Govt. of India took great initiative by facilitating
citizens with “National Cyber Crime Reporting Portal” (https://cybercrime.gov.in/) for reporting cyber
crime complaints online. This portal specifically focuses on cyber crimes
against women and children. Complaints are dealt by law enforcement agencies/
police based on the information provided in complaint.
Citizens/users may like to avail this service to register
your complaints if you are victim of cyber crime. Fore more details, follow: https://cybercrime.gov.in/
"If something sounds too good to be true… there’s probably a
scammer behind it."
As we all know that Microsoft has officially stop supporting its yet another favorite operating system, Windows 7 (SP1) 14th January 2019 onward.
So, question for all Windows 7 lovers, what to do next? What is your strategy to handle unsupported, unpatched operating system in future, strategy for migrating to Windows 10.
Today, I was reading and came
across some very useful posts regarding how to recover from a hack incident. It
is important, useful and applicable to all, know the aftermaths of being hacked/compromised/phished/malware
installed, irrespective whether you are an individual or an organization. Very truly
described by the authors Karl Thomas and Mat Honan that getting hacked/breached/compromised
is a horrible experience, being individual or as an organization we may lose
money, revenue, pride, dignity, faith, respect, personal data (pictures, email/chat
conversations, ) etc. etc. Their blog entries inspired me to write something,
useful may be not, but I wanted to write. Thankful to them :-) and my workplace :-)
Knowingly/unknowingly, many
people of us are a member of “being hacked” community at some point of time in our
life, it could be a prank by known or a serious breach by unknown. I know, it’s
not easy to believe, it’s stressful and confusing, hard to decide what to do
next, where to go, where to begin immediately after being hacked. We feel lost,
cheated and unable to decide, now what to do with this mess. Many times, we
never know when our account got hacked/compromised/phished.
It’s good to start following the incident
trails as soon as you sense it. Collect whatever you find, write, make a note
of everything you see and feel, related to this breach, either a person, event,
activity etc. There are few steps suggested:
Ask yourself,what could be the reason of this breach? Why were you
targeted? Here are some examples, attacker what to do something nasty, if he
compromises your:
Online bank
account credentials –Obviously monetary gain
Email
– Want to use your account for sending spam, harvest your email address book, staging
you for something, revenge, rivalry, benefiting himself on behalf of your,
impersonation, defaming you, hoax.
Social
networking account – Spreading a word on behalf of you to the masses, sending
spam, harvest your social networking address book, staging you for something,
revenge, rivalry, benefiting himself on behalf of your, impersonation, defaming
you, hoax.
Is your
system started behaving nasty –felt something like this:
oI opened an e-mail attachment and nothing
happened; now my machine is acting funny.
oMy antivirus software has stopped working and the
computer keeps shutting down!
oMy programs are not working properly, and they
all are very slow
oA bunch of files I have never seen before are all
over the My Document folder.
oA number of my files won’t open or have
disappeared!
oAll file suddenly looking weird, unable to open
any document, all encrypted, asking for money to decrypt them.
oTask manager, regedit, folder/file options not
opening, hidden files not visible, unable to change settings.
oAnd many more … … …
What you did?
oHave you opened any email pretending to be coming
from your Bank, Courier Company, Airlines etc. with any attachments like PDF,
XLS/XLSX, PPT/PPTX, DOC/DOCX, ZIP, RAR, 7ZIP, EXE, SCR, SWF etc.?
If yes, you have opened that email, downloaded this
file and executed, YOU ARE A VICTIM OF SOCIAL ENGINEERING ATTACK. Your system
is compromised or installed with Trojan/Backdoor/Keylogger or some kind of sophisticated
malware.
oGot any email from your bank stating the
detection of huge amount transaction and need you to confirm, you did it or
not, by clicking on to a link present in email body?
If yes, you believed in that text matter and clicked
on the URL/link, YOU ARE A VICTIM OF SOCIAL ENGINEERING ATTACK. Your system is
compromised or installed with Trojan/Backdoor/Keylogger or some kind of sophisticated
malware.
oIn this new digital age, you might get SMS, MMS,
or request to install new Banking APP. If you installed that banking app on
your smart phone other than genuine application stores (Google Play Store-Android,
iTunes-Apple, Microsoft Windows Store-Windows etc.), YOU ARE A VICTIM OF SOCIAL
ENGINEERING ATTACK. Your smartphone device/system is compromised or installed
with Trojan/Backdoor/Keylogger or malicious application or some kind of sophisticated
malware.
oAny new application appeared on your smartphone,
which you didn’t installed?
