Interesting article on the colossal squid, which is larger than the giant squid.

The article answers a vexing question:

So why do we always hear about the giant squid and not the colossal squid?

Well, part of it has to do with the fact that the giant squid was discovered and studied long before the colossal squid.

Scientists have been studying giant squid since the 1800s, while the colossal squid wasn’t even discovered until 1925.

And its first discovery was just the head and arms found in a sperm whale’s stomach.

It wasn’t until 1981 that the first whole animal was found by a trawler near the coast of Antarctica.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Read More

KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about “juice jacking,” a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.

On April 6, 2023, the FBI’s Denver office issued a warning about juice jacking in a tweet.

“Avoid using free charging stations in airports, hotels or shopping centers,” the FBI’s Denver office warned. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”

Five days later, the Federal Communications Commission (FCC) issued a similar warning. “Think twice before using public charging stations,” the FCC tweeted. “Hackers could be waiting to gain access to your personal information by installing malware and monitoring software to your devices. This scam is referred to as juice jacking.”

The FCC tweet also provided a link to the agency’s awareness page on juice jacking, which was originally published in advance of the Thanksgiving Holiday in 2019 but was updated in 2021 and then again shortly after the FBI’s tweet was picked up by the news media. The alerts were so broadly and breathlessly covered in the press that a mention of juice jacking even made it into this week’s Late Late Show with James Corden.

The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who’d set up a mobile charging station designed to educate the unwary to the reality that many mobile devices were set up to connect to a computer and immediately sync data by default.

Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place.

On the other hand, the technology needed to conduct a sneaky juice jacking attack has become far more miniaturized, accessible and cheap. And there are now several products anyone can buy that are custom-built to enable juice jacking attacks.

Probably the best known example is the OMG cable, a $180 hacking device made for professional penetration testers that looks more or less like an Apple or generic USB charging cable. But inside the OMG cable is a tiny memory chip and a Wi-Fi transmitter that creates a Wi-Fi hotspot, to which the attacker can remotely connect using a smartphone app and run commands on the device.

Brian Markus is co-founder of Aries Security, and one of the researchers who originally showcased the threat from juice jacking at the 2011 DEFCON. Markus said he isn’t aware of any public accounts of juice jacking kiosks being found in the wild, and said he’s unsure what prompted the recent FBI alert.

But Markus said juice jacking is still a risk because it is far easier and cheaper these days for would-be attackers to source and build the necessary equipment.

“Since then, the technology and components have become much smaller and very easy to build, which puts this in the hands of less sophisticated threat actors,” Markus said. “Also, you can now buy all this stuff over the counter. I think the risk is possibly higher now than it was a decade ago, because a much larger population of people can now pull this off easily.”

How seriously should we take the recent FBI warning? An investigation by the myth-busting site Snopes suggests the FBI tweet was just a public service announcement based on a dated advisory. Snopes reached out to both the FBI and the FCC to request data about how widespread the threat of juice jacking is in 2023.

“The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on “juice-jacking,” first issued in 2019 and later updated in 2021, was up-to-date so as to ensure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.”

What can you do to avoid juice jacking? Bring your own gear. A general rule of thumb in security is that if an adversary has physical access to your device, you can no longer trust the security or integrity of that device. This also goes for things that plug into your devices.

Juice jacking isn’t possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present. If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in.

Read More

This is a current list of where and when I am scheduled to speak:

I’m speaking on “Cybersecurity Thinking to Reinvent Democracy” at RSA Conference 2023 in San Francisco, California, on Tuesday, April 25, 2023, at 9:40 AM PT.
I’m speaking at IT-S Now 2023 in Vienna, Austria, on June 2, 2023 at 8:30 AM CEST.

The list is maintained on this page.

Read More

Here’s a religious hack:

You want to commit suicide, but it’s a mortal sin: your soul goes straight to hell, forever. So what you do is murder someone. That will get you executed, but if you confess your sins to a priest beforehand you avoid hell. Problem solved.

