Info Security

Subscribe to Info Security  feed
Updated: 1 hour 9 min ago

Security Pros: Soft Skills Like Good Communication Critical for Cyber Success

3 hours 17 min ago
Security Pros: Soft Skills Like Good Communication Critical for Cyber Success

Organizations want non-security functions like IT operations, risk management and compliance to get more involved in cybersecurity, research has revealed.

A Tripwire survey of 315 IT security professionals at companies with over 100 employees conducted by Dimensional Research found that respondents were unanimous in believing that soft skills are important when hiring for their security teams.

The three most important soft-skill attributes cited were: Analytical thinker (selected by 65%); good communicator (60%); and troubleshooter (59%). Tied for fourth place was “strong integrity and ethical behavior” and “ability to work under pressure,” both selected by 58% of participants.

“The cybersecurity industry should not overlook the soft skills that are needed to build a strong security program,” said Tim Erlin, vice president of product management and strategy at Tripwire. “The reality is that today’s security pros need to go beyond technical expertise. Security practitioners need to be good communicators who can connect cybersecurity issues to business priorities, rally the rest of the organization to get involved, solve tough problems and handle sensitive issues with integrity.”

Respondents were also asked if the need for soft skills has changed over the last two years, and 72% said the need had increased. A fifth (21%) said that soft skills are actually more important than technical skills when hiring staff—a notable statistic in light of the fact that 17% said they expect to hire people without security-specific expertise over the next two years.

In addition, nearly all respondents (98%) believe non-security functions need to be more involved in cybersecurity in the future. Of those, 74% said IT operations needs to be more involved, 60% said risk management, 53% said compliance and 45% said legal needs to be brought into the fold. Other mentions included human resources (32%) and marketing (11%).  

“With security-related regulations like GDPR on the rise, it’s unsurprising that respondents expect their legal and compliance teams to get more involved in cybersecurity,” said Erlin. “It’s become increasingly apparent that security is a shared responsibility, even for those without any technical cybersecurity experience. Employees from other functions can partner with their security teams to help them look at issues from different perspectives, help further the broader organization’s understanding of cybersecurity, and help enforce best security practices across the organization.”

Categories: Cyber Risk News

GCHQ Collects Mass Social Media Data on Millions in UK—Report

3 hours 59 min ago
GCHQ Collects Mass Social Media Data on Millions in UK—Report

British intelligence agency Government Communications Headquarters (GCHQ) may have been collecting mass amounts of social-media data on millions of UK residents for decades—and sharing it with foreign intelligence and other law enforcement agencies.

Privacy International (PI), a privacy watchdog, claims to have documents that show that the spy agency collected and continues to access social-media information from private companies’ databases. It also has mounted litigation to expose the practice, challenging the right of the UK government to have such access.

PI said that it has obtained letters that confirm that “inappropriate and uncontrolled/uncontrollable sharing with industry third parties” is ongoing, without any proper oversight. It also alleges that government contractors have system access rights which could allow them to enter an agency’s system, extract data and then cover their tracks.

“It remains unclear exactly what aspects of our communications they hold and what other types of information the government agencies are collecting, beyond the broad unspecific categories previously identified, such as ‘biographical details’, ‘commercial and financial activities’, ‘communications’, ‘travel data’, and ‘legally privileged communications’,” PI added.

"This is the first time on record we know bulk personal data sets contain social media data and sensitive medical records," Millie Graham Wood, a solicitor at PI, told the International Business Times. "To know they have large-scale social media data on an untargeted basis is pretty shocking. We don't know how long it's been going on for, or whether it's shared with foreign governments, industry and other departments like HMRC [Revenue and Customs]. If you think about how sensitive social media data are, it's so dangerous if there is no oversight."

PI also said that the Investigatory Powers Commissioner was unaware of the collection activities until PI brought it to light in the lawsuit, and that it has sought immediate inspection.

"We have just started our audit process and will continue to do a series of inspections on whether [intelligence agencies'] practices are lawful or not," an IPCO spokesperson told the IBT.

As for the validity of the accusations, Lee Munson, security researcher at Comparitech.com, said that they seem feasible.

"If GCHQ has collected a massive amount of information on every man, woman and child in the United Kingdom I do not think anyone can really be surprised,” he said, via email. “After all, we have known for many years that former Home Secretary, and now Prime Minister, Teresa May was keen for the security services to have access to as much data as possible, via the Investigatory Powers Act 2016.”

That act, aka the “Snoopers Charter”, has been highly controversial. It requires service providers to store the browsing history of the entire populace—as well as their emails, phone call and text records—for a year. They can then be handed over to the authorities for analysis at will. It also gives the government broad powers to read communications and listen in on calls without requiring suspicion of criminal activity; and bulk personal datasets, which allows agencies to acquire mass databases held by public or private sector bodies, which could contain highly personal details on things like religion, ethnic origin, sexuality, political leanings and health problems.

Muson added, “The fact that the legislation explicitly mentions bulk communications data acquisition would, I suspect, make any collection of social media, financial or health data at this time quite legal, even without any kind of court warrant being required,” Munson added. “Of course, the legality of any such bulk data swipes prior to 2016 are questionable, as is the collection of information from private databases, if true, but the fact remains that GCHQ almost certainly has far more information at its finger tips than many people realize.”

