Nefarious actors who successfully exploit a newly discovered vulnerability in Apple code signing can potentially deceive third-party tools into believing their code is Apple approved. Today, the Okta Research and Exploitation (REX) researcher who uncovered the security issue publicly disclosed the vulnerability that could allow threat actors to bypass a core security function to impersonate Apple.
Once researcher Josh Pitts contacted Apple, the CERT Coordination Center and all third-party developers, he recommended that a public blog post was the best means of reaching third parties that use code signing application programming interfaces (APIs) in a private manner.
Code signing is the process by which public key infrastructure is used to digitally sign compiled code and scripting languages in order to validate that the code has not been modified. Pitts discovered a vulnerability that breaks the trust in code signed by Apple used in MacOS security.
Recognizing that code signing has had a slew of security issues, Pitts wrote in his public disclosure, "Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT’ing code, or memory corruption to bypass code signing checks. All that is required is a properly formatted Fat/Universal file and code signing checks return valid."
If exploited, all third-party security, forensic, and incident response tools that use the code-signing API would be affected, along with the millions of consumers and businesses that use Mac machines.
"By exploiting this vulnerability, threat actors can trick even the most security-savvy people and bypass a core security function that most end users don’t know or think about as they go about their digital activities. And, with the proliferation of apps for the workplace and personal use in everybody’s daily lives, bad actors can easily abuse this vulnerability," Matias Brutti wrote in an Okta REX blog post today.
On 22 February 2018, Pitts submitted a proof of concept that was able to bypass third-party security tools, and Apple responded on 1 March advising the researcher to use kSecCSCheckAllArchitectures and kSecCSStrictValidate with SecStaticCodeCheckValidity, adding that API and developer documentation will be updated.
Despite additional information submitted on 6 March and 16 March to it, Apple stated on 20 March that it did not see this as a security issue that needed to be directly addressed. According to Pitts, on 29 March, "Apple stated that documentation could be updated and new features could be pushed out, but: '[…], third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.'”
While mobile app security is an issue across all sectors, 50% of apps that come from media and entertainment businesses are putting users at risk. New research from BitSight found that a significant percentage of mobile apps across multiple industries have high-severity vulnerabilities.
“Mobile apps pose significant risks, such as data leakage, credential theft and unencrypted personally identifiable information when not properly secured,” Dan Dahlberg, technical director, Bitsight, said in an email.
Analyzing data from over 10,000 companies across the categories of business services, finance, tech, education and media, BitSight learned that more than half of the music, news, media, publishing and entertainment companies failed their high-severity tests. Over 10% of those media and entertainment apps that failed have unencrypted location data, which could allow attackers to access a user’s GPS location.
In addition, the research suggested that because one in four finance companies offers risky mobile apps, there is potentially higher risk of bank accounts being accessed without proper authorization.
“The Finance industry had the highest rate of broken SSL configurations (invalid TLS/SSL certificates): over 34% of applications that failed high severity tests in the Finance industry could be vulnerable to man-in-the-middle (MITM) and other attacks that can compromise data,” BitSight wrote in today’s blog post.
In the business services and education industry, 32% of the mobile apps BitSight tested are not encrypting end-user data, including the devices' IP addresses.
"Businesses need comprehensive, objective visibility into the security performance of the third and fourth parties they do business with. This includes understanding whether they offer apps that are predisposed to vulnerabilities, which could be detrimental to the entire vendor network, if compromised," Dahlberg wrote.
In related news, despite the woes of mobile app security the market is swiftly burgeoning. Today ABNewsWire announced that the global mobile application security market forecasts a compound annual growth rate (CAGR) of 25.96%. The new report, Application Security Market 2018 Global Analysis, Growth, Trends and Opportunities Research Report Forecasting to 2023, looks at what is both driving and restricting the demand of application security.
The US government has slapped sanctions on a further five Russian organizations and three Russian nationals in response to recent Kremlin-sponsored cyber-attacks including NotPetya.
The Treasury Department took action under Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, and Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), which was passed last year despite protests from President Trump.
It claimed that one of the “designated entities” named in the order, Kvant Scientific Research Institute (Kvant), is controlled by and has provided material and technological support to Russia’s Federal Security Service (FSB).
Two others, Divetechnoservices and Digital Security, are said to have provided the FSB with material and technological support. The other two organizations, Embedi and ERPScan, are apparently owned by Digital Security.
