Category: Cyber Security

“Rivolta” gives an insight into the Exploits of a 15-year-old “Elite” Hacker named Michael ‘MafiaBoy’ Calce, who had taken down the websites of some of the largest companies.

Michael “MafiaBoy” Calce was just 15 years old. During his Exploit days, prior to being arrested, he had taken down the websites of some of the largest companies in the world, causing an estimated $1.7 billion in losses. He realized the depth of what he had done, after watching a news program where then President Clinton spoke about what “Mafiaboy” had done.

This video: “Rivolta: Inside the Mind of Canada’s Most Notorious Hacker” was produced by HP Canada. “Rivolta” was directed by Hubert Davis.

In one way this young person was extremely curious and yet his educators did not pick-up on that, so he sought out info elsewhere. In one part of the video, Michael Calce talked about taking a computer programming class in Pascal, but showed his instructor that he could code the course examples in far more powerful and complex “C Language“.

How many other genius kids who have the inner desire to learn, are also being missed by their Educators? Yes, this video is about the Exploits of a 15-year-old “Elite” Hacker, but it is also about an Educational System which in my opinion failed this young lad.

Video is courtesy of the HP Canada YouTube channel

Altaro is offering a free ebook “Ransomware: A Survival Guide”

Click on this link to visit the Altraro website to Download their free ebook titled “Ransomware: A Survival Guide”. They ask for your name and email to be able to D/L. Just do a Google search on “Temp Email” to find a site which will give you a free temp email address, if you do not wish to give out your email address.

The Altaro eBook is a short, yet interesting read about Ransomware.

Altaro also have a much more detailed video about Ransomware on their YouTube channel (see below).

Video is courtesy of the Altaro Software YouTube channel

Posted by Vincent Banial

WannaKey along with WanaKiwi may help to decrypt your WannaCry encrypted files without having to pay the Ransom

WannaKey works with older variants of Windows Server and Windows Workstation Operating Systems such as Windows Server 2003, Windows Server 2008, Windows XP, Windows 7, and Windows Vista.

When WannaCry encrypts your files, it creates a Private Key which is used to create the decrypt key. Then the Private key is erased. On older Windows systems the erase does not remove the data from memory. So if you are lucky and you have “not” rebooted the PC then there is a chance that WannaKey could recover the Private key, because it is still held in the system memory.

Once you have the Private Key then you can use a different program called wanakiwi to decrypt the files on the WannaCry encrypted PC.

The key point to remember is that the above process “MAY’ work. The Computer which was encrypted by WannaCry Ransomware, must “NOT” have been rebooted. Any files to download would be done using a different computer and then run on the encrypted PC via a USB flash Drive.  The WannaCry code did issue the command to erase the Private Key but the bug in older Windows Operating Systems is that Private Key has not been erased from the computer’s main memory.  With a bit of luck, you may be able to decrypt your WannaCry encrypted PC. Note there is no guarantee that this will work. If you are unsure how to go about this, then get a computer professional to help you.

Click on this Link to visit the GitHub page for Wannakey.

Click on thsLink to visit the

Click on this Link to visit the Comae Blog post by Matt Suiche titled “WannaCry — Decrypting files with WanaKiwi + Demos”. Matt goes thru the whole process along with screen shots.

Video is courtesy of the Vishnu Ava YouTube channel

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Best Practice is to also always create daily backups. If you try to decrypt a WannaCry encrypted personal computer or server, you do so at your own risk. There is no guarantee that the above info will be successful in decrypting the files.

CERT had issued Vulnerability Note VU#867968 advising about the SMB vulnerability in Microsoft Windows

WannaCry Ransomware seems to have appeared out of the blue. Because of it thousands of people have searched the internet to find out how to disable SMB on their Microsoft Windows based Servers and Workstations and Personal Computers. Thousands had dropped by Uniquely Toronto to read out posts which provided details on ways to disable SMB v1.0.

Now Adylkuzz is running another major attack which is underway and uses the SMB vulnerability in Windows.

There was a prior Cert advisory titled: “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability) was issued on Feb 02 2017.

In March Microsoft issued their Microsoft Security Bulletin MS17-012 which addressed the SMB issue.

There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN. “. Port blocking can be done using your Firewall Software (or Hardware)

“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 (link is external) and 204279 (link is external).”

Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Please install the Microsoft Windows MS17-010 Security Update (see link above). Best Practice is to also always create daily backups

Massive Adylkuzz attack is underway which uses the same tools used by WannaCry

New Adylkuzz Malware attack uses the same tools which were used by WannaCry Ransomware – (EternalBlue for instance) which were released by The Shadow Brokers back in April. Eternal Blue code scans a network to find computers running the Microsoft SMB v1.0 protocol service (open TCP ports 139 and 445 along with UDP ports 137 and 138). When found it can then install the malware.  Adylkuzz is infecting thousands of computers around the Globe. Microsoft released a Security patch back in March which addressed the SMB vulnerability. Last week Microsoft also released further Windows Security Patches for Windows systems going back to Windows XP.  Microsoft’s Windows Security Updates will stop the spread of WannaCry and Adulkuzz, once the Security Patches have been installed and the system rebooted. At the bottom of this post, you will find links to the official Microsoft Patches.

Video is courtesy of the DAHBOO77 YouTUbe channel

This new AdylKuzz Malware does not request any ransom from the owner of the infected computer. It does it’s processing in the background. One interesting aspect about the way that Adylkuzz works is that once it infects a computer it then disables the SMB v1.0 protocol. That move prevents any other Malware from infecting the computer. Adylkuzz may very well have protected thousands of computers around the globe from becoming infected by WannaCry Ransomware because Adylkuzz it is believed has been running in the wild on the internet for many weeks and before the WannaCry attack was launched.

Click on this Link to visit the PHYS.Org website to read their post titled: “Another large-scale cyberattack underway: experts”.

Adylkuzz essentially is a Cryptocurrency Miner. Apparently, it is being reported that Adylkuzz does not damage any files. A lot of people use their powerful computers to do Cryptocurrency Mining. Cryptocurrency like Monero and Bitcoin is essentially untraceable Internet money which can be converted to a National Currency or used directly on the Internet. Adylkuzz mines the Monero Cryptocurrency. Once installed on the infected computer it will start to use computer resources. On an older slow PC, the end user will notice a dramatic slowdown. On a Top End fast PC there will be a far less noticeable slowdown. What will be dramatically affected, will be one’s useable internet bandwidth. Downloads and even web page loading will take longer. Watching internet videos will be affected with slowdowns.

To prevent being infected by either WannaCry or Adylkuzz one needs to make sure that any Microsoft Windows Security Updates have been installed. Yes, one can manually disable the SMB v1.0 protocol on a PC, but the Microsoft Security Patches also patch other holes and vulnerabilities in the Windows Operating Systems. Install the Windows Security Patches. Also make sure to Update any and all of your Computer Security software like your Firewall, Anti-Virus, and Anti-Malware software. Then consider buying an external hard drive (if you do not already have one) and start backing up your data. Having a daily Backup of your data files costs far less than having to pay Ransomware, should your PC become infected.

Click on the following like to visit the Proofpoint cybewrsecurity firm’s post titled: “Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar”.

Click on this Link to visit the Symantec Security Response blog to read their post titled: “Adylkuzz Cryptocurrency Miner Is Not The Next WannaCry”.

Click on this Link to visit the news.com.au site to read their post titled: “New Adylkuzz cyberattack targeted at mining virtual currency in infected computers”.

Click on this Link to visit the RT website to read their post titled: “WannaCry XXL? 2nd even bigger global cyber attack already underway”.

The following was posted by Anonymous on their YouTube channel TORnado – Anonymous France. Permission to share was posted on their YouTube channel along with the video linked to below,:
“Published on May 17, 2017

Greetings citizens of the world,

We are Anonymous.

This is a new warning about a massive hack.
Following the attack “WannaCry Ransomware”, a much larger hack was discovered.

Much more vicious, better hidden and bringing much more money to black-hats hackers, this massive virus is called “Adylkuzz” and simply uses the same flaw as WannaCry.
This is once again a computer tool stolen from the NSA.
But this time it is not your data that is affected but your entire computer that through the rat, will become a minor zombie of crypto-currency.

For the moment of what we, Anonymous know, here is the process:

The virus enters the computer with DoublePulsar and EternalBlue, via the MS17-010 fault on the TCP port 445 as the previous “WannaCryptor” but there will be nothing on the screen. You will not even know that you are infected.