Social networking sites, especially, are a goldmine.

“The moral of this story is for people to think twice about the information they share willingly with their actual or virtual friends online because, one day, whether or not they have something to hide will be irrelevant as they will have voluntarily given up all of their privacy rights anyway,” Munson said.

This is of course not the first time a government has been found collecting social media data and other information on its citizens. Famously, Edward Snowden revealed the extent to which the NSA surreptitiously gathered information on US citizens.  

Categories: Cyber Risk News

Employee Snooping is Widespread, with Most Looking for Sensitive Info They Don't Need

4 hours 5 min ago
Employee Snooping is Widespread, with Most Looking for Sensitive Info They Don't Need

Contrary to security best practices, most employees are seeking out, and finding, information that is irrelevant to their jobs.

According to a global survey of more than 900 IT security professionals from One Identity, 92% of respondents reported that they have caught their employees attempting to access information they don’t need for their day-to-day work—and nearly one in four (23%) admitted this behavior happens frequently.

This is also a case of physician, heal thyself: Nearly two in three (66%) IT security professionals admit they have specifically sought out or accessed company information they didn’t need. IT security executives are the guiltiest by level: 71% of executives admit to seeking out extraneous information, compared to 56% of non-manager-level IT security team members. Additionally, 45% of executives admit to snooping for or accessing sensitive company performance information specifically, compared to just 17% of non-manager team members.

It all adds up to a major “snooping” problem among today’s workforce.

The survey, conducted by Dimensional Research, found that the transgressions among IT pros include the abuse of elevated rights attributed to the IT security role. These are used to access a range of sensitive information, but company performance information especially is a hot commodity: More than one in three (36%) of IT pros admit to looking for or accessing sensitive information about their company’s performance, apart from what is required to do for their jobs.

“While insider threats tend to be non-malicious in intent, our research depicts a widespread, intrusive meddling from employees when it comes to information that falls outside their responsibility—and it could be that meddling that ends up putting their employers in hot water,” said John Milburn, president and general manager of One Identity.

The survey also found that the smaller the company, the bigger the snoop: 38% of IT security professionals at companies with 500-2,000 employees admit to looking for or accessing sensitive performance data, versus 29% of professionals at companies with more than 5,000 employees.

Also, workers in technology companies most likely to go on a sensitive information hunt: About 44% of respondents working for technology companies admit to searching for sensitive company performance information, compared to 36% in financial services, 31% in manufacturing and just 21% in healthcare.

 “Without proper governance of access permissions and rights, organizations give employees free reign to move about the enterprise and access sensitive information like financial performance data, confidential customer documentation or a CEO’s personal files,” Milburn added. “If that information winds up in the wrong hands, corporate data loss, customer data exposure or compliance violations are possible risks that could result in irreversible damage to the business’s reputation or financial standing.”

Categories: Cyber Risk News

Third of IoD Members Have Never Heard of GDPR

9 hours 1 min ago
Third of IoD Members Have Never Heard of GDPR

Nearly a third (30%) of UK business leaders have never heard of the GDPR, although those that are aware of the new regulation seem to progressing well on compliance, according to new research from the Institute of Directors (IoD).

The study of nearly 900 IoD members also revealed that 40% didn’t know if the GDPR would affect their business, which is concerning considering the new data protection law will touch almost every public and private sector organization in Europe and beyond.

Half of those surveyed said they haven’t yet discussed GDPR compliance arrangements with partners or vendors with whom they share data; a potentially serious oversight in light of the fact that third parties are often an organization’s weakest link when it comes to data protection.

However, of those that understand the regulation, two-thirds (66%) said they are either “very” or “somewhat” confident they fully understand how it will affect the running of their business.

Plus, 86% claimed they are “very” or “somewhat” confident of being fully compliant by the May 25 2018 deadline.

IoD head of external affairs, Jamie Kerr, claimed firms have clearly not got the message on GDPR compliance despite the potentially huge cost of non-compliance: fines of up to £17m or 4% of global annual turnover, whichever is higher.

He urged the government and ICO to step up outreach efforts and simplify the message on how to comply.

“It is crucial everyone understands just how big this regulatory change will be for business leaders over the next few months,” he added.

“GDPR also comes hot on the heels of a number of big regulatory shifts for business over the past few years. We should also not forget the potential of extensive preparations that will be needed as we depart from the EU. Taken altogether, it’s not the easiest time to do business in the UK.”

Phil Becket, managing director of IT forensics firm Alvarez & Marsal, argued that being able to prepare for and detect cyber-attacks will be key to staying compliant with the GDPR.

“Complacency is no longer an excuse for firms, they need to know what they’re doing with consumer data, or face the consequences. Hackers are persistent and creative, and more often than not they are able to get into systems with ease – just look at the recent breaches seen in the news,” he added.

“Combined with stricter rules and harsher punishments for lax security, firms need to be on the front foot and ignorance is certainly not the right approach.”

Categories: Cyber Risk News

ROCA Crypto Bug Compromises RSA Keys

9 hours 54 min ago
ROCA Crypto Bug Compromises RSA Keys

Researchers have found a serious vulnerability in a commonly used cryptographic library, compromising the security of potentially millions of RSA encryption keys used to protect a wide range of laptops, smart cards and embedded devices.