What you do?
oFollow the money/transactions, new shipments,
new orders, new payment methods added, new beneficiary added, new accounts
linked.
oCheck for last non-financial/financial
activities under your banking account. If you found anything fishy, go &
report to bank and also seek help from them or local law enforcement agency
i.e. cyber Cell, Police.
oCheck for any changes in your banking/social
networking/email account security. Is security question changed? Mobile/Phone number
changed? Transaction alert disabled or enabled on new Mobile/Phone numbers?
Primary/secondary email Id changed? If yes, review them all and change the
entire set of security and account recovery options.
oCheck your account (Inbox, sent, draft,
deleted/trash or any other folder/tag created) for any message, email not sent
by you, check properly.
o Scan your computer system with good, reputed antivirus and disinfect the same. o Keep your browser up-to-date, disable unwanted BHO, plug-ins and extensions, disable auto-opening of external files, like ppt/pptx, doc/docx, xls/xlsx, pdf etc. Disable JavaScript and Java applet execution, or atleast set them not execute automatically, without permission. There are many more settings you can do in browser, which are not explained here. :-)
Speak up,it is essential to broadcast among your loved ones and
business about the breach incident. Make them aware if you are unable to
contaminate this mess right now. It will help them not to open or view
something received from you, it could be septic. In this way, you are
protecting them from what you are affected with. And in another sense, you are
making them aware of this incident. Sometimes you may get help also, from the
one who knows better way to deal with this situation or have solution for this
problem.
Internal security audit,use
antivirus programs for smartphones, Windows PC etc. from reputed vendors, use
MBSA for windows to review the security of your windows PC etc. check for the
presence of Trojan, Backdoor, Virus, Worm, Keylogger, Adware, Crimeware,
Rootkits, Botnet etc. with the help of reputed antivirus. Check for the
password strength, change them and keep more secure passwords. Check for the
new user account added on to your system. Enable and strengthen your firewall
program.
Locking credit card, if you have supplied your credit card details
anywhere mentioned above, you need to better take care of it, disable it for
some time until you restore your digital fortress.
Take backup of your account, now and regularly too, accounts like Apple,
Facebook, Google, Microsoft, Twitter and Yahoo etc.
There are many more things which
is not possible to write at this time, in this much small space, I may write
specific, if anyone need, suggest or give ideas. J
Rebuilt your digital world and strengthen the security of your digital
fortress. :-)
Google has announced that it is closing Orkut down on September 30, 2014. The social network wasn't a huge success globally, but caught on in India and Brazil. This Tuesday on-wards, your ORKUT profile will be no more.
If you have any pictures or messages in Orkut that you want to keep, then you need to save them elsewhere.
Give a nice farewell to ORKUT and collect your personal belongings, its time to say bye bye.....
Dear all, its been long writing here, so thought of sharing something, which may save many of you out there in this cruel internet, being fooled or may be infected. :-(
Today, I read about a satirical news website, obviously illegitimate website, claiming that Facebook will soon be charging $2.99 every month from its billion users for access social networking website "Facebook".
These false news links are found and spreading around on FB and leading users to this illegitimate news website and making fool of innocent users. It’s a dirty trick, but it’s been done before – and it will happen again and again until internet users wise up and think before they share a link.
Please read more at: http://www.welivesecurity.com/2014/09/22/facebook-charging-2-99-month/
Beware of such fake news and educate yourself against such social-engineering techniques. If it were in anyway true, you would expect to see an announcement on Facebook’s official blog, or in the headlines of major online news outlets.
A click-fraud malware was propagating widely and Symantec announced the takedown of the Bamital botnet in partnership with Microsoft to identify and shutdown the vital components of botnet.
Bamital is a malware designed to hijack search engine results, redirecting clicks on these search results to an attacker controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing. Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections.
Bamital also intercepts web browser traffic and prevents access to certain security-related websites by modifying the Hosts file. The local Hosts file overrides the DNS resolution of a website URL to a particular IP address. Malicious software may make modifications to the Hosts file to redirect specified URLs to different IP addresses. Malware often modifies a computer's Hosts file to stop users from accessing websites associated with particular security-related applications (such as antivirus for example). Bamital variants may also modify certain legitimate Windows files in order to execute their payload. Bamital has primarily propagated through drive-by-downloads and maliciously modified files in peer-to-peer (P2P) networks.
In case, if you reach to this page "https://malwarenotice.microsoft.com/" while searching for something else, you are likely infected by Bamital malware. Please read the instructions mentioned properly and act smartly to help yourself.
Year 2038 problem
31st Dec 2036 is the last date for iPhones and Androids phone. No one will be able to see New year of 2037 on their phones. :-) Tested with my own Android device, I am not able to set dates beyond 31st December 2036. :-(
To read more, follow: http://en.wikipedia.org/wiki/Year_2038_problem http://www.f-secure.com/weblog/archives/00002489.html
Antisec shared a list of 1,000,001Apple Devices UDIDs pulled from an FBI notebook [ hacking :) ]. System was hacked using an AtomicReferenceArray vulnerability in Java.
