October is Cyber Security Awareness month, it’s likely that one of your email accounts has been involved in a breach - find out how to know for sure, let’s ditch Yahoo mail together, a new password stealer is in the wild, and another unsecured database is discovered, this time compromising NFL players and their agents private data.

Attackers turn their attention to foods this week, Wholefoods & Sonic compromised point of sale systems, cause fire sale of credit and debit card account numbers on the dark web, we learn how much Tinder knows about you, and it seems the Deloitte hack is going to be a lot worse than originally estimated.

For those in the Twin Cities:

We are having a Cyber Security Fall Forum at Utepils Brewery on October 17^th, Craft beer, soda, food and an afternoon of Cyber Security!  Register here:  http://connect.cyberadvisors.com/brew-and-bytes-fall-securitforum

Pattern recognition easily defeats Android passwords, more Amazon S3 buckets exposed, GPS coordinates on an Instagram post lead to a Most Wanted Arrest, and WI-FI theft causes the FBI to raid the wrong home. 

We continue with our theme of improving our security posture by looking at some quick ways to keep our own personal WI-FI from being hacked.

For those in the Twin Cities:

We are having a Cyber Security Fall Forum at Utipils Brewery on October 17^th, Craft beer, soda, food and an afternoon of Cyber Security!  Register here:  http://connect.cyberadvisors.com/brew-and-bytes-fall-securitforum

This week we learned:
1.    The Equifax breach was indeed the result of an unmitigated known security vulnerability in the Apache Struts 2 web application service discovered in March 2017 Apache Struts CVE-2017-5638.
2.    Security researchers exposed an additional database in Argentina protected with the credentials of admin/admin.  Equifax claims that this database had not been used since 2013 which leads one to question what other databases were left exposed to the internet with easily guessable passwords.  
3.    Two executives have “retired” and the CEO will be facing a congressional inquiry on October 3rd.

In last week’s article we focused on tackling the immediate steps to take charge of your own credit.  If you haven’t had a chance to freeze and review your credit and change your logins and passwords please consider doing so.  Keep track of all of your receipts and expenses related to the breach, as there will be opportunities to participate in a variety of lawsuits, especially if your identity was stolen as a result of Equifax’s negligence.  There’s also the opportunity to take a short position through put options or a straight short sale, if that interests you.  The stock has moved 50 points down in the last 2 weeks and some speculate that it still has further to go.

This week the focus will expand to include ways to protect your overall identity and take back control over what information companies have about you.  Recent legislation allows ISP’s (Internet Service provider) to get into the data mining business and collect information about your browsing history, geo location, and online activity.

Three things you can do to protect  your browsing.
1.    Use a VPN (virtual private network) service that doesn’t log your data.  For a few dollars a month you can set up a VPN service, creating a virtual encrypted network tunnel between your computer and the VPN service provider.  Since all Internet traffic will be coming from the network you connect to at the end of the tunnel, your ISP will be blind to your surfing activities.  VPNs are a must have for people who connect to public wifi connections in coffee shops, libraries, etc.
2.    Use a tor browser:  Tor obfuscates your traffic by sending it through a free relay network which helps to conceal location and browsing information from anyone conducting network surveillance, including your ISP.  https://www.torproject.org/

3.    Make sure the sites you browse leverage HTTPS instead of HTTP.  HTTPS traffic is encrypted, and while your ISP can see the site that you visit (unless using a VPN or tor browser) it won’t be able to see and record as much of what you are doing on the site.

4.    Use a web browser that has built in tracking prevention and/or install 3rd party extensions such as Ghostery, Ad Block, uBlock Origin or Privacy Badger.  Reminder:  Some sites rely on ad revenue to survive.  Consider white listing the sites you frequent, and those sites that promise an ad-light experience.
Write up on new Safari tracking prevention:
https://www.blog.michiganfreelisting.com/apple-addresses-ad-industry-complaints-safari-tracking-prevention-feature/

Secure Email – Setup time 10 minutes.  Cost:  free or a small monthly fee.
All of the free email providers (Yahoo! (Verizon), Gmail, Hotmail (Microsoft)) and many of the paid providers (Comcast, other ISPs, etc.) scrub your email for content and sell metadata about you.  All of the major social media providers (Facebook, Twitter, Instagram, Snapchat) also collect and store information about you, not only is this information available for sale in metadata form, it’s also available to the federal government.

The PRISIM program allows for the collection of Internet communications from at least nine Internet companies.  The data collected includes E-mail, Chat (video & voice), Videos, Photos, Stored data,  VoIP, File Transfers, Video Conferencing, login data, Social networking details (Geo locations, etc).
https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29

If you wish to exclude yourself and your data from this type of collection then a place to start is by making sure your personal email is encrypted in transit and at rest by using a secure email provider.

