How a SIM swap scam works:

The scammer may call your cell phone service provider and say your phone was lost or damaged. Then they ask the provider to activate a new SIM card connected to your phone number on a new phone they own.

If your mobile service provider believes the story and activates the new SIM card, the scammer gets a SIM with your number on it and receives all your text messages, calls, and data on the new phone.

The scammer could open new cellular accounts in your name or buy new phones using your information.

They could also log in to your accounts that use text messages as a form of multi-factor authentication. How? Because they’ll get a text message with the verification code they need to log in.

Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts. And they could change the passwords and lock you out of your accounts.

How can you protect yourself from a SIM swap scam

  • Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
  • Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
  • Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
  • Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use Multi-Factor Authentication, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.
  • Consider using Google Authenticator or a similar time-based OTP (TOTP) app as your multi-factor authentication method instead of SMS wherever possible.

What to do if you are a target of a SIM swap scam

  • Contact your cellular service provider immediately to take back control of your phone number. After you regain access to your phone number, change your account passwords.
  • Check your credit card, bank, and other financial accounts for unauthorized charges or changes. If you see any, report them to the company or institution.

This post shows how to disable TCP Selective Acknowledgment (SACK) in the Linux kernel. TCP SACK is used to improve the performance of data transfer in the TCP stack.

When TCP SACK is enabled, a TCP packet capture shows TCP options similar to the screenshot below.

[Screenshot: TCP packet capture sample when TCP SACK is enabled]

Disable TCP SACK

To disable SACK, run the commands below on the Linux CLI as a user with root privileges. The setting is appended through tee rather than a shell redirect, because a redirect runs with the privileges of the calling shell, not of sudo.

echo 'net.ipv4.tcp_sack = 0' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

After running the commands above, reboot the Linux server to apply the new configuration.

Once the server is rebooted it will no longer use TCP SACK.

Disabling TCP SACK will negatively affect data transfer performance. The size of the performance hit depends on the type of data transfer.
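An added example (not from the original post) that makes the change above less error-prone: it writes the key into a sysctl.conf-style file idempotently, replacing any existing net.ipv4.tcp_sack line instead of appending a duplicate, reads back the effective value (sysctl honours the last assignment), and reports what the running kernel currently uses from /proc/sys/net/ipv4/tcp_sack. The demo file is a constructed sample created with mktemp; on a real host you would pass /etc/sysctl.conf and run the script as root.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes a sysctl.conf-style
# file ("key = value" lines, '#' comments) and a POSIX shell with grep/sed.

# set_sysctl_key FILE KEY VALUE
# Remove every existing assignment of KEY (commented out or not), then append
# exactly one "KEY = VALUE" line, so the file never carries two conflicting lines.
set_sysctl_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    # Escape the dots in the key so they match literally in the regex.
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    if [ -f "$file" ]; then
        # grep -v exits 1 when nothing is left to print; that is not an error here.
        grep -v "^[[:space:]]*#*[[:space:]]*${esc}[[:space:]]*=" "$file" > "$tmp" || true
    fi
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    # Write through cat so the target file keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# effective_sysctl_value FILE KEY
# Prints the value of the last uncommented assignment of KEY, or "unset".
effective_sysctl_value() {
    file=$1; key=$2
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    v=$(grep "^[[:space:]]*${esc}[[:space:]]*=" "$file" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# running_sack_state
# Prints the live kernel value (1 = SACK on, 0 = off) when /proc is readable.
running_sack_state() {
    if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
        cat /proc/sys/net/ipv4/tcp_sack
    else
        echo unavailable
    fi
}

# Demo on a constructed sample file (real use: set_sysctl_key /etc/sysctl.conf ... as root).
demo_file=$(mktemp)
printf '# constructed sample sysctl.conf\nnet.ipv4.ip_forward = 0\nnet.ipv4.tcp_sack = 1\n' > "$demo_file"
set_sysctl_key "$demo_file" net.ipv4.tcp_sack 0
echo "tcp_sack configured in $demo_file: $(effective_sysctl_value "$demo_file" net.ipv4.tcp_sack)"
echo "tcp_sack in the running kernel: $(running_sack_state)"
rm -f "$demo_file"
```

The configured value and the running value are reported separately on purpose: a file that says 0 while /proc still says 1 tells you the new setting has not been applied yet.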

Microsoft released an out-of-band patch for the “Meltdown” vulnerability on 3 January 2018. More details of the patch can be found on the official KB4056892 page.

This patch is available only for Windows 10. It will install automatically once the PC connects to the internet.

There have been multiple reports of some applications not being compatible with this latest patch. Certain antivirus products cause a blue screen after the Meltdown patch is installed.

There have also been reports of some SSL VPN applications failing to connect to their server after the patch is applied.

Antivirus vendors are releasing patches to fix the compatibility issues, but it may take a few days for all of them to become available.

I would recommend updating all the important applications installed on the PC before applying this patch, to prevent incompatibility issues.

If the patch is already installed and a critical application is causing issues, you can try uninstalling the patch and check whether the application works without it.

Spectre

Spectre is the latest vulnerability discovered in processors. It allows a malicious application to trick another application into exposing its memory, which the malicious application can then read.

This vulnerability affects almost all processor variants from Intel, AMD and ARM, which means that all computers (desktops, laptops and single-board computers) and all smartphones are affected by it.

More information about this vulnerability can be found at https://spectreattack.com/

CVE-2017-5753 and CVE-2017-5715 are the official references for Spectre. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names, maintained by MITRE.

All OS vendors are releasing patches to fix these vulnerabilities. You can follow the steps below to update the OS and patch the vulnerability.

Fix Spectre on CentOS/RHEL/Fedora/Oracle/Scientific Linux

Type the following yum command:

sudo yum update

You must then reboot your Linux server using the shutdown or reboot command:

sudo reboot

If you are using Fedora Linux, run the following dnf command instead:

sudo dnf --refresh update kernel

OR

sudo dnf update

Reboot the Linux box:

sudo reboot

Fix Spectre on Debian/Ubuntu Linux

Use the following apt-get (or apt) commands:

sudo apt-get update
sudo apt-get upgrade
sudo shutdown -r 0

Fix Spectre on Amazon Linux running on AWS

Just run the yum command:

yum update kernel
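After the update and reboot, a practitioner wants to confirm that the running kernel actually has a Spectre mitigation active, not just that a package was installed. This added example (not from the original post) reads the per-issue status files that kernels carrying the Spectre patches (4.15 and later, plus distribution backports) export under /sys/devices/system/cpu/vulnerabilities/, namely spectre_v1 and spectre_v2, and classifies each one. The function accepts an alternative directory so it can be exercised on a copy; the status strings used in the test are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the sysfs directory
# /sys/devices/system/cpu/vulnerabilities/ exported by patched kernels, where
# each file holds one line: "Not affected", "Mitigation: <name>" or
# "Vulnerable[: detail]".

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT
# Prints one of: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_spectre [DIR]
# Prints "<file> <class>: <raw text>" for spectre_v1 and spectre_v2.
# Exit status: 0 if neither is vulnerable, 1 if either is, 2 if DIR is missing.
report_spectre() {
    dir=${1:-$VULN_DIR}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the status interface or sysfs is not mounted"
        return 2
    fi
    for f in "$dir"/spectre_v1 "$dir"/spectre_v2; do
        [ -r "$f" ] || continue
        text=$(cat "$f")
        class=$(classify_status "$text")
        echo "$(basename "$f") $class: $text"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# Stand-alone run against the live kernel; a non-zero status is reported, not fatal.
report_spectre || echo "result: Spectre not fully mitigated, or no status files (rc=$?)"
```

A "no status files" result after a reboot means the installed kernel is older than expected, which is worth checking with uname -r against the package you just updated.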

 

Mathy Vanhoef of imec-DistriNet recently discovered a vulnerability in the WPA2 standard which enables a man-in-the-middle attacker to sniff and decrypt packets on a wireless network. The details of this vulnerability are provided at https://www.krackattacks.com/

WPA2 is used to secure the wireless communication between clients and the access point. It was considered unbreakable until this vulnerability was discovered. Here are the key things you should know about it.

The Positive

  • This vulnerability cannot be exploited remotely. The attacker, or the attacker's device, must be close enough to connect to the targeted wireless network to run the attack, which limits the impact of this vulnerability significantly.
  • There have been no reports of this vulnerability being exploited in the wild, yet.
  • This only enables the attacker to decrypt the wireless frames and expose the payload. If the communication is over HTTPS/TLS, the attacker still cannot decrypt the payload, and your communication data remains safe.
  • The vulnerability was discovered many months ago and was communicated to the many vendors whose products are vulnerable, so patches should be available soon.

The Negative

  • This vulnerability affects every client device that uses wireless, because the vulnerability is in the WPA2 standard itself.
  • There are no patches available to fix it at this moment, so until the device vendor releases a patch, wireless communication is prone to this attack.
  • It enables the attacker to obtain private information sent over the wireless link if the payload is sent in plain text (plain HTTP).
  • Though HTTPS communication is safe from this attack, your DNS traffic, which is in clear text, is still exposed.
  • The attacker can modify the DNS traffic and redirect you to a malicious website.

Things you should do to keep yourself safe from this attack

  • Keep an eye out for any update released by your device vendor, and patch the device as soon as an update is available.
  • Do not send any private information such as usernames/passwords, account logins, payment information or personal details over an unencrypted connection. Always check that the website you are submitting the details to is using HTTPS to encrypt all communication involving private information.
  • Checking for the green lock icon in the browser is even more important now, because the attacker can modify DNS traffic and redirect you to a malicious website. If that happens you will get a certificate error in the browser. Do not proceed if your web browser warns you about any problem with the website's certificate.
  • If possible, always use a VPN when connected over wireless, so that all communication over the wireless link is protected by an extra layer of VPN encryption.
  • For the paranoid, avoid using wireless at all until this vulnerability is patched.

A new Android malware has been found by Trend Micro, which claims it is a successor to the DressCode malware found earlier.

This malware uses port 22 to establish an SSH session with its command-and-control (CnC) server, owned by the attacker.

As it uses SSH, all data between the Android phone and its CnC server is encrypted, which makes it difficult for enterprise security infrastructure to detect. Security solutions cannot see the data inside the encrypted connection unless they perform deep packet inspection of SSH traffic.

MilkyDoor Vulnerability

[Figure: How MilkyDoor Malware Works]

Using this SSH session, the attacker can run a vulnerability scan on the internal network. This matters because many enterprises allow employees to use their own phones on the same network as the internal infrastructure.

MilkyDoor was recently found in over 200 Android applications available through the Play Store.

It is important for enterprise security gateway solutions to block all ports for the BYOD network except those that are necessary.
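The last point is about egress policy for the BYOD segment. This added example (not part of Trend Micro's report or the original post) shows the matching detection side: it runs over a few constructed firewall log lines and flags every BYOD host that reached, or tried to reach, a destination port outside the allowed list, which is where an outbound SSH session on port 22 to an external address would show up. The log format ("timestamp src dst dport proto action"), the BYOD range 10.50.0.0/16 and the allowed-port list are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a simple space-separated
# firewall/flow log with the columns: timestamp src dst dport proto action.
# Only awk, sort, wc and tr are used, so it runs on any POSIX system.

BYOD_PREFIX="10.50."          # assumed BYOD network: 10.50.0.0/16
ALLOWED_PORTS="53 80 443"     # assumed ports the BYOD segment may reach

# Constructed sample log. The 10.50.x.x hosts are BYOD phones; 10.10.1.5 is a
# managed server and is outside the scope of the BYOD policy.
SAMPLE_LOG='2024-01-01T09:00:01 10.50.3.21 203.0.113.10 443 tcp allow
2024-01-01T09:00:02 10.50.3.21 198.51.100.7 22 tcp allow
2024-01-01T09:00:03 10.50.7.8 203.0.113.10 80 tcp allow
2024-01-01T09:00:04 10.10.1.5 198.51.100.7 22 tcp allow
2024-01-01T09:00:05 10.50.7.8 192.0.2.44 22 tcp allow
2024-01-01T09:00:06 10.50.3.21 192.0.2.44 8443 tcp deny'

# flag_byod_egress
# Reads log lines on stdin and prints "src dst dport action" for every flow
# from a BYOD address whose destination port is not in ALLOWED_PORTS. Denied
# flows are reported too: a blocked attempt is still a policy violation worth
# a look.
flag_byod_egress() {
    awk -v prefix="$BYOD_PREFIX" -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    index($2, prefix) == 1 && !($4 in ok) { print $2, $3, $4, $6 }'
}

# count_flags
# Prints the number of flagged flows in the sample log.
count_flags() {
    printf '%s\n' "$SAMPLE_LOG" | flag_byod_egress | wc -l | tr -d ' '
}

# list_flagged_hosts
# Prints the distinct BYOD hosts with unexpected egress, sorted, on one line.
list_flagged_hosts() {
    printf '%s\n' "$SAMPLE_LOG" | flag_byod_egress | awk '{ print $1 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_byod_egress
echo "flagged flows: $(count_flags); hosts: $(list_flagged_hosts)"
```

On the sample, the two phones that opened port 22 to external addresses are reported while the managed server's SSH session is not, because the rule is scoped to the BYOD range; the "deny" line shows that already-blocked attempts surface as well.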