This was actually a problem in the 17th and 18th centuries in Northern Europe, particularly Denmark. And it remained a problem until capital punishment was abolished for murder.

It’s a clever hack. I didn’t learn about it in time to put it in my book, A Hacker’s Mind, but I have several other good hacks of religious rules.

Read More

The guidelines were created by several cybersecurity organizations worldwide

Read More

Trellix said the businesslike approach of the group shows its organizational maturity

Read More

Ransomware. Even the name sounds scary. 

When you get down to it, ransomware is one of the nastiest attacks a hacker can wage. They target some of our most important and precious things—our files, our photos, and our information stored on our devices. Think about suddenly losing access to all of them and being forced to pay a ransom to get access back. Worse yet, paying the ransom is no guarantee the hacker will return them. 

That’s what a ransomware attack does. Broadly speaking, it’s a type of malware that infects a network or a device and then typically encrypts the files, data, and apps stored on it, digitally scrambling them so the proper owners can’t access them. Only a digital key can unlock them—one that the hacker holds. 

Nasty for sure, yet you can take several steps that can greatly reduce the risk of it happening to you. Our recently published Ransomware Security Guide breaks them down for you, and in this blog we’ll look at a few reasons why ransomware protection is so vital. 

How bad is ransomware, really? 

The short answer is pretty bad—to the tune of billions of dollars stolen from victims each year. Ransomware targets people and their families just as explained above. Yet it also targets large organizations, governments, and even companies that run critical stretches of energy infrastructure and the food supply chain. Accordingly, the ransom amounts for these victims climb into the millions of dollars.  

A few recent cases of large-scale ransomware attacks include:  

JBS Foods, May 2021 – Organized ransomware attackers targeted JBS’s North American and Australian meat processing plants, which disrupted the distribution of food to supermarkets and restaurants. Fearing further disruption, the company paid more than $11 million worth of Bitcoin to the hacking group responsible.   

Colonial Pipeline, May 2021 – In an attack that made major headlines, a ransomware attack shut down 5,500 miles of pipeline along the east coast of the U.S. Hackers compromised the network with an older password found on the dark web, letting the hackers inject their malware into Colonial’s systems. The pipeline operator said they paid nearly $4.5 million to the hackers responsible, some of which was recovered by U.S. law enforcement.  
Kaseya, July 2021 – As many as 1,500 companies had their data encrypted by a ransomware attack that followed an initial ransomware attack on Kaseya, a company that provides IT solutions to other companies. Once the ransomware infiltrated Kaseya’s systems, it quickly spread to Kaseya’s customers. Rather than pay the ransom, Kaseya’ co-operated with U.S. federal law enforcement and soon obtained a decryption key that could restore any data encrypted in the attack.  

Who’s behind such attacks? Given the scope and scale of them, it’s often organized hacking groups. Put simply, these are big heists. It demands expertise to pull them off, not to mention further expertise to transfer large sums of cryptocurrency in ways that cover the hackers’ tracks.  

As for ransomware attacks on people and their families, the individual dollar amounts of an attack are far lower, typically in the hundreds of dollars. Again, the culprits behind them may be large hacking groups that cast a wider net for individual victims, where hundreds of successful attacks at hundreds of dollars each quickly add up. One example: a hacker group that posed as a government agency and as a major retailer, which mailed out thousands of USB drives infected with malware.  

Other ransomware hackers who target people and families are far less sophisticated. Small-time hackers and hacking groups can find the tools they need to conduct such attacks by shopping on the dark web, where ransomware is available for sale or for lease as a service (Ransomware as a Service, or RaaS). In effect, near-amateur hackers can grab a ready-to-deploy attack right off the shelf. 

Taken together, hackers will level a ransomware attack at practically anyone or any organization—making it everyone’s concern. 

How does ransomware end up on computers and phones? 

