Be aware of fraudsters taking advantage of the devastating incident in Beirut

As we have seen in the past, any major breaking news and large events draw the attention of cyber criminals, as they try to take advantage of such situations. It is devastating what happened in Beirut, and many countries have already sent help. 

As a cyber security professional, I would like to seize the opportunity and bring into people’s attention that malicious groups and fraudsters most probably will try to take advantage of the situation in order to profit from it. During such times there is a rise in different types of malicious communications such as, emails pretending to be from legitimate charities, spear phishing messages through all types of social media, even actual phone calls. 

This is a call to everyone to be vigilant, and especially to the security community to come together with a common message, to raise awareness. 

Please do your diligence if you want to help. Do not send money to charities that “pop-up” the last minute without any tangible evidence that these are legitimate. Do not trust links posted on social media about online donations. If you want to send financial aid, do that only through official channels (such as, official government sites). 

Whatever the reason in such difficult times, be always aware that there are malicious groups out there that they only care about taking advantage of such situations. Please keep in mind that every dollar given unintentionally to fraudsters, is a dollar that will be missed by the people who are affected from this unprecedented incident. 

New iOS text bug (aka text bomb) can crash your iPhone

A newly discovered bug is capable of crashing your Apple iPhone or iPad by simply receiving a text notification. The bug occurs when an iOS device user receives a text message or tries to read a tweet which is written using some Sindhi characters. 

This type of bug is known as a "text bomb", because a malicious individual can use it to prank, bully, cause Denial of Service (DoS), or even "troll" their targets by constantly forcing the receiver's app to crash. The original message sent had the Italian flag in it and it was using the hashtag: #CaptureTheFlag. 

It is being reported from different sources on social media that the text message other that your iPhone it also may crash your iPad, Apple Watch, and other Apple Gadgets.

The text bomb looks like any of the following group of Sindhi characters with any emoji in between: 

For obvious reasons I had to take a screenshot so not to be held responsible for propagating this. It was tested and it works. 

Text bombs aren’t something new. There have been numerous cases in the past few years where  random strings of text have caused mobile devices to behave in an unexpected way. However, this one is slightly different as it will crash the iPhone to crash if the phone received a message or notification in any social media chat applications. Unfortunately there is nothing much a user can do to avoid this other that wait to install the new update from Apple. The issue seems to be affecting  all Apple's mobile OS version from 13.3 onwards. 

Note: If you receive this type of message use alternative means, e.g. through your Mac laptop or Twitter app under Windows, to delete the received/posted message. This will allow your phone to be able to have access to the affected app without being forced to crash. If you phone hangs completely, you will need to keep pressing the power and volume up keys, until it reboots.

Awareness around COVID-19 SMS Phishing (Smishing)

This blog-post discusses an issue known for almost 20years, which is related to the online SMS platforms. Given the recent pandemic and the use of the GSM network for sending SMS notifications to the public, it in an opportunity to raise awareness regarding Smishing (SMS Phishing) attempts, targeting the public which is affected by COVID-19.

In Greece, the number 13033 is being used to send SMS confirmations to people who use this particular service, which is used for registering in advance their daily movements when it comes to get essential goods (such as, going to the supermarket, the pharmacy, etc.) before they exit their homes. Due to the COVID-19 pandemic, this process attempts to limit people’s unnecessary movement(s), in an attempt to minimise the risk of getting affected, or contaminating others in case the person is a carrier of the virus.

Given the importance of the pandemic and the necessity of this service, it is mandatory to mention that it is possible to spoof the SEND ID in order to send SMS updates to recipients pretending to be from the original 13033 service number. This action, have the potential to trick the recipients (general public) in clicking on malicious links, or by using Social Engineering (and potentially scare tactics) to ask recipients to pay a fine that has been imposed. 

"Given the current situation, it would be beneficial to everyone if the Ministry in Greece responsible for operating the 13033 service (and other Ministries around the globe that use similar services), could promote a campaign educating all recipients regarding the potential threat of Smishing"

More specifically, the public should be informed that they should under no circumstances visits any URLs received by the 13033 service and that the 13033 service will not send any messages requesting to pay any fines. The public need to be aware that in case they receive such messages, these should be ignored and deleted.  

The proof of concept for the alluded was tested and proven by @DimisMeu and we decided to publish this blog post in order to be able to raise the necessary awareness. 

Gulf Information Security Expo & Conference (GISEC 2019)

The Gulf Information Security Expo & Conference (GISEC) brings together over 6,000 top security professionals to discover cutting-edge solutions, share insights with industry experts and equip themselves with the right tools to protect their businesses from rapidly-evolving cyber attackers.

Supported by Smart Dubai, Dubai Police and the National Cyber Security Center KSA, GISEC is your opportunity to do business and share ideas with the world’s most important tech companies, government officials and private industries.

