While those who were hit are still trying to understand where their security gaps are, others enterprises that rely on legacy systems and can’t be patched are looking for ways to prevent being the next victim.

No, the vulnerabilities attackers leverage are not new. They prey on systems that have not been updated. This is where IT support and protection is essential.

There is no one-fits-all fix, but Sweet offered some sound advice on a variety of both long- and short-term solutions.

The main culprit behind this attack is a new ransomware that researchers intially called Petya, because it resembled an oldr ransomware strain that encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. Later, it was discovered this is a new strain altogether, which researchers have started referring to as NotPetya or Petna.

What might have helped protect companies from these worm-like ransomware attacks?

The important thing to remember is that WannaCry and Petya were, in actuality, easily preventable. Victims of these attacks were only victims because they failed to conduct basic software patching. Enterprises searching for a way to protect themselves should know there are several tools on the market that use automation to patch software vulnerabilities in real time.

Automation is one way to close the gap, but we also need to train developers, at the very earliest stage of their education, to bake security into all new code. It’s no longer enough to tack cybersecurity onto projects as an afterthought anymore.

According to several sources, the author of the new ransomware stain appears to have been inspired by last month’s WannaCry outbreak, and added a similar SMB work based on the NSA’s ETERNALBLUE exploit. This has been confirmed by Payload Security, Avira, Emsisoft, Bitdefender, Symantec, and other security researchers. Later during the day, it was also discovered that Petya also used another NSA exploit called ETERNALROMANCE. More on this infection routine in a Kaspersky article here.

Petya’s initial distribution vector was a tainted update for an accounting software package popular in the Ukraine.

Other security measures enterprises can take

Having readily available data backups is the best way to maintain business continuity in the face of an attack. Keeping good, fresh data backups allows enterprises to rebuild systems quickly and inexpensively. In the face of a ransomware attack, there’s no longer a need to pay the ransom because the enterprise already has a recent backup of all the data it needs.

How the industry needs to approach security education to prepare for the future

When we look at the bigger picture and the future of cybersecurity, the issue of education is critical. A recent Cisco report estimates there are 1 million unfilled cybersecurity positions globally. In the U.S., that number is about 100,000. It’s a crisis that directly hurts the ability of companies and governments to curb hacking because there simply isn’t enough available talent to fill those jobs.

How schools and universities can better prepare the next generation to combat future threats to our digital world

Cybersecurity training has not been a priority for the American education system. Universities are inadvertently contributing to the lack of cybersecurity readiness in the U.S. by failing to teach students how to implement security thinking and awareness into all new code design, development and testing. As recently as 2016, only one of the top 121 computer and science information science schools in the country required at least three cybersecurity classes before graduation. At a minimum, cybersecurity training must be a graduation requirement for all computer science programs.

To keep up with the ever-increasing challenges of hackers, though, there is no choice for but to prioritize cybersecurity education for our future.

The post WannaCry and Petya. appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

Distribution methods used by TeslaLocker V3 and other ransomware

Due to the growing popularity of ransomware there is a new sub-class of Trojan horse viruses designed specifically to install the ransomware on affected computers. This is done in order to order to ease up their installation, as well as to avoid any security measures enforced by anti-virus software. In practice the Trojan serves as a backdoor entry point that is also invisible to the defense software. Trojan horse viruses tend to be very well concealed and can be notoriously hard to get rid of, but it is very important to do so. Your PC will not be safe – the Trojan can always download another ransomware virus if it remains on your PC. Finding the Trojan on your own will be next to impossible – you’ll have to download a good anti-malware program to do that. If you don’t already have one you can find our recommendation by clicking on one of the banners on our page.

Of course, it is also possible that the ransomware was installed directly. Ransomware viruses are usually hidden with executable or archive files, which are in turn distributed via spam emails as attachments. They can also be download from torrents and other online storage sites. There are entire sites dedicated to spreading viruses – such fake sites and written with search engine optimization in mind and they can pop-out as a perfect match to any search you make. The code can even generate a file for download that is named exactly like the file you are searching for, but contains nothing but the virus inside.

How to deal with TeslaLocker V3

Now, it is very important to realize that if your files have already been encrypted simply removing TeslaLocker V3 from your system will not restore them. This is also why ransomware viruses are so dangerous. Your files have been encrypted by a sophisticated algorithm that is very hard to crack. There are actually a number of fake/scam programs circulating the internet that promise to decrypt your files. If you happen to see such a program always demand for proof first before paying anything. The reality is that very few ransomwares have been reverse engineered by security companies and for those that have been the information is free.

