FBI, DHS Issue Warning On North Korea-Linked Malware

The FBI and the DHS issued a joint warning on the “Volgmer” Trojan malware, which has been infecting multiple organizations across industries over the past few years. The FBI has “high confidence” that the IPs linked to Volgmer belong to North Korea.

Volgmer Trojan

The FBI said that the Volgmer malware has been noticed in the wild since 2013 and has targeted government, financial, automotive, and media industries. The primary delivery mechanism for the malware seems to be spear phishing, a type of phishing attack in which a specific individual or organization is targeted. Through it, the attackers can gain higher privileges inside the network and then further infect the network with their malware.

The Volgmer backdoor is capable of gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. The US-CERT Code Analysis Team also observed in one of the malware samples that Volgmer has botnet controller functionality, too.

According to the government agencies inspecting this malware, Volgmer has been seen in 32-bit executable form, as well as a dynamic-link library (.dll). The malware uses a custom protocol, often with RC4 encryption, to send back data to the command and control (C2) servers. Volgmer maintains persistence by randomly selecting a Windows service in which it can copy itself.

Mitigations

The FBI and the DHS recommend that organizations take a look at the Volgmer-linked IPs and analysis. If they find those IPs connecting to their networks, the companies should take measures to block them and then look for the malware and remove it.

The government agencies have also prepared a list of host-based rules and network signatures that companies can use to detect malware activity related to North Korea. They warned that despite the careful selection of those rules and signatures, some false positives may exist.
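The advisory's first mitigation step, checking whether the published Volgmer-linked IPs appear in your own connection logs, is straightforward to automate. The following Python script is an added example, not part of the advisory or this article: it loads an indicator list into CIDR networks and scans firewall log lines for destinations that fall inside them. The indicator addresses and the log lines are constructed placeholders (RFC 5737 test ranges), not the FBI/DHS IPs, and the log format is an assumed simplified one; swap in your own list and your firewall's real format.

```python
"""Match outbound connections in firewall logs against an IP indicator list.

Added example for the Volgmer advisory discussion; the indicators below are
placeholders in RFC 5737 test ranges, not the FBI/DHS list.
"""
import ipaddress
import re

# Constructed placeholder indicators (a real list comes from the advisory).
INDICATORS = [
    "203.0.113.0/24",   # placeholder for an advisory CIDR block
    "198.51.100.17",    # placeholder for a single C2 address
]

# Constructed sample log lines in an assumed, simplified firewall format.
SAMPLE_LOG = """\
2017-11-15T09:12:01Z ALLOW TCP 10.0.4.21:51234 -> 93.184.216.34:443
2017-11-15T09:12:07Z ALLOW TCP 10.0.4.21:51240 -> 203.0.113.77:8080
2017-11-15T09:13:45Z ALLOW TCP 10.0.7.9:49822 -> 198.51.100.17:443
2017-11-15T09:14:02Z DENY  TCP 10.0.7.9:49823 -> 198.51.100.18:443
this line is malformed and must be skipped, not crash the scan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def load_indicators(entries):
    """Turn indicator strings (single IPs or CIDRs) into network objects.

    A bare IP becomes a /32, so every entry is matched the same way.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Parse one log line; return None for malformed lines or bad addresses."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src_ip"] = ipaddress.ip_address(rec["src"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def match_indicator(ip, nets):
    """Return the first indicator network containing ip, else None."""
    for net in nets:
        if ip in net:
            return str(net)
    return None


def scan_log(lines, nets):
    """Return one hit record per log line whose destination is an indicator.

    Both ALLOW and DENY lines are reported: a DENY still shows an internal
    host trying to reach the indicator, which is what the advisory says to
    investigate and clean up.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        indicator = match_indicator(rec["dst_ip"], nets)
        if indicator:
            hits.append({
                "ts": rec["ts"],
                "src": str(rec["src_ip"]),
                "dst": str(rec["dst_ip"]),
                "dport": int(rec["dport"]),
                "action": rec["action"],
                "indicator": indicator,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines(), load_indicators(INDICATORS)):
        print(hit)
```

The source host in each hit is the one to examine for the backdoor itself; blocking the destination at the perimeter alone, as the advisory notes, is only the first step.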

The DHS also recommended that organizations implement security best practices, such as:

The agencies would also like to remind companies that a successful network intrusion can lead to loss of sensitive and proprietary information, disruption to regular operations, and financial and reputation losses.

Google rolls out new, crazy-secure email

SAN FRANCISCO — Google on Tuesday rolled out a nasty-complicated but insanely secure version of its Google accounts aimed at “those who need it most,” such as journalists, politicians and activists. It’s not pretty but stands a good chance of keeping the bad guys out.

Called the Advanced Protection Program, it requires users to jump through a series of hoops most Internet companies have worked for years to make go away — dongles, extra passwords, locked-down systems that can’t talk to anything else and a non-intuitive sign-up procedure.

This is so not plug-and-play.

What it is, however, is safe. Not “I work for the National Security Agency and print out the nuclear codes every time they change” safe, but more “I’m working on a Senate campaign and we really don’t want the Russians, or anyone else, to get into our email system” safe.

Signing up requires a Google account and then linking not one but two dongles, or small devices that connect to a computer’s USB port or via Bluetooth. Each produces a highly secure code key that uses the standards of the international FIDO Alliance (for Fast IDentity Online).

These plastic keys are about the size of a regular door key but instead hold codes Google uses to verify that you’re you and that you should have access to the account. The key can plug into a computer’s USB port or connect via Bluetooth to a mobile device such as a phone.

While the secure accounts are free, the hardware to make them secure costs money. A USB security key runs about $25 while the Bluetooth-enabled keys are about $18.

Once you’ve tied these keys to your Google account, you’ve got to have one of them present in order to access your mail and files.

Otherwise — take note — it’s Do Not Pass Go, Do Not Collect Your Email.

“What I think has changed is that people recognize they may never be able to ‘learn’ how to act optimally in a defensive sense, so this program literally eliminates many sources of humans messing up,” said Joseph Lorenzo Hall, chief technologist with the Washington D.C.-based non-profit the Center for Democracy & Technology.

That means using a locked-down Gmail account which may not have all the functionality a more open one could have, though Google does say it’s exploring adding access to some trusted partners as time goes by.

And about that dongle? You really, really don’t want to lose it, or forget your password. Google hasn’t even said what the recovery process will look like, but it is expected to take three to five days.

This isn’t an email system for everybody, Hall said. Those who are considering it should think carefully about the threats they face before they sign on. For most regular email users it will be overkill.
But if someone’s possibly being targeted by a nation state attacker or very determined attackers or organized criminals, the answer is a clear yes, he said.

“Sexual assault and domestic violence victims, billionaires, finance employees, judges and law enforcement officers — they certainly face these threats and should use it,” he said.

The system also doesn’t allow users the freedom that non-secure Google accounts have. Once signed up, their Google account is only able to gather data from a few secure apps so that miscreants can’t get to their inbox or Google drive via them.

In a way, this is an admission of defeat but also of reality. The Holy Grail of online security has long been a system with serious security that was as easy to use as any other program.

With the launch of Advanced Protection, Google is acknowledging that while no one has come up with something that’s both easy to use and secure, there are enough people out there who really need protection that even a somewhat gnarly program is going to find users.

Wi-Fi has a serious vulnerability. Here’s how to stay safe

Wi-Fi is the invisible connective tissue of the internet. But on Monday, we all learned of a vulnerability in the method that wireless networks use to secure the information that travels from your router to your device, and it lies in a protocol called WPA2. Mathy Vanhoef, a 28-year-old postdoctoral researcher at KU Leuven, a university in Belgium, discovered the issue, called KRACKs, months ago.

Here’s what you need to know about the problem, and what to do about it.

It starts with a handshake

When a machine like a laptop or smartphone connects to a Wi-Fi network, the two gadgets carry out a multi-step handshake. That process involves confirming that your phone, for example, has the right password to connect to the network. The handshake system also produces encryption keys that keep the data secure, so no one can snoop on you. It’s here where the vulnerability lies—the exploit causes one of those keys to be reused, which is a security no-no.

“We found a weakness in the design of this WPA2 protocol [in which] we can force a victim into reusing a key,” Vanhoef, the researcher who discovered the issue, says. “In turn we can use that to reveal sensitive information that the victim is sending, such as passwords, or usernames, and so on.”

Good news: For this exploit to actually happen, the hacker taking advantage of it must be in range of the Wi-Fi network, so it’s not the kind of attack that can be carried out from the other side of the world. Bad news: if done successfully, the attacker could intercept and see the data that flows from your device to the internet.
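Why reusing one of the handshake's keys is "a security no-no" is easiest to see with a small stream-cipher model. The Python below is an added example, not code from the researcher or from this article; it stands in for WPA2's real cipher with a constructed SHA-256 counter-mode keystream, which is an assumption made so it runs with only the standard library. It shows that two messages encrypted under the same key and nonce leak the XOR of their plaintexts, so whichever one the receiver already knows (a predictable header, a known username) exposes the other, and it shows the behaviour a correct implementation must have instead: refuse to encrypt twice under the same nonce.

```python
"""Keystream reuse, modelled with a constructed stream cipher.

Added example for the KRACK discussion. The keystream generator below is a
stand-in (SHA-256 in counter mode), not WPA2's actual cipher; the property
demonstrated, that reusing a (key, nonce) pair leaks plaintext, is general.
"""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream: SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class NonceTrackingEncryptor:
    """The safe side: remembers every nonce and refuses to reuse one."""

    def __init__(self, key: bytes):
        self.key = key
        self.used = set()

    def encrypt(self, nonce: bytes, plaintext: bytes) -> bytes:
        if nonce in self.used:
            raise ValueError("nonce reuse refused: would repeat the keystream")
        self.used.add(nonce)
        return encrypt(self.key, nonce, plaintext)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one keystream: c1 XOR c2 == p1 XOR p2.

    The keystream cancels out, so the attacker never needs the key.
    """
    return xor(c1, c2)


def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Knowing one plaintext turns the leaked XOR into the other plaintext."""
    return xor(reuse_leak(c1, c2), known_p1)


def demo():
    """Encrypt two constructed messages under a reused nonce and show the leak."""
    key = b"\x01" * 16            # constructed key
    nonce = b"\x02" * 8           # constructed nonce, reused below
    p1 = b"username=alice"        # constructed, assumed known to an observer
    p2 = b"password=hunter"       # constructed secret
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)  # same (key, nonce): this is the defect
    leaked = recover_other(c1, c2, p1)
    return c1, c2, leaked


if __name__ == "__main__":
    c1, c2, leaked = demo()
    print("recovered without the key:", leaked)
    safe = NonceTrackingEncryptor(b"\x01" * 16)
    safe.encrypt(b"\x02" * 8, b"first message")
    try:
        safe.encrypt(b"\x02" * 8, b"second message")
    except ValueError as err:
        print("refused:", err)
```

The point for the patching advice later in the article: the fix is in the client or access-point software that manages nonces during the handshake, which is why the remedy is a software update rather than a new Wi-Fi password.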

“When I initially discovered it, it was really surprising to find this,” Vanhoef says. “Because this WPA2 protocol has been around for 14 years.”

For those looking for a more thorough explanation of the problem, Leuven has published a research paper on the topic and also lays it all out in a website about it.

Who’s affected?

The problem lies in the WPA2 wireless protocol—so it’s not something that a specific device-maker created. According to Vanhoef, common operating systems like iOS, Android, Linux, and Windows are all susceptible, but to different degrees. The most vulnerable devices run the Android and Linux operating systems, Leuven says.

Your home Wi-Fi network is less likely to be vulnerable than a big one, like a public Wi-Fi system at an airport or an office.

Leuven says it is unclear if anyone has actually used the exploit yet. “We’re not in a position to determine if people are abusing this or not,” he says. But he remains most concerned about smartphones running Android.

So what should you do?

The most important thing you can do—today and always—is install the automatic updates that companies push out. Whether your smartphone or laptop is running iOS or Android, Windows or macOS, the key is to “always install updates,” Leuven advises. No need to change the password on your home Wi-Fi network, he says. (Microsoft is on the ball with this one and patched the issue on October 10.)

And while home networks and routers are less vulnerable than others, it’s also a good idea to make sure your router’s firmware is updated. For example, Netgear published an article listing the routers, cameras, range extenders, and other gizmos that are vulnerable to this exploit, and explains how to get the newest firmware.

Karen Sohl, a communications director for Belkin, Linksys, Wemo, says that they are “aware” of the vulnerability. “Our security teams are verifying details and we will advise accordingly,” she says, via email, adding that they “are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.”

And Apple confirmed to Popular Science that fixes for the exploit are coming to consumers via updates in the next few weeks for iOS, macOS, watchOS, and tvOS; those same updates are already out in either public or developer betas.

“Don’t panic,” Candid Wueest, a threat researcher with Symantec, says. However, he adds, “It is definitely a serious vulnerability which is present in the design of Wi-Fi as we use it, with the WPA-2 encryption.”

Like Leuven, Wueest stresses the importance of updating the software that runs your devices. He also recommends that if you are sending sensitive information, check your browser to make sure the connection is secured with HTTPS/SSL. (Look for a lock symbol in the URL field.) When configured correctly, that protocol protects your information with an additional level of security. The last step to take, for the truly worried? Consider using a virtual private network, or VPN.

Ultimately, a vulnerability like this is “rare,” but compared to malicious code like WannaCry, Wueest says, “it’s not as bad for the internet.”