Ethical Hacking, book review: A hands-on guide for would-be security professionals

Ethical Hacking: A Hands-on Introduction to Breaking In • By Daniel G Graham • No Starch Press • 376 pages • ISBN 9781718501874 • £41.99 / $49.99

The parlous state of software and IT infrastructure security is also a career opportunity, with malware analysts, security researchers, penetration testers and red teams all in demand. Defenders need to know how attackers think, and what tools they use, so they can assess their own infrastructure for vulnerabilities and learn to detect malicious activity in the network.

In Ethical Hacking: A Hands-on Introduction to Breaking In, Daniel G Graham sets out to deliver a practical guide to learning hacking techniques, and you jump straight into the hands-on material by creating a set of Linux VMs to host the environment you’re going to break into (since you can’t ethically hack someone else’s environment). You then work through some known vulnerabilities, progressing to capturing traffic, building a botnet and a ransomware server, and generating phishing emails and deepfakes.

Although you’ll need to know how to write and run Python code, you don’t need a great deal of expertise to get started because the step-by-step instructions are clear and detailed. Along the way, complex concepts are explained well: if you want to execute ransomware or try to bypass TLS, you first need to understand encryption; for rootkits, you need to understand syscalls and the underpinnings of Linux; and for cracking passwords, hashing.

Graham steps through common hacking techniques: creating deepfake video and audio; exploring, with Maltego, how publicly available information is interconnected to reveal details about an organisation’s staff and infrastructure; downloading databases of cracked and breached passwords; looking for exposed vulnerable devices with Masscan, Shodan and Nessus; building Trojans and Linux rootkits (you’ll need to know C for this); using SQL injection to extract usernames and passwords from websites; cross-site scripting attacks; and privilege escalation once you get into a network. You’re unlikely to discover your own zero days, but you will learn fuzzing, and how to exploit the OpenSSL Heartbleed vulnerability. Along the way, Graham introduces other hacking tools like King Phisher, the swaks SMTP auditing tool in Kali Linux, John the Ripper for password cracking, Hydra for automating brute-force password attacks and many others.

The chapter on attacking domain servers, Active Directory and Kerberos on large Windows networks could probably be expanded to fill a book of its own, but if you’re a Windows network admin and you don’t already know how to use Mimikatz, even this quick survey of the approaches hackers will take should be something of a wake-up call. (Microsoft has extensive guidance on remediating many of the issues covered here.)

While this book will help even a relative beginner to become familiar with a wide range of tools that are useful to hackers, it is, as promised, a hands-on introduction. Readers will be in a position to explore further, and the final chapter talks you through hardening a hosted VM that you can use for actual ethical hacking. It also mentions some tantalising advanced targets like industrial systems and cellular infrastructure, although readers won’t immediately be in a position to go after those without doing quite a bit of extra work.

Even if you don’t plan to do any active ethical hacking, this book should be a salutary warning to anyone in IT that hacking tools are both sophisticated and widely available. There are plenty of tutorials aimed at using them maliciously, so the detail in this book doesn’t increase the risk to those with vulnerable systems. If you do want to pursue this as a career, Ethical Hacking will guide you through the first steps.

Suspect arrested in 'ransom your employer' criminal scheme

A Nigerian man has been arrested in connection with a scheme attempting to lure insiders into deploying ransomware on their employers’ systems.

On November 22, security expert Brian Krebs reported that the man, Oluwaseun Medayedupin, was arrested by Nigerian authorities on Friday. The suspect is allegedly linked to a ‘ransom your employer’ scheme investigated by Abnormal Security in August. Customers of the cybersecurity firm were sent emails with the subject “Partnership affiliate offer,” requesting that the recipient consider becoming an accomplice in a cyberattack.

The emails offered a 40% cut of an anticipated $2.5 million ransomware payment in Bitcoin (BTC), to be made after the recipients installed the DemonWare ransomware on their employer’s systems.

A Microsoft Outlook email address and Telegram handle were provided for interested parties. Abnormal Security researchers reached out under the guise of a fictional person and confirmed they were sent a ransomware executable hosted on two file-sharing websites. However, the ransomware ‘cut’ on offer was reduced to between $120,000 and $250,000 once the team began communicating with the scheme’s operator.

The team suspected the ransomware initiative may be of Nigerian origin. When queried, the threat actor said he was attempting to build a social network for Africa called Sociogram and shared his LinkedIn profile containing his full name.

“According to the actor, he collects his targeting information from LinkedIn, which, in addition to other commercial services that sell access to similar data, is a common method scammers use to obtain contact information for employees,” Abnormal Security said. “[…] he had originally intended to send his targets — all senior-level executives — phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext.”