'ROCA' (Return of Coppersmith’s Attack) was revealed this week by researchers from the Czech Republic, UK and Italy.

The newly discovered vulnerability (CVE-2017-15361) was found in the implementation of RSA keypair generation in a cryptographic library used in chips produced by Infineon Technologies, featuring the Trusted Platform Module (TPM) microcontroller.

Unfortunately, it’s in a wide range of products dating back as far as 2012.

A detailed note explaining the attack had the following:

“Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required. The vulnerability does NOT depend on a weak or a faulty random number generator – all RSA keys generated by a vulnerable chip are impacted. The attack was practically verified for several randomly selected 1024-bit RSA keys and for several selected 2048-bit keys.”

The bug makes it possible for attackers to use a targeted public RSA key to compute the private part of that key, known as a 'practical factorization attack'.

With the private key, they could decrypt sensitive messages, impersonate the legitimate key owner, forge signatures and other related attacks.

The good news is that, thanks to the eight-month disclosure period agreed with German chipmaker Infineon, many vendors including Fujitsu, Google, Microsoft, HP and Lenovo have had time to release updates and guidelines for mitigation.

However, the vulnerable keys are embedded in a wide range of products, from electronic citizen documents to authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP.

Around 760,000 vulnerable keys have been found so far but the researchers warned that “up to two to three magnitudes more” could be at risk.

The researchers urged organizations to first test to see if they are affected and then contact the affected vendor for help, applying a patch if there’s one available.

Categories: Cyber Risk News

PwC: UK Firms in the Dark Over Cyber-Attacks

10 hours 49 min ago
PwC: UK Firms in the Dark Over Cyber-Attacks

UK organizations are unprepared for cyber-attacks, lack visibility into threats and aren’t doing enough to collaborate internally and externally, according to PwC.

The professional services giant’s Global State of Information Security Survey 2018 polled 560 executives from UK companies and public sector organizations of all sizes.

Over a quarter (28%) claimed they didn’t know how many attacks their organization had suffered over the past year while a third (33%) said they didn’t know how the attacks had occurred.

What’s more, 17% admitted to not running any kind of preparatory cyber-drills and less than half (49%) conduct vital pen tests.

Bharat Mistry, principal security strategist at Trend Micro, was surprised at this lack of preparedness.

“The last thing you want when you have a breach is for staff to be reading the breach response handbook and trying to figure out who should do what. In fact, I would say if you haven’t tested your breach response plan, then it’s not worth the paper it written on,” he told Infosecurity.

“With the looming deadline of GDPR and the consequential fines for breaches of personal data it’s now more imperative than ever to make sure that you not only have a plan but it’s tested and effective to ensure compliance."

The bad news doesn’t end there. Less than half (44%) collaborate with peers in the industry compared to 58% globally, and not many more (53%) form cross-organizational teams featuring finance, legal, risk, HR and IT execs to regularly discuss and strategize over security issues.

“Cybersecurity needs to be viewed as a ‘team sport’ rather than just an issue for the IT team,” said partner Richard Horne. “To be most effective, everyone in an organization should be considering the security implications of their actions. Pulling a business together like that requires strong leadership from the top.”

Perhaps unsurprisingly given the above, there is a general lack of interest in cybersecurity at board level. Just 34% said board members actively participate in strategy, versus 44% worldwide.

UK organizations are also holding back on insurance: only 44% said they had a policy in place compared to 58% globally.

Yet firms are experiencing serious repercussions. UK organizations faced 19 hours of downtime from security incidents during the reporting period, 21% had internal records lost or damaged, 20% had employee records compromised and 23% saw customer records stolen.

The latter in particular bodes badly for GDPR compliance.

Targeting employees is the most common way of attacking a UK firm, up from 20% to 27% in this report, while mobile device breaches (29%) were top globally.

On the plus side, the average security budget for UK organizations last year was £3.9m. What’s more, 64% of respondents said they had an overall security strategy in place and over half (53%) agreed that spending is based exclusively on risk.

Categories: Cyber Risk News

Report: 88% of Java Apps Vulnerable to Attacks from Known Security Defects

11 hours 30 min ago
Report: 88% of Java Apps Vulnerable to Attacks from Known Security Defects

A new report from CA Veracode has exposed the pervasive risks companies face from vulnerable open source components.

In its 2017 State of Software Security Report the firm reviewed application security testing data from scans of its base of 1400 customers, discovering that 88% of Java applications contain at least one vulnerable component, making them susceptible to widespread attacks.

A cause of the problem, in part, is that fewer than 28% of companies carry out regular analysis to see which components are built into their applications, Veracode claimed.

“The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit,” said Chris Wysopal, CTO, CA Veracode.

There have been plenty of examples of high-profile Java app breaches caused by vulnerabilities in open source or commercial components in the last year, one such being the ‘Struts-Shock’ flaw affecting the Apache Struts 2 web application framework.

“Development teams aren’t going to stop using components – nor should they, but when an exploit becomes available, time is of the essence,” Wysopal added. However, as evidenced in the report, the most severe flaws require significant time to fix (only 22% of very high severity flaws were patched in 30 days or less), with most attackers leveraging vulnerabilities within days of discovery.

