Info Security

Subscribe to Info Security  feed
Updated: 2 hours 10 min ago

Pen Testers Breach Perimeter Through Web Apps

Fri, 08/17/2018 - 16:27
Pen Testers Breach Perimeter Through Web Apps

Penetration tests help organizations gain a better understanding of how protected they are against cyber-attacks, and when Kaspersky Lab’s performed several dozen cybersecurity assessment tests on corporate networks, it found that the overall level of protection against external attackers was low or extremely low for almost half of the analyzed companies.

The report, Security Assessment of Corporate Information Systems in 2017, found that three-quarters (73%) of successful perimeter breaches in 2017 were achieved using vulnerable web applications. 

Using weak or default credentials to attack publicly available management interfaces was also a common vector threat actors employed to penetrate the network perimeter. Experts gained administrative access to IT infrastructure in 29% of the external penetration tests performed, but the success rate soared to 86% of the analyzed companies when testing against internal attackers. In 42% of those cases, it took penetration testers only two steps to gain the highest privileges granting them access to important business systems.

“An extremely low level of protection corresponds to those cases where we were able to penetrate the network perimeter and gain access to the critical resources of the internal network,” the report stated.

While the level of protection against internal threats – a threat actor inside the corporate network – was low or extremely low for 93% of the analyzed companies, the analysis showed that organizations are better protected against external threats. The overall level of protection against external threats – an outside intruder from the internet – was low or extremely low for 43% of organizations.

“Qualitative implementation of the simple security measures like network filtering and password policy would significantly increase the security stance,” said Sergey Okhotin, senior security analyst of security services analysis at Kaspersky Lab in a press release. “For example, half of the attack vectors could have been prevented by restricting access to management interfaces.”

Categories: Cyber Risk News

Trump Takes Offensive Cybersecurity Step Forward

Fri, 08/17/2018 - 16:23
Trump Takes Offensive Cybersecurity Step Forward

The Obama Presidential Policy Directive 20 (PPD-20) that outlined the interagency communications required for the US to deploy cyber-weapons was reversed by President Trump, according to a report from the Wall Street Journal Wednesday 15 August.

Infosecurity Magazine contacted the White House for comment, but the Trump administration reportedly has not issued an official statement on the decision to reverse PPD-20. A National Security Council spokesman told Inside Cybersecurity that the administration was not planning on issuing a public statement.

Cyber-threats and cyber-attacks from nation-state actors require action, but planning and executing offensive actions necessary to protect US interests and assets from foreign aggressions can take months or years, said John Gunn, chief marketing officer at OneSpan. “With proper safeguards, this is a positive initiative that will raise our security.”

The US is not the first country to permit offensive techniques in order to prevent cyber-attacks from reaching its borders. Many experts, including Joseph Carson, chief security scientist at Thycotic, are in favor of cyber-offensive capabilities. Yet challenges exist in cyberspace.

“The biggest problem we have is absolute attribution to knowing who exactly carried out the cyber-attack and is it possible that it was a misdirection to put political pressure on two or more countries,” Carson said.

“We have AI and other techniques, but cyber-criminals have the ability to make it look like someone else committed the crime," Carson continued. "With cyber-mercenaries on the increase, the only way to get attribution is to go back to the old methods of having human spies who can confirm the attack happened and was initiated by aggressive cyber-countries. Many countries are already committing cyber-attacks on a large scale, and the US has been poor at responding to such attacks. For example, the attack on the DNC and OPM. My personal stance is that cyber-offensive should only be carried out by government agencies and not permitted by citizens.”

The reversal of PPD-20 also sends a global message at a critical time for the US. "The change in the US government stance on cyber weapons being used for cyber-offensive against adversaries comes just ahead of the US midterm elections. This is very likely a public indication that any nation-state who tries to hack or manipulate the upcoming elections, the US government has taken the gloves off and will respond," Carson said.

Categories: Cyber Risk News

Firewall Still Critical Tool in Network Security

Fri, 08/17/2018 - 16:09
Firewall Still Critical Tool in Network Security

The increased number of firewalls within security infrastructures has created challenges, leaving many organizations struggling with basic firewall management, according to a new report from FireMon.

In its fourth annual State of the Firewall report, FireMon polled 334 C-suite executives, IT practitioners and security professionals at global companies of all sizes to understand both the state of firewall management and the impact of emerging technologies.

The report found that companies planning to adopt hybrid cloud models face the potential of increased risk with network security policy management if they are not practicing basic firewall hygiene. For the vast majority of participating organizations, the firewall remains a critical tool in their overall security ecosystem. In fact, 94% said firewalls are either as critical as or more critical than they have ever been and believe the firewall will still be as critical or more critical over the next five years.

