly protect Americans’ personal information is to pass strong privacy legislation like my Mind Your Own Business Act [PDF] to put teeth into privacy laws and hold CEOs personally responsible for lying about protecting Americans’ privacy.”

Source: KrebsOnSecurity.