Tag Archives: DNS

Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints about possible data breaches in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations.

Many of the complaints were related to email marketing, telemarketing and video surveillance.  Source: Bleeping Computer.


1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019, many major DNS resolver vendors are going to release upgrades that will stop supporting many DNS band-aids that have been implemented over the years to allow non-compliant DNS software to work – albeit slowly.  Major DNS providers such as Google, Cisco, Quad 9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your DNS vendor does not operate a fully 1987 or 1999 compliant DNS service, your web site will go dark to users of these major DNS resolvers.

You can test your DNS service provider by going to www.DNSFlagDay.Net and entering your domain name.  If it passes then there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay.
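What the flag-day check is actually probing is whether an authoritative server handles a query that carries an EDNS0 OPT record (RFC 2671, the 1999 standard) on top of the base RFC 1035 wire format (the 1987 standard). A compliant server echoes an OPT record in its reply; a non-compliant one drops the query, answers FORMERR, or silently ignores the OPT. The following is an added example, not code from the post or from the DNS Flag Day project: it builds such a query, classifies a reply, and includes a `make_response` helper that fabricates replies so the classifier can be exercised offline. All server addresses, names and replies in it are constructed.

```python
import socket
import struct
from typing import Optional

# Added example, not from the original post. Builds an RFC 1035 query with an
# RFC 2671 EDNS0 OPT record and classifies a reply the way a DNS Flag Day
# style check does. Replies produced by make_response() are constructed.

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 2671)
RCODE_FORMERR = 1      # "format error": a server that rejects EDNS answers this


def _encode_name(qname: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, null-terminated)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name at offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def build_query(qname: str, qtype: int = 1, edns: bool = True, txid: int = 0x1234) -> bytes:
    """Standard query; with edns=True an OPT record is appended in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    packet = header + question
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended rcode/version/flags, empty RDATA
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return packet


def classify_response(query: bytes, response: Optional[bytes]) -> str:
    """Judge an authoritative server's reply to an EDNS query."""
    if response is None:
        return "non-compliant: no response (EDNS query dropped)"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "invalid: transaction id mismatch"
    if (flags & 0x000F) == RCODE_FORMERR:
        return "non-compliant: FORMERR on EDNS query"
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        off = _skip_name(response, off) + 4
    saw_opt = False
    for _ in range(an + ns + ar):           # walk answer, authority and additional RRs
        off = _skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        saw_opt = saw_opt or rtype == OPT_TYPE
    if not saw_opt:
        return "non-compliant: OPT record ignored"
    return "compliant"


def make_response(query: bytes, rcode: int = 0, include_opt: bool = True,
                  answer_ip: str = "192.0.2.1") -> bytes:
    """Construct a reply to `query` for offline testing (no real server involved)."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = _skip_name(query, 12) + 4
    body = query[12:qend]                   # echo the question section
    ancount = 0
    if rcode == 0:
        # one A record whose owner name is a pointer (0xC00C) back to the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    if include_opt:
        body += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 1 if include_opt else 0)
    return header + body


def probe(server_ip: str, qname: str, timeout: float = 3.0) -> str:
    """Send one EDNS query over UDP to an authoritative server and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_response(query, reply)


if __name__ == "__main__":
    q = build_query("example.com")
    print(classify_response(q, make_response(q)))
    print(classify_response(q, make_response(q, rcode=RCODE_FORMERR, include_opt=False)))
```

`probe()` is what you would point at each of your own zone's authoritative name servers; a "non-compliant" verdict is the condition the post says will make the domain unreachable through the big resolvers. The real flag-day test also covers truncated and oversized replies, so treat this as the minimum check, not a replacement for the site.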


Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Protection Act was passed, says that he believes that the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned – it doesn’t mean that they won’t try. Source: The Recorder.


Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that The Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that they created in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were being targeted by a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to try to create disinformation whenever it serves their interests.  Source: NBC.


FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have gotten the U.S. courts approval to infiltrate a North Korean botnet to create a map of Americans whose computers are infected.

While the malware is very old and can be detected by antivirus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source: Ars Technica.


DHS Issues Emergency Directive 19-01 (DNS)

Homeland Security’s newly named agency – the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to executive branch agencies – many of which have personnel on furlough – regarding a DNS hijacking issue.

The issue is not limited to agencies and every company and private individual that owns one or more Internet domains should take immediate action.

CERT’s alert is based, in part, on FireEye’s report issued last week of a coordinated campaign run by state sponsored hackers, possibly out of Iran, to hijack agency, business and consumer Internet domain names.

Using very traditional phishing techniques, the attackers steal credentials to log in to the user’s account at domain registrars around the world.  Once they have access to the user’s domain administration pages, they can redirect web site visitors and email to their servers, using this to steal credentials from web site visitors and email recipients.

The hackers redirect the users to the legitimate web site after stealing their credentials.

DHS is giving agencies, many of which have very limited staff due to the shutdown, 10 business days to complete an action plan.

There are no consequences if an agency blows off DHS, which many do on a normal day.  Under the current circumstances, likely even more will do so.  This means, of course, that you should consider any government server suspect, especially if it asks you for a userid and password.

DHS admits that at least 6 agencies have had their DNS records hijacked.  Likely there are more, some of which do not know that they have been hijacked, for a variety of reasons.

If you are not a government agency (or even if you are), here are some things that you should do:

  • Implement multi-factor authentication on any domain registrar accounts that can control DNS or web site settings.  Examples of big domain registrars are GoDaddy, Wix, HostGator, 1&1 IONOS, Network Solutions and others.
  • Verify that existing DNS records for domains and sub-domains have not been altered for any resources.
  • Search for SSL/TLS certificates which may have been issued by registrars but not requested by an authorized person.  These certificates would allow an attacker to masquerade as a legitimate version of the web site and steal visitors' credentials or install malware on visitors' computers and phones.
  • Conduct an investigation to assess if attackers gained access to your environment.
  • Validate the source IPs in OWA/Exchange logs.
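The second item on that list, checking that DNS records have not been altered, only works if you have a known-good copy to compare against. The following is an added example, not code from the post, DHS or CISA: it keeps a baseline of the records you care about (NS, MX, and the A records for web and mail hosts), compares it with what a fresh lookup returns, and reports every addition, removal and change. The zone `example.test` and the addresses in it are constructed; the "observed" set is built to look like the redirection the post describes, with web and mail pointed at an address the organisation does not own.

```python
import socket
from typing import Dict, List, Set, Tuple

# Added example, not from the original post or from DHS/CISA. Compares a
# saved baseline of DNS records against what is currently observed and
# reports every addition, removal or change. All names and addresses are
# constructed (example.test, 192.0.2.x, 203.0.113.x).

Records = Dict[Tuple[str, str], Set[str]]   # (owner name, record type) -> set of values

# Baseline captured when the zone was known-good (constructed).
BASELINE: Records = {
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("www.example.test", "A"): {"192.0.2.10"},
    ("mail.example.test", "A"): {"192.0.2.25"},
}

# What a fresh query returns today (constructed to look like a hijack:
# web and mail now resolve to an address outside the organisation, and a
# new webmail host has appeared that nobody created).
OBSERVED: Records = {
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("www.example.test", "A"): {"203.0.113.7"},
    ("mail.example.test", "A"): {"203.0.113.7"},
    ("webmail.example.test", "A"): {"203.0.113.7"},
}


def diff_records(baseline: Records, observed: Records) -> List[dict]:
    """Return one finding per (name, type) whose value set differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        before = baseline.get(key, set())
        after = observed.get(key, set())
        if before == after:
            continue
        name, rtype = key
        if not before:
            kind = "added"        # a record that was never in the baseline
        elif not after:
            kind = "missing"      # a baseline record that has disappeared
        else:
            kind = "changed"      # same record, different value(s)
        findings.append({"name": name, "type": rtype, "kind": kind,
                         "expected": sorted(before), "actual": sorted(after)})
    return findings


def observe_a_records(names) -> Records:
    """Fetch current A records with the system resolver (needs network; not used by the demo)."""
    out: Records = {}
    for name in names:
        addrs = {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
        out[(name, "A")] = addrs
    return out


def report(findings: List[dict]) -> None:
    for f in findings:
        print(f"{f['kind']:8} {f['type']:3} {f['name']}: "
              f"expected {f['expected']} got {f['actual']}")


if __name__ == "__main__":
    report(diff_records(BASELINE, OBSERVED))
```

In practice the baseline is exported from the registrar or DNS provider while you know it is clean and stored somewhere the registrar account cannot touch; the comparison is then run on a schedule, ideally against the authoritative servers directly so that a poisoned local resolver cannot hide a change. `observe_a_records` only covers A records through the system resolver; NS and MX need a DNS library or `dig`, which this example deliberately leaves out.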


Information for this post came from ZDNet and the US Computer Emergency Response Team at Carnegie Mellon.


Phishing? Pharming? Don’t these guys know how to spell?

Network World wrote about an interesting attack that is – at least in this case – very simple to fix.

First, what is pharming?  When you go to your browser and type in www.foo.com, you are trusting the browser to actually send you to foo.com.  What if it really sent you to badfoo.com?  Badfoo.com is designed to look very much like foo.com, except maybe it loads malware on your computer or captures your userid and password to your banking site.

In this particular attack, the attacker sent out a bunch of emails that were a phishing attack.  If the user clicked on the link, it directed the user to a site that compromised their home Internet router.  From that point, the malware tries the default userid and password for the router and if the user has not changed the password, the malware is able to make changes to the configuration of the router.  Specifically, it changes the setting for what is called the DNS server.  The DNS server is that part of the internet that converts the web site that you put in your browser into the numbers that the Internet actually understands.

For example, if I type in WWW.WELLSFARGO.COM, what my browser needs to know is that the address for that web site is 159.45.170.42.  The DNS server does this translation.

What the malware does, in this case, is change the DNS server from your Internet provider’s server to one controlled by the hacker.  Now, if the hacker wants to create his own web site for Wells Fargo, he can, and your browser will happily send you there.  This address translation affects your email and most every other form of internet traffic.

The hacker could achieve the same result by hacking your Internet provider’s DNS servers, but that is likely well protected, while your home router is not.  In addition, your Internet provider will eventually detect that their DNS server has been hacked while you likely will never detect that your home router has been attacked.

Being able to change your DNS server address is joyful for the hacker and really sad for you.

This particular attack is based on two things.  First, a bug in your home internet router that has not been patched and second, the fact that 99 percent of the planet does not change the default password that comes with the router.

All you need to do in order to thwart this – and a whole bunch of other – attacks is change the default password.  While this won’t make you younger, better looking or richer, this simple change will help keep the bad guys out.

Changing the password also applies to any other Internet connected device that you have in your home – TV, refrigerator, washer.  It is amazing what is connected to the Internet these days.  All of those smart devices are connected to the same network as your laptop or your nanny cam that is watching your baby.  Hack your refrigerator and they have a toehold to the rest of your network.  That is EXACTLY how the Target and Home Depot attacks started.  Seriously.  So, if you have not changed the password of all Internet connected devices since they came out of the box, I recommend you do so now.

Mitch