The Treasury notice drew attention to recent Russian attempts to destabilize its geopolitical rivals in the West including the NotPetya ransomware campaign, attacks on the US energy grid and the VPNFilter campaign to compromise network devices around the world.
It also called out Russian efforts to track the underwater communication cables that carry most of the world’s telecommunications data.
“The United States is engaged in an ongoing effort to counter malicious actors working at the behest of the Russian Federation and its military and intelligence units to increase Russia’s offensive cyber capabilities. The entities designated today have directly contributed to improving Russia’s cyber and underwater capabilities through their work with the FSB and therefore jeopardize the safety and security of the United States and our allies,” said Treasury secretary Steven Mnuchin.
“The United States is committed to aggressively targeting any entity or individual working at the direction of the FSB whose work threatens the United States and will continue to utilize our sanctions authorities, including those provided under CAATSA, to counter the constantly evolving threats emanating from Russia.”
The move comes as Donald Trump continues to advocate closer ties with the Putin administration. This week he called for Russia to be re-admitted to the G7 group of leading nations and blamed his predecessor Barack Obama for the country’s annexation of the Crimea.
Four in five EMEA organizations faced an email-borne attack over the past year, with the frequency and cost of attacks increasing, according to new research from Barracuda Networks.
The security vendor polled 145 IT security leaders in small, mid-sized and enterprise businesses across the region as part of a wider global study into the email threat.
While 80% said they’d been hit by an attack in the past year, 73% claimed the frequency of attacks is increasing and 72% said the cost of email-related breaches is rising.
Those costs can sometimes be indirect: 65% claimed attacks distract IT teams from more pressing strategic priorities, over half (52%) said they impact staff productivity and over two-fifths (44%) claimed reputation and remediation can be expensive.
Unsurprisingly, 70% are more concerned about email security now than they were five years ago.
The findings chime with other industry figures: phishing represented 93% of all breaches investigated by Verizon in its 2018 Data Breach Investigations Report, and email-borne attacks accounted for 85% of the 66.4 billion online threats blocked by Trend Micro last year.
What’s more, the FBI claimed in its most recent IC3 report for 2017 that Business Email Compromise incurred the highest losses of any threat category, at over $676m.
Email threats increasingly aim to socially engineer the victim into clicking on malicious links, opening malware-laden attachments, divulging sensitive info or making unsanctioned bank transfers. So it was understandable to see 79% of respondents to the Barracuda report claim poor employee behavior is a greater concern than inadequate tools.
Unsurprisingly a large majority (89%) also claimed end-user training and awareness is increasingly important to combat this risk. Of some concern, however, is the fact that over a third (35%) of organizations in EMEA still don’t train employees on how to spot phishing attacks.
Several law enforcement agencies across the globe have announced a joint effort to disrupt Business Email Compromise (BEC) campaigns designed to defraud businesses and individuals.
Operation WireWire saw the FBI work with police in Canada, Mauritius, Indonesia, Poland and Malaysia to arrest 74 suspects, including 42 in the US.
Domestically, the Feds said they teamed up with the Department of Homeland Security, the Department of the Treasury and the US Postal Inspection Service in a six-month program which began in January and resulted in a fortnight of “law enforcement activity.”
The operation also led to the seizure of nearly $2.4m and the “disruption and recovery” of around $14m in fraudulent wire transfers.
Many of these cases involved international criminal organizations which defrauded not only small-to-large sized businesses but also individuals including real estate purchasers and the elderly.
BEC incurred the highest losses of any internet-based crime category in 2017, according to the most recent FBI IC3 report. It made over $676m for the scammers, more than three-times the size of the next category down, confidence/romance fraud.
“This operation demonstrates the FBI’s commitment to disrupt and dismantle criminal enterprises that target American citizens and their businesses,” said FBI Director, Christopher Wray. “We will continue to work together with our law enforcement partners around the world to end these fraud schemes and protect the hard-earned assets of our citizens. The public we serve deserves nothing less.”
Separate research by Proofpoint released in February claimed that by the end of 2017, nearly 89% of all organizations studied were targeted by at least one BEC attack — a large jump from the 75% targeted in Q4 2016.
The average number of people targeted in each organization was 13.
Although there are AI-powered tools which can help to detect these scams, one of the best strategies for defense is improved user education and awareness alongside water-tight processes that forbid the transfer of large volumes of cash outside the organization without certain checks.
