Microsoft 365 services back online after hours‑long outage

Microsoft resolves a service disruption that affected Office 365, Outlook.com, Teams and other cloud-based services

Microsoft has fixed problems affecting its online authentication systems that left a portion of its userbase locked out of multiple cloud-based services unless they were logged in already.

The issues, which occurred on Monday evening, have since been resolved and the services seem to be up and running normally again. Most customers saw their access restored and systems fully recovered after Microsoft’s engineers were able to successfully roll back their systems on early Tuesday morning.

According to the Azure status history page, the downtime started at approximately 21:25 UTC on Monday and affected users who were trying to log in to its various services, including Microsoft 365, Azure and Dynamics 365, as well as other custom applications that use Azure Active Directory (AAD) authentication.

⚠️ We are investigating an issue impacting Azure AD Authentication. More information and updates can be found on the Azure Status page at https://t.co/Dw19fIGsXf

— Azure Support (@AzureSupport) September 28, 2020

“Users who were not already authenticated to the cloud services using Azure AD would have seen multiple authentication request failures. Impact was primarily in the Americas based on the issue being exacerbated by load, but users in other regions may also have experienced some impact. Users that had previously authenticated prior to the issue may not have experienced any noticeable effect,” said Microsoft.

In another tweet, the Azure Support account confirmed that both the Azure Public and Azure Government clouds were affected by the issue impacting AAD authentication.

Engineers have confirmed that an issue that impacted Azure AD Authentication in the Azure Public and Azure Government clouds is now mitigated. A detailed resolution statement has been posted to the Azure Status History page at https://t.co/yK1I9ll9jj.

— Azure Support (@AzureSupport) September 29, 2020

While the results of Microsoft’s in-depth investigation are still a few days away, the company has identified the likely culprits behind the whole situation. The root cause seems to be a combination of three separate and unrelated issues, including a code defect in a service update, a tooling error in the Azure AD safe deployment system, and a code defect in Azure AD’s rollback mechanism.

Needless to say, after the COVID-19 crisis struck earlier this year, cloud-based workplace applications have been vital for many businesses and their newly-remote staff.

FBI, CISA warn of disinformation campaigns about hacked voting systems

Threat actors may spread false claims about compromised voting systems in order to undermine confidence in the electoral process

The United States’ Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint announcement aimed at raising awareness about threats posed by disinformation campaigns that may target voters during the 2020 election season.

“During the 2020 election season, foreign actors and cybercriminals are spreading false and inconsistent information through various online platforms in an attempt to manipulate public opinion, sow discord, discredit the electoral process, and undermine confidence in U.S. democratic institutions,” reads the public service announcement (PSA) issued by the agencies.

PSA: The #FBI and @CISAgov warn that cyber actors may spread false claims about hacked voter information to cast doubt on the legitimacy of U.S. elections. Beware of disinformation regarding cyberattacks on voter registration databases or voting systems. https://t.co/Q1N6WuktJN pic.twitter.com/ItiCt2HQ9O

— FBI (@FBI) September 28, 2020

With just over a month to go before the November election, they went on to warn that threat actors could use these platforms to claim or insinuate that successful cyberattacks have been carried out against the election infrastructure, leading to the leaking or hacking of US voter registration data.

However, gaining access to voter data in the US doesn’t require hacking or breaching the election infrastructure; most of it can be either found using publicly available sources, or alternatively, the data could be purchased. The agencies admitted that threat actors have in recent years acquired voter registration data, but gave assurances that this did not have any adverse effect on the voting process or the integrity of the results.

“In addition, the FBI and CISA have no information suggesting any cyberattack on U.S. election infrastructure has prevented an election from occurring, compromised the accuracy of voter registration information, prevented a registered voter from casting a ballot, or compromised the integrity of any ballots cast,” reads the statement. Last week, the same two agencies rang the alarm bells over attempts by threat actors to spread disinformation around the results of the upcoming elections.

RELATED READING: Black Hat 2020: Fixing voting issues – boiling the ocean?

The new announcement also sets out a list of recommendations to help citizens and potential voters distinguish between truthful, verifiable information and disinformation attempts. The list includes advice such as verifying the source of the data and evaluating its trustworthiness, relying on state and local officials when searching for information, being skeptical about early and unverified information, as well as reporting any signs of election crimes. Voters are also advised to use the reporting features of various social media platforms if they come across suspicious posts aiming to spread disinformation.

Meanwhile, tech giants and social media platforms have been gearing up for the upcoming 2020 US presidential election for some time now. Facebook, for example, has laid out plans aimed at protecting the elections by combating inauthentic behavior as well as by launching the Facebook Protect feature for political figures. Microsoft, for its part, recently debuted a tool aimed at detecting deepfakes.

Week in security with Tony Anscombe

Bug let attackers hijack Firefox browsers on other phones over Wi-Fi – NIST’s new tool to help firms understand why staff fall for phishing – Almost 200 arrested in dark web crackdown

Mozilla has fixed a security flaw that could allow anyone to take control of all Firefox for Android browsers running on devices connected to the same Wi-Fi network. A new tool, developed by the United States’ NIST, can help security professionals accurately assess why employees click on certain phishing emails. Law enforcement agencies across the world have nabbed almost 200 people suspected of trafficking in illegal goods on the dark web. All this – and more – on WeLiveSecurity.com.

5 tips for better Google Drive security

As cloud storage solutions are becoming more and more popular, we look at several simple steps you can take to secure your files on Google Drive

Cloud storage solutions have steadily become as popular as external storage devices; some may even argue that they are slowly surpassing them. The main selling point of the cloud is that it is quickly, easily, and readily accessible from almost any digital device with an internet connection. Meanwhile, flash drives have to be hauled around and can be only accessed if plugged into a compatible device; and let’s not forget that these can be misplaced or lost.

And although the perks of the cloud are many, we cannot forget about the security of the data stored on it. So, to mark Google’s 22nd anniversary this Sunday, we decided to take a look at what steps you can take to store your data more securely on its cloud storage service – Google Drive.

Securing your account

Most netizens secure their digital identities and accounts using only one security measure – a password. However, this isn’t a foolproof method, especially if you consider the questionable choices people make when creating their passwords: 12345, 123456 and 12356789 were the top 3 most popular passwords of 2019, and as you can imagine, these aren’t tough to crack. Another bad habit people have is recycling passwords, which means that if such a password is part of a data breach, cybercriminals can easily exploit it in a credential-stuffing attack.

That’s where two-factor authentication (2FA) comes in. It’s one of the easiest ways to add an extra layer of security, not just to your cloud storage but other accounts as well. To illustrate, there are three archetypal authentication factors, commonly known as the knowledge factor, possession factor, and existence factor.

The first is something you know, like a password or PIN code, while the second is something you have, like a physical key or a security token; the last is something you are, such as a fingerprint or retina scan. 2FA then requires you to use two of these factors to log in, usually a password and one of the others we’ve mentioned. So even if cybercriminals have your password and try to get access to your account, they will be missing one key piece of the puzzle.

Third-party apps

Third-party add-ons are popular in helping people streamline the tasks they are working on or organizing their work into digestible bits. And even though people are trying to “work smarter not harder”, they should not forget about working safely as well.

G Suite’s Marketplace offers a plethora of add-ons designed to help users boost their productivity. However, since these are offered by third-party developers, users have to be careful and evaluate each app they want to install. The first step they should take is to read the reviews and ratings of the add-on they’re considering installing.

The next step, although rarely done, should be reading through the vendor’s privacy policy, terms of service, and deletion policy. Directly contacting the vendor to ask your questions is also worth considering, especially since you’ll have proof of communication if something goes awry.

Encrypting your data

While being able to access your data on the go is one of the greatest perks that cloud storage such as Google Drive provides, it does introduce its own set of challenges. Although cloud storage services have improved their security measures by leaps and bounds since they have become a mainstream option, breaches may still occur either because of human error or sufficiently motivated cybercriminals.

RELATED READING: Is it safe to store corporate information on Google Drive (or similar services)?

While your data in various G Suite services is encrypted both in transit and at rest, you can up the ante by encrypting any files on your end before you upload them to the cloud. With encryption in place, even if black hats are able to worm their way into your drive or its contents get spilled all over the interwebs, the data would prove useless without the decryption key. There are myriad solutions to choose from based on your preferences, but you should focus on those that offer Advanced Encryption Standard (AES) encryption at least.

Granting permissions

Besides uploading, storing, and downloading files, you can use Google Drive to share them and even collaborate on documents with other people. As nifty as that option is, you have to think about what kind of permissions you are granting the people you are sharing the files with.

You can share both files and folders by inviting people or by sending them a link. If you share by email, you share with a specific person, can include a message, and choose their role: either viewer or editor. The former can view the files in the folder, while the latter can organize, add, and edit files. The same applies to sharing a link: you define the role before you send it. However, a link can be forwarded to other people, so you should think carefully before choosing that option.

Permissions can be edited even after the folder is created, which means that you can stop sharing the file or folder with people by removing them from the list. You can also restrict the files from being shared, as well as prohibit people from downloading, copying, or printing them.

Who can see my files, anyway?

While managing your permissions is important, keeping in mind what kinds of files and who you are sharing them with is equally important. If the data you’re going to share is sensitive, you need to be certain that you trust the person you’re sharing it with and that they will not pass it on.

If you share a lot of files and folders with various people, you should assess the types of files you’re sharing and the amount of time you are sharing them for. After that, you can restrict or

Ray‑Ban parent company reportedly suffers major ransomware attack

There is no evidence that cybercriminals were also able to steal customer data

Luxottica, the world’s leading eyewear producer, has allegedly fallen victim to a ransomware attack that affected its Italian and Chinese operations alike. The Italy-based eyewear giant – which boasts brands such as Ray-Ban, Oakley, and Persol in its portfolio and produces eyeglasses for fashion labels such as Burberry, Prada, Chanel, and Versace – appears to have been hit over the weekend.

Details of the alleged attack are not immediately clear, but according to BleepingComputer, customers began reporting that the company’s Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision websites were down on Friday evening.

The site also quoted Italian security specialist Nicola Vanin, who confirmed the incident, but gave assurances that no data was stolen or leaked. Of late, a number of ransomware operators have indeed engaged in doxing – traversing their victims’ files looking for sensitive information, which they will then threaten to release unless they are paid an additional fee on top of the ransom.

RELATED READING: 5 ways cybercriminals can try to extort you

Meanwhile, a Luxottica employee claimed that the attack occurred on Sunday evening, affecting the company’s global operations, with some offices still reeling from the attack’s aftermath.

Per reports from the Italian press, Luxottica’s offices in Agordo and Sedico in the province of Belluno were experiencing IT problems, with employees receiving text messages that their shifts were suspended due to a “computer system failure”.

At the time of writing, all affected websites seem to be back up and running with no signs of the incident. The company itself has yet to comment on the issue.

Citing information from cybersecurity intelligence company Bad Packets, BleepingComputer wrote that Luxottica had a Citrix ADC controller device susceptible to the critical-rated CVE-2019-19781 vulnerability in Citrix devices.

Further reading:

Buying Ray-Bans? Don’t fall for this Facebook scam
Hitting emails and Facebook: Ray‑Ban scam is back

179 arrested in massive dark web bust

The sting is said to be the US Government’s largest operation targeting crime in the internet’s seedy underbelly

Law enforcement agencies from around the globe have swooped down on dozens of purveyors of illegal goods on the dark web. No fewer than 179 vendors of illicit goods have been handcuffed in an operation dubbed DisrupTor, which comprised several separate but complementary operations and was the result of a collective effort mostly by North American and European authorities.

Europe’s law enforcement agency, Europol, lauded the success of the raids in a press release, with Edvard Šileris, the director of its European Cybercrime Centre, saying: “Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous. Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen.”

As noted by the United States’ Department of Justice, DisrupTor comes on the heels of two similar busts from the recent past. In March 2019, a global operation dubbed SaboTor resulted in the arrests of 61 suspected peddlers of illegal goods on the dark web. Two months later, another successful sting brought the takedown of Wall Street Market – the second-largest dark web online market dealing with the sale of illicit wares.

RELATED READING: Europol sets up EU‑wide team to fight dark web crime

The intelligence the operation yielded allowed investigators to identify the suspects behind the accounts used to conduct illegal business, which led to 179 sellers of illicit wares ending up in custody across Europe and the US, and to the seizure of thousands of illegal goods, including over US$6.5 million in cash and cryptocurrencies, some 500 kilograms of addictive substances and drugs, and weapons.

US Attorney General Jeffrey Rosen touted the significance of the operation: “Criminals selling fentanyl on the Darknet should pay attention to Operation DisrupTor. The arrest of 179 of them in seven countries—with the seizure of their drug supplies and their money as well—shows that there will be no safe haven for drug dealing in cyberspace.”

While the investigations are still ongoing and law enforcement officers are busy identifying further suspects, arrests have been made in multiple countries. The United States leads the pack with 121 arrests, with Germany following suit on 42. The Netherlands nabbed eight suspects, while the United Kingdom detained four, Austria has apprehended three and Sweden captured one person.

Earlier this year, European law enforcement agencies were also able to crack an encrypted chat network, which ultimately led to the arrest of over 800 suspected criminals.

New tool helps companies assess why employees click on phishing emails

NIST’s tool can help organizations improve the testing of their employees’ phish-spotting prowess

Researchers at the US National Institute of Standards and Technology (NIST) have devised a new method that could be used to accurately assess why employees click on certain phishing emails. The tool, dubbed Phish Scale, uses real data to evaluate the complexity and quality of phishing attacks to help organizations comprehend where their (human) vulnerabilities lie.

Here’s a quick refresher: in its simplest form, phishing is an unsolicited email or any other form of electronic communication where cybercriminals impersonate a trusted organization and attempt to pilfer your data. Information such as access credentials can be then abused for further attacks or sold on the dark web and used to commit fraud or identity theft.

Therefore, any company or organization that takes its cybersecurity seriously conducts regular phishing training exercises to see if its employees can distinguish between real and phishing emails. These trainings aim to increase employee vigilance as well as teach them to spot signs of phishing attacks masquerading as legitimate emails, which in turn, prevents them from getting hooked and protects their organizations from monetary and reputational damage.

RELATED READING: Would you get hooked by a phishing scam? Test yourself

These exercises are usually overseen by Chief Information Security Officers (CISOs), who evaluate the success or failure of these exercises based on click rates – how often employees click on a phishing email. However, the results are not emblematic of the whole problem.

“The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves in the press release announcing the new tool.

Phish Scale looks at two main elements when assessing how difficult it is to detect a potential phishing email. The first variable the tool evaluates is ‘phishing email cues’ – observable signs, such as spelling mistakes, using personal email addresses rather than work emails, or using time-pressuring techniques.

Meanwhile, the second, ‘alignment of the email’s context to the user’, uses a rating system to evaluate whether the context is relevant to the target: the more relevant it is, the harder it becomes to identify the message as a phishing email. Based on a combination of these two factors, the Phish Scale categorizes the difficulty of spotting the phish as least, moderately, or very difficult.

These can provide valuable insight into the phishing attacks themselves, as well as help ascertain why people are more or less likely to click on these emails.
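To make the two-factor rating concrete, here is an added example (not NIST’s own implementation) that counts the three cue types the article names in a constructed training email and combines the count with a context-alignment rating. The cue detectors, the cue-count bands and the difficulty matrix are assumptions for illustration; NIST’s published Phish Scale uses its own, longer cue list and its own cut-offs.

```python
"""Rate how hard a training phish is to spot, Phish Scale style.

Added example, not NIST's implementation. Cue detectors cover the three cue
types the article names (spelling mistakes, a personal sender address, time
pressure); the thresholds and the difficulty matrix are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed lists; a real rubric would use a far larger cue inventory.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
COMMON_MISSPELLINGS = {"recieve", "acount", "verifcation", "imediately", "securty"}
TIME_PRESSURE = re.compile(r"\b(urgent|immediately|within 24 hours|today|asap)\b", re.I)

ALIGNMENT_LEVELS = ("low", "medium", "high")  # trainer's relevance rating

# Assumed matrix: (cue band, alignment) -> difficulty of detection.
DIFFICULTY_MATRIX = {
    ("many", "low"): "least difficult",
    ("many", "medium"): "least difficult",
    ("many", "high"): "moderately difficult",
    ("some", "low"): "least difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("few", "medium"): "very difficult",
    ("few", "high"): "very difficult",
}


@dataclass
class TrainingEmail:
    sender: str
    subject: str
    body: str


def find_cues(mail: TrainingEmail) -> List[str]:
    """Return the names of the observable cues present in the email."""
    cues: List[str] = []
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain in PERSONAL_MAIL_DOMAINS:
        cues.append("personal sender address")
    text = f"{mail.subject} {mail.body}"
    words = set(re.findall(r"[a-z]+", text.lower()))
    cues.extend(f"misspelling: {w}" for w in sorted(words & COMMON_MISSPELLINGS))
    if TIME_PRESSURE.search(text):
        cues.append("time pressure")
    return cues


def difficulty(cue_count: int, alignment: str) -> str:
    """Map a cue count and an alignment rating to a difficulty label.

    Assumed bands: many = 3 or more cues, some = 1-2 cues, few = none.
    """
    if alignment not in ALIGNMENT_LEVELS:
        raise ValueError(f"alignment must be one of {ALIGNMENT_LEVELS}")
    band = "many" if cue_count >= 3 else "some" if cue_count >= 1 else "few"
    return DIFFICULTY_MATRIX[(band, alignment)]


def rate(mail: TrainingEmail, alignment: str) -> Dict[str, object]:
    """Full rating: the cues found plus the resulting difficulty label."""
    cues = find_cues(mail)
    return {"cues": cues, "difficulty": difficulty(len(cues), alignment)}


# Constructed sample training email (not from the NIST data set).
SAMPLE = TrainingEmail(
    sender="it-helpdesk@gmail.com",
    subject="Urgent: verify your acount",
    body="We could not verify your account. Log in within 24 hours or lose access.",
)

if __name__ == "__main__":
    print(rate(SAMPLE, "high"))
```

A low click rate on SAMPLE rated "high" would mean little, since the email carries three cues and is only moderately difficult by this rubric.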

RELATED READING: This test will tell you how likely you are to fall for fraud

Phish Scale aims to provide CISOs with a better comprehension of their click-rate data, so they don’t solely rely on the number output. “A low click rate for a particular phishing email can have several causes: The phishing training emails are too easy or do not provide relevant context to the user, or the phishing email is similar to a previous exercise. Data like this can create a false sense of security if click rates are analyzed on their own without understanding the phishing email’s difficulty,” NIST said.

While all data that was fed to the Phish Scale has originated from NIST, the institute hopes to test the tool on other organizations and companies to see if it performs up to standard. For further information on the tool and research behind it, you can delve into the article, Categorizing human phishing difficulty: a Phish Scale, published by the researchers Michelle Steves, Kristen Greene, and Mary Theofanos.

Mozilla fixes flaw that let attackers hijack Firefox for Android via Wi‑Fi

Attackers could have exploited the flaw to steal victims’ login credentials or install malware on their devices

Mozilla has patched a security flaw that could allow cybercriminals to hijack all vulnerable Firefox for Android browsers running on devices connected to the same Wi-Fi network. The vulnerability could be abused by black hats to force users to visit websites housing malicious content, which could then be used to execute phishing attacks or to download malware to their devices.

The bug, which resided in Firefox’s Simple Service Discovery Protocol (SSDP), was uncovered by security researcher Chris Moberly and affected Firefox for Android versions of 68.11.0 and below.

ESET malware researcher Lukas Stefanko has tested a proof-of-concept (PoC) exploit that takes advantage of the security hole, running the PoC on three devices connected to the same Wi-Fi router.

Exploitation of LAN vulnerability found in Firefox for Android

I tested this PoC exploit on 3 devices on same wifi, it worked pretty well.
I was able to open custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq

— Lukas Stefanko (@LukasStefanko) September 18, 2020

“This is a serious issue that allows to trigger any Android Intent on the same Wi-Fi network without any user interaction if you have a vulnerable version of Firefox for Android installed on your device,” said Stefanko.

He went on to warn that successful exploitation of the bug could lead to a phishing attack on public Wi-Fi networks, by requesting personal user information or login credentials from all users connected to the network who were running unpatched versions of the browser. “It makes exploitation of this issue really easy,” he added.

In a write-up of the problem on his GitLab page, Moberly explained that vulnerable versions of the Firefox browser routinely send out SSDP discovery messages, looking for second-screen devices connected to the same local network that they can cast to (imagine a Chromecast, Roku, or similar gizmo).

Devices connected on that local network can respond to these broadcasted messages, providing the location of an XML (eXtensible Markup Language) file containing their configuration details, which Firefox will then attempt to access.

However, that’s the moment when cybercriminals could make their move. “Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself,” said Moberly, shedding some light on how the vulnerability could be exploited. The security researcher added that he reported the vulnerability to Mozilla.

The bug has been fixed with the release of Firefox for Android 79, the direct successor to version 68.11.0. If you’re a Firefox for Android user, we suggest that you check whether you use the browser’s version 79, or even better, its latest version (80); if not, you should update your browser immediately.
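The defensive side of the discovery flow described above, as an added example that is not Mozilla’s or Chris Moberly’s code: a second-screen client that parses an SSDP discovery response and only follows a LOCATION header that is an http(s) URL with a host, rejecting anything else before it is fetched. The sample responses are constructed; the Roku search target and the device addresses are placeholders.

```python
"""Accept only http(s) descriptor URLs from SSDP discovery responses.

Added example, not code from Mozilla or the researcher. It models the check a
cast/second-screen client should make on the LOCATION header before fetching
the device description XML: http or https with a host, nothing else.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an HTTP/1.1 200 OK SSDP response into lower-cased header names."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("unexpected status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":  # blank line terminates the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers


def safe_location(headers: Dict[str, str]) -> Optional[str]:
    """Return the LOCATION URL only if it is an http(s) URL with a host."""
    loc = headers.get("location")
    if loc is None:
        return None
    parts = urlsplit(loc)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return loc


def triage_responses(responses: List[bytes]) -> List[Tuple[str, str]]:
    """Classify captured responses as 'follow' or 'reject', keyed by USN."""
    verdicts: List[Tuple[str, str]] = []
    for raw in responses:
        try:
            headers = parse_ssdp_response(raw)
        except ValueError:
            verdicts.append(("<unparsed>", "reject"))
            continue
        usn = headers.get("usn", "<no-usn>")
        verdicts.append((usn, "follow" if safe_location(headers) else "reject"))
    return verdicts


# Constructed sample responses: a legitimate-looking cast device and one whose
# LOCATION does not point at an http(s) descriptor URL.
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.20:8008/ssdp/device-desc.xml\r\n"
    b"ST: roku:ecp\r\n"
    b"USN: uuid:constructed-good-device\r\n\r\n"
)
BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: intent://example.invalid/\r\n"
    b"ST: roku:ecp\r\n"
    b"USN: uuid:constructed-bad-device\r\n\r\n"
)

if __name__ == "__main__":
    for usn, verdict in triage_responses([GOOD_RESPONSE, BAD_RESPONSE]):
        print(usn, verdict)
```

The same scheme-and-host check is a cheap thing to log on a network monitor: an SSDP reply on the LAN whose LOCATION is not http(s) is a signal worth alerting on.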

Week in security with Tony Anscombe

Zoom now supports two-factor authentication. A cyber attack, which affected 14 inboxes belonging to Quebec’s Department of Justice, was confirmed by ESET researchers.

Zoom now supports phone calls, text messages and authentication apps as forms of two-factor authentication. Sports and training data are more sophisticated and affordable than ever. With the democratization of (sports) performance data, is your personal information safe? A cyber attack, which affected 14 inboxes belonging to Quebec’s Department of Justice, was confirmed by ESET researchers. All this – and more – on WeLiveSecurity.com.

5 ways cybercriminals can try to extort you

When it comes to coercing people into parting with their money, cybercriminals seem to have an endless bag of tricks to choose from. There are some tricks that they favor more than others, one of which is extortion. According to the FBI’s latest Internet Crime Report, US victims of extortion lost some US$107.5 million to these crimes last year.

One thing to keep in mind is that blackmailers won’t just stick to one trick but will employ multiple flavors of extortion to try to force their victims into doing their bidding – be it paying them a handsome sum or even performing tasks on their behalf.

Ransomware

Ransomware is by far one of the best-known examples of extortion employed by hackers around the globe, with targets ranging from companies, through governments to individuals. The basic premise is that your device will be infested by ransomware using one of the various tactics hackers employ, such as duping you into clicking on a malicious link found in an email or posted on social media or shared with you through a direct instant message.

After the malware makes its way onto your device, it will either encrypt your files so that you can no longer access them, or lock you out of your computer altogether, until you pay the ransom. It is also worth mentioning that some ransomware groups have added a new functionality: a form of doxing wherein they traverse your files looking for sensitive information, which they then threaten to release unless you pay them an additional fee. This could be considered a form of double extortion.

Before wondering whether to pay or not, you should check if a decryption tool has been released for the ransomware strain that has infested your device; also, the answer is: don’t pay. For additional advice on protecting against ransomware attacks, you can check out our excellent, in-depth article Ransomware: Expert advice on how to keep safe and secure.

Hack and extort

The title is pretty much self-explanatory, but to make things abundantly clear, the extortionist will infiltrate your device or online accounts, go through your files looking for any sensitive or valuable data, and steal it. Although it may echo ransomware in some respects, in this case the breaking-and-entering of your device is done manually and the cybercriminal will have to invest time and resources into doing so. Well, unless your password was part of a large-scale data breach, in which case the effort put in significantly drops. The successfully targeted individual then receives an email in which the criminal tries to coerce the intended victim into paying by threatening to expose this data, listing examples for added effect.

To protect yourself, you should consider encrypting your data and adequately securing all your accounts using a strong passphrase, as well as activating two-factor authentication whenever it is available.