Info Security

Subscribe to Info Security  feed
Updated: 18 min 15 sec ago

Canadian Uni Shutters Network After Cryptomining Attack

Fri, 11/09/2018 - 09:49
Canadian Uni Shutters Network After Cryptomining Attack

A Canadian university shut down its entire network last week in response to a cryptomining attack, highlighting the potential disruption that can be caused by this relatively new strain of malware.

St Francis Xavier, which claims to offer the country’s “premier undergraduate experience,” explained in an update on Sunday that it was bringing systems back online in a staggered approach following the outage.

“On Thursday, IT Services, in consultation with security specialists, purposefully disabled all network systems in response to what we learned to be to be an automated attack on our systems known as ‘cryptocoin mining’,” the update continued.

“The malicious software attempted to utilize StFX’s collective computing power in order to create or discover bitcoin for monetary gain. At this time, there is no evidence that any personal information within our network was breached, however, ITS will continue to analyze and monitor for suspicious activity in the days and weeks ahead. ITS has also implemented heightened security measures in response to this event.”

All network passwords were also reset as part of the response to the attack.

Cryptocurrency mining is on the increase. McAfee noted that detections of coin mining malware rose 629% in the first quarter to more than 2.9 million samples, while Trend Micro claimed detections rose 956% between the first half of 2017 and the same period this year.

Don Duncan, director at NuData Security, explained that it’s an increasingly lucrative way to make money without drawing attention to the attack, as ransomware does.

“They just infect users like this college network, and then siphons off power to mine cryptocurrencies. You would not necessarily notice it until all systems start to slow down.

There is also the potential that this breach can be used for other purposes later on, especially if it downloaded another type of malware at the same time, he added.

“The university had no choice but to deprive these hijackers further access by shutting down systems to understand the scope of the issue. In situations such as this real-time visibility into the status of existing systems is critical as it helps to identify potential threats early mitigating future damage.”

Categories: Cyber Risk News

Lazarus Group Targets Bank Networks to Rob ATMs

Thu, 11/08/2018 - 16:09
Lazarus Group Targets Bank Networks to Rob ATMs

In addition to its 2014 attack on Sony Pictures, the Lazarus Group, also known as Hidden Cobra, has been attacking the ATMs of Asian and African banks since 2016, and today Symantec revealed that the group has been successful in its “FASTCash” operations by first targeting the banks' networks.

“The operation known as 'FASTCash' has enabled Lazarus, to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions,” Symantec wrote in today’s blog post.

“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”

By injecting a malicious Advanced Interactive eXecutive (AIX) executable into a legitimate process on the switch application of the network that handles ATM transactions, the attacker is able to monitor incoming messages and intercept fraudulent, attacker-generated transaction requests, preventing them from reaching the switch application.

The malware also contains logic that generates one of three responses to the attacker-generated transaction requests, according to Symantec.

In early October, the Department of Homeland Security (DHS), in combination with the Department of the Treasury (Treasury) and the FBI, identified malware used by the North Korean-linked hacking group, renowned for its cyber-espionage operations, in a US-CERT alert.

According to the alert, the FASTCash schemes “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The US Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.”

On the heels of the US-CERT report, Symantec uncovered the successful tactics used in the financially motivated attacks that allowed Lazarus to steal tens of millions of dollars from ATMs in over 30 different countries. Highly successful and motivated by their continued success and financial earnings, the Lazarus Group poses serious threats to the financial sector, particularly as these FASTCash attacks are not considered part of the group’s core activities.

Categories: Cyber Risk News

Most IT Security Pros Underestimate Phishing Risks

Thu, 11/08/2018 - 15:31
Most IT Security Pros Underestimate Phishing Risks

Based on the results of a new survey, the vast majority of IT security pros fail to understand the actual risks of short-lived but dangerous phishing attacks on the web, said SlashNext.

Conducted over a five day period, a query of 300 IT security decision makers in midsized firms in the US found that 95% of respondents underestimate threats from phishing, revealing a lack of understanding and gaps in protection against modern, fast-moving phishing attacks.

According to the SlashNext 2018 Phishing Survey, most companies do not have adequate defenses against phishing threats on the web, a growing threat that many security pros fail to fully understand. Modern phishing tactics are commonly used to breach networks, a reality that only 5% of survey participants recognize, the report found.

The survey found that 14% of respondents think they experience in excess of 500 phishing attacks per month, while 45% of participants believe they are targeted with more than 50 phishing attacks per month. Yet, phishing attacks on the web differ from the more commonly understood phishing emails. The survey noted the particular distinction between the two is the short-lived duration of today’s fast-moving phishing threats on the web. 

