Thursday, January 2, 2020

Cyber Attack on Travelex Currency Exchange Service

The New Year's Eve 2020 malware attack forced Travelex employees to resort to manual operations.

Foreign exchange network Travelex has shut down its mobile app and online services after a malware attack discovered on New Year's Eve.

The London-based organization is a subsidiary of Finablr, a global network for payments and foreign exchange solutions. Travelex has a presence in 27 countries and more than 1,200 retail stores at on-airport and off-airport locations. Its branches are still operating, the Wall Street Journal reports, but workers had to rely on manual transactions on January 2. Travelex's internal email system is also down, the report says.

In a tweet, Travelex said: "we're currently having IT issues and are extremely sorry for any inconvenience. At this stage, we're unable to perform transactions on the website or through the app. Sorry again for any inconvenience and we're working around the clock to fix the issues."

On Thursday evening, Travelex said it had taken down its site to contain "the virus and protect data".
That has affected Sainsbury's Bank, Barclays and HSBC, among others, which all use the Travelex platform.

There is no indication when the Travelex website will be restored.

The company said it has been working on the issue since the software virus attack on New Year's Eve.

A number of banks depend on the Travelex platform to provide online travel money services.
The company delivers the foreign currency to stores for customers to collect, as well as operating the software that is used to buy the travel money.

'Planned maintenance'

Travelex's outage has meant the firms that use its services cannot sell currency online.

Virgin Money's site showed an error message, which said: "Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly."

Sainsbury's Bank also said its online travel money services were unavailable, although it said customers could still buy travel money in its stores. In a statement to the BBC, the bank said: "We're in close contact with Travelex so that we can resume our online service as soon as possible."

Meanwhile, a spokesperson for First Direct, which is owned by HSBC, said: "Unfortunately, our online travel money service is currently unavailable due to a service issue with third party service provider, Travelex."

In a statement on Thursday, Travelex boss Tony D'Souza said: "We regret having to suspend some of our services in order to contain the virus and protect data."

The company has resorted to carrying out transactions manually, providing foreign-exchange services over the counter in its branches.
"We apologise to all our customers for any inconvenience caused as a result," Mr D'Souza said in a statement.

HSBC told the BBC that some of its branches also stock dollars and euros, which it is still able to sell.

About

Travelex Group is a foreign exchange company founded by Lloyd Dorfman and headquartered in London. Its main businesses are international payments, bureaux de change, and issuing prepaid credit cards for use by travellers as well as global remittances.

Saturday, March 2, 2019

Google suggested Upgrade to Windows 10 to Fix Windows 7 Zero-Day Bug (CVE-2019-5786)

Google advises users of Windows 7 to give it up and move to Microsoft's latest operating system if they want to keep their systems safe from a zero-day vulnerability exploited in the wild.
To remediate the Chrome vulnerability (CVE-2019-5786), Google released an update for all Chrome platforms on March 1; this update was pushed through Chrome auto-update. Google encourages users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.

The bug affects the win32k.sys kernel driver on Microsoft Windows and leads to privilege escalation on Windows 7.

It is a vulnerability in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is invoked under specific circumstances.
Google strongly believes this vulnerability may only be exploitable on Windows 7 because of the exploit mitigations added in newer versions of Windows. To date, Google has only observed active exploitation against Windows 7 32-bit systems.
Google reported it to Microsoft. In line with its disclosure policy, Google is publicly disclosing its existence because it is a serious vulnerability in Windows that Google knows is being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges, or be combined with another browser vulnerability to evade security sandboxes. Microsoft has told Google it is working on a fix.
As mitigation advice for this vulnerability, users should consider upgrading to Windows 10 if they are still running an older version of Windows, and should apply Windows patches from Microsoft when they become available.
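The advisory gives defenders two concrete facts to act on: the fixed Chrome build (72.0.3626.121) and the observation that exploitation was only seen on Windows 7 32-bit. The following Python script is an added example (not Google's or Microsoft's code) that triages a constructed endpoint inventory against those facts. The inventory records, their field names (`os`, `arch`, `chrome`) and the priority labels are assumptions made for the example; the one non-obvious point it demonstrates is that dotted versions must be compared component by component, since a plain string comparison would rank "72.0.3626.96" above "72.0.3626.121".

```python
"""Inventory triage for CVE-2019-5786 (added example, not Google's or Microsoft's code).

Assumptions: each host is a constructed dict with 'os', 'arch' and a 'chrome'
version string. The fixed Chrome build and the Windows 7 32-bit observation
come from the advisory summarised above; the priority labels are ours.
"""

FIXED_CHROME = "72.0.3626.121"


def parse_version(text):
    """Turn '72.0.3626.121' into (72, 0, 3626, 121) so comparison is numeric
    per component rather than lexicographic ('72.0.3626.96' < '72.0.3626.121')."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def chrome_is_patched(version):
    """True when the installed Chrome is at or above the fixed build."""
    return parse_version(version) >= parse_version(FIXED_CHROME)


def triage_host(host):
    """Return (priority, advice) for one inventory record.

    Hosts still running an unpatched Chrome on Windows 7 32-bit match the only
    platform where exploitation was observed, so they come first. Windows 7 hosts
    with a fixed Chrome still carry the kernel bug, which at the time of the
    advisory had no Microsoft patch, hence the OS-upgrade advice.
    """
    patched = chrome_is_patched(host["chrome"])
    win7 = host["os"].strip().lower() == "windows 7"
    win7_32 = win7 and host["arch"].lower() == "x86"
    if not patched and win7_32:
        return ("critical", "update Chrome now; matches observed exploitation target; plan OS upgrade")
    if not patched and win7:
        return ("high", "update Chrome now; plan OS upgrade")
    if not patched:
        return ("high", "update Chrome now")
    if win7:
        return ("medium", "Chrome fixed; kernel bug still unpatched; plan OS upgrade")
    return ("ok", "no action")


def triage_inventory(hosts):
    """Return [(hostname, priority, advice)] ordered most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    rows = [(h["name"],) + triage_host(h) for h in hosts]
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"name": "ws-01", "os": "Windows 7", "arch": "x86", "chrome": "72.0.3626.96"},
    {"name": "ws-02", "os": "Windows 7", "arch": "x64", "chrome": "72.0.3626.121"},
    {"name": "ws-03", "os": "Windows 10", "arch": "x64", "chrome": "72.0.3626.81"},
    {"name": "ws-04", "os": "Windows 10", "arch": "x64", "chrome": "73.0.3683.75"},
]

if __name__ == "__main__":
    for name, priority, advice in triage_inventory(SAMPLE_INVENTORY):
        print(f"{name:6} {priority:9} {advice}")
```

Run it as-is to see the constructed inventory sorted with ws-01 first; feed it real inventory export rows with the same three fields to use it for a fleet.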

Thursday, February 28, 2019

NSA Tool GHIDRA - Open Source Software Reverse Engineering Framework

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. 
Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.

In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex software reverse engineering efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.
Ghidra: https://www.nsa.gov/ghidra

Friday, September 28, 2018

Facebook security issue affects 50M user accounts

According to Guy Rosen, VP of Product Management at Facebook, on Tuesday afternoon, 25 September, the Facebook engineering team discovered a security issue affecting almost 50M Facebook user accounts.

A flaw in the "View As" feature allowed attackers to steal Facebook access tokens, which could be used to take over users' accounts. Access tokens are the equivalent of digital keys that allow users to remain logged into Facebook, so a stolen token lets its holder use the account without the password.

"This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted the 'View As' feature," Facebook stated on its website.

First, Facebook fixed the vulnerability and informed law enforcement.

Second, Facebook has reset the access tokens of the almost 50 million accounts it knows were affected, to protect their security. Facebook is also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Third, Facebook is temporarily turning off the "View As" feature while it conducts a thorough security review.
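Resetting 90 million tokens is the interesting engineering step in the response above: the aim is that every token issued before the incident stops working, including any an attacker already holds, while newly issued ones keep working. The Python below is an added example of one standard way to do that, and is not Facebook's code; how Facebook actually implemented its reset is not described on this page. It assumes opaque HMAC-signed bearer tokens that carry the account id and an issue time, and it keeps a per-account "not valid before" watermark so that a mass reset is one timestamp write per account rather than a hunt for every outstanding token.

```python
"""Mass access-token reset via a per-account 'not valid before' watermark.

Added example, not Facebook's code. Assumes tokens are opaque strings that the
issuer signs with HMAC-SHA256 and that carry the account id ('sub') and an
issue time ('iat', integer seconds). Times are passed in explicitly so the
behaviour is deterministic.
"""
import base64
import binascii
import hashlib
import hmac
import json


class TokenService:
    def __init__(self, secret: bytes):
        self._secret = secret
        # account_id -> earliest issue time still accepted for that account
        self._not_before = {}

    def issue(self, account_id: str, now: int) -> str:
        """Mint a token: base64(payload) + '.' + hex(HMAC(payload))."""
        payload = json.dumps({"sub": account_id, "iat": now},
                             separators=(",", ":")).encode()
        sig = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + sig

    def validate(self, token: str):
        """Return the account id for a valid token, or None.

        A token fails if its signature is wrong (tampered) or if it was issued
        before the account's reset watermark (revoked by a mass reset).
        """
        try:
            body, sig = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(body.encode())
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        try:
            claims = json.loads(payload)
            sub, iat = claims["sub"], int(claims["iat"])
        except (ValueError, KeyError, TypeError):
            return None
        if iat < self._not_before.get(sub, 0):
            return None  # issued before the reset: forces a fresh login
        return sub

    def reset_tokens(self, account_ids, now: int) -> int:
        """Invalidate every token issued before `now` for the given accounts.

        Cost is one write per account, independent of how many tokens each
        account has outstanding. Returns the number of accounts reset.
        """
        for account_id in account_ids:
            self._not_before[account_id] = now
        return len(set(account_ids))


if __name__ == "__main__":
    # Constructed walkthrough: an affected account and an unaffected one.
    svc = TokenService(b"constructed-demo-secret")
    old_alice = svc.issue("alice", 1000)
    bob = svc.issue("bob", 1000)
    svc.reset_tokens(["alice"], 2000)       # alice was in the affected set
    print("old alice token:", svc.validate(old_alice))   # None -> must log in
    print("bob token:", svc.validate(bob))               # bob -> untouched
    print("new alice token:", svc.validate(svc.issue("alice", 2000)))
```

The watermark check is what makes "reset" and "re-login" line up: after the reset, the account's next login mints a token with an issue time at or after the watermark, so it validates, while anything minted earlier, wherever it was copied to, does not. Production systems would store the watermark next to the account record and also expire tokens by age, which this example omits.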

Wednesday, September 26, 2018

ICANN KSK Rollover Postponed

The Internet Corporation for Assigned Names and Numbers ("ICANN") today announced that the plan to change the cryptographic key that helps protect the Domain Name System (DNS) is being postponed.
Changing the key involves generating a new cryptographic key pair and distributing the new public component to the Domain Name System Security Extensions (DNSSEC)-validating resolvers. Based on the estimated number of Internet users who use DNSSEC validating resolvers, an estimated one-in-four global Internet users, or 750 million people, could be affected by the KSK rollover.

The changing or "rolling" of the KSK was originally scheduled to occur on 11 October, but it is being delayed because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover. The availability of this new data is due to a very recent DNS protocol feature that adds the ability for a resolver to report back to the root servers which keys it has configured.
There may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured, and a recently discovered issue in one widely used resolver program appears to be preventing it from automatically updating the key as it should, for reasons that are still being explored.
ICANN is reaching out to its community, including its Security and Stability Advisory Committee, the Regional Internet Registries, Network Operator Groups and others to help explore and resolve the issues.
In the meantime, ICANN believes it prudent to follow its process and to delay the changing of the key rather than run the risk of a significant number of Internet users being adversely affected by the changing of the key. ICANN is committed to continuing its education, communication and engagement with the relevant technical organizations to ensure readiness for the key change.
"The security, stability and resiliency of the domain name system is our core mission. We would rather proceed cautiously and reasonably, than continue with the roll on the announced date of 11 October," said Göran Marby. "It would be irresponsible to proceed with the roll after we have identified these new issues that could adversely affect its success and could adversely affect the ability of a significant number of end users."
A new date for the Key Roll has not yet been determined. ICANN's Office of the Chief Technology Officer says it is tentatively hoping to reschedule the Key Roll for the first quarter of 2018, but that it will be dependent on more fully understanding the new information and mitigating as many potential failures as possible.
ICANN will provide additional information as it becomes available and the new Key Roll date will be announced as appropriate.
"It's our hope that network operators will use this additional time period to be certain that their systems are ready for the Key Roll," said Marby. "Our testing platform (http://go.icann.org/KSKtest) will help operators ensure that their resolvers are properly configured with the new key and we will continue our engagement and communications to these operators."
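Whether a resolver "is properly configured with the new key" comes down to whether the new KSK's DNSKEY record is among its trust anchors, and the usual way to name a DNSKEY is its key tag, the 16-bit checksum defined in RFC 4034 Appendix B. The Python below is an added example, not ICANN's code or test platform, that computes key tags from DNSKEY records in presentation format (the form found in a resolver's trust-anchor file or in dig output) and reports whether an expected KSK tag is configured. The two DNSKEY lines are constructed with short toy public keys so the tags they produce (17489 and 19529) are not real root-zone values; the key tag ICANN publishes for the real KSK would be the `expected_tag` in practice.

```python
"""Check a resolver's configured DNSSEC trust anchors for an expected KSK.

Added example, not ICANN's code. Computes RFC 4034 Appendix B key tags from
DNSKEY records in presentation format and reports whether an expected key tag
is present among the configured KSKs (records with the SEP flag set). The
sample records are constructed with toy key material, not real root keys.
"""
import base64


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the
    carry back in once, and keep the low 16 bits."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...'.

    Returns (owner, flags, protocol, algorithm, pubkey). The base64 may be
    split by spaces or wrapped in parentheses, as dig and zone files do.
    """
    fields = line.replace("(", " ").replace(")", " ").split()
    if "DNSKEY" not in fields:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    idx = fields.index("DNSKEY")
    try:
        flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    except ValueError:
        raise ValueError(f"malformed DNSKEY fields: {line!r}")
    pubkey = base64.b64decode("".join(fields[idx + 4:]), validate=True)
    return fields[0], flags, proto, alg, pubkey


def configured_ksk_tags(text: str) -> dict:
    """Map key tag -> owner for every DNSKEY with the SEP (KSK) flag set."""
    tags = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        owner, flags, proto, alg, pubkey = parse_dnskey(line)
        if flags & 0x0001:                    # bit 15 of flags = Secure Entry Point
            tags[key_tag(flags, proto, alg, pubkey)] = owner
    return tags


def check_anchors(text: str, expected_tag: int) -> str:
    """'ready' if the expected KSK is configured, else a short diagnostic."""
    tags = configured_ksk_tags(text)
    if expected_tag in tags:
        return "ready"
    return f"missing key tag {expected_tag}; configured: {sorted(tags)}"


# Constructed trust-anchor file: an "old" and a "new" KSK with toy 16-byte keys.
TRUST_ANCHORS_BOTH = """\
; constructed sample, not the real root zone keys
. IN DNSKEY 257 3 8 EA8ODQwLCgkIBwYFBAMCAQ==   ; "old" KSK, tag 19529
. IN DNSKEY 257 3 8 AQIDBAUGBwgJCgsMDQ4PEA==   ; "new" KSK, tag 17489
"""
TRUST_ANCHORS_OLD_ONLY = """\
. IN DNSKEY 257 3 8 EA8ODQwLCgkIBwYFBAMCAQ==   ; resolver never picked up the new key
"""
NEW_KSK_TAG = 17489   # tag of the constructed "new" key above

if __name__ == "__main__":
    print("both keys:", check_anchors(TRUST_ANCHORS_BOTH, NEW_KSK_TAG))
    print("old only: ", check_anchors(TRUST_ANCHORS_OLD_ONLY, NEW_KSK_TAG))
```

Only records with flags value 257 (SEP bit set) count as KSK anchors; a 256 ZSK record in the same file is parsed but ignored. To use this against a real resolver, paste its trust-anchor configuration into `text` and the published root KSK tag into `expected_tag`.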

About DNSSEC

To easily identify resources on the Internet, the underlying numerical addresses for these resources are represented by human-readable strings. The conversion of these strings to numbers is done by the distributed hierarchical Domain Name System (DNS). Increased sophistication in computing and networking since its design in 1983 has made this "phone book" vulnerable to attacks. In response to these threats, the international standards organization, the IETF, developed DNSSEC to cryptographically ensure that DNS content cannot be modified from its source without being detected. Once fully deployed, DNSSEC will stop the attacker's ability to redirect users using the DNS.
To keep informed about KSK Rollover developments, see: https://www.icann.org/resources/pages/ksk-rollover