
Cyberattack hits Augusta

Cyberattack hits Augusta municipal operations; City Center closed

Officials say a nasty, intentionally deployed virus shut down public safety computers and made the city’s entire network unusable, but the phone system and public safety radio system were not affected.

AUGUSTA — A malicious computer virus that targeted — and squarely hit — the city early Thursday morning forced the closure of Augusta City Center.

The virus froze the city’s computer network and rapidly spread to laptops and other devices.

Augusta City Center, on July 12, 2016. Kennebec Journal photo by Joe Phelan

Officials said Thursday afternoon they had located the virus and were working on a fix, and that no data was taken in the apparent cyberattack. Once they confirm the virus has been removed from the network and all devices associated with it, they plan to restore the city’s servers and get the system up and running again.

Because so many municipal functions there rely on computers — and restoring servers and fixing the damage done is expected to be a cumbersome process — Augusta City Center will remain closed until at least Monday, while the network and servers are restored.

Fred Kahl, director of the information technology department for both the city and schools, said a piece of malicious software somehow got into the city’s computer network, spread rapidly and damaged servers. He said it appears it was a targeted attack. But he also said no data, such as personal information about residents, was taken in the incident.

“Nothing got out, no names or anything like that. It just became inaccessible,” Kahl said late Thursday afternoon about data stored on city servers. “Nothing went anywhere, guaranteed.”

The virus, which officials said was inflicted upon the city’s servers intentionally, also shut down computers used by public safety dispatchers — but not the city’s phone system or the public safety radio system used by dispatchers and police, fire and ambulance staff members in the field to communicate. Dispatchers, who don’t have access to their usual computer-aided dispatching system, tracked calls and the activity and whereabouts of police officers, firefighters and ambulance crews manually.

“It’s not a threat to public safety,” Ralph St. Pierre, finance director and assistant city manager, said Thursday morning from the closed city center. “Dispatch is still answering. The phones are still working.”

What isn’t working is anything that relies on the computer network at Augusta City Center, including municipal financial systems, billing, automobile excise tax records, assessor’s records or general assistance.

All those systems became inaccessible when the city’s network was hit by a virus around 3:20 a.m. Thursday, which froze up the network.

“All our servers are locked up,” St. Pierre said. “This was a particularly bad (virus). This one exploded, it got all the data, all the servers, they froze rock solid, and you can’t pierce it. It’s pretty widespread and impactful.”

He clarified that while the city’s servers and data have been frozen and are inaccessible, it is not believed city data has been breached.

“It was not a breaching of the data. It was a locking down of the data,” St. Pierre said. “This was intentional.”

Professor Henry Felch, program coordinator of the University of Maine at Augusta’s cybersecurity program, which he said is the largest such program in the state, speculated it could have been an inside job, perhaps by a disgruntled current or former employee or someone else with knowledge of and access to the city network.

“If someone did want to do something to bring Augusta to a screeching halt for a couple of days, it could be an act of revenge, or it could be someone is making a statement,” Felch said. “Usually a virus is more widespread than just one locality, if the goal is to infect a lot of computers. This sounds like it was directed toward Augusta. It was a very targeted attack.”

He said the city should involve state police, because what occurred appears to be a crime. He said it appeared the malicious software was intended more to destroy data than to capture data.

St. Pierre said the city’s data is intact, and all its backup systems are fine, meaning the city can start restoring servers. He said restoration work will include contacting software providers so they can reinstall their software. He said it could take until as late as Tuesday to have the network up and running and reopen city center.

Kahl said officials know when the attack was initiated, around 3:20 a.m. Thursday, but he believes the city might never know with 100 percent certainty how the software got into city servers.

He said the city did not pay a ransom, as some Maine municipalities and even the Lincoln County Sheriff’s Office have done previously, to have the software removed.

City Manager William Bridgeo said city information technology staff members all were working on the problem, and an outside software consulting firm from Portland also had specialists working on the problem in Augusta.

St. Pierre said officials stopped the virus before it spread to School Department files or servers, which are connected to the same network, and they have been shut off from the network to protect them. He said the city’s email server is at the school department and is still up and running, so city staff members with smartphones can still respond to email.

To make sure all devices that might have been infected with the virus were cleared of it, about 15 Augusta police workers, most of them officers, underwent about a half-hour of training from Kahl and then set out to check every city facility — or anywhere else an infected laptop or other device might be — to see if they had the virus on them. The 10 or so devices that were infected were taken to Kahl’s office so the virus could be removed.

A sign tells patrons about computer system problems on Thursday at Lithgow Public Library in Augusta. Kennebec Journal photo by Joe Phelan

City Center, where nearly all functions rely to some extent on computer access, is expected to remain closed at least through Friday. Other city facilities never closed and are expected to remain open. St. Pierre said Hatch Hill was open and manually billing customers, the library was open, and the Buker Community Center — including youth programming there — was open and running but couldn’t take new registrations, and public works employees were working.

The Augusta Civic Center also was affected by the virus, since its computers are integrated into the city network, but officials said they were still able to access its ticket-selling firm and could sell tickets to events for cash, but not credit cards, on Thursday.

At Lithgow Public Library, the virus’ effect was — in some ways — to send the library back to its past, one based around books, not computers. Its computers were down and unable to access the internet, but people still could read books there. And, according to Julie Olson, assistant director and adult services librarian, they still could check out books and other materials. The public library’s usual circulation system was down, but they were able to use a backup system.

“For our patrons, the biggest impact was we don’t have internet,” Olson said. “We’ve got no computer access at all, they’re all connected to the city’s server, so we can’t access anything. But you can check out books, return books and renew books. We just can’t do the other parts.”

Bridgeo said the city buys “cyber liability” insurance through Maine Municipal Association, and as part of that, about a month ago it had an assessment done of the security of the city’s network. He said he just read a report on the findings of that assessment about a week ago and found that Augusta “got pretty high grades for how we stand.”

Felch said municipalities could be tempting targets for cyberattacks because of all the data they have, or because some of them have control over water treatment systems and other crucial resources. He said the best thing municipalities can do is emphasize training and awareness among staff on how to avoid allowing cyberattacks to be successful. But he said if the malicious software came from inside, via someone with access to the network, there might be nothing the city could do.

He said the city might want to look at its network defenses to see if such attacks could be detected faster.

Felch said the state needs to provide resources to help municipalities fend off cyberattacks.

“What happened to Augusta could probably happen to other municipalities around here, because it’s easy to do and it’s easy to get something started,” he said. “Maine has a lot of smaller municipalities, which makes it a target for someone who may want to practice, and hone the skills they might need to attack a larger city in the future. I think state government needs to do more to help these small municipalities be able to provide protection.”

Augusta police Chief Jared Mills agreed the cyberattack does not pose a threat to public safety. He said the only real effect was not being able to enter information directly into a computer. He said dispatchers were recording things manually and clerks were working to help dispatchers with that task.

Mills said there is “no threat to public safety. This is exactly how we completed reports when I started 20 years ago. Everything was handwritten and our response time then was the same as it is today.”

Felch, an Augusta resident who was turned away Thursday from City Center when he went there to get a new permit to use the Hatch Hill landfill, though at the time he didn’t know why, said students and faculty of UMA’s cybersecurity program would be willing to help Augusta and other municipalities protect themselves.

Article Provided By: centralmaine

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina


If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consulting or PCI Compliance needs, please do not hesitate to call us at 864-859-9848 or email us at deveren@liquidvideotechnologies.com.


Unsecured Databases Leak 60 Million Records

Unsecured Databases Leak 60 Million Records of Scraped LinkedIn Data

Eight unsecured databases were found leaking approximately 60 million records of LinkedIn user information. While most of the information is publicly available, the databases contain the email addresses of the LinkedIn users.

Approximately two weeks ago, I was contacted by security researcher Sanyam Jain of the GDI foundation about something strange that he was seeing. Jain told BleepingComputer that he kept seeing unsecured databases containing the same LinkedIn data appearing and disappearing from the Internet under different IP addresses.

“According to my analysis the data has been removed every day and loaded on another IP. After some time the database becomes either inaccessible or I can no longer connect to the particular IP, which makes me think it was secured. It is very strange.”

Between all eight databases, there was a combined total of approximately 60 million records that contained what appeared to be scraped public information of LinkedIn users. The total size of all of the 8 DBs is 229 GB, with each database ranging between 25 GB to 32 GB.

Example Database

As a test, Jain pulled my record from one of the databases and sent it to me for review. The data contained in this record included my LinkedIn profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, and the last time the profile was updated.

Included in the profile was also my email address that I used when registering my LinkedIn account. It is not known how they gained access to this information as I have always had the LinkedIn privacy setting configured to not publicly display my email address.

Profile information for my record

After reviewing the data that was sent to me, I found all of the information to be accurate.

In addition to the above public information, each profile also contains what appears to be internal values that describe the type of LinkedIn subscription the user has and whether they utilize a particular email provider. These values are labeled “isProfessional”, “isPersonal”, “isGmail”, “isHotmail”, and “isOutlook”.

Internal Values

While we were not able to determine who the databases belonged to, we were able to contact Amazon, who was hosting the databases, for assistance in getting them secured. As of Monday, the databases were secured and are no longer accessible via the Internet.

LinkedIn states it’s not their database

After seeing that the database contained a user’s email addresses and what appeared to be possible internal values, BleepingComputer contacted LinkedIn to see if the database belonged to them.

After they reviewed my sample record, Paul Rockwell, head of Trust & Safety at LinkedIn, told us that this database does not belong to them, but they are aware of third-party databases containing scraped LinkedIn data.

“We are aware of claims of a scraped LinkedIn database. Our investigation indicates that a third-party company exposed a set of data aggregated from LinkedIn public profiles as well as other, non-LinkedIn sources. We have no indication that LinkedIn has been breached.”

When we followed up with questions as to why the databases would contain my email, we were told that in some cases an email address could be public and were provided a link to a privacy page that allows you to configure who can see a profile’s email address.

LinkedIn Email Privacy Settings

My settings only allow 1st degree connections to see my email address, so unless the scraper is posing as this type of connection, it is still not known how my email address was included in the database.

Article Provided By: BleepingComputer


Drones Stealing Sensitive Data

DHS warns of Chinese-made drones stealing sensitive data

  • Drones contain components that can collect sensitive data and share it on a server accessible beyond the company itself.
  • An industry analysis has revealed that nearly 80% of the drones used in the US and Canada are from DJI, which is headquartered in Shenzhen, China.

The US Department of Homeland Security warns that Chinese-made drones might be sharing sensitive flight data to its manufacturers on a server accessible to the Chinese government.

Contents of the alert

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has warned that drones are a “potential risk to an organization’s information” and that they contain components that can collect sensitive data and share it on a server accessible beyond the company itself.

“Those concerns apply with equal force to certain Chinese-made (unmanned aircraft systems)-connected devices capable of collecting and transferring potentially revealing data about their operations and the individuals and entities operating them, as China imposes unusually stringent obligations on its citizens to support national intelligence activities,” the alert read, CNN reported.

Which drone manufacturers are suspect?

The alert did not specify any manufacturer. However, industry analysis has revealed that nearly 80% of the drones used in the US and Canada are from DJI, which is headquartered in Shenzhen, China.

Key takeaway

Users are warned to be cautious while purchasing drones from China and to take security measures like turning off the device’s internet connection and removing secure digital cards to avoid data theft.


By: Ryan Stewart


Next Generation Endpoint Security

Getting Past the Hype of Next Generation Endpoint Security

We’ve heard the same story for years. Antivirus software is not effective in stopping cyber-attacks, as hackers have adapted their techniques to evade signature-based detections. Even next-generation antivirus, which applies techniques such as machine learning and behavioral analytics, is no more effective at protecting an organization than its older sibling. But why? The simple answer is that nearly all AV and NGAV solutions focus their primary value on the prevention of malicious files – an attack vector that is slowly but surely disappearing in favor of file-less capabilities and the subversion of users and trusted applications.

Worse than their hyper-focus on the irrelevant, they continue to rely on historical attack analysis as a basis for future detections which leaves them unable to make high fidelity preventions and detections in real-time. They lack the visibility and threat intelligence necessary to understand an attacker’s tactics and techniques, which means these so-called NGAV solutions lack the confidence in their ability to identify malicious activity. The evidence of this is when they introduce unnecessary latency with cloud and human analysis, which do not function at the speed required to defend against modern threats.

So where does that leave companies in their search for better protection?

A modern endpoint protection strategy must include prevention, detection, and response capabilities. Effective automation of threat intelligence for prevention, along with robust detection and response means security analysts can spend their time improving defenses instead of repeatedly reacting to incidents caused by the same lack of real-time capabilities and unnecessary latency.

The convergence of Endpoint Detection and Response (EDR) into the Endpoint Protection Platform (EPP) can replace core AV/NGAV capabilities, but can also improve protection against the following:

  • Malware variants, including malware-based ransomware
  • Obfuscated malware, unknown malware, and zero-day attacks
  • Malicious scripts that leverage PowerShell, Visual Basic, Perl, Python, and Java/JAR
  • Memory-resident attacks and other malware-less attacks
  • Malicious use of good software

Of the hundred-plus endpoint security vendors, Endgame’s endpoint protection platform and single autonomous agent simplify antivirus replacement through:

  • Earliest Prevention – Protection against exploits, malware, file-less attacks, and ransomware
  • Fastest Detection and Response – Stops all attacks at the earliest stages of the MITRE ATT&CK™ matrix
  • Automated Threat Hunting – Built in discovery, deployment, and dissolvable agent

Endgame’s Artemis, the first intelligent security assistant, elevates and accelerates operators and analysts by responding to plain English questions and commands. With Artemis, analysts can prioritize, triage, and remediate alerts in minutes across hundreds of thousands of endpoints that would have otherwise taken hours or days with traditional tools.

In an extremely crowded market, endpoint security tools must provide a simple, cost-effective replacement for antivirus while increasing value. With Endgame, your organization can quickly prevent malware and modern attacks across the entire MITRE ATT&CK framework with a single, autonomous agent.


By: Matt Alderman



Cyber-Crime Gang Busted

GozNym cyber-crime gang which stole millions busted


An international crime gang which used malware to steal $100m (£77m) from more than 40,000 victims has been dismantled.

A complex police operation conducted investigations in the US, Bulgaria, Germany, Georgia, Moldova, and Ukraine.

The gang infected computers with GozNym malware, which captured online banking details to access bank accounts.

The gang was put together from criminals who advertised their skills on online forums.

The details of the operation were revealed at the headquarters of the European police agency Europol in The Hague.

It said that the investigation was unprecedented, especially in terms of cross-border co-operation.

Cyber-crime service

Ten members of the network have been charged in Pittsburgh, US, on a range of offenses, including stealing money and laundering those funds using US and foreign bank accounts.

Five Russian nationals remain on the run, including one who developed the GozNym malware and oversaw its development and management, including leasing it to other cyber-criminals.

Various other gang members now face prosecution in other countries, including:

  • The leader of the network, along with his technical assistant, faces charges in Georgia
  • Another member, whose role was to take over different bank accounts, has been extradited to the US from Bulgaria to face trial
  • A gang member who encrypted GozNym malware to make sure it was not detected on networks faces prosecution in Moldova
  • Two more face charges in Germany for money-laundering

Among the victims were small businesses, law firms, international corporations, and non-profit organizations.


Europol said it was a great example of cross-border co-operation | Image copyright Getty Images

One of the things that the operation has highlighted is how common the selling of nefarious cyber-skills has become, says Prof Alan Woodward, a computer scientist from University of Surrey.

“The developers of this malware advertised their ‘product’ so that other criminals could use their service to conduct banking fraud.

“What is known as ‘crime as a service’ has been a growing feature in recent years, allowing organized crime gangs to switch from their traditional haunts of drugs to much more lucrative cyber-crime.”

What is GozNym?

It is a hybrid of two other pieces of malware, Nymaim, and Gozi.

The first of these is what is known as a “dropper”, software that is designed to sneak other malware on to a device and install it. Up until 2015, Nymaim was used primarily to get ransomware on to devices.

Gozi has been around since 2007. Over the years it has resurfaced with new techniques, all aimed at stealing financial information. It was used in concerted attacks on US banks.

Combining the two created what one expert called a “double-headed monster”.


Analysis: Anna Holligan, BBC Hague correspondent


Scott Brady said the case represented a “milestone” in the fight against international cybercrime


Unsuspecting citizens thought they were clicking a simple link – instead, they gave hackers access to their most intimate details.

US Attorney for the Western District of Pennsylvania Scott Brady stood alongside prosecutors and cyber-crime fighters from five other nations inside Europol’s high-security headquarters to announce the takedown of what he described as a “global conspiracy”.

The suspected ringleader used GozNym malware and contracted different cyber-crime services – hard to detect bulletproof hosting platforms, money mules and spammers – to control more than 41,000 computers and enable cyber-thieves to steal and whitewash an estimated $100m from victims’ bank accounts.

Gang members in four countries have been charged – a coup for cyber-crime fighters who say the discovery of this sophisticated scam demonstrates the borderless nature of cyber-crime and need for cross border co-operation to detect and disrupt these networks.


By: Jane Wakefield


Mid-April Security Alerts

Cisco Issues 31 Mid-April Security Alerts

Among them, two are critical and six are of high importance.

A busy month for Cisco router owners got busier yesterday when the networking giant introduced 31 new advisories and alerts. These announcements came on top of 11 high- and medium-impact vulnerabilities announced earlier in the month.

Of the 31 alerts, 23 are of medium impact, six are of high impact, and two are of critical impact to the organization and its security team.

Most of the medium-impact alerts are for cross-site scripting vulnerabilities, denial-of-service vulnerabilities, or vulnerabilities affecting unauthorized users and access. These were found on devices ranging from LAN controllers to wireless network access points to Cisco’s new Umbrella security framework.

The two critical alerts are for two very different vulnerabilities. In one, a vulnerability in Cisco IOS and IOS XE could allow an attacker to reload the system on a device (potentially replacing the legitimate system with one containing malicious code) or to remotely execute code at a privilege level above that of the user being spoofed to gain access.

This vulnerability is found in the Cisco Cluster Management Protocol (CMP) and was discovered when the documents in the infamous Vault 7 disclosure were analyzed. That’s bad news because those documents have been available to hackers around the world for more than two years. And the news gets worse: Researchers at Cisco Talos have published a blog post showing this vulnerability has been exploited in the wild as part of a DNS hijacking campaign dubbed “Sea Turtle.”

Cisco already has released a software patch for this critical vulnerability; there is no operational workaround, so applying the patch is the only remediation.

The second critical vulnerability could allow a remote attacker to gain access to applications running on a sysadmin virtual machine (VM) that is operating on Cisco ASR 9000 series Aggregation Services Routers. This vulnerability, Cisco says, was found during internal testing and has not yet been used in the wild. The source of the vulnerability – insufficient isolation of the management interface from internal applications – has been fixed in a pair of Cisco IOS XR software releases and does not, therefore, warrant a separate update, Cisco says.

Between the medium and critical vulnerabilities are six high-importance vulnerabilities that affect systems including telepresence video servers, wireless LAN controllers (three separate vulnerabilities), Aironet wireless access points, and the SNMP service.


Cisco ranks the severity of vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 3. Vulnerabilities with a CVSS score of 9.0 to 10.0 are critical, those in the range of 7.0 to 8.9 are high, and a score of 4.0 to 6.9 warrants a medium label. Anything ranking below medium is given an informational alert only.



Cyber Security Doesn’t Discriminate

Russian hackers are targeting European embassies, according to new report

Russian hackers recently attacked a number of embassies in Europe by emailing malicious attachments disguised as official State Department documents to officials, according to a new report from Check Point Research.

The hackers targeted European embassies in Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, and Lebanon, among others. They typically emailed the officials Microsoft Excel sheets with malicious macros that appeared to have originated from the United States State Department. Once opened, the hackers were able to gain full control of the infected computer by weaponizing installed software called Team Viewer, a popular remote access service.

“It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting,” the press release says, “since it was not after a specific region and the victims came from different places in the world.”

Government finance officials were also subject to these attacks, and Check Point notes that these victims were of particular interest to the hackers. “They all appear to be handpicked government officials from several revenue authorities,” the press release says.

The hackers appeared to be highly sophisticated, carefully planning out the attacks, using decoy documents tailored to their victim’s interests, and targeting specific government officials. At the same time, other stages of the attack were carried out with less caution leaving personal information and browsing history belonging to the perpetrator exposed.

Check Point identified several other similar attack campaigns, including some targeting Russian-speaking victims as well.

While Russian in origin, it’s unlikely that these attacks were state-sponsored. One perpetrator was traced back to a hacking forum and a carding forum, registered under the same username, “EvaPiks,” on both. EvaPiks posted instructions for how to carry out this kind of cyber attack on forums and advised other users as well.

Due to the attackers’ background in the illegal carding community, Check Point suggested that they could have been “financially motivated.”

Updated 4/22/19 at 12:20 p.m. EST: The previous headline suggested that the Russian hackers attacked U.S. embassies, when the attackers targeted European embassies. The article has been updated to clarify this.


By: Makena Kelly




As Threats Evolve So Should You

Microsoft Office now the most targeted platform, as browser security improves

Microsoft Office has become cybercriminals’ preferred platform when carrying out attacks, and the number of incidents keeps increasing, Kaspersky Lab researchers said during the company’s annual conference, Security Analyst Summit, in Singapore. Boris Larin, Vlad Stolyarov and Alexander Liskin showed that the threat landscape has changed in the past two years and urged users to keep their software up-to-date and to avoid opening files that come from untrusted sources to reduce the risk of infection.

Today, more than 70% of all the attacks Kaspersky Lab catches are targeting Microsoft Office, and only 14% take advantage of browser vulnerabilities. Two years ago, it was the opposite: Web-based vulnerabilities accounted for 45% of the attacks, while Microsoft Office had a 16% share.

Figure: Kaspersky researchers presented data showing the increase in Microsoft Office exploits since 2016.

Researchers said that this is because hacking browsers has become more expensive, as browser security has improved. “Browser developers put much effort into different kinds of security protections and mitigations,” Liskin said. “Attackers were looking for a new target, and MS Office has become a star.”

Liskin added that there are plenty of reasons why cybercriminals choose to attack the popular suite. “Microsoft Office has a huge number of different file formats,” he said. “It is deeply integrated into the Windows operating system.”

He also argued that when Microsoft created Office, it made several decisions that, in hindsight, aren’t optimal security-wise and are currently difficult to change. Making such alterations would have a significant impact on all the versions of the products, Liskin said.

The researchers pointed out that the most exploited vulnerabilities from the past two years are not in MS Office itself, but rather in related components. Two of those vulnerabilities, CVE-2017-11882 and CVE-2018-0802, exploit bugs found in Equation Editor. Cybercriminals prefer to use them because they can be found in every version of Microsoft Word released in the past 17 years. Moreover, building exploits for them does not require advanced skills, because the Equation Editor binary lacks modern protections and mitigations. These are simple, logical vulnerabilities, the researchers said.

Exploit uses Internet Explorer to hack Office

Another interesting vulnerability is CVE-2018-8174. In this unusual case, the vulnerability was actually in Internet Explorer, but the exploit was found in an Office file. “The exploit was delivered as an obfuscated RTF document,” researcher Larin said. “This is the first exploit to use a vulnerability in Internet Explorer to hack Microsoft Office.”

The infection chain has three steps. First, the victim opens the malicious document. As they do this, a second stage of the exploit is downloaded: an HTML page that contains VBScript code. This then triggers the third step, a use-after-free (UAF) vulnerability, and executes shellcode. UAF bugs are a type of memory corruption vulnerability that have been very successful in the past for browser exploitation. The technique works by referencing memory after it has been freed, causing the software to crash or allowing an attacker to execute code.
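As an added, defender-side illustration of the delivery patterns described above (this is not code from the article or from Kaspersky), the triage scanner below flags RTF documents that embed an Equation Editor OLE object or an OLE object that loads linked or remote content. The Equation Editor CLSID is a known constant not mentioned in the article, and the sample documents are constructed for the example.

```python
# Added example, not code from the article or Kaspersky: a triage scanner for RTF
# files flagging embedded Equation Editor objects and objects that load remote content.
import re
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as stored
# (little-endian) in OLE streams; unknown RTF control words are stripped as junk.
EQUATION_EDITOR_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
_CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\[^a-zA-Z]")
_OBJCLASS = re.compile(rb"\\objclass\s+([^\\{}\s]+)")
_URL = re.compile(rb"https?://[\x21-\x7e]{4,}")

def group_at(data: bytes, start: int) -> bytes:
    """Balanced {...} group opening at `start`; a backslash escapes the next byte."""
    depth, i = 0, start
    while i < len(data):
        if data[i] == 0x5C:                     # '\' : skip the escaped byte
            i += 2
            continue
        depth += (data[i] == 0x7B) - (data[i] == 0x7D)   # '{' opens, '}' closes
        if depth == 0:
            return data[start:i + 1]
        i += 1
    return data[start:]                         # truncated file: best effort

def decode_objdata(group: bytes) -> bytes:
    """Hex stream of a {\\objdata ...} group with junk control words removed."""
    hexchars = re.sub(rb"[^0-9a-fA-F]", b"", _CONTROL_WORD.sub(b"", group[1:-1]))
    return bytes.fromhex(hexchars[: len(hexchars) & ~1].decode("ascii"))

def scan_rtf(data: bytes) -> list[str]:
    """One finding per suspicious OLE object; an empty list means nothing flagged."""
    findings = []
    for m in re.finditer(rb"\\object\b", data):
        group = group_at(data, data.rfind(b"{", 0, m.start()))
        cls = _OBJCLASS.search(group)
        name = cls.group(1).decode("latin-1") if cls else "<none>"
        od = re.search(rb"\{(\\\*)?\\objdata", group)
        payload = decode_objdata(group_at(group, od.start())) if od else b""
        if name.lower().startswith("equation") or EQUATION_EDITOR_CLSID in payload:
            findings.append(f"Equation Editor OLE object (objclass={name})")
        if rb"\objautlink" in group or _URL.search(payload.replace(b"\x00", b"")):
            findings.append(f"OLE object loads linked/remote content (objclass={name})")
    return findings

# Constructed samples (not real malware): padded Equation Editor object; linked object with URL.
EQUATION_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objw380{\\*\\objclass Equation.3}"
                b"{\\*\\objdata 0105000002000000\\par 0b0000004571756174696f6e2e33\n"
                b"00000000000000000000" + EQUATION_EDITOR_CLSID.hex().encode() + b"}}}")
LINKED_RTF = (b"{\\rtf1{\\object\\objautlink{\\*\\objclass Word.Document.8}{\\*\\objdata "
              b"0105000002000000" + b"http://example.invalid/stage2.html".hex().encode() + b"}}}")
```

Run `scan_rtf()` over the two samples to see one finding each; a benign document with no `\object` group returns an empty list.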

Cybercriminals act fast on Microsoft exploits

What intrigues Larin, Stolyarov and Liskin the most about the cases they’ve studied is how fast cybercriminals operate. Most incidents start with a Microsoft Office zero-day that’s used in a targeted campaign. Once it becomes public, it’s only a matter of days until exploits appear on the dark web. Sometimes, it can even be faster, as has happened with CVE-2017-11882, the first Office Equation Editor vulnerability Kaspersky Lab researchers uncovered. The publication of the proof of concept was followed by a massive spam campaign that began on the very same day.

Microsoft Office vulnerabilities might become even more common in the near future, as attackers continue to target the suite. Larin advised users to keep their software updated, and to pay attention to the files they receive from dubious email addresses. “Our best recommendation is not to open links and files received from untrusted sources, and have installed security solutions with advanced detection of exploits,” Larin added.


By: Andrada Fiscutean





U.S. Patent Granted for Blockchain

Blockchain Patent Granted to Cybersecurity Company Owned by U.S. Defense Contractor


Documents published by the United States Patent and Trademark Office (USPTO) on April 16 reveal that Texas-based cybersecurity company Forcepoint has been awarded a blockchain-related patent.

Forcepoint is owned by U.S. defense contractor Raytheon and private equity firm Vista Equity Partners, and Crunchbase estimates its yearly revenue to be $600 million.

The system described in the patent appears to be a complex user behavior monitoring and management system. The system would aim to store data about electronically-observable user interactions and then use this data to identify known good, anomalous and malevolent user actions to enhance the system’s cybersecurity.

Some versions of the system employ blockchain technology, according to the patent:

“In certain embodiments, the association of the additional context may be accomplished via a blockchain block within a user behavior profile blockchain […] implemented with appropriate time stamping to allow for versioning over time.”

Furthermore, the patent also provides for storing user behavior data on the blockchain directly, noting that the advantages of this approach are immutability and tamper evidence.

As Cointelegraph recently reported, digital payments giant PayPal has won a cybersecurity patent to protect users from crypto ransomware.

Also, at the beginning of the current month, global consulting company Accenture patented two solutions focused on blockchain interoperability.




Things Aren't As They Seem

Mueller report details how Russians reached millions of US Facebook and Twitter users and brought them out to real-life rallies

Special counsel Robert Mueller’s report released Thursday says Russia’s Internet Research Agency, or IRA, reached millions of U.S. users on Twitter, Facebook and Instagram leading up to the 2016 presidential election. Russian operatives also communicated with the Trump campaign under false identities “without revealing their Russian association” and interacted with prominent pro-Trump activists to arrange political rallies, “confederate” events and even a #KidsforTrump organization, the report says.

“IRA-controlled Twitter accounts separately had tens of thousands of followers, including multiple U.S. political figures, who retweeted IRA-created content,” the report says. Facebook has estimated that IRA-controlled accounts reached up to 126 million people, with Twitter notifying 1.4 million people they may have been in contact with a Russia-controlled account.

The Mueller document gives a fuller picture of how both technical and in-person intelligence operatives worked together to influence sentiment leading up to the 2016 election.

An odyssey that ramped up in 2014

Russian operatives had been dabbling in social media until around 2014, when they consolidated their efforts under a single program known internally as the “translator department,” according to the report. They later began sending operatives to the U.S. to further the election goals of the program.

In June 2014, four members of the department lied to the U.S. State Department, claiming to be “friends who met at a party.” Two of them, Anna Bogacheva and Aleksandra Krylova, received visas to enter the U.S. In 2016, other operatives were seen holding up signs at an event near the White House purportedly celebrating the birthday of Yevgeniy Prigozhin, a Russian tycoon alleged to have funded some of the interference campaigns and their associated social media ad buys.

On Twitter, the IRA program broke its operation into two strategies: creating real Twitter accounts meant to represent “individual U.S. personas,” and a separate, IRA-controlled network of automated Twitter bots “that enabled the IRA to amplify existing content on Twitter.”

One of the IRA accounts, which claimed to be that of a Trump supporter from Texas, had 70,000 followers. Another anti-immigration persona had 24,000 followers. A third, called @march_for_trump, organized a series of rallies in support of Trump across the U.S. The accounts posted 175,993 tweets, though the report says only 8.4% of those were election-related.

“U.S. media outlets also quoted tweets from IRA-controlled accounts and attributed them to the reactions of real U.S. persons,” the report says.

Influential conservatives also interacted with the accounts, including TV commentator Sean Hannity, Roger Stone, former U.S. Ambassador to Russia Michael McFaul and Michael Flynn Jr.

From Twitter to real life

“The Office identified dozens of U.S. rallies organized by the IRA,” the report says. “The earliest evidence … was a ‘confederate rally’ in November 2015. The IRA continued to organize rallies even after the 2016 U.S. presidential election.”

Many of the rallies drew few participants, while others drew hundreds. “The reach and success of these rallies was closely monitored” by the Russian team, the report says.

The report clarifies that in the cases in which a pro-Trump, IRA-organized rally also coordinated with Trump’s campaign, the campaign was not aware of the origins of the organizers. “The IRA’s contacts included requests for signs and other materials to use at rallies, as well as requests to promote the rallies and help coordinate logistics.”

“The investigation has not identified evidence that any Trump campaign official understood the requests were coming from foreign nationals,” the report says.

Another two-part campaign, against Hillary Clinton

As with the IRA’s Twitter strategy, Russia’s GRU intelligence agency broke its campaign of interference against Hillary Clinton’s presidential campaign into two parts. One group developed specialized malware — malicious software used, in this case, to monitor communications. A second group was charged with honing and launching mass spearphishing operations, meant to identify key targets within Clinton’s campaign and craft believable emails persuading them to click and, therefore, install the custom malware.

The GRU officers sent hundreds of these emails to Clinton staffers, including official campaign accounts and Google accounts used by staffers.


By: Kate Fazzini



