Hack on the track: Signaling flaw leaves UK trains vulnerable

UK train services could be vulnerable to being hacked, hijacked and crashed, due to the trial of new digital signaling system designed to make lines safer, reports ITV.

According to government advisor Professor David Stupples, the new European Traffic Rail Management System (ETRMS) could be targeted by hackers and exposed to malicious software which could result in an accident. The system – which is being implemented by Network Rail and expected to be operational in the 2020s – is designed to replace aging signal lights, using computers to transmit critical information live from the tracks.

“It’s the clever malware that actually alters the way the train will respond,” Stupples told the BBC. “So, it will perhaps tell the system the train is slowing down, when it’s speeding up.”

The internet security expert said that the ETRMS is well protected from outside attacks, but warned that the greatest threat is posed by insiders. Stupples noted that a Network Rail employee, either through a bribe or acting on general dissatisfaction, is the most likely way malware would get into the system.

“Governments aren’t complacent,” the professor added. “Certain ministers know this is absolutely possible and they are worried about it. Safeguards are going in, in secret, but it’s always possible to get around them.”

Network Rail has said that it acknowledges the threat, and is working with government, security services, partners and suppliers in the rail industry to understand the risks and protect its passengers.

As transport systems become more reliant on computers and the internet to operate smoothly, new vulnerabilities are being analyzed by governments and industry bodies. Just last week, a US government watchdog warned that the adoption of modern technology in airplanes could allow hackers to access flight controls over public WiFi.

by Kyle Ellison, ESET

Ransomware: Should you pay the cybercriminals?

Ransomware is a growing threat, threatening to take over your machine, encrypt your files and demand payment in exchange for their safe return. But, as we explore below, paying the ransom is rarely the solution.

What is ransomware?

Ransomware is a type of malware, or malicious software, which has exploded in notoriety in recent years.

The malware is often installed on your machine via a phishing email or a drive-by-download on a compromised website, and a short time later a pop-up message will appear on screen telling the user to pay a ransom (in some cases as much as $300) in order to ‘unlock’ their stolen documents.

Fortunately, the severity of ransomware varies considerably. At the lower-end, most variants simply bombard the user with ‘scareware’ pop-up messages, telling them to pay up to restore normal service. However, these variants  haven’t actually encrypted any files.

That said, there are other versions which block access to the start screen, while ‘filecoders’, like CryptoLocker, will encrypt documents stored on the system’s hard drive.

These warning messages typically claim to be from law enforcement agencies, warning of illegal activities or content. They may alternatively claim that the system’s operating system is a forfeit, or pretend to be an anti-virus solution that has identified an infection.

To date, the most prolific variants of ransomware been CryptoLocker, TorrentLocker, Reveton and CryptoWall although newer versions like CryptoFortress, CoinVault and others have emerged in recent months, sporting newer tactics like making emails appear quarantined and running operations through the Tor or Invisible Internet Project (I2P) anonymizing networks. As ESET found with Virlock, ransomware is increasingly polymorphic, which makes it harder to detect and remove.

Ransomware, described by one malware analyst as a “polished and finished product for the bad guys”, is so widespread now that it’s a big concern for businesses. One study earlier this year found that ransomware had a bigger impact on organizations than widely-publicized advanced persistent threat (APT) attacks.

What you should do

Paying for the ransom is a dangerous option. For starters, there is no guarantee your files will be returned or that the malware has been removed. Will the hacker exploit you again in six months’ time? The truth is you don’t know.

Instead, information security professionals recommend a few useful tips, such as regularly backing up your data and ensuring your computer is running the latest software and anti-virus (ESET protects against CryptoLocker, Cryptowall, CTB locker and many other types of ransomware).

If you do get infected, and haven’t followed the advice above, all is not lost; your best bet is contacting an IT professional although there are free decryption tools online, and ways you can remove the malware via the operating system.

For less sophisticated ransomware that hasn’t encrypted files, you can enter Windows Safe Mode and run an on-demand virus scanner to hopefully remove the malware. Alternatively, you could try and do the same by logging onto the computer from another user account (hopefully bypassing the malware on the start screen), or by accessing the infected PC from a ‘clean’ PC on the same network.

If you can’t get onto the home screen, another option is System Restore, which will restore system files and programs to a state they were in previously. To do this, shut down your computer, reboot and hit the F8 key continuously to enter advanced boot options. You should see an option to repair your computer.

ESET security expert and Editor in Chief of We Live Security says users shouldn’t pay for the following reasons: “If you pay, you will support cybercrime activities by funding them with money; you don’t have any guarantee that your information is going to be decrypted again. Remember, this is not a service, they are cybercriminals. [And] even if you pay, you are not going to be ‘whitelisted’ so you could get infected again so it’s not a real solution for the future either. Prevention is the most important tool against Ransomware, since the infection can be usually cleaned afterwards but not always the information restored.”

