java-1.8.0-openjdk-1.8.0.382.b05-1.fc37

FEDORA-2023-e722e7f4e1

Packages in this update:

java-1.8.0-openjdk-1.8.0.382.b05-1.fc37

Update description:

Update to July security update 382.b05

Keep your sensitive data secure by using Encrypted Forms 2.0 from Jotform

Graham Cluley Security News is sponsored this week by the folks at Jotform. Thanks to the great team there for their support! What is form encryption, and why is it important? Whether you’re a pro with forms or just a newbie, it might be helpful to get an understanding of form encryption and why E2EE … Continue reading “Keep your sensitive data secure by using Encrypted Forms 2.0 from Jotform”

Microsoft Signing Key Stolen by Chinese

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers. The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tells me that the details are really bad.

I believe this all traces back to SolarWinds. In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks. We know that Russia accessed Microsoft source code in that attack. I have heard from informed government officials that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s.

I think we are grossly underestimating the long-term results of the SolarWinds attacks. That backdoored update was downloaded by over 14,000 networks worldwide. Organizations patched their networks, but not before Russia—and others—used the vulnerability to enter those networks. And once someone is in a network, it’s really hard to be sure that you’ve kicked them out.

Sophisticated threat actors are realizing that stealing source code of infrastructure providers, and then combing that code for vulnerabilities, is an excellent way to break into organizations who use those infrastructure providers. Attackers like Russia and China—and presumably the US as well—are prioritizing going after those providers.

News articles.

What may be lurking behind that QR code

As we go about our daily lives, whether that be shopping with the family, enjoying dinner at a restaurant, finding our gate at the airport, or even watching TV, we find ourselves more and more often encountering the QR code. These black-and-white checkerboards of sorts have gained a reputation for being a fast and convenient way of obtaining information via our smartphones while at the same time contributing to environmental conservation, as they allow businesses such as retailers and restaurants to print fewer paper menus or flyers.

But before you whip out that phone and activate your camera, you should be aware that these seemingly innocuous QR codes can also be used for purposes you aren’t anticipating. Adversaries can also abuse them to steal your money, identity, or other data.  In fact, the term in the cybersecurity industry for attacks that leverage QR codes as a means of delivery is “quishing.” Although this may sound cute, the intentions behind these intrusions are, in reality, quite sinister.

A brief history of the QR code

While it may seem like we have only been interacting with QR codes over the past several years, they were in fact invented almost 30 years ago in 1994 by a Japanese company called Denso Wave, a subsidiary of Toyota Motor Corporation, for the purposes of tracking automotive parts in the assembly process. QR stands for “quick response” and is a sophisticated type of bar code that utilizes a square pattern containing even smaller black and white squares that represent numbers, letters, or even non-Latin scripts which can be scanned into a computer system. Have you ever noticed that there are larger black and white squares in just three of the corners of a QR code? Their purpose is to allow a scanning device to determine the code’s orientation, regardless of how it may be turned.

The use of QR codes has expanded considerably since 1994. They have become a favored means for businesses to circulate marketing collateral or route prospects to web forms, and other even more creative uses have also been cultivated. Instead of printing resource-consuming user manuals, manufacturers may direct their consumers to web-hosted versions that can be reached by scanning codes printed on the packaging materials. Event venues print QR codes on tickets that can be scanned upon entry to verify validity, and museums post signs next to exhibits with QR codes for visitors to obtain more information. During the COVID-19 pandemic, the use of QR codes accelerated as organizations sought to create contactless methods of doing business.

The dangers that lie beneath

QR codes don’t appear to be going away anytime soon. The speed and versatility they offer are hard to deny. However, any hacker worth their salt understands that the most effective attacks leverage social engineering to prey upon human assumptions or habits. We’ve become accustomed to scanning QR codes to quickly transact or to satisfy our sense of curiosity, but this convenience can come at a cost. There are several websites that make it incredibly simple and low cost (or free) for cybercriminals to generate QR codes, which they can use to do any of the following:

Open a spoofed web page – Upon scanning the QR code, your browser will open a fake web page that appears to be a legitimate business, such as a bank or e-commerce site, where you are requested to provide login credentials or payment data, also known as a phishing attack. It is also possible that this site contains links to malware.
Recommend an unscrupulous app – You will be directed to a particular app on the Apple App Store or Google Play Store and given the option to download the app to your mobile device. These apps can contain malware that installs additional programs, or they may collect and share sensitive information from your mobile device with their developers and other third parties. This information could be your name, phone number, email address, photos, location, purchasing information, and browsing history.
Automatically download content onto your devices – This may include photos, PDFs, documents, or even malware, ransomware, and spyware.
Connect to a rogue wireless network – QR codes may contain a Wi-Fi network name (SSID), encryption (or none), and password. Once scanned, you will receive a notification banner with a link to connect to the network. From there, a hacker can monitor and capture information transmitted over the network in what’s referred to as a “man-in-the-middle attack.”
Make a phone call – A notification will appear, confirming that you’d like to call the number programmed into the QR code. Someone will answer, claiming to be a legitimate business but then requesting personal or financial information and/or adding you to a list to be spammed later.
Compose an email or text message – An email or text message is prepopulated with the message and recipient that the QR creator has programmed. You will then receive a notification banner confirming that you would like to send it. Once you do so, your email address or phone number may be added to a spam list or targeted for phishing attacks.
Trigger a digital payment – QR codes may be used to process payments through PayPal, Venmo, or other means. This one may seem like an easy one to spot, but what if the QR code was placed on a parking meter with a message to scan it to submit payment for the time your automobile will be occupying the spot?
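
The payload types listed above can be told apart before anything is opened. The following is an added example, not part of the original article: a Python triage routine that takes the text a scanner has already decoded from a QR code and reports which action it would trigger, plus warning signs. The shortener and app-store host lists and all sample payloads are constructed assumptions; the `WIFI:` layout is the de facto convention used by common scanners.

```python
import re
from urllib.parse import urlsplit

# Assumed, non-exhaustive host lists (constructed for this example).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
APP_STORES = {"apps.apple.com", "play.google.com"}

def parse_wifi(payload):
    """Parse the de facto 'WIFI:T:<auth>;S:<ssid>;P:<password>;;' payload."""
    fields = {}
    # Each match is one field; backslash-escaped ';' and ':' stay inside it.
    for part in re.findall(r"(?:\\.|[^;\\])+", payload[len("WIFI:"):]):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = re.sub(r"\\(.)", r"\1", value)  # unescape
    return fields

def triage(payload):
    """Return (action, warnings) for a decoded QR string."""
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    warnings = []
    if scheme == "wifi":
        wifi = parse_wifi(text)
        if wifi.get("T", "nopass").lower() in ("", "nopass"):
            warnings.append("open network: traffic can be monitored")
        return "join Wi-Fi network %r" % wifi.get("S", ""), warnings
    if scheme == "tel":
        return "place a phone call", ["confirm the number independently"]
    if scheme in ("mailto", "sms", "smsto", "matmsg"):
        return "compose a message", ["recipient and body are prefilled"]
    if scheme in ("http", "https"):
        host = (urlsplit(text).hostname or "").lower()
        if scheme == "http":
            warnings.append("unencrypted HTTP")
        if host in SHORTENERS:
            warnings.append("shortened URL hides the real destination")
        if re.fullmatch(r"[\d.]+", host):
            warnings.append("raw IP address instead of a domain name")
        if "xn--" in host:
            warnings.append("punycode host: possible look-alike domain")
        if host in APP_STORES:
            return "open an app store listing", warnings
        return "open web page on " + host, warnings
    return "unrecognized payload", ["do not act on it without review"]
```
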

Five ways to defend against malicious QR codes

Spotting a malicious QR code may be difficult because the displayed URLs are often shortened or hosted on cloud platforms, such as Amazon Web Services (AWS). Fortunately, there are things you can do to reduce your chance of falling victim to a quishing attack:

Ask yourself “How certain am I of the creator of this QR code?” One that is printed on food packaging or posted on a permanently mounted sign at a train station may have a lower risk of being malicious than one that is printed on a sticker at your local brewery or on a flyer handed to you by someone you don’t know. If you receive an email or text containing a QR code from a reputable source, verify that it is legitimate by responding through a different means like sending a message through another platform or making a phone call.
Determine if there is an alternate way of obtaining the information you seek, such as navigating to the business’ public website or requesting a paper menu.
Never enter login credentials or any sensitive personal or financial information, such as credit card numbers or social security numbers, on a webpage obtained by scanning a QR code.
Don’t jailbreak your device. This will bypass the restrictions and security intentionally placed on your device by the manufacturer and expose it to malware and other risks.
Ensure that you have a mobile threat defense solution installed on your tablets and smartphones to block phishing attempts, malicious websites and risky network connections.