“We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”

Categories: Cyber Risk News

Google Rolls Out Advanced Protection for High-Risk Users

Tue, 10/17/2017 - 20:40
Google Rolls Out Advanced Protection for High-Risk Users

Google has implemented additional cyber-protections for users that are at particularly high risk of targeted online attacks, such as campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.

The Advanced Protection Program is a continually updated suite of services that focuses on three core defenses:

Phishing: Advanced Protection requires the use of security keys (small USB or wireless devices) to sign into an account. They use public-key cryptography and digital signatures to prove to Google that it’s really the account holders. Anyone trying to log in who doesn’t have the security key is automatically blocked, even if the person has the password.

Accidental Sharing: Sometimes people inadvertently grant malicious applications access to their Google data. Advanced Protection prevents this by automatically limiting full access to Gmail and Drive to specific apps. For now, these will only be Google apps, but Google expects to expand these in the future, it said.

Fraudulent Account Access: Another common way hackers try to access accounts is by impersonating the account holder and pretending they have been locked out. For Advanced Protection users, extra steps will be put in place to prevent this during the account recovery process, including additional reviews and requests for more details about why the person has lost access to his or her account.

“We've been testing Advanced Protection for the last several weeks and learning from people like Andrew Ford Lyons, a technologist at Internews, an international nonprofit organization that has supported the development of thousands of media outlets worldwide,” said Dario Salice, Advanced Protection product manager at Google, in a blog.

“Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries," said Lyons. "For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step.”

Anyone with a personal Google Account who is using Chrome (other browsers will be added) can enroll in Advanced Protection.

Charl Van Der Walt, chief security strategy officer at SecureData, applauded the move but did have a caveat: A significant number of successful breaches are still achieved via a compromised desktop, mostly via a malicious document attachment—and these new controls will do little to change this.

“Instead, [high-risk] users should think hard about the platforms they use to access email and how they open attachments,” he said via email. “Simple, limited-use platforms like a Chromebook or a tablet are generally safer to work from, but using a Yubikey with a tablet can be tricky, especially on iOS devices. This seems a pity, and looks to be a trade-off.”

He also brought up the data privacy disconnect that exists between the US and other parts of the world.

“Something else to consider is that although preventing unauthorized remote access to email is part of the equation, there needs to be jurisdictional consideration also,” he added. “Google itself might have access to email and contact data, and that given Google is a US company, the US government may be able to obtain access. This, however, is a ‘political’ consideration rather than a technical one.”

Categories: Cyber Risk News

DHS Mandates DMARC, HTTPS for All US Federal Agencies

Tue, 10/17/2017 - 19:38
DHS Mandates DMARC, HTTPS for All US Federal Agencies

The US Department of Homeland Security (DHS) has announced that it will require federal agencies to use DMARC email security and HTTPS, to protect employees and those corresponding with the federal government.

Assistant DHS Secretary Jeanette Manfra announced that the department would issue a binding directive requiring agencies to use the two security protocols.

A DMARC policy thwarts cyber-criminals who hack into user accounts and then scrape the address books; they then use a different server to spoof messages from the hacked user to his or her own contacts. They do this for spam and fraud purposes, for phishing and to spread malware. DMARC combats this by allowing a sender to indicate that its emails are protected, and authenticates that messages are coming from the domain that they purport to be coming from. In practice, it means that it will be more difficult for nation-state actors or fraudsters to impersonate federal employees.

HTTPS meanwhile provides encrypted communications between a user and a server, preventing communications from being intercepted or eavesdropped upon.

In July, Sen. Ron Wyden (D-Oregon) sent a letter to Manfra asking that DHS require agencies to use DMARC.

The move is similar to what the UK implemented last year. In the US, agencies will have 90 days to implement DMARC and 120 days to upgrade to HTTPS. In a recent survey, just 135 federal email domains had DMARC deployed, out of a total of 1,315, with fewer than half of those actually activated.

Categories: Cyber Risk News

Cyber-criminals, North Korea Embrace Crypto-mining

Tue, 10/17/2017 - 19:29
Cyber-criminals, North Korea Embrace Crypto-mining

A proliferation of mining malware here has started to make its presence known, leading to long-term, low-velocity crypto-mining operations becoming a go-to approach for cyber-criminals. In addition, according to threat intel company Recorded Future, North Korea seems to be getting in on the action.

The firm found in an analysis that cyber-criminals are utilizing cryptocurrency mining as a way to maintain a steady income and avoid the inherent risks involved in running a large-scale ransomware campaign. This year, starting in May 2017, Recorded Future observed a rapid spike of mining malware alerts across a spectrum of analyzed sources. In all, it identified 62 different types of mining malware offered for sale across the criminal underground.

Although some variants are sold for as high as $850, the majority of available mining malware today is offered for less than $50.

Mining malware is readily available, affordable, and easy for a novice to deploy; however, indicators exist that provide a means to detect mining activity on a network,” the firm said.

As for North Korea, while it has not identified any North Korea-specific cryptocurrency mining malware, Recorded Future said that North Korean threat actors have experience in altering publicly available tools, managing botnets and procuring cryptocurrency both legally and illegally.

“North Korean threat actors have been conducting cyber operations to generate funds for the Kim regime likely since at least 2015, but appear to have become interested in Bitcoin and cryptocurrency only over the past six months,” Recorded Future said.