Labaca Castro recommends using a security solution to prevent computer getting infected, frequently back-up information so it is somewhere safe and recover it easily, and avoid opening attached files in emails from unknown senders. Additionally, ESET also offers a decryptor for specific variants from Simplocker to recover your information.

by Karl Thomas, ESET

The dirty secrets of webcam-hacking peeping toms and sextortionists

Virtually every computer sold today comes with a dirty little secret.

It can spy on you.

What’s more, if hackers can infect your computer with malware they can hijack your webcam and secretly watch you too – regardless of whether they’re based down the street or on the other side of the world.

In some cases, if they’re really crafty, hackers can even spy on you without the LED on your webcam lighting up.

Notable victims of webcam hacking include Cassidy Wolf, an American model who was crowned Miss Teen USA in 2013. In her case, Wolf was spied upon by one of her former classmates – Jared James Abrahams – who had installed the Blackshades RAT malware on her laptop in order to covertly take naked photographs of the beauty queen.

Abrahams sent Wolf an anonymous email, threatening to post the intimate photographs of her on social media websites, unless she agreed to send additional photos to him or (eww…) strip for him during a Skype video chat.

Here’s a video of Cassidy Wolf being interviewed about the hack on CNN last year:

Wolf did the right thing. She didn’t give in to the extortionist’s demands, she told her parents what was happening, and contacted the police so they could investigate.

Fortunately, Abrahams was caught, and received an 18 month prison sentence for his crimes against Wolf and other victims.

But it’s not an isolated problem. In May last year, the European Union’s Judicial Cooperation Unit, announced it had arrested almost 100 people worldwide, in an operation targeting the developers and users of Blackshades, a kit of malware tools sold online for just $40.

Amongst those arrested was Swedish hacker Alex Yücel, the co-creator of the Blackshades Remote Access Tool (RAT), which provides an easy way for perverts to remotely commandeer the webcams of unsuspecting parties and snoop upon their activities.

Yücel was clearly doing quite nicely by selling software that helped hack people’s webcams and access their computer files, being able to hire several paid administrators, including a director of marketing, customer service staff, and a director of marketing.

Between September 2010 and April 2014, Blackshades had generated sales of more than $350,000.

You can do your maths yourself to determine just how many people must have been buying the malicious software, and had within their power the ability to hack into stranger’s computers and spy upon them.

Yücel pleaded guilty earlier this year to distributing malware,

Although arrests have been made in relation to the Blackshades RAT malware, there are plenty of other tools and trojan horses in existence which can help strangers snoop upon you.

So what can you do to prevent webcam hackers?

Well, you could follow the example of delegates at the recent Infiltrate conference held at a swanky hotel in the city of Miami Beach.

According to press reports, the Fountainebleau hotel offers guests the use of an Apple Mac computer in every room.

So what do Infiltrate’s security-conscious delegates do when they get into their room and see the Mac (including built-in webcam)?

Why, they turn it around, unplug it, and put a towel over the monitor for good luck!

Hotel Mac

That approach may be a little extreme for some of us on our own computers, but when you use a PC or Mac in an environment where it is likely to have been used by strangers, you should certainly be aware that you cannot have much confidence regarding whether the device has already been compromised by malware.

When it comes to your personal computer – be it Mac or PC – make sure that you are always running the latest anti-virus and other security software, have kept your software patches updated, and be alert about opening unsolicited email attachments and clicking on potentially dangerous links.

Also, if you have internet-accessible cameras elsewhere in your house – such as baby monitors or CCTV – be aware that many such devices are sold with default or weak passwords that are child’s play for hackers to crack. Make sure to configure with unique, hard-to-guess passwords just as you would for, say, your bank account.

In addition, it should go without saying that you should also update your webcam’s firmware regularly to protect against newly discovered security holes and vulnerabilities.

Furthermore, although it can be circumvented in some cases, keep a keen eye out for the webcam’s LED lighting up unexpectedly as it may imply unauthorised access by an application – perhaps being controlled remotely by a hacker or peeping tom.

Finally – cover it and unplug it. If you can, disconnect the webcam if you only use it infrequently but at the very least put a Post-It note over the lens so you can choose when you want to be “on camera” and when not.

by Graham Cluley, We Live Security

Irish Revenue, Bank of Ireland and DHL scams detected

ESET Ireland has detected increased online activity targeting Irish email addresses with phishing scams, using the names of Irish tax and Customs, Bank of Ireland and DHL.

In the recent weeks cybersecurity experts at ESET Ireland have been tracking several persistent phishing scams. The first appears to come from Irish Tax and Customs and claims the receiver is entitled to a €351.23 tax refund. A link is attached that takes the victim to a faked Revenue website, which asks for a credit/debit card details where they are to receive the refund.

Revenue

The second claims to come from the Bank of Ireland, inviting victims to take part in an “online survey” and offering a reward of €226, which is to be transferred to their 365 account, once the victim has given the scammers all the details of it.