In the months that have followed Mark Zuckerberg's testimony before Congress, Facebook has repeatedly found itself in the headlines. Once again, it has come to light the the social media giant has been less than transparent, with the Wall Street Journal reporting that certain companies deemed to provide particular value to Facebook were placed on what was internally dubbed as "whitelists," granting them access to customer data.
Two companies identified as making the whitelist include the Royal Bank of Canada and Nissan Motor Co., a source familiar with the matter reportedly told the Journal. In addition to phone numbers, the information the companies were able to access included a "friend link" metric, which provided data on the degrees of separation among users and their friends.
While no additional names of whitelisted companies have been disclosed, Facebook has justified the deals, reportedly claiming that the access was granted with the intention of both improving the user experience and allowing third parties and partners the time needed to conclude their previously existing data-sharing projects.
Facebook acknowledged the "small group" had been granted extended access beyond 2015 May as part of what Ime Archibong, vice president of product partnerships, Facebook, called the company's consistent and principled approach to working with developers.
“As we were winding down over the year, there was a small number of companies that asked for short-term extensions, and that, we worked through with them,” Archibong reportedly said. “But other than that, things were shut down.”
This newest whitelist revelation is separate from the data-sharing partnerships with device makers that was reported last week. A Facebook spokeswoman is reported to have confirmed that the company has been sharing users’ data with at least 60 different device producers, including Apple, Microsoft and Samsung, since 2007.
Despite its claim to have stopped third-party access to information on users's friends data back in 2015, NordVPN wrote that "Facebook does not internally consider device makers to be third parties, so it did not disclose the fact that it was sharing the same exact data with those companies."
In an attempt to expedite legislation to secure US election systems, senators have introduced a new version of the Secure Elections Act as an amendment to the National Defense Authorization Act (NDAA).
With discussions of the NDAA reportedly on next week's agenda, Sens. James Lankford (R-Olka.) and Amy Klobuchar (D-Minn.) – backed by bipartisan cosponsors – have inserted their legislation as part of the annual defense policy legislation, according to The Hill.
In December of last year, after it was confirmed that Russian hackers had attempted to influence the 2016 election by targeting the election-related systems in 21 states, lawmakers introduced the Secure Elections Act, aimed at fortifying election systems.
Leading the effort to mitigate the risk of any foreign interference in future elections, Sens. Lankford and Klobuchar have since been revising the legislation amid concerns of the federal government taking over control of elections.
“The security of our election systems is a major national security issue, and it is appropriate for this legislation to be included in the National Defense Authorization Act,” Lankford said in a statement. “This legislation will help states prepare our election infrastructure for the possibility of interference from Russia, Iran, North Korea, or a domestic hacktivist group.”
The most recent version of the bill has eliminated a grant program that was originally intended to aid states in updating vulnerable systems; however, a recently approved omnibus package reportedly negated the need for such a grant, as the package includes $380m for states to secure their election systems. That money is to be distributed across all 50 states.
According to John Sebes, co-founder of the OSET Institute and CTO of its TrustTheVote Project, and William Crowell partner at Alsop Louie Partners, “The recent $380 million of federal funding to replace paperless voting machinery and improve cybersecurity is desperately needed, but it is unlikely to ensure the long-term cybersecurity of U.S. election technology.”
As the nation coasts toward the 2018 midterm election, “there are likely a number of vulnerabilities that states may not even be aware of yet,” wrote Sergio Valente, author, OSET Institute, “not to mention budget constraints and a lack of clarity whether states’ allocations of the recent $380 million of federal funding to improve cybersecurity or replace paperless voting machines will have desired impact in time.”
A collective group of stakeholders invested $60m in a Series B funding round for Claroty, a cybersecurity software provider for industrial control networks. With the backing of the collective group, the company's total investment climbed to $93m, making the round unprecedented.
Underscoring the urgency of defending critical infrastructure, this round, led by global investment firm Temasek, comes from venture capitalists that specialize in industrial control system (ICS) security, along with both the major control system vendors and the industrial assets owners and operators, including Rockwell, Siemens and Schneider Electric.
“Our unparalleled investor syndicate, which includes some of the most important industrial companies in the world, is a ringing endorsement of Claroty’s technology and the progress our team has made,” Amir Zilberstein, Claroty co-founder and CEO, said in today's press release.