Recorded Future analysis discovered in May that users in North Korea had begun to mine Bitcoin. Before then, there had been virtually no activity to Bitcoin-related sites or nodes, or utilizing Bitcoin-specific ports or protocols. Beginning on May 17, that activity increased exponentially, from nothing to hundreds per day.

“The timing of this mining is important, because it began very soon after the May WannaCry ransomware attacks, which the NSA has attributed to North Korea’s intelligence service, the Reconnaissance General Bureau (RGB), as an attempt to raise funds for the Kim regime,” analysts said. “It is not clear who is running the North Korean Bitcoin mining operations; however, given the relatively small number of computers in North Korea coupled with the limited IP space, it is not likely this computationally intensive activity is occurring outside of state control.”

Crypto-mining is more attractive than other approaches, the analysts added. While the potential profitability of fraudulent bank transfers remains at the top of the criminal "food pyramid," to achieve maximum results, threat actors have to work with developers of banking web-injects and automatic money-transferring malware. To receive and launder stolen funds, reliance on a long chain of money-mule handlers is unavoidable, and often funds from completed banking transactions will often be stolen by dishonest intermediaries.

Ransomware, meanwhile, has landed firmly in the sights of law enforcement of late.

Crypto-mining on the other hand can generate a steady income stream without all of the inherent risks.

“In the immediate future, we don't foresee mining malware overtaking ransomware in terms of inflicted infrastructure damages nor monetary gains to its operators,” Recorded Future said. “However, for the first time in the last two years, we are seeing a shift in cyber-criminal mentality and a growing skepticism for widespread ransomware campaigns. As international law enforcement shows exceptional determination, successfully dismantling several high-profile marketplaces and arresting longtime members of the criminal underground, malicious actors are willing to accept less lucrative, but almost risk-free business models.”

Categories: Cyber Risk News

Poorly Secured SSH Keys Exposing Firms to Breaches

Tue, 10/17/2017 - 12:01
Poorly Secured SSH Keys Exposing Firms to Breaches

The vast majority of organizations are mismanaging Secure Shell (SSH) in their IT environments, exposing critical systems and data to attack, according to new research from Venafi.

The certificate security vendor polled over 400 IT security professionals to better understand the level of security controls applied to SSH.

Organizations apply the cryptographic network protocol to secure and automate administrator-to-machine and machine-to-machine access to critical business functions.

However, despite being used to provide the highest privileged access to administrators, SSH is poorly managed by most respondents, Venafi found.

For example, 61% said they don’t limit or monitor the number of administrators who manage SSH, while only 35% enforce policies that prohibit SSH users from configuring their authorized keys. This could leave them wide open to attacks from malicious insiders, the vendor argued.

What’s more, 90% of respondents claimed they don’t have a complete and accurate inventory of all SSH keys, meaning there’s no way to find out if keys have been stolen, misused or should not be trusted.

Keys should also be rotated on a regular basis, in case any hackers have gained access. However, only 23% said they rotate on a quarterly or more frequent basis, and 40% don’t do so at all or rotate only occasionally.

Over half (51%) of IT security professionals polled said they don’t enforce any means to prevent port forwarding for SSH, a feature which could allow attackers to bypass firewalls to reach other parts of a targeted network.

Finally, 54% claimed they don’t limit the locations from which SSH can be used, potentially allowing attackers to use compromised SSH keys remotely.

Nick Hunter, senior technical manager for Venafi, argued that a compromised SSH key could be dangerous in the wrong hands.

“Cyber-criminals can use them to access systems from remote locations, evade security tools, and often use the same key to access more systems,” he added.

“Based on these results, it’s very clear that most organizations have not implemented SSH security policies and restricted SSH access configurations because they do not understand the risks of SSH and how it affects their security posture.”

Categories: Cyber Risk News

Microsoft Kept Quiet About 2013 Bug Database Hack: Report

Tue, 10/17/2017 - 10:05
Microsoft Kept Quiet About 2013 Bug Database Hack: Report

A cyber-attack by a notorious hacking group back in 2013 compromised highly sensitive information on unfixed Microsoft vulnerabilities, data which could have been used to devastating effect, it has emerged.

Microsoft is said to have discovered the breach in early 2013 after a sophisticated hacking group dubbed Wild Neutron also attacked Apple, Facebook, Twitter and others.

It’s unclear whether said group is state-sponsored, although its high skill levels and solid operational security – which have enabled it to keep a relatively low profile over the years – could indicate some state involvement.

Microsoft’s statement at the time downplayed the seriousness of the attack:

“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”

However, according to five former security employees Reuters spoke to, there was widespread concern inside the tech giant at the time that the stolen info would be used in follow-on attacks.

Although they were, Redmond concluded that the attackers could have obtained the same info elsewhere, and so stayed silent about the nature of the breach, the report claimed.

Even Pentagon and Homeland Security bosses were apparently not told the details of the attack.

The breach calls to mind the hacking and theft of the NSA’s trove of hacking tools which ultimately led to the WannaCry and NotPetya attacks earlier this year, with Microsoft president Brad Smith criticizing the spy agency at the time.

Even worse for the tech giant, the database containing details of as-yet-unpatched bugs was allegedly poorly protected by “little more than a password.”