Medayedupin then reached out to Krebs following his report, asking that the name Sociogram be removed, but at the same time neither confirming nor denying Abnormal Security’s investigation. Another message followed via a domain registrar, calling “Mr. Krebson” a “clout chasing monger.” Charges are expected to be brought against Medayedupin, reportedly 23 years of age, this week.

Code execution bug patched in Imunify360 Linux server security suite

A severe PHP deserialization vulnerability leading to code execution has been patched in Imunify360.

Discovered by Cisco Talos researcher Marcin ‘Icewall’ Noga, the vulnerability “could cause a deserialization condition with controllable data and then execute arbitrary code,” leaving web servers open to hijacking. Tracked as CVE-2021-21956 and issued a CVSSv3 score of 8.2, the security flaw is present in CloudLinux’s Imunify360 versions 5.8 and 5.9. Imunify360 is a security suite for Linux web servers that includes patch management, domain blacklisting, and firewall features.

In a security advisory published on Monday, Cisco Talos said the flaw was found in the Ai-Bolit malware scanner functionality of the software.

The Ai-Bolit component is used to scan and check website-related files, such as .php, .js, or .html content, and is installed natively as a service with root privileges. Within a deobfuscation class of the module, a failure to sanitize submitted data means that arbitrary code can be executed during unserialization.

If the software is configured for real-time file system scanning, an attacker could trigger the flaw by creating a malicious file on the target server, or by duping a user into scanning a crafted payload file on the threat actor’s behalf.

Cisco reported its findings to the vendor on October 1 and coordinated public disclosure was agreed upon. Linux web developers making use of Imunify360 should upgrade their builds to the latest release, which at the time of writing is version 6.1.

ZDNet has reached out to the vendor and we will update when we hear back.

OAIC finds big four banks are handling consumer data with good privacy practices

An audit of Australia’s big four banks by the Office of the Australian Information Commissioner (OAIC) has found that they have been handling consumer data under the Consumer Data Right (CDR) in an open and transparent way, and have demonstrated good privacy practices, as it did not find any areas of high privacy risk.

As part of the first CDR privacy assessment, the OAIC, which is a co-regulator of the CDR, examined ANZ, Commonwealth Bank, National Australia Bank, and Westpac, as they were the initial CDR data holders.

Each bank was evaluated on its compliance with privacy safeguard 1, which requires providers to have a CDR policy describing how they manage consumer data and to implement internal practices, procedures, and systems to ensure compliance. There are 13 legally binding privacy safeguards under the CDR that set out consumers’ privacy rights and providers’ obligations when collecting and handling their data. Privacy safeguard 1 is considered, as the OAIC puts it, the bedrock privacy safeguard that underpins compliance with all the other privacy safeguards.

“Our privacy assessment found the big four banks are generally complying with the bedrock Consumer Data Right privacy safeguard,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

According to the assessment, all banks have good privacy practices in place, as each developed a CDR policy that outlined how it managed CDR data and its consumer complaint handling process. It also found the banks were taking steps to establish and promote a culture that respects privacy and good information handling practices when managing CDR data.

“All banks had appointed senior staff responsible for strategic leadership of the CDR regime and officers responsible for day-to-day management of CDR data,” the OAIC audit said. “Three banks demonstrated good privacy practice in limiting access to CDR systems and data to staff with an operational requirement to have access.”

“The banks generally demonstrated good practice by setting practices, procedures and systems to review their CDR policies on a scheduled basis, as well as following legislative and operational changes. They used existing document control frameworks and specific staff were responsible for reviewing their CDR policy.”

At the same time, the audit uncovered areas for improvement. For each bank, the OAIC identified at least one medium privacy risk. One bank had four medium privacy risks, two banks had three, and one bank had one. The majority of medium privacy risks related to the way the banks have implemented internal practices, procedures, and systems to ensure compliance with their CDR obligations.

Off the back of these findings, the OAIC recommended what each bank could do to address the medium privacy risks, such as developing internal practices, procedures, and systems that specifically address compliance with privacy safeguards that diverge from, or are additional obligations to, the Australian Privacy Principles. All banks accepted the OAIC’s recommendations.

“Our recommendations and suggestions will assist these data holders and other providers in the system to further embed, review and enhance their privacy practices, so that consumers can continue to use the Consumer Data Right with confidence,” Falk said.

On finalising the assessment, the OAIC wrote to the banks outlining its expectation that they respond with a plan for implementing the recommendations. The OAIC will revisit each bank in six months to ensure all the recommendations are fully implemented.

“The Consumer Data Right has a strong regulatory framework to protect consumers’ privacy and build confidence in the system,” Falk said. “We are proactively auditing and monitoring providers in the system to ensure these strict privacy safeguards are being upheld, so that consumers can feel confident their data is protected.”