Targeted phishing attacks have expanded into ads as well as coming in through search results, pop-ups, social media, IM and chat applications, rogue browser extensions and apps. Given the increasing frequency with which these threats on the web or in free apps occur, more than half of the survey respondents identified phishing attack vectors beyond email as their third most concerning threat. Only 32% of survey participants said their existing threat feeds and block lists provide sufficient protections.

Coming in as the top two concerns with regard to phishing attacks were spoofed websites and insufficient employee training. More than half (64%) of respondents expressed concerns with their existing employee awareness training.

“Phishing tactics have evolved to using very fast-moving phishing sites and attack vectors that evade existing security controls. And with such legitimate-looking phishing sites manipulating users, there is little to protect employees, not even phishing awareness training,” said Atif Mushtaq, CEO and founder of SlashNext, in a press release. “The solution involves a phishing detection system that can analyze and detect malicious sites like a team of cybersecurity researchers, but do it in real time to protect users.”

Categories: Cyber Risk News

Nearly 4,000 Breaches Disclosed in 2018

Thu, 11/08/2018 - 14:56
Nearly 4,000 Breaches Disclosed in 2018

While it is likely that the breach activity of 2018 won’t reach the level of 2017, a look back at the first nine months suggests that 2018 is on pace to be another significant year for breaches, according to Risk Based Security.

The 2018 Q3 Data Breach QuickView Report found that 3,676 data compromise events were disclosed between 1 January and 30 September, exposing 3.6 billion records. However high those numbers might seem, and despite the consistent pace at which disclosures are reported, 2018 is not expected to see the record number of breaches reported in 2017. In fact, the report found that when compared to the same point in 2017, the number of reported breaches fell by 8%, and the number of exposed records decreased by 49% from 7 billion.

“The number of reported breaches shows some improvement compared to 2017 and the number of records exposed has dropped dramatically,” said Inga Goddijn, executive vice president for Risk Based Security, in a press release. “However, an improvement from 2017 is only part of the story, since 2018 is on track to have the second most reported breaches and the third most records exposed since 2005. Despite the decrease from 2017, the overall trend continues to be more breaches and more ‘mega breaches’ impacting tens of millions, if not hundreds of millions, of records at once.”

The report looked at breaches by sector and found that business made up 38% of reported breaches. Though 43% of reported breaches couldn’t be classified into a sector category, the research did find that government represented 8.2% of the overall breaches while medical trailed slightly behind at 7.8%. The education sector represented only 3.9% of the classifiable breaches.

Of the 3.6 billion records exposed, 63.6% were from the business sector, and 100 million or more records were stolen in only seven of the 3,676 breaches. In addition, the 10 largest breaches accounted for 84.5% of the records exposed year to date.

According to the report, criminals often used fraud, which was in the top spot for the breach type compromising the most records and accounting for 35.7% of exposed records, while hacking led the pack in number of incidents, accounting for 57.1% of reported breaches.

An additional key finding of the report noted the lack of transparency that continues to reign among breached organizations in 2018, with 34.5% of impacted companies unwilling or unable to disclose the number of records exposed.

Categories: Cyber Risk News

Spam Botnet of Over 100K Routers Abuses UPnP

Thu, 11/08/2018 - 11:23
Spam Botnet of Over 100K Routers Abuses UPnP

Security researchers have uncovered a major new botnet of over 100,000 compromised machines, made up mainly of home routers with UPnP enabled.

Netlab 360 researchers Hui Wang and ‘RootKiter’ explained in a blog post that the main target is a vulnerability in the UPnP feature from Broadcom, which is widely available: in fact, 116 infected device models were found. These included routers made by D-Link, Linksys, ZTE, TP-Link, Zyxel, Technicolor and many more.

“The interaction between the botnet and the potential target takes multiple steps, it starts with tcp port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL,” they explained.

“After getting the proper URL, it takes another four packet exchanges for the attacker to figure out where the shellcode's execution start address in memory is so a right exploit payload can be crafted and fed to the target.”

Once a target is infected it will communicate with popular mail servers like Outlook, Hotmail, and Yahoo Mail — leading the researchers to believe the botnet’s primary purpose is to send spam.

Scanning activity is not regular, but occurs every 1-3 days, although it sweeps 100,000 IPs each time. According to a Shodan search for exposed devices, the eventual number of infected machines could reach 400,000, the researchers claimed.

Most infected devices discovered so far appear to be in India (147,700), followed by China (19,200) and the US (22,300).

The so-called “BCMUPnP_Hunter” botnet is likely to be the work of a fairly sophisticated coder, according to Netlab 360.

“The shellcode has a full length of 432 bytes, very neatly organized and written, some proofs below (We did not find similar code using search engines),” it wrote. “It seems that the author has profound skills and is not a typical script kid.”

UPnP was designed to improve information sharing and connectivity across home and corporate networks, but is often hijacked by hackers to build botnets.

