Fake blockchain games, that are being actively promoted by cybercriminals on social media, are actually designed to infect the computers of unsuspecting Mac users with cryptocurrency-stealing malware.
Monthly Archives: July 2023
Backdoor in TETRA Police Radios
Seems that there is a deliberate backdoor in the twenty-year-old TErrestrial Trunked RAdio (TETRA) standard used by police forces around the world.
The European Telecommunications Standards Institute (ETSI), an organization that standardizes technologies across the industry, first created TETRA in 1995. Since then, TETRA has been used in products, including radios, sold by Motorola, Airbus, and more. Crucially, TETRA is not open-source. Instead, it relies on what the researchers describe in their presentation slides as “secret, proprietary cryptography,” meaning it is typically difficult for outside experts to verify how secure the standard really is.
The researchers said they worked around this limitation by purchasing a TETRA-powered radio from eBay. In order to then access the cryptographic component of the radio itself, Wetzels said the team found a vulnerability in an interface of the radio.
[…]
Most interestingly is the researchers’ findings of what they describe as the backdoor in TEA1. Ordinarily, radios using TEA1 used a key of 80-bits. But Wetzels said the team found a “secret reduction step” which dramatically lowers the amount of entropy the initial key offered. An attacker who followed this step would then be able to decrypt intercepted traffic with consumer-level hardware and a cheap software defined radio dongle.
Looks like the encryption algorithm was intentionally weakened by intelligence agencies to facilitate easy eavesdropping.
Specifically on the researchers’ claims of a backdoor in TEA1, Boyer added “At this time, we would like to point out that the research findings do not relate to any backdoors. The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption.”
And I would like to point out that that’s the very definition of a backdoor.
Why aren’t we done with secret, proprietary cryptography? It’s just not a good idea.
Details of the security analysis. Another news article.
Ransomware Attacks Skyrocket in Q2 2023
SonicWall’s report finds that ransomware rebounded in Q2 2023 following a major reduction in Q1
USN-5807-3: libXpm vulnerability
USN-5807-1 fixed a vulnerability in libXpm. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
Marco Ivaldi discovered that libXpm incorrectly handled certain XPM files.
If a user or automated system were tricked into opening a specially crafted
XPM file, a remote attacker could possibly use this issue to cause libXpm
to stop responding, resulting in a denial of service. (CVE-2022-46285)
How to improve employee phishing awareness
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Social engineering has long been a popular tactic among cybercriminals. Relying exclusively on information security tools does not guarantee the safety of an IT infrastructure these days. It is critically important to enhance the knowledge of employees regarding information security threats. Specifically, there is often a pressing need to educate employees about phishing. But how could phishing awareness training go wrong, and what can be done about it? Let’s delve deeper and unravel the potential issues and solutions.
In recent years, we have seen an uptick in the delivery of malware via phishing attacks. Compounding the problem is the rising volume of email fatigue, which can lead to less vigilance and increased vulnerability. Regrettably, email protection software does not fully safeguard against phishing due to the inevitable human factor involved. Indeed, there is a reason why social engineering continues to be a preferred strategy for cybercriminals – its effectiveness is exceptional.
Many organizations are already conducting training sessions and rolling out specialized programs to enhance employee awareness about phishing. These programs are not just theoretical but also offer hands-on experience, allowing employees to interact with possible threats in real-world scenarios. For this, companies often use simulated phishing attacks, which are a vital part of their awareness programs. Some businesses manage these cyber exercises internally through their information security teams, while others enlist the help of service providers.
However, these training sessions and mock phishing exercises are not without their flaws. At times, technical issues can disrupt the process. In other instances, the problem lies with the employees who may exhibit apathy, failing to fully engage in the process. There are indeed numerous ways in which problems can arise during the implementation of these programs.
Email messages caught by technical means of protection
It is standard practice for most companies to operate various email security systems, like Secure Email Gateway, DMARC, SPF, DKIM tools, sandboxes, and various antivirus software. However, the goal of simulated phishing within security awareness training is to test people, not the effectiveness of technical protective tools. Consequently, when initiating any project, it is crucial to adjust the protection settings so your simulated phishing emails can get through. Do not forget to tweak all tools of email protection at all levels. It is important to establish appropriate rules across all areas.
By tweaking the settings, I am certainly not suggesting a total shutdown of the information security system – that would be unnecessary. When sending out simulated phishing emails, it is important to create exceptions for the IP addresses and domains that these messages come from, adding them to an allowlist.
After making these adjustments, conduct a test run to ensure the emails are not delayed in a sandbox, diverted to junk folders, or flagged as spam in the Inbox. For the training sessions to be effective and yield accurate statistics, there should be no issues with receiving these training emails, such as blocking, delays, or labeling them as spam.
Reporting phishing
Untrained employees often become victims of phishing, but those who are prepared, do more than just skip and delete suspicious messages; they report them to their company’s information security service.
Tools like the “Report Phishing” plugin for Outlook can be extremely useful. This plugin lets employees quickly and easily notify the information security team about potential phishing attempts. If an attack is indeed taking place, vigilant employees can help detect it faster and prevent severe consequences by forwarding the phishing email to the information security team, who can then respond to the incident.
This plugin is also beneficial for simulated phishing campaigns for several reasons:
It helps to evaluate the vigilance of users and the effectiveness of the company’s awareness training program.
