Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin

Orvis, a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. Orvis says the exposure was inadvertent, and that many of the credentials were already expired.

Zero Trust strategy—what good looks like

Zero Trust has managed to both inspire and confuse the cybersecurity industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy (and arguably the first formal strategy, as I recently heard Dr. Chase Cunningham, Principal Analyst at Forrester, aptly point out).

DDoS attacks in Q3 2019

News overview

This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently registered an attack on one of their clients that was carried out by spoofing the return IP address through the WS-Discovery multicast protocol. According to other security researchers, cybercriminals started using this method only recently, but have already achieved an attack capacity of up to 350 Gbps. The WSD protocol has limited scope and is not generally intended for connecting machines to the Internet; rather, devices use it to automatically discover each other on LANs. However, it is fairly common for WSD to be used not entirely for its intended purpose in a variety of equipment — from IP cameras to network printers (about 630,000 such devices are currently hooked up to the Internet). Given the recent rise in the number of WSD-based attacks, owners of such devices are advised to block UDP port 3702, which is used by this protocol, on the server, and to take a number of additional steps to protect their routers.

Leashing Cerberus

Overview

Cerberus is an Android banking trojan first reported on by ThreatFabric in June 2019 that may have been active since at least 2017. The malware is for sale on a Russian hacking forum called xss[.]is, where the actors behind its development are selling licenses for the service for $4000 – $12000. This new malware-as-a-service may have filled the void for actors who require Android malware rental services like Anubis and Red Alert, which have ceased to exist. ThreatFabric analysts point out that the malware activates when victims move around, triggering the accelerometer inside the device. Cerberus lies dormant until the pedometer (measuring step count) reaches a certain number of steps. It also alters the lure depending on the Android package name, capturing banking details or mail credentials. Cerberus does not share code with Anubis or other Android banking trojans and appears to have been newly written[1].

Twitter drafts a deepfake policy that would label and warn, but not always remove, manipulated media

Twitter last month said it was introducing a new policy to help fight deepfakes and other “manipulated media” that involve photos, videos or audio that’s been significantly altered to change its original meaning or purpose, or those that make it seem like something happened that actually did not. Today, Twitter is sharing a draft of its new policy and opening it up for public input before it goes live.

Announcing the osquery@scale Conference

Osquery has become a popular tool for endpoint-based security analytics. The user community is thriving and vibrant, as reflected in the GitHub security showcase and osquery Slack channel activity. Many organizations, large and small, are using it for a wide variety of use cases. There are anecdotal references to organizations such as Facebook, Google and others using it at very large scale to get security visibility.

Beware of fleeceware

Remember how Pulp Fiction hitman Vincent Vega wanted to try a milkshake simply because it cost a whopping $5? That’s a completely normal reaction — many people automatically associate high price with some extraordinary quality. So, if they can sample an expensive product free, even those who don’t plan to buy are interested. Some smartphone app developers take advantage of this human trait.

Deepfake Videos: When good tech goes bad

By Ben Lorica, Chief Data Scientist at O’Reilly

More than a decade ago, leading UK investigative journalist Nick Davies published Flat Earth News, an exposé of how the mass media had abdicated its responsibility to the truth. Newsroom pressure to publish more stories, faster than their competitors, had, Davies argued, led to journalists becoming mere “churnalists”, rushing out articles so fast that they could never check on the truth of what they were reporting.

Phishing attacks are increasingly sophisticated: here’s how to stay safe

The days of crude phishing attacks, which anyone with a little common sense could avoid falling victim to, are a thing of the past. Today’s cybercriminals are savvier than their predecessors, capable of producing spoof emails and websites convincing enough to fool even the most educated eye. While it’s easy to feel helpless in the wake of these advances, there are still steps that ordinary internet and email users can take to avoid falling victim to phishing attacks.

CFOs Getting More Involved in Cyber Security Strategies

CISOs, CSOs, and CIOs are not the only C-level executives with a deep concern about cyber security. New research shows that CFOs appear to be taking a more active role in ensuring that their organizations are protected against data breaches, hacks, malware, and other threats.

Just in time for Veterans Day, Donald Trump Jr compares himself to dead soldiers in his new book

I know the Trumps and their cronies are all a bunch of asshole con artists. I know they get off on saying egregious things for the lulz, as long as they can still turn a profit. I know that they have mastered the art of playing the victim card in order to turn said profits, deliberately framing the world in a hyper-partisan “Us-vs-the-Other” way that is nauseating and divisive and god dammit, still actually working for them.

Heart Attack Mortality increased due to Hospital Cyberattacks

Breach remediation processes adversely impact timeliness in patient care and outcomes, a new study finds. Ransomware attacks and data breaches targeting hospitals may cause a higher mortality rate among heart patients in the months and years after an incident, Vanderbilt University researchers report, as breach remediation time interferes with patient care and outcomes.