What can you actually do?

Reversing the encryption process is next to impossible, but that doesn’t mean you have no choice, but to pay – quite the opposite. Paying the ransom demand should be your very last option – only consider it if you have tried everything else and you still have files encrypted that are worth the money.

In our guide below we have outlined two methods that you can use to recover your files. Neither guarantees a 100% success rate, but on the other hand they will in no compromise your encrypted files.

• It is never a good idea to pay the ransom. Remember – you are dealing with cyber criminals and extortionists. Every dollar they get only encourages them to get better at robbing victims like yourself. The criminals are also under no obligations to restore your files – if anything goes wrong or their key doesn’t work you’ll be exactly where you started minus the money wasted.

The post Teslalocker TeslaCrypt help appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

The issue affects computers made by Dell that come with a particular preinstalled customer service program. Through a certificate that would identify the computer to Dell support staff, this program makes the computers vulnerable to intrusions and could allow hackers to access encrypted messages to and from the machines, Dell said. There is also a risk that attackers could attempt to reroute Internet traffic to sites that look genuine but are in fact dangerous imitations.

Dell said that customers should take steps to remove the certificate from their laptops, offering instructions on how to do that manually. It also plans to push a software update to computers to check for the certificate and then remove it.

“Customer security and privacy is a top concern and priority,” the Round Rock, Texas-based company said in a statement. Dell did not respond to a request for more information.

Security researcher Brian Krebs said that the problem affects all new Dell desktops and laptops shipped since August. That would mean a vast number of computers are at risk. In the third quarter, Dell shipped more than 10 million PCs around the world, according to market researcher IDC.

 
The disclosure by Dell is another sign of the dangers that lurk as we check our bank accounts online, go shopping via Amazon and share personal information over Facebook. While big data breaches at retailers affect thousands of people all at once, consumers can also be hit much closer to home through their own laptops and smartphones.

Even as they’ve become attuned to taking security precautions, though, consumers typically don’t have to worry about brand-new technology they’ve just brought home from the store. For sure, some programs that computer manufacturers install can prove irritating or cumbersome. The revelation that one might be genuinely dangerous has the potential to erode trust in the computer in one’s hands and in the company that supplied it.

The post SSL Certificate Issues appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

The Bash Bug vulnerability (CVE-2014-6271)

A new critical vulnerability, remotely exploitable, dubbed “Bash Bug”, is threatening billions of machines all over the world.

The vulnerability was discovered by the security researcher Stephane Chazelas at Akamai firm.

It affects Linux and Unix command-line shell, aka the GNU Bourne Again Shell, and for this reason it is potentially exposing websites, servers, PCs, OS X Macs, various home routers, and many other devices to risk of cyber attacks.

The team Bash stands for the GNU Bourne Again Shell and refers to a Unix shell, which is an interpreter that allows users to send commands on Unix and Linux systems, typically by connecting over SSH or Telnet.

The Bash can also operate as a parser for CGI scripts on a Web server. Stephane explained that the vulnerability has existed for several decades and it is related to the way Bash handles specially-formatted environment variables, namely exported shell functions.

A shell gives both administrators and attackers high privileged access to operating system features, allowing them to run almost any command.

“The potential is enormous – ‘getting shell’ on a box has always been a major win for an attacker because of the control it offers them over the target environment,” said software architect and Microsoft MVP Troy Hunt.

An attacker could dump all data stored on a server, change its settings, or serve malicious code to infect the machine.

“There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines.”

The National Institute of Standards and Technology has assigned the vulnerability the designation CVE-2014-6271, rating the severity of the remotely exploitable vulnerability as a “10″ on its 10-point scale.

The critical Bash Bug vulnerability, also dubbed Shellshock, affects versions GNU Bash versions ranging from 1.14 through 4.3. A threat actor could exploit it to execute shell commands remotely on a targeted machine using specifically crafted variables.

To run an arbitrary code on a system running software which embeds a Bash, it is necessary to assign a function to a variable. Trailing code in the function definition will be executed.

Figure 1 – Shellshock command diagram (Symantec)

“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution,” states the description for the Bush Bug flaw on the NIST National Vulnerability Database, which rated its severity as 10 out of 10.

Every machine having Bash configured as the default system shell could be easily hacked every time an application invokes the Bash shell command (e.g. Mail server) via HTTP or a Common-Gateway Interface (CGI).