Mozilla suffered something similar in 2015 when attackers managed to find a database featuring details on 10 critical and unpatched flaws, but it went public with the details to better protect customers and update industry stakeholders.

Categories: Cyber Risk News

FT30 Firms at Risk from Equifax-Style Breach

Tue, 10/17/2017 - 09:27
FT30 Firms at Risk from Equifax-Style Breach

The UK’s top companies could be at risk from an Equifax-style breach after new research from RiskIQ found that they are each running on average over 200 vulnerable servers and web frameworks.

The security vendor analyzed the FT30 group of firms to get a representative sample of UK companies, studying 99,467 live websites and associated infrastructure.

It found 5127 vulnerable servers – an average of 171 per organization – and 68 vulnerable frameworks per firm.

Credit agency Equifax was breached after attackers exploited a known vulnerability in the Apache Struts web application framework, allowing them to access highly sensitive data on 145.5 million Americans and nearly 700,00 British customers.

The bad news doesn’t end there for UK firms: RiskIQ also found 1051 expired certificates – 35 per organization – and 7503 untrusted certificates, or 250 per organization.

This could open these firms up to further security risks if data is not transmitted securely, and will lead to users being presented with a warning message in their browser not to visit the affected pages.

RiskIQ also found 574 OpenSSL instances, or 19 per organization, that are potentially vulnerable to Heartbleed and 1332 SHA-1 certificates now considered unsafe.

On average, each FT30 firm studied was running 440 pages collecting user info of one sort or another via login boxes or data input forms.

Unfortunately, nearly a third (29%) were using no encryption and 5% were using old encryption or expired certificates, exposing these organizations to the risk of breaches and – soon – possible GDPR fines.

Part of the problem is the rapid expansion of companies’ web presence, leading to much infrastructure being created outside of the IT department’s control.

For example, RiskIQ spotted a "long tail" of registrars outside the trusted small group used for most web domain registrations, indicating a decentralized process.

In fact, over 4000 domains – or more than 130 per firm – were registered with an employee email address as contact. This can cause issues with domain renewals when this employee leaves or changes roles, said the vendor.

The firm told Infosecurity that organizations need to appoint dedicated external threat teams consisting of analyst 'hunters' responsible for working with incident response teams and 'defenders' focused on reducing the attack surface, for example by uncovering new flaws.

“The growth of digital assets is occurring ‘outside the firewall’ and is not protected by the layers of defense that sit inside the corporate network which includes both the investment in security products and the security teams tasked with managing those solutions,” it added. 

Categories: Cyber Risk News

Pizza Hut Serves Up a Slice of Data Breach

Mon, 10/16/2017 - 21:04
Pizza Hut Serves Up a Slice of Data Breach

Pizza Hut has become the latest household name to suffer a payment card breach.

The company admitted the incident on Saturday in an email sent to affected customers, nearly two weeks after it discovered and remediated the issue. According to the email, shared on social media by some recipients, affected customers placed orders on the company's mobile app or website for about 28 hours between the morning of October 1 and midday on October 2.

The “temporary security intrusion” resulted in hackers accessing names, billing ZIP codes, delivery addresses, email addresses and payment card information (account numbers, expiration dates and CVV numbers). The company didn’t say how many customers were affected.

Some of the affected expressed anger that it took the franchise two weeks to let them know.

“@pizzahut great security there & thanks for the delay in notifying us after thieves already charged our accts. Keep up the excellent work,” tweeted one victim.

“Any company that captures and stores such critically sensitive customer information must mitigate the risk of leakage, otherwise they may run afoul of mass social media anger,” said Christopher Littlejohns, EMEA manager at Synopsys. “As we have seen, this can be commercially damaging. Legislative bodies worldwide are waking up and tackling this issue, a great example being the forthcoming GDPR regulations which oblige companies to ensure they are applying appropriate diligence at risk of receiving major fines if negligence is proven.”

At least one security researcher said that the backlash was somewhat unwarranted.

“The Pizza Hut card breach poses an interesting question about how quickly a company should come clean with its customers,” said Lee Munson, security researcher at Comparitech. “While a two-week period between breach and notification may sound like two weeks too many to affected customers, it is in fact a very quick response versus industry norms which often see no disclosure made at all.”

Meanwhile, Javvad Malik, security advocate at AlienVault, also praised the company for detecting the incident quickly: “Compared to many recent breaches pizza hut detected the breach relatively quickly and so limited the number of customer card details stolen. It goes to illustrate the importance and value of having good threat detection and response controls in place so as to limit exposure."

Categories: Cyber Risk News

Fresh Adobe Zero-Day Spotted in the Wild

Mon, 10/16/2017 - 20:49
Fresh Adobe Zero-Day Spotted in the Wild

A newly discovered Adobe Flash zero-day exploit has been uncovered delivering the FinSpy commercial malware.

Kaspersky Lab spotted it being used in the wild on Oct. 10, by a group of attackers known as BlackOasis. An exploit delivers its payload through a Microsoft Word document.

“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” said Anton Ivanov, lead malware analyst at Kaspersky Lab. “Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”

Analysis reveals that, upon successful exploitation of the vulnerability, the FinSpy malware (also known as FinFisher) is installed on the target computer, equipped with multiple anti-analysis techniques to make forensic analysis more difficult. After installation, the malware establishes a foothold on the attacked computer and connects to its command and control servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data.

