Salted Hash Rehashed: The weekly news recap for May 7, 2016

Welcome to another installment of Rehashed, your weekly recap of the news for the week ending May 7, 2016.

Today we’ll talk about leaked passwords, Ransomware, the backlash surrounding the latest Verizon report, and more. Welcome to the weekend! Keep your cameras handy though, just in case.

Hold Security trades social media likes for 272 million usernames and passwords

The headline of the week comes from Reuters. The news agency reported on the discovery of 272 million email addresses and passwords being sold on a Russian forum. The general tone of the story makes it feel as if this is a big data breach, but it isn’t – far from it.

In fact, credential collections like this are traded and sold all the time. Not to mention, rippers (scammers in the criminal world) generate fake lists regularly. If someone hits a solid score (though Phishing or a massive database dump) the criminal isn’t going to immediately share their loot. Valid high-value credentials are hoarded. Once they’re used up, they’ll be dumped to lower-level scammers and script kiddies for pennies on the dollar.

The Source of the Reuters story is Hold Security, and when you read the Reuters piece a second time, it’s clear that none of the major email services have been breached.

In the list obtained by Hold Security, only one out of 200 accounts were new, meaning they haven’t been previously leaked or posted publicly. The source of that list offered up 1.17 billion accounts, 272 million of them were unique, but within that set, 42.5 million (15%) were new.

So when Reuters is talking about 272 million accounts, what they’re really talking about is 42.5 million. With that number, the best bet is that the credentials came from a Phishing attack, not a breach at Google or Microsoft.

In the last month, Salted Hash has seen more than 200,000 Phished credentials posted to various places as we work on a project for story set to run during Black Hat. The idea that someone collected millions of them and added them to other dumps isn’t far fetched. The notion that Gmail was breached is.

Verizon faces backlash over recent Data Breach Investigations Report

The DBIR from Verizon recently came out, and this year’s report isn’t fire, it was set on fire by the very security experts it was created to help. On Thursday, one expert (Dan Guido) wrote a critique of the report stating that organizations following its recommendations will expose themselves to more risk, not less.

The backslash started with a post by Jericho at OSVDB, who thrashed the CVE list used to form the Top 10 attacks. Guido’s post expands on that, and explores other issues. Most notably, the fact that university research and scanning led to the TLS FREAK vulnerability topping the list of targets in 2015.

“Clearly, no one who understands vulnerabilities was involved in the review process. The DBIR team tossed in some data-science vocab for credibility, and a few distracting jokes, and asked for readers’ trust… Professionals and businesses around the world depend on this report to make important security decisions. It’s up to Verizon to remain the dependable source for our industry.”

Officially, Microsoft says it can’t help admins worried about Regsvr32 attacks

Not too long ago, Salted Hash reported on how someone could use Regsvr32 to bypass application whitelisting protections, such Microsoft’s AppLocker. If the technique is used, investigators are in for a long day, as it doesn’t alter the system registry and in some cases comes across as normal Internet Explorer traffic.

Casey Smith, a researcher in Colorado, discovered the function and blogged about it. Salted Hash reached out to Microsoft, asking basic questions and seeking advice on how administrators could protect their networks from an attacker using this method. A spokesperson form Microsoft’s PR agency said the company declined to comment.

We asked Microsoft about the function Smith uses, and why it exists. This was followed by questions about using EMET as a possible layer of protection, and requesting documentation of such methods, as well as any methods that could be used to block outgoing collections, non-host mitigations, and advice for detecting Regsvr32 abuse or other IOCs.

“I have connected with my most appropriate colleagues, and unfortunately we are unable to accommodate your request at this time. I apologize for any inconvenience this may cause,” the spokesperson wrote.

But that’s the official line.

The good news is some Microsoft employees went out on their own to address the issue, including posting instructions on how to use EMET’s ASR to defend against the AppLocker bypass.

Why did they do this? Because while the giant machine might be a pain to deal with at times, Microsoft employs smart and talented people who do honestly care about security.

Stop changing your passwords, it doesn’t improve security

Per Thorsheim, the founder of PasswordsCon (held during BSides Las Vegas), has published a solid argument against changing passwords on a regular basis (e.g. every 90-days), as it doesn’t really help with security and in some cases can make things worse.

Remembering long passwords is hard enough for some people, but when you have to remember a new one every quarter, that’s pushing it a bit. Most people, in order to compensate, will recycle their passwords and use incremental elements, such as adding a number to the end, or the year.

“To make the burden of passwords a little easier, we suggest that you stop changing your passwords frequently. Instead you should create a sentence as your password for each service,” Thorsheim wrote.

The goal is to create a general mindset that passwords should be changed only when they’ve been compromised.

After W-2 Phishing attack, company fires victimized employee

Alpha Payroll fired the employee who was victimized by a Phishing attack seeking W-2 records. In a bit of a twist, the company said that in addition to firing the victimized staffer, they’re redoubling their efforts to improve awareness training and Phishing education.

In related news, thousands of people have been affected by W-2 Phishing attacks this year. Salted Hash has confirmed nearly 70 incidents so far, and Databreaches.net claims that more than 100 organizations have been successfully targeted.

Other Items of note:

• Apple released an update to Xcode in order to patch two flaws in Git, which if exploited gave attackers code execution.
• Millions of websites are at risk due to a bug in ImageMagick, which if exploited would allow an attacker compromise the server hosting them. In addition to impacting ImageMagick compiled along with PHP, the vulnerability impacts servers where the library is compiled with Ruby (rmagick and paperclip) and NodeJS’s ImageMagick.

Neat tool: Pentest Box

A reader suggested Pentest Box as a possible Rehashed inclusion. It’s a penetration testing platform that runs on Windows. The design is clean, the software itself is simple to use, plus it has most of the basic Lunux-based commands and tools that one would need. I’m still playing with it, but so far I like what I see.

FBI releases more Ransomware warnings, releases brochure

The FBI has once again issued a warning to the public over the rise of Ransomware and its impact to businesses. This time, they’ve also produced a brochure on the topic.

That’s all for this week!

Remember, if you come across a blog post or news item next week, or perhaps just something amusing, and you think should be shared on Rehash, feel free to email me a link. General corporate news and product-based items are the only exemptions.