The attacker could run arbitrary code on the server just by sending a specially crafted malicious web request by setting headers in a web request, or by setting weird mime types. Searching on the Internet, it is possible to find the source code for cgi-bin reverse shell reported below:

Similar attacks are possible via OpenSSH. “We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell,” Stephane warned. But if an attacker does not have an SSH account, this exploit would not work.

As reported in the advisory published by the NIST, the critical instances where the Bash Bug may be exposed include:

Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells.
Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allow arbitrary command execution capabilities.
Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
Exploit servers and other Unix and Linux devices via Web requests, secure shell, Telnet sessions, or other programs that use Bash to execute scripts.
Billions of servers affected by the Bash Bug flaw

The impact of the Bash Bug vulnerability is widely extended. Bash is commonly used to execute commands on a server, especially those sent by other programs and applications. Security experts are considering the severity of this vulnerability higher than the one assigned to the Heartbleed bug, and the most concerning issue is the low level of complexity needed to run an attack which exploits it.

“The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug,” states Robert Graham on his Blog Errata Security.

“They go on to rate it a “10 out of 10″ for severity or in other words, as bad as it gets. This is compounded by the fact that it’s easy to execute the attack (access complexity is low) and perhaps most significantly, there is no authentication required when exploiting Bash via CGI scripts. The summary above is a little convoluted though so let’s boil it down to the mechanics of the bug,” added the security expert Troy Hunt.

The Bug Bash flaw is particularly dangerous for Internet-of-Things devices like smart meters, routers, web cameras and any other device that runs software, which allows bash scripts. Typically, such software is not easy to fix and are more likely to expose the critical flaw in the Internet.

As said by Graham, “Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”

According the results of a recent survey conducted by the Internet services company Netcraft, the number and types of Web servers being used worldwide is more than 1 billion servers, and that more than half of those are Apache servers which run Linux and thus contain Bash by default.

Threat actors are exploiting the Bash Bug vulnerability in the wild

According to security experts, the Bash Bug vulnerability may already have been exploited in the wild by threat actors to hit Web servers.

Attackers are already targeting the Bash vulnerability, less than 24 hours after the public disclosure of details about the flaw vulnerability. To date, an unknown number of devices may contain the flaw, including millions of stand-alone Web servers, Unix and Mac OS X systems, and numerous other Internet-connected devices.

Malware researchers speculated that the critical flaw may be exploited by attackers which manage botnets to exploit a large number of machines exposed on the Internet.

The list of potential targets is very long and includes home routers, medical equipment, SCADA/ICS devices and many other systems. For this reason, the Bash Bug is considered by security experts more dangerous than the Heartbleed flaw which affected only versions of OpenSSL released over a two-year period. According to the experts, the Bash bug has is a 25 five year old flaw, and also recent versions of Linux machines are potentially as exploitable as outdated servers.

The real problem resides in the low complexity of a Bash Bug based attack, for threat actors it is quite easy to run them against vulnerable servers

Pierluigi Paganini

The post Bash Bug Sheel shock vulnerability Ireland appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

The malicious program encrypted files on Windows computers and demanded a substantial fee before handing over the key to the scrambled files.

Thanks to security experts, an online portal has been created where victims can get the key for free.

The portal was created after security researchers grabbed a copy of Cryptolocker’s database of victims.

“This time we basically got lucky,” said Michael Sandee, principal analyst at Fox-IT – one of the security firms which helped tackle the cyber-crime group behind Cryptolocker.
Cash call

Cryptolocker first appeared in September 2013, since when it has amassed about 500,000 victims.

Those infected were initially presented with a demand for $400 (£327), 400 euros ($535; £317) or an equivalent amount in the virtual Bitcoin currency. Victims had 72 hours to pay up or face the keys that would unlock their files being destroyed.

Analysis of the back-up database indicates that only 1.3% of all the people hit by the malware paid the ransom.

Despite the low response rate, the gang is believed to have netted about $3m from Cryptolocker. Many of those caught out did not pay because they were able to restore files from back-ups.

However, others are believed to have lost huge amounts of important files and business documents to the cyber-thieves.

In late May, law enforcement agencies and security companies seized a worldwide network of hijacked home computers that was being used to spread both Cryptolocker and another strain of malware known as Gameover Zeus.

This concerted action seems to have prompted an attempt by the gang to ensure one copy of their database of victims did not fall into police hands, said Mr Sandee.

What the criminals did not know, he said, was that police forces and security firms were already in control of part of the network and were able to grab the data as it was being sent.
Evgeniy Bogachev Evgeniy Bogachev was believed to be living in Russia, the FBI said

The action also involved the FBI charging a Russian man, Evgeniy Bogachev, aka “lucky12345” and “slavik”, who is accused of being the ring leader of the gang behind Gameover Zeus and Cryptolocker.

The Gameover Zeus family of malware targets people who bank online, and is thought to have racked up millions of victims.

“There’s a bit of guesswork in that figure because some of it was paid in bitcoins and that does not have a fixed exchange rate,” said Mr Sandee.

Now, security firms Fox-IT and FireEye – which aided the effort to shut down the Gameover Zeus group – have created a portal, called Decrypt Cryptolocker, via which any of the 500,000 victims can find out the key to unlock their files.

“All they have to do is submit a file that’s been encrypted from that we can figure out which encryption key was used,” said Greg Day, chief technology officer at FireEye.

Mr Day said people wishing to use the portal should submit a file that did not contain sensitive information to help it verify which key they needed.

The post Cryptolocker help is in hand with Decrypt Cryptolocker Support appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

In case you missed it, BadUSB is malware that hides in the firmware of USB drives. Security researchers Karsten Nohl and Jakob Lell will present their full findings on the software, which they created, next week at the Black Hat USA security conference in Las Vegas.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

Wired wrote that malware of this type could cause an “epidemic.” Nohl told Reuters that BadUSB functioned like a “magic trick.” Publications from ZDNet to VentureBeat predicted apocalyptic consequences for BadUSB.

But take a deep breath, because BadUSB is not likely to open the floodgates to a computing cataclysm — or, at least, not likely to open them any wider.

First things first: BadUSB is a proof-of-concept attack, designed by security researchers. They’re not going to release it into the wild, and most malicious hackers (who lack both the resources and know-ho to design something similar) would rather rely on tried-and-true phishing and malware attacks. These attacks are easy to avoid with a little common sense and even the most rudimentary antivirus software.

Furthermore, demonstrating something like BadUSB at a conference like Black Hat is basically an open invitation for the security community to fix this vulnerability before it becomes widespread. With some of the world’s foremost researchers and hackers on the case, prophylactic and curative measures won’t be too far behind.

Perhaps the most important point is that USB sticks compromising PCs is nothing new; it’s actually the easiest way for malefactors to get ahold of your system. Any public computer is susceptible to sneaky USB-based malware (and, in fact, most hotel computers are just ripe for hacking). Even so, USB hacks are relatively uncommon, compared to online ones.

The reason why is because USB attacks — even sophisticated ones like BadUSB — are extremely easy to prevent. If you own a private computer, you control who has access to it. If you buy a new USB stick, it will not come with any unwanted software. Simply use your judgment when accepting sticks from friends or third parties, and you’re not likely to contract any malware.

Make no mistake: BadUSB is a fantastic proof-of-concept, and lays bare some serious problems with USB stick security. But, like anything else in the world of computing, you can avoid trouble using a little common sense.

Tom’s Guide

The post Don’t Panic Over the Latest USB Flaw appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

In a strongly worded affidavit in support of the technology company embroiled in a landmark legal fight with the US government, Mr McDowell – who is also a practising senrior counsel – argued the disclosure of data is only lawful if signed off by a judge here.

Ireland is required by law to protect data held in the country from foreign law enforcement agencies.

The case being heard by a federal court in New York centres on the prosecution of a drug trafficker. Prosecutors want Microsoft to hand over emails stored in Microsoft’s server in Dublin, without going through existing international treaties. Microsoft has described it as potentially allowing federal agents to break down the door of its Dublin facility.

A federal magistrate had agreed a simple warrant, normally not valid outside US jurisdiction, was enough to force US-headquartered companies to hand over data. The ruling has been challenged by Microsoft and, if upheld, has deep implications, particularly for Ireland with its heavy US corporate footprint.

International treaties
It will essentially allow US law enforcement agencies to easily get information held in other countries without worrying about international treaties. Oral arguments in Micrsoft’s appeal were heard yesterday.

Co-operation with the US seeking information for criminal prosecutions is covered by Irish and European mutual legal assistance treaties and a 2008 criminal justice act. “In the present case, I understand that US law enforcement seeks email content stored in Microsoft’s servers in Dublin, Ireland,” Mr McDowell wrote in a four-page statement.

“The aforementioned treaties and procedures were designed to apply under precisely these circumstances. The US government should therefore obtain the evidence it seeks through the MLA treaties,” he said.

The treaties and act are “highly effective”; Ireland rarely turns down requests. However, the prosecutors in the case argue using the treaties would be too “cumbersome.”

Echoing privacy activists in the US, Mr McDowell said this argument was in part about Ireland’s sovereignty. Leading US privacy advocates, the Electronic Frontier Foundation said Ireland’s sovereignty risks being “trampled on.”