FinSpy is typically sold to nation states and law enforcement agencies to conduct surveillance. In the past, use of the malware was mostly domestic, with law enforcement agencies deploying it for surveillance on local targets.

BlackOasis is a significant exception to this, and uses it against a wide range of targets across the world. This appears to suggest that FinSpy is now fueling global intelligence operations, Kaspersky Lab said, with one country using it against another.

Based on Kaspersky Lab’s assessment, the interests of BlackOasis span a whole gamut of figures involved in Middle Eastern politics, including prominent figures in the United Nations, opposition bloggers and activists, as well as regional news correspondents. They also appear to have an interest in verticals of particular relevance to the region. During 2016, the company’s researchers observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering and other activities. There is also an interest in international activists and think tanks.

So far, victims of BlackOasis have been observed in Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.

The researchers believe that the group behind the attack was also responsible for CVE-2017-8759, another zero day, reported in September.

Kaspersky Lab reported the vulnerability to Adobe, CVE-2017-11292, which has issued an advisory with a patch.

Categories: Cyber Risk News

CyberWarrior Scholarships Debut for Returning Vets

Mon, 10/16/2017 - 20:43
CyberWarrior Scholarships Debut for Returning Vets

Engility Holdings and the Center for Cyber Safety and Education have created a program to help returning military veterans reenter the civilian world, by offering cybersecurity certification training scholarships.

The Engility CyberWarrior Scholarship program is open to military veterans honorably discharged from one of the five branches of the military by December 21, or those serving as active members in the National Guard or Reserves. The scholarships will include everything the recipients need to prepare to become certified for a career in cybersecurity, including training classes, textbooks and materials, and exam vouchers for the (ISC)2 certification of their choice.

“I cannot think of a worthier and more qualified group than our vets to look to for cybersecurity missions,” said Lynn Dugle, **** Engility *** www.engility.com  CEO. “Our global security relies on having a pipeline of highly skilled, dedicated cyber-experts to ensure that our country is prepared as we move into the future.”

At the end of the training, the veterans will have enhanced opportunities to secure cybersecurity jobs such as security analyst, security engineer, security auditor and security architect.

The program focuses on six (ISC)² certifications: Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Certified Cloud Security Professional (CCSP), HealthCare Information Security and Privacy Practitioner (HCISPP), Certified Authorization Professional (CAP) and Systems Security Certified Practitioner (SSCP).

The US workforce is currently suffering from a cybersecurity worker shortage, according to a 2017 Global Information Security Workforce Study commissioned by (ISC)2 and the Center. The survey shows two-thirds of U.S. cybersecurity workers think there is a lack of cybersecurity employees in their place of business because of a skills gap in the workforce. The study also predicts a 1.8 million cyber security workforce gap by the year 2022; a gap that has grown 20% since the previous survey just two years prior.

“We are looking to serve a critical need of workforce development in cybersecurity,” said Patrick Craven, director of the Center for Cyber Safety and Education. “Our vets are deeply committed to our national security and are uniquely qualified for this mission.”

Categories: Cyber Risk News

New Scam Impersonates VAT Form to Deliver Malware

Mon, 10/16/2017 - 10:47
New Scam Impersonates VAT Form to Deliver Malware

Researchers from Trustwave have unearthed a scam impersonating Her Majesty’s Revenue & Customs (HMRC) to trick victims into downloading malware.

According to the security firm, on September 6 2017, scammers launched an email phishing attack disguised as a HMRC VAT return document, which contained links to the infamous JRAT malware. The email was sent using a registered HMRC-like domain (hmirc-gov.co.uk).

Trustwave explained that the body of the email encourages the user to click on an embedded image of a PDF doc citing an error in their recently submitted VAT return, taking the victim to a Microsoft OneDrive file sharing service that downloads a VAT Return ZIP file – inside is a malicious Java Jar file that on execution downloads and launches malware via several VBS scripts. There is no actual attachment sent with the message.

Analyzing the Jar file, Trustwave explained that it is the jRAT's bot agent. 

“Each bot has its own configuration and this particular sample has an anti-analysis mechanism where it prevents execution of well-known security and forensic related tools. It adds the process name to ‘Image File Execution’ registry key so that ‘svchost.exe’ will be executed instead”, wrote Dr Fahim Abbasi, Gerald Carsula and Rodel Mendrez.

The Java RAT trojan provides complete remote control over the victim’s computer, they added, citing an increase in phishing campaigns using Microsoft services such as SharePoint (a web-based collaborative platform) and OneDrive (a file sharing service).

“We assume that the scammers route their malware leveraging reputable cloud services like Microsoft to evade detection by various security defenses. Users need to be particularly careful since such scams are quite active during tax return season.”

Speaking to Infosecurity Luis Corrons, PandaLabs technical director, Panda Security, said that this attack shows how creative attackers can be in order to fool users into infecting themselves.

“The technique they use in this particular attack is pretty smart, as it avoids the use of an attachment in an email,” he explained. “The only thing we can ask users for is to be sceptic and to not execute/open anything that comes from an unknown source.”

However, this can only work for so long, he adds. “The security measures in place are the ones that have to take care of these attacks (not the users!), and that is why having a solution capable of classifying all running processes in the computers of a corporate network with real time monitoring and a threat hunting service is the only viable approach to be effectively safe.”