Then the hack will begin to mining the cryptomony with your machine, ie you will produce virtual currency of type “Monero”, similar to the famous bitcoin without
You know it and free for hackers you do not know.
Knowing that the mining uses the abilities of the PC, the victim then undergoes slowdowns which causes a malfunction of the computer.

Several hundred thousand people would already be in this case, that’s why we’re alerting you once again. It seems that “WannaCry” was only the part of the iceberg, stay alert, update your Windows and keep your antivirus.

On our side we follow different tracks to find these hackers. Already about 40,000 dollars in Monero have recently been discovered probably the money gained through the hack.

The cryptomontee is thus once again likely to have a bad image in the media whereas this currency remains a practical and anonymous means to buy or give money.

Now calls to the Anonymous, it’s time to stop these criminals and help those affected or not knowing how to protect themselves.
The NSA can not even protect its own data, so we can only count on ourselves.
In any event,

We’re Anonymous,
We are Legion,
We do not forget,
We do not forgive,
Rogues, thieves, whoever you are,
Expect us.

————————————-“

The video below, by Anonymous, is the above info but spoken in French.
Video is courtesy of the TORnado – Anonymous France YouTube channel

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Best Practice is to always create daily backups

Global spread of WannaCry Ransomware – Mon May 15 2017

Video is courtesy of the NIC Webcast YouTube channel

WannaCry Ransomware is continuing the spread around the globe. Some have even called it the start of a CyberWar. Russian President Putin is apparently blaming the U.S. for creating the tool set. Microsoft is apparently pointing that it is the stolen software tools from the N.S.A (National Security Agency).

Click on this link to visit the Kaspersky Lab SecureList blog site to read their detailed coverage titled “WannaCry ransomware used in widespread attacks all over the world”

I’m going to try something new, by featuring links to current news and major website posts related to the Global spread of WannaCry Ransomware:

Click on this link to visit the Microsoft Blog to read their post titled: “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack” by Brad Smith – President and Chief Legal Officer.

The following is a paragraph from Brad Smith’s post:
All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.

Kudos go out to Microsoft for providing the Security Update for Windows XP:

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Click on this Link to visit the Wall Street Journal website to read their post “Cyberattack Is Likely to Keep Spreading. In the post they state that WannaCry Ransomware has spread to over 150 countries. Yesterday I had checked a tracking site which stated that over 230,000 computers had been hit with WannaCry. The Tracker only keeps track of those PCs which were still connected to the internet.

Click on this Link to visit The Telegraph news site to read their post “Cyber attack latest: Vladimir Putin blames US for hack as thousands more computers hit by ransomware“.

Click on this Link to visit the CyberSecurity Firm Malwaretech to view their live tracker for WannaCry / WannaCrypt.

Click on this Link to visit the Yahoo Tech site to read the Associated Press article “The Latest: 29,000 Chinese institutions hit by cyberattack“.

Click on this link to visit the Associated Press news site to read their article “Log in, look out: Cyber chaos may grow at workweek’s start.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Running demo of WannaCry v2 Ransomware Binary

WnnaCry Version 2 Ransomware is out. I had mentioned it in a prior post. The main difference is that the Kill SwitchCode has been removed. It is still a Worm which can spread across a Windows Server-based network, using the SMB v1.0 protocol.

In the video below the actual Binary Code of the WannaCry V2 Ransomware is run in a virtual environment.

Video is courtesy of the Colin Hardy YouTube channel.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

How to find the presence of WannaCry Ransomware and SMB v1.0 Servers running on your Windows Network.

First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.

Click on this link to visit the SANS Institute InfoSec Reading Room, to D/L their helpful PDF about backup sets, titled “Backup Rotations – A Final Defense”.

Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers. and all Windows based Workstations. Do not forget about patching Portable Notebook Computers running Windows, as they may not always be connected to your network. This includes Apple Mac Equipment, which may be virtually running Windows.

Click on this link to view a map of the spread of the WannaCry Ransomware attack – so far over 230,000 computers have been hit.

As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.

For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, Scroll to find the SMB 1.0/CFIS File Sharing Support line. Make sure to clear the checkbox on the SMB1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.

For Windows Server Operating Systems: Open Server Manager. Find and click on the and then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down and find and clear the SMB1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows  Server.