That 24% of companies invest more than 25% of their total network security budget and 39% of companies allocate 10% to 24% of it in firewall technologies confirms that firewalls will remain a signature tool in the overall security architecture.

Those firewall technologies do present challenges, though. For nearly a third (30%) of the responding companies, rule complexity is a top challenge. Policy compliance and audit readiness is problematic for 17% of companies and 14% are pained by firewall rule optimization.

With more than 26% of companies managing over 100 firewalls on their network, organizations are challenged with firewall management. A third of participating companies said they have 10 to 99 firewalls on their network. The increased number of firewalls companies are managing produces overwhelming numbers of change requests each week, leaving 40% of companies processing 10 to 99 requests.

“Many companies are still trying to manage firewall rules manually, but in this era of next-gen architectures and sophisticated malware, this is no longer an effective way to enforce access policies and mitigate risk,” said FireMon CEO Satin Mirchandani in a press release.

“With more than half of survey respondents stating that three or more teams are involved in change management, the high number of change requests alone can drain valuable time, resources and budget from any security program. Factor in new technology adoption, and the stage is set for further policy management problems.”

Categories: Cyber Risk News

Smart Home Alert as MQTT Mistakes Expose Users

Fri, 08/17/2018 - 09:56
Smart Home Alert as MQTT Mistakes Expose Users

Security experts are warning of another major smart home security threat after revealing that as many as 32,000 businesses and homes have failed to protect systems exposed via the internet.

The issue resides in the lightweight Message Queuing Telemetry Transport (MQTT) protocol, favored in IoT networks to transfer data between machines.

When implementing it at home, users are required to set-up a server, usually on a PC or mini-computer like a Raspberry Pi, that the devices can communicate with.

Unfortunately, security vendor Avast found 49,000 such MQTT servers publicly visible on the internet via a simple Shodan search, with 32,000 featuring no password protection. This global figure might seem rather low, but the vendor clarified to Infosecurity that the protocol is used mainly by more "advanced tech users."

This could be creating cybersecurity, privacy and even physical security risks for users, according to Avast researcher, Martin Hron.

“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” he argued. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”

Hron painted several scenarios where these MQTT issues could be exploited by attackers.

With access to MQTT data, they could read the status of smart window and door sensors and locks and smart lighting, and even insert their own commands into the data to open doors, he claimed.

If the server is protected, hackers could try the smart home dashboard running on the same IP address, as these are often either not password protected or easily crackable. If that avenue fails, they could try open and insecure SMB shares running on the popular Home Assistant platform, including passwords and keys stored in plaintext, which could give them complete control over the smart home, the vendor claimed.

Avast also warned that hackers could track users’ location if they use the MQTT-compatible OwnTracks app.

Categories: Cyber Risk News

Security Experts Welcome Rise in Students Taking Computing A-Level

Fri, 08/17/2018 - 09:05
Security Experts Welcome Rise in Students Taking Computing A-Level

Cybersecurity experts have welcomed the greater numbers of students taking the Computing A-level exam in the UK this year but warned more is needed to fill the talent pipeline for workplace roles.

A-level results were announced on Thursday and revealed an increase in numbers taking the IT course, from 8299 last year to 10,286 in 2018.

Grades were also up slightly. Some 3.3% gained an A*, up from 3%, while 18.2% got an A-grade, up from 16.9%. The number gaining B-grades also jumped slightly (1.7%) to reach a total of 39.3% while Cs jumped 1.3% to 62.5%.

Although the vast majority taking the course (88%) were male students, they were outperformed again by their female counterparts.

Although these figures are slightly improved from the 90% of male students who took the course last year, the gender imbalance is an ongoing challenge which is mirrored in university courses, explained Ivanti director and UK Women in Tech ambassador, Sarah Lewis.

“The digital skills gap is a massive issue in the UK and globally, as technology — including malevolent technology such as the tools used by cyber-criminals — evolves at a rapid pace. Bring the number of women working in computing up so that it is equal to men and you've doubled the talent pool,” she argued.

“It sounds simple in theory, but in practice it requires businesses and governments to invest in programs and schemes to break down barriers stopping young women from viewing a career in computing, and technology more widely, as viable. The future must be female in order to bridge the digital skills gap.”

Trend Micro principal security strategist, Bharat Mistry, also argued that more work is needed to build a stronger pipeline of talent to enter the workforce.

“Closing this gap isn’t just a challenge for the public sector to solve, businesses have their role too,” he said.