The investor composition highlights the collective mission to secure the most critical networks against "economic warfare," or those attacks that are more difficult to detect but cause damage to or disrupt supply chains to manufacturing systems on underappreciated critical infrastructure.
“The recent increase in scale, scope and frequency of cyber-attacks on critical infrastructure has led to an uptick in demand for new solutions from companies around the world,” said T.J. Rylander, partner at Next47.
The rising geopolitical tensions with Iran and North Korea affirms the volatility of ICS. When coupled with warnings from DHS/CERT and the discovery of successful campaigns targeting critical infrastructure in the manufacturing industry, the need to address the risks in critical global infrastructures grows more critical.
“A perimeter defense to cybersecurity in today’s connected world is not enough. An end-to-end approach, with solutions that provide deep visibility into operational technology and industrial control systems, is critical for the security of heavy processing environments,” said Hervé Coureil, chief digital officer at Schneider Electric.
Chinese state hackers have stolen a huge trove of sensitive data from a US navy contractor, which could help the nation close the gap further with its rival superpower on the high seas.
The 614GB of material appears to have been focused on submarine-related military projects.
It was stolen from a contractor with the Naval Undersea Warfare Center and included “signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library,” according to the Washington Post.
Perhaps most alarming is the theft of information on a top secret $300m Sea Dragon project which is set to introduce a “disruptive offensive capability” to underwater battle.
Experts the paper spoke to believe that although China is investing huge sums to gain parity with the US on the high seas, it currently falls behind in anti-submarine technology, giving the US a theoretical advantage underwater.
Unnamed officials claimed that the material stolen was stored on the contractor’s unclassified network, but that if aggregated it could be considered as “classified”.
The incident is a reminder that while Russian hackers have become a staple feature of the news over the past couple of years, China’s fearsome intelligence apparatus remains a serious threat to Western governments.
The unit responsible for this raid is thought to have come from a Ministry of State Security (MSS) division in Guangdong.
Although the US struck a non-hacking agreement with China back in 2015, that only covered economic cybercrime and not cyber-espionage attempts focused around national security.
China’s continued militarization of the South China Sea remains a serious threat to US dominance in the region and a long-term strategic failure on the part of Washington, which has largely sat by and watched as the country builds out infrastructure on the islands, shoals and rocky outcrops that dot the area.
A South Korean crypto-currency exchange has lost virtual coins with a reported value of $37m after a cyber-attack on the company.
Coinrail explained in a statement earlier today that the attack came at dawn on Sunday.
“At present, 70% of your coin rail total coin / token reserves have been confirmed to be safely stored and moved to a cold wallet and are in storage,” it claimed.
“Two-thirds of the coins confirmed to have been leaked are covered by freezing / recalling through consultation with each coach and related exchanges. The remaining one-third of coins are being investigated with investigators, relevant exchanges and coin developers.”
It’s unclear how many of the ‘stolen’ coins will ultimately be recovered by the exchange. However, it revealed that some of those ‘leaked’ include some of the less popular virtual currencies including Fundus X (NPXS), Aston (ATX), and Enper (NPER).
Coinrail said it is still working out “the exact damage” resulting from the attack. However, local reports suggest the figure is in the region of 40 billion won ($37m).
The firm is co-operating with investigators, although reports suggest the exchange was likely targeted because it did not impose the same high self-regulatory security standards that several counterparts in South Korea have implemented.
The attack has already had a major impact on the market, with the value of Bitcoin apparently falling over 10%.
It’s just the latest in a long line of crypto-currency exchanges targeted by hackers over the past few years.
Ernst & Young warned in January that nearly $400m has been stolen from initial coin offerings (ICOs).
North Korean hackers have been particularly prolific, flagged by researchers as targeting virtual currencies to swell the coffers of the Kim Jong-un regime.
A man credited with helping to prevent the spread of WannaCry has been hit by more hacking charges in the US.
Marcus Hutchins, the “MalwareTech” researcher who helped to find a kill switch for the infamous ransomware, was arrested on his way home from a security conference last August.
At the time he was accused of helping to author the Kronos banking Trojan.
Now he’s been charged with also developing and distributing UPAS Kit, a "modular HTTP bot" designed to install on victims’ machines without alerting AV tools.
“UPAS Kit allowed for the unauthorized exfiltration of information from protected computers,” court documents claim. “UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer.”
In response to the new charges, Hutchins struck a typically dogmatic tone on Twitter.