Categories: Cyber Risk News

Privacy International Files GDPR Complaints

Thu, 11/08/2018 - 10:48
Privacy International Files GDPR Complaints

Privacy International has filed complaints against seven companies including Experian, Equifax and Oracle for alleged contravention of the GDPR.

The rights group is hoping to highlight what it believes is illegal use of customer data, particularly for profiling purposes. It’s part of a wider campaign designed to make it easier for consumers to demand companies delete their data under the new legislation.

The complaints — based on 50 Data Subject Access Requests and information gathered from the companies’ privacy policies and marketing material — also target data broker Acxiom, and ad-tech firms Criteo, Quantcast and Tapad.

According to Privacy International, the company's practices have breached the GDPR principles of transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy.

The firms also allegedly have no legal basis for using data in the way they do, a key requirement of the GDPR. PI claims that neither consent nor legitimate interest are applicable in these cases, and there’s no basis for processing sensitive data.

Specifically, they fail to demonstrate consent was “freely given, specific, informed, and unambiguous,” and in the case of legitimate interest they have twisted the meaning to fit their own interests without considering the impact on individuals’ rights, PI claimed.

“The data broker and ad-tech industries are premised on exploiting people's data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives,” argued Privacy International legal officer, Ailidh Callander.

“The GDPR sets clear limits on the abuse of personal data. PI's complaints set out why we consider these companies' practices are failing to meet the standard — yet we've only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”

Both Experian and Equifax have, of course, suffered major data breaches in the past, the latter affecting 148 million consumers.

Categories: Cyber Risk News

Pakistan Banks Not Breached, but Probably Skimmed

Thu, 11/08/2018 - 10:00
Pakistan Banks Not Breached, but Probably Skimmed

Pakistan’s central bank has sought to quash reports that the country’s lenders have been hacked en masse, following an apparent coordinated skimming campaign.

Mohammad Shoaib, head of the Federal Investigation Agency’s cyber-crime unit, apparently told two TV stations that “almost all” banks had been hacked, with a “large amount of money” stolen.

However, the State Bank of Pakistan (SBP) tweeted yesterday that it “categorically rejects reports of banks' data being hacked.” It added later that “no #bank or law enforcement agency has provided any evidence/info about #databreach to #SBP as yet.”

It ‘clarified’ that just one bank had been hacked, although it's unclear which lender this was.

BankIslami temporarily shut down its international and online payments system on October 27 after noticing unusual transactions of 2.6 million rupees ($20,000), according to a PakCERT report seen by Reuters.

“Subsequently, several other banks issued security alerts and either completely blocked customers’ debit and credit cards or blocked their online and international use,” the report continued.

The activity was apparently related to a skimming operation which harvested the details of 20,000 debit and credit cards from 22 Pakistani banks, which were subsequently put on the dark web for sale.

It appears they were then used to carry out the fraudulent online transactions, which were eventually spotted by the lenders. A small number of foreign cards were also caught in the data dump, presumably those which had been used by visitors at the affected skimming ATMs or merchant terminals.

It’s not just banks in Pakistan that are being targeted with ever-greater frequency. US financial services firms suffered three-times more data breaches in the first six months of 2018 than during the same period in 2016, according to Bitglass.

Verizon’s latest Data Breach Investigations Report also warned of the growing threat from ATM skimming and jackpotting.

Categories: Cyber Risk News

Flaw Leads to RCE in WordPress Plugins, WooCommerce

Wed, 11/07/2018 - 16:05
Flaw Leads to RCE in WordPress Plugins, WooCommerce

A WordPress design flaw could grant an attacker remote code execution, leading to a privilege escalation in WooCommerce and other WordPress plugins, according to RIPS Technologies.

In a 6 November blog post, researchers said that if the vulnerability is exploited, it would give shop managers – employees of the store that can manage orders, products and customers – the ability to delete files on the server and take over any administrator account.

The file deletion vulnerability was first detected and reported in WooCommerce. Though not considered critical, the vulnerability was fixed in version 3.4.6. Researchers found that deleting certain plugin files in WordPress can actually lead to a full-site takeover. This can occur if security checks are disabled in an unpatched design flaw within the privilege system of WordPress.

“Affected were over 4 million WooCommerce shops. No other requirements other than an attacker being in control of an account with the user role shop manager were required,” researchers wrote. “Such access could be obtained via XSS vulnerabilities or phishing attacks. Once the vulnerability described here is exploited, the shop manager can take over any administrator account and then execute code on the server.”

To assign privileges, WordPress gives certain capabilities to different roles, such as the shop manager. When this role is defined, it is able to edit customer accounts, which happens during the installation process of the plugin, researchers said. That role is stored as a core setting of WordPress in the database, making it independent of the plugin.