Original file NCFTA_iOS_devices_intel.csv contains a total data 12,367,232 iOS devices including UDIDs with user names, device name, device type, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. Antisec says "there you have. 1,000,001 Apple Devices UDIDs linking to their users and their APNS tokens. the original file contained around 12,000,000 devices. we decided a million would be enough to release. we trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc." Although the file is encrypted and availble over internet but decryption method is also listed on pastebin. Lets see what is inside. :P Read original post here: http://pastebin.com/nfVT7b0Z
A new crimeware toolkit emerged in underground economy in December 2009 named SpyEye. It took a chunk of Zeus crimeware toolkit space. Now after take down of Zeus and revealing of Zeus code, recently SpyEye guys introduced their new version "SpyEye V.1.3.4.X" incorporating Zeus in it.
Analysis done and published by TrendMicro lab, can be found in TrendLabs MalwareBlog.
Since few weeks, we heard about google image searches infected by Search Engine Optimization (SEO) poisoning. Many legitimate sites linked to scareware trojans and exploits via Google Image results are discovered every day. Many of these sites would otherwise be considered as safe but they've been compromised by a hack of some sort.
Do not search for inurl:wp-images unless you are using test network or use Google SSL as the poisoned SEO sites will only attack if visited from http://www.google.com.
Few years ago, In 2006 and earlier, “No one ever thought of spreading malware via legitimate websites.”Popular Infection Vectors (before 2006) are:
Go to system and install a malicious piece of code (Rarely heard of it or very few cases),
Supply malware in USB drives with autorun (pretty common and still effective, spreading malware enormously)
Distribute malware as an email attachment (pretty common and still effective unfortunately)
Convincing users to download legitimate looking software but actuallyMALWARE(providing direct link in email, chat or other mechanism)
Malware authors are shifting their focus from traditional desktop bases attack methodology to the new emerging dynamic and user interactive web applications for spreading malware.
Drive-by-download.Drive-by-download is working covertly, which make it difficult to suspect or detect.Since last 3-4 years, awareness in web administrators and security professionals regarding server side vulnerabilities has increased. Eventually, they are doing their job quite nicely, securing all six OSI layers except the last and most vulnerable layer- "Application layer".
Motive of malware authors:
Access on the infected computer
Steal user credentials, banking or other passwords
Use as a launching pad for further attacks
Install more sophisticated malwares/viruses
Gain chain of access to corporate networks via VPN etc for which user or user's system is allowed for.
Web 2.0 functionalities are also being effectively used for controlling botnet.
Again, the Rouge Antivirus Vendors are on rise. This is not just happening this year, actually this is noticed during the begining of year. Check my last year's blog posting "Beaware of Security Essentials 2010, A Rouge Anti-Virus" for the similar Rouge antivirus product.
This time they, "Rouge Antivirus Vendors", came up with "AVG -Antivirus 2011", which is obviouslyfake. Rouge Antivirus Vendors are impersonating the legitimate AVG antivirus product and replicating the GUI and trademark symbols of AVG antivirus.
Just have a look to the Rouge antivirus "AVG -Antivirus 2011" shortcut icon:
Once installed on system, It blocks other programs running on the computer, hijacks web browsers and displays fake security alerts, threats and risk. This kind of fake security warning may be observed.
It also reports false infections found on your computer and ask to purchase a full version to remove them.
This is the warning page displayed by Rouge AVG-Antivirus 2011, which says, this is trial version having limited functionality and in-order to disinfect your system, you need to purchase the full version of Rouge AVG-Antivirus 2011. And they will lead you to the make some financial transactions.
Please do care about this threat, do not panic and pay. For removal please follow the steps mentioned below:
Disable System Restore Temporarily
Update the latest virus definitions for your existing Antivirus
Reboot computer in Safe Mode
Run a full system scan and clean/delete all infected file(s)
Countermeasures:
Use caution while clicking on links to Web pages
Keep up-to-date Antivirus and Antispyware signatures
Be cautious while opening e-mail attachments
Keep up-to-date patches and fixes on the operating system and application software
A List of rouge anti-virus /anti-spyware products can be found here.
What brings me to write in here is, the issues seen early this year, two critical vulnerabilities in Microsoft. Almost all flavours of Microsoft operating systems are affected. And the worry is both issues are Zero day and no patch is available from the vendor, off-course some workarounds are there, follow the references.
First issue discovered is in Windows Graphic Rendering Engine (GRE), Issue is caused due to some stack overflow vulnerability in "CreateSizedDIBSECTION()" function in "shimgvw.dll" module. Attackers could exploit this vulnerability by luring users to view a malicious crafted thumbnail image.