“While this all sucks a lot, I can't stop laughing at the irony of the superseding indictment coming exactly on the 1 year anniversary of me receiving an award for stopping WannaCry,” he said.
“Wonder how long until I get indicted for conspiracy to commit jaywalking after my parents carried me while crossing the road in 1995.”
The cybersecurity researcher, who is unable to work whilst in the US but also unable to leave the country, is asking for more money to help support his legal case.
“Spend months and $100k fighting this case, then they go and reset the clock by adding even more bullshit charges like ‘lying to the FBI’,” he said.
WannaCry infected hundreds of thousands of computers in 150 countries around the world when it struck in May 2017, causing widespread damage to the NHS where an estimated 19,000 appointments and operations were cancelled.
Experts believe the impact could have been far worse had the “kill switch” domain not been registered, effectively curtailing the worm.
Open jobs in both the private and public sectors have increased to 301,873 over the 12-month period from April 2017 to March 2018, according to new data from CyberSeek, a free cybersecurity career and workforce resource.
According to CyberSeek, there were 109,000 openings for cybersecurity's largest role – information security analysts – but only 105,000 workers currently employed in those positions, reflecting an annual talent shortfall of 5,000 workers.
On 30 May, the Department of Commerce and Department of Homeland Security responded Executive Order 13800: Growing and Sustaining the Cybersecurity Workforce, with a report that called for improvements in the cybersecurity workforce. To that end, CompTIA and Burning Glass Technologies jointly developed CyberSeek, which is also supported by the National Initiative for Cybersecurity Education (NICE), which is a part of the National Institute of Standards and Technology (NIST).
The CyberSeek data found that "across all jobs, there were 6.5 employed workers per opening from April 2017 through March 2018. In cybersecurity, there are only 2.5 employed workers per opening." The largest job openings (194,224) are in the "operate and maintain" category, which includes roles related to the support, administration and maintenance of IT systems.
While employers struggle to find qualified candidates to fill a variety of cybersecurity-related jobs, open positions that require cloud security skills reportedly go unfilled for an average of 96 days, which is longer than positions for which any other IT skills are a prerequisite.
Part of the CyberSeek project includes a career pathway, which identifies 10 core cybersecurity roles – four of which advertise salaries over $100,000. In addition there are five "feeder" roles considered to be gateways into a cybersecurity career. Currently, the greatest demand within the core roles is for cybersecurity engineers.
“The cybersecurity talent shortage is widespread, impacting all 50 states,” said Matthew Sigelman, chief executive officer at Burning Glass Technologies, in a press release. “In every state, the employed cybersecurity workforce would have to grow by over 50 percent to align with the market average supply and demand ratio.”
In response to the new data, Tim Herbert, senior vice president for market intelligence, CompTIA, said, "There are a number of encouraging signs, such as a greater focus on the human element of cybersecurity. But even with this enhanced focus cybersecurity will likely to get worse before it gets better. That’s why it’s incumbent on us to close the gap between the supply and demand for trained and certified cybersecurity workers.”
Yet another patch has been released with security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS addressing multiple critical vulnerabilities. On 7 June, Adobe Security Bulletin announced that the exploits exist in the wild.
Used to target Windows users, the exploit leverages Office documents with embedded malicious Flash Player content distributed by email in the Adobe Flash Player 220.127.116.11 and earlier versions.
The update patched several vulnerabilities in Adobe Flash, and Adobe acknowledge all of those who disclosed the different flaws, expressing thanks to the individuals who worked to protect Adobe customers.
Trend Micro's Zero Day Initiative anonymously reported two vulnerabilities, CVE-2018-5000 and CVE-2018-5001. In collaboration with Trend Micro's Zero Day Initiative, Jihui Lu of Tencent KeenLab and willJ of Tencent PC Manager, reported vulnerability CVE-2018-4945.
"This is a confusion vulnerability, which means that the code does not properly inspect input data," said Allan Liska, threat intelligence analyst at Recorded Future. "When successfully exploited, this vulnerability allows for remote code execution."
The second critical vulnerability (CVE-2018-5002), reported by multiple sources, is a buffer overflow vulnerability that also allows for remote code execution. Liska noted that this is currently being exploited in the wild as part of several phishing campaigns.
"The exploit takes advantage of a Flash file embedded in a Microsoft Office document," said Liska. "When the victim opens the Office Document the Trojaned Flash code automatically runs and executes shell code, which calls out to the attackers command-and-control servers."