Only privileged users can edit another user, and default settings and meta capabilities that can be added to plugins are only executed when the plugin is active, which researchers identified as a design flaw.

“The issue is that user roles get stored in the database and exist even if the plugin is disabled. This means that if WooCommerce was disabled for some reason, the meta privilege check which restricts shop managers from editing administrators would not execute and the default behavior of allowing users with 'edit_users' to edit any user, even administrators, would occur. This would allow shop managers to update the password of the admin account and then take over the entire site.”

Categories: Cyber Risk News

High Turnover Rate Expected for IT Pros in 2019

Wed, 11/07/2018 - 15:35
High Turnover Rate Expected for IT Pros in 2019

Many IT professionals will seek increased salaries and opportunities to advance their skills outside of their current organizations come 2019, according to the 2019 State of IT Careers published today by Spiceworks. While fewer than 10% of IT professionals plan to leave the industry altogether, more than a quarter say they will look for new roles within the sector.

The report found that 43% of IT pros in Europe have plans to find a new employer next year, in large part because they are seeking a pay raise, though more than half (51%) want to advance their skills and 37% would prefer an improved work/life balance.

“2019 will see significant turnover in IT teams across Europe, with many employees looking to move on and companies planning to step up hiring,” said Peter Tsai, senior technology analyst at Spiceworks in a press release.

“Acquiring the right skills will be pivotal for both employers and employees to make a success of this shift, but the signs are positive. IT professionals are prioritizing skills development as a central part of their career plans which can only bode well for the businesses that are in need of more specialists.”

According to the report, 32% of organizations intend to hire more IT staff in 2019, which will hopefully allow them to overcome their biggest challenge of keeping IT infrastructure up-to-date. While 45% of respondents said that refreshing aging infrastructure is expected to be their greatest obstacle, 43% of organizations in Europe noted that regulations will likely be a struggle for them.

When hiring new staff, participating organizations said that cybersecurity skills and AI expertise will be the top skill sets they look for in recruits.

“Companies looking to maximize efficiencies and grow profits understand the potential artificial intelligence has to automate tasks and reduce the cost of doing business. But to effectively deploy and manage AI-enabled tech, organizations need workers with relevant AI skill sets and experience. And large enterprises, which often have resources dedicated to R&D, are already ahead of the game when it comes to experimenting with and getting value out of AI," Tsai said in the report.

While larger enterprises are looking for cybersecurity and AI expertise, midsize companies intend to hire staff adept in DevOps, and smaller companies will likely seek out IT professionals well-versed in hardware and infrastructure, according to the report. Still, 59% of responding companies have no plans to make changes to their IT staff next year, while 5% will decrease their IT staff and 8% remain unsure of what will happen with IT staffing.

Categories: Cyber Risk News

National School for Cybersecurity Opens in Senegal

Wed, 11/07/2018 - 15:07
National School for Cybersecurity Opens in Senegal

The French minister for Europe and foreign affairs, Jean-Yves Le Drian, has taken a step toward fighting cybercrime in Senegal with the opening of a new cybersecurity school, according to France Diplomatie.

The school, set to begin training students in 2019, will serve as a best-practice hub in Africa. Reportedly the first of its kind in all of Africa, the National School of Cybersecurity is located in Dakar, where it is temporarily housed in Senegal’s National School of Public Administration. To provide security professionals of African states with enhanced capabilities to fight cybercrime and improve cooperation on security and defense between France and Africa, the school will train cybersecurity experts who currently hold high-level positions in the industry.

Offering primarily short trainings that will run over the course of days or weeks, the program will focus on legal and governance issues as well as information systems security and threat intelligence strategies. Specific to fighting cybercrime, the school has two tracks for diplomas in specialized digital investigations and digital tracing techniques.

The school is targeting executives and managers who already play an important role in digital security, and the trainings are designed to expose them to new skills. The academy also hopes to be able to expand the training programs to reach universities and civil society.

Alongside Senegal’s foreign minister, Sidiki Kaba, Le Drian participated in a ceremony celebrating the start of the school, which will play a significant role in helping other West African countries combat cybercrime for security services, judiciary and private enterprise, French officials told

The announcement coincided with the Dakar International Forum for Peace and Security, which took place on November 5 at the Centre International de Conference Abdou Dio, where Senegalese President Macky Sall said that African countries need to strengthen cybersecurity in the face of evolving threats, according to The Guardian.

“We’re all exposed, nobody is secure and each country is potentially under threat of terrorism,” President Sall reportedly said. “We’re ticklish when we talk of freedom online but the risks online are real. Cybercrime can become a weapon of mass destruction of communities and their values.”