The last one pretends to be from DHL and claims a package was rejected due to a faulty address and asks the victim to go to a forged DHL website which asks them to “log in” with their email and password, effectively stealing their login credentials and enabling cybercriminals to “hack” their email or DHL account.

dhl

ESET Ireland warns Irish computer users not to click on any links, nor open any attachments in such fraudulent emails to avoid having their money stolen and to refrain from replying to the scammers as that just validates their email addresses to them.

by Urban Schrott, ESET Ireland

Monthly Threat Report: March 2015

Top_10_ELG_mar_15_1200x627eng

The Top Ten Threats of March 2015

1. Win32/Adware.MultiPlug
Previous Ranking: 1
Percentage Detected: 3.55%

Win32/Adware.Multiplug is a Possible Unwanted Application that once it gets a foothold on the users system might cause applications to display pop-up advertising windows during internet browsing.

2. Win32/Bundpil
Previous Ranking: 3
Percentage Detected: 2.27%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address from which it tries to download several files. The files are then executed and HTTP is used for communication with the C&C to receive new commands. The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. Win32/TrojanDownloader.Waski
Previous Ranking: 5
Percentage Detected: 1.95%

Win32/TrojanDownloader.Waski is a Trojan that uses HTTP to try to download other malware. It contains a list of two URLs and tries to download a file from the addresses. The file is stored in the location %temp%\¬miy.exe, and is then executed.

4. Win32/Sality
Previous Ranking: 7
Percentage Detected: 1.41%

Sality is a polymorphic file infector. When executed registry keys are created or deleted related to security applications in the system and to ensure that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

5. HTML/Refresh
Previous Ranking: 2
Percentage Detected: 1.39%

HTML/Refresh is a Trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

6. LNK/Agent.AV
Previous Ranking: 8
Percentage Detected: 1.38%

LNK/Agent.AV is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

7. JS/Kryptik.I
Previous Ranking: 4
Percentage Detected: 1.36%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

8. LNK/Agent.AK
Previous Ranking: N/A
Percentage Detected: 1.30%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of discovery of Stuxnet, as it was one of four vulnerabilities that were executed by Stuxnet variants.

9. Win32/Ramnit
Previous Ranking: 9
Percentage Detected: 1.29%

This is a file infector that executes every time the system starts. It infects .dll (direct link library) and .exe executable files and also searches htm and html files so as to insert malicious instructions into them. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files from a remote computer and/or the Internet, and run executable files or shut down/restart the computer.

10. INF/Autorun
Previous Ranking: 10
Percentage Detected: 1.24%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to auto-execute a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.

Minecraft exploit makes it “easy” for hackers to crash servers

A security researcher has posted a Minecraft flaw that makes it “easy” for hackers to crash the game’s servers, reports Ars Technica.

Developer Anmar Askar first noticed the exploit two years ago and notified the game’s creator, Mojang, but after being “ignored” and given several “highly unsatisfactory responses” he has now published the details on his blog.

According to ZD Net, the exploit concerns how the Minecraft sever decompresses and parses data, which, when taken advantage of, can cause a processor load that would exhaust the server’s memory. A fix for the flaw “isn’t exactly that hard,” according to Askar, but the company has failed to address the issue in a series of patches.

“I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it,” he wrote. “Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time.”

The Register notes that Mojang attempted and failed to patch the flaw after Askar’s blog was published, leaving the game’s server’s still vulnerable.

Minecraft was the victim of an attack earlier this year, after 1,800 logins were leaked online in plain text format. It is thought that the data breach could be used to target gamers with phishing attacks that would put their account details at risk.

Microsoft, who purchased Minecraft last year for $2.5 billion, has not yet responded to the latest exploit.

by Kyle Ellison, ESET

Verizon report: Healthcare security shows little sign of improvement

Security in the healthcare sector has been making headlines for all the wrong reasons in recent months, and a new report has found that the industry is showing little sign of cleaning up its act.

More organizations than ever participated in this year’s Data Breach Investigations Report, which identified a record 80,000 security incidents and 2,100 data breaches. According to information shared with Healthcare IT News, 234 of those security incidents related to healthcare as well as 141 data breaches.

A number of security areas became more vulnerable, including incidents of insider misuse, which accounted for 15 percent of healthcare incidents in 2014 but jumped to 20 percent this year. Senior Verizon analyst Susan Widup says this is a particular cause for attention, as it includes everything from employee snooping to organized crime groups.

Other areas in which healthcare organizations became more vulnerable included web app attacks (seven percent, up from three percent in 2014) and denial of service attacks (9 percent, up from two percent last year and the 4 percent all-industry average.)

These jumps, of course, mean that there was some good news for the healthcare industry, as theft or loss of unencrypted devices fell from a huge 46 percent last year to 26 percent this year. “It was surprising to see that go down a bit,” said Widup, but the new figure still represents “a huge problem.” She concluded that rather than any significant improvement, healthcare is just seeing a shift in some of the threat actors.

In February, Anthem Inc. was hit by the largest ever data breach suffered by a health insurance company, potentially affecting as many as 80 million customers.

by Kyle Ellison, ESET

Follow

Get every new post delivered to your Inbox.

Join 90 other followers