Second issue is in Microsoft Internet Explorer 8 (IE8), almost all different flavours of MS has this latest browser. Issue is caused due to use-after-free error in mshtml.dll when processing circular references between JScript objects and Document Object Model (DOM) objects. Attackers can exploit this vulnerability by luring users to visit a crafted webpage or website.
After exploiting any of these vulnerabilities, attackers can take control of affected systems.
Microsoft released workaround for DLL vulnerability
Microsoft has released an advisory explaining the DLL preloading attacks and provides workaround that allows customers to disable the loading of libraries from remote network or WebDAV shares. This workaround tool can be configured to disallow insecure loading of per-application or global system basis.
When an application queries or loads a .dll file, but full path name is not hard coded, Windows searches a pre-defined set of directories for it. An attacker/intruder could social engineer a victim into loading a malicious .dll from a USB drive or from a network and execute arbitrary code to exploit this vulnerability.
For testing this vulnerability you can use latest metasploit and any windows applications which searches for .dll, this metasploit server will dynamically generate .dll as requested by compromised system, but before that u need to compromise the system.
Workarounds suggested:
Disable loading of libraries from WebDAV and remote network
Disable the WebClient service.
Block TCP ports 139 and 445 at the firewall.
Microsoft has issued a tool to allow administrators to alter the library loading behavior on a system-wide basis or for specific applications. The tool is available at:
http://support.microsoft.com/kb/2264107
Users can consider the best practices against DLL preloading attacks described here(http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx)
yes, penetration testing became so easy nowadays. You don't need heavy, bulky, expensive vulnerability assessment tools. Now you just need now is, a browser (Firefox) and its Add-ons (plug-ins), which are available freely. Here I'm going to tell you something about free Mozilla Add-ons, which can help you to effectively perform vulnerability assessment and penetration testing.
These tools are listed below:
1.SQL Inject Me: SQL Injection vulnerabilities can cause a lot of damage to a web application.
2.HackBar: Simple security audit / Penetration test tool.
3.Backend Software Information: Detect the backend software of the current website (Drupal 5.x, 6.x, Wordpress 2.x, Django, phpBB, MediaWiki, MoinMoin, Joomla, Reddit, ...).
4.Firebug: It integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
6.Fireforce: Launches brute-force attacks on GET or POST forms.
7.Widerbug: web developing with CSS and JavaScript.
8.Lazarus: Lazarus securely auto-saves all forms as you type.
9.ShowIP: Show the IP address(es) of the current page in the status bar.
10.Multiproxy Switch: This tool lets you switch proxy between multiple configurations, and it's easy to manage, easy to configure.
11.FoxyProxy Standard: FoxyProxy is an advanced proxy management tool that completely replaces Firefox's limited proxying capabilities.
12.PassiveRecon: PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information.
13.Live HTTP Headers: View HTTP headers of a page and while browsing.
14.Add N Edit Cookies: Cookie Editor that allows you add and edit session and saved cookies.
15.Greasemonkey: Allows you to customize the way a webpage displays using small bits of JavaScript.
16.XSS Me: Cross-Site Scripting (XSS) is a common flaw found in todays web applications.
18.SQL Injection: SQL Injection is an Upgrade from the old form free, it is a component to transform checkboxes, radio buttons, select elements to a input text and enable disabled elements from all forms in a page.
It makes easier to test and identify SQL injection vulnerabilities in web pages.
20. iMacros for Firefox: Automate Firefox. Record and replay repetitious work. If you love the Firefox web browser, but are tired of repetitive tasks like visiting the same sites every days, filling out forms, and remembering passwords, then iMacros for Firefox is the solution you’ve been dreaming of! ***Whatever you do with Firefox, iMacros can automate it.***
21.Xmarks Sync: Xmarks is the #1 bookmarking add-on. Keep your bookmarks, passwords and open tabs backed up and synchronized across computers and browsers. Search smarter with website ratings and reviews displayed with your search results.
22.Read It Later: Save pages to read later with just one click. When you have time, access your reading list from any computer or phone, even without an internet connection!
This month, adobe released patches for lots of severe vulnerabilities in their products. Most of these vulnerable applications are generally used by us. Hence it is requested, to update all adobe products and avoid system compromise & severe problems caused, and if possible use adobe update manager.
Today is Microsoft patch day, Microsoft has released 15 security bulletins which are covering 34 vulnerabilities.
These vulnerabilities are affecting Windows Kernel, Windows Movie Maker, SChannel, Microsoft XML Core Services, Microsoft MPEG Layer-3 Codecs, Cinepak Codec, SMB Server, Internet Explorer, Microsoft Office Word, Microsoft Office Excel, TCP/IP, Microsoft .NET and Silverlight. Install the patches as mentioned in Microsoft Security Bulletin. Most of them are critical and needs to be patched as early as possible.