“Whether that’s through hosting hacking competitions aimed at students and young professionals, or offering up their experts to help train school leavers, businesses can help those interested in cybersecurity build on their technical skills and learn how to solve real-world problems in a dynamic environment — making them workplace-ready.”

Alex Hinchliffe, a threat intelligence analyst at Palo Alto Networks' Unit 42, argued that even those not taking IT-related courses at school should be encouraged to consider a career in cybersecurity.

“People who studied humanities, for example, are often better at predicting malware patterns based on previous information,” he claimed. “Threat research degrees have also recently become available as the industry booms, and while maths may be necessary for certain roles, humanities and social science graduates are just as valuable to a threat intelligence team.”

Categories: Cyber Risk News

UK Researchers Warn of Serious WordPress PHP Flaw

Fri, 08/17/2018 - 08:43
UK Researchers Warn of Serious WordPress PHP Flaw

A British researcher has published details of a serious WordPress flaw left unfixed for over a year which could allow for complete system compromise.

Sam Thomas, head of research at Secarma, presented the paper It’s a PHP Unserialization Vulnerability Jim, but Not as We Know It — to attendees at the BSides conference in Manchester on Thursday.

By uploading a specially crafted file to the targeted app, attackers can trigger a file operation through the "phar://" stream wrapper. That in turn triggers eXternal Entity (XXE – XML) and Server Side Request Forgery (SSRF) flaws which force the app to "unserialize" metadata contained in the file, potentially resulting in execution of malicious code.

Secarma claimed its research reveals that a category of vulnerabilities previously not considered critical can in fact have a major impact on victim systems.

“This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages,” said Thomas. “We must constantly be aware of the security impact of such mechanisms being exposed to attackers.”

WordPress is used by millions of web owners around the world including 30% of the world’s top 1000 websites, according to Secarma, meaning hackers could reach a potentially huge number of victims.

The popular open source CMS platform was notified in February 2017 but has yet to fully resolve the issue, according to the UK research firm.

“WordPress is an incredibly popular platform, widely used across the globe by bloggers, news outlets and all manner of businesses. It’s not uncommon to uncover vulnerabilities in systems and it’s important that organizations react quickly to protect their customers when something like this is discovered,” said Secarma CEO Lawrence Jones.

“Penetration testing is very accessible nowadays and it’s so important that businesses are proactive and regularly test any applications they put online.”

Categories: Cyber Risk News

PUB File That Drops Ammyy Targeted 2,700 Banks

Thu, 08/16/2018 - 17:17
PUB File That Drops Ammyy Targeted 2,700 Banks

A campaign that began weeks ago and targeted approximately 2,700 Fortune 100 banking institutions in the US and around the world with a widespread botnet attack came to a sudden halt as of 15:37 EST on 15 August, according to researchers at Cofense. The phishing emails appeared to be coming from India and contained the subject lines “Request BOI” or “Payment Advice.”

Malware analysts had been tracking the Necurs botnet for the last several months and observed the highly targeted phishing campaign as an attempt to go after the financial sector for the first time. The threat actors were reportedly attempting to get a foothold on the banks’ infrastructure and set the stage for potential further attacks.

First observed in 2012 and famed for sending Locky a few years ago, Necurs rootkit couples multiple Domain Generation Algorithms (DGAs) with .bit domain names and P2P communications.

After studying the increased botnet campaigns over the last several weeks, researchers found that all of the recipients were employed at banks. In addition, researchers noted a new file extension .pub, which belongs to Microsoft Publisher, attached to the phishing campaigns.

This unexpected change in file extension happened at 7:30 am on 15 August. “Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defense protecting you from malicious Word docs, Necurs adapts and throws you a curve ball,” researchers wrote.

“The banks range from small regional banks all the way up to the largest financial institutions in the world. We have not yet determined the actor(s) behind this specific campaign or the final goal.”

The .pub extension contained an embedded macro that, when executed, downloaded from a remote host, resulting in the FlawedAmmyy remote access Trojan (RAT). With this final payload, the attackers gained full remote control of the compromised host, enabling both credentials theft and the potential of future lateral movement within the banking institution.

Categories: Cyber Risk News

Deals Get Phishy for Real Estate Sector

Thu, 08/16/2018 - 16:38
Deals Get Phishy for Real Estate Sector

Cyber-criminals are leveraging on the shift from pen and paper to electronic signatures in real estate transactions. According to new research from  Proofpoint, fraudulent real estate transactions are being used to steal people’s credentials.

Attackers are capitalizing on the number of unfamiliar parties and documents involved in a typical real estate transaction to lure unsuspecting homebuyers into clicking on fake landing pages.

