All posts in “hacking”

A new ransomware is sweeping the globe, but there’s a vaccine

“I wonder if this is what Edward Jenner felt like.”


It’s a familiar story: You boot up your computer only to find a mysterious message saying your files are encrypted. You soon realize that your data is likely gone for good — even if you fork over a cryptocurrency ransom payment. 

But this time around, as a new and virulent form of ransomware dubbed NotPetya sweeps the globe, it doesn’t have to be this way. 

Because this time around, there’s a vaccine. 

What is NotPetya?

The first symptoms of the attack appeared on June 27 in Ukraine, with the National Bank of Ukraine and the Kiev International Airport both hit hard. Even Chernobyl’s radiation monitoring system has reportedly been affected. But NotPetya, which targets the Windows operating system, didn’t stay there. Microsoft has confirmed infections in 64 countries.

The ransomware, so called because it demands a payment from users in exchange for decrypting their files, appears to reuse some code from an earlier ransomware known as Petya. However, this latest version looks to have been souped up with the allegedly stolen NSA exploit EternalBlue, the same exploit that drove the spread of WannaCry, and differs enough from the original that security researchers have taken to calling it “NotPetya.”

According to the security firm Symantec, NotPetya is particularly nasty because instead of just encrypting individual files, it overwrites the computer’s master boot record and encrypts the disk’s file table, so the machine no longer boots into Windows at all.

The NotPetya ransom screen. Image: Symantec

Once a system is infected, a message is displayed demanding $300 worth of Bitcoin in exchange for a decryption key. However, the email address victims are told to use to confirm payment has been shut down by its provider, so there is little to no chance a decryption key will be provided even if a victim pays.

Essentially, those hit by NotPetya can kiss their data goodbye. 

The vaccine

But the situation isn’t hopeless. Those who either don’t want to or simply can’t afford to turn off their computer and wait for this all to blow over have a weapon in the battle against this attack. And, thankfully, it’s a pretty simple home remedy. 

A security researcher by the name of Amit Serper appears to have found a way to prevent the ransomware from running on vulnerable computers with just a few easy steps.

His observation, which has since been confirmed by other researchers, is that NotPetya looks for a specific file on a computer before encrypting the computer’s contents. If that file is present, the ransomware won’t proceed. Note that, unlike the domain-based kill switch that halted WannaCry, this check is local: the file protects only the machine it is created on, so it has to be created on every computer you want to protect.

So all concerned users have to do is create a file by that name, and then NotPetya won’t run. To do this, head to the C:\Windows folder (which requires administrator rights) and make a read-only file by the name of “perfc.” Importantly, this should not have a file extension. Bleeping Computer has a great step-by-step guide for those looking for detailed instructions.

An added dose of security, which everyone should have done by now but clearly hasn’t, is to install Windows security updates. The EternalBlue exploit used by NotPetya, which relies on a Server Message Block (SMB) vulnerability, was patched back in March in Microsoft’s MS17-010 update.
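The two steps above, carried out from an elevated PowerShell prompt, as an added example written for this page (it is not Serper’s or Bleeping Computer’s own script). It creates the extensionless perfc file and marks it read-only, and then checks whether SMBv1, the protocol EternalBlue abuses, is still enabled. The two extra file names (perfc.dat, perfc.dll) and the registry fallback for older Windows are this example’s own additions, not something the article describes; the assumption is that you run it as Administrator on the machine you want to protect.

```powershell
# Added example for this page, not the original researchers' script.
# Assumes an elevated (Administrator) PowerShell session on the machine
# being protected; writing into C:\Windows fails without it.
#Requires -RunAsAdministrator

$windir = $env:SystemRoot   # normally C:\Windows

# Serper's finding keys on the extensionless "perfc". The other two names
# are defensive extras (this example's assumption) in case a variant checks
# for them instead; empty files cost nothing.
$names = @('perfc', 'perfc.dat', 'perfc.dll')

foreach ($name in $names) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # No -Force: an existing file is never overwritten.
        New-Item -ItemType File -Path $path | Out-Null
        Write-Host "created  $path"
    } else {
        Write-Host "exists   $path"
    }
    # Read-only so that a stray cleanup (or the malware) cannot simply delete it.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verify: every file must exist, be zero-length and carry the ReadOnly attribute.
Get-Item -LiteralPath ($names | ForEach-Object { Join-Path $windir $_ }) |
    Select-Object Name, Length, IsReadOnly, Attributes

# Second dose: EternalBlue needs SMBv1. MS17-010 is the fix, but its KB number
# differs per Windows version, so rather than guess a KB this checks whether the
# SMBv1 server is enabled at all. Get-SmbServerConfiguration exists on
# Windows 8 / Server 2012 and later; on Windows 7 fall back to the registry value
# Microsoft documents for disabling SMB1 (SMB1 = 0 under LanmanServer\Parameters).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    # An absent value means SMB1 is enabled (the default on older Windows).
    $smb1 = ($null -eq $reg.SMB1) -or ($reg.SMB1 -ne 0)
}

if ($smb1) {
    Write-Warning 'SMBv1 is still enabled: install MS17-010 via Windows Update and consider disabling SMBv1.'
} else {
    Write-Host 'SMBv1 is disabled.'
}
```

Run it once per machine; the verification table should show a Length of 0 and IsReadOnly of True for each file. The SMBv1 check is a proxy for exposure, not proof that MS17-010 is installed, so still confirm the update through Windows Update.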

Both keeping your Windows OS up to date with security patches and creating the perfc file as explained by Serper should be enough to vaccinate otherwise healthy computers against NotPetya. The patch closes the SMB route the worm uses to reach a machine; the file stops the encryption routine from running if the worm arrives by some other path. While that doesn’t help the National Bank of Ukraine this time around, it may be enough to save you.

As for the next wave of ransomware? While predicting what’s coming down the pike is a difficult if not impossible task, you can still take precautionary steps: Make sure your system is up to date, and be skeptical of any and all emails and links. 


UK’s largest warship hits the seas with massive security worry: Windows XP


The largest aircraft carrier ever built by the UK’s Royal Navy, the HMS Queen Elizabeth, may be hitting the seas with ancient software: Windows XP.

At least that’s the claim from the Guardian and the Times of the UK. During a tour of the massive ship, reporters say they saw computer screens on board running Windows XP, an operating system first released in 2001. That claim is setting off alarm bells for many given the recent WannaCry attack on the UK’s National Health Service, which spread largely because unpatched and out-of-support systems were in use across the hospital network.

The apparent revelation is even more surprising considering the whopping $4.5 billion cost of the ship. Construction of the ship began back in 2009, but the ship just made its first public test trip on Monday. 


And while fears of the UK’s most powerful aircraft carrier being vulnerable to attack may be gripping some who are still reeling from the hack attacks earlier this year, Royal Navy officials don’t appear to be concerned. 

“The ship is well designed and there has been a very, very stringent procurement train that has ensured we are less susceptible to cyber than most,” Mark Deller, commander air on the Queen Elizabeth, told the Guardian.

“When you buy a ship, you don’t buy it today, you bought it 20 years ago. So what we put on the shelf and in the spec is probably what was good then. The reality is, we are always designed with spare capacity, so we will always have the ability to modify and upgrade. So whatever you see in the pictures, I think you will probably find we will be upgrading to whatever we want to have in due course. It might have already happened but I can’t tell you.”

Commanding Officer Captain Jerry Kyd onboard the HMS Queen Elizabeth Aircraft Carrier at Rosyth Dockyard on June 21, 2017. Image: Jeff J Mitchell/Getty Images

The good news is that any fears regarding the HMS Queen Elizabeth and WannaCry can be put to rest, provided the out-of-band patch Microsoft released for Windows XP back in May has actually been applied. Nevertheless, XP has been out of mainstream support since 2014, so if the enormous ship does hit the seas running it, it’s difficult not to imagine that some new threat targeting the outdated operating system might crop up, with no patch to follow.

The Royal Navy plans to put the HMS Queen Elizabeth into full operation by the end of this year. 


Nearly 200 million voters exposed in GOP data leak, proving all political parties are susceptible to being hacked


Records on registered U.S. voters stretching back more than a decade have been exposed in what’s believed to be the largest leak of voter information in history.

A data analytics contractor hired by the Republican National Committee (RNC) left databases containing information about 198 million potential voters open to the public for download without a password, according to a ZDNet report.

The leak helps prove that any political party is susceptible to cybersecurity vulnerabilities, despite the GOP’s insistence that it ran a more secure 2016 presidential campaign than the rival Democratic National Committee (DNC).

The exposed databases belonged to the contractor Deep Root Analytics and amounted to about 25 terabytes in an Amazon S3 storage bucket whose contents were publicly accessible, with no login required. In practice, this means that anyone who knew where to look could have viewed and downloaded the information and potentially used it for malicious purposes.

The RNC worked closely with Deep Root Analytics during the 2016 election and paid the company $983,000 between January 2015 and November 2016, according to an AdAge report.

The open bucket was first discovered by researcher Chris Vickery of the security firm UpGuard, which disclosed the exposure to the RNC; the data was secured last week, before the news was made public today.

This vast exposure of voter information highlights the growing risk of the data-driven campaigning used by both the DNC and RNC. The data in this case contained models of voters’ positions on different issues, including how likely it is that they voted for Obama in 2012 and whether they were likely to agree with Trump’s “America First” foreign policy talking point.

The leak has essentially exposed more than half of the U.S. population, dwarfing the second-largest leak of voter information, the 2016 exposure of 93.4 million Mexican voters.

Perhaps the worst part about all of this is there’s very little voters can do to ensure their information is stored privately and securely. Mashable has reached out to the RNC and Deep Root Analytics for comment, and will update when we hear back.


Twitter’s 2-factor authentication has a serious problem

Adding an extra layer of security to your online accounts is a fundamental step to protect your digital life from hackers, but what’s the point if the new methods are just as vulnerable as the old ones?

It’s a question some Twitter users are asking after discovering that the two-factor authentication on their accounts isn’t as secure as it seems. 

But let’s back up for a second. No matter who you are, having your Twitter hacked would be a major bummer. In the case of political figures like Donald Trump, however, a hijacked account means more than just a headache; think of the havoc a fake policy pronouncement could wreak.

And so it was welcome news back in 2013 when Twitter rolled out two-factor authentication (2FA) to all of its users. This added layer of security allows users to protect their accounts, even if their passwords have been stolen, by requiring a second login credential sent via text message.

Great, right? Well, kinda. 

While SMS-based 2FA does provide additional protection, there’s a big problem with it: SMS itself isn’t secure. Signaling System 7 (SS7), the signaling protocol that lets different phone carriers route calls and texts between their networks, was built on trust between operators, and anyone with access to it can instruct the network to redirect texts meant for your number to practically any phone they want.

That means your SMS verification code could end up being sent directly to the cellphone of your hacker. 

And this is not just theoretical. In January, reports Ars Technica, a group of criminals exploited this flaw to snatch victims’ SMS 2FA verification codes and drain their bank accounts. 

So, with text-based 2FA known to have a security hole so large you could drive a truck through it, Twitter helpfully introduced additional ways to set up 2FA. Users who already have access to their accounts via the Twitter mobile app can use something called a login code generator, but as this requires already being logged in on mobile, it doesn’t help if you’re signed out.

The other method, a third-party authenticator app, offers a better option. These apps, like Google Authenticator, generate a one-time code on your phone from a secret shared with Twitter at setup time and the current time, so nothing has to be sent to you at login and there is no vulnerable text message to intercept.


Problem solved, right? 

Not so fast. Because here’s the thing: even with an authenticator app enabled, Twitter still sends out SMS verification codes. That’s right, the people who have taken the extra step to secure their Twitter accounts with an authenticator app, arguably the people most concerned about having their accounts hacked, are still just as vulnerable as those who rely on SMS-based verification codes, because an attacker who can intercept the text never needs the app’s code at all.

And this has not gone unnoticed. 

Users are rightly wondering what the point is of having a third-party authenticator app set up if Twitter still sends out text messages with the codes.

Twitter, for its part, is staying silent on the matter. 

We reached out to the company and exchanged multiple emails with numerous employees, all of whom declined to explain whether there is any way to disable SMS-based 2FA verification codes while keeping a third-party authenticator app, or why that would be the case.

One spokesperson simply responded the company had “nothing to share on our 2FA beyond what’s in our help center.” To be clear, the help center does not address this issue. 

What about just deleting your phone number from your Twitter account? Then it can’t send you texts, right? Go ahead, but Twitter ties 2FA to a verified phone number, so you then can no longer use the third-party authenticator app either.

The company, through spokespersons, also refused to comment on the SS7 exploit rendering SMS vulnerable to hackers.

Why this matters

For the average Twitter user, a text message-based verification code, despite its flaws, is still a worthwhile added layer of security: it defeats an attacker who has only your password. However, as demonstrated by the criminals that emptied bank accounts in January, a determined hacker with access to the phone network can bypass it.

And maybe this is just a bug affecting some users’ accounts, and not each and every one of Twitter’s users with third-party 2FA apps. Twitter’s refusal to discuss the matter, however, means we don’t know.

For you and me, this might not be that big of a deal at the end of the day. For celebrities, politicians, and members of the Silicon Valley elite? Well, that’s a different matter — and it’s one that Twitter should quickly address. 


Apple’s going to mandate 2-factor authentication, so you better get used to it now

Apple’s trying its hardest to protect the security of your account — whether you like it or not. 

In an email sent out in the early hours of June 6, the company confirmed that going forward it will mandate the use of 2-factor authentication (2FA) for many of its services. 

“If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID (xxxx@xxxx.com) will be automatically updated to use two-factor authentication,” reads the email. “This is our most advanced, easy-to-use account security, and it’s required to use some of the latest features of iOS, macOS, and iCloud.”

To be clear, this means that it’s not just early adopters downloading public betas of iOS 11 and High Sierra who will be required to use 2FA, but rather everyone who wants access to all the hot new features.

And what is 2FA, you ask? Two-factor authentication is a basic security measure that requires two separate pieces of evidence before a user can access his or her account. Think of taking cash out of an ATM. You need your physical bank card (“something you have”) and your PIN (“something you know”). Only with both can you get your cash.

That High Sierra goodness. Image: Apple

With online accounts, 2FA usually takes the form of your account password (“something you know”) plus a one-time code that is either sent to you via SMS or generated by an authenticator app on your phone (“something you have”). With both elements required to sign in, a stolen password alone is no longer enough for a hacker to get into the account.

“Once updated, you’ll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience,” the email continues. “Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password.”

So, whose Apple IDs will be automatically updated to 2FA? We reached out to Apple to determine if it’s just people downloading the public betas, or if the same requirements will apply to everyone downloading iOS 11 and High Sierra later this year. Unfortunately, we received no response as of press time. 

Either way, with Apple stating that 2FA is required to use “the latest features of iOS, macOS, and iCloud,” it’s clear the company is making a hard push toward better account security. 

So go ahead and update those security settings now — before Apple does it for you. After all, medicine’s always easier to swallow when it’s not being shoved down your throat. 
