California adds biometric specs to data breach law

California is changing its Information Practices Act of 1977 to expand the definition of personal information with additional identifiers, including biometric data of those affected. The amendment comes with new instructions on how to notify parties affected by a breach.

Phishing e-mail spoofing SPF-enabled domain, (Thu, Oct 17th)

On Monday, I found what looked like a run-of-the-mill phishing e-mail in my malware quarantine. The “hook” it used was quite a common one – it was a fake DHL delivery notification inserted as an image into the body of the e-mail in an attempt to make the user open its attachments.

There were two attachments (see hashes below). The first was an RTF file masquerading as a Word document (“SHIPPING DOCUMENT..doc”), which tried to exploit the famous CVE-2017-11882 vulnerability in the Equation Editor used by Microsoft Office[1]. The second was an ACE archive (“INVOICE & AWB..ace”) containing a malicious executable (“mk.exe”). Although the executable was kind of interesting – it was an info stealer using a Delphi packer[2] – the phishing turned out to be notable for a different reason. The spoofed sender domain had a Sender Policy Framework (SPF)[3,4] record set.
That, by itself, might not be that surprising – contrary to popular belief, setting an SPF record for a domain doesn’t mean that it will be impossible to use the domain in spoofed e-mail messages. Basically, SPF checks themselves cover only the “MAIL FROM” address (i.e. whether the sending server may send e-mails for the domain used in the “MAIL FROM” address) but don’t deal with the contents of the “From” field in the e-mail header. This means that the following spoofing attempt will fail, provided that an SPF record for the “sender.tld” domain is correctly set.

    HELO sender.tld
    MAIL FROM:<sender@sender.tld>
    RCPT TO:<receiver@receiver.tld>
    DATA
    From: "Sender" <sender@sender.tld>
    To: "Receiver" <receiver@receiver.tld>
    Date: Thu, 17 October 2019 10:15:00 +0100
    Subject: Phishing?
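As an added example (not the diary author's code), the check described above carried through in Python: a minimal SPF evaluator that only looks at the MAIL FROM domain, beside the DMARC-style alignment check between MAIL FROM and the header From that SPF alone never performs. The SPF records for sender.tld and the hypothetical attacker.example domain are constructed, and alignment is simplified (no Public Suffix List).

```python
import ipaddress

# Constructed SPF records for the example domains (not real DNS data).
SPF_RECORDS = {
    "sender.tld": "v=spf1 ip4:192.0.2.0/24 -all",
    "attacker.example": "v=spf1 ip4:198.51.100.7 -all",  # hypothetical attacker-controlled domain
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(address):
    """Domain part of 'Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()

def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Minimal SPF check on the MAIL FROM domain only: ip4/ip6/all mechanisms,
    no include, a, mx or redirect. Returns an SPF result string."""
    record = records.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def aligned(mail_from_domain, header_from_domain, relaxed=True):
    """DMARC-style identifier alignment, simplified: without a Public Suffix List,
    relaxed mode just accepts one domain being a subdomain of the other."""
    if mail_from_domain == header_from_domain:
        return True
    return relaxed and (mail_from_domain.endswith("." + header_from_domain)
                        or header_from_domain.endswith("." + mail_from_domain))

def evaluate(client_ip, mail_from, header_from):
    """SPF verdict on MAIL FROM plus the alignment check that ties it to the header From."""
    mf_dom, hf_dom = domain_of(mail_from), domain_of(header_from)
    spf = check_spf(client_ip, mf_dom)
    align = aligned(mf_dom, hf_dom)
    # Under DMARC, SPF only counts as a pass when the authenticated domain aligns.
    return {"spf": spf, "aligned": align, "dmarc_spf_pass": spf == "pass" and align}
```

The session quoted above, sent from an address outside sender.tld's SPF range, fails SPF; a message whose MAIL FROM uses a domain the sending host is authorized for but whose header From still says sender.tld passes SPF and is caught only by the alignment check.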

Webinar: Hacking Humans

Join Some of the World’s Most Interesting Human Hackers!

The Human Hacking Conference, presented by the creators of DEF CON’s Social Engineering Village, brings together the leading experts in all facets of hacking humans including deception, body language analysis, cognitive agility, intelligence research, and security best practices. Join social engineering pioneer and legend Chris Hadnagy, international actress and renowned communications expert Stephanie Paul, and acclaimed ‘Inc. Magazine’ top influencer and leadership guru Dov Baron, as they share a sneak peek into their highly sought workshops at The Human Hacking Conference. Learn something new about hacking thoughts, actions, and the people around you—plus, what a career in social engineering REALLY looks like—in this FREE EH-Net Live! webinar on Tues Oct 29, 2019 at 1:00 PM US Eastern. Join us live to receive certificates for easy submission of CPEs!

Trump Rages at Pelosi, Mattis, and Communists During ‘Meltdown’ in White House Meeting

President Donald Trump invited Democratic Party leaders to the White House on Wednesday and proceeded to have what those leaders described as a “meltdown” in front of them. Before the lawmakers left early, Trump managed to rail against communists, his own former Secretary of Defense James Mattis, and House speaker Nancy Pelosi, whom he called “a third-rate politician,” according to the Democratic leaders and sources’ descriptions of the meeting.

Cryptominers & Backdoors Found in Fake Plugins

When cleaning websites, we regularly find phishing pages, malicious code injected into files, and SEO spam. However, over the past couple of months we’ve also noticed a considerable increase in the number of malicious plugins which have been added to compromised websites as well.

These plugins appear to be legitimate, but inspecting the code reveals that the plugin is not an innocent plugin at all. The fake plugins are actually part of the attack—and in most cases used as a backdoor for the attacker to maintain access to the compromised website environment, even after the initial infection vector has been cleaned up.

Earlier this year, I wrote about another incident concerning a malicious plugin that was encrypting WordPress posts, but in that case the plugin was more of a tool to access the posts and encrypt them—not a backdoor as documented below.

Fake “wpframework” Plugin Installed on Hacked Sites

We recently discovered a number of compromised websites containing a plugin called “wpframework”. This plugin is being planted by bad actors to gain and maintain unauthorized access to the site environment.

The malicious file includes the following information in its header:

    /*
    Plugin Name: WordPress Framework
    Plugin URI: http://wordpress.org/#
    Description: WordPress Framework
    Author: wordpress.org
    Version: 1.0
    Author URI: http://wordpress.org
    */
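As an added example (not Sucuri's code), a small reader for the WordPress plugin header format together with heuristics derived from the header quoted above, of the kind a site clean-up script could run over wp-content/plugins. The plugin sources are constructed: the first mirrors the wpframework header, the benign “Example Contact Form” plugin is hypothetical.

```python
import re

# Constructed sample modelled on the fake wpframework header quoted above.
FAKE_PLUGIN = """<?php
/*
Plugin Name: WordPress Framework
Plugin URI: http://wordpress.org/#
Description: WordPress Framework
Author: wordpress.org
Version: 1.0
Author URI: http://wordpress.org
*/
"""

# Constructed benign header for contrast (hypothetical plugin).
BENIGN_PLUGIN = """<?php
/*
Plugin Name: Example Contact Form
Plugin URI: https://example.com/contact-form
Author: Example Dev
Author URI: https://example.com
Version: 2.3.1
*/
"""

HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Description", "Author", "Version", "Author URI")

def parse_plugin_header(source):
    """Collect 'Field: value' lines from the first /* ... */ block, the way
    WordPress itself discovers plugin metadata in a plugin's main file."""
    m = re.search(r"/\*(.*?)\*/", source, re.S)
    if not m:
        return {}
    header = {}
    for line in m.group(1).splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip() in HEADER_FIELDS:
            header[field.strip()] = value.strip()
    return header

def suspicious_header_reasons(header):
    """Heuristics (assumptions drawn from the wpframework sample, not a WordPress rule)."""
    reasons = []
    if "wordpress.org" in header.get("Author", "").lower():
        reasons.append("author field claims to be wordpress.org")
    if header.get("Plugin URI", "").endswith("#"):
        reasons.append("plugin URI is a placeholder ending in '#'")
    if header.get("Plugin Name", "").lower().replace(" ", "") in ("wordpressframework", "wpframework"):
        reasons.append("plugin name matches the fake 'wpframework' plugin")
    return reasons
```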

Giuliani Pushed Trump to Deport Cleric Sought by Turkey, Ex-White House Officials Said

Rudy Giuliani, the president’s personal lawyer, repeatedly urged President Donald Trump to arrange for the deportation of a Turkish cleric, Fethullah Gulen, calling him a violent extremist who needed to face justice in Turkey, former White House officials said Tuesday.

Turkey has requested that the United States hand over Gulen, a permanent U.S. resident living in self-imposed exile in Pennsylvania, to be tried on charges that he instigated a failed coup in Turkey in 2016.