More stories

  • Windows XP leak confirmed after user compiles the leaked code into a working OS

    The Windows XP and Windows Server 2003 source code that was leaked online last week on 4chan has been confirmed to be authentic after a YouTube user compiled the code into working operating systems.
    Shortly after the leak occurred last week, ZDNet reached out to multiple current and former Microsoft software engineers to confirm the validity of the leaked files.
    At the time, sources told ZDNet that from a summary review, the code appeared to be incomplete, but from the components they analyzed, the code appeared to be authentic.
    NTDEV, a US-based IT technician behind the eponymous Twitter and YouTube accounts, was one of the millions of users who downloaded the code last week.
    But rather than wait for an official statement from Microsoft that is likely to never come, NTDEV decided to compile the code and find out for themselves.
    According to videos shared online, the amateur IT technician was successful in compiling the Windows XP code over the weekend, and Windows Server 2003 yesterday.
    “Well, the reports were indeed true. It seems that there are some components missing, such as winlogon.exe and lots of drivers,” NTDEV told ZDNet in an interview today, describing his work on XP.
    NTDEV says these missing components mean that the leaked XP code is not yet in a fully usable state, such as for a “full OS replacement,” but that the code is, nevertheless, authentic.
    “Certain files, such as the kernel and the Explorer can be compiled easily. I have tried some programs from the compiled source of XP, and it seems that they are identical to the retail versions of Windows,” NTDEV said. 
    Barring the missing components, NTDEV believes “the source can be used for compiling all the SKUs, as well as free (optimised) retail builds.”
    As for the leaked Windows Server 2003 source, the second major Windows OS version included in last week’s leak, NTDEV said this code was also similar to the XP leak.
    “The leaked source of Server 2003 is actually more complete than the XP one, but it lacks, just as the XP one, the Winlogon source code,” they said.
    “I presume this is due to the fact that it may contain the code to the activation process (just an assumption).
    “However, unlike XP, I have managed to build a workable installation of [Server] 2003, but I had to substitute some files (Winlogon being the most important one, the rest of them being help files and drivers, mostly),” NTDEV said.
    Still, last week’s leak also included source code for several other Windows operating systems, such as Windows 2000, Embedded (CE 3, CE 4, CE 5, CE 7), Windows NT (3.5 and 4), and MS-DOS (3.30 and 6.0).
    NTDEV told ZDNet they already compiled the NT codebase earlier this year, when it first leaked online, and that they now plan to focus on compiling the MS-DOS 6.0 code next.


  • GitHub rolls out new Code Scanning security feature to all users

    Image: GitHub
    Code-hosting website GitHub is rolling out today a new security feature named Code Scanning for all users, on both paid and free accounts.
    GitHub says the new Code Scanning feature “helps prevent vulnerabilities from reaching production by analyzing every pull request, commit, and merge—recognizing vulnerable code as soon as it’s created.”
    Once vulnerabilities are detected, Code Scanning works by prompting the developer to revise their code.
    Under the hood, Code Scanning works on top of CodeQL, a technology that GitHub integrated into its platform after it acquired code-analysis platform Semmle in September 2019.
    CodeQL stands for code query language and is a generic language that allows developers to write rules to detect different versions of the same security flaw across large codebases.
    To configure Code Scanning, users must visit the “Security” tab of each repository for which they want the feature enabled.

    Image: GitHub
    Here, developers will be prompted to enable the CodeQL queries they want GitHub to use to scan their source code.
    To get users started with Code Scanning, GitHub said its security team has put together more than 2,000 predefined CodeQL queries that users can enable for their repositories to automatically check for the most basic security flaws when submitting new code.
    In addition, Code Scanning can also be extended via custom CodeQL templates written by repository owners or by plugging in third-party open-source or commercial static application security testing (SAST) solutions.
    Code Scanning has been available to GitHub beta testers since May after the feature was initially announced at the GitHub Satellite conference.
    Since then, GitHub says the feature has been used to perform more than 1.4 million scans on more than 12,000 repositories and has identified over 20,000 vulnerabilities, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.
    Developers also appear to have warmly received the new feature, and GitHub says it has already received 132 community contributions to CodeQL’s open-sourced query sets since the feature launched in the spring.

  • Linkury adware caught distributing full-blown malware

    An adware family known primarily for distributing browser hijackers has been caught distributing full-blown malware, security researchers said today in a talk at the VirusBulletin 2020 security conference.
    “What’s dangerous about Linkury is how it uses its adware front as a gateway to propagate malware,” said Arun Kumar Shunmuga Sundaram & Rajeshkumar Ravichandran, two malware analysts at Indian security firm K7 Computing.
    “It walks a very fine line between typical adware and malware, and we have seen how it can switch sides based on geolocale,” the two said.
    “It has tailored its operations to cloak its malicious techniques and flies under the guise of ‘legitimate, law abiding’ adware, giving it recourse to plausible deniability of any wrongdoing.”
    While cyber-security companies like Malwarebytes, Microsoft, or Trend Micro are currently detecting Linkury operations as “adware,” Sundaram and Ravichandran argue that “the case for flagging it as malware is strong based on the evidence presented in [their] paper.”
    What’s Linkury?
    Prior to K7’s VirusBulletin presentation today, Linkury was primarily known as an adware operation.
    Its main method of distribution is the SafeFinder widget, a browser extension ironically advertised as a way to perform safe searches on the internet.
    The widget is usually bundled with other free apps as a secondary installer or is distributed via online ads that redirect internet users to SafeWidget download pages.
    Installing the SafeFinder extension would usually change a user’s default browser search and home tab settings, but it would also install additional binaries, which differ depending on the user’s country.
    Image: K7 Computing
    In most cases, these binaries would be other apps, for which developers paid a fee to be included in the SafeFinder installation process.
    But K7 researchers say that in recent cases they analyzed, the SafeFinder widget has now also begun installing full-blown malware, such as the Socelars and Kpot infostealer trojans.

    Image: K7 Computing
    In other cases, the Linkury operation also dropped a version of the Opera browser on infected hosts, which it started silently in the operating system’s background to deliver pop-up ads and generate profit for the Linkury operators.
    But the Linkury team also used the SafeFinder widget to force-install extensions on the user’s browsers. K7 reported Linkury force-installing extensions in Chrome and Firefox, for Windows users; and Safari, Chrome, and Firefox, for Mac users.
    Furthermore, K7 researchers also noted that the SafeFinder installer also contained many features specific to malware, such as PowerShell scripts to disable Windows Defender, and functions to detect when the installer was executed inside virtual machines and sandboxes, environments usually used for malware analysis — which it obviously wanted to avoid.
    And last but not least, Linkury’s SafeFinder widget had no intention of honoring user choices, with its installer specifically designed to install its payload even if the user tried to avoid the installation process, like pressing “No” as in the image below.

    Image: K7 Computing

  • Rotten phish spoils employee experience

    When my colleagues Claire O’Malley and Brian Kime wrote their blog post “Point/Counterpoint: The Ethics Of COVID-19 Phishing” in March, it turns out they were inadvertently predicting an event that took place last week: An employee took to social media to speak out about a highly insensitive phishing simulation.  

    Tribune Publishing Company, publisher of newspapers like the Chicago Tribune and The Baltimore Sun, conducted an ill-timed phishing simulation. The email was offering targeted bonuses of $5,000 to $10,000 to the remaining staff that had survived an ongoing wave of pandemic-spurred firings and pay cuts. Users were prompted to log in to view their promised bonuses, and, in doing so, they were met with an alert of how they had just failed a phishing simulation test. 
    A Thoughtless Campaign Phishes Away Brand And Goodwill 
    This presumably inadvertent misstep resulted in a negative experience for all involved: 
    Already struggling employees got an extra slap in the face with a phish. The pandemic has introduced a significant amount of stress around reentry to work, burnout, financial instability, health concerns, and anxiety about job loss. Loss of jobs and wages exacerbates the stress on employees. In this instance, the reception of a phishing simulation that claims to pay a bonus to employees who have already lost so much could not have been worse. 
    The organization’s brand took a hit. How you treat your employees defines your brand and values as an organization. Customers, business partners, and future hires are watching how and if your firm places an emphasis on employee experience (EX), as they make decisions about their relationship with you. Tribune Publishing Company’s employees took to social media to register their outrage; others joined in amplifying the outrage, putting the organization’s brand through the wringer at the worst possible time. 
    The vendor’s image was hurt, despite taking steps to manage this risk. The vendor, KnowBe4, did not initiate the simulation, and it took many steps to educate customers about the ethics of phishing and clearly marked its controversial templates, as KnowBe4’s CEO pointed out. However, this did not spare the vendor from the public’s ire, as many publicly criticized the vendor that provided the phishing template. Cybersecurity vendors should be wary that the way customers use your products and services can impact you as a provider, no matter how much you might attempt to distance yourself from it. 
    Security’s already tarnished reputation faced more negativity. Security has long held the reputation of being a team of fun-ruiners who regularly tell the rest of the organization “no” and place inconvenient restrictions on employees’ everyday tasks, including distributing security quizzes and phishing tests that can be annoying and unnecessarily deceptive. Security practitioners have been working hard to improve security’s image by creating positive associations with security and reworking security practices. However, an incident like this sets the clock back and forfeits some of the goodwill earned. 
    Controversial Phishing Simulations Can Damage EX 
    The counterpoint supporting the use of controversial simulations is that attackers are not above using the very same tactics in question here — and that’s true. The difference is that attackers have no obligation to treat the employees in your organization with respect and empathy — your security program does. Your security awareness and training programs (including phishing simulations) are your face to the organization. The importance of remaining ahead of adversaries does not give you license to hurt the very people you’re trying to engage. Be intentional about the examples you’re using for your simulations and consider the following: 
    What is the potential impact of this simulation on employees’ mental health? 
    Is this simulation realistic, necessary, and empathetic? 
    How will the tone of the simulation be perceived by employees? 
    Does this benefit the humans on the other end? 
    Am I being smug and gaming with employees, or am I genuinely trying to change behavior? 
    Is there another way you could be communicating this message? 
    The Tribune Publishing Company could have educated their employees about the dangers of phishing with a simulation that prompts them to check their vacation balance, log in to a virtual meeting, or a variety of other non-pandemic and non-fear-inducing wording. 
    Additionally, be consistent about the way you provide pandemic updates. For example, provide business-related pandemic updates via virtual meetings instead of mass email chains. That way, if employees see an email containing pandemic updates and click prompts, they will recognize that it comes from an attacker with malicious intent and not from a manager or HR. 
    Make Influence And Empathy, Not Shame, The Names Of Your Game 
    Education and shame are not synonyms. You may win the battle, but the war is much bigger. Continue your phishing simulations and your security awareness and training campaigns. These efforts, however, don’t tell the full story. As a security leader, your bigger opportunity is to engage, influence, and benefit your employees as well as your organization’s customers, and even society. You do this through careful planning and positively influencing and engaging your stakeholders. In this environment, more than ever, make empathy your new superpower in all the big and small things that you do, such as walking the floor, managing your teams, engaging with your stakeholders, and yes, even phishing simulations. 
    This post was written by Principal Analyst Jinan Budge with a team of analysts, and it originally appeared here.

  • $15 million business email scam campaign in the US exposed

    The FBI is investigating a global business email compromise (BEC) campaign that has netted cybercriminals at least $15 million in illicit proceeds. 

    On Wednesday, cybersecurity researchers from Mitiga said the campaign, which is ongoing, uses social engineering techniques to impersonate senior executives using Microsoft Office 365 email services. 
    The Israeli incident response company said over 150 organizations — across sectors including law, construction, finance, and retail — have been identified as victims worldwide. The majority of those tracked so far are in the United States. 
    BEC scams focus on targeting businesses and organizations through email fraud, often with financial gain in mind. Analysts estimate that in Q2 2020, the average successful BEC campaign now nets fraudsters $80,000 — an increase from $54,000 in Q1 2020 — but in the worst cases, financial theft can reach millions of dollars. 
    It was a “multi-million-dollar global transaction,” Mitiga told us, that alerted the researchers to the campaign. Emails were sent between a buyer and seller over several months, in which a threat actor impersonated “senior parties” involved in the transaction, providing alternative wire payment instructions, and vanishing with the proceeds. 
    However, this single case of criminality was only one of what appears to be many widespread BEC campaigns run by one or more cybercriminal groups. 
    Digital clues linked over a dozen clusters of rogue domains to the BEC campaign and the researchers say that “each cluster was a coordinated attack on its own.”
    Numerous rogue domains have been registered via GoDaddy’s Wild West Domains registrar, and these domains mask themselves as legitimate businesses. In what is known as a homograph technique, the website addresses used to impersonate a company include alterations made via letters or symbols that would be difficult to spot — such as the difference between ‘paypal.com’ and ‘paypall.com.’ Office 365 accounts were then linked to email addresses associated with these domains in order to send fraudulent messages. If a victim accepted a phishing message and unwittingly executed a payload, this could also lead to their inboxes becoming compromised. 
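    As an added example (not code from Mitiga or ZDNet), the following Python check flags sender domains that are lookalikes of a small allow-list of trusted counterparty domains, the defensive counterpart to the homograph technique described above. The allow-list, the confusable-character table and the sample addresses are all constructed for illustration.

```python
"""Flag sender domains that look like, but are not, trusted counterparty domains.

Constructed example: the allow-list and sample addresses are made up and are
not taken from the Mitiga report.
"""
from __future__ import annotations

import unicodedata

# Constructed allow-list of domains the business legitimately exchanges mail with.
TRUSTED_DOMAINS = {"paypal.com", "example-law.com", "acme-build.com"}

# Visually confusable substitutions commonly used in lookalike registrations
# (constructed, not exhaustive). Multi-character keys are handled by str.replace.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalize(domain: str) -> str:
    """Lowercase, drop non-ASCII homoglyphs via NFKD, then map confusables."""
    d = domain.strip().lower().rstrip(".")
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels so 'mail.paypall.com' is compared as 'paypall.com'."""
    parts = domain.split(".")
    return ".".join(parts[-2:])


def classify(sender: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain).

    'trusted'   : the registrable domain is exactly on the allow-list.
    'lookalike' : after confusable mapping it collides with a trusted domain,
                  or is within max_distance edits of one.
    'unknown'   : not close to anything on the allow-list (left to other controls).
    """
    domain = sender.rsplit("@", 1)[-1]
    reg = registrable(domain.lower())
    if reg in trusted:
        return "trusted", reg
    norm = normalize(reg)
    best = None
    for t in trusted:
        if norm == normalize(t):
            return "lookalike", t
        dist = levenshtein(norm, normalize(t))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t)
    if best:
        return "lookalike", best[1]
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders, including the paypal/paypall pair from the report.
    for addr in ["ap@paypal.com", "billing@paypall.com", "cfo@paypa1.com",
                 "pm@acrne-build.com", "someone@microsoft.com"]:
        print(addr, "->", classify(addr))
```

    Such a check is best run on inbound mail at the gateway or in a mail-flow rule, and on any change to wire-transfer instructions, where a lookalike verdict should trigger out-of-band verification with the counterparty.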
    The team believes that Microsoft’s email service is being abused to reduce “suspicious discrepancies and the likelihood of triggering malicious detection filtering.”
    When conversations were intercepted via compromised accounts, the attackers used a forwarding rule to bounce all communication back to another attacker-controlled account. 
    “This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided,” the company added. 
    An investigation into the widespread BEC scam is ongoing. Microsoft and relevant law enforcement agencies have been notified. 
    “We are experiencing a dramatic increase — 63% in fact — of ransomware and BEC attacks across our customer base,” Tal Mozes, Mitiga CEO, told ZDNet. “These attacks are originating mainly from African countries and are showing an increasing level of sophistication. With this specific BEC campaign, our analysts were able to identify a digital fingerprint that allowed us to identify and notify the victims, as well as alert law enforcement of threat vectors.”


  • This worm phishing campaign is a game-changer in password theft, account takeovers

    A phishing attack taking place against an organization has revealed a crafty method to bounce between victims in a way deemed “ingenious” by a researcher. 

    On September 29, cybersecurity architect and bug bounty hunter Craig Hays outlined a recent phishing attempt which went far beyond the usual spray-and-pray tactics and basic attempts to compromise a network, to become “the greatest password theft he had ever seen.”  
    In a Medium blog post, Hays detailed how a response team received an alert from their organization at 10 am, when a user fell prey to a phishing attack. 
    Originally, the security expert simply deemed the notification “another day, another attack.” The team locked the impacted account down and began to investigate the incident in order to find the root cause and any potential damage. 
    Within minutes, several more alerts pinged their inbox. This, in itself, isn’t unusual. As Hays noted, “emails that made it through the filtering rules tended to hit a number of people at the same time.”
    However, after the sixth report, the responders noticed this was potentially something more substantial — and by the time they had conducted an initial damage assessment and two accounts had been recovered, they faced a “huge wave of account takeovers.”
    “We could see that all of the accounts were being accessed from strange locations all over the globe and sending out a large number of emails,” Hays said. “For so many accounts to be hit at once, it was either a really, really effective phishing attack, or someone had been biding their time after stealing credentials over a long period.”
    The problem was, the initial credential theft vector wasn’t obvious, and no victim had received an email from a new contact on the day — the latter being how phishing messages are generally sent, often appearing to come from a spoofed or seemingly legitimate source. 
    Eventually, the team turned to sign-in timestamps to connect the account takeovers with emailed communication — and this revealed the attack vector.  
    “The phishing emails were being sent as replies to genuine emails,” the researcher explained. “Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.”
    This is how it worked: once one email account was compromised, the credentials for the account were sent to a remote bot. The bot would then sign into the account and analyze emails sent within the past several days.
    “For each unique email chain it found, it replied to the most recent email with a link to a phishing page to capture credentials,” Hays said. “The wording was generic enough to fit almost any scenario and the link to a ‘document’ didn’t feel out of place.”
    Sent as a reply-all, using a legitimate email account, and given the conversation history, trying to distinguish the bot from the genuine account owner was difficult. 
    The technique, resulting in worm-like mass takeovers, left Hays “in awe” of the “phenomenal number of accounts [that] were compromised within a few hours.”
    Unfortunately, as the bot grew in size and took over account after account, this allowed it to propagate beyond the impacted company itself — the phishing emails were also sent to other people outside of the organization. 
    The phishing attack was out of control by this point and the only way the team was able to clamp down on it was by finding a pattern in the URL of the phishing pages that could be used to add a quarantine rule. 
    While Hays calls the campaign “ingenious” and “the most favorite attack I’ve seen in person,” he also notes that the bot was “too effective” and its eagerness to propagate set up red flags and alerts too quickly to reach its full potential. 
    Multi-factor authentication was quickly implemented for email accounts that had not enabled the additional security measure. 
    “The goal for this attacker was probably to harvest credentials to sell on the dark web. They achieved their goal of harvesting a lot of credentials, but they were too noisy about how they went about it and immediately raised alarms, losing any value they had gained,” Hays commented. 


  • Singapore touts blockchain use in COVID-19 data management

    Singapore has developed a blockchain-powered application touted to better manage and secure medical records. Enabling healthcare data to be stored in a digital wallet, the software has been used in a pilot in which COVID-19 discharge memos have been verified more than 1.5 million times. 
    Government-owned investment firm SGInnovate and local startup Accredify jointly developed the “digital health passport” to support the management of medical records. Work on the application had begun in May during the height of the global pandemic, when SGInnovate roped in Accredify on the project. The Singapore startup specialises in document lifecycle management products, including document management and verification. 
    Funded by the Ministry of Finance, SGInnovate focuses its investment on deep tech startups that work on emerging technologies such as artificial intelligence, quantum technology, and medical technology. 

    The newly developed digital health passport is touted to enable personal medical documents to be stored in a digital wallet, secured with blockchain technology, for easy access and verification. It also digitises medical documents for distribution such as COVID-19 discharge memos and swab results, helping to streamline the workflow of healthcare services providers. 
    This feature bypasses the need for paper-based documents, which are difficult to manage and easily replicated, lost, or misplaced, the organisations said in a joint statement Wednesday. The application is built on the OpenAttestation platform, which was developed by the Singapore government’s CIO office, GovTech, as an open source framework to notarise documents using blockchain.
    “Digital Health Passport leverages blockchain technology to generate tamper-proof cryptographic protections for each medical document. Users can automatically verify the digital records via a mobile app and present it to officials via QR code, for a quick and seamless verification process,” SGInnovate said. It added that blockchain-powered data storage allowed for greater transparency, security, and privacy, and ensured personal health data would not be revealed. 
    For added security, users will be able to log into their SingPass account — used to access e-government services — and choose the relevant records they want shared and set expiry timings. 
    According to SGInnovate, an early version of the digital health passport was deployed in a July 2020 pilot involving Singapore’s health and manpower ministries. Introduced as a new feature in the Manpower Ministry’s FWMOMCARE app, the health passport helped manage and display digital COVID-19 discharge memos for foreign workers, verifying such documents more than 1.5 million times. Foreign workers require the discharge memos to return to work. 
    The digital health passport also was used on other medical records such as COVID-19 swab results, immunity proof, and vaccination records.
    The application could potentially be extended to the travel industry and facilitate checks and verifications on the health status of travellers, such as the application process for “green lane” essential and official travels, or at boarding and border check-points for greater safety.
    SGInnovate’s deputy director of venture building Simon Gordon said: “As the pandemic tested Singapore’s healthcare sector, we identified a gap in the large-scale management of medical records. We wanted to quickly build a solution that enables a trusted authentication process, to create more efficiencies for healthcare practitioners and officials working at the frontline, and support the safe reopening of the economy.”

  • Twitter hires new CISO in industry veteran Rinki Sethi

    Image: Twitter (supplied)
    After leaving the position unfilled for months and suffering a major hack over the summer, Twitter has hired this week a new Chief Information Security Officer (CISO) in industry veteran Rinki Sethi.
    Sethi joins Twitter from her previous role as Vice President and CISO at Rubrik, a cloud data management company.
    Before that, Sethi also served as Vice President for Information Security at IBM, Vice President for Information Security at cyber-security firm Palo Alto Networks, Director & Head of Product Security at software giant Intuit, and in other cyber-security roles dating back to 2004 at companies such as eBay, Walmart, and PG&E.
    In her new role at Twitter, Sethi will report to Nick Tornow, Platform lead. She will oversee Twitter’s information security (InfoSec) posture, which includes areas like Enterprise Risk, Security Risk, Application Security, and Detection & Response.
    Twitter says Sethi will also work closely with teams such as the Privacy & Data Protection to address key company initiatives, and will also keep Twitter staff and the company’s board up to date on security-related issues.

    Mike Convertino served as Twitter’s previous CISO. Convertino left his position in December 2019, and the role remained unfilled.
    Twitter has been criticized this summer for not filling the CISO role fast enough. The criticism came after the social network suffered a major security breach in July when hackers broke into Twitter’s backend admin tools and defaced the timelines of tens of high-profile verified accounts with a cryptocurrency scam.
    Sethi’s hiring will quiet most of this criticism as the San Francisco-based exec is one of today’s most respected infosec figures.
    Beyond her extensive career credentials, Sethi has also served on the boards of major security conferences (WiCyS and SecureWorld), consulted on infosec books, and received numerous industry awards.
    In addition, Sethi was one of the founders of an initiative to develop the first set of national cybersecurity badges and curriculum for the Girl Scouts of the USA.