Categories: Cyber Risk News

Enterprises Sinking Under 100+ Critical Flaws Per Day

Wed, 11/07/2018 - 11:45
Enterprises Sinking Under 100+ Critical Flaws Per Day

Enterprises are forced to deal with an estimated 100+ critical vulnerabilities each day, with Flash and Microsoft Office accounting for the majority of top app flaws, according to new research from Tenable.

The security vendor analyzed anonymized data from 900,000 vulnerability assessments across 2100 enterprises to compile its latest Vulnerability Intelligence Report.

It predicted that the industry is set to disclose 19,000 new vulnerabilities this year, up 27% from last year — although other estimates put the 2017 figure at nearly 20,000.

Other stats from the Tenable report highlighted the increasing challenge facing system administrators tasked with prioritizing patches.

It claimed that, on average, an enterprise finds 870 vulnerabilities per day across 960 assets, with 61% listed as high severity. Yet just 7% have public exploits available, making it difficult to know which of the remaining 93% to fix first, the firm argued.

That’s especially true when one considers that many hackers deliberately target older vulnerabilities that may have been forgotten about.

Out of the 20 application vulnerabilities affecting the largest number of enterprises, several came from 2015.

Half of that top 20 related to Adobe Flash bugs, followed by Microsoft Office at 20%, with the eight top web browser CVEs from Google and Microsoft impacting 20-30% of enterprises on a single day.

“When everything is urgent, triage fails. As an industry, we need to realize that effective reduction in cyber risk starts with effective prioritization of issues,” said Tom Parsons, senior director of product management, Tenable.

“To keep up with the current volume and velocity of new vulnerabilities, organizations need actionable insight into where their greatest exposures lie; otherwise, remediation is no more than a guessing game. This means organizations need to focus on vulnerabilities that are being actively exploited by threat actors rather than those that could only theoretically be used.”

Categories: Cyber Risk News

Elon Musk Bitcoin Scammers Hijack Verified Status Accounts

Wed, 11/07/2018 - 10:45
Elon Musk Bitcoin Scammers Hijack Verified Status Accounts

Scammers are back on Twitter impersonating their favorite celebrity, Elon Musk, in a bid to convince people to invest in their phony Bitcoin scheme.

This time, the scheme raises serious questions over how easy it is to hijack and alter verified accounts on the social network. In this case, two US lawmakers with verified status, Frank Pallone and Brenda Lawrence, reportedly had their accounts taken over, alongside corporate accounts such as those belonging to film production firm Pathe UK.

The scammers then changed the display name to ‘Elon Musk,’ using one non-standard character to avoid setting off any alarms at Twitter HQ.

The error-strewn tweet itself read: “I’m giving 10 000 Bitcoic (BTC) to all community! I left the post of director of Tesla, thank you all for your suppoot! I decided to make the biggest crypto-giveaway in the world, for all my readers who use Bitcoin. Participate in giveaway…”

A further message then asks users to send anywhere between 0.1 and 2 BTC to a payment address below to receive from 1 to 20 BTC in return.

One report suggested over 400 people had already sent virtual currency to the address, netting the scammers in the region of $180,000. However, others claimed that fraudsters in these situations typically fill their wallets with funds to make the ‘giveaway’ look more legitimate.

Either way, it raises more questions about Twitter’s ability to police fraud on its site.

While those who had their account hijacked could have largely prevented this by turning on two-factor authentication, the changing of verified status display names should have raised the alarm, according to experts.

"The nature of this scam brings to light some seemingly obvious issues with Twitter's verified account system. The thieves hacked verified accounts and switched the name to Elon Musk to get attention and credibility,” explained Comparitech privacy advocate, Paul Bischoff.

“If the purpose of the blue check mark is to assure a person's handle matches their real identity, then why is it possible to change a verified account's display name? Changing the name should immediately invalidate the verified status."

Reports in March claimed that Twitter was planning to ban most crypto-currency advertising in a bid to head off rising levels of fraud.

Categories: Cyber Risk News

HSBC Customer Accounts Breached in US

Wed, 11/07/2018 - 09:46
HSBC Customer Accounts Breached in US

HSBC has revealed that unauthorized third parties accessed some of its customers' accounts, in what appears to have been an incident confined to its US operations.

The UK lender explained in a customer message posted online by the California Attorney General's Office that the attacks lasted from October 4 to 14.

“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account. You may have received a call or email from us so we could help you change your online banking credentials and access your account,” it stated.

“The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.”

It’s believed that less than 1% of its US customers have been affected, but they’re not limited to Californians.

HSBC said it has “enhanced” its authentication process, presumably to include some form of multi-factor log-in.

Experts agreed the hackers most likely used credential stuffing techniques to force their way into user accounts with previously breached log-ins, rather than effecting a more sophisticated central breach of HSBC’s IT systems.