To protect themselves users should immediately upgrade their Adobe Flash and disable macros in Microsoft Office. Adobe recommends accessing the About Flash Player page in order to verify which version of Flash is installed on the system. Users who have selected the option to allow updates in Adobe Flash Player Desktop Runtime for Windows, macOS and Linux should automatically receive the most recent security updates.
New research found that cyber-criminals are using social engineering tactics to trick job seekers into replying to phony listings. According to a 7 June Flashpoint research blog, threats to job listing sites and recruitment portals are on the rise in the deep and dark webs.
Attackers target job listings and recruitment portals because they are ripe with all sorts of personal information. In addition to uploading resumes and cover letters – which include the obvious details of name, address, phone number, and email address – job seekers often are asked to provide additional personal information, such as their race and veteran status. Some online job applications also ask whether applicants have a disability or require a work-visa status.
Analyst David Shear, who researches cybercrime communities, actors and threats, found that cyber-criminals are looking to do more than steal personally identifiable information. When the unsuspecting job seekers reply to phony job listings, they are inadvertently recruited as money mules or lured into money laundering operations.
Recruitment portals also become direct targets when attackers send malicious "job applications" documents – usually a PDF attachment. If the documents are able to slip through weak or nonexistent scanning tools, they can grant an attacker access to data stored on the portal, leaving applicants vulnerable to identity theft.
Noting a marginal increase in the number of mentions on deep and dark web forums related to such activity around recruitment portals, Flashpoint analysts found that many of the mentions involve "advertisements for the availability of compromised accounts, or criminals soliciting business accounts in order to list jobs on the platforms."
"Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge," Shear wrote. Drafting these unwitting mules is a tactic that is growing in prominence on job recruitment portals.
Phishing campaigns have proven widely successful for the criminals, who target recruitment professionals rather than the recruitment portals.
According to Shear, one interesting nuance about the recruitment fraud schemes, is that enterprise organizations are at higher risk for targeting than small to mid size organizations.
"Not only is there more financial benefit to targeting enterprises, but threat actors can actually remain undetected for longer due to the complexity of large scale organizations and lack of communications between different locations of most of these enterprises," said Shear in an email.
Protecting the UK’s physical systems, such as energy grids, telecoms and the NHS, was the hot topic of debate during a keynote panel at Infosecurity Europe 2018 in London.
Spencer Summons, group head of information risk & security at Tullow Oil, kicked off the conversation saying a culture change is needed to make sure cybersecurity becomes front of mind going forward, in an industry that is predominantly focused on physical security and human safety procedures.
“Safety is a huge thing in an offshore environment and I don’t think cyber is seen in the same way as safety – but it’s getting there,” explained Summons, who works for an oil exploration company with many employees working on offshore vessels.
He said the immediacy of a cyber threat is less obvious than the threat to human life on a vessel out at sea, so it is more difficult to get members of staff to adopt further cyber-safety procedures, such as increasing the length of their passwords.
“But we need to ensure we continue to have security and culture change programmes as part of any security piece,” he said. “Part of the solution is about [board level] buy in, but the conversation doesn’t stop there, we need the same conversations at a tactical and operation level – and we can all agree it’s the people on the ground that are in control.”
Summons said it is about introducing emotion into cyberattack prevention. “It has to be real for them, so we’ve been showing hacker demos and showing them what might happen if someone hacks into their machines.”
Peter Gibbons, chief security officer at Network Rail, agreed, he said his employees take “great pride” with the physical assets they are responsible for. “And if they see someone tampering with it they get really upset, but they think cyber is something different.”
Changing the narrative
Network Rail has already been working on communicating the importance of cybersecurity throughout the business. Back in 2012 at the time of the London Olympics, Gibbons said the organisation changed its narrative when it came to cyber-attacks.
“The Olympics was a public transport event, there was no driving to the venues, so if the train stops running and no one gets to see Usain Bolt win the 100 metres, we’d be in the spotlight,” he explained.
“So from a business perspective we changed the narrative from a technical problem to a business problem. The story around cyber is not about losing a server in a rack, it’s about how many people didn’t get to work.”
Balancing cost savings
A question from the audience asked the panel how they balanced the need to upgrade cybersecurity systems versus the business drivers of cost savings and operational efficiency.