Researchers have identified schemes employed by attackers targeting homebuyers with DocuSign lures and fake Office 365 login pages associated with bogus real estate documents. In addition, the computer networks of real estate firms have been directly attacked with remote access Trojans (RATs) to obtain confidential information.

The electronic signature has proven to be an effective target for threat actors, and click rates for DocuSign lures are averaging five times higher than click rates for the top 20 lures, according to a 15 August blog post.

The goal, however, is not to steal users’ DocuSign credentials. Rather, the lure is to have victims log in to fake DocuSign landing pages with third-party credentials such as Microsoft Office 365 or other generic email credentials.

“These landing pages are linked in phishing emails; the URLs for the links suggest targeting for homebuyers and generally reside on compromised sites, the administrators of which have all been notified,” Proofpoint wrote.

In addition to abusing the DocuSign brand to harvest credentials on phishing pages, attackers have used other phishing templates specific to mortgage closings. The phishing landing page – complete with national realtor and Norton logos – tricks users into thinking they are opening documents containing their closing disclosure.

Though less frequent than real estate phishing, attackers are also targeting real estate businesses, including realtors and homeowner insurance agencies, using RATs. “Because of the nature of the transactions in which these business engage, RATs and information stealers offer additional opportunities for threat actors to steal a range of personal and banking information.”

Categories: Cyber Risk News

Trump Signs NIST Act to Benefit Small Businesses

Thu, 08/16/2018 - 16:34
Trump Signs NIST Act to Benefit Small Businesses

Small businesses will soon receive help implementing voluntary cybersecurity frameworks as defined by the National Institute of Standards and Technology (NIST) after President Trump signed the “NIST Small Business Cybersecurity Act” S. 770 on 15 August.

In addition to providing resources to small businesses, the bill, which requires NIST develop and disseminate resources for small businesses to help reduce their cybersecurity risk, also states that future NIST standards consider the needs of small businesses.

The bill represents a step forward for both the cybersecurity industry and for SMBs struggling to be in accordance with the NIST standards. “This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” said Dr. Bret Fund, founder and CEO at SecureSet.

Widely seen as a step in the right direction toward cybersecurity compliance and readiness for SMBs, Fund said the bill also signals President Trump's intent to improve cybersecurity overall.

“With the increase in cyber-attacks, it is great to see the administration continue to invest in cybersecurity initiatives. Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks,” said Dirk Morris, chief product officer at Untangle.

Small businesses have long been at risk of cyber-attacks as nefarious actors know that SMBs are limited in both budgets and staff, making it difficult for most small businesses to implement strong security strategies. “Recent reports show that smaller businesses lose proportionately more to cyber-attacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures,” said Anupam Sahai, vice president of product management at Cavirin.

“This is a very positive step, as smaller enterprises may not have the skills or budget to implement a broad-based program. The Act will help with focus. The proof will be how the necessary resources are actually made available.”

Categories: Cyber Risk News

Customer Files $223m SIM Fraud Suit Against AT&T

Thu, 08/16/2018 - 09:54
Customer Files $223m SIM Fraud Suit Against AT&T

A US entrepreneur and cryptocurrency investor has filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud.

Lawyers acting on behalf of Michael Terpin filed 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and other charges in a US District Court in Los Angeles yesterday.

On January 7, an AT&T agent in a Connecticut store is alleged to have agreed to transfer Terpin's mobile phone number to a new SIM, which an “international criminal gang” then used to commit major identity fraud.

Specifically, they were able to circumvent 2FA security on his cryptocurrency accounts by intercepting one-time SMS passcodes to access them and then transfer funds to the tune of $24m elsewhere.

“Even after AT&T had placed vaunted additional protection on his account after an earlier incident, an imposter posing as Mr Terpin was able to easily obtain Mr Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password,” the complaint alleges.

“It was AT&T’s act of providing hackers with access to Mr Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur. What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewellery in the safe from the rightful owner.”

The complaint further alleges that AT&T’s 140 million customers are at a similar risk of SIM swap fraud “because it has become too big to care.”

AT&T is disputing the allegations and claims to be looking forward to “presenting our case in court.”

Categories: Cyber Risk News

UK Identity Fraud Falls but Online Scams Rise

Thu, 08/16/2018 - 09:30
UK Identity Fraud Falls but Online Scams Rise

Identity fraud in the UK has fallen for the first time in four years but the number of online scams continue to rise, especially in the retail sector, according to Cifas.