“Consumers need to increase their vigilance. Reused passwords lost in one breach then become a free ticket to your other accounts,” warned Arxan Technologies VP, Rusty Carter.

“Consumers should employ unique passwords for every site and service they use and change them at least once a year, unless there’s a breach then of course sooner. Secure, paid service or locally run password managers make this easier in many cases than using a password you’ll remember.”

Jarrod Overson, director of engineering at Shape Security, said his firm sees over 232 million account takeover attempts at global financial institutions each day.

“Credential stuffing attacks against banks typically result in about one account takeover per 2,000 attempts, which sounds small but adds up to thousands of accounts over the course of a multi-day or multi-week attack,” he continued. “The damage doesn't stop there — the impact can easily extend to many other services including online retailers, gaming providers, airlines, and other financial institutions."

Categories: Cyber Risk News

Symantec Acquires Appthority and Javelin Networks

Tue, 11/06/2018 - 14:07
Symantec Acquires Appthority and Javelin Networks

On November 5, Symantec announced that it acquired Appthority and Javelin Networks in an effort to enhance its endpoint security solutions, adding key technology integrations to Symantec’s Integrated Cyber Defense Platform.

Through its acquisition of Appthority, Symantec will enable its customers to analyze mobile apps and identify malicious behaviors and vulnerabilities. Building Appthority’s technology into Symantec endpoint protection mobile will augment its ability to deliver a broad spectrum of protections for modern endpoints and operating systems.

“Mobile apps are a critical threat vector that every company must address to protect their enterprise security,” said Adi Sharabani, SVP, modern OS security, in a press release. “The Appthority technology extends SEP Mobile’s capabilities in limiting unwanted app behaviors, supporting regulatory compliance and assessing vulnerabilities.”

“Mobile users increase the enterprise attack surface with each app they install. This acquisition unites Appthority with Symantec’s comprehensive endpoint security portfolio, which is the first solution on the market that can protect all traditional and modern endpoints and now apps,” said Domingo J. Guerra, Appthority co-founder.

“Armed with Symantec’s industry-leading security research and tools, SEP Mobile integrated with Appthority technology is expected to deliver the most comprehensive Mobile Threat Defense solution, with enhanced app analysis capabilities, both in real time and on-demand,” added Anne Bonaparte, Appthority CEO.

Javelin Networks, a privately held company founded by red team post-exploitation experts, protects enterprises against active directory-based attacks. Effective November 5, the Javelin Networks team became part of Symantec’s endpoint security business.

“In the cloud generation, identity management services, such as Active Directory, are a critical part of a user’s interaction with their organization’s applications and services. They are also a critical information repository that attackers regularly exploit,” said Javed Hasan, senior vice president of endpoint and data center products, Symantec.

“The addition of Javelin Networks technology to our industry-leading endpoint security portfolio gives Symantec customers a unique advantage in one of the most vulnerable and critical areas of IT infrastructure. Most importantly, it can help expose exploitable backdoors in AD and stop attacks at the point of breach while preventing lateral movement.”

Categories: Cyber Risk News

Side-Channel Vulnerability PortSmash Steals Keys

Tue, 11/06/2018 - 13:28
Side-Channel Vulnerability PortSmash Steals Keys

Researchers have found that Intel processors are being impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes.

The new side-channel vulnerability, called PortSmash, was discovered by researchers Billy Bob Brumley, Cesar Pereida García, Sohaib ul Hassan and Nicola Tuveri from the Tampere University of Technology in Finland and Alejandro Cabrera Aldaya from the Universidad Tecnológica de la Habana.

According to the proof of concept, the only prerequisite to exploit the vulnerability, identified as CVE-2018-5407, is a CPU featuring simultaneous multithreading (SMT), such as Intel’s hyper-threading. An attacker uses a timing attack to steal information from other processes running in the same CPU core with hyper-threading.

Because it is a local attack, in order to steal the private decryption keys, the attacker and victim must be running on the same physical core, such as an OpenSSL.

“News of a side-channel vulnerability should be very concerning for security and IT professionals alike,” said Justin Jett, director of audit and compliance for Plixer. “Malicious actors can take these newly generated keys and decrypt any conversation that would otherwise have been protected by the key.

“Additionally, because the malware writer is already on the machine, they have a better understanding of where these keys may be used (for example, were the keys then moved to a specific folder that is being used by an application installed on the machine).”

Similar to other processor vulnerabilities, like Meltdown and Spectre, PortSmash is a reminder that we have to rotate the keys and certificates that serve as machine identities, much more frequently than we do, according to Kevin Bocek, VP of security strategy and threat intelligence at Venafi.

“Our machine identities are kept around for years, and it’s crazy to think machine that they won’t be attacked. This is especially true a cloud and microservices environments, where these kinds of vulnerabilities are most dangerous.