Once your Windows Server-based Network is back up and running, start your Network Monitoring tool(s) and Packet Sniffing tool(s). Wireshark is well known. Microsoft Message Analyzer is the replacement for Microsoft’s Network Monitor. SmartSniff is another one. NAST (Network Analyzer Sniffer Tool)  is popular. Capsa Free Network Analyzer allows you to monitor over 300 different protocols.

Click on this link to visit Microsoft’s Technet website to view their post titled: “Microsoft Message Analyzer Operating Guide”.

You should be looking out for the some of the followingUse of file sharing protocol versions, especially SMB v1.0. Activity spikes, like File Renames or New File Creation. Multiple Workstations connecting to the same external IP address.

Keep an eye out for instances of the file@Please_Read_Me@.txton your file shares. Also check for any instances of files with these extensions:.wnry,.wcry,.wncryand.wncryt“.

Video is courtesy of the DAHBOO77 YouTube channel

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates at the following links:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

Click on this link to download localized versions of the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Link to the important Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

Disclaimer: The above post is subject to change without notice. There may be unintentional errors in the above post.

How to disable SMB to stop WannaCry Ransomware. Also links to Microsoft Patches for Windows to stop WannaCry Ransomware

UPDATE May 14 at 3:00pm – added more ways to disable SMB

Some Cyber Weapons which were apparently developed by a National Spy Service to break into enemy computers, were supposedly stolen. Then some of the code for the Cyber Weapons was released to the public, on 14 April, through a dump by a group called Shadow Brokers.

On May 12 2017, a new Ransomware was released on the Internet. It utilized some of the code found in the Cyber Weapons and also a Malware called WannaCry. Hundreds of thousands of computers around the globe got hit. Then a kill switch was set off which dramatically slowed and possibly will stop the Ransomware from spreading further.

Stop the presses. A new version 2 of the WannaCry Malware is now out, which no longer has the Kill Switch code. That will make it difficult to stop.

The Hacker News facebook page posted a solution. Essentially their posts stated to disable the SMB service within Windows. It is not needed and is enabled for backwards compatibility.

Ok, but how do you disable SMB in Windows?

In Windows go to Control Panel. In Control Panel go to the icon labeled “Programs”. Click on it. Then under Programs and Features click on Turn Windows Features on and off. Once there, just scroll down till you find SMB 1.0/CIFS File Sharing Support. Make sure the checkbox to the left of SMB 1.0 is “NOT” checked off. Then click OK and then close control Panel. Reboot the computer.

In my Windows 10 it was already off (unchecked).

Video is courtesy of the Andr.oid Eric YouTube channel

Video is courtesy of the HatimTech YouTube channel

Another way to disable SMB is by using the Registry Editor. The following Video shows how to do it in Windows 7.

Video is courtesy of the Brxtt Tech YouTube channel

Another way to do it is to key in a Powershell command. That is like a super DOS Prompt. Open a Powershell Window and key in the following (but not the Quotes):

Disable-WindowsOptionalFeature -Online -FeatureName SMB1protocol

Press Enter and you should be good to go after you reboot the computer. I would double check in ControlPanel. Better safe than sorry.

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

  • To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
  • To disable SMBv1 on the SMB server, run the following cmdlet:
          Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet. But I would restart the computer.

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.
Windows PowerShell 2.0 or a later version of PowerShell

  • To disable SMBv1 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force
  • Note you must restart the computer after you make these changes.

REGISTRY. To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1

REG_DWORD: 0 = Disabled

REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Restart the computer after making the changes to the Registry.

How to enable or disable SMB protocols on the SMB client
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
To disable SMBv1 on the SMB client, run the following commands:

     sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

     sc.exe config mrxsmb10 start= disabled
     Restart the computer after executing the above.

If that is the hole inside all Windows Versions that existed prior to the Mar 2017 Microsoft Patch, then it has been around for ages.

Click on this link to visit The Hackers News Facebook page.

Click on this link to visit The Hackers News website.

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.

One final note which is bugging me. People are saying that this Ransomware is a “VIRUS“. WannaCry Ransomware is “NOT” a Virus. The WannaCry Ransomware is a vastly more complex computer “WORM“, hence it’s ability to find Windows computers connected to a network.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. The WannaCry Malware has already been changed (minus the Kill Switch). Disabling SMB may not prevent future versions from affecting your computer. Best Practice is to always create daily backups

“Hack the Air Force” is a new White Hat Hacking contest. The United States Air Force is inviting vetted computer security specialists from across the U.S. and select partner nations to do their best to hack some of its key public websites.