Proton mail is a provider that offers encrypted email with data stored on servers in Switzerland, a country known for its privacy laws.  Proton mail is unable to provide access to your data to any country or entity because 1.  Swiss laws do not allow it.  2.  Proton mail does not have cryptographic access to your data.
https://protonmail.com/privacy-policy

This week, instead of reporting five incidents of the previous week, I’m just going to focus on one, the Equifax breach. With over half of the adult population in the US impacted, it is likely that you, or someone you know is affected.
Over the next two weeks I’ll provide an overview of steps we can all take to tighten up our own security, starting with preventing unauthorized use of our personal information. Most of these solutions are free or low cost.
We’ll start with the most important items first and things that would ideally be done this week. If you are unable to, or are reading this at a future point in time, the items are still relevant and can be done anytime.
There are four credit bureaus, three that report credit and assign a score – Experion, Equifax, Transunion, and one, Innovus, that just reports on credit. We’re going to work with all of them to make sure that you have full control over your credit.

1.  465,000 St. Jude pacemakers to receive a critical patch - a year after a vulnerability was discovered 

Google removes 500 apps from the Play marketplace due to Trojan horse style spyware, iPhone 7/7Plus hacked, Facebook messenger spreads malware, another Amazon S3 bucket left open, this time exposing 1.8M Chicago voter records. And thousands of IoT device IP address and passwords exposed on Pastebin.

Two of the articles this week deviate from cyber security, however, they are topical and relevant to painting a larger ‘buyer beware’ theme.  Malicious actors sell counterfeit eclipse viewing glasses, Roomba's map your house (potentially for the highest bidder), embedded ultrasonic signals played through a TV can allow malicious actors to track your movement, DJI plans to remove a Trojan from its ‘Go’ app, and shared smartphone application libraries libraries expose content to hackers.

User targeted malware picks up this week – the latest variant of ransomware-as-a-service, Cerber, steals bitcoin, and browser passwords before encrypting systems.  Free is not always free, Hotspotshield Free VPN is in some hot water as researchers discover that ads and tracking data is injected into its users’ browsing streams.  NIST (National Institute of Standards and Technology) releases new password guidelines – It says previous guidance of frequent changes and random numbers and characters leads to weaker passwords.  The international SMS messaging app SMS Touch compromises its users by sending authentication data and conversations in the clear.  And researchers discover thousands of Android apps are spying on their users.

1.  Cerber Malware gets more malicious
Cerber a popular ransomware of 2016, in part due to its Ransomware–as-a-service operating model where the author of the ransomware receives 40% of the ransom, and the distributor receives 60%, is back in the news.  The latest Cerber variant scans systems for cryptocurrency wallets, and attempts to steal the coins before encrypting the system.

Latest Windows SMB flaw (SMBLoris) compromises all versions of Windows from Windows 2000 to Windows 10.  A big week for phishing - Copyfish Chrome Extension compromised by phishing, Whitehouse execs phiished by “prankster”, Germany reports sophisticated spearphishing, Nissan expired domain allows attackers to collect live telemetry data from cars.

1. SMBLoris – latest SMB (internet protocol) flaw in Windows remains unpatched
SMBLoris effects all versions of the SMB protocol going back to Windows 2000.  This SMB vulnerability is executed when SMBLoris opens an SMB connection and requests a buffer of 128kb (maximum size allowed).  Alone 128kb isn’t much, but since a single attacking address can request 65,535 connections, (one for each source port), it can buffer 8GB of memory.  Multiply this by a few source addresses and memory will be filled quite quickly.  These requests allocate memory in physical RAM without allowing it to be paged in swap space.   This puts the CPU in a loop where it is scanning for additional free memory without cycles to do anything else.  The system will completely freeze without blue screening as it doesn’t even have the time to produce one.

The flaw was privately reported to Microsoft in early June, but the company considered it to be of moderate impact and does not consider it to be a security breach. In addition, it would probably not even be fixed.  Instead Microsoft recommends blocking access from the internet to SMBv1. 

Two researchers Sean Dillon and Zach Harding discovered the exploit while researching EternalBlue. The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. The research team demonstrated how they could take down a 128GB server using only a Raspberry Pi in under 30 seconds.

Attackers were able to connect to the IoT device, compromise one of these sensors and move to other vulnerable areas of the casino’s network and send out data. 

Overview:
https://community.rapid7.com/community/infosec/blog/2017/08/03/smbloris-what-you-need-to-know
SMBLoris Attack Demonstration:
https://youtu.be/mPPUv6Y4zHk
SMBLoris Denial of Service Code (in C):
https://packetstormsecurity.com/files/143636/SMBLoris-Denial-Of-Service.html