The not-for-profit fraud prevention organization claimed a drop in identity fraud of 5% in the first six months of 2018 compared to the same period last year.

However, identity fraud still comprises over half of all fraud reported by Cifas, with online accounting for 87%. That figure is up from the last time Infosecurity contacted the non-profit in April, when a spokesperson said that 84% of identity fraud occurs through online channels.

Identity fraud against online retail accounts has risen by 24% (1232 cases), while there has been a steep rise in fraudulent applications for credit and debit cards (12%).

On the other side, Cifas recorded a 12% reduction in the volume of bank accounts being targeted by identity fraudsters, and a 34% reduction in attempts to obtain mobile phone contracts.

The most popular ways to obtain the digital identity data needed to make fraudulent applications online are still by buying it off the cybercrime underground, social engineering and ‘hacking’, it said.

Sandra Peaston, director of strategy, policy and insight at Cifas, pointed out that identity fraud hit an all-time-high at the end of 2017, so any reversal of this trend should be viewed positively.

“However, these new figures demonstrate that identity fraudsters adapt quickly to try and circumvent security measures. The re-targeting of plastic cards, following a drop in 2017, is a prime example of this,” she added.

“With identity fraud remaining uncomfortably high, more personal information available online, and increasing numbers of data breaches, the protection of personal data must be viewed as a collective responsibility. Everyone should play their part, from individuals and organizations taking steps to protect personal data to businesses ensuring their fraud prevention practices effectively defend against evolving tactics employed by identity fraudsters.”

Categories: Cyber Risk News

Indian Bank Loses $13.5m in Global Attack

Thu, 08/16/2018 - 08:47
Indian Bank Loses $13.5m in Global Attack

An Indian bank has lost nearly 944m rupees ($13.5m) after hackers withdrew the funds from ATMs around the world and made other fraudulent SWIFT transfers.

Pune-headquartered Cosmos Bank claimed the attackers first stole customer information by installing malware on the firm’s ATM server, before conducting the globally co-ordinated withdrawals in 28 countries on August 11.

An alert from the FBI warned unnamed banks on Friday of an imminent “global Automated Teller Machine (ATM) cash-out scheme” but was unable to halt the sophisticated plot.

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” it noted. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

The self-styled “leading co-operative bank in India” was also hit by three unauthorized transfers via SWIFT to a Hong Kong company’s account worth 139m rupees ($2m).

The lender claimed that the hackers managed to bypass the main switching system used for debit card payments.

“During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system,” it said in a press release seen by Reuters.

The case will bring to mind a series of high-profile raids on financial institutions over the past few years, many of them involving the SWIFT interbank transfer network.

Tamil Nadu-headquartered City Union Bank was targeted in February, when an alleged international group of hackers tried to make $2m worth of illegal transfers, although they only succeeded in getting half of that.

The run of attacks on lenders began with a major $81m raid on Bangladesh Bank back in 2016 which was subsequently blamed on the infamous North Korea-linked Lazarus Group.

Categories: Cyber Risk News

What Drives Hackers to a Life of Cybercrime?

Wed, 08/15/2018 - 14:58
What Drives Hackers to a Life of Cybercrime?

It likely comes as no surprise that cyber-criminals are financially motivated, but according to new research, many nefarious actors in the cyber world are also driven to a life of digital crime by ego as well as socioeconomic and psychological factors.

As follow-up to the recent report Under the Hoodie: Lessons from a Season of Penetration Testing published by Rapid 7, Wendy Zamora, malware intelligence at Malwarebytes, set to work on a months-long research piece exploring the psychology, motivations and other underlying factors that drive people to cybercrime.

The results of her work were published today in the long-form article "Under the Hoodie: Why Money, Power, and Ego Drive Hackers to Cybercrime" which includes interviews with reformed and active cyber-criminals as well as research from forensic psychologists, law enforcement officials and professors of criminology.

Zamora's research reveals that the main motivations for cyber-criminals include socioeconomic factors, technical skill and psychological drivers such as revenge and ego. Throughout the article, she breaks down each factor to create a general cyber-criminal persona, pinpointing the various motivations to particular forms of cybercrime, such as social engineering and malware creation.

In reference to interviews with one of her subjects who became enamored by the ease with which he could earn money, Zamora writes, “What’s not to like? Money, popularity, and a quiet 'screw you' to the man. He was proud of his ability to hack into and modify programs built by professionals.”

The results of her research highlight the value of criminal profiling, a psychological assessment that looks at both personality and physical characteristics. Criminal profiles are not as useful in identifying the individual perpetrator as much as they are helpful in narrowing the field of suspects.  

