Tuesday, March 28, 2017

Hackers threaten mass iCloud carnage: don't panic, but do enable 2FA

There have been rumblings in recent weeks (with varying degrees of credibility and/or paranoia) of several hundred million Apple accounts stolen by hackers, with a threat that the iPhones, iPads, and iCloud backups associated with these accounts will be deleted on April 7 unless Apple pays a ransom fee. The threat is that owners of those accounts could wake up to find all their pictures, all their files, all their data, deleted forever.

ZDNet's Zack Whittaker has a sane take on the matter: Apple has not been hacked, but people are prone to reusing the same passwords across all the apps and websites they use - many of which have been breached. ZDNet's analysis has found that not all the accounts the hackers claim to have compromised are indeed compromised - but a not insignificant number are.

What you need to know:
  • If you haven't changed your Apple (aka iCloud) password recently (as in, within the last 6 months or so), it wouldn't be a bad idea to change it now. 
  • Use separate passwords for each account, so one stolen password doesn't put all your other accounts at risk.
  • Enable two-factor authentication on any accounts that matter to you, so a stolen password by itself isn't enough to break into your account and steal or delete your valuable data. Here's how to enable it on your Apple ID: https://support.apple.com/en-us/HT204915

Friday, March 24, 2017

Why is this website impersonating the FBI-run InfraGard?

The real and fake InfraGard websites side-by-side

Can you tell which is the real InfraGard login screen?

InfraGard is a partnership between the FBI and private business, created to share information about threats. It consists of members from private business, state and local government agencies, state and local law enforcement agencies, schools and universities. Some of the information shared with members - while not classified - is also not entirely public.

The true web portal for InfraGard is www.infragard.org -- the image on the left.

Someone created a pretty convincing replica of the real portal, at www.infragard.com -- the image on the right. Other than a few outdated images, the only noticeable differences are that the replica domain name ends in .com instead of .org, and the replica is served over non-secure http instead of https.

Tuesday, March 21, 2017

Cisco's CIA Vault7 exploit in context

Cisco issued a security bulletin on March 17, disclosing a remote code execution vulnerability in the Cluster Management Protocol function of IOS and IOS XE software, affecting over 300 Cisco switches and routers. Through this vulnerability, remote attackers can take complete control of a network device.

Cisco discovered the flaw while going through the WikiLeaks "Vault7" documents believed to have come from the CIA, suggesting that the flaw has been actively exploited. Naturally, every tech writer on the planet has rushed in to write doom and gloom stories of mass exploitation.

Slow down just a bit.

Those following long-standing best practices for securing infrastructure hardware are not at risk. The vulnerability can only be exploited through the Telnet protocol, and requires access to the management interface of a switch. 

Telnet communicates with a remote device unencrypted - transmitting usernames and passwords, as well as commands and configuration details, in the clear where anyone listening can intercept them. All modern switches and routers support SSH, which serves the same purpose but with an encrypted connection.

Disable the Telnet service on your Cisco switches, restrict management to an isolated management network, and update the OS as soon as practical once Cisco issues a fix.
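To check the first two of those steps against a saved configuration, the following added example (not from the original post or from Cisco) parses the `line vty` blocks of an IOS-style running-config and reports whether each allows Telnet and whether an inbound `access-class` is applied. The sample config, the function name `audit_vty`, and the choice to report a missing `transport input` line as "unknown" rather than assume a platform default are all assumptions of this example.

```python
import re

# Constructed sample running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
hostname lab-sw1
!
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
line vty 16 31
 login local
!
end
"""

def audit_vty(config):
    """Return one finding per 'line vty' block of an IOS-style config."""
    findings, current = [], None
    for raw in config.splitlines():
        header = re.match(r"^line vty (\d+)(?: (\d+))?\s*$", raw)
        if header:
            current = {"lines": header.group(0).strip(), "transport": None, "acl": None}
            findings.append(current)
        elif current is not None and raw.startswith(" "):
            words = raw.split()
            if words[:2] == ["transport", "input"]:
                current["transport"] = words[2:]
            elif len(words) >= 3 and words[0] == "access-class" and words[2] == "in":
                current["acl"] = words[1]
        else:
            current = None  # a non-indented line ends the vty block
    for f in findings:
        t = f["transport"]
        if t is None:
            # Assumption: no platform default is guessed; flag for manual review.
            f["telnet"] = "unknown"
        elif "telnet" in t or "all" in t:
            f["telnet"] = "allowed"
        else:
            f["telnet"] = "blocked"
    return findings

if __name__ == "__main__":
    for f in audit_vty(SAMPLE_CONFIG):
        print(f["lines"], "telnet:", f["telnet"], "access-class:", f["acl"])
```

Any block reported as "allowed" or "unknown", or with no access-class, is a candidate for `transport input ssh` and a management-network ACL.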

Carry on.

Wednesday, March 15, 2017

Facebook Messenger phishing scam

A phishing scam is using Facebook Messenger to spread, by telling your friends a video of them has gone viral.

Updated 20-March: My initial analysis was limited due to traveling without my laptop, and with unreliable data service. I've updated the post with a few additional domains to block, and to show the different behavior on mobile versus PC.

There’s a scam making the rounds on Facebook, making use of Facebook Messenger to spread. (Sysadmins, scroll to the bottom for a list of domains to block).

It starts when you receive a message from a friend that simply says your name, with your profile picture made to look like a preview of a video with hundreds of thousands of views. The implication is that there is a “Facebook Video” of you that has gone viral.