Australia’s CDR was officially launched on July 1, with the first tranche, an open-banking regime, requiring financial services providers to share customers’ data when requested by the customer. Under the CDR, individual customers of the big four banks can request that their bank share their “live” data for deposit and transaction accounts and credit and debit cards with accredited data recipients.

Earlier this month, amendments to the CDR were made so it could be expanded to the energy sector. Under the amendments, from October 2022, energy product information will be shared so consumers can better compare energy plans, and from November 2022, energy consumers will be able to give consent to share data about their own energy use and connection with a comparison service or fintech app.

“With increased consumer mobility, energy retailers will be encouraged to improve tailoring of services and create better consumer experiences to retain their customers. I’m excited to see this expansion of the CDR across the economy, with telecommunications as the next sector under consideration,” Minister for Superannuation, Financial Services and the Digital Economy Jane Hume said.

Data from millions of Brazilians exposed in Wi-Fi management software firm leak

A Brazilian Wi-Fi management software firm exposed data belonging to various high-profile companies and millions of their customers.

The data was leaked by WSpot, which provides software that enables businesses to secure their on-premise Wi-Fi networks and allow password-free online access to their customers.

The leak was discovered by security research firm SafetyDetectives. The researchers found WSpot’s misconfigured Amazon Web Services (AWS) S3 bucket, which was left open and exposed 10GB worth of data to the public. After discovering the sensitive data on September 2, the researchers contacted the software firm on September 7. WSpot secured the exposed bucket the following day.

Some 226,000 files were exposed in the leak, the researchers noted, including personal information from approximately 2.5 million individuals who connected to the public Wi-Fi networks provided by WSpot clients. The company’s client portfolio includes Pizza Hut, financial services provider Sicredi, and healthcare firm Unimed.

According to SafetyDetectives, the information exposed included details supplied by individuals in order to access the Wi-Fi service provided by the companies. This includes full name, email address, full address, and taxpayer registration numbers, in addition to the login credentials created in the registration process.

WSpot confirmed the leak to ZDNet, saying the issue was caused by a “lack of standardization in the management of information [stored] in a specific folder.” The Brazilian company said it had been working to address the issue from the time it was contacted until the conclusion of technical procedures on November 18. WSpot states that its servers remain intact and were not invaded by malicious actors, saying there’s no evidence that the exposed data has been accessed by cybercriminals. However, the software firm also stated that it has hired a security company to fully investigate any repercussions in relation to the data leaked in the incident.

WSpot says the issue impacted 5% of its total customer base, and that none of its clients had business and/or sensitive information compromised. Additionally, it reiterated that it does not capture financial information such as credit card details or access credentials for other services. It’s unclear whether the company will inform the individuals exposed about the incident. According to a WSpot spokesperson, the National Data Protection Authority has not yet been contacted about the incident; however, “all legal issues surrounding the case are being addressed by WSpot as thoroughly as possible, especially in order to ascertain the next steps.”

Over a million WordPress sites breached

WordPress is far more than just blogs. It powers over 42% of all websites. So whenever there’s a WordPress security failure, it’s a big deal. And now GoDaddy, which is the top global web hosting firm with tens of millions more sites than its competition, reports that data on 1.2 million of its WordPress customers has been exposed.

In a Securities and Exchange Commission (SEC) filing, GoDaddy’s chief information security officer (CISO) Demetrius Comes said the company had discovered unauthorized access to its managed WordPress servers. To be exact, the breach exposed information on 1.2 million active and inactive managed WordPress customers since September 6, 2021.

This managed service, according to WordPress, is streamlined, optimized hosting for building and managing WordPress sites. GoDaddy handles basic hosting administrative tasks, such as installing WordPress, automated daily backups, WordPress core updates, and server-level caching. These plans start at $6.99 a month.

Customers had both their email addresses and customer numbers exposed. As a result, GoDaddy warns that this exposure can put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password, created when WordPress was first installed, has also been exposed. So if you never changed that password, hackers have had access to your website for months.

In addition, active customers had their sFTP and database usernames and passwords exposed. GoDaddy has reset both these passwords. Finally, some active customers had their Secure Sockets Layer (SSL) private key exposed. GoDaddy is currently reissuing and installing new certificates for those customers.

WordFence, a WordPress security company, says in its report, “It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.”

GoDaddy has announced that its investigation is ongoing. The company is contacting all impacted customers directly with specific details. Customers can also contact GoDaddy via its help center. This site includes phone numbers for users in affected countries.

At this time, that’s all the information GoDaddy has made public about the breach.

Facebook's Meta pushes back Messenger and Instagram encryption plans until 2023

Meta, the parent company of Facebook, has pushed back its plans to enable end-to-end encryption (E2EE) as the default on Facebook Messenger and Instagram until 2023.

