Speaking on “Testing Your Organization's Social Media Awareness” at Black Hat USA, Jacob Wilkin, network penetration tester and application security consultant, Trustwave SpiderLabs, said that social media phishing is on the rise and is now the “preferred vector for attackers,” who spread more malware via social media than via email.
“You’re three times more likely to get click-throughs on social media, and this is important as companies move to BYOD models and people have devices at home and use social media and bring them into work environments,” he said.
Wilkin highlighted a passive testing tool that he released last year at the Black Hat Arsenal called “Social Mapper,” which allows you to “feed in a LinkedIn company name and it releases names and images of people at the company.” This will then deliver the names of employees who have been found online.
“This is less intrusive as you don’t interact with profiles, you identify them but not testing them and you don’t know if they accept connection requests or clicked on links,” he said. Instead, you get a report detailing people who are recognized as working at a company, and their corresponding social media accounts via facial recognition.
To follow up, this week he released an active testing tool called “Social Attacker.” It requires the tester to create a fake social media account, log into a social media site, feed in the Social Mapper results and send connection or friend requests to those people in order to deliver a phishing test message. At the end it produces a report showing which profiles accepted and who clicked on what, with a timestamp.
Wilkin recommended that social media users protect themselves by not using the same name across websites, by not accepting connections or messages from people they don’t know and, in more extreme cases, by not putting a picture on their social media profile.
“As attackers pivot, it is important to raise awareness and encourage social media sites to prevent and detect attacks and review laws to consider permitting security testing,” he concluded.
In a session at the Black Hat USA conference in Las Vegas, F5 Networks researchers outlined the challenges posed by morphing DDoS attacks and announced the release of a new open source tool called SODA, designed to help organizations test their defenses for attack resilience.
SODA is an acronym for Simulation of DDoS Attacks; it provides multiple traffic generation tools to simplify DDoS protection testing. The inspiration for SODA came from a July 2018 attack against encrypted email provider ProtonMail by an aggressive form of Distributed Denial of Service (DDoS) attack that was constantly morphing its tactics. The attack and its unique approach to disruption inspired F5 Networks researchers to figure out how to help organizations better defend themselves against this new type of DDoS.
Mudit Tyagi, Architect, Security Products, F5 Networks, explained that the attack vectors used in the ProtonMail morphing DDoS attack included common methods such as UDP and SYN floods.
"What made the attack so complex to defend against was that the attacker kept on changing the attack, they kept on morphing," he said.
Tyagi added that after the ProtonMail attack, his team took it upon themselves to figure out how to catch morphing attacks. The first step was to build a tool that could simulate morphing attacks, so organizations could test their own defences to see what would happen and what might be lacking. The end result of that effort is SODA.
"SODA can be used to put down any part of your infrastructure," explained Mikhail Federov, Product Management Engineer, Security, F5 Networks.
The SODA tool bundles a number of DDoS attacks and then morphs the vector with a predefined pattern and interval. On the defender or blue team side, Federov explained that the setup brings together multiple components to simulate an environment. Among the tools are DVWA (Damn Vulnerable Web Application), the pfSense firewall, Telegraf for sending metrics, InfluxDB for storing the data and finally Grafana for the dashboard. Users put the DDoS solution of their choice in front of the firewall and can then see how it responds to SODA-simulated attacks.
Tyagi said that organizations typically configure static vectors for DDoS response with set thresholds, for example limiting UDP traffic at a certain volume. Given that morphing DDoS attacks can take aim at different resources, in his view, thresholds don't work. They also fail because good traffic is blocked along with bad, so the potential for false positives is non-trivial.
Federov commented that simply doing anomaly detection at the network level is not accurate either and the lesson learned from testing with SODA is that there is also a need to use anomaly detection at the application level.
Tyagi added that SODA is a tool that can be used by organizations to enable bakeoffs in a way that tests resilience for morphing attacks.
"We don't care what you use for DDoS, ProtonMail got attacked and we got really charged and we wanted to help the community to defend against similar types of attacks," he said. "Whatever you use, focus on intelligent mitigation and test your posture, we understand it's hard and that's why we give you a kit with SODA."
Researchers at ESET have discovered malware-distributing spam campaigns targeting people in France.
Dubbed Varenyky, the malicious payload comes with several dangerous functionalities. Not limited to the sending of spam, it can also steal passwords and even spy on victims’ screens while they watch sexual content online.
The first spike in ESET telemetry for this bot came in May 2019, and after further investigation, researchers were able to identify the specific malware used in the spam’s distribution.
“We believe the spambot is under intense development as it has changed considerably since the first time we saw it. As always, we recommend that users be careful when opening attachments from unknown sources and ensure system and security software are all up to date,” said Alexis Dorais-Joncas, leading researcher at the ESET R&D center in Montreal.
As explained in an ESET blog post, Varenyky first infects victims – exclusively French-speaking users in France – with a fake invoice that lures the target into providing “human verification” of the document. From there, the spyware executes the malicious payload.
After infection, Varenyky executes Tor software, which enables anonymous communication with its command-and-control (C&C) server.
“It will start two threads: one that’s in charge of sending spam and another that can execute commands coming from its command-and-control server on the computer,” added Dorais-Joncas. “One of the most dangerous aspects is that it looks for specific keywords, such as bitcoin and porn-related words, in the applications running on the victim’s system. If any such words are found, Varenyky starts recording the computer’s screen and then uploads the recording to the C&C server,” he added.
ESET explained that, interestingly, the targets of all the spam runs observed were users of Orange S.A., a French internet service provider.
FireEye has identified a new advanced persistent threat (APT) group, dubbed APT41.
As the firm explained in a blog post, APT41 is “a prolific Chinese cyber-threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations.”
The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors across various jurisdictions, FireEye continued, with operations against higher education, travel services and news/media firms providing some indication that the group also tracks individuals and conducts surveillance. The group’s financially motivated activity has primarily focused on the video game industry, according to FireEye.
FireEye researchers wrote: “APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware.”
Sandra Joyce, SVP of global threat intelligence at FireEye, said: “APT41 is unique among the China-nexus actors we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain. They are as agile as they are skilled and well resourced. Their aggressive and persistent operations for both espionage and cybercrime purposes distinguish APT41 from other adversaries and make them a major threat across multiple industries.”
Researchers at NCC Group have uncovered 35 “significant” vulnerabilities in models from six popular enterprise printer brands.
The firm claimed to have been able to find the flaws using “basic tools,” some of which date back 30-40 years, and added that some bugs were uncovered within mere minutes.
They include buffer overflows, cross-site scripting, denial of service, information disclosure and other flaws as well as hard-coded credentials and broken access controls.
All of the vulnerabilities discovered have now been patched or are in the process of being fixed and system administrators are urged to update the affected models to the latest firmware.
“Because printers have been around for decades, they’re not typically regarded as enterprise IoT, yet they are embedded devices that connect to sensitive corporate networks, and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT,” argued Martin Lewis, research director at NCC Group.
“Building security into the development lifecycle would mitigate most, if not all, of these vulnerabilities. It’s therefore important that manufacturers continue to invest in and improve cybersecurity, including secure development training and carrying out thorough security assessments of all devices.”
Lewis added that corporate IT can also improve the resilience of any connected devices in the organization, by making small changes such as altering default settings, developing and enforcing secure printer configuration guides and, of course, applying regular firmware updates.
Last year, researchers found two vulnerabilities in HP all-in-one printers which could enable hackers to attack corporate networks simply by sending a specially crafted fax.
Online merchandise store CafePress has been criticized for poor incident response and cybersecurity after it emerged that over 23 million customers had their personal data stolen.
Breach notification site HaveIBeenPwned? was apparently where many customers first heard about the incident, which it said occurred in February this year.
“The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes,” it said in a brief note. The site appears to have been notified about the incident by security researcher Jim Scott.
There doesn’t appear to be any kind of notification on the official CafePress website or Twitter feed.
In fact, according to some customers who logged in to their accounts, the firm is forcing users to change their credentials but merely as part of a claimed ‘update’ to its password policy.
Stuart Reed, VP cyber at UK firm Nominet, pointed to the fact that half of the passwords in the breach were hashed with the weak SHA-1 algorithm.
“This puts those passwords and their owners at risk not only from these compromised records but also if the passwords have been reused elsewhere. Given that the passwords have potentially been out in the wild since February, security for those affected has potentially been compromised for the past six months,” he argued.
“It is fundamental that firms identify and take action against data breaches fast. Identifying large scale exfiltration attacks, stopping the attack and keeping those affected informed as quickly as possible is the only way to successfully mitigate the impact.”
Layered security is vital, covering people, process and technology, he added.
“While two-factor authentication, not using the same passwords, and changing your passwords when a breach has happened are all good practice, there has to be more responsibility taken by breached organizations to prevent, detect and block attacks more quickly,” said Reed.
Martin Jartelius, CSO at Outpost24, argued that the firm could be in breach of GDPR rules if it has failed to respond in a timely manner and EU citizens are affected.
“It is there to decrease the risk of exposing users' private information, and most importantly it is there to ensure that if a company fails to protect users, they have the right to be informed and thereby take corrective actions,” he said.
“The bad habit of user password reuse means that while CafePress logins may be protected by the forced password reset, any re-use of passwords may lead to consequences for users. Sadly withholding this information is a very bad practice.”
Speaking at Black Hat USA in a session titled 'Deconstructing the Phishing Campaigns that Target Gmail Users,' Elie Bursztein, security and anti-abuse research lead at Google and Daniela Oliveira, associate professor at the University of Florida, said that “phishing is 45-times more dangerous than having your data exposed.”
Bursztein said that phishing is an ever-evolving target: every day Gmail blocks over 100 million phishing emails, which it categorizes into three levels of sophistication. At the top is spear phishing, judged to be an “extreme case of sophistication and highly targeted.” In the middle is boutique phishing, crafted campaigns targeted at individuals in organizations. At the bottom is bulk phishing, typically mass campaigns spread through botnets.
“Phishing is adversarial, the attacker is shifting and messages keep being changed,” Bursztein added, highlighting a series of phishing messages from the last decade which were all different and have refined colour, shape and appearance to better avoid detection.
“Of the 100 million phishing emails we blocked, 68% had never been seen before,” he said. “It doesn’t mean that they are radically different, it just means that the adversaries have tweaked them in a way so they are not exactly the same.”
He said that every day, the system has to account for two-thirds of data that it has never seen before “and this is the difficulty with phishing, where the attacker keeps changing the content.”
The research also showed that a boutique email has a lifespan of around seven minutes from when it is first seen, while a bulk campaign’s life is 13 hours.
“A phishing campaign today is very different from what we will see tomorrow, so we have to take this context and keep investing in better detection techniques,” he said.
Bursztein also pointed out that phishing is targeted, and said that people with a business email address are 4.8-times more likely to receive a phishing email. “Why? Because phishers are selective,” he said. “Remember, they are financially motivated, so for the highest target, business email compromise is the main problem.”
He added that, in order to better educate users, a yellow banner has been implemented as a “soft warning” in cases where Gmail cannot confirm that a message is phishing, so the user makes the final decision.
Oliveira said that we are “all susceptible to phishing” as phishing tricks the brain in the way we make decisions, especially with deception and detection.
She argued that user awareness is critical to making a decision, and Bursztein concluded by saying that “there is no silver bullet when it comes to defending against phishing,” but he recommended using two-factor authentication and user education to help protect users, and highlighted “an ever pressing need to work on improving detections and on classifiers to deal with the onslaught of attacks.”
North Korean hackers have earned the Kim Jong-un regime in the region of $2bn after targeting banks and cryptocurrency exchanges, according to a new UN report.
The effort was likely coordinated by the hermit nation’s top military intelligence agency, the Reconnaissance General Bureau, according to the report, which was leaked to the press on Monday.
“Democratic People’s Republic of Korea cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programs, with total proceeds to date estimated at up to two billion US dollars,” it noted.
Investigators are said to be looking at “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity” across 17 countries designed to generate foreign currency.
By doing so, it is believed that they would be able “to generate income in ways that are harder to trace and subject to less government oversight and regulation than the traditional banking sector,” as well as being easier to launder.
The news comes following several missile launches by the North Korean regime in May and July, which the UN said had “enhanced its overall ballistic missile capabilities.”
Despite the high-profile meeting of Donald Trump and Kim Jong-un, the country continues to break sanctions by buying WMD-related items and luxury goods, and is enhancing its nuclear and missile program, the UN claimed.
It’s been known for a while that North Korean hackers have been targeting cryptocurrency exchanges, but until now reports were piecemeal, hiding the true scale of the operation.
As far back as 2017 there were reports of state hackers targeting a London cryptocurrency firm and low velocity cryptocurrency mining operations. Last year reports suggested they managed to steal over £31m from South Korean exchange Bithumb.
At Black Hat USA in Las Vegas, Anomali threat research team manager Joakim Kennedy explained to Eleanor Dallaway why he believes the open source movement in the cybersecurity industry will help to address the skills gap.
“One way of opening up the industry to more people is to provide good free tools accessible to everyone.” The open source movement allows people “to take the toolkits and moderate them.” This, he said, is particularly relevant to teenagers and people outside of the cybersecurity industry who may have an interest in joining. “The best way to learn is to get hold of toolkits and play with them, moderate them,” he said, explaining that his own path into the industry began as a teenager, “using whatever tools were available” and educating himself.
Making these open source tools available “will trigger the interest of the next generation of potential employees by giving them the tools to play with for free and get their interest. We need to get more interested people into the field and there’s a high threshold to get started.” He explained this high threshold means that the paid products and tools in the industry are very expensive. “The license price is too high.”
Anomali’s Kennedy explained that when new starters are employed without industry background, “it takes a lot of training to teach them new tools and techniques.” If open source toolkits were used in university programs, that would give candidates helpful exposure to the tools they’ll need in future roles. “Imagine having to train new employees in Microsoft Office,” said Kennedy, to emphasize his point.
What makes a good cybersecurity professional, explained Kennedy, is “being a good problem solver, having curiosity and a willingness to learn.” If a candidate has those qualities, they can be trained, said Kennedy.
Open source toolkits are useful for researchers, but “the market isn’t there to sell it. We write them to give back to the research community. The evolution in the industry means our tools have to be modified to fit what is current. That’s the benefit of open-source – it can evolve with the industry.”
Eco-systems are being built around open source toolkits, explained Kennedy. “A lot of paid tools allow for open source plug-ins to automate tasks. A lot of these plug-ins are being released freely to support commercial services.”
Kennedy doesn’t understand why CISOs are often reluctant to allow open source tools into their organizations. “What are they afraid of? They can audit them – which you can’t do with a proprietary product. They have to put their trust in that vendor for that. With open source, they can audit it themselves.”
When asked what new threats his team are observing, he responded “threats are just evolutions of older threats. What we’ve seen in the past year has been a shift in the way ransomware is being used.” Ransomware was taken over by cryptomining but when the crypto market crashed, ransomware took over once again. “Now, however, rather than targeting the masses, ransomware attacks are more targeted and focused in their approach. Gone are the days of spam and send-to-all targets. Now they specifically target their entrance and how to get in more closely.”
“Ultimately,” concluded Kennedy, “Security is being better than your neighbors so they break into them and not you. A lot of criminals just look at low-hanging fruit, so make it as hard for them as possible.”
After the previously announced keynote speaker Will Hurd was withdrawn amid criticism from the security community over his voting record, Zovi took the opportunity to focus on the “shift left” concept and on how he had worked his way through events like Pwn2Own and security jobs where he had seen differing security cultures.
He said that starting his job at Square in 2014, he was able to overcome some of the collaboration problems he had seen in other jobs, and especially where there was a culture of collaboration and empathy, “as security engineers wrote code like everyone else.”
“A software team member said 'hello, security friends' and asked a question, and someone voluntarily talked to security. It took me a while to figure out what the ingredients were, and that was the transformative change for me.”
He said that when he saw this firsthand he was critical, and turned to demonstrating his capabilities because “we are not insiders anymore” and we need opportunities to demonstrate what we have learned.
To be better at security, he recommended looking at three transformative lessons:
- Work backwards from the job
- Seek and apply leverage
- Culture is hard
The first lesson is “what customers hire us for,” as agility “is important as threats change, and it is important to keep up.”
The second lesson should be about the fact that “we are still a small community and problems we tackle are huge,” Zovi said. If we have better feedback loops, he said, we can measure attacking and succeeding and consequently develop better software.
The third lesson is that culture is hard, and “ops and devs jobs are hard and to allow change, we need to allow change to happen.” He also said that it is about cultivating a culture of empathy. Instead of saying no, “say yes and how we can help” and move away from a culture of blame.
“If we do this better, it will shape our strategy and shape our tactics and have an impact on results. And that is why we should focus on generating generative cultures,” he said. “Security teams are afraid and there are good reasons to be afraid, as there is a lot of bad activity going on out there, a lot of breaches, a lot of scary things and new stuff every day. But fear misguides us, as it is irrational, and if we are afraid of tail risks we could have a deprioritization of our resources. We may focus completely on targeted zero-day attacks and completely ignore credential stuffing attacks, which are far more common and way more likely to affect most people.”
He concluded by encouraging the world “to start with yes” as it keeps the conversation going and is collaborative and constructive. “That is how we have real change and have real impact.”
The LokiBot malware continues to evolve and is now using steganography to cloak its malicious files, according to a report from Trend Micro this week.
Recently highlighted as one of the top three malware strains of 2018, LokiBot started out as a password- and cryptocurrency wallet–stealing malware on hacker forums as early as 2015, but it has evolved, according to Trend Micro. It has taken to abusing the Windows installer and updating the methods that it uses to stay on the victim's system.
Now, Trend Micro has identified a new variant of the malware that uses steganography to help hide its malicious intent. It installs itself as a .exe file, along with a separate .jpg image file. The image file opens normally, but it also contains data that LokiBot uses when unpacking itself.
This LokiBot variant drops the image and the .exe file into a directory that it creates, along with a Visual Basic script file that runs the LokiBot file. Its unpacking program uses a custom decryption algorithm to extract the encrypted binary from the image.
Trend Micro has seen LokiBot hiding inside image files before. In April, it reported a variant of the malware that hid a .zipx attachment inside a .png file.
Steganography has two benefits for malware authors, warned the researchers. First, it provides another layer of obfuscation, helping the malware to slip past some email security systems. Second, it provides the malware authors with more flexibility. This variant used the VBScript file interpreter to execute the malware rather than relying on the malware to execute itself. This means that the authors can change the script to alter the technique that LokiBot uses to install itself.
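The simplest way to make an image “open” normally while carrying extra data is to append the payload after the JPEG End-Of-Image marker (FF D9), which decoders ignore. The triage check below is an added example (not Trend Micro's or LokiBot's code, and not a claim about how LokiBot's custom algorithm packs its binary); it walks the JPEG marker structure to find the real EOI and measures what follows, and shows why a naive search for the first FF D9 misfires on images that embed an Exif thumbnail. The sample JPEG is constructed inline and is syntactically valid but not decodable.

```python
"""Triage check for JPEG files carrying bytes after the End-Of-Image marker."""
import struct

SOI = 0xD8
EOI = 0xD9
SOS = 0xDA
# Markers with no length field: TEM, SOI and RST0..RST7.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def find_eoi_end(data: bytes) -> int:
    """Return the offset just past the top-level EOI marker.

    Segment lengths are honoured, so an FF D9 inside an embedded Exif
    thumbnail (APP1 segment) is not mistaken for the end of the outer image.
    Raises ValueError for anything that is not a well-formed JPEG.
    """
    n = len(data)
    if n < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:      # skip fill bytes
            pos += 1
        if pos >= n:
            raise ValueError("truncated at marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2 or pos + seg_len > n:
            raise ValueError("bad segment length")
        pos += seg_len
        if marker == SOS:
            # Entropy-coded data follows: an FF byte is either stuffed (FF 00)
            # or a restart marker (FF D0..D7); anything else is a real marker.
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= n:
                    raise ValueError("truncated scan data")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2
                elif nxt == 0xFF:
                    pos = idx + 1
                else:
                    pos = idx
                    break
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the real EOI; empty for a clean image."""
    return data[find_eoi_end(data):]


def naive_trailing_len(data: bytes) -> int:
    """The common shortcut: first FF D9 in the file. Wrong when a thumbnail is embedded."""
    idx = data.find(b"\xff\xd9")
    return len(data) - idx - 2 if idx >= 0 else -1


def triage(name: str, data: bytes, threshold: int = 0) -> dict:
    """Flag files whose trailing byte count exceeds threshold (raise it if
    your image pipeline is known to add a few bytes of padding)."""
    tail = trailing_payload(data)
    return {"file": name, "trailing_bytes": len(tail), "suspicious": len(tail) > threshold}


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(appended: bytes = b"") -> bytes:
    """Constructed sample: a JPEG with an Exif thumbnail (its own FF D8 ... FF D9),
    one scan containing stuffed FF 00 and an RST0 marker, then EOI plus `appended`."""
    thumb = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00") + b"\xff\xd9"
    exif = _segment(0xE1, b"Exif\x00\x00" + thumb)
    sof0 = _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return b"\xff\xd8" + exif + sof0 + sos + scan + b"\xff\xd9" + appended


if __name__ == "__main__":
    clean = build_sample()
    stuffed = build_sample(b"CONSTRUCTED-PAYLOAD")      # stands in for an appended binary
    print(triage("clean.jpg", clean))                   # suspicious: False
    print(triage("stuffed.jpg", stuffed))               # suspicious: True, 19 trailing bytes
    print("naive check on clean file:", naive_trailing_len(clean), "bytes (false positive)")
```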
Steganography is becoming an increasingly common form of obfuscation for malware authors. Other notable uses of the technique include the Stegoloader backdoor Trojan, and the Vawtrak malware, which hid update files in favicons. The 2019 VeryMal campaign also used the technique to hide malware in advertising images.
You've heard about wardriving, but what about warshipping? Researchers at IBM X-Force Red have detailed a new tactic that they say can break into victims' Wi-Fi networks from afar.
The company calls the technique warshipping, and it is a more efficient evolution of wardriving, a popular technique among hackers seeking access to any wireless network they can find. Whereas wardrivers drive around a wide area with a directional antenna looking for wireless networks to crack, IBM's researchers took a more targeted approach.
Speaking at Black Hat USA, IBM researchers explained how they used off-the-shelf components costing under $100 to create a single-board computer with Wi-Fi and 3G capability. This enables it to connect to a Wi-Fi network to harvest data locally and then send it to a remote location using its cellular connection. The small device runs on a cell phone battery and easily fits into a small package.
Attackers can then send the device to a company via regular mail, where it will probably languish in a mail room for a while. During this time, it can connect to any Wi-Fi networks it finds in the building and harvest data – typically a hashed network access code. It sends this back to the attacker, who can then use their own resources (or a cloud-based cracking service) to extract the original access code. At this point, they have access to the company's Wi-Fi network.
The warship device could access the Wi-Fi network and mount a man-in-the-middle attack, impersonating a legitimate Wi-Fi access point and coaxing company employees to access it. It would then be able to harvest their credentials and other secrets, IBM explained.
The device could be programmed to wake up periodically and use its 3G network to check a command and control server for instructions on whether to begin its attack or go back to sleep. This would help preserve its battery, IBM said.
The concept works in practice, warned the company, which said: "In this warshipping project, we were, unfortunately, able to establish a persistent network connection and gain full access to the target’s systems."
Chris Henderson, global head of IBM X-Force Red, has written up the attack at SecurityIntelligence.
Researchers at the Black Hat security conference this week have revealed vulnerabilities in a leading child's tablet product.
The flaws revolved around Pet Chat, an app that lets children talk to each other in a virtual room using pet avatars and predefined phrases. The app creates a peer-to-peer Wi-Fi connection (also known as Ad Hoc mode) that broadcasts the tablet's presence to similar devices using the SSID Pet Chat.
Checkmarx researchers used WiGLE, a wireless network mapping website, to track the location of LeapPads using Pet Chat. The vulnerability would allow anyone online to find the location of a LeapPad using Pet Chat by seeking them out on public Wi-Fi or tracking the device's MAC address.
Because Pet Chat didn't require authentication between devices, anyone near a LeapPad running the app could send an unsolicited message to the child with it, potentially using the preset phrases to lure the child into danger.
The LeapPad's outgoing traffic was also unencrypted, using HTTP rather than the TLS/SSL-encrypted HTTPS, the researchers warned.
They disclosed the Pet Chat vulnerability to LeapFrog in December 2018, although the company didn't remove it until June 2019.
This isn't the first time that children have been exposed by technology that purports to help them. In February, security consulting firm Pen Test Partners discovered that cybersecurity in children's smart watches had failed to improve following a report from the Norwegian Consumer Council in early 2018. The European Commission issued a recall order for one smartwatch, called Safe-KID-One, from German company ENOX, which sent information including location history and phone numbers in the clear. Malicious users could send commands to any watch making it call another number of their choosing.
LeapFrog didn't return our request for comment by press time.
In a panel at Black Hat USA, cryptographer Bruce Schneier; Camille Francois, research and analysis director at Graphika and fellow at Harvard Law School Berkman Center; and Eva Galperin, director of cybersecurity at the EFF, talked about the benefits of technologists to society.
In a panel titled “Hacking for the Greater Good: Empowering Technologists to Strengthen Digital Society,” Francois said that the concept of technologists is not new “and not tied to the nature of Black Hat and DEFCON.” Meanwhile, Galperin talked of how the EFF’s need for technologists grew in the 1990s, as people “who explained things to lawyers or take on large challenges like securing endpoints,” but the role of the technologist requires a different set of skills and day-to-day work from what most companies were doing.
This is because the “notion of adversarial research is an act of public interest technology,” Schneier said, and that it is "not new to me, or new to the community.”
Schneier said that the concept of finding systems that are sold and relied on, and testing them without the permission of the company or government, should be welcome as "they are evaluated and determine whether they should be used."
“When we do this as academics or in a threat lab, we are engaging in the public interest,” Schneier said.
Francois asked about when the Edward Snowden leaks were disclosed, saying that there was a reliance on technologists to help journalists with stories. “I was called by Glenn Greenwald to look at the documents, and journalists needed associate technologists to figure out what was going on,” Schneier said.
Francois said that there is a need to better prove the capabilities of technologists who serve the public interest. Schneier said: “We are seeing a lot more groups trying to bridge technology and policy and especially our area of tech security. Some is for fame and glory, some is for funding. Technologists want to do collaboration.”
Galperin said that the EFF’s niche of human rights in technology is “now touching everyone’s lives” and as technologists become more mainstream and important, “the opportunity for misunderstanding is higher.” She said that she is finding that battles that were thought to have been won, such as backdoors in end-to-end encryption, are being re-fought.
Moss said that a lot of the talks over the past 20+ years at Black Hat had been about wanting the attention of management, political leaders and the board. Now that they are listening, he asked what the industry is going to do with that.
“How we communicate really determines our outcomes, so for example now that the spotlight is on us, if we communicate well to the board you might get more budget, and if you communicate poorly to the board, you might get fired,” he said.
He asked how you communicate what “cyber” or “security” is, saying that the language we use causes us to think of problems in a certain way and “leads in a direction we may not want to go in.”
Moss used the example of cyber being seen as the fifth domain by the military, but said that does not mean it is equal “and we are using language in a way that doesn’t fit.”
Moss said that despite the internet still being in its early days, there are going to be several defining trends, including “centralized versus decentralized,” of which Moss said he believes in the latter “but there are efficiency gains in centralized.”
Moss said that we’re in a “centralization phase” that will enable law enforcement and regulation, and if the trend continues, he speculated, none of us will be surprised that we are more regulated.
“I’m a big believer that most of our problems are communications problems,” he said, adding that in DEFCON post-mortems, 80% of the problems are communications related and “totally fixable communications problems.”
Moss concluded by saying: “This gives me a lot of hope because we can fix communications problems. We are not inventing a new kind of maths, but what we have to do is reorder the way we think about things and reorder the way in which we communicate things and once we do that, you’ll see we will get completely different outcomes. Whether it is outcomes from our boss, or politicians or regulation. It is a bit of a soft skill that leads to better outcomes.”
A Pakistani man has been charged with multiple offenses after allegedly bribing AT&T staff to the tune of hundreds of thousands of dollars to help him fraudulently unlock two million customer mobile phones.
Muhammad Fahd, 34, was arrested in Hong Kong in February 2018 and extradited to the US last Friday. He’s charged with conspiracy to commit wire fraud and violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act.
He is alleged to have bribed staff at the US telco giant over a five-year period ending in 2017, paying one individual as much as $428,500. Three have so far pleaded guilty to their involvement.
“Initially, Fahd allegedly would send the employees batches of international mobile equipment identity (IMEI) numbers for cell phones that were not eligible to be removed from AT&T’s network. The employees would then unlock the phones,” explained a DoJ news statement.
“After some of the co-conspirators were terminated by AT&T, the remaining co-conspirator employees aided Fahd in developing and installing additional tools that would allow Fahd to use the AT&T computers to unlock cell phones from a remote location.”
This effectively meant installing malware and unauthorized hardware on AT&T’s network so he could sell phone unlocking services to the general public, depriving the telco “of the stream of payments that were due under the service contracts and instalment plans,” according to the indictment.
Another co-conspirator, Ghulam Jiwani, was also arrested in Hong Kong but died before he could be extradited to the US. Fahd is facing a maximum of 20 years behind bars if found guilty.
“This defendant thought he could safely run his bribery and hacking scheme from overseas, making millions of dollars while he induced young workers to choose greed over ethical conduct,” said US attorney Brian Moran. “Now he will be held accountable for the fraud and the lives he has derailed.”
Over half of organizations are struggling to protect their workloads, claiming the maturity of their security posture can’t keep up with the rapid pace of cloud adoption, according to Symantec.
The security giant polled 1250 IT decision-makers in 11 countries worldwide to compile its 2019 Cloud Security Threat Report.
It revealed that while 53% of enterprise workloads have now been migrated to the cloud, a similar percentage of organizations (54%) are struggling to keep pace with the expansion of cloud apps.
Most (93%) said they are having trouble keeping track of workloads and estimated that more than a third of files in the cloud shouldn’t be there.
Some 83% claimed they don’t have the right processes in place to effectively manage security incidents, meaning a quarter of alerts go unaddressed.
Nearly three-quarters (73%) said they’ve experienced an incident because their cloud security isn’t mature enough – i.e. they lack controls like encryption and multi-factor authentication (MFA) and are poorly configured. Some 65% of organizations failed to implement MFA in IaaS environments and 80% don’t use encryption, according to the report.
As a result, they face an increased risk of insider threats – ranked by respondents as the third biggest threat to cloud infrastructure.
Nico Popp, Symantec’s senior vice-president of cloud & information protection, explained that 69% of responding organizations believe their data is already on the dark web for sale and fear an increased risk of data breaches because of their cloud migration.
“The adoption of new technology has almost always led to gaps in security, but we’ve found the gap created by cloud computing poses a greater risk than we realize, given the troves of sensitive and business-critical data stored in the cloud,” he added.
“Data breaches can have a clear impact on enterprises’ bottom line, and security teams are desperate to prevent them. However, it’s not the underlying cloud technology that has exacerbated the data breach problem – it’s the immature security practices, overtaxed IT staff and risky end-user behavior surrounding cloud adoption.”
Security researchers are warning of a new speculative execution vulnerability affecting all modern Intel processors which could allow attackers to access sensitive data stored in the kernel.
The CVE-2019-1125 flaw bypasses all mitigations put in place after the discovery of Spectre and Meltdown in early 2018, according to Bitdefender. It’s said to affect all processors built since 2012, running on Windows, Linux or FreeBSD laptops and servers – meaning consumers and enterprises are at risk.
It could enable a side-channel attack that abuses a little-known system instruction called SWAPGS, exposing data in privileged portions of the kernel memory such as passwords, tokens, private conversations, encryption and more.
“This attack exposes sensitive information from the OS kernel by abusing speculative execution of SWAPGS instruction. An attacker can force arbitrary memory dereferences in kernel, which leaves traces within the data caches,” explained Bitdefender.
“These signals can be picked-up by the attacker to infer the value located at the given kernel address. Consequently, attackers can exploit this vulnerability to search values in kernel memory (check if a given value is located at a given kernel address) or leak values from arbitrary kernel addresses.”
Bitdefender has been working with Intel for over a year on this research and claims its Hypervisor Introspection (HVI) tool will provide protection until patches are available, instrumenting each vulnerable SWAPGS instruction to ensure it will not execute speculatively.
Patches are apparently being readied by ecosystem partners like Microsoft and users are urged to implement them as soon as they're available.
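Once the fixes land, a defender wants a quick way to confirm a host actually carries them. The following is an added example (not Bitdefender's or the kernel's code) that parses the Linux sysfs CPU-vulnerability report, in which the CVE-2019-1125 fix appears as "swapgs barriers" under the spectre_v1 entry; the sample report is constructed, and the parser accepts both the bare "name: status" form and the path-prefixed form that `grep .` on the sysfs files produces.

```python
"""Added example (not Bitdefender's or the kernel's code): classify the Linux
sysfs CPU-vulnerability report and flag whether the SWAPGS barrier mitigation
that ships with the CVE-2019-1125 patches is present."""
import re

# Constructed sample in the shape of
#   grep . /sys/devices/system/cpu/vulnerabilities/*
# (one "<path>:<status>" line per file; a bare "<name>: <status>" is also accepted).
SAMPLE_REPORT = """\
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
mds: Vulnerable: Clear CPU buffers attempted, no microcode
"""

LINE_RE = re.compile(r"^\s*(?:[^:\s]*/)?([a-z0-9_]+):\s*(.*)$")

def parse_report(text):
    """Return {name: (state, status)}; state is 'not_affected', 'mitigated',
    'vulnerable' or 'unknown', derived from the kernel's status prefix."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, status = m.group(1), m.group(2).strip()
        if status.startswith("Not affected"):
            state = "not_affected"
        elif status.startswith("Mitigation:"):
            state = "mitigated"
        elif status.startswith("Vulnerable"):
            state = "vulnerable"
        else:
            state = "unknown"
        entries[name] = (state, status)
    return entries

def swapgs_barriers_present(entries):
    """CVE-2019-1125 is reported under spectre_v1: patched kernels add
    'swapgs barriers' to that entry's mitigation string."""
    state, status = entries.get("spectre_v1", ("unknown", ""))
    return state == "mitigated" and "swapgs barriers" in status

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for name, (state, status) in parsed.items():
        print(f"{name:12} {state:13} {status}")
    print("SWAPGS barriers:", "present" if swapgs_barriers_present(parsed) else "MISSING")
```

On a live Linux host, feed the output of `grep . /sys/devices/system/cpu/vulnerabilities/*` to `parse_report` instead of the constructed sample.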
“Criminals with knowledge of these attacks would have the power to uncover the most vital, best-protected information of both companies and private individuals around the world, and the corresponding power to steal, blackmail, sabotage and spy,” said Gavin Hill, vice-president, datacenter and network security products at Bitdefender.
“Research into these attacks is on the cutting edge as it gets to the very roots of how modern CPUs operate and requires a thorough understanding of CPU internals, OS internals, and speculative-execution side-channel attacks in-general.”
Lord, who also served as CISO of Yahoo, Netscape and Rapid7, talked about stories such as the Yahoo attack and breach, and how the lessons learned “should be talked about,” but there are too many cases where we “talk technology but have forgotten how to tell stories to executives.”
He said that this problem of communication is “repeated breach after breach” and that the industry often fails to tell a story and be heard.
Pointing to his current work at the DNC, Lord said that this involves working with state parties and campaigns, which have separate funding and separate charters, and are separate legal entities with different levels of maturity.
This led to a suggestion to kill the checklist of security best practice, which Lord called “a roadmap of our failure to build usable security in products”. The only way to resolve it, he offered, is to sit down one-on-one to get it done. That, he countered, doesn’t scale.
He said: “We realize doing the basics is hard and time consuming,” and if we have to do it one-on-one we have “failed users,” so we need to take a more active role and move to “secure by design.” This includes making updates painless, automatic and transparent, and enabling encryption on laptops that doesn’t have to be paid for and is not hard to install.
Lord also called for better security standardization, especially in authentication. Instructing someone how to use a password manager, he said, “is a real struggle to help someone under the best circumstances.”
He pointed at the case of 2FA. If a user has to search for how to enable 2FA, he said, then “something is not quite right.” He also advised against connecting to “sketchy wifi,” but conceded that it is hard to determine what a “sketchy wifi” network looks like.
“You shouldn’t have to pay more to be good at security,” Lord said. “Don’t treat it as a luxury item.”
He concluded by saying that things should be more “secure by default for average folks, in all devices and services, with no action required by users” and praised the work of the FIDO Alliance, which he said is “a real game changer in making things secure for the average person.”
Marking the sixth birthday of the 'I Am the Cavalry' concept of driving better security standards, co-founder Josh Corman spoke at BSides Las Vegas on what the initiative had achieved so far, and what more had to be done.
Corman said that over the past year, he had looked at what the movement had achieved, and what the milestones were and he determined that “we are sort of there for cars and part there for medical” and if there were an attack on medical devices, “we would probably be safe.”
However he felt that whilst a lot had been done for medical to make it “trustworthy and safe”, he believes the movement was “stuck” and needs to get back to its first principles. Corman said that there is a theme of “getting our asses kicked over and over” and whilst he still had a lot of fight in him, “someday we will fight our last fight.”
Looking at the concept of the cyber kill chain, Corman said that if we are being kicked again and again, we need to determine that “if we disrupt one link, the breach doesn’t happen.” We need to know, he said, what steps to take “so there are no mass casualties in hospitals” and so we can build trust in regulators.
Corman said that steps need to be taken to “start workshopping how to define a lifeline”. We need to determine how long it is and how many links are in the rope, he said. Further, we need to know “how many have to die first” and still catch it and accept it.
He said that by building trust with the founding principles of empathy, focusing on future success and not on past failures and using better language, the founders “didn’t know if it would work but it did.”
Despite this, Corman said that “we are one noise away from mass casualty,” a sobering return to reality, as there is a lot more work to do. “Every time we got a new team mate, we solved the next step of the puzzle,” he said.
Corman concluded by saying that the movement needs to “lead by example” and that the next step is to consider who else to bring into the fold and what aptitudes to bring in.