Ireland’s data protection acts “highlights its sovereign interest guarding against foreign law enforcement activities within its borders by any means other than the applicable MLA treaties,” said Mr McDowell, who was asked by Microsoft to file the affidavit in support of its appeal.

Any disclosure of data held in Ireland “is only lawful where such disclosure is required or mandated by reference to Irish law and subject to the jurisdiction and control of the Irish court,”

The US Department of Justice argues overseas records held by US-based companies must be disclosed if when a valid “warrant compels their production”.

Source:Irish Times

The post Microsoft fights US request for Irish-held data appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

The bookmaker announced on its website yesterday that it has been working with Canadian police after a tip in May of this year and discovered the historical breach consisting of “individual customer’s name, username, address, email address, phone contact number, date of birth and prompted question and answer”.

However, it assured punters, “Customers’ financial information such as credit or debit card details has not been compromised and is not at risk. Account passwords have also not been compromised.

“Paddy Power’s account monitoring has not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way.”

Paddy Power MD of Online Peter O’Donovan told customers, “Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats.

“This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”

Commenting on the leak, Troy Gill, security analyst at Appriver explained, “There is no need for panic here since no financial or password info has actually been exposed.

“It might be a good idea for Paddy Power to reset the few things that can be changed for these customers such as question and response specifics and username. Of course these events at the very least serve as a great reminder to keep up good security practices – utilizing different passwords for each account – even if they are a minor inconvenience now, they could potentially save you a major inconvenience down the road.

“However, according to the disclosure from Paddy Power they do not believe that the passwords were ever stolen/exposed.”

The company put the number of people affected by the breach at 649,055, all of whom it said are being contacted. The company is also advising users to monitor other websites at which they have used the same credentials.

Paddy Power is the latest in a long line of consumer facing organisations to suffer security breaches in recent months, with eBay advising its customers to update passwords earlier this year, and the flaw found in Oauth and OpenID credentials, hot on the heels of the Heartbleed OpenSSL flaw, which caused panic when it was discovered in May.

By: Chris Merriman

The post IRISH ONLINE BOOKMAKER has revealed that it was the victim of a data breach in 2010 appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

Make sure you’ve got the right SMTP settings. Most Irish ISPs block outbound Port 25 connections.

Below is a list of smtp settings for the majority of ISP’s in Ireland:

Smart Telecom Outgoing SMTP Server
smtp.mysmart.ie

Irish Broadband Outgoing SMTP Server
smtp.irishbroadband.ie.

Eircom Outgoing SMTP Server
mail1.eircom.net OR mail2.eircom.net

Magnet Outgoing SMTP Server
smtp.magnet.ie

NTL and UPC Outgoing SMTP Server
smtp.upcmail.ie

Vodafone Outgoing SMTP Server
mail.vodafone.ie

O2 Outgoing SMTP Server
smtp.o2.ie

Clearwire Outgoing SMTP Server
smtp.clearwire.ie / mail.clearwire.ie

Digiweb Outgoing SMTP Server
smtp.digiweb.ie

Imagine Broadband Outgoing SMTP Server
mail.imagine.ie OR mail.gaelic.ie

Perlico Outgoing SMTP Server
mail.perlico.ie

3 Outgoing SMTP Server: Mobile broadband with 3 mobile Ireland
mail-relay.3ireland.ie

Gmail Outgoing SMTP Server
smtp.gmail.com (use authentication)
Use Authentication: Yes
Port for TLS/STARTTLS: 587
Port for SSL: 465

The post Irish SMTP Settings appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.

Now, Microsoft has once again reversed course, indicating that they will in fact provide anti-malware support to Windows XP, Microsoft’s ancient but still-popular operating system, past the initial April 8, 2014 end of extended support deadline. Now, Microsoft will make anti-malware updates available through July 14, 2015, which they announced via an official blog post.

However, in the blog post, Microsoft gave a bit of a wink wink nudge nudge by mentioning that adopting “modern software” is a great way to help your system stay secure. Translation: Buy Windows 8! Here’s what Microsoft had to say.

“Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.”

Microsoft was possibly moved to continue providing anti-malware updates to Windows XP due to the fact that it still widely in use, despite its age, hovering close to 30 percent as of December.

What do you think of Microsoft offering anti-malware support for Windows XP until the middle of 2015?

The post Microsoft Blinked Windows XP extended Malware protection. appeared first on Orbit IT Support Services Dublin, Ireland, Dublin City Centre.