“Security and IT teams know we have to change passwords regularly and why. But we haven’t applied the same logic to machine identities, even though they provide even higher levels of access than most passwords. The reality is that most keys and certificates aren’t changed often, and a surprising number are never changed. These are the machine identities that are most at risk from PortSmash.”

Categories: Cyber Risk News

SCOTUS Refuses to Hear Appeal of Net Neutrality

Tue, 11/06/2018 - 12:44
SCOTUS Refuses to Hear Appeal of Net Neutrality

With no explanation, the Supreme Court declined to hear an appeal of the net neutrality case, according to The Hill.  Justice Kavanaugh and Chief Justice John Roberts recused themselves from the vote. 

In opting not to hear the case, SCOTUS leaves in place the existing high court ruling that the FCC has the authority to regulate broadband like a public utility, which supporters of the 2015 Net Neutrality regulations, established by the Obama administration, saw as a win.

The appeal came from USTelecom, a trade group that represents internet service providers (ISPs). In conjunction with the Trump administration, USTelecom requested that the ruling from the US Court of Appeals for the District of Columbia Circuit be overturned on the basis that the Federal Communications Commission has no congressional authority to impose common-carrier obligations on broadband internet access service, The Hill said.

As a result of the existing high court ruling, ISPs cannot block or throttle web content, nor can they create fast lanes for pay.

"We’re grateful that a majority of the justices saw through the flimsy arguments made by AT&T and Comcast lobbyists," said Matt Wood, the policy director at Free Press, in a statement. "The ISPs went all out to push FCC Chairman Ajit Pai to repeal the agency’s net neutrality rules – and then ran to the Supreme Court looking for a do-over on earlier cases that rightly upheld those rules. There was absolutely no reason for the Supreme Court to take this case, and today’s denial puts to bed the chances of upending the correct appellate-court decisions."

Despite the Supreme Court decision to not hear the case, Republicans remain hopeful that the FCC’s vote last December to repeal net neutrality rules will be upheld, though that decision is being challenged before the DC Circuit.

At issue is which body has the power to determine broadband as an information service. Jonathan Spalter, CEO of USTelecom, and other supporters of the Restoring Internet Freedom order, which negated net neutrality, believe broadband is an information service.

"[The Restoring Internet Freedom order] remains the law of the land and is essential to an open internet that protects consumers and advances innovation," Spalter reported said in a statement.

Categories: Cyber Risk News

Fake Telegram Apps Used to Spy on Iranian Users

Tue, 11/06/2018 - 12:04
Fake Telegram Apps Used to Spy on Iranian Users

Security researchers have uncovered several Iranian state-sponsored campaigns which they suspect are used to spy on domestic users of the banned Telegram and Instagram apps.

Cisco Talos explained that the campaigns “vary in complexity, resource needs and methods” but use three main vectors: fake apps, phishing pages, and BGP hijacking.

The apps capitalize on a latent demand for Telegram and Instagram apps given they are banned in the Islamic Republic. Telegram is estimated to have as many as 40 million users in the country and has been used in the past to organize popular protests against the authoritarian government.

“Once installed, some of these Telegram ‘clones’ have access to mobile devices' full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to back-end servers, which allows the attacker to take full control of the account in use,” Cisco explained.

However, the apps are only classified as greyware or PUPs, because they do still carry out legitimate functions such as sending messages. This makes it more difficult for researchers to detect them.

“We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps,” said Cisco. “Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.”

Also discovered were classic phishing attacks spoofing Telegram log-in pages with domains which Cisco linked to the state-sponsored Charming Kitten group.

Finally, the researchers observed BGP hijacking activity involving an Iranian telco, which could have been used to compromise communications. Cisco branded it “a deliberate act targeting Telegram-based services in the region.”

The firm stopped short of providing a solid link between the three attack types aside from their focus on Telegram, and admitted they could be used by any malicious actor, state-sponsored or not.

However, given the history of how the app is used in the repressive state, and the link to Charming Kitten, it would be understandable to assume Tehran has a hand in them.

Categories: Cyber Risk News

UK Government Warns Telcos of 5G Security Review

Tue, 11/06/2018 - 11:02
UK Government Warns Telcos of 5G Security Review

The UK government has reminded 5G network providers to ensure their suppliers are heavily vetted for security, in what could signal a change of approach to a major Chinese telecoms player.

The 5G supply chain of several UK telecoms firms may be impacted by a review of the UK’s infrastructure launched in July, according to a letter penned to the firms by DCMS head of digital, Matthew Gould, and National Cyber Security Centre (NCSC) boss, Ciaran Martin.

Although Huawei was not named, the letter stated that the “outcome of the review may lead to changes in the current rules,” according to the FT.