Posted by Vincent Banial

The recent DOD ‘Hack the Pentagon’ contest was a success. That contest was limited to US based Cyber Security enthusiasts. The United States Air Force “Hack the Air Force” contest,  will be expanding the opportunity to join in the contest by allowing individuals and groups from the following countries to also participate (in addition to US Citizens): United Kingdom, Canada, Australia and New Zealand.

The Hack the Air Force contest is being run with the help of CyberSeurity Firm HackerOne. The HackerOne platform will help allows White Hat Hackers to submit their Security Holes in a safe and secure manner.

Video is courtesy of the HackerOne YouTube channel

On the HackerOne main website page they state :
“77% of Programs Find Security Vulnerabilities within 24 Hours.”.

This sounds like a great move by the Department of Defence and the US Air Force. The prior “hack the Pentagon” contest was a great success. This new Hack the Air Force contest will allow non-US based CyberSecurity Talent to participate. The more people joining the contest the more Security Vulnerabilities I suspect will be found.

This should be a win-win for bothe the Air Force and for the White Hat Hackers. The HackerOne facebook page states that $16 Million in bounties have been paid out in prior HackerOne coordinated White Hat Hacking events.

Registration for the ‘Hack the Air Force’ event opens May 15 on the HackerOne website. The contest opens May 30 and ends June 23. Military members and government civilians are not eligible for compensation but can participate on-duty with supervisor approval. Mark your calendars and make sure that you register starting on May

Mark your calendars and make sure that you register starting on May 15 2017.

Click on this link to visit the official US Air Force site to read their news Release about this new “Hack the Air Foce” White Hat Hacking contest.

Click on this link to view other Cyber Security posts on Uniquely Toronto.

 

“SysAdmin’s Essential Guide to Linux Workstation Security” free eBook from The Linux Foundation

artificial-intelligence-2167835_1920-Vince changed-640x480-web
Photo courtesy of Gerd Altmann  – CC0 License. Vincent Banial modified the look & feel.

The Linux Foundation is offering a free download eBook titled: “SysAdmin’s Essential Guide to Linux Workstation Security“.

The suggestions offered in their eBook, are based on 3 level levels of security which one would want. These are:

(ESSENTIAL) items, if “not implemented” could introduce high risks to your workstation security.

(NICE) to have items will increase the overall security, but may require learning new habits or unlearning old ones.

(PARANOID) items could significantly improve your workstation security but may require time to learn new ways of doing things.

Click on this link to visit The Linux Foundation website and download your own copy of their eBook titled:SysAdmin’s Essential Guide to Linux Workstation Security.

Click on this link to view other Cyber Security posts on Uniquely Toronto.

Demo of FuzzBunch breaking into a virtual Windows 2008 Server. FuzzBunch is NSA created Malware which had been leaked by Shadow Brokers

Posted by Vincent Banial

It has been a while since I posted about Cyber Security. Last year’s round of posts were very well received. We even had a major Cyber Security firm linking to our posts.

What a “coincidence“, back in March of this year Microsoft patched a whole bunch of security holes in assorted Windows Operating Systems. On Friday, April the 14th 2017, a Hacker group called the Shadow Brokers released a ton of NSA developed weaponized software Exploits and Malware which allowed the NSA to break into computers around the globe. Not just break in, but potentially to also take control of computers running Windows Operating Systems prior to Windows 10. The Friday, April 14th Easter Egg contained over 200 megabytes of code which was dropped on GitHub.

Yes, Microsoft released a Security Update (patches) In March 2017 for their Windows Operating Systems which plugged the Security Holes used by the code which Shadow Brokers made available to the whole wide world on April 14th 2017. The key question is, will users and Network Admins apply those patches? If the March 2017 release of Microsoft patches are not installed, the computers remain vulnerable, as the Exploit and Malware code is available to everyone from Newbie Wannabe to Elite Hacker. Just wait till modified versions start being used.

One of the most powerful NSA coded Malware released is called FuzzBunch. The video below is a demo (in a controlled test environment) of FuzzBunch breaking into a virtual install of Windows 2008 Server.

Spiceworks did a survey of Network Server Operating systems being used. Windows 2008 Server was installed on over 40% of the Windows Server installations. People are even still using Windows 2003 Server. Hey, if it works and ain’t broke, why upgrade.

