New Phishing Scam Reels in Netflix Users to TLS-Certified Sites | Threatpost | The first stop for security news

Researchers are warning of a new Netflix phishing scam that leads victims to sites with valid Transport Layer Security (TLS) certificates.

Johannes Ullrich, dean of research at the SANS Technology Institute, said Wednesday that there’s been an uptick in Netflix phishing mails using TLS-certified sites.

The bad actors behind the attacks will take advantage of unpatched installs or plugins, or weak passwords, to compromise usual-suspect CMS software, like WordPress or Drupal, said Ullrich. From there, they can create phishing sites that could be mistaken for real Netflix domains. In some cases, they’re using wildcard DNS records

Facebook - An Update on Our App Investigation and Audit

Here is an update on the app investigation and audit that Mark Zuckerberg promised on March 21.

As Mark explained, Facebook will investigate all the apps that had access to large amounts of information before we changed our platform policies in 2014 — significantly reducing the data apps could access. He also made clear that where we had concerns about individual apps we would audit them — and any app that either refused or failed an audit would be banned from Facebook.

The investigation process is in full swing, and it has two phases. First, a comprehensive review to identify every app that had access to this amount of Facebook data. And second, where we have concerns, we will conduct interviews, make requests for information (RFI) — which ask a series of detailed questions about the app and the data it has access to — and perform audits that may include on-site inspections.

We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date thousands of apps have been investigated and around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data. Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website. It will show people if they or their friends installed an app that misused data before 2015 — just as we did for Cambridge Analytica.

There is a lot more work to be done to find all the apps that may have misused people’s Facebook data – and it will take time. We are investing heavily to make sure this investigation is as thorough and timely as possible. We will keep you updated on our progress.

DDoS-for-Hire Service Webstresser Dismantled — Krebs on Security

Authorities in the U.S., U.K. and the Netherlands on Tuesday took down the popular online attack-for-hire service WebStresser and arrested its alleged administrators. Investigators say that prior to the takedown, the service had more than 136,000 registered users and was responsible for launching somewhere between four and six million attacks over the past three years.

The action, dubbed “Operation Power Off,” targeted (previously, one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that anyone can rent to knock nearly any website or Internet user offline.

When Your Employees Post Passwords Online — Krebs on Security

Storing passwords in plaintext online is never a good idea, but it’s remarkable how many companies have employees who are doing just that using online collaboration tools like Trello. Last week, KrebsOnSecurity notified a host of companies that employees were using Trello to share passwords for sensitive internal resources. Among those put at risk by such activity were an insurance firm, a state government agency and the ride-hailing service Uber.

By default, Trello boards for both enterprise and personal use are set to either private (requires a password to view the content) or team-visible only (approved members of the collaboration team can view).

But that doesn’t stop individual Trello users from manually sharing personal boards that include proprietary employer data, information that may be indexed by search engines and available to anyone with a Web browser. And unfortunately for organizations, far too many employees are posting sensitive internal passwords and other resources on their own personal Trello boards that are left open and exposed online.

Foreign IPs Spoofing U.S. Government Email Domains Underscore Urgency of DHS Directive on Authentication | Proofpoint

Those of us with a strong interest in restoring trust to the email ecosystem received some great news last month, as the US Department of Homeland Security issued a directive (BOD 18-01) mandating that federal agencies authenticate their email to eliminate spoofers’ ability to impersonate federal agencies. When the directive came out, we were naturally curious about the scale of ongoing spoofing for .gov domains, so our researchers analyzed the metadata of roughly 70 million messages seen in the Proofpoint ecosystem in October across 4,989 unique .gov parent domains (including over 55,488 fully qualified domain names, which includes subdomains), across federal, state, and local agencies.

It was no surprise that .gov email spoofing is rampant. We saw over 8.5 million fraudulent messages, almost 10% of which were not even sent from a US-based IP address. In August of this year, one particular agency saw 80% of malicious emails spoofing their identity sent from Russian IPs, a country which accounted for 27% of all such malicious email since January 2016. Meanwhile, IPs in Germany were the source of 26% of fraudulent emails for this agency in the same time frame. That said, this is a much broader problem. Indeed, in October we saw .gov emails sent from 187 different foreign countries.

There are few, if any, justifiable reasons for foreign IP addresses to be allowed to send email that represents itself as coming from a federal agency or from a user with a .gov email address. Such fraudulent messages made up 12.4% of all the emails sent from .gov domains, so effectively 1 out of every 8 .gov emails in October was fraudulent.

Three Key Findings from Our Latest Global Email Fraud Research | Proofpoint

Email fraud, also known as business email compromise (BEC), is one of today’s most widespread cyber threats. These highly targeted, socially engineered attacks seek to exploit people rather than technology. They don’t include malicious attachments or URLs, arrive in low volumes, and impersonate people in authority. As a result, they are difficult to combat with traditional security tools.

But what is the direct impact of these hard-to-detect attacks? What organizations are most at risk? And what security measures are they implementing if any?

To answer these questions, Proofpoint commissioned a survey of more than 2,250 IT decision makers across the U.S., the U.K., Australia, France, and Germany.

Below, we explore three key findings from our research. To read the full report, click here.

Facebook Collected Your Android Call History and SMS Data For Years

Facebook knows a lot about you, your likes and dislikes—it's no surprise.

But did you know that, if you have installed the Facebook Messenger app on your Android device, there is a good chance the company had been collecting your contacts, SMS, and call history data at least until late last year?

A tweet from Dylan McKay, a New Zealand-based programmer, which received more than 38,000 retweets (at the time of writing), showed how he found his year-old data—including complete logs of incoming and outgoing calls and SMS messages—in an archive he downloaded (as a ZIP file) from Facebook.

Secure Inter-Domain-Routing | New NIST and DHS Standards Get Ready to Tackle BGP Hijacks

Two US government agencies have joined forces to coordinate the creation of a new set of standards aimed at securing the process of routing information between major Internet entities, such as Internet Service Providers, hosting providers, cloud providers, and educational, research, and national networks.

The solution they developed is actually a collection of standards known collectively as Secure Inter-Domain Routing (SIDR).

SIDR standards will secure Internet routing

SIDR is the first comprehensive effort of its kind aimed at improving the security of BGP (Border Gateway Protocol), an Internet networking protocol used to route information between large Internet networks.

The protocol works by each router advertising to its neighboring networks what IP blocks are available on its network. When data needs to travel from one network to another, the sending router selects the best neighboring router to send the data based on an internal score that describes each adjacent router's reliability. The protocol is a little bit more complex and we can't describe it here in full. You can read more about BGP here.

BGP's biggest problem is security, or rather the lack of it. BGP was developed in the late 1980s, before the Internet we know today existed, when network attacks were not a major concern, so security was not taken into consideration when the original protocol was built.

BGP hijacks are the Internet's biggest security hole

Attackers of different sizes and with various intentions have abused the BGP protocol in attacks named BGP hijacks. These happen when an Internet entity (network) advertises to nearby networks that certain IP blocks are on its network when they aren't.

This allows the malicious network to receive traffic intended for other networks. For example, a rogue ISP could hijack traffic destined for Google's servers.

BGP hijacks are currently considered the Internet's biggest security hole and have been at the base of several major security incidents.

Joint NIST & DHS effort to secure BGP

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) Science and Technology Directorate started working on addressing the problem of BGP hijacks a few years ago.

While work on SIDR has been going on behind the scenes for years, recently, the people involved started publishing standards on the Internet Engineering Task Force (IETF) portal.

The overall defensive effort will use cryptographic methods to ensure routing data travels along an authorized path between networks. There are three essential components of the IETF SIDR effort: The first, Resource Public Key Infrastructure (RPKI), provides a way for a holder of a block of internet addresses—typically a company or cloud service provider—to stipulate which networks can announce a direct connection to their address block; the second, BGP Origin Validation, allows routers to use RPKI information to filter out unauthorized BGP route announcements, eliminating the ability of malicious parties to easily hijack routes to specific destinations.

The third component, BGP Path Validation (also known as “BGPsec”), is what is described in the suite of draft standards (RFCs 8205 through 8210) the IETF has just published. Its innovation is to use digital signatures by each router to ensure that the entire path across the internet crosses only authorized networks. Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it.
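To make the origin-validation step concrete, here is an added example (not code from the article, NIST or the IETF) that applies the RFC 6811 matching rules to BGP announcements using a constructed ROA table; the prefixes and AS numbers are documentation/private-use placeholders, not real registry data.

```python
import ipaddress

# Constructed sample ROAs as (prefix, maxLength, origin ASN).
# Values are illustrative placeholders, not real RPKI data.
SAMPLE_ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Classify a BGP announcement per RFC 6811 origin validation.

    Returns 'valid' if any ROA covers the prefix with a matching origin
    ASN and the announced prefix is no longer than the ROA's maxLength,
    'invalid' if ROAs cover the prefix but none match (the hijack case),
    and 'not-found' if no ROA covers the prefix at all.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA speaks about this address space
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, roas=SAMPLE_ROAS):
    """Return only the announcements a router would accept when it drops
    'invalid' routes (the filtering behaviour described for origin validation).
    Each announcement is a (prefix, origin_asn) tuple."""
    return [a for a in announcements if validate_origin(*a, roas=roas) != "invalid"]


if __name__ == "__main__":
    # Constructed announcements: a legitimate route, a hijack with a wrong
    # origin, an over-specific announcement, and an unregistered prefix.
    feed = [("203.0.113.0/24", 64500), ("203.0.113.0/24", 64666),
            ("198.51.100.0/25", 64501), ("192.0.2.0/24", 64500)]
    for announcement in feed:
        print(announcement, "->", validate_origin(*announcement))
    print("accepted:", filter_announcements(feed))
```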

RPKI is a product of the IETF's SIDR Working Group, not of NIST or DHS, but it is part of the final SIDR standard.

Most of the NIST and DHS proposed solutions have already passed the first stage of the IETF standardization process, the "Internet Draft." Most are now at the stage of proposed RFC (Request for Comments), the last step before becoming an official Internet Standard.

You can read more about the SIDR on the project's homepage, in this project intro, and you can check out the IETF SIDR project page. NIST and DHS have separate project pages describing their efforts on SIDR.

Gas Pump Skimmer Sends Card Data VIA SMS(Text)

Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.