Summons replied that it comes down to what businesses believe forms a risk perspective, especially when the company has a huge number of legacy systems.
“How do we address systems already in existence that are arguably working well? We might look at some simple, physical security systems, particularly when looking at a vessel.”
But Summons said it comes down to making sure there is a representative stakeholder group which meets regularly to identify and prioritise risks, ensuring cyber has a seat at the table.
Nearly two-fifths (39%) of European businesses suffered DNS-related data theft over the past year, raising fears over GDPR non-compliance, according to EfficientIP.
The DNS security firm released findings from interviews with 400 respondents in Europe as part of its 2018 Global DNS Threat Report.
It found European companies are suffering a greater level of DNS-related data theft than the global average of 33%. The average cost per DNS attack has also risen strongly over the past year in Europe, by 43% to reach €734,000 — higher than North America and Asia Pacific.
However, in some countries the increase was even greater: in the UK the figure soared 105%, although firms paid a below-average €684,000. French organizations had the highest cost per attack at €847,000.
The DNS layer is always-on and running in the background, but as such often ignored by system administrators, despite containing multiple vulnerabilities thanks to its open design. That means many whitelist traffic, allowing attacks to proliferate.
These can include denial of service, compromising DNS servers with malware to take the user to malicious or phishing sites, and exfiltrating data via DNS tunnelling techniques.
The top five DNS-based attacks in Europe fall in line with the global top five, according to EfficientIP.
DNS-based malware (39%) was most popular, followed by phishing (34%), DNS DDoS attacks (20%), DNS tunneling (19%), domain lock-up (18%). The latter is a kind of denial-of-service attack in which domains and resolvers set-up by the attackers send random packets to DNS resolvers, “locking up” their resources so they are unable to deal with legitimate requests.
David Williamson, CEO of EfficientIP, said the findings are important in the context of the GDPR, which mandates that organizations follow best practices in securing customer and employee data.
“Surprisingly, our research shows European organizations have invested the least globally in technology which can prevent data theft,” he added. “In the year ahead, it will be interesting to see how European companies prevent data theft and avoid regulatory fines.”
Privacy International (PI) has sent England football manager Gareth Southgate an anti-surveillance kit to help mitigate the risk of rival teams spying on the Three Lions boss at the World Cup.
The rights group sent a Faraday cage specially designed by Agent Provocateur founder Joseph Corré, which can be used to block electromagnetic signals from reaching his devices.
It’s also sent a headline briefing warning the England boss that rival managers and Russia's fearsome security forces could hack his devices; activate the webcam and mic to eavesdrop on team talks and training; intercept phone calls; or even activate GPS tech to track Southgate’s movements, possibly with an eye on blackmail.
“If England are to stand any chance of progressing in the World Cup, Southgate will need to take all the precautions he can, including against spying,” argued PI state surveillance lead, Edin Omanovic.
“It's worth remembering that when governments hack, it's to gain a competitive edge against rival governments. Surely rival managers will all be wanting to gain a competitive advantage over each other in the biggest cup in the world.”
Privacy International is using the publicity stunt to highlight the UK Prime Minister’s flawed approach to encryption. Theresa May has repeatedly warned there should be no “safe spaces” on the internet for terrorists to hide and her new Investigatory Powers Act could even theoretically force providers to build encryption backdoors.
However, that same security is vital to protecting the privacy and security of law-abiding citizens and businesses, including the England manager and team.
The rights group has previous warned any visitors to Russia that their communications could be monitored by the authorities via SORM: the government’s “nationwide system of automated and remote legal interception infrastructure.”
Controversially awarded to Russia amid rumors of corruption and bribery, the FIFA World Cup will kick off next Thursday.
Hinchliffe works in the Unit 42 threat intelligence team at Palo Alto Networks and uses the frameworks ATT&CK and STIX to explore the lifecycle of cyberattacks. He described OilRig as an espionage adversary which over the last two years has been extracting information from governments, financial services companies and a number of non-profits in countries including Turkey, Saudi Arabia, Israel and Lebanon.
While Unit 42 has discovered that OilRig leverages malicious macro documents as part of its attack toolkit, it also uses custom tools, which Hinchliffe said has never been seen anywhere else before.
One example he gave of a malicious macro document attack used an end-point threat called Helminth which uses social engineering to illegally gather data from Microsoft Excel spreadsheets used frequently by governments and financial services.