It alleviates the burden on the information security service from having to process reports of simulated phishing. The fact is that all real phishing alerts are sent to a dedicated mailbox of the information security service. During a training campaign, this mailbox can quickly fill up. Simulated phishing messages will not end up in this mailbox if the plugin is used. Instead, the platform will simply count the employees who reported the attack, thus preventing cybersecurity specialists from being overwhelmed by unnecessary reports.
Apart from email client plugins, there are other ways to assist employees in taking the right actions when confronted with phishing attacks:
Set up a short and easy-to-remember email address specifically for phishing reports and make sure all employees are aware of it.
Regularly motivate employees to report any suspected attacks. For instance, you could circulate internal newsletters with statistics on reported incidents, discuss how such reporting aids in thwarting attacks, and give recognition to those who have successfully identified a cyber threat.
Sad test results
Companies can run special phishing tests using both clean emails and ones labeled “external sender” or “spam.” These red flags are intended to caution employees to exercise more care when handling such emails, as they are more likely to contain malicious attachments or phishing links. Interestingly, research shows that presenting suspicious details in email headers does not improve phishing detection. Even when emails bear labels like “external sender” or “spam” in the subject line or body of the message, employees click on them nearly as frequently as they do on unlabeled ones.
Why does this happen, and what can be done about it? There could be a level of mistrust towards technology and software algorithms at play here. We often hear the advice, “If you did not receive an email from us, check your spam folder.” And, of course, simple inattention on the part of employees is common.
Curiosity, interest, or fear triggered by the content of the email can lead employees to fall for the hackers’ bait. Certain expertly designed templates, such as those warning of potential account breaches and prompting password changes, generate high click rates. Often the “sender” field in an email might show an address that perfectly matches the legitimate domain of the client. However, the “from” field only displays text, which can be altered by the sender’s email server. To truly ascertain the domain from which the email originated, examining the headers in the email’s properties is necessary. Therefore, again, relying entirely on software and hardware for email information security is unwise. The human factor is a crucial element to consider.
Even following training, phishing emails continue to be opened
Let’s say right away that there are no magic pills against phishing for employees. Training courses are an important part of the process, but they will not work without regular practice. Upon contact with a new variant of phishing, an employee may become confused and eventually fall for the trick of scammers.
Cultivating robust phishing detection skills and enhancing awareness of threats should be continuous processes that involve direct exposure to these threats. Every training phishing email sent, irrespective of the unsafe action statistics, enhances an employee’s awareness: they learn about a new threat, encounter it firsthand, experience the potential impact, and consequently, become less vulnerable. As the proverb says: “Fool me once, shame on you. Fool me twice, shame on me.”
Practical experience affirms the need for ongoing engagement with employees. Mere theoretical training sessions will not protect you from phishing, and a single training session is not sufficient either. Interestingly, reports suggest that after one round of simulated phishing emails, there might be an increase in unsafe actions with mock phishing, even after employees have completed training courses.
Does this suggest that the training courses were entirely ineffective? Not necessarily. It simply indicates that the practical skills needed to recognize phishing are not yet fully developed, reinforcing the notion that understanding the information security theory without practical application is insufficient. It is through regular phishing training emails that employees become more adept at identifying phishing attempts and reporting them to the information security service.
Cycle-based phishing awareness program implementation
A phishing awareness program typically starts with an initial round of simulated phishing emails to evaluate employees’ susceptibility to such attacks. Next, the employees undergo training to learn about phishing and how to spot it. Following the training, another round of simulated phishing is conducted to provide practical reinforcement of the training and to assess its impact on employees. This constitutes the initial cycle of the program. Depending on your resources and the size of your organization, this part may take anywhere from several weeks to a few months to complete.
The process does not stop there. You should conduct new rounds of simulated phishing emails approximately once a month, gradually making them more complex. Employees who consistently fall for phishing attempts should be given additional training.
Yes, this is a slow process. Building sustainable skills takes time, typically at least 12 months. And even after this period, regular phishing simulation exercises are still necessary to ensure employees maintain their alertness. By running regular phishing simulations, employees become more knowledgeable and vigilant, boosting the attack resilience of both the individual and the entire organization.
Conclusion
As you can see, relying solely on technological measures for protection against phishing is not enough. The human factor should not be underestimated. Engaging with employees and motivating them in matters of information security is essential. That is why simulated phishing exercises are so valuable. If you are in charge of cybersecurity for your organization and do not yet have a dedicated process for reporting phishing and other cyber threats, it is time to establish one. This is a straightforward and effective initial step to shield against cyber threats and kickstart a security awareness program. It is important to properly structure the learning process and run multiple cycles of theoretical and practical sessions on an ongoing basis.
Education Sector Has Highest Ransomware Victim Count
Over 900,000 MikroTik Routers Exposed to Critical Bug
Industry Coalition Calls For Enhanced Network Resilience
CVE-2022-2502
A vulnerability exists in the HCI IEC 60870-5-104 function included in certain versions of the RTU500 series product. The vulnerability can only be exploited, if the HCI 60870-5-104 is configured with support for IEC 62351-5 and the CMU contains the license feature ‘Advanced security’ which must be ordered separately. If these preconditions are fulfilled, an attacker could exploit the vulnerability by sending a specially crafted message to the RTU500, causing the targeted RTU500 CMU to reboot. The vulnerability is caused by a missing input data validation which eventually if exploited causes an internal buffer to overflow in the HCI IEC 60870-5-104 function.
ZDI-23-982: Oracle VirtualBox VRDP Memory Corruption Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle VirtualBox. Authentication may or may not be required to exploit this vulnerability, depending upon product configuration.