Click on this link to visit the Spiceworks website to read their 2016 post.

FUZZBUNCH from The Intercept on Vimeo.

Click on this link to visit the ARS Technica website to read their informative article about the Shadow Brokers April 14th Easter Egg NSA created weaponized software Exploits and Malware dump.

Click on this link to view other Cyber Security posts on Uniquely Toronto.

 

Cisco Talos Security Webinar

Participated in the Cisco Talos Security Webinar on Wednesday.

Last year I had posted about Kaspersky Lab reporting about a Bank exploit, where Russian Banks were targeted. Basically the Hackers were able to get Bank Accounting Staff to connect to a site where a keylogger and other Trojan Remote Control software was secretly uploaded and installed into “system RAM“, but not onto the Hard Disk or Network Storage. That allowed their remote control software (called Lurk) to be overlooked by Security Software, because Security Software usually scans stored files and not RAM. Once installed, the hackers could monitor the employees. When the employee went for lunch, they took over the PC and started to transfer funds around the world.

Video is courtesy of the DewClarke YouTube Channel

Earlier this year, Russian Authorities had arrested over 50 alleged Hackers who were alleged to be part of the group which targeted and Hacked into the Banks. The investigation into this group’s activities had been ongoing for years (at least since 2013). The Cisco Talos Security Webinar discussed the arrests and the aftermath. Cisco’s research seems to indicate that the same group was involved in other Internet Exploits. One of which was the Angler Ransomware.

Since the Russian arrests, certain malware has disappeared, along with certain DarkNet sites and BotNets. The Russian Authorities made the Internet a tad safer, at least for a short while.

Click on this Link to visit The Hackers News website to read about the Russian sting operation and arrest of 50+ alleged hackers involved in the Banking Exploit.

Click on this Link to view other Uniquely Toronto posts related to Cyber-Security issues.

 

Posted by: Vincent Banial
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

Norton Security Premium – 10 Devices [Download Code] Amazon Deal of the Day Jun 20 2016

UPDATE June 21 2016 – This Amazon Deal of the Day has expired. Was valid only on June 20 2016

For our American USA based visitors, the Amazon Deal of the Day for June 20 is:

Norton Security Premium – 10 Devices [Download Code] priced at $27.99 or 69% discount on June 20 2016 only

Deal only valid on June 20 2016. Deal only valid for residents of the US. Sorry Canadians. Click on this link to visit the amazon.com site for this their Deal of the Day

Norton make decent Security Software. The Norton deal is for 10 devices, that includes laptops and Desktop PC (MAC and Windows based), Cell Phones, Tablets.

Installing a security package on your Cell phone or internet connected Tablet is a smart move, especially for Windows users. Mac Operating systems are a growing target, but no where near how much Windows is targeted.

The deal ends today June 20 and is only valid for US residents.

Uniquely Toronto saves you money…

 

Posted by: Vincent Banial
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official http://www.amazon.com website to confirm details and any ongoing changes or updates. This post is subject to change without notice. Any offers mentioned in this post are also subject to change without notice.

 

Malware infected Android Apps discovered by Cybersecurity Researchers

Warning for Android based Cell Phone Users. Cybersecurity Experts have found a Fake Google Chrome Update which instals Malware

The Cybersecurity Researchers at Zscaler Inc have posted a new finding of a Fake Google Chrome Update which installs Malware. The only way to get rid of the Android Infostealer Malware is to reset the Android Phone to factory settings (thus wiping claen).

Click on this line to be taken to the Zscaler website to read their Blog post ttiled: Android infostealer posing as a fake Google Chrome update.
Their post was written by Viral Gandhi

Click on this line to visit the Zscaler YouTube channel

Click on this line to visit the Zscaler website.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

HORNET, the alternative to Tor Network

When we think about surfing the Internet, most people are looking at just the top of the network iceberg. When in fact, the web actually holds a “Deep Web,” hidden from everyday users and ordinary browsers. This is due to the Deep Web continuously encrypting …

Source: HORNET, the alternative to Tor Network

 

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Major Bank Heist using SWIFT. Hackers tranferred over $950 Million and got away with $81 Million

The link above is to a Financial Post article on Cyber Security by Martin Arnold

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

New Apple OS X Ransomware discovered by “Unit 42” of Palo Alto Networks


A new Ransomware targeting Apple OS X based computers has been found and reported by Palo Alto Networks
. Their Unit 42 Security Group have named this new ransomware as “KeRanger”.