That could be bad news for the Shenzhen giant, which has already been blocked from competition in 5G by the US and Australian governments on national security fears.

Those fears were further stoked by a report in The Australian over the weekend citing a national security source that claimed Huawei staff helped Chinese intelligence “get access codes to infiltrate a foreign network.” It’s a story the telecoms kit maker has strenuously denied.

Even before this, there were signs of a changing relationship with Huawei in the UK, which has historically been more friendly to the firm.

In July, the Huawei Cyber Security Evaluation Centre (HCSEC), overseen by GCHQ, highlighted significant shortcomings in the firm’s processes that “exposed new risks in UK telecoms networks.”

The report concluded that the HCSEC has “only limited assurance” that Huawei equipment poses no threat to national security.

BT and Three are both said to be working with Huawei on 5G networks.

The move comes as new data reveals the effect of growing US-China tensions on Huawei’s Shenzhen rival ZTE.

The number of ZTE smartphones on prepaid operator shelves fell 48% from June 2018 to September 2018 as carriers backed away from the firm following political pressure, according to GlobalData.

Washington banned US suppliers from selling to it, after it broke an agreement not to sell handsets to Iran and then lied about it.

ZTE has already been labelled a national security risk by GCHQ.

Categories: Cyber Risk News

National Guard on Standby for Midterm Election Day

Tue, 11/06/2018 - 10:28
National Guard on Standby for Midterm Election Day

Cyber units from the National Guard have been supporting several states in the run up to the mid-term elections and are standing by in the event of any incident today, according to reports.

Wisconsin, Washington and Illinois have been confirmed as using the reserves to help improve cyber resilience, but there are likely to be more states doing the same.

In the north-west, the Washington Air National Guard has been supporting the state's Office of the Secretary of State in what has been dubbed a “great partnership” of “outstanding cooperation” by Kenneth Borchers, commander of the 252nd Cyberspace Operation Group, according to Guard News.

The initiative began with a two-week assessment of the relevant IT networks, followed by a similar time frame devoted to making system improvements, and finally a search for any deeper problems.

"We call it the hunt mission. Now that we have situational awareness, we've secured terrain, we're going to do a deep dive and see what we can find,” said Thomas Pries, commander of the 262nd Cyberspace Operations Squadron.

On Friday it was revealed that Wisconsin National Guard cyber-response teams had been put on standby by the governor Scott Walker to assist if any serious incidents arise on election day.

As part-timers, National Guard troops have jobs outside of their role with the reserve military, which means cybersecurity skill levels can sometimes be higher than in parts of the regular forces.

In fact, lawmakers introduced a bipartisan bill last year designed to give the Department of Defense greater visibility into cybersecurity skills capabilities in the National Guard, in case it needs to draw upon this reserve in times of crisis.

“Our National Guard is uniquely positioned to recruit and retain some of our best cyber warriors, and this bill would help make sure that our military is taking advantage of this extraordinary talent,” said report co-sponsor, senator Kirsten Gillibrand, at the time.

Categories: Cyber Risk News

Veracode Acquired by Thoma Bravo and Splits from CA After Broadcom Deal

Mon, 11/05/2018 - 17:09
Veracode Acquired by Thoma Bravo and Splits from CA After Broadcom Deal

Private equity investment firm Thoma Bravo has agreed to acquire Veracode for $950 million, on the same day that its parent CA Technologies were acquired by Broadcom for a reported $18.9 billion.

Veracode were acquired by CA Technologies in March 2017 for $614m. Today’s Thoma Bravo announcement is expected to close in Q4 of 2018.

“In today’s digital economy practically every company is turning into a software company through their own digital transformation,” said Chip Virnig, a partner at Thoma Bravo.

“As these companies continue to build complex applications, many of which contain sensitive data, the applications themselves increasingly become the target of more sophisticated and omnipresent cyber-attacks. As such, applications need to be built with security in mind day one, and we see a significant, growing market opportunity for Veracode’s product offerings.”

Broadcom is a designer, developer and supplier of products based on analog and digital semi-conductor technologies. The acquisition will see CA Technologies operate as a wholly owned subsidiary of Broadcom.

Sam King, current senior vice president and general manager of Veracode, will become the CEO of Veracode following the close of the transaction. She said that partnering with Thoma Bravo, a proven security software investor, is expected to extend its market reach “and further fuel our innovation so that we can offer the broadest software security platform and empower us to accelerate growth — all to allow us to transform the way companies achieve their software security goals.”

The announcement follow’s last month’s announcement that Thoma Bravo had acquired Imperva for around $2.1 billion.

“As long-term investors in cybersecurity software, we are impressed with the speed and quality of innovation at Veracode,” said Seth Boro, a managing partner at Thoma Bravo.

Categories: Cyber Risk News