Understanding what motivates cyber-criminals can also serve as a pathway to help them transition from cyber-criminals to white hat hackers. “There’s a razor thin line separating the white hats from the black,” Zamora describes.

“Cyber-criminals are equally passionate and skilled at what they do, but the lens through which they view the world may be blurred by socioeconomic circumstances or psychological hang-ups. There are those that may be beyond hope, but there are also those who are simply too young or too insecure to work a system that feels like it’s set up to watch them fail.”

Categories: Cyber Risk News

NSA Insider Teaches Next-Gen IT Strategies

Wed, 08/15/2018 - 14:18
NSA Insider Teaches Next-Gen IT Strategies

Given the cybersecurity threats that present risks to individuals, organizations and government entities around the globe, cybersecurity professionals need to know how to defend against current and emerging threats. The new book Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time, written by cybersecurity expert and NSA insider O. Sami Saydjari, offers insight into next-generation IT strategies and defenses.

Engineering Trustworthy Systems; Get Cybersecurity Design Right the First Time (McGraw-Hill, July 2018, 672 pages; Trade Paper, $60, ISBN: 978-1-260-11817-9).

Founder and president of Cyber Defense Agency, Saydjari is a cybersecurity thought leader with 35 years of experience who worked for the NSA, DARPA, DoD and NASA, and has consulted leaders on cybersecurity policy and written more than a dozen papers.

“I can think of no person better qualified to write this sorely needed tome. Sami is one of the leading conceptual innovators in the cybersecurity field with over three decades of experience in all aspects of cybersecurity engineering,” said Brian Snow, former National Security Agency, technical director.

“He is internationally recognized and trusted as a talented cybersecurity architect. His understanding of this complex topic is both expansively wide and impressively deep in many areas. Despite that, or perhaps because of it, he has a unique ability to communicate the most complex and subtle content in terms that are clear and easily understood.”

While underscoring the need for increased national investment in cybersecurity, Engineering Trustworthy Systems also defines all aspects of the cybersecurity problem. Practitioners will gain an understanding of how to move forward in solving emerging problems while also looking at the potential pitfalls that can get in the way of designing defenses against attacks.

“This book is for those vulnerable to cyberattacks, the very people who are dependent on information technology – businesses, government, legal, medical and academic sectors,” Saydjari said.

Former National Security Advisor to President Ronald Reagan, John M. Poindexter, PhD, VADM, USN(Ret), said, “This is the 'bible' for cybersecurity, which needs to be consulted as we struggle to solve this enormous threat to our national security.”

The book is intended to be an authoritative guide for crafting cutting-edge cybersecurity solutions to defend against even the most sophisticated attacks. “Much of the information in this book can be found nowhere else and represents the distilled experiences of over three decades of work as a cybersecurity researcher, architect and engineer,” said Saydjari. 

“The book carefully builds from the most foundational elements of cybersecurity to the most complex and nuanced topics that can make your performance in cybersecurity more effective, efficient and stronger.”

Categories: Cyber Risk News

Credential-Stealing Financial Trojan Targets Banks

Wed, 08/15/2018 - 13:46
Credential-Stealing Financial Trojan Targets Banks

Financial institutions have long been the target of cyberattack, and today researchers at Cyberbit announced they have discovered a new variant of Trickbot, a modular malware and well-known financial Trojan that targets customers of large banks and steals their credentials.

Since first discovered in 2016, new variants have emerged, updated with new tricks and modules. Researchers analyzed Trickbot’s most recent infection vector – a malicious Word document – that only executes its macro after a user has both clicked “enable content” and resized the window by zooming in and out of the document.

Upon a user performing both of these functions, the macros execute a PowerShell that downloads and executes the Trickbot. Researchers noted that the variant leverages a variety of new evasion techniques, including a stealthy code-injection technique that performs process hollowing used for unpacking – as was seen in older samples of the Trickbot. With this variant, the process hollowing is done using direct system calls. In addition, by calling long/short sleeps, the malware sleeps for anywhere from 11 to 30 second and avoids sandboxes.

Trickbot also leverages anti-research/analysis using encryptions and useless function calls and avoids detection by disabling and deleting the Windows defender service. Attackers can leverage these techniques to steal users’ credentials and access their bank accounts.  

“Organizations should be aware of this new trend to directly call functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat,” wrote Hod Gavriel in today’s blog post.

This latest discovery is one of a few emerging threats that banks and their customers are facing. Recent research published by ESET and CERT.PL noted a technique used with the BackSwap banker malware whereby it hooks the Windows message loop events to look for banking activity. According to a 6 August post from Cyberbit, BackSwap also was able to hide its code in fraudulent copies of legitimate computer programs.

