September 18, 2019

WannaCry – the worm that just won’t die

By Naked Security writer

Remember WannaCry?

That’s the infamous self-spreading ransomware attack that stormed the world in May 2017.

WannaCry was an unusual strain of ransomware for two main reasons.

Unlike most ransomware we’ve seen in the past 30 years (yes, it really is that long!) WannaCry was a computer virus, or more precisely a self-spreading worm, meaning that it replicated all by itself, finding new victims, breaking in and launching on the next computer automatically.

WannaCry broke in across the internet, jumping from network to network and company to company using an exploit – a security bug in Windows that allowed the virus to poke its way in without needing a username or a password.

And not just any exploit – WannaCry used an attack called ETERNALBLUE that was allegedly stolen from the US National Security Agency by a hacking crew known as Shadow Brokers.

The good news is that, even back at the time that WannaCry burst onto the internet, a patch to fix the ETERNALBLUE security hole was available, issued two months previously by Microsoft as part of the March 2017 Patch Tuesday update.

If you’d patched within the past two months, you were largely immune to WannaCry, and could therefore stand down from red alert.

Even if you detected network attacks coming from existing, unpatched, infected victims, those ETERNALBLUE probes would have bounced harmlessly off your up-to-date devices.

Of course, not everyone had patched within that two-month window, and so the malware spread far and fast, demanding $300 per infected computer from something like 200,000 victims in short order.


Is $100 million enough to save the web from ads?

By John E Dunn

After years of going nowhere, could web micropayments be the next big enabler for user privacy?

The privacy angle on this has always sounded interesting: if visitors could pay websites small amounts of money for consuming content, perhaps those sites wouldn’t need to sell traffic to advertisers whose business is built on distracting, tracking and profiling visitors.

Easy to aspire to, harder to make work – with a long list of commercial micropayments systems that nobody uses serving as cautionary tales.

But that was before privacy became a big deal, which is why a startup called Coil has decided to try again by backing an initiative called Grant for the Web (GftW), backed by a $100 million fund to be handed out over five years.

Founded in 2018, Coil describes itself as a “content monetisation” company, but don’t let that put you off. Grant for the Web is taken seriously enough by outsiders that The Mozilla Foundation and copyright non-profit Creative Commons have signed up as launch partners.

But what is it?

The following explanation appears on the Creative Commons website:

The program will fund individuals, projects, and global communities that contribute to a privacy-centric, open, and accessible web monetisation ecosystem.

Content creators and software companies will be able to do this using Coil’s open Web Monetization API, which has been proposed to the World Wide Web Consortium (W3C) Web Incubator Community Group as ILP-RFC 0028 (Draft 9).


Leaky database spills data on 20 million Ecuadorians and businesses

By Lisa Vaas

Ecuadorian police on Monday searched the home of an attorney for the consulting and analytics company Novaestrat, seizing storage devices, documents and electronic equipment after what appears to be the company’s unsecured database – located in Miami – was found spilling deep data on over 20 million Ecuadorians.

…as well as data for one Australian by the name of Julian Assange, who was granted political asylum by Ecuador in 2012, and squirreled away in the Ecuadorian embassy in London up until April 2019.

This is an unprecedented breach for the country. In fact, there were more people’s data in that database than there are people living in Ecuador. As of 2017, the country only had a population of about 16.62 million, as pointed out by the team of vpnMentor researchers – led by Noam Rotem and Ran Locar – who found the breach.

The personally identifying information (PII) of those few extra million people could have come from deceased people, according to Ecuador’s state attorney general’s office and according to the “death date” record the researchers found – among many, many other sensitive types of information – in the database. According to a post from the state AG’s office, the cache also contained the PII of about 7 million minors.

vpnMentor said in its report, released on Monday, that its research team discovered the breach as part of its large-scale web-mapping project. One assumes it’s the same project that recently led the team to a leaky database stuffed with Groupon emails that turned out to belong to crooks who were ripping off ticket sellers using fake email accounts and stolen payment card details.

The leaky Ecuadorian database contained about 18GB of data, mostly pertaining to people apparently located in Ecuador. vpnMentor said that it appears to contain information coming from sources that may include Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank called Biess.

According to the country’s telecommunications ministry, it received a report on the breach from vpnMentor on 11 September, and the leak was closed on the same day.


Common storage and router devices are still hopelessly broken

By Danny Bradbury

Don’t be lulled into a false sense of security by that shiny new router or network-attached storage (NAS) device – the chances are that it’s no more secure than its predecessors. That’s the finding from a new piece of research that tested multiple devices for security bugs.

In 2013, Baltimore-based security consulting company Independent Security Evaluators (ISE) tested 13 small office/home office (SOHO) routers and wireless access points. It found 57 security bugs and was able to take over 11 of them from outside the local network. No wonder it called its report SOHOpelessly Broken.

So, the industry would have taken this to heart and enhanced its security in the last six years, right? Wrong.

In its update to the test, called SOHOpelessly Broken 2.0, ISE tested another 13 devices, some from the same vendors and some new. It found more than double the number of flaws, filing 125 CVEs based on its research. This time around, it got remote root access on 12 of the devices.

The team tested equipment from ASUS, Buffalo, Drobo, Lenovo, Netgear, QNAP, TerraMaster, Seagate, Synology, Xiaomi, Zyxel, and Zioncom.

Typical attacks included bypassing authentication mechanisms altogether. On one device, the team was able to hijack a cookie authentication system by changing the IP address to and issuing unauthorized requests via the API.

The project found that some things had changed since 2013, and others had not. Device vendors had taken new steps to try to protect their software. For example, several used address-space layout randomization (ASLR), which randomizes the memory addresses that programs use and is supposed to make memory-corruption attacks like buffer overflows difficult. However, the researchers could exploit other flaws to defeat ASLR and launch their buffer overflow attacks anyway.

One device encrypted the PHP files used to process requests through its web interface but had to store the decryption key on the device, which the team used to access the files and exploit those using PHP’s system() function, gaining shell access.
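To make the last finding concrete, here is an added illustration (constructed for this digest, not ISE's code or any vendor's firmware) of a web-interface handler that passes a request parameter to a shell, which is the kind of PHP system() usage that yields shell access, beside a hardened version that validates the input against an allowlist and quotes it. The function names and the `ping` use case are assumptions.

```php
<?php
// Constructed example of a NAS/router web-interface handler (hypothetical).

// VULNERABLE: the host parameter reaches the shell unfiltered, so any shell
// metacharacters in it are interpreted and the attacker runs commands as the
// web-server user. This is the pattern a system()-based exploit relies on.
function pingVulnerable(string $host): void
{
    system("ping -c 1 " . $host);
}

// HARDENED: reject anything that is not a plain IPv4 address or hostname,
// then quote the surviving value so the shell treats it as a single literal
// argument. Avoiding the shell entirely (proc_open() with an argv array on
// PHP 7.4+) is stronger still, and the web server should not run as root.
function pingHardened(string $host): void
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)) {
        http_response_code(400);
        error_log("rejected ping target from " . $_SERVER['REMOTE_ADDR']);
        return;
    }
    system("ping -c 1 " . escapeshellarg($host));
}

// Usage in a request handler (constructed):
$target = $_GET['host'] ?? '';
pingHardened($target);
```

Note that neither variant helps if the key that decrypts the PHP files ships on the device: anyone with local file access can recover the source, so the only real fix is input validation, not source obfuscation.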


Teenage gamer jailed over lethal swatting

By Lisa Vaas

An Ohio gamer who got into a spat over a $1.50 wager that led to the death-by-swatting of an innocent man has been sentenced to 15 months in prison, the Department of Justice (DOJ) announced on Friday.

Casey S. Viner, 19, pleaded guilty to one count of conspiracy and one count of obstructing justice.

Viner admitted to arguing with another gamer – co-defendant Shane Gaskill – while playing Call of Duty World War II online. The two gamers were disputing a $1.50 wager. Apparently, one had accidentally “killed” a teammate in the first-person shooter game.

So, as Viner admitted in his plea agreement, he contacted known swatter Tyler Barriss and asked him to swat Gaskill.

Swatting (or SWATting), which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams, is the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

Barriss did as he was asked: he first taunted Gaskill in Twitter direct messages. Gaskill challenged Barriss to go ahead and swat him, according to court records.

But Gaskill then sent Barriss the wrong address: that of a home nearby, at 1033 W. McCormick, in Wichita, Kansas, where he once lived. That misdirection led police to show up at the wrong house – the home of 28-year-old Andrew Finch.

In the recording of the emergency call that cost Finch his life, Barriss told operators that he’d shot his father in the head. He also said that he was holding his mother and a sibling at gunpoint in a closet. Barriss said he’d poured gasoline all over the house and that he was thinking of lighting the place on fire.


Robocalls now flooding US phones with 200m calls per day

By Lisa Vaas

This is unlikely to surprise anybody who owns a phone: according to a new report, nearly 30% of all US calls placed in the first half of this year were garbage, as in, nuisance, scam or fraud calls. That puts the approximate volume of sludge coming into people’s phones at a mind-boggling 200 million unwanted calls per day.

The TNS 2019 Robocall Investigation Report comes from Transaction Network Services (TNS), which markets a big-data analytics engine that aims to suppress unwanted calls to consumers by applying machine learning, as well as an authentication hub to help carriers combat illegal spoofing and to help consumers fend off robocalls.

TNS’s analysis crunched approximately one billion daily calls, placed via hundreds of carriers. TNS defines “high-risk” robocalls – i.e., scam/fraudulent calls – as those that try to shake down targets for personal information and/or money. It defines “nuisance” robocalls as those that are, well, just nuisances that lack malicious intent and that don’t reflect negligent non-compliance.

“Nuisance” calls aren’t always defined to exclude scams, but we can look to the UK for what strikes me as an example of TNS’s definition…

A few years back, Home Logic, a UK firm that offers energy-saving solutions, was made £50,000 lighter thanks to a penalty issued by the Information Commissioner’s Office (ICO) for making marketing calls to people who had made it clear – via the free Telephone Preference Service (TPS) – that they didn’t want to be contacted in that way.

It was a tech glitch, Home Logic said at the time. What happened was that it licensed the numbers it used to make marketing calls from third-party providers. It then uploaded that data to an electronic dialer system that screened the numbers against the TPS register. One of the third-party providers left it up to Home Logic UK to ensure that the data supplied was screened against the TPS.

Technical issues knocked the system out for 90 days out of 220 between April 2015 and March 2016. That didn’t slow down Home Logic, though: the unsolicited marketing calls kept right on coming, but with no screening against the TPS register.


Former hacker warns against password reuse

By Danny Bradbury

Kyle Milliken is back from jail, and he has some advice for you.

The 30-year-old hacker from Arkansas, according to his blog, at age 17 began phishing celebrity Myspace accounts and using them to send internet marketing spam. After earning $5,000 per week, he evolved to hack millions of email, forum, and social media accounts. Some of his largest thefts included Disqus (17.5 million), Kickstarter (5.2 million) and Imgur (1.7 million). He also claims to have hit Twitter and Pinterest among many others.

Milliken used lists of login credentials to target accounts automatically, relying on the fact that many people reuse passwords across multiple online services. When he obtained access to an account, he could use it to send spam messages to all that account’s contacts.

He accessed account credentials in numerous ways, including hijacking Yahoo session cookies so that he could spam from users’ accounts, and, in the case of Disqus, by compromising a site developer’s GitHub account and getting at access credentials to its online database.

By the end of his run, he had 168 million login credentials and had earned around $1.4 million. He cooperated with the FBI, gave up a black hat colleague, and received a 17-month prison term in a federal work camp.

Milliken’s own poor security was what undid him. He hacked his targets via a hosted server that he rented under an alias, and always accessed it via a VPN to protect his IP. When he hacked Disqus, he forgot to use the VPN, and in 2014 the FBI caught him.


Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation