Because the attacks hit either e-commerce websites directly or the third-party software libraries on which merchants rely, the bulletin warned that “these service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.”
Troy Leach, chief technology officer, PCI Security Standards Council, said: “We have heard from many of our stakeholders in the payment community that these types of attacks are a growing trend for many businesses, large and small. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the retail and hospitality sector who battle these threats daily.”
The alert warned that any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. “There are ways to prevent these difficult-to-detect attacks however,” said Leach. “A defense-in-depth approach with ongoing commitment to security, especially by third-party partners, will help guard against becoming a victim of this threat.”
Carlos Kizzee, vice-president, intelligence at the Retail and Hospitality ISAC, added that these attack techniques are of increasing significance to the retail and hospitality industry, and it is important that businesses grow their awareness of the nature of these attacks and of the security controls necessary to detect and defeat them.
Kizzee said: “The bulletin we are jointly issuing today should be a call to action to those in the business community to enhance their awareness of and vigilance against these techniques. No one should presume that they couldn’t or won’t be used to target their enterprise.
“We must endeavor to ensure that focused attention, commitment and peer collaboration in e-commerce cybersecurity efforts within the retail and hospitality industry outpaces the growth and evolution of threats such as these.”
Global automobile manufacturer Honda leaked a database of company data that exposed 134 million documents, roughly 40GB of information.
In a blog post, researcher xxdesmus revealed how he discovered an Elasticsearch database that was reachable without any authentication.
“The data contained within this database was related to the internal network and computers of Honda Motor Company. The information available in the database appeared to be something like an inventory of all Honda internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software. I would like to thank the security team at Honda Motor Company for their very prompt action to secure the database shortly after being notified.”
A statement from Honda to the researcher read: “The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers. We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future.”
Igor Baikalov, chief scientist at Securonix, said, “This is a hacker’s dream, a treasure trove of the most sought-after information. Whoever has it can own Honda’s network. While it is unclear if this data has already been accessed by someone maliciously, it does highlight a concerning flaw in the security practices of Honda.”
If an attacker has already gained access, they could use the data to carry out further attacks and gain deeper access to Honda’s networks, causing substantial damage, he added.
“This incident should be a lesson to organizations that any documents, servers or databases should be secured and at the very least password protected. What may seem like meaningless logs to an organization could actually provide a wealth of opportunity to a skilled and knowledgeable attacker.”
Dwindling resources, experience and skills are the biggest challenges facing the cybersecurity profession today, according to new research from the Chartered Institute of Information Security.
Nearly half (45%) of those polled for the institute’s annual survey, The Security Profession in 2018/19, pointed to lack of resources as the biggest issue they face, followed by lack of experience (37%) and skills shortages (31%).
The latter have been an issue for years, with global shortages estimated at nearly three million, including 142,000 in EMEA.
The professionals who are in post risk being swamped by the black hats: just 11% of respondents said security budgets were rising in line with, or ahead of, threat levels, while the majority (52%) said budgets were rising, but not quickly enough.
When asked to choose between people, process and technology, the vast majority of professionals polled for this report claimed that people (75%) were the biggest challenge to cybersecurity, rather than process (12%) and technology (13%).
“Clearly, this could be a shortage of skilled security architects, the fact that developers seldom create secure code, the user awareness problem where passwords and phishing emails are concerned; probably it is a combination of people related issues,” the report explained.
On the plus side, the dearth of qualified professionals led a majority of respondents to claim this is a good time to join the industry: 86% said the industry will grow over the next three years and 13% said it will “boom.”
In addition, over 60% claimed the profession is getting better – or much better – at dealing with security incidents when they occur, while less than half (48%) said the same about defending systems from attack and protecting data. In fact, 14% said the profession is getting worse at this.
This highlights a general trend of organizations being forced to broaden their approach from prevention alone to include incident response.
“IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches,” said Amanda Finch, CEO of the Chartered Institute of Information Security.
“As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet in order to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat. Otherwise they will inevitably have to make compromises.”
Cisco has agreed to pay $8.6m to settle a lawsuit filed by a client alleging the networking giant knowingly sold video surveillance kit containing serious security vulnerabilities.
US law firm Phillips & Cohen said it filed a qui tam, or whistleblower, lawsuit on behalf of James Glenn, a consultant for a Cisco partner company of Danish origin. The firm is said to have fired Glenn after he submitted a report to Cisco detailing the flaws.
Although Cisco eventually fixed the software flaws, the lawsuit alleged that the firm potentially exposed the federal and state-level agencies that used the equipment.
The settlement covers sales of Cisco’s Video Surveillance Manager from 2007 to 2014. The system allows customers to manage and connect multiple internet-connected cameras through a central server.
Whistleblower attorney, Claire Sylvia, argued that many federal and state agencies depended on Cisco’s video surveillance systems to help monitor security at their facilities.
“Our client raised important security concerns. We alleged in our complaint that the software flaws were so severe that they compromised the security of the video surveillance systems and any computer system connected to them,” said Sylvia.
“Cybersecurity products are an important piece of government spending these days, and it’s essential that those products comply with critical regulatory and contractual requirements. The tech industry can expect whistleblowers to continue to step forward when serious problems are ignored, thanks to laws that reward and protect them.”
Cisco will pay the federal government and 15 states, as well as various cities, counties and other regional US administrations. Glenn himself will receive around $1.6m.
According to Cisco, this payment settles litigation originally brought in 2011. It revealed in a blog post that the software in question came from an acquisition of Broadware in 2007.
“Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached. In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us,” explained general counsel, Mark Chandler.
“In July, 2013, we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September, 2014.”
On the final day of the Cyber: Secured Forum in Dallas, moderators hosted a series of discussions in which attendees played a crucial part in putting forward solutions to some of the most pressing cyber–physical topics facing the security industry.
Attendees were divided into four different groups to collaborate on responses to some of the biggest cyber–physical challenges, including:
- The Tenets of a Cybersecurity Hardening Guide
- Privacy in the Age of Connected Devices
- Show Me the Money: The Considerations for Monetizing Cybersecurity as an Integrator
- Gap Analysis – How the Security Industry Should Address Cybersecurity
Across the groups, one of the key concerns for integrators was understanding how to monetize cybersecurity. To do this successfully, integrators need to acquire an array of skill sets they may not have; those looking to grow into an experienced provider need to rely on the skills of others while they build their own.
While it’s not all about the money, business is all about the money. Unfortunately, connectivity has opened up a Pandora’s box of opportunity and challenges for the physical security industry. Integrators are seeking to monetize cybersecurity services while ensuring new threats to their customers are mitigated in the systems they deploy.
In looking at privacy in the age of connected devices, attendees recognized that the lack of security in the internet of things poses not only digital but also physical privacy vulnerabilities. As such, solutions providers are working to ensure that their connected products are hardened out of the box and that those deploying them have the guidance to ensure that they provide customer value, not cybersecurity headaches.
The security industry needs to shift its siloed thinking in order to really address cybersecurity. One overarching theme of the Cyber: Secured Forum was that the lines between physical and cybersecurity are slowly disappearing. The vulnerabilities are overlapping, the risks are expanding and the ability to mitigate risks is hampered by an ever-growing skills gap. Collaboration, now more than ever, is key.
“There’s not really a difference from the hacker perspective. They are trying to use whatever avenue they can to exploit your company,” said Finney, CISO of Southern Methodist University. Where once penetration testers might have tested only the network, Finney now has pen testers come to campus and try to break into the wireless network or use social engineering to reach areas of campus where they aren’t supposed to be.
While the university is charged with protecting student data, Finney said, “We also want to protect them, wherever they are.”
The security industry is made up of people. In physical and cybersecurity, “both of us make our spouses sit with their backs to the restaurant so that we can see all the exits. We both integrate highly complex technologies, and we both know that the bad guys are going to figure out what our defenses are,” Finney said.
For years, it was believed that you couldn't have cybersecurity without physical security, but today, Finney said, the opposite is also true.
Finney shared lessons he learned as the CISO of Southern Methodist University, which has integrated support for physical security technologies and cybersecurity on the same team, prompted by a major event on campus.
The opening ceremony of the George W. Bush Presidential Library and Museum was planned on the SMU campus, and Finney explained that the Secret Service told him that the event would be the biggest security event because five living presidents would be in attendance.
Finney said that, with the help of an integrator, his team completed a campus-wide lock-down initiative, centralized support and improved response times to raise security for the event. The initiatives then had the lingering effect of improving the student experience, which helped reduce crime on campus, all while hardening systems against hacking.
Senior ministers from the UK, Australia, Canada, New Zealand and the United States have announced their support of weakening encryption, essentially asking tech companies to install backdoors in encrypted communications.
The news comes following a two-day security summit in London, where home affairs, interior security and immigration ministers of the ‘Five Eyes’ countries discussed current and emerging threats which could undermine national and global security.
As detailed in an official UK government release, “During a roundtable with tech firms, ministers stressed that law enforcement agencies’ efforts to investigate and prosecute the most serious crimes would be hampered if the industry carries out plans to implement end-to-end encryption, without the necessary safeguards.”
Home Secretary Priti Patel said: “The Five Eyes are united that tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals or put vulnerable people at risk.
“We heard today about the devastating and lifelong impact of child sexual exploitation and abuse, and agreed firm commitments to collaborate to get ahead of the threat.
“As Governments, protecting our citizens is our top priority, which is why through the unique and binding partnership of Five Eyes we will tackle these emerging threats together.”
Also speaking at the conclusion of the two-day conference was US Attorney General William P. Barr, who said that encryption presents a unique challenge and that the Five Eyes partnership has a duty to protect public safety, online as much as offline.
“We must ensure that we do not stand by as advances in technology create spaces where criminal activity of the most heinous kind can go undetected and unpunished.”
However, Javvad Malik, security awareness advocate at KnowBe4, said that calls to weaken encryption, or to place backdoors in, are periodically made by ill-informed politicians.
“No matter how hotly this is debated, it can't change the maths behind encryption, which will either work or not. Weakening encryption will do more harm than good, as it will leave all communication vulnerable and allow bad actors to compromise legitimate traffic,” he argued.
Organizations in the financial services sector have repeatedly been impacted by attackers leveraging credential stuffing and unique phishing attempts, according to newly released data in Akamai’s 2019 State of the Internet/Security Financial Services Attack Economy Report.
The report found that 50% of all the companies impacted by observed phishing domains were in the financial services sector. The report reflects the analysis of 3.5 billion attempts during an 18-month period that have put the personal data and banking information of financial services customers at risk.
Researchers observed that, between December 2, 2018, and May 4, 2019, 197,524 phishing domains were discovered. Customers were directly targeted in 66% of those attacks. In addition, “94% of the attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which accounted for more than 8 million attempts during this reporting period), based on Akamai’s calculations,” according to the report.
“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet/Security Report. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers.”
Criminals are using "bank drops," which researchers explained are packages of data that include a person’s stolen identity, that can be used to open accounts at a given financial institution. The packages are known as "fullz" by criminals online and include an individual’s name, address, date of birth, Social Security details, driver’s license information and credit score.
While financial institutions are trying to understand the methods criminals are using to open these drop accounts, attackers are gaining more success because they continue to target the financial services industry.
“Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works,” said McKeay. “Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail. It requires being able to detect, analyze, and defend against an intelligent criminal who’s using multiple different types of tools for a business to protect its customers.”
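Credential stuffing looks different in logs from classic password guessing: the stolen lists McKeay describes are replayed as many distinct usernames, each tried once or twice, from one source, with most attempts failing, whereas a brute-force attack hammers a single account. The following Python is an added example, not code from Akamai's report, that makes that distinction over a constructed sample of login-endpoint log lines; the log format, the thresholds, the IP addresses and the usernames are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login-endpoint log lines (not real traffic):
# timestamp, client IP, username tried, HTTP status (401 = failed login).
SAMPLE_LOG = """\
2019-05-01T10:00:01Z 203.0.113.5 POST /login user=alice status=401
2019-05-01T10:00:02Z 203.0.113.5 POST /login user=bob status=401
2019-05-01T10:00:02Z 203.0.113.5 POST /login user=carol status=401
2019-05-01T10:00:03Z 203.0.113.5 POST /login user=dave status=200
2019-05-01T10:00:03Z 203.0.113.5 POST /login user=erin status=401
2019-05-01T10:00:04Z 203.0.113.5 POST /login user=frank status=401
2019-05-01T10:00:10Z 198.51.100.7 POST /login user=alice status=401
2019-05-01T10:00:11Z 198.51.100.7 POST /login user=alice status=401
2019-05-01T10:00:12Z 198.51.100.7 POST /login user=alice status=401
2019-05-01T10:00:13Z 198.51.100.7 POST /login user=alice status=401
2019-05-01T10:00:14Z 198.51.100.7 POST /login user=alice status=401
2019-05-01T10:00:15Z 198.51.100.7 POST /login user=alice status=401
2019-05-01T10:00:20Z 192.0.2.9 POST /login user=grace status=401
2019-05-01T10:00:25Z 192.0.2.9 POST /login user=grace status=200
"""

# Assumed log layout; adjust the pattern to the real access-log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["status"] == "200",
        })
    return events


def classify_sources(events, window=timedelta(minutes=5),
                     min_attempts=5, min_fail_ratio=0.8):
    """Label each source IP: 'credential_stuffing', 'password_brute_force',
    'mixed_guessing' or None (nothing suspicious in any sliding window)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        label = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            failures = sum(1 for e in win if not e["ok"])
            if failures / len(win) < min_fail_ratio:
                continue
            users = {e["user"] for e in win}
            if len(users) == 1:
                label = "password_brute_force"   # one account, many passwords
            elif len(users) / len(win) >= 0.8:
                label = "credential_stuffing"    # one try per stolen credential
            else:
                label = "mixed_guessing"
            break
        verdicts[ip] = label
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Real stuffing campaigns are usually spread across proxy pools so that each IP stays under the per-source thresholds; the same classifier applied per username (many source IPs per account) or per ASN catches that variant, and a success inside an otherwise failing burst, as with `dave` above, is the account to force a password reset on.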
UK businesses are stepping up their preparations for a potentially tortuous split from the EU, with a third moving some operations to the continent to avoid data privacy regulatory issues, according to new research.
Business process outsourcer Parseq polled 500 decision makers in businesses with 250+ employees about how Brexit might impact their current data privacy obligations.
Although the GDPR is technically transposed into UK law, the country will require an “adequacy decision” from the European Commission to ensure unhindered data flows after it leaves the trading bloc – something that is certainly not guaranteed.
That’s why the vast majority (89%) of firms polled by Parseq said they’d taken proactive measures.
Around a third (35%) said they’d refocused their client base to the UK, while a similar number (32%) had transferred operations to the EU.
Nearly two-fifths (37%) said they have audited data flows to and from the EU and even more (42%) have sought advice from regulator the Information Commissioner’s Office (ICO).
Craig Naylor-Smith, managing director at Parseq, argued that UK firms are currently operating on shifting sands given the lack of clarity over post-Brexit data transfer arrangements.
“The Data Protection Act (2018) transposed the GDPR into UK law, but if the rules in Europe diverge once we leave the EU it could make transferring personal data to and from the continent more difficult — a vital consideration for businesses in our increasingly connected, digital world,” he added.
“With this in mind, it’s encouraging to see so many firms take proactive steps to prepare for the prospect of regulatory changes. However, with an even proportion of firms increasing their European presence and refocusing their position to the UK, it’s clear the best course of action will depend on individual strategies.”
The bottom line is: UK businesses must consider how Brexit could impact data privacy regulations as a matter of urgency, he said.
US-CERT has issued an ICS alert after a security researcher revealed cybersecurity shortcomings in small aircraft that could let an attacker with physical access feed pilots false instrument readings and cause loss of control.
The issues lie with the Controller Area Network (CAN) bus, a technology common in automobiles that connects electronic sensors and actuators and that is also used to link avionics components.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” the alert noted.
“The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft.”
The research itself was carried out by Rapid7’s Patrick Kiley, who is also a pilot. He spotted an over-reliance in the avionics sector on physical security and called for more defense-in-depth.
“Just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack, not less,” he argued in a blog post introducing the research.
“Think about it: if you felt like your internal LAN was totally and completely untouchable by attackers, you probably wouldn't worry much about software patching or password management. Of course, LANs aren't impregnable, and neither are CAN bus networks, so we're worried about this mindset when it comes to avionics security.”
The hope is that, just as greater scrutiny of these systems in the automotive industry has led to steps being taken to mitigate risk, the same can happen in the light aircraft space.
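A CAN frame carries an arbitration ID and up to eight bytes of data but no indication of who sent it, which is why a display unit cannot tell an injected altitude reading from the genuine one. One defense-in-depth measure, the approach AUTOSAR SecOC takes on automotive buses, is to spend part of the payload on a freshness counter and a truncated MAC under a key shared by sender and receiver. The Python below is an added illustration of that idea, not Rapid7's research code and not any avionics standard; the key, the 4/1/3-byte payload split, the arbitration ID and the sensor values are assumptions.

```python
import hashlib
import hmac
import struct

# Assumed shared key provisioned to the sending sensor node and the receiving
# display unit; a constructed value for this example only.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MAC_LEN = 3  # bytes of truncated MAC carried in each frame (assumption)


def _tag(can_id, body, key):
    # Bind the MAC to the arbitration ID as well as the body so a valid
    # payload cannot be replayed under a different message ID.
    msg = struct.pack(">H", can_id) + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(can_id, value, counter, key=KEY):
    """Classic CAN payload (8 bytes): 4-byte signed value, 1-byte counter, 3-byte MAC."""
    if not 0 <= counter <= 0xFF:
        raise ValueError("counter must fit in one byte; rekey or widen before it wraps")
    body = struct.pack(">iB", value, counter)
    return body + _tag(can_id, body, key)


class AuthenticatingReceiver:
    """Accepts a frame only if its MAC verifies and its counter advances."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = {}  # can_id -> last accepted counter

    def accept(self, can_id, payload):
        if len(payload) != 8:
            return None
        body, tag = payload[:5], payload[5:]
        if not hmac.compare_digest(tag, _tag(can_id, body, self.key)):
            return None  # forged or tampered frame
        value, counter = struct.unpack(">iB", body)
        if counter <= self.last_counter.get(can_id, -1):
            return None  # replayed frame
        self.last_counter[can_id] = counter
        return value


def naive_accept(payload):
    """A receiver without authentication trusts whatever appears on the bus."""
    return struct.unpack(">i", payload[:4])[0]


if __name__ == "__main__":
    rx = AuthenticatingReceiver()
    ALT_ID = 0x210  # assumed arbitration ID for an altitude message
    genuine = build_frame(ALT_ID, 5000, 1)
    spoofed = build_frame(ALT_ID, 9000, 2, key=b"\x00" * 16)  # attacker lacks the key
    print("genuine:", rx.accept(ALT_ID, genuine))   # 5000
    print("replay :", rx.accept(ALT_ID, genuine))   # None
    print("spoofed:", rx.accept(ALT_ID, spoofed))   # None
    print("naive  :", naive_accept(spoofed))        # 9000
```

The trade-offs are visible in the numbers: a 24-bit tag leaves a 2^-24 per-frame forgery chance, an 8-bit counter wraps after 256 messages and needs either a wider freshness value or periodic rekeying, and none of this helps if the attacker with physical access extracts the key from a node rather than plugging in a device. It does move the bar from "attach anything to the bus" to "compromise a keyed node", which is the defense-in-depth Kiley is asking for.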
Researchers are warning of a potentially serious Android ransomware threat that spreads via malicious links in SMS messages and posts in forums.
ESET malware researcher, Lukas Stefanko, explained in a blog post that Android/Filecoder.C has been active since at least July 12 — distributed via Reddit posts and an Android developers forum known as “XDA Developers.”
“Using victims’ contact lists, it spreads further via SMS with malicious links,” he continued.
“Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat.”
Once the malware has sent itself out via malicious SMS links, it encrypts most files on the victim’s device and demands a ransom. The texts that the victim’s contacts receive try to socially engineer them into clicking by claiming that their photos have been found in an app.
Most of the malicious forum and Reddit posts discuss porn-related topics, although some are also tech-related. Links, sometimes shortened, or QR codes are used to point to the malware, explained Stefanko.
“To maximize its reach, the ransomware has the 42 language versions of the message template seen in Figure 5. Before sending the messages, it chooses the version that fits the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them,” he continued.
“The malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed any time by the attacker, using the free Pastebin service.”
If users delete the ransomware app, their files stay encrypted for good, although there’s nothing to support the claim on the lock screen that affected data will be lost after 72 hours, ESET said.
The ransom itself is relatively small, around $94-$188.
The security vendor urged Android users to stick to the official Google Play store for app downloads, keep their devices up-to-date at all times, pay attention to permissions requested by apps and download AV to their handsets.
Sephora customers reportedly received an email in which the company explained that an unauthorized third party had gained access to the personal information of “some customers,” reportedly those in Australia, Hong Kong, Indonesia, Malaysia, New Zealand, the Philippines, Singapore and Thailand.
The exposed information included the users’ first and last name, date of birth, gender, email address, encrypted password and data related to “beauty preferences,” according to what Alia Gogi, managing director of Sephora Southeast Asia, reportedly wrote in an email.
Additionally, Gogi added that no credit card information was accessed and the company has “no reason to believe that any personal data has been misused,” the report said.
"It is a great challenge for many organizations to standardize their cybersecurity operations globally. Varying regulations for both security and privacy come into play, especially when dealing with an enterprise that operates around the globe,” said George Wrenn, founder and CEO of CyberSaint Security.
“This breakdown is why we see many large organizations flock to an integrated risk management (IRM) approach. IRM is allowing organizations to aggregate risk and compliance data from all business units and make smarter and more informed decisions. With the patchwork of regulations that are emerging around the world, cybersecurity leaders must be prepared to integrate their organizations to stay wholly aware of the posture of their organization."
Fraudsters and cyber-criminals have easy access to customer data given the mega breaches of the past few years, and Kevin Gosschalk, CEO, Arkose Labs, said that each subsequent breach only adds to the available information on the dark web, creating a paradigm of fraudulent activity.
“These types of incidents provide cyber-criminals with the incentive and tools they need in order to commit ongoing, lucrative and easy fraud. In this case, the information hackers had access to, including encrypted passwords and email addresses, can now be weaponized in future account takeover (ATO) attacks. While Sephora has cancelled all existing passwords as an immediate first step, customers are inherently still at risk,” Gosschalk added.
"There is an ongoing onus on Sephora to safeguard its customers against future cybercrime associated with their password vulnerabilities. Our reality is that cybercrime is a well-funded and connected business where fraudsters have access to sophisticated tools and resources to launch attacks. This breach is yet another incident that provides them with the exact ammunition they need. The longer-term solution will come from eliminating the economic incentives behind these attacks through the use of integrated strategies that detect fraud in real time and block attacks from being successful.”
Enterprises in the midst of digital transformation are finding that physical security and its convergence with cyber and information security requires that they consider new approaches to risk management, according to a panel of industry leaders at today’s Cyber: Secured Forum in Dallas.
The panelists represented an array of industries from companies such as Southern Methodist University, Glasswing Ventures, McAfee, Comcast Cable and Booking Holdings, all sharing “A View from the CISO’s Office.”
Concerns range from active shooters and the physical safety of students to how to secure the critical data sources that more and more employees within the organization are accessing.
The challenge with cybersecurity in some organizations is that, because of existing cultures, security leaders have to sell it internally; integrating and blending IT and physical security has the potential to bring everything together in a single pane of glass, said Mark Weatherford, global information security strategist at Booking Holdings.
Technology can solve some of the physical and IT integration issues, including those related to the provisioning and de-provisioning of employees. The pace of innovation is accelerating, and the longer you put off a focus on cybersecurity, the greater the challenge will be when you finally address it, according to the panelists.
Security orchestration, which helps organizations identify and manage risk in order to mitigate it, is improving, according to the panelists. In IT culture there’s long been a habit of getting rid of products that don’t work, which hasn’t always been the case in the physical security world. “They don’t integrate as fast,” Weatherford said. “In the physical security world it’s been a different culture with respect to buying things.”
The panelists speculated on how convergence and integration will continue to play out over the next several years, and one panelist said there is a great opportunity for physical security companies to acquire cybersecurity providers in order to converge capabilities. The very definition of physical devices is changing, which has created a lot of opportunity for the physical feature set moving forward, one panelist noted.
The biggest challenges in dealing with the convergence of physical and cybersecurity are culture, language, perception and budget, according to Mark Weatherford, global information security strategist at Booking Holdings, who delivered the keynote speech at today’s Cyber: Secured Forum in Dallas.
Weatherford shared an anecdote from a few months ago when he came to realize that “sometimes we get so wrapped up in technology and thinking about how we can solve the world’s problems that we don’t realize the issue is really about money.”
Admittedly hyperbolic, Weatherford said he sees some truth in a quote from Allan Schiffman, who said, “Amateurs study cryptography; professionals study economics.”
The adversary’s goals are about money, which is why the provenance of the supply chain is critically important. “Cybersecurity can now interrupt that supply chain in a variety of different ways,” Weatherford said.
Because organizations depend on a vast and complex supply chain ecosystem, the industry is facing a perfect storm in which the internet of things (IoT) is innovating faster than the speed of security. “Laws and law enforcement are limited, inconsistent and unenforced,” Weatherford said.
Cybersecurity has no national boundaries and no international norms of behavior, and the picture is complicated further by the reality that everyone can have anonymous access to vast resources and information. Some companies still rely on 30- to 40-year-old protocols with little to no security.
“The security community hasn’t done ourselves any favors,” said Weatherford. “When a naïve user can take down an entire company by clicking on a bad link, face it, our security stinks.”
Still, businesses are integrating technologies faster than they can keep up with it. “There are three basic components that we always talk about: people, processes and technology. But it is harder to hire people and develop processes, so they buy technology,” said Weatherford.
The good news is, according to Weatherford, that the industry is starting to see a trend where companies that are spending money are having a positive effect on the security of their organizations. Still, insider threats remain the number-one vector into companies today.
“Security convergence refers to the convergence of two historically distinct security functions – physical security and information security – within enterprises. Both are integral parts of any coherent risk management program,” Weatherford said.
The value proposition in convergence is that it helps eliminate silos, provides situational awareness and more unified and strategic security governance, eliminates duplicate processes, allows for more distributed resources and guides strategic planning, Weatherford said.
The most common configuration problems found in the majority of penetration tests can be easily resolved with straightforward fixes.
- Brute forcing accounts with weak and guessable passwords
- Excessive file system permissions
- Windows Management Instrumentation (WMI) lateral movement
Chris Nickerson, founder of Lares, said that these top five findings were common in “95% of the tests.”
Specifically, Lares confirmed that in three of the five most common findings, security basics including password, privilege and patch management could resolve the issues and that “every single vulnerability can be avoided or eliminated through better cybersecurity hygiene practices.”
In the case of brute forcing accounts, this can be resolved with the use of multi-factor authentication or with account lockout policies, while 'kerberoasting' can be managed with strong passwords, both in terms of length and complexity.
Meanwhile, “excessive file system permissions” can be mitigated with tools to detect file permissions abuse, enabling installer detection for all users and limiting the privileges of user accounts and groups.
Also, while it was publicly disclosed in 2017, the EternalBlue vulnerability can be mitigated by applying the Microsoft patch, disabling SMBv1 and blocking inbound SMB at your perimeter.
The only one of the top five which is not resolved with standard 'basics' is WMI lateral movement, which Lares said can be mitigated by disabling WMI or RPCS, restricting non-administrator users from connecting remotely to WMI, and preventing credential overlap across systems of administrator and privileged accounts.
In an email to Infosecurity, Nickerson said that WMI is rarely protected or restricted, so it tends to be a widely used vector for access/execution. “For instance: the most common way we bypass 2FA logins in RDP is using WMI directly,” he explained.
Asked if he felt that this shows a lack of network visibility, or whether that is not really possible as lateral movement is a common issue, he agreed saying “there are ways to correlate logs of using WMI on a host to detect spraying or one to many/many to one execution, so there is opportunity to pick up its use and artefacts of its execution on the host.”
He also said that east/west traffic analysis is lacking in many environments, and “the most optimal solution is to ‘chain’ the detection techniques to correlate UBA, network traffic analysis and host based execution.”
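As an added example of the host-log correlation Nickerson describes (this is not code from Lares or from the article), the following Python flags one-to-many (spraying), many-to-one and shared-credential patterns in constructed remote WMI execution records; the record format, field names and thresholds are assumptions.

```python
"""Flag fan-out / fan-in remote WMI execution patterns in host log records.
Added example; the record layout and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source_host, target_host, user),
# as if normalized from per-host WMI activity / remote-connection logs.
SAMPLE_EVENTS = [
    ("2019-07-30T09:00:00", "ws-17", "srv-01", "corp\\jdoe"),
    ("2019-07-30T09:00:05", "ws-17", "srv-02", "corp\\jdoe"),
    ("2019-07-30T09:00:09", "ws-17", "srv-03", "corp\\jdoe"),
    ("2019-07-30T09:00:14", "ws-17", "srv-04", "corp\\jdoe"),
    ("2019-07-30T09:30:00", "ws-22", "srv-09", "corp\\admin1"),
    ("2019-07-30T09:31:00", "ws-23", "srv-09", "corp\\admin1"),
    ("2019-07-30T09:32:00", "ws-24", "srv-09", "corp\\admin1"),
    ("2019-07-30T11:00:00", "mgmt-01", "srv-05", "corp\\svc_patch"),
]

# (alert kind, index of the pivot field, index of the field to count)
PATTERNS = (
    ("one-to-many", 1, 2),        # one source reaching many targets
    ("many-to-one", 2, 1),        # many sources reaching one target
    ("shared-credential", 3, 1),  # one account used from many sources
)


def parse(event):
    ts, src, dst, user = event
    return datetime.fromisoformat(ts), src, dst, user


def find_fan_patterns(events, window=timedelta(minutes=10), threshold=3):
    """Return (kind, pivot, counted_values) for every pivot whose records
    contain >= threshold distinct counted values inside a sliding window."""
    parsed = sorted(parse(e) for e in events)
    alerts = []
    for kind, pivot_idx, count_idx in PATTERNS:
        by_pivot = defaultdict(list)
        for rec in parsed:
            by_pivot[rec[pivot_idx]].append(rec)
        for pivot, recs in by_pivot.items():
            best, start = set(), 0
            for end in range(len(recs)):
                while recs[end][0] - recs[start][0] > window:
                    start += 1  # slide the window forward
                seen = {r[count_idx] for r in recs[start:end + 1]}
                if len(seen) > len(best):
                    best = seen
            if len(best) >= threshold:
                alerts.append((kind, pivot, tuple(sorted(best))))
    return alerts
```

In practice the shared-credential hits are what you would feed into the UBA and east/west traffic correlation mentioned above, since a single admin account appearing from several workstations in minutes is the credential-overlap condition Lares warns about.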
Infosecurity asked Nickerson if he felt that four of the top five most common findings being fixed with common techniques was a positive thing, or if it was demoralizing that basic security is proving to be so difficult.
Nickerson said: “It seems to me that these techniques are not only the basics, but they have been a common way to compromise enterprises for years. It indicates to me that we are still stuck in the ‘buy a thing to make us secure’ mentality versus ‘tune what we have to work better.’
“The good part is that these techniques are addressable with fairly simple configuration. I think the industry is starting to catch on to the fact that they need to constantly tune their environment and not just buy ‘x’ new product.”
Nickerson praised the work of “purple team” type engagements that focus on defensive improvement, rather than the “traditional hack and report.”
“Many teams are still operating from a ‘vulnerability focused perspective,’ the shift to including techniques in their protection/detection strategy is the next evolution of the defensive program and will be a major change in measuring the effectiveness of their controls,” he said.
“Testing for vulnerabilities and techniques (like integrating testing and tuning based on the descriptions provided by Mitre's ATT&CK framework) will help programs stay ahead of the curve and begin tracking how their defenses improve over time, opposed to the never ending vulnerability tail chase.”
Personal information on thousands of Los Angeles Police Department (LAPD) officers and applicants appears to have been stolen in a breach of local government security.
The suspected hacker claims they have their hands on the data of 2500 LAPD officers, trainees and recruits, and around 17,500 police officer applicants.
Reports suggest the City of LA was contacted by the individual last week, and its IT Agency has been forced to apply extra security around its IT systems. Those affected by the breach are said to have been contacted.
It’s not 100% clear if the hacker has access to all of the data they claim, although officer names, dates of birth, Social Security numbers, emails and passwords could be part of the trove.
The LA Police Protective League, a police officers’ union, issued a strongly worded statement in response.
“The data breach that exposed personal information of Los Angeles police officers and those applying to become police officers is a serious issue for our members. We urge the City of Los Angeles to fully investigate the lapse in security and to put in place the strongest measures possible to avoid further breaches in the future,” it said.
“We also call upon the city to provide the necessary resources and assistance to any impacted officer who may become the victim of identity theft as a result of this negligence so that they may restore their credit and/or financial standing.”
Total losses of data and devices by the UK’s Ministry of Defence (MoD) have risen by nearly 300% over the past two years, according to official figures.
The figure jumped from 117 incidents in 2017-18 to 463 in 2018-19, according to the MoD’s annual report.
Within that figure, “loss of inadequately protected electronic equipment, devices or paper documents from secured government premises” jumped over 180%, from 22 to 62.
There were fewer losses of that type from outside secured government premises: just 21 in 2018-19, up from 11 over the previous two years.
However, “unauthorized disclosure” incidents soared from 73 to 352 over the period.
“It’s very concerning to see sensitive documents or equipment go missing from secure locations, particularly as the UK faces a growing range of threats,” said shadow defense secretary, Nia Griffith.
“The new secretary of state must ensure his department does everything it can to trace these devices and prevent future security breaches.”
Andy Harcup of data security firm Absolute Software also argued that rising thefts of mobiles and laptops pose a serious security risk.
“Each device contains a goldmine of confidential data which could be exploited by hackers, foreign states or even a rogue employee,” he added.
“It’s vital all government organizations ensure devices are properly protected with endpoint security, so they can track, secure and freeze them if they fall into the wrong hands.”
This isn’t the first time the MoD has been found wanting over cybersecurity. Last year reports emerged that there were 37 recorded breaches of security protocol over the previous 12 months.
These include: sending sensitive information unprotected over the internet; connecting mobile devices to ministry networks without first checking them for malware; and leaving devices, documents and rooms unsecured.
Capital One has announced a major breach of customers’ personal data, affecting over 100 million Americans and a further six million in Canada.
The financial institution blamed “unauthorized access by an outside individual” who has been arrested by the FBI and is now in custody.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the firm explained.
“This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
However, the trove also included 140,000 Social Security numbers, 80,000 linked bank account numbers and one million Canadian Social Insurance numbers.
The bank blamed a “configuration vulnerability” exploited by the suspected attacker, but said “this type of vulnerability is not specific to the cloud.
“The elements of infrastructure involved are common to both cloud and on-premises data center environments,” it added.
In fact, according to a statement from the US Department of Justice, it appears as if the individual is “a former Seattle technology company software engineer” at a cloud computing provider who posted the details of the breach on GitHub.
Reports suggest the person in question, Paige Thompson, worked at Amazon Web Services.
“The intrusion occurred through a misconfigured web application firewall that enabled access to the data,” it revealed.
“On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI.”
The revelation that a tech insider stole highly sensitive customer data from a client should not affect the overall migration to public cloud environments, according to Igor Baikalov, chief scientist at Securonix.
“Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds,” he argued.
“This fact alone shouldn't be considered a setback for the adoption of public cloud. It should rather be viewed as another harsh reminder of the importance of third-party security and insider threat programs for both providers and consumers of public cloud services."
New vulnerabilities give hackers the ability to bypass the payment limits on Visa contactless cards regardless of the card terminal, according to new research from Positive Technologies.
In a July 29 press release, Positive Technologies said that researchers tested the flaws several times with five major UK banks and with cards and terminals outside of the UK. They found that the limits could be bypassed 100% of the time and could allow an attacker to steal from accounts.
“The attack works by manipulating two data fields that are exchanged between the card and the terminal during a contactless payment. Predominantly in the UK, if payment needs an additional cardholder verification (which is required for payments over 30 pounds in the UK), cards will answer 'I can’t do that,' which prevents against making payments over this limit. Secondly, the terminal uses country specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone,” the press release said.
Checks were bypassed by using a device acting as a proxy to intercept communication between the payment terminal and the card, an attack known as man in the middle (MITM). These MITM attacks can also be accomplished using mobile wallets, allowing a fraudster to charge up to £30 without unlocking the phone.
“The device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification,” according to the release.
"The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing," said Tim Yunusov, head of banking security for Positive Technologies. "While it’s a relatively new type of fraud and might not be the number-one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."
Working in the security operations center (SOC) is growing increasingly more painful because of an increasing workload and alert fatigue, according to new research, Improving the Effectiveness of the Security Operations Center, published by the Ponemon Institute and sponsored by Devo Security.
Respondents cited malware (98%), known vulnerabilities (80%), spear-phishing (69%) and insider threats (68%) as the most identified exploits in the SOC.
“Most respondents rate their SOC’s effectiveness as low and almost half say it is not fully aligned with business needs. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats and workplace stress on the SOC team are diminishing its effectiveness,” the report said.
In fact, 65% of respondents said that these pain factors would cause them to consider changing careers or leaving their job, and those frustrations exist even in those organizations that consider the SOC essential to their cybersecurity strategy, according to the report. SOCs are struggling, and most of the participants ranked their SOC’s effectiveness as low, with nearly half reporting the SOC is not fully aligned with business needs.
As a result of these problems, 78% of respondents say the mean time to resolution (MTTR) can be weeks to months – even years. “Only 22 percent of respondents say resolution can occur within hours or days. Forty-two percent of respondents say the average time to resolve is months or years,” according to the report. In addition to the lack of visibility, threat hunting was also ranked as a top challenge.
“Threat hunting teams have a difficult time identifying threats because they have too many IOCs [indicators of compromise] to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise and too many false positives. More than half of respondents (53 percent) rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. The primary reasons are limited visibility into the network traffic, lack of timely remediation, complexity and too many false positives,” the report said.