More stories


    Hacktivists deface multiple Sri Lankan domains, including Google.lk

    A mysterious group of hacktivists tampered with the DNS records of several Sri Lankan (.lk) websites on Saturday and redirected visitors to a web page detailing various social issues affecting the local population.
    While most of the affected domains belonged to local businesses and news sites, two high-profile domains, Google.lk and Oracle.lk, were also impacted, readers told ZDNet on Saturday.
    The following message was displayed on Google.lk for a few hours before authorities intervened. The message highlights issues with the local tea-growing industry, freedom of the press, the alleged corrupt political class and judicial system, and racial, minority, and religious issues.

    Image: ZDNet
    This attack took place on Saturday, February 6, just two days after Sri Lanka’s official national independence day, on February 4, which explains the nationalistic message.
    NIC.lk, the administrator of the country’s national LK top-level domain space, confirmed the attack on Saturday in a message posted on its website.
    “An issue with the .LK Domain Registration System arose early in the morning of Saturday, February 6th, which affected a few domains registered in .LK,” the organization said. “This issue was attended to expeditiously, and the matter was resolved by approx. 8.30 a.m.”
    The Telecommunications Regulatory Commission of Sri Lanka also confirmed the incident in a tweet on its account.


    Details about the attack and the number of impacted domains have not been made public. A NIC.lk spokesperson did not respond to a request for comment sent by ZDNet on Sunday.
    The attack didn’t go unnoticed in Sri Lanka, and several users tweeted about it over the weekend, even though the incident was active for only a few hours.

    Users in #SriLanka hv complained that https://t.co/bFifSYuMZa domain is being redirected to a site which highlights issues faced by teaworkers in #lka. Expert @aselawaid tweeted this appears to be a major domain level hijack which seems to be redirected to a propaganda page.
    — Jamila Husain (@Jamz5251) February 6, 2021

    This is the second cyber-security incident to hit NIC.lk. In 2013, hackers used an SQL injection attack to breach its database and steal data about .lk domain owners.


    Every Google Chrome user should click this button now

    I know that a lot of you use Google Chrome. Despite its faults — I’m talking about how it devours RAM — it’s a good browser with a great ecosystem of extensions.
    And it’s pretty secure.
    But you can do your bit to make it more secure.
    Like clicking the Safety check button.

    So, where’s the Safety check button? The easiest way to find it is to type this into your address bar and hit enter:
    chrome://settings/safetyCheck

    Alternatively, you can go into Settings and click on Safety check on the left-hand side.

    Google Chrome Safety check
    The Safety check button is right there. Clicking on it does four things:
    Checks for Google Chrome updates
    Checks if any of your stored passwords have been compromised
    Checks if Safe Browsing is enabled, and gives you a link to tweak these settings
    Checks for harmful extensions (not a bad idea given the latest debacle with The Great Suspender)

    Running Google Chrome Safety check
    If you want more protection, you can enable Enhanced protection under Safe Browsing, which gives you much greater security, but it does involve consenting to having your browsing data sent to Google.
    Carrying out a Safety check is quick and gives you additional peace of mind.
    Do it now.


    Webdev tutorials site SitePoint discloses data breach

    Image: SitePoint, ZDNet, Florian Olivo
    SitePoint, a website that provides access to a wealth of web development tutorials and books, has disclosed a security breach this week in emails sent to some of its users.

    The company has formally admitted to a breach after a hacker put up for sale a collection of one million SitePoint user details on a cybercrime forum in December 2020.
    In a data breach notification this week, SitePoint confirmed an intrusion into its systems sometime last year.
    “At this point, we believe the accessed information mainly relates to your name, email address, hashed password, username, and IP address,” the company said.
    SitePoint has now initiated a password reset on all accounts and is asking users to choose new ones that are at least ten characters long.
    The tutorials and books publisher believes that the stolen passwords are safe for now, as they were hashed with bcrypt (which salts each hash), so recovering the plaintext passwords from the hashes should be a lengthy process for the time being.
    “We recommend that you change passwords from any other websites that may be a duplicate of your SitePoint password, just as a precaution,” the company added.
    The Waydev connection

    SitePoint said that based on current evidence, the breach occurred after the attackers gained access to “a third party tool [they] used to monitor [their] GitHub account.”
    “This allowed access through our codebase into our systems. This tool has since been removed, all of our API keys rotated and passwords changed,” the company said.
    While SitePoint doesn’t mention this tool by name, it is most likely referring to a tool from Git analytics service Waydev, which disclosed a security breach last summer.
    This same tool was also used to breach custom apparel vendor Teespring, whose data was sold by the same hacker, in the same package, at the same time as the SitePoint data.


    Stop trying to take humans out of security operations

    Humans are distinct from other creatures and from machines because of our ability to use: 
    Communication: Language capacity. 
    Creativity: Abstract thought. 
    Critical thinking: Reasoning and planning. 

    These aspects make cybersecurity an engaging challenge. Ultimately, cybersecurity is a fight between humans. 
    With sophisticated threats, attackers and defenders alike use their unique humanness — communication, creativity, and critical thinking — to find ways to achieve their goals. The most devastating attacks are those that are unexpected. 
    Despite this, we continue to see security vendors push forward with the idea of not just supporting but replacing human beings with AI and automation. Some highlights include “real-time [sic] autonomous protection” and “Fully-Automated Incident Detection, Investigation, and Remediation” — neither of which is accurate. Autonomous means “undertaken or carried on without outside control.” 
    This is neither accurate for what the products do nor for what will actually improve security operations. 
    Autonomous Doesn’t Mean Better 
    Despite the development of AI that can consistently beat human beings at StarCraft II, there’s still a large difference between true human consciousness and the artificial simulation we lean on so heavily in marketing. 
    We’ve seen AI misconstrue athletes as felons and cause investors to lose millions daily. The ultimate lesson here is that AI is only as good as the model on which it’s built. AI and automation lose to human beings because we’re unconstrained and do the unpredictable, which is exactly what attackers do in security. 

    The core capabilities of human beings are AI’s blind spots; “humanness” is simply not yet, and possibly never, replicable by artificial intelligence. We have yet to build an effective security tool that can operate without human intervention. The bottom line is this: Security tools cannot do what humans can do. 
    To Win, Augment 
    Instead of replacing humans in the security operations center, augment them so they can do what they’re good at. Security tools must support security teams in doing their jobs better, from the people, process, and technology aspects. AI and automation are key players in that support and shouldn’t be taken for granted, but they also can’t be the raison d’être of security. 
    By shifting the focus from the technology to the analyst, we can empower analysts to be true defenders, instead of turning them into glorified cyber mechanics. Technology should make people better, not replace them. 
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here. 
    This post was written by Analyst Allie Mellen, and it originally appeared here.


    Google Chrome sync feature can be abused for C&C and data exfiltration

    Image: Catalin Cimpanu
    Threat actors have discovered they can abuse the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses.
    For non-Chrome users, Chrome sync is a feature of the Chrome web browser that stores copies of a user’s Chrome bookmarks, browsing history, passwords, and browser and extension settings on Google’s cloud servers.
    The feature is used to sync these details between a user’s devices, so the user always has access to their most recent Chrome data wherever they go.
    Chrome sync feature was recently abused in the wild
    Bojan Zdrnja, a Croatian security researcher, said on Thursday that during a recent incident response, he discovered that a malicious Chrome extension was abusing the Chrome sync feature as a way to communicate with a remote command and control (C&C) server and as a way to exfiltrate data from infected browsers.
    Zdrnja said that in the incident he investigated, attackers gained access to a victim’s computer, but because the data they wanted to steal was inside an employee’s portal, they downloaded a Chrome extension on the user’s computer and loaded it via the browser’s Developer Mode.
    The extension, which posed as a security add-on from security firm Forcepoint, contained malicious code that abused the Chrome sync feature as a way to allow attackers to control the infected browser.

    Image: Bojan Zdrnja
    Zdrnja said the goal of this particular attacker was to use the extension to “manipulate data in an internal web application that the victim had access to.”

    “While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries,” Zdrnja said in a report published on Thursday.
    Malicious code found in the extension suggested that the attacker was using the add-on to create a text-based field for storing token keys, which would then be synced to Google’s cloud servers as part of the sync feature.
    “In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure,” he said.
    Data stored in the key field could be anything, Zdrnja said.
    It could be data the malicious extension gathered about the infected browser (such as usernames, passwords, cryptographic keys, or more) or commands the attacker wanted the extension to execute on the infected workstation.
    In this way, the extension could be used as an exfiltration channel from inside corporate networks to an attacker’s Chrome browser instance or as a way to control the infected browser from afar, bypassing local security defenses.
    Malicious operations hide in legitimate Chrome traffic
    Since the stolen content or subsequent commands are sent via Chrome’s infrastructure, none of these operations would be inspected or blocked in most corporate networks, where the Chrome browser is usually allowed to operate and transmit data unhindered.
    “Now, if you are thinking on blocking access to clients4.google.com be careful – this is a very important web site for Chrome, which is also used to check if Chrome is connected to the Internet (among other things),” Zdrnja warned.
    Instead, the researcher urged companies to use Chrome’s enterprise features and group policy support to block and control which extensions can be installed in the browser, preventing the installation of rogue extensions like the one he investigated.
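    Policy stops the next sideload; the complementary check is finding an extension that was already loaded this way. Chrome records every installed extension in the profile’s Preferences file (Secure Preferences on Windows) under extensions.settings, including where it came from. The script below audits that JSON for extensions that did not arrive via the Chrome Web Store and flags those that also hold the storage permission, which is what a chrome.storage.sync covert channel needs. It is an added example, not code from the researcher’s report or from Google. Assumptions to verify against your Chrome build: the numeric location field follows Chromium’s ManifestLocation enum (1 = Web Store install, 4 = unpacked via Developer Mode, 8 = --load-extension on the command line), and from_webstore, path and manifest carry what their names say. The sample profile data is constructed, with a made-up extension ID and a name posing as a security vendor’s add-on, as in the incident above.

```python
"""Audit a Chrome profile's Preferences / Secure Preferences JSON for
sideloaded extensions (the installation route used in the incident above).

Added example, not the researcher's or Google's code. Assumptions, to be
checked against your Chrome version: extension records live under
extensions.settings.<id>; "location" is Chromium's ManifestLocation enum
(1 = Web Store, 4 = unpacked / Developer Mode, 8 = --load-extension);
"from_webstore", "path" and "manifest" mean what their names say.
"""
import json
from pathlib import Path

WEBSTORE = 1
UNPACKED = 4
COMMAND_LINE = 8
SIDELOADED = {UNPACKED, COMMAND_LINE}


def load_prefs(path):
    """Read a Preferences file. Copy it out of the profile first: Chrome locks it."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def audit_extensions(prefs):
    """Return one finding per extension that did not come from the Web Store.

    Severity is raised to "high" when the extension also holds the 'storage'
    permission, which chrome.storage.sync needs to turn Google's sync
    infrastructure into a command-and-exfiltration channel.
    """
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        if not manifest:                      # component stubs carry no manifest
            continue
        reasons = []
        loc = entry.get("location")
        if loc in SIDELOADED:
            reasons.append(f"sideloaded (location={loc}, path={entry.get('path')!r})")
        elif entry.get("from_webstore") is False:
            reasons.append("not installed from the Chrome Web Store")
        if not reasons:
            continue
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        severity = "medium"
        if "storage" in perms:
            severity = "high"
            reasons.append("holds 'storage' permission: chrome.storage.sync usable as a covert channel")
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "severity": severity,
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["severity"] != "high")   # high first


# Constructed sample profile: one Web Store extension, one unpacked extension
# posing as a security vendor's add-on, and one component stub. IDs are made up.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "location": WEBSTORE, "from_webstore": True,
                "manifest": {"name": "Example Store Extension", "version": "2.1",
                             "permissions": ["storage", "tabs"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "location": UNPACKED, "from_webstore": False,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\fp-ext",
                "manifest": {"name": "Forcepoint Endpoint Chrome Extension", "version": "1.0",
                             "permissions": ["storage", "tabs"],
                             "host_permissions": ["<all_urls>"]},
            },
            "cccccccccccccccccccccccccccccccc": {"location": 5},   # component, no manifest
        }
    }
}

if __name__ == "__main__":
    import sys
    prefs = load_prefs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    for f in audit_extensions(prefs):
        print(f"[{f['severity']}] {f['id']} {f['name']} {f['version']}: " + "; ".join(f["reasons"]))
```

    Run it against a copy of the profile’s Preferences (for example ~/.config/google-chrome/Default/Preferences on Linux, or Secure Preferences under %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows). A sideloaded extension with the storage permission is not proof of compromise, but it is exactly the combination worth pulling the extension directory for.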


    Google kills The Great Suspender: here's what you should do next

    Google has disabled The Great Suspender, an extension that was used by Chrome users who were prone to having a lot of tabs open, because, in the words of the message users have been receiving, “it contains malware.”
    This has left users with some questions and concerns.
    First, what happened? Well, concerns were raised last year that the extension contained nefarious code after the extension changed hands. More details here on GitHub.
    Yesterday, Google pulled the plug on the extension, telling users that it was now blocked, and all mentions of it on the Google Chrome webstore now result in 404s.
    If you were a user, the tabs you had suspended are now gone. Well, you can still recover them, but it’s a bit of a faff: search your browsing history for the extension’s ID (klbibkeccnjlkjkiokjodocebajanakg) and extract the original URL from each matching entry (it’s the part after uri=).
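    Doing that by hand for a few hundred tabs is painful, so here is the same recovery scripted against Chrome’s History database. It is an added example, not code from the article or from the extension. Assumptions: the History file is SQLite with a urls table whose url and last_visit_time columns are used here; last_visit_time is microseconds since 1601-01-01 (WebKit time); and, as the article says, a suspended tab’s placeholder URL carries the real address after uri= in its fragment. The sample rows are constructed.

```python
"""Recover the original URLs of tabs The Great Suspender had suspended by
reading them back out of Chrome's History database.

Added example, not from the article or the extension. Assumptions: History is
SQLite with a `urls` table (`url`, `last_visit_time`); `last_visit_time` is
microseconds since 1601-01-01 (WebKit time); the placeholder URL carries the
real address after `uri=` in its fragment. Sample rows below are constructed.
"""
import re
import shutil
import sqlite3
import tempfile
from pathlib import Path

EXT_ID = "klbibkeccnjlkjkiokjodocebajanakg"                 # from the article
SUSPENDED_PREFIX = f"chrome-extension://{EXT_ID}/suspended.html"
URI_RE = re.compile(r"[#&]uri=(.+)$")      # boundary so 'uri=' inside the title is ignored
WEBKIT_TO_UNIX_US = 11644473600 * 1_000_000          # 1601 -> 1970 offset, microseconds


def recover_from_url(url):
    """Return the real page URL embedded in a Great Suspender placeholder, else None."""
    if not url.startswith(SUSPENDED_PREFIX):
        return None
    m = URI_RE.search(url)
    return m.group(1) if m else None


def recover_from_history(conn):
    """Return [(last_visit_unix_seconds, original_url)] for every suspended tab,
    newest first and de-duplicated (a tab suspended twice appears once)."""
    rows = conn.execute(
        "SELECT url, last_visit_time FROM urls WHERE url LIKE ? ORDER BY last_visit_time DESC",
        (SUSPENDED_PREFIX + "%",),
    )
    seen, out = set(), []
    for url, webkit_us in rows:
        target = recover_from_url(url)
        if target and target not in seen:
            seen.add(target)
            out.append(((webkit_us - WEBKIT_TO_UNIX_US) // 1_000_000, target))
    return out


def open_history_copy(history_path):
    """Chrome keeps History locked while running: copy it, then open the copy read-only."""
    tmp = Path(tempfile.mkdtemp()) / "History"
    shutil.copy2(history_path, tmp)
    return sqlite3.connect(f"file:{tmp}?mode=ro", uri=True)


def build_sample_history():
    """In-memory History db with constructed rows (schema trimmed to the columns used)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER)")
    t0 = (1612569600 + 11644473600) * 1_000_000         # 2021-02-06 00:00:00 UTC in WebKit time
    conn.executemany("INSERT INTO urls(url, title, last_visit_time) VALUES (?, ?, ?)", [
        (f"{SUSPENDED_PREFIX}#ttl=Guide%20%26%20more&pos=0&uri=https://example.org/docs/guide?page=2",
         "Guide & more", t0),
        (f"{SUSPENDED_PREFIX}#ttl=Home&pos=0&uri=https://example.net/", "Home", t0 - 60_000_000),
        (f"{SUSPENDED_PREFIX}#ttl=Guide&pos=0&uri=https://example.org/docs/guide?page=2",
         "Guide", t0 - 3_600_000_000),                    # same tab, suspended an hour earlier
        ("https://example.com/not-suspended", "Plain visit", t0),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    from datetime import datetime, timezone
    conn = open_history_copy(sys.argv[1]) if len(sys.argv) > 1 else build_sample_history()
    for ts, url in recover_from_history(conn):
        print(datetime.fromtimestamp(ts, timezone.utc).isoformat(), url)
```

    Point it at the profile’s History file (~/.config/google-chrome/Default/History on Linux, %LOCALAPPDATA%\Google\Chrome\User Data\Default\History on Windows); the script copies the file before opening it because Chrome holds a lock on the original while it runs.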
    Others want to know what to do next.

    There are a few extensions that do similar things. Session Buddy and OneTab spring to mind.
    If you’d rather use a paid service, I’ve been using Partizion for the past few months, and I find it really reliable, and once you get used to it, it works really well.
    Or, you know, you could limit the number of tabs you have open.


    Woman pleads guilty for using gov’t PC to steal photos of 'snitches' in Iowa

    A woman from Iowa has pleaded guilty to obtaining confidential photographs that were then published to a social media group focused on outing “snitches”. 

    On Thursday, the US Department of Justice (DoJ) said that two individuals were involved in the scheme: Rachel Manna, a resident of West Des Moines, and Ankeny, Iowa-based Danielle Taff, who was formerly employed as a contractor paralegal for the US Attorney’s Office for the Southern District of Iowa. 
    Taff worked in the civil division, and so should have been nowhere near records related to criminal cases. 
    However, in 2018, 33-year-old Manna asked Taff, an acquaintance, to access information relating to “certain defendants in a criminal investigation and prosecution being handled by the US Attorney’s Office,” according to the DoJ. 
    Taff agreed to Manna’s request and in mid-May, the 37-year-old used her government PC to access criminal investigation files on the district’s shared storage drive. 
    After finding records relating to police interviews with “at least two individuals” who cooperated in a drug trafficking investigation, Taff pulled out her mobile phone and took photographs of the files. 
    Taff then handed over her photographs, of which there were approximately 30, to Manna. 

    These photographs, which identified the people who were helping the police in their investigation, were then shared by Manna to a Facebook group dedicated to “outing snitches” in the Des Moines region. 
    Individuals labeled as snitches for cooperating with law enforcement, especially while criminal activity is ongoing, could face personal retribution and an increased risk to their safety. 
    Taff pleaded guilty for her role in the leak of confidential information in November 2020. Taff will be sentenced on March 9. Manna, having now also admitted to her crime, will be sentenced on June 4. 


    Cisco warns of critical remote code execution flaws in these small business VPN routers

    Remote attackers can use the bugs to execute code as the root user.
    Image: Getty Images/iStockphoto
    Cisco is warning customers using its small business routers to upgrade the firmware to fix flaws that could give remote attackers root level access to the devices. 
    The critical flaws affect the Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers. These were the models Cisco recommended customers using unsupported small business routers to move to last month. 


    There are several bugs in the web management interface of the routers that remote attackers can use to execute code as the root user. The devices don’t properly validate HTTP requests, allowing an attacker to send specially crafted HTTP requests to exploit the flaws. 
    The gear is vulnerable if it is running a firmware release earlier than Release 1.0.01.02, according to Cisco. Affected devices include the RV160 VPN Router, RV160W Wireless-AC VPN Router, RV260 VPN Router, RV260P VPN Router with POE, and RV260W Wireless-AC VPN Router. 
    There are no workarounds, so customers must upgrade to release 1.0.01.02 or later, which Cisco released in January. Cisco is tracking the bugs as CVE-2021-1289, CVE-2021-1290, and CVE-2021-1291. 
    The web interface of the Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers is also vulnerable to remote attacks via a directory traversal issue. Admins need to ensure devices are running firmware release 1.0.01.02 or later to be protected. 

    “An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to a location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device,” Cisco warned. 
    This set of bugs is being tracked as CVE-2021-1296 and CVE-2021-1297. 
    There are also multiple high-severity flaws in the web interface of the Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers. The bugs are remotely exploitable and can be used to trigger a denial of service. 
    It’s another input validation issue that allows an attacker to send HTTP requests designed to exploit the bugs. Cisco notes that the attacker would need correct administrator credentials to exploit the bugs. Cisco is tracking these as CVE-2021-1319, CVE-2021-1320, and CVE-2021-1321.
    The same set of routers are also vulnerable to multiple command injection vulnerabilities that have been tagged with the identifiers CVE-2021-1314, CVE-2021-1315, and CVE-2021-1316. 
    Again, the flaws are due to improper validation of user-supplied input that allow an attacker to send crafted HTTP requests to the devices. These are high severity issues that “could allow the attacker to execute arbitrary code as the root user on the underlying operating system”, according to Cisco.
    An attacker would need to have valid administrator credentials to exploit the flaws. 
    Cisco fixed the bugs affecting the RV320 and RV325 Dual Gigabit WAN VPN Routers in firmware release 1.5.1.13.
    However, it will not release firmware updates for the Cisco RV016, RV042, RV042G, and RV082 Routers because they have entered the end-of-life process. 
    The affected devices are vulnerable if they are running the following firmware releases: 

    Product                              Firmware release
    RV016 Multi-WAN VPN Routers          4.2.3.14 and earlier
    RV042 Dual WAN VPN Routers           4.2.3.14 and earlier
    RV042G Dual Gigabit WAN VPN Routers  4.2.3.14 and earlier
    RV082 Dual WAN VPN Routers           4.2.3.14 and earlier
    RV320 Dual Gigabit WAN VPN Routers   1.5.1.11 and earlier
    RV325 Dual Gigabit WAN VPN Routers   1.5.1.11 and earlier
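    With three product families, two fixed releases and one family that will never be fixed, the practical job is triaging an inventory, and the one trap is comparing version strings as text: Cisco’s 1.0.01.02 is the same release as 1.0.1.2, and a plain string comparison gets that wrong. The script below parses versions numerically and reports per-device status. It is an added example, not Cisco’s code; the version data is transcribed from the text and table above and should be re-checked against the Cisco advisories before acting on it. The article lists 1.5.1.11 and earlier as affected on the RV320/RV325 and 1.5.1.13 as the fix, so anything below 1.5.1.13 is treated conservatively as unpatched. Hostnames in the sample inventory are made up, and the RV345 entry is a model outside these advisories, included to show the unknown-model path.

```python
"""Triage a router inventory against the affected and fixed releases above.

Added example, not Cisco's code. Version data transcribed from the article;
verify against the Cisco advisories. Sample inventory is constructed.
"""
import re

# model -> first fixed release, or None when Cisco will ship no fix (end-of-life)
FIRST_FIXED = {
    "RV160": "1.0.01.02", "RV160W": "1.0.01.02",
    "RV260": "1.0.01.02", "RV260P": "1.0.01.02", "RV260W": "1.0.01.02",
    # 1.5.1.11 and earlier affected, fixed in 1.5.1.13: 1.5.1.12 treated as unpatched
    "RV320": "1.5.1.13", "RV325": "1.5.1.13",
    # end-of-life: every released firmware (4.2.3.14 and earlier) stays vulnerable
    "RV016": None, "RV042": None, "RV042G": None, "RV082": None,
}

CVES = {
    "RV160/RV260": "CVE-2021-1289/1290/1291 (unauthenticated RCE as root), "
                   "CVE-2021-1296/1297 (directory traversal)",
    "RV320/RV325": "CVE-2021-1314/1315/1316 (authenticated command injection as root), "
                   "CVE-2021-1319/1320/1321 (authenticated DoS)",
    "RV016/RV042/RV042G/RV082": "same CVEs as RV320/RV325; no fix will ship",
}


def family(model):
    if model.startswith(("RV160", "RV260")):
        return "RV160/RV260"
    if model.startswith(("RV320", "RV325")):
        return "RV320/RV325"
    return "RV016/RV042/RV042G/RV082"


def parse_version(text):
    """'1.0.01.02' -> (1, 0, 1, 2). Leading zeros make string comparison wrong
    ('1.0.01.02' != '1.0.1.2' as text, same release numerically); a trailing
    non-numeric suffix such as '-beta' is dropped from its component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def assess(model, running):
    """Triage one device: status is patched, vulnerable, end-of-life or unknown-model."""
    model = model.strip().upper()
    rec = {"model": model, "running": running}
    if model not in FIRST_FIXED:
        return {**rec, "status": "unknown-model", "action": "not covered by these advisories"}
    rec["cves"] = CVES[family(model)]
    fixed = FIRST_FIXED[model]
    if fixed is None:
        return {**rec, "status": "end-of-life", "action": "no fix will ship; replace the device"}
    if parse_version(running) >= parse_version(fixed):
        return {**rec, "status": "patched", "action": "none"}
    return {**rec, "status": "vulnerable", "action": f"upgrade to {fixed} or later"}


def triage(inventory):
    """inventory: iterable of (hostname, model, firmware). Unpatched devices come first."""
    order = {"vulnerable": 0, "end-of-life": 0, "unknown-model": 1, "patched": 2}
    records = []
    for host, model, fw in inventory:
        records.append({"host": host, **assess(model, fw)})
    return sorted(records, key=lambda r: (order[r["status"]], r["host"]))


# Constructed inventory; hostnames are made up.
SAMPLE_INVENTORY = [
    ("branch-fw-01", "RV260W", "1.0.00.15"),
    ("branch-fw-02", "RV160", "1.0.01.02"),
    ("hq-vpn-01", "RV325", "1.5.1.11"),
    ("legacy-vpn", "RV042", "4.2.3.14"),
    ("lab-router", "RV345", "1.0.03.20"),     # model outside these advisories
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['host']:<14} {r['model']:<7} {r['running']:<10} {r['status']:<14} {r['action']}")
```

    Feed it the model and firmware strings from your inventory system or from each device’s web UI; anything reported as end-of-life has no patch path and needs a replacement plan rather than an update window.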