Wednesday, January 24, 2018

Phishing from Netflix ??

A weird phishing campaign that appears to come from Netflix.

First the email:

A normal phishing attempt, so far.
Easily done.

To be expected:

I had never seen one like this:



Phishing (sending email to lure you to a fake site that looks identical to a site you are familiar with)
is profitable for cyber criminals. Falling victim to such sites and email links is common.
 This is a new twist to me, but there will be more in the future.
 FOMO (fear of missing out) is tempting. Fear of losing your Netflix account is tempting. Being the first to know is tempting.

Be careful out there.

Apple updates again

 Updates out from Apple late yesterday.
Products: iOS, MacOS, WatchOS, tvOS, Safari

Thursday, January 18, 2018

Inspectre utility to clarify Meltdown and Spectre

I try to avoid placing links in blog posts; a link is itself a security vulnerability.
I try to avoid recommending applications or utilities.
However, this is one I make an exception for.
Steve Gibson is a seasoned security researcher.
After Microsoft released a PowerShell script to give details on Meltdown and Spectre, AND disabled the patches for the vulnerabilities under certain circumstances, users were unsure how to protect themselves amid the sensationalism in print and video media.

https://grc.com/inspectre is an executable that adds some clarity. When downloaded and run, the executable checks for the required patches, does an analysis of the performance impact, and allows you to disable one or both patches and measure performance with and without them.
 My recommendation is to patch and adapt to any performance impact.


 After running you can scroll the window to gain further information.

The mitigations for Meltdown and Spectre will be ongoing for a while.

 I will attempt to update the blog and Cyber Security SIG meetings with updates.

Wednesday, January 10, 2018

Windows security updates related to Meltdown and Spectre

 Microsoft has started the process of mitigations for Meltdown and Spectre.

 Problems have been reported, so ensure you have a backup, media creation tool instance, and create a restore point.

If you have an ARM CPU, some instances of security suites, or some applications that use kernel level code, the update may not occur, or it will occur and cause significant problems.

To determine if you have an ARM CPU, from the CMD window:
In this case, the Processor is Intel based.

Now note the OS Version. Windows 10.0.16299 in this case.
The Hotfix(s) for this iteration of remediation:
Using the CMD window, determine if the appropriate Hotfix has been applied.
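The checks described above (processor architecture, OS version, whether a given hotfix is present), collected into one script. This is an added example, not from the original post: it uses the built-in Get-CimInstance and Get-HotFix cmdlets, and the KB number is a placeholder to be replaced with the one Microsoft lists for your build. The last step calls Microsoft's SpeculationControl module only if it has already been installed.

```powershell
# Added example (not from the blog post): report CPU architecture, OS version
# and whether a specific hotfix is installed, using built-in cmdlets only.
# $ExpectedHotfix is a placeholder; substitute the KB for your Windows build.
param(
    [string]$ExpectedHotfix = "KB0000000"   # placeholder, not a real KB number
)

# 1. Processor. Win32_Processor.Architecture: 0 = x86, 5 = ARM, 6 = ia64, 9 = x64, 12 = ARM64
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$archNames = @{ 0 = "x86"; 5 = "ARM"; 6 = "ia64"; 9 = "x64"; 12 = "ARM64" }
$arch = $archNames[[int]$cpu.Architecture]
if (-not $arch) { $arch = "unknown ($($cpu.Architecture))" }
Write-Host "Processor : $($cpu.Name)"
Write-Host "Arch      : $arch"
if ($arch -like "ARM*") {
    Write-Warning "ARM CPU: the Meltdown/Spectre update may not be offered, or may cause problems."
}

# 2. OS version (the post's own example machine shows 10.0.16299)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "OS Version: $($os.Version)"

# 3. Hotfix check: Get-HotFix lists installed updates by their KB id
$hf = Get-HotFix | Where-Object { $_.HotFixID -eq $ExpectedHotfix }
if ($hf) {
    Write-Host "Hotfix $ExpectedHotfix installed on $($hf.InstalledOn)"
} else {
    Write-Warning "Hotfix $ExpectedHotfix not found. Back up, create a restore point, then run Windows Update."
}

# 4. Optional: Microsoft's PowerShell Gallery module (Install-Module SpeculationControl)
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    Write-Host "SpeculationControl module not installed; 'Install-Module SpeculationControl' adds it."
}
```

Run it from an elevated PowerShell window as `.\check-meltdown.ps1 -ExpectedHotfix KB...`. The same information is available from a plain CMD window with `wmic cpu get name,architecture` and `systeminfo` (which lists OS version and installed hotfixes), but the script lets you pin the exact KB you are waiting for.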

Tuesday, January 9, 2018

Western Digital Network Attached Storage (NAS) Vulnerabilities

Some models of Western Digital's Network Attached Storage devices have vulnerabilities that allow remote access. In addition, a backdoor with a hard-coded, unchangeable username and password has been found.
The models affected:

My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100

 Consider not using this device until these issues are resolved by the vendor.

Brave Browser updates today 01/09/2019

Brave 0.19.131

Added Strict Site Isolation mode, disabled password autofill during page loads, improvements to both Brave Payments and autoplay. Upgraded to Chromium 63.0.3239.132. More details: https://github.com/brave/browser-laptop/releases/tag/v0.19.131dev

Partial mitigations for Spectre

Monday, January 8, 2018

Apple security updates related to Meltdown and Spectre

 Apple released today (01/08/2018) security updates to partially address the recent Meltdown and Spectre vulnerabilities.

 iOS 11.2.2
 Safari 11.0.2
 High Sierra 10.13.2

Partial security updates are out for Windows 10. If your Windows system does not update, I would recommend checking your security suites and applications for updates first. Some security and higher level applications will need to be updated/patched before the Windows 10 updates are applied. Trust me.

Linux distributions are in the process of kernel updates.

 As with any updates, perform a backup, read any warnings, share your experiences if you encounter problems or issues.

Saturday, January 6, 2018

Cyber Security SIG Presentation 01/04/2018

Meltdown and Spectre vulnerabilities

A surprising (to me) amount of press coverage on these two vulnerabilities. I am usually more alarmed when vulnerabilities are revealed.
I wrote kernel level code for microprocessors back in the 1970s and have used that experience in modern day computer forensics for many years.
There are currently many ways to exploit similar vulnerabilities, but until now those were application and/or operating system dependent. These two vulnerabilities are processor dependent.
Modern processors have multiple threads, multiple cores, and can have multiple chips making up the Central Processing Unit (CPU). To take advantage of all these threads, cores and chips, processors now "predict" program behaviours, prefetching blocks of memory for opcode decoding and cache population. This speeds the system up. A problem occurs when the application does not take the code path the processor "predicted". Now a block of code is in cache that will not be executed. That unused cached block of memory will be overwritten with new "predicted" pre-fetch blocks soon, but until it is, the code running on the processor can access that block. That's the problem. That is the vulnerability.
IF (big if) that pre-fetched block in cache has a memory copy of secret session keys, unencrypted passphrases, or other sensitive data, and it is accessed (read) by the processes running on the processor before the cache has the "dirty" bit set, the vulnerability has been exploited.
Meltdown allows a process to access memory mapped by that process. Some applications run multiple process threads (different from processor threads) to save memory and processor time, and the vulnerability allows a covert channel between the multiple users of that application. In any case the process can gain access to kernel memory, which it should not be able to do.
Spectre allows a process to read memory belonging to another process.
A vulnerability and an exploit are both required to effect a compromise. Several years ago a savvy attacker could work for months attempting a compromise. Now, with many, many attackers focused on the vulnerability, compromises should appear more rapidly. Now add machine learning and Artificial Intelligence. Once a compromise is found, it is available to anyone made aware of it.
The Linux kernel is open source. Kernel level developers and maintainers around the world work on the Linux kernel. An increase in activity around memory management for the kernel was noted recently. The comments to the code were cryptic, then redacted. Most Linux distributions have been patched.
The patches may cause slower performance on high performance applications with lots of unpredictable branches (e.g. games).
The patches may cause problems with applications that rely on kernel code analysis and/or analyzing process behaviors (security suites). Security suite vendors are working on patches as well.

The primary method of exploit, in my view, will be browsers and tabs. For safer browsing:
Use a different browser for sensitive sites (banks, brokers, shopping, etc.)
Use security add-ons and extensions on that browser
Before every sensitive session, check for browser, add-on, and extension updates. Apply any that are available.
Use the newly launched browser for ONE session. Exit the browser. Then repeat for the next session.
AVOID multiple tabs for multiple sensitive sessions.

 The Chrome browser has "Strict site isolation" that can be enabled
Type chrome://flags in the address bar
Turn on "Strict site isolation"


Then relaunch Chrome. I would recommend doing both Strict site isolation AND a separate browser session for sensitive sites as common best practice.
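One way to follow both recommendations at once (strict site isolation plus a separate, single-use browser session for the sensitive site), as an added example that is not part of the original post. It assumes a standard Chrome install path, which you may need to adjust; `--site-per-process` is Chrome's command-line equivalent of the "Strict site isolation" flag, and `--user-data-dir` points Chrome at a profile directory that is separate from your everyday browsing.

```powershell
# Added example (not from the blog post): open ONE sensitive site in a fresh,
# site-isolated Chrome instance, then discard that profile when Chrome exits.
# $Chrome is an assumed install path; adjust for your machine.
param(
    [Parameter(Mandatory = $true)][string]$Url,
    [string]$Chrome = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
)

if (-not (Test-Path $Chrome)) { throw "Chrome not found at $Chrome" }

# Throw-away profile directory: no cookies, tabs or extensions shared with the
# everyday browser, so a compromised tab elsewhere has nothing to read here.
$profileDir = Join-Path $env:TEMP ("sensitive-session-" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $profileDir | Out-Null

$chromeArgs = @(
    "--site-per-process",          # strict site isolation (same as the chrome://flags setting)
    "--user-data-dir=$profileDir", # separate profile = separate browser instance
    "--no-first-run",
    "--no-default-browser-check",
    $Url
)

try {
    # -Wait blocks until the browser instance is closed: one site, one session.
    Start-Process -FilePath $Chrome -ArgumentList $chromeArgs -Wait
} finally {
    # Remove the profile so session cookies and cached pages do not linger on disk.
    Remove-Item -Recurse -Force -Path $profileDir -ErrorAction SilentlyContinue
}
```

Usage: `.\sensitive-session.ps1 -Url https://example-bank.example`. Because the profile is created fresh each time, the security add-ons the post recommends are not present in it; if you want them, point `--user-data-dir` at a fixed folder that you set up once with those extensions and keep only for sensitive sites, and drop the `Remove-Item` step.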

 This may be a story / issue for some time. I will attempt to update the blog posts with information as I am able.

Tuesday, January 2, 2018

Are you an AOL or Verizon email user?

Recently, email sent to AOL users (with some reports of Verizon users as well) is being rejected when it comes from gmail and a few other sending domains. Members of the Cyber Security SIG had the latest meeting notice rejected.
If you get your mail at AOL or Verizon, you may not be receiving the emails sent from the gmail domain.