I was invited to go on stage and present at @GISECDUBAI at the #DarkStage, presenting on “CyberSecurity in Evolutionary Terms”.

#CyberDubai #GISEC #GISEC2019 #SmartDubai #SecurityMindset #ThoughtLeadership


See the GISEC 2019 - Post-show report can be found here

GISEC 2019 Speaker Profile: https://www.gisec.ae/conference-speakers/grigorios-fragkos

Security BSides Athens 2016

It has been a while since my last blog-post and the main reason for that, was the numerous things I had to keep track for organising:

Security BSides Athens 2016 (www.bsidesath.gr) 

It has been a very busy year trying to organise this Security BSides event for the first time in Athens, Greece, with plenty of “hiccups” to overcome in the meantime. 

Once we had a team of people who were equally excited and passionate about this, we started working towards the event details.  

---

Given the opportunity, I would like to personally thank the team once again, all the volunteers who helped out on the day, the review committee who provided constructive feedback to all submissions, the speakers who travelled from all over the world to be there and present, and last but not least, all of YOU who attended the event. 

Special thanks goes to our sponsors, who trusted us on our promise to deliver this information security community based conference. We couldn't be able to bring this event to Athens, especially for the first time if it wasn’t for them, and for that we really appreciate their contribution and support.

Of course, such an event would not be able to exist without the community support we had from fellow conferences all over Europe, the Universities that promoted the conference, the Hellenic Army General Staff, and all the people how were involved and made this event a success story. 

We had some great feedback already and we are committed to tweak things according to the recommendations and suggestions we received in order to make the event next year even better. There is always room for improvement and for more people to get involved. 

Ransomware - Did you update your incident response plan?

At the beginning of 2016 an article was published about the increasing threat of ransomware and provided advice on having an incident response plan that is ready to face this emerging threat. Our article focused on tips related to prevention, response and evading extortion. If you did not have a chance to read our article from January, we recommend that you read it as soon as possible.

Now, at the end of the first quarter of 2016, it is evident that ransomware has become a headache for those who did not take all the necessary precautions to avoid being the next target. Recently, the FBI released a statement to The Wall Street Journal that ransomware is a prevalent and increasing threat. As this recent article describes, attackers are trying new approaches to infection, such as ransomware ‘malvertising’, and have succeeded in creating the first Mac OS X ransomware.

Have a plan, Be Prepared
Due to the fact that it is not easy to deal with the situation after an organisation is hit by ransomware, the best course of action is to ensure there is a backup plan in place. It might come as a surprise but in order to understand the seriousness of the situation, consider that an official in the FBI’s Boston field office went against normal FBI policy and suggested to a conference audience that often the only solution is to pay the ransom. Sysnet wants to make sure you do not have to face that moral dilemma and for that reason we are trying to inform you about the increasing threat and ensure you have taken all the necessary steps towards prevention.

Teach your brain to regenerate passwords instead of remembering them

@TripwireInc posted a brief article about my talk for @AbertayHackers and #SecuriTayV happening this Friday 26/Feb. For those attending, you will learn how to teach your brain to regenerate passwords instead of remembering them! 

Let's cut to the chase. Despite the existence of a number of advanced authentication mechanisms, such as Single Sign-On (SSO), different types of Biometrics, multi-factor authentication, etc., the use of passwords is still the most popular means of authenticating users.

The need to generate, and hopefully to remember these passwords, has become even more demanding due to the rapid increase in the number of systems and online accounts being used. 

Best practice is that these passwords need to be as strong as the assets they protect, and password management applications are supposed to be the most straightforward solution for storing them safely.

If you think about it for a moment, no one has ever actually taught you how to think when choosing a password. Due to the fact, it is generally considered a straightforward task, it is assumed that you actually know how to choose the appropriate password for protecting a particular asset (email, social media account, OS login, etc.).

Temporary and Disposable Email: Anonymity, Privacy or Security?

There are several websites available that offer temporary and disposable email addresses, which have become quite popular among Internet users today, as they provide a quick alternative to anyone who wishes for their email address to remain private when sending and receiving emails. 

Some of these temporary and disposable email addresses are available only for a few minutes, while others remain publicly available for anyone to access once they have been created. The same goes for websites that offer access to publicly available mobile numbers for receiving text messages (SMS). There is a wide range of numbers available, from different countries.

Effectively, a user can register to an online service by using a publicly available mobile number and receive any verification texts online.

Some may argue that these temporary and disposable email addresses and SMS services provide some sort of privacy. That might be true, especially under specific circumstances, but do not confuse anonymity with privacy, and security.

Entering fake details while using a disposable email allows users to subscribe avoiding any future incoming communications from that particular website to their email or phone, but at what cost?