Two installers of the Transmission BitTorrent ailient installer for OS X were found by Palo Alto Networks to be infected with KeRanger Ransomware.

The following is a quote from the Palo Alto Networks Reseaarch Center blog:

Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website.

The Transmissionbt.com home page features the following security notice:

Read Immediately!!!!

Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OSX.KeRanger.A” ransomware (more information available here) is correctly removed from your computer.

Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file.

Click on this line to visit the Palo Alto Networks Unit 42 webpage. There you will compete details about KeRanger. Scroll down to the section titled: How To Protect Yourself.

Click on this line to visit the MacRumors website to read their post titled: “First Mac Ransomware Found in Transmission BitTorrent Client”.

Click on this line to visit the 9to5Mac website to read their post titled “First OS X ransomware detected in the wild, will maliciously encrypt hard drives on infected Macs (updated: how to fix)

Click on this ine to visit the arstechnica website to read their post titled: “First Mac-targeting ransomware hits Transmission users, researchers say Rogue copy of BitTorrent client results in KeRanger install, which demands 1 bitcoin.”

Click on this line to visit the Reuters website to read their post titled: “Apple users targeted in first known Mac ransomware campaign“.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial
www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice. Any offers mentioned in this post are also subject to change without notice.

“Hack The Pentagon”. The Department of Defense, in the USA, announced Cybersecurity Initiative.

The following is the official News Release about the DoD’s Cybersecurity Initiative titled”Hack The Pentagon“.

Statement by Pentagon Press Secretary Peter Cook on DoD’s “Hack the Pentagon” Cybersecurity Initiative

Press Operations

Release No: NR-070-16
March 2, 2016

PRINT | E-MAIL

The Department of Defense announced today that it will invite vetted hackers to test the department’s cybersecurity under a unique pilot program.  The “Hack the Pentagon” initiative is the first cyber bug bounty program in the history of the federal government.

Under the pilot program, the department will use commercial sector crowdsourcing to allow qualified participants to conduct vulnerability identification and analysis on the department’s public webpages.  The bug bounty program is modeled after similar competitions conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products, and digital services. The pilot marks the first in a series of programs designed to test and find vulnerabilities in the department’s applications, websites, and networks.

Participants in the bug bounty will be required to register and submit to a background check prior to any involvement with the pilot program.  Once vetted, these hackers will participate in a controlled, limited duration program that will allow them to identify vulnerabilities on a predetermined department system.  Other networks, including the department’s critical, mission-facing systems will not be part of the bug bounty pilot program.  Participants in the competition could be eligible for monetary awards and other recognition.

This innovative project is a demonstration of Secretary Carter’s continued commitment to drive the Pentagon to identify new ways to improve the department’s security measures as our interests in cyberspace evolve.

“I am always challenging our people to think outside the five-sided box that is the Pentagon,” said Secretary of Defense Ash Carter.  “Inviting responsible hackers to test our cybersecurity certainly meets that test.  I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.”

The “Hack the Pentagon” initiative is being led by the department’s Defense Digital Service (DDS), launched by Secretary Carter last November.  The DDS, an arm of the White House’s dynamic cadre of technology experts at the U.S. Digital Service, includes a small team of engineers and data experts meant to improve the department’s technological agility.

“Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country,” said DDS Director and technology entrepreneur Chris Lynch.

This initiative is consistent with the administration’s Cyber National Action Plan announced on Feb. 9, which prioritizes near-term actions to improve our cyber defences and codifies a long-term strategy to enhance cybersecurity across the U.S. government.

The pilot program will launch in April and the department will provide more details on requirements for participation and other ground rules in the coming weeks.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial
www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice. Any offers mentioned in this post are also subject to change without notice.

Apple withdraws China Apps for the Apple App Store, after XcodeGhost Malware infected IOS Apps were found by CyberSecurity firm Palo Alto Networks.

Ryan Olson, Intelligence Director, with Cyber Security Firm Palo Alto Networks discusses the finding of Apps on Apple’s App Store which were infected by XcodeGhost Malware.

Ryan Olson states that this is an important issue for every Apple IOS user.

If you had downloaded an infected app, one solution might be to then download an “updated” version as it becomes available on Apple’s App Store.