“Sadly with most attacks it is phishing emails and using the human as the weakest link,” he said, explaining how the attackers will send an Excel document to its victim and even attach a .png image showing their victim how they want them to open the document.
“They are literally spelling it out for the victim.”
The compatibility warning in the excel was created by OilRig to look very similar to Microsoft’s own warning, tricking the user into running the code, which is hidden in the cells behind the manmade warning.
Custom attack tools
But it is when OilRig attacks servers directly with custom tools which is where the attack becomes unique.
Hinchliffe described how the first recorded attack of this type was called Two Face, where the attacker connected to a publically-facing webserver run by the victim, accessed by a webshell.
“It’s a lot more sophisticated than the end-point malware,” he said.
Meanwhile, a more recent server attack called an RG Door infection sees malware which “hooks” onto every get request or post request made to the victim’s webpage. This information passes through the adversary’s RG Door first, so it can manipulate the data.
Commenting on these direct server attacks, Hinchliffe said: “It’s a sophisticated way to communicate. And it prevents you having that beacon – that regular heartbeat saying ‘I’m here, I’m here’ – across the network, which is a bit more stealth.”
The now infamous VPNFilter malware thought to be the work of Kremlin-sponsored hacking group is worse than previously thought, affecting several new SOHO device manufacturers and containing additional threat capabilities, Cisco Talos has revealed.
The security vendor claimed in a new post this week that the attack campaign also affects devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. This is in addition to the original line-up of routers from Linksys, MikroTik, NETGEAR and TP-Link in 54 countries, as well as some QNAP network-attached storage (NAS) devices.
Cisco also revealed a newly discovered stage 3 module, named “ssler”, which “injects malicious content into web traffic as it passes through a network device.”
“At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge),” the firm noted.
“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”
That’s a dangerous new capability as it means the malware can attempt an exploit without a user having to visit a compromised site, click a link or open a malicious email attachment, according to Mounir Hahad, head of Juniper Threat Labs.
“It is obvious that the scope of this campaign is far bigger than initially thought. The ability to infect endpoints introduces a new variable and the clean-up process is more involved than just rebooting routers. Any exploit could have been used by the threat actors to target the computers behind infected routers,” he explained.
“At this point, it is important for people who had routers in the list of affected devices to make sure they have an updated anti-virus software running on their endpoints.”
Even though it's been more than two months and $2.7 million since a major ransomware attack nearly crippled the city of Atlanta, the aftershock continues to impact municipal employees across several departments.
At a 6 June Department of Atlanta Information Management (AIM) meeting, a city official requested an additional $9.5 million to try and correct the affected systems. Infosecurity Magazine attempted to contact AIM but has not received a response.
The city continues to work with private and government partners to understand the full scope of the attacks impact, but Atlanta's interim chief information office, Daphne Rackey, reportedly said that the number of impacted applications is more than 30% of the 424 mission critical programs. That number "seems to grow every day," Rackey reportedly told the Atlanta city council.
The attack, which came with the demand for $51,000 worth of Bitcoin that the city said it did not pay, encrypted city files, leaving customers unable to access city applications. Information on current city operations is available to residents, but whether any lost data has been restored is unclear because the city's website has not updated information on the attack since 30 March.
Several different agencies are said to have told the city council on 6 June that their workplace has yet to return to normal. "This has been painful on many fronts," Atlanta police chief Erika Shields told WSB-TV in a live interview on 1 June. Referring to the police dashcam data that was lost in the attack, Shields said, "That is lost and will not be recovered. That could compromise potentially a DUI case."
It's unclear what has been most painful for the department, however, because Shields also said that she is not overly concerned. "It's a tool, a useful tool, but the dashcam doesn't make cases for us."
Perhaps the greatest pains come from trying to investigate existing cases. A police department investigator, Matthew Condland, whose 105,000 files were corrupted, cited the attack as the primary reason he has yet to produce a key piece of evidence. Others expressed dismay over the dissemination of information since the attack, even though Atlanta implemented a new employee notification system, NotifyATL, after the attack.
The website's information for employees section explains that NotifyATL "will be used to inform you of critical work-related information by text, email and phone calls. If you have not yet registered, please do so. NotifyATL will be used for notifications in the future, so all employees will need to register to receive these work-related alerts. Go to the employee alert portal (bit.ly/CoA-Employee-Alerts) and click the sign-up link."