Categories: Cyber Risk News

Just 10% of UK Firms Have No Cyber Insurance

Wed, 08/15/2018 - 10:11
Just 10% of UK Firms Have No Cyber Insurance

UK companies appear to be forging ahead globally when it comes to take-up of cyber insurance, although relatively few have full coverage, according to a new report from Ovum.

Predictive analytics firm FICO commissioned the industry analyst to poll 500 senior executives, mainly from IT, across 11 countries: the UK, US, Canada, Brazil, Mexico, Germany, India, Finland, Norway, Sweden and South Africa.

It found that 90% of UK firms have some form of insurance in place to mitigate the risk of cyber-threats, compared to an average of 76% in all countries surveyed.

Telecoms firms (17%) were most likely to have no insurance, compared to just 5% of financial services firms.

The figures overall are significantly better than last year’s findings, which revealed that just 69% of UK firms reported having cybersecurity insurance.

However, there’s clearly some way to go for the industry: just 38% of UK organizations claimed to have cybersecurity insurance covering all risks.

“Although UK organizations perform well in terms of the uptake of cyber insurance, the fact that fewer than 40% have comprehensive insurance demonstrates there is still some way to go for these firms to have a broad view of their security posture and how to present it for insurance,” said Maxine Holt, research director at Ovum.

“It could also show that these companies have a current security posture that insurers are not prepared to cover comprehensively. We should not detract from the positive news here; 90% of UK organizations have elevated the importance of cybersecurity to a level that requires insuring, even if only partially.”

Cyber insurance is widely regarded as a positive trend for the industry as long as it’s not regarded as a silver bullet. As most policies first require a baseline level of good security practice, it’s thought that the expansion of coverage will drive improvements in this area.

Categories: Cyber Risk News

Microsoft Fixes 60 Flaws Including Two Zero-Days

Wed, 08/15/2018 - 10:01
Microsoft Fixes 60 Flaws Including Two Zero-Days

Microsoft has fixed 60 vulnerabilities this monthly update round, including two zero-days and patches for the newly disclosed Intel L1TF bugs.

August Patch Tuesday saw updates to fix two zero-days already publicly disclosed and being exploited in the wild. These should be the top priorities for admins this month, according to Ivanti director of product management, security, Chris Goettl.

“CVE-2018-8373 is a vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. Exploitation could result in remote code execution and grants the same privileges as the logged-in user including administrative rights. Because this vulnerability exists in IE 9, 10, and 11, it affects all Windows operating systems from Server 2008 to Windows 10,” he explained.

“The second zero-day vulnerability, CVE-2018-8414, is a code execution vulnerability that exists when the Windows Shell does not properly validate file paths. Exploitation can also result in remote code execution with the privileges of the logged-in user. This vulnerability is not as widespread, existing on only Windows 10 1703 and newer, Server 1709 and Server 1803.”

Microsoft also published an advisory covering the newly disclosed Spectre/Meltdown-like L1TF vulnerabilities. The Redmond giant has released several updates to help mitigate them, but warned that users of VBS or versions of Hyper-V prior to Windows Server 2016 may need to disable Hyper-Threading, which could cause performance degradation.

Elsewhere, Qualys director of product management, Jimmy Graham, urged admins to prioritize browser and scripting engine patches for “workstation-type devices,” especially a fix for CVE-2018-8373.

He also pointed to CVE-2018-8345 for workstations and servers, Exchange flaw CVE-2018-8302, and Microsoft SQL RCE vulnerability CVE-2018-8273 as ones to address urgently.

Not to be outdone, Adobe released more updates on Tuesday, including fixes for five Flash Player updates and two new critical flaws in Reader and Acrobat, to follow the 100 announced last month.

Categories: Cyber Risk News

Intel Reveals Three High Severity Memory Flaws

Wed, 08/15/2018 - 09:04
Intel Reveals Three High Severity Memory Flaws

Intel has revealed details of a new set of Spectre-like vulnerabilities in its Core and Xeon processors which could allow malicious attackers to steal highly sensitive information from memory on PCs or in clouds.

The flaws were found in the chip giant’s Software Guard Extensions (SGX) technology, System Management Mode (SMM) and x86 virtual machines.

Together these speculative execution side-channel flaws have been labelled L1 Terminal Fault (L1TF) bugs because they target access to a chip’s L1 data cache.  

The first, CVE-2018-3615, has been dubbed “Foreshadow” by the researchers that discovered it. It affects the supposedly secure enclave of SGX, to allow “unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local-user access via side-channel analysis.” It can apparently be fixed by applying Intel’s Q2 microcode update.

