The Police Service of Northern Ireland Data Leak Just Got Worse Than It Already Is

Posted in Commentary with tags on August 14, 2023 by itnerd

Last week I told you about a data leak involving The Police Service of Northern Ireland, where they accidentally published the data on all their staff, creating a critical incident in the process. As bad as that is, it just got worse. Here are the details from Sky News:

The Police Service of Northern Ireland (PSNI) says it fears its officers could be targeted and intimidated after saying it believes that dissident republicans have data on staff that was accidentally leaked by the force last week.

“We are now confident that the workforce dataset is in the hands of dissident republicans,” Chief Constable Simon Byrne said.

“It is therefore a planning assumption that they will use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff.”

And:

Earlier, a redacted version of the leaked document that listed the names of police officers in Northern Ireland was posted on a wall facing a Sinn Fein office in Belfast.

Keep in mind that peace in Northern Ireland is a relatively recent thing, the product of the Good Friday accords. Thus this data leak doesn’t exactly help a situation which has not been in a good place for a couple of years now. This situation illustrates that data breaches don’t just have a financial and reputational impact; as illustrated here, they can also have a life threatening impact.

Petro Canada App Users Still Can’t Use The App After The Company Was Pwned By Hackers Two Months Ago

Posted in Commentary with tags on August 14, 2023 by itnerd

In case you’re coming to this story without the full context, let me help you with that. Back in June, Petro Canada and their parent company Suncor were pwned by hackers. That partially took down their gas stations for a few days, and has partially crippled them ever since. Here’s a bunch of stories that you can read that will give you the full background:

Now, about two months after being pwned by hackers, it’s come to my attention that the Petro Canada app is still not working. When users try to log in, they see this:

Having the app in a state where it isn’t working for two months does not inspire confidence in users. And you have to assume that it’s also costing Petro Canada money. Let me give you an example of that. My go-to gas stations have always been Esso/Mobil and Petro Canada. And whenever I needed gas, I would go to the closest one. I didn’t really have a preference. Since Petro Canada got pwned, 100% of my gas business goes to Esso/Mobil. And there are two reasons for that change:

  • The Petro Canada app does not work as mentioned above which is a #fail for me as I use this app to pay at the pump via Apple Pay without putting my credit card into the pump or having to interact with the gas station staff. That’s important for me as gas stations have always been a place where your credit card can be cloned. The app always mitigated that possibility. But since the Petro Canada app doesn’t work, there is no mitigation. However over at Esso/Mobil, this isn’t an issue as their app works fine to pay at the pump.
  • I don’t trust Petro Canada because they haven’t really provided an update of any sort that gives me the confidence to trust them.

The thing with cyberattacks is that there are financial and reputational costs to them, and they grow the longer the attack affects the public. Petro Canada has entered a place where their reputation has taken a big hit, and this has to be affecting them financially. And I don’t see a scenario at the moment where this ends positively for them. Now Petro Canada is free to prove me wrong on that front. But as long as the public isn’t able to use their app to do anything, from paying for gas to collecting and redeeming points and the like, Petro Canada isn’t in a good place.

X/Twitter CEO Linda Yaccarino Says That The Company Is Close To Breaking Even…. Yeah Right

Posted in Commentary with tags on August 14, 2023 by itnerd

From the “where have I seen this before” department comes this story where X, or Twitter, or whatever it’s called, CEO Linda Yaccarino is claiming that even with all the chaos caused by Elon Musk, X/Twitter is somehow close to breaking even:

“I’ve been at the company eight weeks,” Yaccarino said in her first broadcast interview since taking on her new role. “The operational run rate right now… we’re pretty close to break even.”

And:

“Our data licensing and API with X is an incredible business. Our new subscription business [is] growing,” Yaccarino said. “And then, part of my, what I would say, expertise and experience, and what I came to do, was to drive advertising at the company.”

I for one am going to call this for what it is: BS.

The fact is that Twitter/X is a dumpster fire at the moment with advertisers fleeing the platform and traffic to the platform dropping. And I see no scenario where that changes as Elon is clearly intent on burning the platform to the ground. On top of that, Elon has clearly been feeding Yaccarino the toxic Kool Aid that he’s been drinking as she’s parroting his lines based on the story that I linked to. You have to wonder how long it will take before we see the effects of whatever suicide pact that Elon and Yaccarino have entered into.

I Was Targeted In A Rogers Phone #Scam… And This One Is Pretty Scary

Posted in Commentary with tags on August 13, 2023 by itnerd

Earlier this week I told you about an email scam that was using the name of Canadian telco Rogers to make you more likely to fall for it. That scam was pretty bad. But on Friday, I came across an even worse scam that uses the Rogers name.

I got a phone call that had a caller ID of “Rogers” with an area code that started with “888” which is likely spoofed. Now my wife and I haven’t been with Rogers for just over a year, but I decided to pick up the call anyway. When I did a woman asked for my wife. That made sense because the Rogers account was under her name. I told the woman that I was her husband and she could speak to me. That’s when things got interesting. The woman told me that she was calling from “Rogers Customer Loyalty” and our Rogers account was selected as part of a promotion.

This is when I started to get suspicious. Like I said earlier, we haven’t been with Rogers for just over a year. So while I can see a scenario where Rogers might call us to try and get us back, there’s no department within Rogers called “Rogers Customer Loyalty” that would do that. Thus I was starting to think that this was a scam. Normally, this is where I would suggest that you hang up. But I wanted to confirm my suspicions, so I played along.

The woman then said that the promotion in question was that Rogers wanted to give us a free iPhone 14 Pro Max with a 35GB data plan for $50 a month. That really started the alarm bells ringing because Rogers to my knowledge never gives away free phones. Not only that, they don’t as far as I know have a 35GB data plan for $50 a month. Thus I was really thinking that this was a scam. Again, instead of hanging up, I played along.

First they wanted to confirm some information. And the information that they offered up was my wife’s email address and name. Then they wanted me to confirm the order by sending me a six digit verification code.

Ding! This confirms that this is a scam.

What the threat actors are doing is getting access to your Rogers account using your email address so that they can order an iPhone of some description and ship it to some location, from where this phone, and every other phone from anyone who fell for this scam, is then shipped to some other country for resale. Likely India, given that the person who called me had an Indian accent. The other possibility is that you do get the phone, but they will call you on the day that you get it and say that they messed up and you need to send the phone back. They’ll email you a “return label” that simply sends the phone to a location from where they can forward the phone overseas. In either case, you get stiffed with the bill for the phone. The threat actors need the six digit verification code to get into your account because Rogers has moved to using two factor authentication in order to stop threat actors from brute forcing their way into your account.

At this point I hung up, but here’s what concerned me. The threat actors have clearly acquired some accurate information that allows them to perpetrate the scam. It makes me wonder whether Rogers had some sort of data breach where this information ended up in the hands of threat actors, or whether they used a third party call centre which has a copy of this data and is now using this information for evil purposes. I don’t know for sure. But given that they called me with some very accurate information, the question has to be asked.

So if you get a call like this, what should you do? This is what I suggest:

  1. Hang up and call into Rogers using one of the phone numbers on the Rogers website. The person that you speak to will instantly be able to tell you if you have any offers on your account. Chances are that you don’t have any offers, or not ones that fit this description, thus validating that this is a scam. They may also put a fraud alert on your account for your protection. At the same time, you should also confirm that no changes have been made to your account.
  2. Never, ever give the threat actor the six digit verification code. They may say things to convince you that it’s okay to give them the verification code, but they are lying. No Rogers employee would ever ask for this code. Ever.

A suggestion that I have is that if you get a call like this, you should change the email address that your Rogers account uses. That way you can spot scams like this easier.

In my research for writing this story, I have not heard of a similar scam that targets Bell or TELUS customers. Nor any other telco in Canada. But a Reddit thread that I found seems to validate that I am not the only person who got a call like this. Thus this seems to be strictly targeted towards Rogers customers which adds some weight to the fact that the threat actors clearly have some information to allow them to target Rogers customers. Thus I have to wonder what Rogers is doing to investigate this and address this as this is clearly a threat aimed at former and current Rogers customers. Given the scale of this issue, Rogers needs to say something. And the sooner the better. In the meantime, watch out for this scam.

Ford Cars With WiFi Are Vulnerable To Pwnage

Posted in Commentary with tags on August 12, 2023 by itnerd

My wife and I have avoided owning any “connected” cars because of the fact that if you connect anything to the Internet, it can potentially be pwned by hackers. Fiat/Chrysler, now known as Stellantis, found that out a few years ago when some white hat hackers demonstrated that their cars could be fully taken over remotely, which in turn led to a huge recall.

Now it seems to be Ford’s turn. Texas Instruments has identified a flaw in the driver that runs its WiFi subsystem which allows a nearby attacker to trigger a buffer overflow over WiFi using a specially crafted frame. Ford uses this WiFi subsystem in their SYNC3 infotainment system, which is found in at least the following vehicles:

  • Ford EcoSport (2021 – 2022)
  • Ford Escape (2021 – 2022)
  • Ford Bronco Sport (2021 – 2022)
  • Ford Explorer (2021 – 2022)
  • Ford Maverick (2022)
  • Ford Expedition (2021)
  • Ford Ranger (2022)
  • Ford Transit Connect (2021 – 2022)
  • Ford Super Duty (2021 – 2022)
  • Ford Transit (2021 – 2022)
  • Ford Mustang (2021 – 2022)
  • Ford Transit CC-CA (2022)

Ford has put out a press release that says the following:

Ford learned from a supplier that a security researcher discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. Immediately, and in collaboration with them, we began developing and validating measures to address the vulnerability.   

To date, we’ve seen no evidence that this vulnerability has been exploited, which would likely require significant expertise and would also include being physically near an individual vehicle that has its ignition and Wi-Fi setting on. Our investigation also found that if this vulnerability was exploited, however unlikely, it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking.  

Soon, Ford will issue a software patch online for download and installation via USB. In the interim, customers who are concerned about the vulnerability can simply turn off the Wi-Fi functionality through the SYNC 3 infotainment system’s Settings menu. Customers can also find out online if their vehicles are equipped with SYNC 3. 

Needless to say, Ford owners with SYNC3 should install this patch as soon as it appears. And for the record, I am not completely buying what Ford is saying here. I say that because the bulletin from Texas Instruments says this:

The CVSS base score for this issue can range from 8.8 to 9.6. The higher base score reflects a Confidentiality and Integrity impact of High. However, some systems can have a Confidentiality or Integrity Impact of Low depending on the characteristics of the host processor executing the WL18xx MCP driver and whether the disclosure or modification of the memory that can be accessed represents a direct or serious loss.

So, depending on how Ford uses this driver, this could be anywhere from a minimal to a non-issue, or it could be extremely bad. I for one would like to see Ford shed more light on this, as that would either reassure Ford owners if it is the former, or push them to turn off WiFi until the patch comes out. The fact that Ford is suggesting (not recommending, to be clear) that people who are concerned turn off the WiFi in their cars kind of suggests to me that it might be the latter. But I have zero evidence to back that up. It’s just a hunch on my part.

I for one hope Ford gets this patch out quickly. And this reinforces the fact that my wife and I, when we get our next car, will lean towards one that is “disconnected.”

Fortra Introduces New Integrations for Offensive Security

Posted in Commentary with tags on August 11, 2023 by itnerd

Global cybersecurity software and services provider Fortra today announced new integrations for its offensive security solutions that streamline capabilities for vulnerability management, penetration testing, and red teaming. Working together, the solutions apply the same techniques used by threat actors to identify and exploit gaps in an organization’s security. With this proactive security approach, customers can find and fix weaknesses in their security posture before they are exploited.

Fortra’s offensive security solutions, including Frontline Vulnerability Manager (VM), Core Impact penetration testing software, Cobalt Strike adversary simulation software, and Outflank Security Tooling are now interoperable, providing data centralization, easy information sharing, reduced console fatigue, accelerated time-to-remediation, among other benefits.  

Fortra’s offensive security offerings come in five configurations for an enhanced security stance and centralized control:    

  • Essentials – Combines Fortra’s Frontline VM, the industry’s most comprehensive SaaS vulnerability management solution, with Fortra’s powerful penetration testing platform, Core Impact, to scan, evaluate and prioritize security vulnerabilities and remediation efforts throughout an organization’s network. 
  • Advanced – Combining Fortra’s penetration testing and adversary simulation software solutions, Core Impact and Cobalt Strike, this provides a robust view of vulnerabilities through advanced ransomware and phishing simulations and comprehensive reporting, while also giving teams the ability to collaborate in real time.  
  • Elite – Combines Frontline VM, Core Impact, and Cobalt Strike, allowing customers to evaluate security, identify vulnerabilities and proactively reduce risk. These combined vulnerability management, penetration testing, and adversary simulation tools run at the same time and are interoperable, streamlining the process to identify, analyze and prioritize vulnerabilities. 
  • Red Team – Built to integrate seamlessly into Cobalt Strike’s flexible command and control framework, Outflank Security Tooling extends a company’s red teaming capabilities. Together, these tools can deploy more sophisticated adversary simulation and assess overall security posture and vulnerability.  
  • Advanced Red Team – Combines Core Impact, Cobalt Strike and Outflank Security Tooling to safely evaluate security gaps, defenses and security strategies using the same tactics as today’s threat actors. Together, these solutions provide a holistic security testing methodology for advanced red teamers. 

For more information about Fortra’s offensive security capabilities, visit: https://www.fortra.com/products/bundles/offensive-security.

Flashpoint Research: Malicious Telegram-Based AI Chatbot “FraudGPT” Could Simplify Cybercrime; Clop Claims To Post Victim Names on August 15

Posted in Commentary with tags on August 11, 2023 by itnerd

Here are a couple of topics that Flashpoint’s research team has been keeping tabs on this week.

  1. Malicious Telegram-Based AI Chatbot “FraudGPT” Could Simplify Cybercrime

KEY TAKEAWAYS

  • “FraudGPT,” likely also referred to as “ChatGPT Fraud Bot,” is a bot targeting online actors who want to commit illicit activity. 
  • This and similar tools, such as “WormGPT,” emulate ChatGPT, but without ChatGPT’s safeguards, which generally prevent the tool from providing responses that may lead to unethical or illegal activity. 
  • Flashpoint procured access to this bot and determined that it appears to have similar functionality to WormGPT. FraudGPT provides answers to questions that could enable cybercrime and that other bots, such as ChatGPT, refuse to answer.
  • For example, unlike ChatGPT, FraudGPT is willing to provide malware samples. However, the malware sample it provided was not highly effective.
  • It also provided a list of Dark Web markets upon request, though the list was outdated.      
  • Ultimately, the threat posed by FraudGPT and other similar tools likely depends on how their operators use them.
  • The dual-edged nature of technology is evident; while advancements like ChatGPT can be created with ethical intentions, their underlying technology can easily be repurposed for malicious activities.

BACKGROUND: Threat actors are advertising AI chatbots that have allegedly been trained on illicit content from the cyber underground and can be leveraged to commit fraud and enable illegal activity. Sellers are advertising an increasing number of fraud-related chatbots. Observed subscription prices include US$100 a month or several hundred dollars a year.

Several of these tools emulate ChatGPT, but without ChatGPT’s safeguards, which generally prevent the tool from providing responses that may lead to unethical or illegal activity. However, researchers and malicious actors have found ways to work around some of ChatGPT’s restrictions, such as by using prompt injection attacks.

“FraudGPT,” also known as “Chat GPT Fraud Bot,” is a malicious Telegram-based chatbot that purportedly provides AI-generated content that can be used for a variety of fraud and cybercrime purposes. FraudGPT is similar to the malicious AI bot “WormGPT,” which Flashpoint profiled in July 2023. FraudGPT emerged on Dread shortly after WormGPT began making headlines. FraudGPT’s answers are often similar to those of WormGPT, but when asked identical prompts, it offers its own answers. While WormGPT uses a fingerprint login via a URL, FraudGPT is accessed via Telegram. FraudGPT’s responses incorporate rude commentary as well as disclaimers regarding the illegality of the advice.

Additional available tools, such as “WolfGPT” and “XXXGPT,” also advertise similar capabilities. However, it is unclear how effective these tools are in enabling malicious online actors. The proliferation of these types of tools will likely continue as members of illicit communities seek to use them to enhance their capabilities. However, as researchers test these bots, it appears that their answers have some limitations. In some cases, the malicious chatbots decline to answer questions, do not answer them in detail, or warn the user not to engage in illegal activity. The severity of the risks posed by these tools thus likely depends on the actors using them.

  2. Clop Claims To Post Victim Names on August 15

Clop posted the following message on their ransomware leak site, indicating that they will start publishing data from companies that are infected but have not contacted Clop: 

Now we post many company name and proof we have their secrets and data. Some company do not speed to us and decide to stay quiet. We are very reasonable operators and when right situation we offer deep discount to block you data from being sold and publish. Advice you to contact us and begin discussion on how to block publicate of data. On 15 August we start publishing of every company on list that do not contact. You data is going to publishing on clearweb and Tor and for large company we also create clearweb URL to help google index you data. Also all data go on torrent and speed of download is very quick. YOU NOT HIDING MORE.

As of August 9, 2023, analysts have observed 659 victims that have appeared on the ransomware blog, or publicly disclosed or reported on the incident. For context, they have identified approximately 260 victims on Clop’s ransomware blog, and 486 on CRA through responsible disclosure or reporting. Several of these victims result from third-party compromise and may not be directly affected. They cannot accurately assess the total number of additional victims that may appear on the ransomware blog beginning on August 15. 

Moneris Supports TTC with Solution For Credit And Debit Payments

Posted in Commentary with tags on August 11, 2023 by itnerd

Starting August 15, it’ll be easier and more convenient for passengers who take the TTC in Toronto to pay their fare as the transit system will have an option to tap an Interac debit or credit card on PRESTO devices.

Moneris, Canada’s largest provider of innovative solutions for mobile, online and in-store payments, is excited to be supporting the TTC with an open loop payment solution, which will provide a seamless and secure process for paying, giving commuters more options and convenient ways to pay.  

Moneris is proud to work with transit authorities and their technology partners across the country to improve rider experience. They have been long-time partners to multiple transit systems like STL in Quebec, Translink in BC and others across Ontario for Metrolinx. 

ONCD/CISA Have A Request For Information On Open Source security

Posted in Commentary with tags on August 11, 2023 by itnerd

The ONCD / CISA has issued a Request for Information on security areas in open source software, seeking insights on their long-term focus and prioritization:

The security and resiliency of open-source software is a national security, economic, and a technology innovation imperative. Because open-source software plays a vital and ubiquitous role across the Federal Government and critical infrastructure, vulnerabilities in open-source software components may cause widespread downstream detrimental effects. The Federal Government recognizes the immense benefits of open-source software, which enables software development at an incredible pace and fosters significant innovation and collaboration. In light of these factors, as well as the status of open-source software as a free public good, it may be appropriate to make open-source software a national public priority to help ensure the security, sustainability, and health of the open-source software ecosystem.

Allen Drennan, Co-Founder & Principal, Cordoniq had this comment on this initiative:

It is critical that we prioritize the primary open-source security software infrastructure that runs the Internet. A significant portion of the Internet uses open-source security stacks such as OpenSSL for cryptography and PKI for both clients and servers, and history has shown that major vulnerabilities in these components have widespread implications (think Heartbleed). Ideally ONCD and CISA need to derive an overall plan that not just involves how to identify and rectify issues in open source security stacks; it also needs to come up with a plan to react to issues in the event they arise so widespread malware attacks can be mitigated.

Open source software can’t become the Wild West as that will simply end badly. Thus this is a good move to make sure that this does not happen and open source software can be used safely regardless of the use case.

HP sees attackers combine simple methods to fool detection tools and deploy multi-language malware

Posted in Commentary with tags on August 10, 2023 by itnerd

A new threat blog from HP Wolf Security’s threat research team has just gone online. The blog shows how opportunistic threat actors can use simple techniques and inexpensive cybercrime tools to bypass Windows security features and anti-virus scanners. HP Sure Click protects users from this type of attack, and it is what enabled HP to capture the malware trace. The blog also outlines HP’s analysis of the attack and describes mitigations for organizations that aren’t protected. In this case, threat actors used a mix of simple-but-effective and clever tricks to infect victim PCs with AsyncRAT, a remote access trojan that steals sensitive information:

  • The art of illusion: What’s in a name? By simply mislabelling unusual file types (such as batch files) as something more familiar (like a PDF), attackers can trick users into clicking on malicious attachments. This basic technique takes advantage of Windows hiding file extensions by default. For example, if you save a batch (.bat) file as “hello.pdf.bat”, it will show up as “hello.pdf” in Windows File Explorer. While this technique is not new, we see it being used more frequently by commodity threat actors.
  • Ones and zeroes – Attackers are artificially inflating their malicious files by padding them with millions of meaningless ones and zeros. Some were almost 2GB in size, too large for many anti-malware scanners to analyze, allowing malware to slip past a critical detection measure. Because the inflated section follows a repeating pattern, the malware can be compressed into an archive file only a few megabytes large – ideal for spreading the malware in spam campaigns.
  • Here comes the clever part: multi-language malware – by using multiple programming languages, the threat actor evaded detection by encrypting the payload using a crypter written in Go, before disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory – leaving minimal traces on the PC.
    • In-memory execution of .NET files from C++ requires in-depth knowledge of undocumented Windows internals, but threat actors can access these techniques through tools sold in hacker forums. 
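The first two tricks above (the hidden double extension and the padded file) are both cheap to check for on the defender’s side, so here is a small triage script that does exactly that. It is an added example, not HP’s code and not something from the blog being described. The extension lists are my own constructed, non-exhaustive choices, and the padding check works on a simple assumption: filler that follows a repeating pattern compresses to almost nothing, so a large file whose tail shrinks to under 1% of its size under zlib is worth a closer look. The samples at the bottom are constructed for the demonstration and contain no real malware.

```python
"""Triage checks for deceptive double extensions and padding-inflated files.

Added example (not HP's code). Extension lists and thresholds are constructed
choices; adjust them for your environment.
"""
import os
import zlib

# Extensions Windows will execute directly (constructed, not exhaustive).
EXECUTABLE_EXTS = {"bat", "cmd", "exe", "scr", "js", "vbs", "ps1", "com", "pif", "hta"}
# Extensions a user expects to be harmless documents or media (constructed).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def displayed_name(filename: str) -> str:
    """What Explorer shows when 'hide extensions for known file types' is on:
    the name with its final extension removed."""
    base, _, _ = filename.rpartition(".")
    return base if base else filename


def deceptive_double_extension(filename: str) -> bool:
    """True when the real extension is executable but the visible name ends in
    a document-like extension, e.g. 'hello.pdf.bat' is shown as 'hello.pdf'."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    real_ext, shown_ext = parts[-1], parts[-2]
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def padding_ratio(data: bytes, sample: int = 1 << 20) -> float:
    """Compressed size / original size of the file's tail (where padding is
    usually appended). Repeating filler gives a value close to 0; genuine
    code or encrypted data stays near 1."""
    tail = data[-sample:]
    if not tail:
        return 1.0
    return len(zlib.compress(tail, 6)) / len(tail)


def looks_inflated(data: bytes, min_size: int = 50 * 1024 * 1024,
                   max_ratio: float = 0.01) -> bool:
    """Flag files that are both large and whose tail is almost pure filler."""
    return len(data) >= min_size and padding_ratio(data) <= max_ratio


def triage(filename: str, data: bytes, min_size: int = 50 * 1024 * 1024) -> list:
    """Return a list of human-readable findings for one attachment."""
    findings = []
    if deceptive_double_extension(filename):
        real_ext = filename.rsplit(".", 1)[-1]
        findings.append(f"shown as '{displayed_name(filename)}' but runs as .{real_ext}")
    if looks_inflated(data, min_size=min_size):
        findings.append(f"{len(data)} bytes; tail compresses to "
                        f"{padding_ratio(data):.4f} of its size (padding?)")
    return findings


# Constructed samples (not real malware): a tiny batch stub followed by 2 MiB
# of repeating '0'/'1' filler, and an incompressible blob for contrast.
PADDED_SAMPLE = b"@echo off\r\nrem placeholder\r\n" + b"01" * (1 << 20)
RANDOM_SAMPLE = os.urandom(64 * 1024)

if __name__ == "__main__":
    # min_size is lowered here only so the small constructed sample trips it.
    for name, blob in (("hello.pdf.bat", PADDED_SAMPLE), ("report.pdf", RANDOM_SAMPLE)):
        print(name, triage(name, blob, min_size=1 << 20) or ["no findings"])
```

Two design notes: the padding check compresses only the tail so it stays cheap on a 2 GB file that a full scanner may refuse to open, and the double-extension check deliberately ignores `.exe` renamed to `.pdf` (no second dot), because that case is caught by content sniffing rather than by the name.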

The blog is here for your reading pleasure.