Categories: Cyber Risk News

Wi-Fi Alert: Researchers Discover Serious Flaw in WPA2

Mon, 10/16/2017 - 10:42
Wi-Fi Alert: Researchers Discover Serious Flaw in WPA2

Security researchers claim to have discovered new weaknesses in the WPA2 Wi-Fi security protocol which could allow hackers to steal sensitive info or even inject malware into websites.

Discovered by Mathy Vanhoef of the Katholieke Universiteit Leuven, the so-called key reinstallation attacks (KRACKs) are set to be unveiled at the ACM Computer and Communications Security (CCS) conference on Wednesday.

The attack works by focusing on the four-way handshake used by WPA2 to confirm that client and access point have the correct network password and to negotiate a new encryption key to be used to encrypt all subsequent traffic.

This key is installed following message three of the four-way handshake, but because messages can sometimes be dropped or lost, the access point will re-transmit message three several times if it doesn’t receive the correct response in acknowledgement.

This means that the client device may receive message three several times, each time reinstalling the same encryption key but resetting the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.

Vanhoef explained:

“We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message three of the four-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.”

Effectively, it is the reset of transmit nonces that makes decryption of packets possible.

“Essentially, to guarantee security, a key should only be installed and used once,” said Vanhoef. “Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”

Android smartphones are said to be particularly at risk because Android and Linux can be tricked into re-installing an all-zero encryption key instead of the real key. This makes it easy for an attacker to both intercept and manipulate traffic sent by Android devices.

Currently, over two-fifths (41%) of Android devices are vulnerable to this kind of attack.

Vanhoef listed 10 CVEs discovered as part of the research: each relating to a specific protocol vulnerability, so “many vendors” are affected by each., according to Vanhoef.

The US-CERT has already released an advisory to a limited set of organizations, with consumer and enterprise WPA1 and WPA2 networks affected.

The full research can be found here.

Categories: Cyber Risk News

Iran Blamed for June Parliament Cyber-Attack

Mon, 10/16/2017 - 09:46
Iran Blamed for June Parliament Cyber-Attack

Iran was responsible for a major cyber-attack on the UK parliament over the summer which tried to crack account holders’ passwords, according to British intelligence.

The unpublished report, seen by outlets including the Guardian, laid blame at the feet of state-sponsored snoopers, although it’s still unclear what they were after.

Every member of parliament has an account to conduct official business with their constituents, including Prime Minister Theresa May and cabinet ministers.

In the end only 1% of the 9000 accounts were compromised, according to an official notice at the time which suggested these users had failed to follow best practice guidance issued by the Parliamentary Digital Service.

Several commentators questioned at the time why this guidance was merely optional and strong passwords – or the more secure two-factor authentication – weren’t enforced. Either tactic would have made it harder to 'brute force' the accounts.

Interestingly, those responsible are said to have launched follow-on vishing attacks soon after, trying to trick users into divulging their log-ins over the phone.

An email sent to parliamentary account holders at the time had the following:

"This afternoon we've heard reports of parliamentary users being telephoned and asked for their parliamentary username and password.

"The caller is informing users that they have been employed by the digital service to help with the cyber-attack. These calls are not from the digital service. We will never ask you for your password."

The link to Tehran comes at a particularly testing time geopolitically, with US President Donald Trump said to be preparing moves to tear-up a landmark nuclear deal with the Islamic republic.

European nations, including the UK, are looking to maintain the status quo and keep the JCPOA.

It must be clarified that there’s still no official comment on attribution of the June parliament attacks.

Categories: Cyber Risk News

DoubleLocker Ransomware Changes PIN and Encrypts Data

Mon, 10/16/2017 - 09:18
DoubleLocker Ransomware Changes PIN and Encrypts Data

Security researchers are warning of a new breed of Android ransomware designed to both encrypt data on a victim’s device and lock them out by changing the PIN code.

DoubleLocker is based on code from banking trojan Android.BankBot.211.origin which forces users to grant it access to the smartphone’s accessibility service.

Once launched, typically from a fake Adobe Flash Player app on compromised website, it will try to obtain accessibility permissions.

It will then use these to activate device admin rights and set itself up as the home application on the phone.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence,” explained Eset malware researcher, Lukáš Štefanko. “Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.”

True to its name, the ransomware uses two techniques to force its victims to pay up.

First, it changes the device PIN to a new credential which isn’t stored on the phone or sent anywhere. The PIN is only reset by the attacker following payment of the ransom.

Second, it encrypts all files from the device’s primary storage directory, using the AES algorithm and the “.cryeye” extension. There’s no way to recover the files without the encryption key, according to Štefanko.

The ransom to be paid within the 24-hour deadline is just 0.0130 BTC ($54).

For those not wanting to pay up, the only option for affected users is to start a factory reset, cleaning the device of ransomware, although all data will also be lost.

There’s another workaround for rooted devices, but still no way to recover the encrypted data.

Interestingly, although DoubleLocker doesn’t contain any functionality related to harvesting banking credentials, it could be turned into a so-called “ransom-banker”, according to Štefanko.

“[This is] two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom,” he explained. “Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May 2017.”

Categories: Cyber Risk News

Pages