The second flaw, which Intel discovered, (CVE-2018-3620) affects SMM and OS kernels and allows “unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.” Applying the aforementioned microcode and OS kernel patches is required.

Finally, CVE-2018-3646, also found by Intel, affects hypervisors and VMs. Chips that use speculative execution and address translations “may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis." It would therefore make it feasible for guest VMs on a cloud platform to steal info from other VMs.

Admins will need to apply the microcode, as well as OS and hypervisor updates.

The good news is that there are no reports of the flaws being used in real world exploits, new Cascade Lake chips are being produced to mitigate the vulnerabilities and patches are being released by Intel and industry partners.

“As long as users install the update, they’ll be fine. And in fact, the vast majority of PC owners don’t use SGX, so it’s not likely to become a major problem right now,” said Foreshadow report author Thomas Wenisch, of the SGX flaw. “The real danger lies in the future, if SGX becomes more popular and there are still large numbers of machines that haven’t been updated. That’s why this update is so important.”

Categories: Cyber Risk News

For Google, No Tracking Means We Still Track You

Tue, 08/14/2018 - 17:12
For Google, No Tracking Means We Still Track You

Google is so intrigued by the places users go that it continues to track their locations even after users turn off the Location History, according to findings from a recent AP investigation conducted by computer-science researchers at Princeton.

For a global conglomerate like Google, "no" doesn’t necessarily mean "no" when it comes to tracking user locations. Users do have the option to adjust their privacy settings so that location information is turned off or only on while an app like Google Maps is in use. However, when Gunes Acar, a privacy researcher at Princeton, turned off his Location History and took to the road to verify that he was not being tracked, he discovered that the privacy settings were ineffective.

The results of what the location data collected over the course of three days was compiled in a map and included “Acar’s train commute on two trips to New York and visits to The High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem,” according to AP.

Users have long been suspicious about actually being able to shut off Google’s location services. As it turns out, those suspicions were warranted. Acar confirmed that his travels were indeed tracked and stored, even without his consent.

“There are a number of different ways that Google may use location to improve people’s experience, including Location History, Web and App Activity and through device-level Location Services,” a Google spokesperson said in a statement to the AP. “We provide clear descriptions of these tools and robust controls so people can turn them on or off, and delete their histories at any time.”

The report raises several different privacy questions, particularly when it comes to user consent of data collection. “When it comes to information privacy, we need to start asking a different set of questions, such as: What data may legitimately be collected? What are legitimate uses for data that is collected?” said Todd Shollenbarger, chief global strategist, Veridium.

Categories: Cyber Risk News

Stopping Russian Attacks on Candidate Websites

Tue, 08/14/2018 - 16:13
Stopping Russian Attacks on Candidate Websites

As the midterm elections grow closer, concerns for voting security continue to mount, particularly in light of research unveiled after this year’s Def Con security conference, which found that the websites of nearly one-third of the US House candidates are vulnerable to attack.

Independent researchers unveiled the alarming security problems that exist in the websites of three in every 10 candidates - both Republican and Democrat - running for the US House of Representatives, according to news from Reuters.

Under the leadership of former National Institutes for Standards and Technology (NIST) security expert Joshua Franklin, a team of four independent researchers used automated scans to test the websites of candidates on both sides of the aisle and reportedly found multiple vulnerabilities. Franklin told Reuters that the team is trying to contact all the candidates so that they can fix the problems.

Earlier this month, the ever-present threats from cyber-criminals became a reality for Tabitha Isner, the Democratic candidate running in Alabama's second congressional district, who alleged Russians attempted to hack her campaign website. Just this week Sen. Bill Nelson (D-Fla.) said that Russians penetrated voter registration systems in Florida.  

As candidates struggle to shore up their websites, vendors in the cybersecurity space are moving forward in the development of new technologies to help candidates running for office.

Thycotic announced today that it has released a free Cybersecurity Election Protection Toolkit to help campaigns for federal, state and local elected offices prevent attacks on their credentials/passwords amid recent cyber-threats by Russian hackers and other cyber-criminals.

The toolkit includes links to additional free online tools, such as Password Strength Checker and Strong Password Generator, which is available to any organization looking to protect its critical data assets.

“With many in the U.S. House of Representatives and the Senate up for reelection in November, along with a host of newcomers on the political scene, our goal in offering this Election Protection Toolkit is to help ensure the integrity of our midterm elections,” said Steve Kahan, chief marketing officer at Thycotic.

Categories: Cyber Risk News