Hackers have several ways of getting ransomware onto one of your devices. Like any other type of malware, it can infect your device via a phishing link or a bogus attachment. It can also end up there by downloading apps from questionable app stores, with a stolen or hacked password, or through an outdated device or network router with poor security measures in place. And as mentioned above, infected storage devices provide another avenue. 

Social engineering attacks enter the mix as well, where the hacker poses as someone the victim knows and gets the victim to either download malware or provide the hacker access to an otherwise password-protected device, app, or network. 

And yes, ransomware can end up on smartphones as well.  

Smartphone ransomware can encrypt files, photos, and the like on a smartphone, just as it can on computers and networks. Yet other forms of mobile ransomware don’t have to encrypt data to make the phone unusable. The “Lockerpin” ransomware that has struck some Android devices in the past would change the PIN number that locked the phone. Other forms of lock screen ransomware would simply paste a warning over the home screen with a “pay up, or else” message. 

Still, ransomware isn’t as prevalent on smartphones as it is on computers, and there are several reasons why. For the most part, smartphone ransomware relies on people downloading malicious apps from app stores. Both Google Play and Apple’s App Store both do their part to keep their virtual shelves free of malware-laden apps with a thorough submission process, as reported by Google and Apple.  

Yet, bad actors find ways to sneak malware into the stores. Sometimes they upload an app that’s initially clean and then push the malware to users as part of an update. Other times, they’ll embed the malicious code so that it only triggers once it’s run in certain countries. They will also encrypt malicious code in the app that they submit, which can make it difficult for reviewers to sniff out.   

Further, Android allows users to download apps from third-party app stores that may or may not have a thorough app submission process in place, which can make them more susceptible to hosting malicious apps. Moreover, some third-party app stores are actually fronts for organized cybercrime gangs, built specifically to distribute malware.   

Basic steps to protect yourself from a ransomware attack. 

First, back up your data and files.

The people behind these attacks play on one of your greatest fears—that those important and precious things on your device might be gone forever. Yet with a backup, you have little to fear. You can simply restore any data and files that may have come under attack. Consider using a reputable cloud storage service that you protect with a strong, unique password. Similarly, you can back up your data locally on an external drive that you keep disconnected from your network and stored in a secure location. So while a backup won’t prevent an attack, it can most certainly minimize any threat or damage from one. 

Be careful of what you click.

Ransomware attackers use phishing emails, bogus direct messages in social media, and texts to help install malware on your device. Many of these messages can look quite legitimate, like they’re coming from a brand you know, a financial institution, or even the government. The links embedded in those messages will take you to some form of malicious website where you’re prompted to download a phony file or form—which is actually malware. Similarly, some phishing emails will simply send malware to the recipient in the form of a malicious attachment that masquerades as a legitimate document like an invoice, spreadsheet, or shipping notice. 

Use online protection software.

This provides your first line of defense. Online protection software includes several features that can stop a ransomware attack before it takes root:  

Safe surfing features that warn you of malicious downloads, attachments, and websites. 
Strong antivirus that spots and neutralizes the latest malware threats with the latest antivirus technologies. 
Vulnerability scanners that help keep your device and its apps up to date with the latest security measures. 
A firewall that helps prevent intruders from accessing the devices on your network—and the files on them. 

Yet more ways you can prevent ransomware attacks. 

That list is just for starters. Our Ransomware Security Guide goes even deeper on the topic. 

It gets into the details of what ransomware looks like and how it works, followed by the straightforward things you can do to prevent it, along with the steps to take if the unfortunate ends up happening to you or someone you know. 

Ransomware is one of the nastiest attacks going, because it targets our files, photos, and information, things we don’t know where we’d be without. Yet it’s good to know you can indeed lower your risk with a few relatively steps. Once you have them in place, chances are a good feeling will come over you, the one that comes with knowing you’ve protected what’s precious and important to you. 

The post How To Prevent Ransomware appeared first on McAfee Blog.

Read More