Messenger and Instagram chats are on the same platform these days, reflecting the company’s push to unify its messaging products and align them with WhatsApp, where E2EE is the default, based on Signal’s E2EE protocol. In April, Facebook said that Messenger and Instagram direct messages wouldn’t be “fully end-to-end encrypted until sometime in 2022 at the earliest”.

E2EE should mean that even Facebook employees with physical access to its hardware in data centers can’t access the content of messages, preventing the firm and its employees from producing some evidence even when ordered by a court to do so. Facebook rolled out E2EE for WhatsApp in 2016 using the protocol developed by messaging platform Signal, which gained users after Facebook announced plans to share user data between WhatsApp and Facebook to expand its offering for businesses on both platforms.

Antigone Davis, Meta’s global head of safety, detailed Meta’s encryption challenges in an article for the UK’s The Telegraph. “There’s an ongoing debate about how tech companies can continue to combat abuse and support the vital work of law enforcement if we can’t access your messages,” wrote Davis.

“We believe people shouldn’t have to choose between privacy and safety, which is why we are building strong safety measures into our plans and engaging with privacy and safety experts, civil society and governments to make sure we get this right.”

Davis said Meta has three approaches to the question of safety, the first being detecting suspicious patterns like someone setting up multiple new profiles and messaging strangers. She said this system is in place and that “we’re working to improve its effectiveness.” The second is giving Instagram users the ability to filter direct messages based on offensive words. The third is encouraging people to report harmful messages.

She goes on to point out that law enforcement still has access to metadata for criminal investigations. “Even with billions of people already benefiting from end-to-end encryption, there is more data than ever for the police to use to investigate and prosecute criminals, including phone numbers, email addresses, and location data,” she notes.

“Our recent review of some historic cases showed that we would still have been able to provide critical information to the authorities, even if those services had been end-to-end encrypted,” wrote Davis. “While no systems are perfect, this shows that we can continue to stop criminals and support law enforcement.”

“We’re taking our time to get this right, and we don’t plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023,” Davis said.

In 2019, the US, UK and Australia called on Facebook to create a backdoor to access encrypted messages. Facebook has resisted these calls.

Facebook CEO and co-founder Mark Zuckerberg announced the name change to Meta in November, a month after a former employee, Frances Haugen, went public with allegations that the company’s algorithms are used to spread harmful content. Meta and its brands are facing new laws in the UK that could require them to protect users from harmful content.

Hackers used this software flaw to steal credit card details from thousands of online retailers

Over 4,000 online retailers have been warned that their websites had been hacked by cybercriminals trying to steal customers’ payment information and other personal information.

In total, the National Cyber Security Centre (NCSC) has identified 4,151 retailers that had been compromised by hackers attempting to exploit vulnerabilities on checkout pages to divert payments and steal details. It alerted the retailers to the breaches over the past 18 months.

The majority of the online shops that cybercriminals exploited for payment-skimming attacks were compromised through known vulnerabilities in the e-commerce platform Magento. Most of those affected and alerted to the compromises and vulnerabilities are small and medium-sized businesses.

The NCSC revealed the number of businesses it has notified about customer data being stolen ahead of Black Friday. It urges all retailers to ensure that their websites are secure ahead of the busiest online shopping period of the year to protect their business, and their customers, from cybercriminals.

“We want small and medium-sized online retailers to know how to prevent their sites from being exploited by opportunistic cybercriminals over the peak shopping period,” said Sarah Lyons, deputy director for economy and society at the NCSC. “Falling victim to cybercrime could leave you and your customers out of pocket and cause reputational damage.”

One of the key things that online retailers can do to help prevent payments and personal data from being stolen is to apply the available security patches that stop cybercriminals from being able to exploit known vulnerabilities in Magento and any other software they use.

“It’s important to keep websites as secure as possible, and I would urge all business owners to follow our guidance and make sure their software is up to date,” said Lyons.

Applying security patches in a timely manner is just one of the things recommended by the NCSC’s and British Retail Consortium’s Cyber Resilience Toolkit For Retail. This kit was released in October 2020, but the information on keeping websites secure from cyberattacks is still very much relevant today.

“Skimming and other cybersecurity breaches are a threat to all retailers,” said Graham Wynn, assistant director for consumer, competition and regulatory affairs at the British Retail Consortium. “The British Retail Consortium strongly urges all retailers to follow the NCSC’s advice and check their preparedness for any cyber issues that could arise during the busy end-of-year period.”

The compromised shopping websites were identified as part of the NCSC’s Active Cyber Defence programme, which has been monitoring for vulnerabilities that could impact online retailers since April 2020.

The NCSC has also reiterated advice to consumers on how to stay safe when shopping online. The advice includes being selective about where you shop, only providing necessary information, ensuring the payment system used is protected and keeping online accounts secure.