David’s Take: Tales from the IRS
I had to call the IRS this week to resolve an issue with an old tax return. At the end of the call, the agent asked me for my phone number in case they need to contact me. I asked him, given all the scammers calling at this time of year, how would I know it was a legit call? He was clearly flustered by it and didn’t really give me a valid protocol, other than to say each agent has to cite their “IRS agent number” at the beginning of the call. One thing he did say was that the real IRS never asks you to pay up over the phone: you always get a letter in advance. Only I never got my original letter, which is why I was calling. #IRSFAIL
-- David Strom, editor of Inside Security
Top Story: Congress and ISP Privacy
On Tuesday, the House approved a Senate resolution to roll back data privacy regulations enacted late last year by the FCC that would block ISPs from selling to advertisers information about where you go and what you do online. Several crowdfunding sites have been created, wrongheadedly, to try to channel this angst. Another response is to bring attention to using VPNs that protect your privacy and browsing activities. Brian Krebs goes into detail about why you should consider a VPN and how you need to think carefully about the various claims made by VPN providers. “However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process,” Krebs writes in this post. One trusted and very complete VPN evaluation can be found at ThatOnePrivacySite which has a chart of dozens of providers. Only a few of them pass muster, including BolehVPN, Mullvad, NordVPN, oVPM, TrustZone, and VPNSecure.
But you should be doing a lot more to protect your privacy, and my colleague Tom Henderson has a great set of suggestions, such as using multiple browsers, cleaning out your cookies regularly, and changing your DNS server to one other than your ISP’s or Google’s that doesn’t track your traffic. Both Krebs and Henderson also suggest using Tor as your default browser.
Finally, keep in mind what Swift on Security says: “The solution to privacy isn’t 0.05% of ISP users trying to opt-out of the net by paying $8/month to someone promising to fix their problems.”
The exploit dubbed DoubleAgent takes advantage of a legitimate Windows tool called Microsoft Application Verifier and works against AV products from numerous vendors. It gives attackers a way to turn an antivirus product from any of these vendors into malware for snooping on users, stealing data from their systems, and for moving laterally across the network and sabotaging the system. Cybellum dissects how the exploit works in their post here. Several AV vendors announced patches to fix the issue this week. – DARK READING
A new attack on smart TVs allows a malicious actor to take over devices using rogue Digital Video Broadcasting — Terrestrial (DVB-T) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users. The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks. Scheel's method is different because the attacker can execute it from a remote location, without user interaction, and it runs in the TV's background processes. – BLEEPING COMPUTER
For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware. The attacks started in January and consisted of malicious emails specifically crafted to attract the attention of developers, such as requests for help with development projects and offers of payment for custom programming jobs. The emails had .gz attachments containing Word documents with malicious macro code. The malware is called Dimnie, and this post goes into detail on how it works. – PALO ALTO NETWORKS BLOG
As if we don’t have enough to worry about, here is an exploit that uses non-dotted decimal IP notation, such as http://1760468716. Browsers resolve this form to an ordinary IPv4 address, but people and simple URL filters don’t recognize it as one, which is why this is a thing now. – MALWAREBYTES BLOG
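To see what is going on under the hood, here is an added example (not code from the Malwarebytes post) that converts the single-number decimal and 0x-hex host forms a browser accepts into the dotted-quad address they stand for, and scans a few constructed proxy log lines for URLs written that way. The page’s own http://1760468716 is used as one conversion case; the log lines and their private-range addresses are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Matches http(s) URLs in free text (constructed for this example; good enough for log lines).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decimal_to_dotted(value: int) -> str:
    """Render a 32-bit integer address in the usual dotted-quad form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 value")
    return str(ipaddress.IPv4Address(value))


def canonical_host(host: str) -> str:
    """Return the dotted-quad form of a host written as one decimal or 0x-hex number.

    Hostnames, already-dotted addresses and out-of-range numbers are returned unchanged.
    Octal and mixed dotted/hex variants are not handled here (assumption: the two forms
    covered are the ones most often seen in practice).
    """
    h = host.strip().lower()
    try:
        if re.fullmatch(r"[0-9]+", h):
            return decimal_to_dotted(int(h, 10))
        if re.fullmatch(r"0x[0-9a-f]+", h):
            return decimal_to_dotted(int(h, 16))
    except ValueError:
        pass
    return host


def canonical_url(url: str) -> str:
    """Rewrite the host part of a URL to dotted-quad form when it is an obfuscated IPv4."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    new_host = canonical_host(host)
    if new_host == host:
        return url
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_obfuscated_urls(text: str) -> List[Tuple[str, str]]:
    """Return (original, canonical) pairs for each URL whose host is a non-dotted numeric IPv4."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        canon = canonical_url(url)
        if canon != url:
            hits.append((url, canon))
    return hits


# Constructed proxy log lines; the numeric hosts both decode to 192.168.1.1.
SAMPLE_LOG = """\
2017-03-30T10:01:02Z proxy GET http://3232235777/update.exe 200
2017-03-30T10:01:05Z proxy GET https://example.com/index.html 200
2017-03-30T10:01:09Z proxy GET http://0xc0a80101:8080/p 302
"""

if __name__ == "__main__":
    print(canonical_url("http://1760468716"))
    for original, canonical in find_obfuscated_urls(SAMPLE_LOG):
        print(f"{original} -> {canonical}")
```

Running a normalizer like this before URL reputation lookups or blocklist matching removes the trick entirely: whatever notation the link arrives in, the comparison is made on the dotted-quad form.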
There has been yet another LastPass vulnerability. Over the weekend, Google security researcher Tavis Ormandy reported yet another client-side vulnerability in the LastPass browser extension. The company posted this note saying they are now actively addressing the vulnerability, which they describe as unique and highly sophisticated. They recommend launching sites directly from the LastPass vault: “This is the safest way to access your credentials and sites until this vulnerability is resolved.” There is no evidence that anyone other than LastPass and Ormandy knows about the flaw. -- NAKED SECURITY
Methods and tools
If you are looking for some new penetration testing tools for your toolbox, you might want to consider these suggestions from Carrie Roberts, a security analyst at Black Hills Information Security. Included are tools for spraying passwords, running PowerShell scripts without actually invoking PowerShell, and others. -- TRIPWIRE BLOG
Seven cyber security start-ups in January joined the first cohort at UK’s GCHQ Cyber Accelerator program. This is a partnership between GCHQ, the Department for Culture, Media and Sport, and Wayra UK, the leading UK corporate accelerator that is part of the global Telefónica Open Future network. This week was Demo Day, and this post describes the graduating companies such as CyberSmart and StatusToday. -- ITSECURITYGURU
Just for fun
This flow chart on North Korean banking hacks sure is impressive. I can't say for certain whether or not it is accurate.
If you are looking to listen to a collection of radio stations from around the world, check out RadioGarden. You can select from the map of the world one of the broadcast stations that they can access online, in real time.