Video is courtesy of the Associated Press YouTube Channel

You can read full details about what Unit 42 of Palo Also Networks had found regarding the XcodeGhost Malware infected IOS Apps found on Apple’s App Store by clicking on this line.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

Cybersecurity For Dummies available for legal download, at no charge from cybersecurity firm Palo Alto Networks

Palo Alto Networks is a Cybersecurity firm which creates Enterprise level solutions from Firewalls to full Endpoint Protection.I had previously written about Palo Alto Networks and the work of their Unit 42 Experts who broke the story, back in November 2014, about the WireLurker Apple IOS and OSX Family of Malware.

Chinese authorities had arrested a number of individuals and shut down the WireLurker Command and Control Server just ten days after Palo Alto Networks released their findings.

Last weekend we focused on Cybersecurity issues. Many visitors to this site may not be fully versed in Cybersecurity issues. In that vein, I wanted to let you all know that Palo Alto Networks is allowing the legal download of Cybersecurity for Dummies. It discuss APTs (Advanced Persistent Threats) to the Enterprise Network. Old solutions no longer work. A layered approach of new solution is detailed.

Click on this line to visit the Palo Alto Networks page where you can fill in a brief form to gain download access to Cybersecurity for Dummies.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by: Vincent Banial

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice. Any offers mentioned in this post are also subject to change without notice.

Next Suits and Spooks event to be held in London England on May 06 and 07 2015


Suits and Spooks Events are a bit like TED Talks, but focused on Cyber Security issues. From the Suites and Spooks webpage: “Each event draws thought leaders and decision makers from the public, private, defense, law enforcement and intelligence sectors who come to learn about and discuss some of the key security challenges which face our digitally connected nation and world

One unique aspect of the presentations made at Suits and Spooks is that after the first 10 minutes, the Audience can join in by asking questions or directly challenging the presenter. Audience participation resulting in Debate and Discussion is the cornerstone of these events.


The next Suits and Spooks Event will be held in London England on May 6th and 7th 2015.


Click on this line to view their prior events which were held in 2014 and to check out the agenda of presentations made.


Click on this line to visit the Registration page for the upcoming 2015 London Suites and Spooks Event.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial for Uniquely Toronto
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice. Any offers mentioned in this post are also subject to change without notice.

Just wanted to say Hello to our visitors from the American NSA agency , Canadian CSIS agency, Russian SVR agency and German BND agency. Sorry if I left out one or two others…


Thanks for dropping by and checking out this past weekend’s Cybersecurity related posts….

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Kaspersky Lab publishes details about the Equation Hacker group’s arsenal, including “nls_933w.dll” which can reprogram the hard drive firmware of over a dozen different hard drive brands


Kaspersky Lab presented at their Security Analysts Summit something even more scary than the details about the Carbanak Bank Cyber Heist. Per Karspersky the Carbanak group ripped off about 100 banks around the globe of about $1 Billion Dollars (and in my opinion very likely still counting).

Kaspersky Lab Experts referred to the Equation group as the “God” or the “Death Star” of Malware. Part of the huge arsenal of code which the Equation group has been developing over what looks like decades is nls_933w.dll“. “It allows them to reprogram the hard drive firmware of over a dozen different hard drive brands“.

Oncenls_933w.dll installs the Malware into the Hard Disk’s firmware, there is no way to remove it. Repartitioning will not affect it. Reformatting has no effect. The only way to get rid of this Malware from the targeted computer, is to physically destroy the Hard Disk.

Kaspersky Lab goes on to report that the Equation group seems to have existed long before the Stuxnet group.

The word “Elite” is part of the lexicon of Hackers. The Equation group therefore can be called the Elite of the Elite of the Elite of the Elite of the Elite and so on of Uber Hackers. To be able to hack and modify a Hard Drive’s firmware is unheard of. To be able to do so for Hard Drives of over a dozen different brands is insanely impossible. Yet the Equation group did it and very likely much more, that has yet to come to light. In comparison, this makes things like the REGIN Malware group’s incredible capabilities seem like no big deal.

Ok, enough of my rambling.

Click on this line to view the Kaspersky Lab report about the Equation group and their arsenal of jaw dropping Malware. On that page you will find a link to a downloadable PDF of the Question and Answer session from their presentation at the Security Analysts Summit.

Wow, this has turned into a CyberSecurity long weekend. Very impressive and rather scary stuff has been revealed by Kaspersky Lab.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.