Infosec Island Latest Articles (https://www.infosecisland.com)

Backdoor Abuses TeamViewer to Load Malicious Library
https://www.infosecisland.com/blogview/24766-Backdoor-Abuses-TeamViewer-to-Load-Malicious-Library.html
Mon, 30 May 2016 09:04:00 -0500

Malicious programs have long been known to abuse TeamViewer to gain unauthorized access to infected machines, and a new piece of malware leverages the popular remote control tool in new ways, security firm Doctor Web has discovered.

Dubbed BackDoor.TeamViewer.49, the new Trojan was discovered by Dr. Web and Yandex earlier this month being distributed via a fake Flash Player update. The bogus update package, however, turns out to be a different malicious application called Trojan.MulDrop6.39120, which acts as a dropper, Dr. Web researchers say.

After landing on the target machine, the MulDrop6 Trojan installs the actual Flash Player, while also displaying a legitimate installation window for the popular plugin. In the background, however, the Trojan also covertly downloads TeamViewer, BackDoor.TeamViewer.49, and a necessary configuration file onto the compromised system. 

The newly observed BackDoor.TeamViewer.49 doesn’t leverage TeamViewer to get access to the user’s computer, since it has already managed to infiltrate the machine. As soon as the remote control app has been launched, the backdoor removes its icon from the Windows notification area, disables error reporting, and implements a mechanism that prevents it from being restarted.

The Trojan uses various internal functions of TeamViewer’s process and also abuses the fact that the application loads a library called avicap32.dll. By placing a malicious library with the same name in the application’s folder, malware authors can have it loaded into memory automatically when TeamViewer launches.

The backdoor saves its operational parameters in the configuration file and registers itself to autorun, which allows it to operate in an infinite loop. It then hides its download folder, the malicious library, and the configuration file, and also assigns them the “system” attribute. If this fails, the Trojan starts removing the TeamViewer keys from the system registry.
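As an added example (not Dr. Web's analysis code or anything from TeamViewer), the check below models the defender's side of the avicap32.dll trick: because an application's own folder is searched for a DLL before the Windows system directory, a DLL in that folder whose name matches a system DLL but whose content differs is the pattern to look for. The directory layout and file contents it scans are constructed; only the name avicap32.dll comes from the article.

```python
"""Spot a DLL planted beside an application that shadows a system DLL.

Added example, not Dr. Web's or TeamViewer's code.  It models the
avicap32.dll technique described above: Windows resolves an unqualified
DLL name from the application's own folder before the system directory,
so a defender asks "does the app folder hold a DLL whose name exists in
the system directory, and does its content differ from the system copy?"
The directory layout and file contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# The DLL named in the article.  Pass watched=None to check every DLL name
# present in the system directory instead of only this set.
DEFAULT_WATCHED = {"avicap32.dll"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(app_dir, system_dir, watched=DEFAULT_WATCHED):
    """Return sorted (dll_name, verdict) pairs for DLLs in app_dir that
    collide with a system DLL name.

    verdict is 'shadows-system-dll' when the app copy differs from the
    system copy (the hijack pattern), 'identical-copy' when it is a benign
    duplicate, and 'no-system-copy' when a watched name has no counterpart
    in system_dir at all.  Names compare case-insensitively, as on NTFS.
    """
    app_dir, system_dir = Path(app_dir), Path(system_dir)
    system_copies = {p.name.lower(): p for p in system_dir.iterdir() if p.is_file()}
    names_to_check = set(system_copies) if watched is None else {w.lower() for w in watched}
    findings = []
    for candidate in app_dir.iterdir():
        name = candidate.name.lower()
        if not candidate.is_file() or not name.endswith(".dll") or name not in names_to_check:
            continue
        system_copy = system_copies.get(name)
        if system_copy is None:
            verdict = "no-system-copy"
        elif sha256_of(candidate) == sha256_of(system_copy):
            verdict = "identical-copy"
        else:
            verdict = "shadows-system-dll"
        findings.append((name, verdict))
    return sorted(findings)


def build_demo_tree() -> Path:
    """Construct a throwaway layout: a fake system directory holding the
    genuine avicap32.dll, and an app folder where a different avicap32.dll
    has been planted next to the executable.  All contents are made up."""
    root = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    (root / "system32").mkdir()
    (root / "app").mkdir()
    (root / "system32" / "avicap32.dll").write_bytes(b"MZ constructed genuine capture library")
    (root / "system32" / "version.dll").write_bytes(b"MZ constructed version library")
    (root / "app" / "TeamViewer.exe").write_bytes(b"MZ constructed application")
    (root / "app" / "avicap32.dll").write_bytes(b"MZ constructed planted library")
    (root / "app" / "version.dll").write_bytes(b"MZ constructed version library")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for dll, verdict in find_sideload_candidates(demo_root / "app", demo_root / "system32", watched=None):
        print(f"{dll}: {verdict}")
```

Run as a script it builds the throwaway layout and reports the planted avicap32.dll as shadowing the system copy while the benign version.dll duplicate is reported as identical. In practice you would point `find_sideload_candidates` at the real application folder and the Windows system directory, and pair the hash check with the article's other indicators: hidden and system attributes on the planted files and an unexpected autorun entry.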

Responsible for the backdoor’s malicious activity is an encrypted library hardcoded in the Trojan's body, which contains names of the servers from which instructions can be delivered. The Trojan can execute several commands on the infected machines and uses encryption when communicating with the server.

Doctor Web researchers say that the backdoor’s main functions are “to establish connection to the server (including authorization to it) and to redirect traffic from the server to the specified remote server via the infected computer.” This approach allows cybercriminals to remain anonymous on the Web when connecting to remote servers, because they can use infected computers as proxy servers.

TeamViewer has already published a statement on this issue, explaining that it is not a TeamViewer security breach, but a scenario in which a piece of malware abuses TeamViewer’s legitimate software. The real problem here is that, once it has infiltrated a computer, a malicious program allows perpetrators to virtually do anything.

"The perpetrators spread TeamViewer through a malware. This does not make TeamViewer a malware or vulnerable program. In fact, this procedure can be applied to any number of legitimate programs such as TeamViewer," the statement reads.

In February, CrowdStrike’s 2015 Global Threat Report revealed that TeamViewer malware has been used in cyber espionage operations. However, malicious programs intended solely for criminal purposes are abusing this legitimate application as well, including the Cherry Picker POS malware that was detailed in November last year.

*Updated to mention TeamViewer's statement.

Copyright 2010 Respective Author at Infosec Island

2016 SecurityWeek CISO Forum to Take Place on June 1-2 at Half Moon Bay
https://www.infosecisland.com/blogview/24765-2016-SecurityWeek-CISO-Forum-to-Take-Place-on-June-1-2-at-Half-Moon-Bay.html
Thu, 26 May 2016 12:15:00 -0500

SecurityWeek’s 2016 CISO Forum will take place on June 1-2, 2016 at the Ritz Carlton, Half Moon Bay.

This invitation-only, high level event will bring together security leaders to discuss, share and learn information security strategies in an intimate environment. 

“SecurityWeek’s CISO Forum was specifically designed to bring together senior level security executives in an intimate environment for the ultimate exchange of knowledge and insights,” said Mike Lennon, Managing Director at SecurityWeek. “Our invite only approach ensures an ideal mix of enterprise security leaders who can learn from each other and gain knowledge of strategies, tools and techniques to better defend their enterprises.”

Select sessions at the 2016 CISO Forum include:

  • The State of Endpoint Security
  • In-CISO-mnia - What Keeps Security Leaders up at Night?
  • Eliminating The Attack Surface Inside Data Centers & Clouds
  • Maximizing the Value of Threat Intelligence
  • Playing Cyberwar Games to Win 
  • Blockchain as an Enterprise Security and Compliance Tool
  • Using Machine Learning for Next Generation Cyber Defense
  • Reporting Security and Risk Management to the Board - Moderated by Gartner's Ash Ahuja

Interested enterprise cybersecurity and risk management professionals may request a complimentary invitation by visiting: http://www.cisoforum.com/

Following the 2016 CISO Forum, delegates will have the option to play in the 3rd Annual SecurityWeek Golf Classic, taking place on the afternoon of June 2nd at the Ocean Course at Half Moon Bay.

Sponsors for the 2016 CISO Forum include Illumio, SentinelOne, FireEye, Darktrace, Digital Shadows, SafeBreach, Vera, Cavirin and CA Technologies.


Avoiding Ransomware with Strong Endpoint Security
https://www.infosecisland.com/blogview/24764-Avoiding-Ransomware-with-Strong-Endpoint-Security.html
Thu, 26 May 2016 06:00:37 -0500

Ransomware attacks are growing in volume and sophistication—now not only damaging corporate data, but harming operations, reputations and finances as well. The FBI reported that it received over 900 complaints related to ransomware attacks, and the attacks ultimately resulted in more than $18 million in losses between April 2014 and June 2015.

By weaponizing encryption, ransomware attackers can debilitate basic operations and run up costs each day the organization isn’t able to do business. Organizations are often forced to quickly pay ransoms to get basic operations running again. Hollywood Presbyterian Medical Center made headlines back in February when the organization was forced to pay $17 thousand in Bitcoin to recover data that was encrypted during a ransomware attack. Paying the ransom was the fastest way for the medical center to restore administrative functions.

Victims of ransomware attacks can pay the ransom and hope that law enforcement will catch the attackers, but lately, police departments have also been targeted. Last year, a police department in Massachusetts fell victim to CryptoLocker, a well-known ransomware virus that was able to encrypt essential files. The police department had to pay the $500 ransom to recover their files, even after the FBI spent four days trying to help.

As ransomware becomes the latest epidemic in the cybersecurity space, a new report (PDF) from the Institute for Critical Infrastructure Technology (ICIT) notes that poor endpoint security practices are to blame for the rise in successful attacks. The report says that ransomware typically enters systems through vulnerabilities in the host operating system, with the exploit code that installs the ransomware delivered via malicious email attachments and drive-by downloads.

High-value vulnerable endpoints that exist within the enterprise include servers, personal computers, and mobile devices. Servers are highly targeted by attackers, since they are essential to keeping business operations running. Personal computers and mobile devices with poor endpoint security pose a threat to organizations with BYOD policies because an infected personal device can infect an entire corporate network. Unlike other types of malware, ransomware relies on user interaction to be successful.

The first line of defense against ransomware attacks is end users, but uneducated end users can leave networks vulnerable to ransomware attacks. Organizations can spend time educating their employees about how ransomware is executed, and how attackers typically target employees. Because ransomware can be leveraged through malicious code sent via email, employees should know to only open email attachments from trusted sources.

IT security teams can also blacklist untrustworthy email servers and website domains as an added precaution, but this isn’t enough to protect from ransomware. Back in March, ads on trusted news websites like the BBC and the New York Times were hijacked by malware campaigns that tried to install ransomware onto user computers. Because even trusted websites aren’t entirely trustworthy, security teams should regularly monitor networks for suspicious activity. Continuous monitoring can help organizations catch ransomware before it’s executed and causes damage.

Another way organizations can protect their data from ransomware attacks is by regularly making backups. Large corporations should have no trouble dedicating time and resources to creating data backups, but this task can be difficult for smaller enterprises. Smaller organizations lacking time, resources, and technical knowledge can choose to use a third-party cloud service to store their data. Unfortunately, cloud service providers aren’t immune to ransomware attacks, and are often targeted because they store troves of data, and their business model is dependent on providing subscribers uninterrupted access to that data.

Some organizations opt to get the best of both worlds by adopting a hybrid cloud environment, where data is stored on private and public cloud services. Because the public and private cloud infrastructures function independently of each other, a ransomware attack on one isn’t likely to affect the other.

To best defend against ransomware, users must ensure that their machines remain up to date with the latest patches and security updates. If you fall victim to ransomware, you will either have to pay to get your files unlocked or lose them forever. Don’t fall victim to these thieves: back up your files every day in case you have to restore the machine.

Ransomware attacks threaten all systems that are connected to the Internet, which makes it increasingly harder for organizations to not invest in good endpoint security practices. Left unaddressed, ransomware can rapidly spread to endpoints across the enterprise. Good endpoint security practices are essential to keeping ransomware from compromising critical information and potentially risking long-term damage to an organization’s brand.

About the author: Dean Dyche is World Wide Senior Director of Sales Engineering at Promisec, a pioneer in endpoint detection and response, and a leader in the Endpoint Detection and Response (EDR) market defined by Gartner. Promisec’s patented, agentless technology assures users that their endpoints are secure, audits are clean, regulations are met and vulnerabilities are addressed proactively to ensure the integrity of enterprise IT. 


Making the Most of User Entity Behavior Analytics: Expectations, Features and Best Practices
https://www.infosecisland.com/blogview/24763-Making-the-Most-of-User-Entity-Behavior-Analytics-Expectations-Features-and-Best-Practices.html
Tue, 24 May 2016 05:43:06 -0500

User Entity Behavior Analytics (UEBA) has recently emerged as an advanced approach to detecting cyber threats. UEBA solutions leverage machine learning to surface threats and, in many instances, do so much faster than legacy SIEMs or other solutions can. They zero in on anomalous events with great accuracy.

If this description reminds you of other analytics tools, that’s no coincidence. User behavior analytics has materialized as a security-specific application of the same basic principles involved in all smart business analytics.

How does it work? What should I expect from UEBA?

First, UEBA solutions collect information emerging from many nodes in the network. The best solutions will collect data from network devices, systems, applications, databases and users. Using this data, they then create a baseline to determine what normal means under different conditions.

Once the baseline is established, UEBA solutions continue to aggregate data, looking for patterns that are deemed not normal. These determinations assess just how, and how much, a new event is unusual in context, and prioritize the event’s significance and possible business impact. Administrators can typically also create custom rules to tailor the solution more closely to the organization and its unique services, data, and processes.
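The baseline-then-score loop just described, as an added example rather than any vendor's code: fourteen days of constructed login records per user give a per-user baseline (usual login hours, mean and standard deviation of daily host count and outbound volume), and new events are scored by how far they sit above that baseline and ranked for the analyst. The model is deliberately the simplest one that shows the idea; the users, thresholds and point values are assumptions.

```python
"""Baseline, then score deviation: the core loop UEBA tools run.

Added example, not any vendor's code.  The login records are constructed,
and the model is deliberately the simplest one that still shows the idea
from the text above: learn each user's normal from a window of history,
then rank new events by how far they sit from that user's own baseline.
Products layer far richer models on top of this.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    day: int        # day index inside the observation window (constructed)
    hour: int       # hour of day of the first login
    hosts: int      # distinct hosts the account touched that day
    mb_out: float   # megabytes the account sent outbound that day


# Fourteen days of routine activity for two users (constructed).
TRAINING = [Event("alice", d, 8 + d % 2, 2 + d % 2, 10.0 + d % 3) for d in range(14)]
TRAINING += [Event("bob", d, 9, 5 + d % 3, 40.0 + 5 * (d % 2)) for d in range(14)]


def build_baseline(events):
    """Per-user baseline: the login hours seen, plus mean and population
    standard deviation of daily host count and outbound volume."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baseline = {}
    for user, evs in by_user.items():
        hosts = [e.hosts for e in evs]
        mb = [e.mb_out for e in evs]
        baseline[user] = {
            "hours": {e.hour for e in evs},
            "hosts": (mean(hosts), pstdev(hosts)),
            "mb_out": (mean(mb), pstdev(mb)),
        }
    return baseline


def upward_z(value, stats):
    """How many standard deviations *above* the baseline a value sits.
    A flat baseline (sd == 0) makes any increase maximally surprising;
    decreases are not treated as anomalies here."""
    mu, sd = stats
    if value <= mu:
        return 0.0
    return float("inf") if sd == 0 else (value - mu) / sd


def score_event(e, baseline, z_cut=3.0):
    """Return (score, reasons).  Each dimension beyond z_cut adds up to 10
    points; a login hour never seen for the user adds 2.  Accounts with
    no baseline at all are scored high so an analyst looks at them."""
    b = baseline.get(e.user)
    if b is None:
        return 10.0, ["no baseline for user"]
    score, reasons = 0.0, []
    for label, value, key in (("host count", e.hosts, "hosts"), ("outbound volume", e.mb_out, "mb_out")):
        z = upward_z(value, b[key])
        if z > z_cut:
            score += min(z, 10.0)
            reasons.append(f"{label} z={z:.1f}")
    if e.hour not in b["hours"]:
        score += 2.0
        reasons.append(f"first login at {e.hour:02d}:00, never seen in baseline")
    return round(score, 2), reasons


def prioritize(events, baseline):
    """Rank new events highest-score first, the view a UEBA dashboard shows."""
    scored = [(score_event(e, baseline), e) for e in events]
    return sorted(scored, key=lambda item: item[0][0], reverse=True)


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    new_day = [
        Event("alice", 14, 8, 3, 11.0),      # routine
        Event("alice", 15, 3, 40, 900.0),    # 3 a.m. login, 40 hosts, 900 MB out
        Event("bob", 14, 9, 6, 45.0),        # routine
        Event("mallory", 14, 9, 1, 5.0),     # account with no history
    ]
    for (score, reasons), e in prioritize(new_day, base):
        print(f"{score:5.1f}  {e.user:8s} {'; '.join(reasons) or 'within baseline'}")
```

The point of the `upward_z` helper is the article's distinction between learned baselines and fixed thresholds: nothing here says "more than 20 hosts is bad"; what counts as unusual is derived per user from that user's own history, which is why the same 40-host day would be scored very differently for an administrator whose baseline already contains such days.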

One important principle to understand is that UEBA addresses anomalous behavior much more than infrastructure events in general. This focused approach helps address some of the most puzzling issues organizations face today:

  • Determining when a valid privileged account has been compromised
  • Surfacing insider threats
  • Determining when a system or application has been compromised

Key Features of UEBA: What to Look for in Vendor Solutions

Many vendors have begun claiming UEBA capabilities in their products, and there is a small but growing number of what I call true UEBA providers. These vendors' products all function in a similar way. Essentially, they are all built on a platform with a core engine running proprietary analytics algorithms that take in data feeds from existing sources and analyze the data. The tools then display their findings in a user dashboard. The goal is to provide information security and IT professionals with actionable information to address the threats.

At present, most of these tools don't actively respond to threats themselves, but merely provide security operators with the insight to determine whether action should be taken and the ability to orchestrate such action. Platforms available today will likely continue on a path to integrate with firewalls, endpoints, and other network nodes to enable automated response within the next year.

Security analytics algorithms are the "secret sauce" that drive these platforms. When assessing UEBA platforms, security professionals should ask for details of how these algorithms work. Many vendors will claim that this is their intellectual property. However, if the vendor has an insider threat model, ask whether the model is based on specific events and/or flow messages, such as logins and data access from devices, applications and hosts, with set thresholds. If it is, this likely isn’t machine learning but pre-configured correlation rules. This is an easy way to determine whether the vendor is just marketing machine learning or actually has machine learning in its solution. Other important differentiators between UEBA products include the following:

  • Supported data sources – These are the types of data the tool integrates with, including the supported formats (CSV, Excel, databases, etc.) and types of log files (from hosts, applications, routers, firewalls, VPNs, file systems, and even big data solutions such as Hadoop). Ask whether these are built-in, pre-existing integrations or require professional services to build. Seek to understand whether the UEBA solution only collects basic event and flow data or goes beyond it to capture more detail. If the former, critical user, system, and application data may be left behind, because logs and flow records don’t always contain all the activity. Lastly, consider whether these data sources can be configured directly from the platform’s user interface.
  • Partnerships – The breadth of a vendor’s partnerships is a measure of how credible the tool is and how well it integrates with other products.
  • The time it takes to establish a baseline – This relates to whether the tool establishes the baseline in an entirely automated and dynamic fashion, or requires manual input from a user to tune and tweak it. Some platforms make determinations based on just a few days of historical records; others can take weeks to about a month. Experience tells us that longer records tend to provide far more accurate baselines, because they can take into consideration seasonal variations, such as the end-of-quarter close or another big event. However, some platforms have much more compute capacity available for running multiple advanced algorithms, which can do a better job at dynamic learning and surface threats more accurately.
  • Time to results (TTR) – How quickly after initial integration the solution begins to produce actionable threat results. There is no obvious metric here; a clear definition of results is delivering previously unknown insights around abnormal behavior following the initial configuration and establishment of a baseline. Furthermore, some solutions claim they can do this in real time; be sure to ask the vendor to define metrics around such claims, and whether they provide a means to test them.
  • Dashboard flexibility – Understand whether the UEBA platform was designed with the assumption that the dashboard operator would be a security analyst or manager, or a less sophisticated user. Many UEBA tools can be customized to provide detailed or executive-level reporting.
  • Platform delivery – Understand how the platform is delivered. Most vendors offer an on-premises version of the product (either software-only or an appliance), and most also offer a cloud-based version. One major challenge with cloud products is that UEBA platforms require close integration with many data sources that companies consider proprietary or sensitive (e.g., financial data feeds, HR systems, medical records), and companies don’t wish to expose this data to the cloud. The exception is when the UEBA vendor secures that data over an encrypted channel from the cloud to the premises. In the next few years sensitive data will increasingly move to the cloud, so cloud-based delivery of UEBA is likely to become a more popular option for enterprises.

UEBA Best Practices: How to obtain optimal results

Basic best practices to get optimal results from your UEBA tools include:

  • Take both external and internal threats into account when choosing a UEBA solution.
  • Look for solutions that feature analytical strengths in areas important to your organization, such as insider threat and compromised credentials. Choose a solution that fully surfaces the threat, such as an insider taking intellectual property and emailing it out using their Hotmail or Gmail account. Many UEBA platforms lack this basic ability.
  • Consider carefully which team members have access and who gets alerted.
  • Don’t assume standard accounts are harmless. Many attacks create a cascade effect, compromising assets in sequence to arrive finally at the control of a privileged account or escalation from an account without privileges.

UEBA platforms are very promising. In the near future, expect to see user behavior analytics platforms integrate more directly with infrastructure and with automated response. We are already seeing this with firewalls and other network devices that can be configured to take user behavior analytics-derived insight and create new traffic rules immediately, shutting down invasive threats long before human talent would even notice they’re there.

About the author: Brian Soldato is Director of Product Management for Seceon. A 17-year security technology veteran, Brian is responsible for driving Seceon’s product vision and strategy. Prior to Seceon, Brian led product management for various SIEM solutions, including Intel Security’s SIEM product line.


“EITest” Exploit Kit Redirection Campaign Running Strong
https://www.infosecisland.com/blogview/24762-EITest-Exploit-Kit-Redirection-Campaign-Running-Strong.html
Sun, 22 May 2016 20:39:00 -0500

A long-lasting website infection campaign meant to redirect users to exploit kits (EKs) such as Angler and Neutrino continues to run strong roughly a year and a half after it was originally discovered.

Dubbed “EITest” because of a variable consistently found in injected code across infected websites, the infection campaign was initially described in October 2014, but continued to affect websites in 2015 as well. As it turns out, the campaign is still ongoing, with numerous websites still getting hacked and injected with code that redirects users to exploit kits.

In 2014, Malwarebytes explained that compromised websites were essentially injected with code for a Flash application that also packed a series of parameters to make it invisible to the user. The EITest variable was present in the code, hence the campaign’s name, and visiting IP addresses were flagged so that the redirection would occur only during the initial visit, thus making the website infection more difficult to detect.

In March this year, Rackspace security researcher Brad Duncan revealed that the campaign’s patterns for injected script remained almost unchanged, but that the URLs and variable names had changed over time. Today, the researcher says that, earlier this month, the EITest campaign also switched to redirecting users to the Neutrino EK. Usually the campaign uses Angler, but Neutrino is also used from time to time, it seems.

According to Duncan, the EITest campaign has been using 85.93.0.0/24 for a gate between the compromised website and the EK ever since the beginning of this year. The TLD for these gate domains is either .tk or .co.uk, the latter emerging mainly this week.

The researcher was able to generate two full infection chains from the same compromised website, both pertaining to the EITest campaign: one redirected to Neutrino, which downloaded the Gootkit malware, while the other used Angler and dropped a 24 KB executable (which hasn’t been analyzed yet) as the payload.

The EITest gate observed in this particular case was true.imwright.co.uk, with the Neutrino EK hosted on ndczaqefc.anein.top, while the Angler EK was served from kmgb0.yle6to.top. The two infection chains occurred within 11 minutes of each other, the researcher says.

Duncan also explains that the test machine was running Adobe Flash Player 20.0.0.306, which is vulnerable to CVE-2016-1019, and that both Angler and Neutrino EK pack exploits for this vulnerability. As with other EK infections, the malicious payload is dropped in the background while the user continues to browse the web, even if they access only legitimate websites (which have, however, been compromised).
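Applying the indicators reported above to proxy logs, as an added example (not Brad Duncan's or Rackspace's code): a gate request is one whose destination falls in 85.93.0.0/24 and whose host ends in .tk or .co.uk, and the same client's requests in the following minute and a half are gathered as the chain. The log format, client addresses, compromised-site name, follow-up window and the gate's specific address inside the /24 are constructed; the gate and EK host names are the ones the article reports.

```python
"""Reconstruct exploit-kit redirect chains from web proxy logs.

Added example, not Brad Duncan's or Rackspace's code.  It applies the
indicators the article gives for the EITest campaign (gate hosts under
.tk or .co.uk resolving into 85.93.0.0/24, then an EK landing host) to a
handful of constructed proxy log lines.  The log format, the client
addresses, the compromised-site name and the gate's specific address
inside the /24 are all made up for the demo; the gate and EK host names
are the ones reported in the article.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

GATE_NET = ipaddress.ip_network("85.93.0.0/24")   # per the article
GATE_SUFFIXES = (".tk", ".co.uk")                 # per the article
CHAIN_WINDOW = timedelta(seconds=90)              # assumed follow-up window

# Constructed log: "timestamp client method host dest_ip path referer"
SAMPLE_LOG = """\
2016-05-20T14:02:10 10.0.0.7 GET compromised-blog.example 203.0.113.10 /2016/05/post.html -
2016-05-20T14:02:11 10.0.0.7 GET true.imwright.co.uk 85.93.0.44 /?4b2a compromised-blog.example
2016-05-20T14:02:13 10.0.0.7 GET ndczaqefc.anein.top 198.51.100.9 /landing/ true.imwright.co.uk
2016-05-20T14:02:15 10.0.0.7 GET ndczaqefc.anein.top 198.51.100.9 /swf/a.swf ndczaqefc.anein.top
2016-05-20T14:02:19 10.0.0.7 GET ndczaqefc.anein.top 198.51.100.9 /bin/1 ndczaqefc.anein.top
2016-05-20T14:05:00 10.0.0.9 GET news.example.co.uk 203.0.113.20 /sport -
2016-05-20T14:06:30 10.0.0.7 GET intranet.example 10.0.5.5 /home -
"""


def parse(lines):
    """Turn raw lines into dicts; skip blanks and malformed rows."""
    records = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, client, method, host, dest_ip, path, referer = parts
        records.append({
            "ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host.lower(), "dest_ip": ipaddress.ip_address(dest_ip),
            "path": path, "referer": referer.lower(),
        })
    return records


def is_gate_request(rec):
    """Both indicators must hold: a .tk/.co.uk host alone is not enough."""
    return rec["dest_ip"] in GATE_NET and rec["host"].endswith(GATE_SUFFIXES)


def reconstruct_chains(lines, window=CHAIN_WINDOW):
    """For every gate hit, gather the same client's requests in the
    following window.  Returns one dict per chain with the referring
    (compromised) site, the gate, and the hosts contacted afterwards."""
    by_client = defaultdict(list)
    for rec in parse(lines):
        by_client[rec["client"]].append(rec)
    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not is_gate_request(rec):
                continue
            follow = [r for r in recs[i + 1:] if r["ts"] - rec["ts"] <= window]
            chains.append({
                "client": client,
                "compromised_site": rec["referer"],
                "gate": rec["host"],
                "gate_ip": str(rec["dest_ip"]),
                "followup_hosts": sorted({r["host"] for r in follow}),
                "followup_paths": [r["path"] for r in follow],
            })
    return chains


if __name__ == "__main__":
    for chain in reconstruct_chains(SAMPLE_LOG):
        print(f"{chain['client']}: {chain['compromised_site']} -> {chain['gate']} "
              f"({chain['gate_ip']}) -> {', '.join(chain['followup_hosts'])}")
```

The referer on the gate request is what names the compromised site, which is the piece a web team actually needs to act on; the legitimate .co.uk news request from the other client is not flagged because its destination is outside the gate network, and the same client's later intranet request falls outside the window and so is kept out of the chain.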

Cybercriminals have long been hacking websites and abusing them in EK attacks, but users can stay protected by keeping their applications updated at all times and making sure that they have the latest patches for their Windows operating system installed. An up-to-date anti-virus program would also help ensure that computers are not infected when running across such campaigns.

Related: EC Council Website Hacked to Serve Angler Exploit Kit

Related: Exploit Kits Leverage Vulnerability One Week After Patch

Related: Exploit Kits Mutate, Increase Activity: Report


Baiting the Phishermen: When Companies Strike Back at Scammers (Do Not Try This at Home)
https://www.infosecisland.com/blogview/24761-Baiting-the-Phishermen-When-Companies-Strike-Back-at-Scammers-Do-Not-Try-This-at-Home.html
Mon, 16 May 2016 05:02:10 -0500

Dangerous computer hackers and internet scams do not always have to be complicated. With a simple ‘typo’ in a domain name, hackers can impersonate senior executives while attempting to trick employees into transferring money. This scam is a type of phishing known as whaling or business e-mail compromise (BEC). The scammer researches employees who manage money, then uses language from the company to target organizations that commonly work with foreign suppliers, or companies that regularly perform wire transfer payments. While the process is not complex, it has been effective for cybercriminals.

The Federal Bureau of Investigation stated that whaling cost companies more than $2.3 billion in losses over the past three years. Since January 2015, the FBI has seen a 270% increase in identified victims and exposed loss. The problem has gone global, with law enforcement receiving complaints from victims in every U.S. state and in at least 79 countries.

Employees need to be reminded to pay attention to the details in emails, especially those asking for money. Hackers use tricks in the details of email URLs, for example turning ‘i’s into ‘1’s and ‘l’s. If your employees receive an email like this, they should immediately get in touch with your organization’s security team to ensure the proper steps are put in motion. It is very likely that the scammer will try to extort money from more than one employee; acting fast will give your company a chance to turn the predator into the prey.

Security companies are not immune to such attacks, and our most recent attack serves as an example of what to do. The hackers did their research: they had my name and used it in an attempt to steal money from our company, Centripetal Networks. Luckily, as a threat intelligence company, our employees can quickly spot a phishing campaign. We not only took the steps necessary to protect ourselves, we took the opportunity to turn the tables on the scammer and see where it led.

On Monday, April 11th, a Centripetal Networks salesperson received an email claiming to be from CEO Steven Rogers requesting an immediate wire transfer in the amount of $32,780. The email originated from a similar domain with one spelling change, centripatalnetworks.com. At a quick glance it is hardly noticeable, and the email looks like I sent it. Thanks to our salesperson’s keen eye, he knew it was not me and instead forwarded it to our security team for analysis.
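An added example of the lookalike-domain check a mail gateway or security team can apply to senders (not Centripetal Networks' code): it folds look-alike characters such as the i/1/l swaps mentioned above into one canonical form and measures edit distance against the organization's own domains, so centripatalnetworks.com is flagged as one letter away from centripetalnetworks.com. The trusted-domain list and sample addresses are constructed, and the character swaps beyond i/1/l are assumptions.

```python
"""Flag lookalike sender domains of the kind used in whaling / BEC.

Added example, not Centripetal Networks' code.  It checks an inbound
sender's domain against the organisation's own domains two ways: after
folding characters that read alike into one canonical form (the i/1/l
confusion the article mentions), and by edit distance, so one-letter
typos such as the centripatalnetworks.com example are caught.  The
trusted-domain list and the sample addresses are constructed.
"""

# Characters that read alike at a glance.  The i/1/l confusion is the one
# the article mentions; the other entries are assumed additions.
HOMOGLYPHS = {"1": "i", "l": "i", "|": "i", "0": "o", "3": "e", "5": "s"}
MULTI_CHAR = (("rn", "m"), ("vv", "w"))  # assumed two-for-one swaps


def fold(domain: str) -> str:
    """Map a domain to a canonical form in which look-alikes collapse."""
    d = domain.lower().strip(".")
    for seq, repl in MULTI_CHAR:
        d = d.replace(seq, repl)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in d)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains, max_distance=2):
    """Return 'trusted', 'homoglyph-lookalike', 'typo-lookalike' or
    'unrelated' for the domain part of an e-mail address.

    Exact matches are trusted.  A domain that becomes identical to a
    trusted one after folding is a homoglyph lookalike; one within
    max_distance edits of a trusted domain (after folding) is a typo
    lookalike.  Anything else is simply a different domain.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    folded = fold(domain)
    folded_trusted = {fold(t) for t in trusted}
    if folded in folded_trusted:
        return "homoglyph-lookalike"
    if any(edit_distance(folded, t) <= max_distance for t in folded_trusted):
        return "typo-lookalike"
    return "unrelated"


if __name__ == "__main__":
    trusted = ["centripetalnetworks.com"]          # the company's own domain
    samples = [                                    # constructed addresses
        "ceo@centripetalnetworks.com",
        "ceo@centripatalnetworks.com",             # the typo from the article
        "ceo@centr1petalnetworks.com",
        "ceo@centripetalnetvvorks.com",
        "newsletter@example.org",
    ]
    for addr in samples:
        print(f"{addr:40s} {classify_sender(addr, trusted)}")
```

A verdict other than "trusted" or "unrelated" is the signal to hold or flag the message for exactly the review step the article describes: the recipient forwards it to the security team rather than acting on it. The folding step runs before the distance check so that a domain built only from character swaps is reported as a homoglyph rather than hidden inside the edit-distance budget.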

After ensuring the company network was safe and employees were aware of the attack, the security team planned to get to the root of the problem. Our security team alerted the Secret Service and then proceeded to engage the attackers in several email exchanges, gathering key information about the plan such as bank routing and account numbers, several user locations including Malaysia and Nigeria, and the name of an individual who was to receive the funds in Texas.

Of course, once engaged, our security team also set out to take down the operation that owned the misspelled domain name. What we found in doing this was a list of 77 other misspelled domains that the attackers had also commandeered.

It is never too late to remind employees about phishing emails and where to route suspicious finds. 

Steven Rogers, CEO of Centripetal Networks


Cloudflare vs Tor: Is IP Blocking Causing More Harm than Good?
https://www.infosecisland.com/blogview/24759-Cloudflare-vs-Tor-Is-IP-Blocking-Causing-More-Harm-than-Good.html
Tue, 10 May 2016 13:05:48 -0500

To some, the Tor network is a haven for threat actors, as well as a platform for launching web-based attacks. Tor is an anonymous network designed for those who seek anonymity while browsing. It was conceived as a way for political dissidents and marginalized members of society, living under oppressive regimes, to use the Internet without fear of government surveillance and reprisal.

Today CloudFlare is under fire for blacklisting Tor exit node IP addresses. Blocking them prevents site access by Tor users, who tend to be from developing and third world nations. CloudFlare is drawing accusations of discrimination because of its wholesale action.

Here is a diagram showing how clients reach web servers over Tor:

[Diagram: clients reaching web servers over Tor; image not included in this text version.]

CloudFlare has an aggressive Tor IP blacklisting agenda, going so far as to publish data claiming that 94% of Tor traffic is malicious (mostly automated attacks). The company’s blog reads:

“Like all IP addresses that connect to our network, we check the requests that they make and assign a threat score to the IP. Unfortunately, since such a high percentage of requests that are coming from the Tor network are malicious, the IPs of the Tor exit nodes often have a very high threat score.”

The problem is that CloudFlare’s data isn’t representative of Tor traffic. Rather, it’s based on the percentage of observed exit nodes that spread malicious traffic. It’s guilt by association.

The Tor Project blog refutes CloudFlare’s claims. “The underlying issue is CloudFlare's design assumption that an IP address represents a single user. Yet there may be millions of users behind a handful of IP addresses.”

Are all Tor users bad?

CloudFlare argues that Tor is overrun with spammers and various threat actors. Tor has also been vilified for enabling various underground, or dark web, activities. It has hosted the infamous Silk Road, as well as sites that distribute pirated content, credit card swapping (carding) forums, and other forms of illicit activity.

The Tor Project points out that its network is also used by human rights defenders, diplomats, government officials, and people of all walks wanting to browse the Internet free of surveillance, thus ensuring their privacy.

In the post-Snowden world, even Americans have turned to anonymous browsing options like Tor. A Pew Research Center study reveals that roughly 9% have adopted sophisticated measures, such as using Tor, to shield their interaction with the Internet.

What does the data say?

In blocking all Tor traffic, CloudFlare is painting with too broad a brush, according to our data. Collected from our customer base, it's a sampling of almost 10,000 IPs and over 40 million page requests over a two week period.

We found that Tor node requests are malicious 48% of the time. (True, this was a higher rate of malicious requests as compared to other proxy networks, those equating to 38%.) So by keeping out Tor users, CloudFlare is blocking legitimate users about half the time.


The problem with IP blocking

All organizations use IP blocking in some form. IP blacklists are a staple in the security world, appearing in firewalls, intrusion prevention systems, web application firewalls, fraud prevention, bot mitigation, and more. It’s where many organizations start their security efforts.

The problem is that attackers aren’t dependent on single IPs to carry out attacks. Our 2016 Bad Bot Landscape Report shows that 70% of automated attacks in 2015 used multiple IPs, and 20% of automated attacks used over 100 IPs.

Marty Boos, StubHub’s Director of Technology Operations, explains in his video testimonial, “It takes a matter of seconds, once we block someone on an IP basis, for them to move somewhere else. We found people going from 10k hits for one IP to 2 hits from 10k IPs per hour.”
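To make the point concrete, here is an added example (not Distil's or StubHub's code) that runs a per-IP threshold and a behaviour-based grouping over a constructed access log: thirty ordinary visitors, plus a scraper spread over 200 addresses making two requests each, the pattern the StubHub quote describes. The log lines, IP ranges, user-agents and thresholds are all constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def path_template(path):
    # Collapse numeric and long-hex segments so /events/1001/tickets and /events/2340/tickets compare equal.
    return re.sub(r'/(\d+|[0-9a-f]{8,})(?=/|$)', '/{id}', path.split('?', 1)[0])

def per_ip_offenders(records, threshold):
    # The classic control: count requests per source IP and flag anything above the threshold.
    hits = Counter(r['ip'] for r in records)
    return {ip: n for ip, n in hits.items() if n > threshold}

def campaign_signatures(records, min_ips):
    # Group by behaviour instead: the same user-agent hitting the same path template from many distinct IPs.
    ips, reqs = defaultdict(set), Counter()
    for r in records:
        sig = (r['ua'], path_template(r['path']))
        ips[sig].add(r['ip'])
        reqs[sig] += 1
    return {sig: (len(ips[sig]), reqs[sig]) for sig in ips if len(ips[sig]) >= min_ips}

def constructed_logs():
    # Constructed sample traffic (not real data). Ordinary visitors: 30 IPs, 1 to 3 requests each, mixed browsers.
    # Scraper: 200 IPs, 2 requests each, one scripted user-agent, walking the event catalogue.
    ts = "10/May/2016:13:05:00 -0500"
    browsers = ["Mozilla/5.0 (Windows NT 10.0) Firefox/46.0",
                "Mozilla/5.0 (Macintosh) Safari/601.6",
                "Mozilla/5.0 (X11; Linux) Chrome/50.0"]
    lines = []
    for i in range(30):
        for j in range(i % 3 + 1):
            lines.append(f'198.51.100.{i} - - [{ts}] "GET /events/{1000 + i}/tickets?seat={j} HTTP/1.1" '
                         f'200 5120 "https://example.org/" "{browsers[i % 3]}"')
    for i in range(200):
        for j in range(2):
            lines.append(f'203.0.113.{i} - - [{ts}] "GET /events/{2000 + 2 * i + j}/tickets HTTP/1.1" '
                         f'200 5120 "-" "python-requests/2.9.1"')
    return lines

def analyse(threshold=10, min_ips=50):
    # Returns (per-IP offenders, behavioural signatures) for the constructed traffic.
    records = [r for r in map(parse_line, constructed_logs()) if r]
    return per_ip_offenders(records, threshold), campaign_signatures(records, min_ips)
```

The per-IP rule never fires, because no single address exceeds ten requests, while grouping by user-agent and path template surfaces one signature with 200 distinct source addresses and 400 requests. Keying on behaviour rather than address is what survives IP rotation; the user-agent and path pattern are of course forgeable too, so in practice such signatures feed a risk score rather than a hard block.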

This was cross-posted from the Distil Networks blog.

Copyright 2010 Respective Author at Infosec Island
Malvertising Hits Top Celebrity News Site
https://www.infosecisland.com/blogview/24760-Malvertising-Hits-Top-Celebrity-News-Site.html
Tue, 10 May 2016 13:05:00 -0500

Malvertising, the malicious activity that involves spreading malware via online advertising, has been trending up over the past few years, and 2016 might become a record-breaking year for it, Cyphort Labs researchers suggest.

Based on the pace at which unique domains used in malvertising have been found since the beginning of the year, Cyphort Labs estimates that 2016 will top 2100 unique domains, more than double compared to 2014. The growing trend was observed last year as well, when the number of unique domains used in malvertising and tracked by the security company reached 1654.

Because millions of users trust high-traffic, clean sites, malvertisers increasingly target them: they promise wider reach and a higher infection rate. Last year, malvertising campaigns were observed hitting the Yahoo! advertising network, as well as well-trafficked sites from around the world, including eBay, Answers.com, and TalkTalk.

Earlier this year, security companies noticed that top global sites were hit in a malvertising campaign leveraging the Angler exploit kit (EK), including msn.com, nytimes.com, bbc.com, aol.com, nfl.com, and others. Now, Cyphort researchers reveal that perezhilton.com, which has around half a million daily users, was the most recent target of a malvertising attack.

The Cyphort researchers first noticed that the site was redirecting users to the Angler EK on April 30, 2016, and that the CryptXXX ransomware was being installed on the victim’s machines following the attack. The rogue advertiser in this campaign was som.barkisdesign.com, also used in another operation targeting visitors of KMOV and WBTV, two CBS affiliated TV stations.

In that attack, detailed by Malwarebytes last week, attackers were abusing the Taggify self-serve ad platform, while also hijacking GoDaddy accounts to create various subdomains pointing to malicious servers. While the main malvertising domain was parked, the subdomain was hosting an ad banner that would redirect users to Angler.

The som.barkisdesign.com redirector was used against other popular websites in early May as well, Cyphort says. Furthermore, perezhilton.com was targeted again on May 6. The second time, however, attackers used the ox-d.blogads.servedbyopenx.com and adserver.adtechus.com redirectors, and were abusing the Amazon CloudFront CDN to distribute a different exploit kit.

“Malvertising continues to be one of the preferred vectors for attackers to compromise users’ machines with malware. Many users fought back by disabling all advertising to secure themselves. Nearly 200 million now use Adblock, according to Statista. In 2015, this form of ad blocking cost publishers nearly $22 Billion dollars,” researchers say.

In September last year, even Forbes was hit by a malvertising campaign launched through a third-party advertising service. According to FireEye researchers, Forbes.com might have redirected its visitors to Angler and Neutrino EKs between September 8 and September 15.

Related: Malvertising Campaign Abuses Baidu Ad API

Threat Hunting is the New Black in Security: Report
https://www.infosecisland.com/blogview/24758-Threat-Hunting-is-the-New-Black-in-Security-Report.html
Mon, 09 May 2016 18:53:01 -0500

Allowing organizations to identify and mitigate threats on their networks as early as possible, threat hunting is a new trend in enterprise security, recently released SANS Institute research reveals.

Commissioned by DomainTools, the survey revealed that almost 86 percent of organizations are involved in threat hunting, and they find real value in this emerging area. Of the 494 participants to the survey, 74 percent said that threat hunting helped them reduce attack surfaces.

According to the research, 52 percent of the respondents using threat hunting said that it helped them find previously undetected threats on their enterprise. Furthermore, 59 percent said that the use of this security technique has increased the speed and accuracy of their response.

However, although a large number of organizations are already using threat hunting, more than 40 percent of them don’t have a formal program in place, and the research suggests that companies are still figuring out what such a program should look like. At the moment, respondents rely on known indicators of compromise (IOCs), manual analysis, and on using existing tools and augmenting them with customizable utilities to perform threat hunting.

The survey reveals that 86 percent of organizations believe that anomalies are the biggest trigger driving threat hunting, while 41 percent say hypothesis is a trigger. Moreover, 51 percent of respondents say that threat hunting is also triggered by third-party sources, including threat intelligence.

In the context of traditional security solutions no longer effective at keeping enterprise networks safe, more and more companies are taking the threat hunting approach. According to the survey, 62 percent of respondents revealed plans to increase spending on threat hunting in the coming year, and over 42 percent admitted plans to increase spending by over 25 percent.

Being an emerging area, threat hunting has its shortcomings, and 88 percent of the survey’s respondents admitted that their programs in the segment need improvement. Additionally, 53 percent of respondents say that their hunting is visible to adversaries, while 56 percent said they are not happy with how long it takes them to hunt for threats.

While only 2.2 percent of respondents follow a formal, published, external methodology for threat hunting, 53 percent of organizations admit they perform ad hoc hunting. This means that most organizations don’t have clear metrics to track their overall success and don’t employ a documented process for hunting.

When deploying a threat hunting program, organizations should track their success based on three key indicators, namely dwell time, lateral movement, and reinfection. They should also update their process as soon as new threats are discovered, should use automated methods of hunting as much as possible, and should augment these methods with manual intelligence, the research reveals.

SANS Institute’s survey reveals that IP addresses, network artifacts and patterns, DNS activity, host artifacts and patterns, file monitoring, user behavior and analytics, and software baseline monitoring are the top 7 data sets that support threat hunting. Moreover, the report provides details on hunting methods that organizations should use to ensure the effectiveness of a threat hunting program and also discusses the purpose and benefits of threat hunting.

The survey received responses from organizations of different industries and sizes: 22 percent had 1,001 to 5,000 employees, 20 percent had more than 50,000 employees, 18 percent had 100 to 1,000 employees, 17 percent had 10,001 to 50,000 employees, and 12 percent had 5,001 to 10,000 employees and contractors.

“With cyberattacks increasing exponentially each year, it’s no surprise enterprises are attracted to Threat Hunting as a proactive multi-layered approach to discovering and mitigating cyber threats as early as possible. As the findings note, successful Threat Hunting isn’t necessarily about overhauling an existing cybersecurity program, it’s about using the third-party data and technologies that most organizations already possess in order to maximize the chances of proactively finding, attributing and eliminating an adversary before the damage is done,” Tim Chen, CEO of DomainTools, said.

Related: Microsoft Unveils Advanced Threat Protection Service

Related: Threat Intelligence: Putting the Horse Before the Cart

Cloud Security Can’t Be Ignored Anymore, Thanks to Millennials
https://www.infosecisland.com/blogview/24757-Cloud-Security-Cant-Be-Ignored-Anymore-Thanks-to-Millennials.html
Mon, 09 May 2016 04:57:21 -0500

Industries such as healthcare, IT services, education, and retail, where computing has not been traditionally at the core of the value proposition, understand that they must embrace cloud-computing solutions to reach and retain customers.

This trend is being driven by the consumer habits of millennials, the fastest growing consumer demographic in the world, which prefers the ease of accessibility, convenience and efficiency offered by the digital world. The Millennial Disruption Index points out, for example, that these millennial preferences are transforming banking. This is reflected in the rise of FinTech companies. The health industry too has embraced digitization in many forms including electronic health records (EHRs), home monitoring systems and wearables.

Unfortunately, the importance of security to protect cloud data has been somewhat ignored. Companies tend to underestimate risk and recovery costs after a cyber attack. Using ill-suited security solutions can hinder the productivity of a company's business-critical tasks. Additionally, cloud security still lacks global standards, which can hinder interoperability between private and public clouds.

The Cloud Stampede

Staying relevant and close to customers, especially millennials, in a rapidly changing marketplace is one of the biggest challenges for businesses today. Doing so means collecting massive amounts of data on consumer behavior and mining actionable insights that steer and optimize marketing strategies for different market segments. But big data analytics requires massive storage, network, and computing capacity with fluctuating demand; the capital expenditure to house that capacity in-house is enormous, and predicting peak demand well enough to provision for it is impractical. Cloud computing, on the other hand, offers that scalability while significantly reducing operational costs. The result has been a stampede of companies migrating to the cloud.

But the lack of solid, proven security mechanisms has led to an ever-increasing rate of data breaches. The average cost to remediate a data breach in 2015 was estimated at a whopping $3.8 million. Victim companies are also subjected to severe public censure, resulting in reputational damage, costly downtime before full recovery, and expensive lawsuits. Recent breaches, such as those at Target, Ashley Madison, Anthem and many others, serve as a wake-up call to companies that have been insouciant about cloud security. In fact, security moved to the number one spot on CIOs’ must-do lists in the recent survey conducted by the National Association of State Chief Information Officers (NASCIO).

Cloud Security, a major concern against Cloud Adoption

Data security and privacy are the preeminent concerns deterring businesses from migrating to the cloud. Storing data in the cloud means less visibility into how that data is managed, which presents several cloud-specific risks.

  • User access control: Compromised identities are the major threat vector in most data breaches to date. Managing access control is not as easy in the cloud as it is on premises, and cloud providers themselves may have some level of access to the data, which further exacerbates the risk.
  • Integrated security solutions: Cloud security has to be assembled from a host of solutions for different problems, such as data protection, identity management, malware detection, and antivirus. Integrating security across the service, from authentication to activity monitoring, is technically challenging, and not all cloud providers offer state-of-the-art integration.
  • Data separation: The very model of public cloud implies that storage and services are shared. Techniques such as encryption are necessary to prevent unauthorized access, and a cloud provider’s data separation controls may not be strong enough for sensitive data.
  • Compliance: Cloud security issues go beyond data protection. Cloud adoption must be weighed against regulatory and policy compliance. For instance, healthcare providers are bound by HIPAA regulations and financial service providers must comply with the Payment Card Industry Data Security Standard (PCI DSS). Without autonomous control over cloud data, generating reliable audit trails to demonstrate compliance can be challenging. Furthermore, cloud service providers may not offer Service Level Agreements (SLAs) that spell out their security measures.

How are organizations dealing with the challenges?

Lack of cloud security standardization has resulted in multiple solutions available in the market. Today, companies pick and choose solutions per their requirements and budgets at various stages of cloud migration. 

  1. Even before businesses migrate to the cloud, they need cloud security mechanisms because of the phenomenon called Shadow IT. With a plethora of IT service tools available through the cloud (for file sharing and collaboration), today’s tech-savvy employees circumvent the company’s traditional restrictions and, without its knowledge or approval, use SaaS and PaaS tools for convenience and efficiency. This makes business data hard to track and creates high security risk. Companies such as Skyhigh Networks, Netskope, and Bitglass sell cloud security tools that help track and protect business data despite Shadow IT. Companies can also protect business data by encrypting and tokenizing it at the business gateway using specialized tools from companies such as CipherCloud and Vaultive; crucially, the decryption keys stay on-premises within the business network. DocTrackr allows you to track crucial documents even after they have left the company network; access privileges can be set to the point that a document can even be “unshared”.
  2. In the process of moving to the cloud, one needs to design products with security baked in; security by design is much easier than patching for security after the product has been designed. Tools are available to understand current threat information so as to prepare against it from the get go. One can also detect coding vulnerabilities even before going live using tools from companies such as White Hat Security. 
  3. After moving to the cloud, the major threat vector — human elements/endpoints — needs to be protected in multiple ways. Identity management — not only for employees that access data on the backend but also for forward-facing elements such as partners and clients — is thus a crucial aspect. A host of companies, such as Okta, RSA, and Centrify offer solutions with desirable features such as single sign-on across multiple cloud products and services used by the company. Furthermore, one can even employ fine-grained access control with central privilege provisioning on a single dashboard with these tools. To further protect employees from social-engineering attacks, ProofPoint offers tools to detect, block, and respond to email and social-media based threats. 
  4. While storing and analyzing customer data on the cloud, one needs to employ security mechanisms to protect customers’ privacy even in case of data breaches. The idea is to keep the data encrypted not only at rest and transit, but also during computation. Microsoft’s SQL server and PARC’s Privacy-preserving Analytics (PPA) platform provide security to sensitive data on the cloud even when the data is being analyzed.

Thanks to the digital preferences of millennials, increased digitization and cloudification will drive demand for cloud security products and services. Ease of access and the other benefits of digitization, coupled with the greater confidence brought by innovation in and adoption of strong cloud-security defenses, will make the world a better place.

Steam Patches Crypto Code to Prevent Padding Oracle Attacks
https://www.infosecisland.com/blogview/24756-Steam-Patches-Crypto-Code-to-Prevent-Padding-Oracle-Attacks-.html
Tue, 03 May 2016 07:00:41 -0500

Steam recently patched security vulnerabilities in its system to prevent attackers from tapping into the data transmitted between a local client and the Steam network to view plain-text passwords or take over accounts.

Although Steam uses encryption to keep sessions and user data secure, it didn’t employ a Message Authentication Code (MAC) to provide authenticity, and the connection between the client and Steam was susceptible to a padding oracle attack, a researcher found. He was thus able to modify network traffic between the client and Steam, compromise the user session and take over the account.

Nathaniel Theis, who goes by the name XMPPwocky, explains that, in older versions of Steam, an attacker observing a client connecting to Steam could decrypt the captured traffic using these techniques. That would allow bad actors to view plain-text passwords, bypass SteamGuard, and take over the account, the researcher says.

Steam uses AES-256-CBC to encrypt its network connection. The AES session key is generated securely on the client, encrypted with RSA-1024 under a hardcoded public key, and sent to Steam, but no MAC is applied to the encrypted traffic. An attacker who modifies ciphertext in transit therefore cannot be detected: the Steam encryption was completely unauthenticated.

The researcher notes that the lack of authentication is a vulnerability on its own, but that exploiting it for meaningful gain would be hard, especially since HTTPS is used for much of the data transmission.

The researcher then found that CMsgClientLogon, the message the client sends to Steam to identify the user, contains enough data to gain access to the account. Next, Theis concluded that Steam was vulnerable to a padding oracle attack (PDF) and, together with another researcher, came up with a proof-of-concept exploit.

While analyzing Steam session, Theis observed that, after the initial handshaking and setup, the client asks Steam to encrypt the channel by sending the encrypted session key in a ChannelEncryptResponse message. The server responds with a ChannelEncryptResult and the communication between the client and the server is then encrypted with the session key.

Thus, an attacker who captures the ChannelEncryptResponse message can replay the victim’s encrypted session key to Steam. Although the attacker cannot decrypt the session key, Steam will accept it and use it for the attacker’s new connection, which turns the server into a padding oracle for ciphertext captured from the victim’s session.

“Because of this replay attack, I could take a simple .PCAP of somebody connecting to Steam, and decrypt that entire session. No need for MITM- just the ability to eavesdrop. No issues with time- as long as I see the start of the connection, I’ve got what I need. And if the connection was closed, I could just restart it. I could even run the attack in parallel, between all Steam servers, massively speeding it up,” the researcher says.

He contacted Valve to report the issue and says that the company deployed mitigations against attacks targeting logon credentials within 12 hours after receiving the report. After that, Valve rolled out new crypto code to use MAC and also “includes a nonce in the ChannelEncryptRequest message that the client must include in the ChannelEncryptResponse to prevent replay attacks,” Theis notes.
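The two halves of this story, the CBC padding-oracle attack and the encrypt-then-MAC fix, worked through as an added example (not Valve's code and not the researcher's proof of concept). To run on the Python standard library alone, the block uses a stand-in 128-bit block cipher built from HMAC-SHA256 in a Feistel network; the attack treats the block cipher as a black box, so the same code applies unchanged to AES-CBC as Steam used it. The keys, IV and the CMsgClientLogon-style message are constructed, and `padding_oracle` stands in for the server's distinguishable reaction to bad padding.

```python
import hashlib
import hmac

BLOCK = 16

# Stand-in 128-bit block cipher (a 4-round Feistel network keyed with HMAC-SHA256) so the example runs on
# the standard library alone. The attack never looks inside it: AES-CBC, as Steam used, is attacked identically.
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r
def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt(key, iv, ct):  # returns the still-padded plaintext
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def padding_oracle(key, iv, ct):
    # The leak in the unauthenticated channel: the server reveals whether the padding decrypted validly.
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False

def attack_block(oracle, prev, target):
    # Recover one plaintext block from oracle answers alone; prev is the preceding ciphertext block (or IV).
    inter = bytearray(BLOCK)  # block_decrypt(key, target), learned from the last byte backwards
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            forged[pos] = guess
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ padval  # force the already-known tail to the wanted pad value
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 (or longer) padding match
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged), target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle accepted no guess")
    return _xor(inter, prev)

def padding_oracle_attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(attack_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks))))

def seal(enc_key, mac_key, iv, plaintext):  # the fix: encrypt-then-MAC over IV and ciphertext
    ct = cbc_encrypt(enc_key, iv, pad(plaintext))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
def open_sealed(enc_key, mac_key, msg):
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC")  # rejected before any decryption, so padding is never examined
    return unpad(cbc_decrypt(enc_key, iv, ct))

# Constructed demo values (hypothetical; not taken from Steam traffic)
ENC_KEY = hashlib.sha256(b"demo session key").digest()[:16]
MAC_KEY = hashlib.sha256(b"demo mac key").digest()
IV = bytes(range(BLOCK))
MESSAGE = b"CMsgClientLogon user=alice pass=correct-horse-battery"

def run_attack():  # the eavesdropper has the captured ciphertext and the oracle, never the key
    ct = cbc_encrypt(ENC_KEY, IV, pad(MESSAGE))
    return padding_oracle_attack(lambda iv, c: padding_oracle(ENC_KEY, iv, c), IV, ct)
```

`run_attack()` recovers the whole constructed message with at most 256 oracle queries per byte (plus one confirmation query for each block's last byte). Against `open_sealed` the same forged ciphertexts all fail with the single answer "bad MAC" before decryption is attempted, so nothing about the padding leaks. This models only half of Valve's fix: the nonce carried from ChannelEncryptRequest into ChannelEncryptResponse, which is what stops a captured session key from being replayed, is not part of this example.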

Related: Details of 34,000 Steam Users Exposed During DDoS Attack

Related: Vulnerability Allowed Hackers to Hijack Steam Accounts

The Role of CASBs in Protection Against the 2016 “Treacherous 12"
https://www.infosecisland.com/blogview/24755-The-Role-of-CASBs-in-Protection-Against-the-2016-Treacherous-12.html
Tue, 03 May 2016 06:59:00 -0500

In early 2015, health insurance giant Anthem disclosed that hackers had broken into its servers and stolen more than 80 million customer records, including names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information. A third-party cloud service had been used to transfer the huge data store from the company’s network to the public cloud.

This headline-making attack, and many others over the last few years, have raised new questions about cloud security. It used to be that most questions about cloud security revolved around compliance and insider threats. But lately, attention has turned to a troubling new worry: whether cloud services are falling victim to the same level of external attack as the data center.

As Software as a Service (SaaS) reshapes the way nearly every organization approaches IT, and with Infrastructure as a Service (IaaS) on the rise, cloud services now hold an array of mission-critical enterprise data, intellectual property, and other valuable assets. Which makes them a prime target for bad actors – from both inside and outside the organization.

A vivid illustration of the cloud threat landscape came Feb. 29 when the Cloud Security Alliance, an organization dedicated to defining and raising awareness of best practices for cloud security, issued a report titled “The Treacherous 12: Cloud Computing Top Threats in 2016.” Though cloud services deliver business-supporting technology more efficiently than ever before, the CSA concluded, they also bring significant risk.

Why do these risks occur?  The CSA said a major factor is that enterprise business units often acquire cloud services independently of the IT department, and often without regard for security. In addition, regardless of whether the IT department sanctions new cloud services, the door is wide open for the Treacherous 12.

Because all cloud services (sanctioned or not) present risks, the CSA asserts that businesses need to take security policies, processes, and best practices into account.

That makes sense, but is it enough?

Consider this surprising finding by Gartner. The analyst firm predicts that through 2020, 95 percent of cloud security failures will be the customer’s fault (1). This does not necessarily mean that customers lack security expertise, but it illustrates that it’s no longer sufficient to know how to make decisions about risk mitigation in the cloud. To reliably address cloud security, more is needed – automation.

Cloud security automation is where Cloud Access Security Brokers (CASBs) come into play. A CASB can help automate visibility, compliance, data security and threat protection for cloud services.

We looked at how well CASBs would fare in helping enterprises survive the treacherous 12 and guess what? CASBs clearly address nine of the treacherous 12 (along with many other risks not mentioned in the report). These include: 

#1 Data breach
#2 Weak ID, credential, and access management
#3 Insecure APIs
#4 System and application vulnerabilities
#5 Account hijacking
#6 Malicious insiders
#7 Advanced persistent threats
#10 Abuse and nefarious use of cloud services
#12 Shared technology issues

There are countless examples of why being protected against the Treacherous 12 is important. Some of the more high profile ones:

  • Data breach: In the 2015 Anthem breach, hackers used a third-party cloud service to exfiltrate over 80M customer records.
  • Insecure APIs: A mid-2015 breach at the IRS exposed more than 300,000 records. While that’s a big number, the more interesting one is that it only took one vulnerable API to allow the breach to happen.
  • Malicious Insiders: Uber reported that its main database was improperly accessed. The unauthorized individual downloaded 50,000 names and numbers to a cloud service. Was it their former employee, the current Lyft CTO? That was Uber’s opinion. The DOJ disagreed and a lawsuit ensued. 

In each of these cases, a CASB could have helped. A CASB can:

  • Help detect data breaches by monitoring privileged users, encryption policies, and movement of sensitive data.
  • Detect unusual activity within cloud services that originate from API calls, and support risk scoring of external APIs and applications based on the activity.
  • Spot malicious insiders by monitoring for overly-privileged user accounts as well as user profiles, roles and privileges that drift from compliant baselines.
  • Spot malicious user activity through user behavior analytics.

You’re probably wondering about the three of the 12 threats that a CASB doesn’t cover: data loss (#8), insufficient due diligence (#9) and denial of service (#11).

The cost of data loss is huge. A now-defunct company named Code Spaces had to close down when its corporate assets were destroyed, because it did not follow best practices  for business continuity and disaster recovery. Data loss prevention is a primary corporate responsibility, and a CASB can’t detect whether it is in place.

Insufficient due diligence is the responsibility of the organization leveraging the cloud service, not the service provider. Executives need a good roadmap and checklist for due diligence. A CASB can provide advice, but they don’t automate the process.

Finally, denial of service attacks are intended to take the provider down. It is the provider’s responsibility to take precautions to mitigate DoS attacks.

As cloud security becomes one of the most pressing issues in IT, the power of the CASB cannot be ignored.

1. Gartner press release, “Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond,” October 6, 2015, http://www.gartner.com/newsroom/id/3143718.

Nemucod Malware Downloader Evolves into Ransomware
https://www.infosecisland.com/blogview/24754-Nemucod-Malware-Downloader-Evolves-into-Ransomware.html
Tue, 26 Apr 2016 21:16:55 -0500

Nemucod, a previously known JavaScript malware family designed to download additional malicious software onto the compromised computers, has evolved into ransomware and is now using 7-Zip to encrypt its victims’ files.

The malware was observed downloading TeslaCrypt and also trying to drop ransomware from its own body, Fortinet’s Roland Dela Paz explains. The Nemucod variant was delivered via encrypted JavaScript attachments in spam emails and tried to download an executable file into the user’s temporary directory from compromised websites.

Should the download succeed, the malware downloads the ransom note, then drops and runs a batch file to encrypt user’s data, while adding the .crypted extension to all affected files. As soon as the process is completed, the malicious application displays the ransom text and performs its usual routine: it downloads and executes additional malware to the system.

What researchers discovered last month was that the ransomware did not actually use RSA-1024 to encrypt files; it only encrypted the first 2048 bytes of each file with XOR, using a pre-defined 255-byte key embedded in the downloaded executable component. A decryptor was released for it toward the end of March.

Additionally, users could roll back their PCs using System Restore and recover files from Volume Shadow Copies. Fortinet researchers also found that the ransomware’s code resembles that of KeyBTC, albeit with a simpler implementation, though they couldn’t establish a direct relationship between the KeyBTC and Nemucod actors.
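The weakness Fortinet describes, worked through as an added illustration (not Fortinet's decryptor and not the malware's code): a repeating XOR key applied to a fixed prefix is recovered outright from one original/encrypted file pair, and because the key was the same for every victim, that single recovery decrypts every other file. `xor_prefix` models the scheme as the article states it (first 2048 bytes, 255-byte key); the key and the two files are constructed for the example.

```python
import hashlib

PREFIX_LEN = 2048   # only the first 2048 bytes of each file were encrypted
KEY_LEN = 255       # fixed 255-byte key embedded in the downloaded component

def xor_prefix(data, key):
    # XOR the first PREFIX_LEN bytes with the repeating key and leave the rest untouched.
    # XOR is its own inverse, so this one function both "encrypts" and decrypts.
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:PREFIX_LEN]))
    return head + data[PREFIX_LEN:]

def recover_key(plaintext, ciphertext, key_len=KEY_LEN):
    # Known-plaintext recovery: key[i] = plaintext[i] ^ ciphertext[i]. One original/encrypted pair at
    # least key_len bytes long (say, an attachment the victim also still has in sent mail) gives the whole key.
    if min(len(plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))

def recover_key_fragment(known_header, ciphertext):
    # With only a file-format signature known (e.g. the 8-byte PNG header) just those key positions
    # fall out, which is why one fully known file is worth far more than many headers.
    return {i: p ^ c for i, (p, c) in enumerate(zip(known_header, ciphertext))}

# Constructed demo material (hypothetical; not from a real sample)
DEMO_KEY = b"".join(hashlib.sha256(b"constructed key %d" % i).digest() for i in range(8))[:KEY_LEN]
PNG_SIG = b"\x89PNG\r\n\x1a\n"
FILE_A = PNG_SIG + bytes(range(256)) * 12                  # a 3080-byte "image" the victim also has intact
FILE_B = b"%PDF-1.4\n" + b"sample document body\n" * 200   # another victim file with no clean copy

def demo():
    enc_a, enc_b = xor_prefix(FILE_A, DEMO_KEY), xor_prefix(FILE_B, DEMO_KEY)
    key = recover_key(FILE_A, enc_a)          # recovered from the one known pair
    restored_b = xor_prefix(enc_b, key)       # the same key frees every other file
    tail_untouched = enc_b[PREFIX_LEN:] == FILE_B[PREFIX_LEN:]
    return key == DEMO_KEY, restored_b == FILE_B, tail_untouched
```

`demo()` returns three booleans: the recovered key matches, the second file is restored with it, and everything past byte 2048 was never touched in the first place. That last point matters for triage as well: for anything larger than 2 KB most of the content is intact, and for many formats only the header needs rebuilding.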

Most recently, the Nemucod ransomware has received another update, and is now using the 7-Zip application to actually encrypt the files, it seems. Additionally, the malware authors have lowered the ransom from the original 0.60358 Bitcoins (around $267), to 0.49731 Bitcoins (around $220).

A recent post on Bart Blaze’s blog explains that, after the malware executes, users can see the following processes in Task Manager: a0.exe (which masquerades as 7-Zip), a1.exe, a2.exe, cmd.exe, and wscript.exe. To stop the encryption operation, users should end all of these processes.

The malware can be removed with anti-virus programs, but users are advised to keep a copy of the ransom note to identify the ransomware. As mentioned above, a Nemucod decryptor exists, but it was designed for the previous variant of the malware and might not work with the newer one, at least not yet.

Related: Kovter Ad Fraud Trojan Evolves Into Ransomware

Related: Links Found Between Different Ransomware Families

Bangladesh Bank: Why Aren't We Talking About Privileged Account Management?
https://www.infosecisland.com/blogview/24752-Bangladesh-Bank-Why-Arent-We-Talking-About-Privileged-Account-Management.html
Tue, 26 Apr 2016 12:05:00 -0500

Remember back in February when those hackers stole more than $80 million from Bangladesh Bank?

According to a report from Jim Finkle at Reuters, not only did they get away with a large amount of money, they may have also hacked the Society for Worldwide Interbank Financial Telecommunication (SWIFT), an organization which provides a network that enables financial institutions to exchange information about financial transaction details.

Investigators researching the recent Bangladesh Bank heist previously said the still-unidentified hackers had broken into computers and took control of credentials that were used to log into the SWIFT system. But it appears that the SWIFT software on the bank computers was probably compromised in order to erase records of illegal transfers.

So why is this such a big deal?

According to reports, the SWIFT messaging platform is used by 11,000 banks and other institutions around the world, though only some use the Alliance Access software. Exploiting privileged accounts is a critical stage of an attack lifecycle – and that is what appears to have happened when the SWIFT Software was compromised – resulting in an $81 million loss to the bank.

Today’s typical advanced cyber-attacks are designed to evade traditional threat prevention technologies that focus on protecting the perimeter from outside breach. Once inside a network, many of these attacks follow a common lifecycle: attackers advance from the initial foothold by escalating their privileges and moving laterally through the environment to identify and access valuable targets and confidential information.

Once an attacker has hijacked the privileged credentials of an authorized user, its activities blend in with legitimate traffic and are therefore much more difficult to detect. Attackers can thus operate undetected inside an organization for long periods of time.

More than likely, this is how this particular breach happened:

Perimeter compromise. Attackers gain entry into a corporate network through multiple attack vectors including email, web and endpoints. Attackers have become highly sophisticated and are increasingly finding ways to evade traditional network perimeter threat detection technologies. In most cases, immediately after the initial compromise, attackers download malware tools and establish a connection to a command-and-control server to enable ongoing control.

Escalate privileges. External attackers, after the initial compromise, target privileged accounts to facilitate the future stages of the attack. Through a variety of tactics, attackers attempt to gain possession of the credentials used to access privileged accounts. Privilege escalation appears to have been the critical stage of the attack, because if privileged credentials are compromised, the attacker is able to move closer to sensitive data while remaining undetected.

Reconnaissance and lateral movement. Once armed with privileged credentials, attackers may conduct stealth reconnaissance across the network to locate other vulnerable systems, and then spread laterally across the network in search of target data and systems. As the attacker identifies an additional interesting target, it may again need to escalate its privileges to gain access to the newly identified system and then continue its reconnaissance.

Data exfiltration. The final stage of an attack lifecycle is typically to exfiltrate the desired information from the target’s corporate network to a location that the attacker controls. Once the target information has been gathered in a staging area and is ready for exfiltration, the attacker can use its privileged access to bypass controls and monitoring technologies designed to prevent or detect exfiltration.
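The lifecycle above turns on the point made earlier: stolen privileged credentials look like legitimate use. One concrete check a defender can still run is to baseline each privileged account's normal source hosts and hours of day and flag logons outside that baseline. The script below is an added example, not code from the article or from any Thycotic product; the account names, host names, log format and log lines are all constructed, and the list of which accounts count as privileged is assumed to come from a PAM inventory.

```python
"""Baseline-and-deviation check for privileged account logons.

Added example, not part of the original article or any vendor product.
Account and host names are hypothetical; each log record is a constructed
"<ISO timestamp> <account> <source_host> <target_host> <result>" line.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical privileged accounts: the set a PAM inventory would produce.
PRIVILEGED = {"swift-ops", "domadmin"}

# Constructed baseline: normal working pattern over prior weeks.
BASELINE_LOG = """\
2016-01-11T09:02:11 swift-ops ws-treasury-01 swift-alliance success
2016-01-11T14:30:45 swift-ops ws-treasury-02 swift-alliance success
2016-01-12T10:15:00 domadmin adm-jump-01 dc-01 success
2016-01-13T08:55:30 swift-ops ws-treasury-01 swift-alliance success
2016-01-14T16:20:05 domadmin adm-jump-01 file-01 success
2016-01-15T11:05:42 jdoe ws-hr-07 hr-app success
"""

# Constructed recent records, including the misuse pattern described above:
# privileged accounts used from a host they never used before, in the small hours.
RECENT_LOG = """\
2016-02-04T02:13:09 swift-ops ws-hr-07 swift-alliance success
2016-02-04T09:10:00 swift-ops ws-treasury-01 swift-alliance success
2016-02-04T03:40:12 domadmin ws-hr-07 dc-01 success
2016-02-04T03:41:01 domadmin ws-hr-07 dc-01 failure
2016-02-04T12:00:00 jdoe ws-hr-07 hr-app success
"""


def parse(line):
    ts, account, src, dst, result = line.split()
    return datetime.fromisoformat(ts), account, src, dst, result


def build_baseline(log_text, privileged=PRIVILEGED):
    """Per privileged account: source hosts and hours of day seen in successful logons."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in log_text.splitlines():
        ts, account, src, _dst, result = parse(line)
        if account in privileged and result == "success":
            baseline[account]["hosts"].add(src)
            baseline[account]["hours"].add(ts.hour)
    return baseline


def detect(log_text, baseline, privileged=PRIVILEGED):
    """Return (account, reason, line) for privileged logons outside the baseline.

    Failed logons are checked too: a privileged account failing from a new host
    is worth a look even before anything succeeds.
    """
    alerts = []
    for line in log_text.splitlines():
        ts, account, src, _dst, _result = parse(line)
        if account not in privileged:
            continue
        known = baseline.get(account, {"hosts": set(), "hours": set()})
        reasons = []
        if src not in known["hosts"]:
            reasons.append(f"new source host {src}")
        # Allow one hour of slack either side of the hours seen in the baseline.
        if not any(abs(ts.hour - h) <= 1 for h in known["hours"]):
            reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            alerts.append((account, "; ".join(reasons), line))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for account, reason, line in detect(RECENT_LOG, base):
        print(f"ALERT {account}: {reason}\n    {line}")
```

Run as-is, the two treasury-hours logons from the usual workstations pass, while the 02:13 and 03:40 logons from ws-hr-07 are reported on both counts. The baseline window and the one-hour slack are tuning knobs; too narrow and every shift change pages someone, too wide and the check stops catching anything.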

Enter Privileged Account Management

Clearly, a solution needs to be put in place to protect organizations from a similar incident in the future. A privileged account security solution provides the following capabilities, which could be a critical part of that solution:

Comprehensive platform for proactive protection of privileged credentials and target assets from cyber-attacks. A privileged account security solution lets an organization proactively protect against, and automatically detect and respond to, in-progress cyber-attacks before they reach vital systems and compromise sensitive data.

Automatic identification and understanding of the scope of privileged account risk. A PAM solution automatically discovers privileged accounts across the enterprise and helps organizations visualize the resulting compliance gaps and security vulnerabilities. Automating this removes the time-consuming and error-prone task of manually tracking and updating privileged credentials, which lowers IT operational costs. The added visibility significantly improves security posture and facilitates adherence to rigorous audit and compliance standards.

Continuous monitoring, recording and secure storage of privileged account activity. A PAM solution monitors, collects and records individual privileged session activity down to every mouse click and keystroke. It also provides highly secure storage of privileged session recordings and robust search capabilities allowing organizations to meet their audit and compliance requirements. Session recordings also provide a full forensics record of privileged activity to facilitate a more rapid and precise response to malicious activity.

Organizations have invested heavily in security products to protect their IT infrastructure and valuable information. According to IDC, worldwide spending on IT security products is expected to grow from $32.0 billion in 2013 to $42.0 billion by 2017. Historically, the majority of this spending has been focused on perimeter threat protection products such as firewalls, network and web security.

While prevention of the initial breach is an important layer of an enterprise security strategy, at Thycotic, we do not believe that perimeter-based threat protection alone is sufficient to protect against today’s increasingly sophisticated and targeted external security threats.

Despite significant investments in perimeter-based threat protection solutions, most enterprises are still being breached. Therefore, we believe that in the future, a greater portion of the overall spend must be dedicated to security solutions focused on the inside of the enterprise.

About the author: Jim Legg is the President and CEO of Thycotic and has more than 25 years of managerial and sales experience in guiding technology companies to accelerated, sustained growth.

Copyright 2010 Respective Author at Infosec Island
End-to-end Encryption, Today -- Loophole Closed or Moved? https://www.infosecisland.com/blogview/24751-End-to-end-Encryption-Today-Loophole-Closed-or-Moved.html Fri, 22 Apr 2016 15:31:42 -0500

Instant messaging is a big part of today’s digitally connected era, and there is a plethora of instant-messaging apps offering various features. Security has become critical for these apps, especially after the recent Apple “back door” debate. Among the apps with vaunted security features are iMessage and Snapchat. Yet despite the attention their developers give to security, even these apps have had exploitable weaknesses.

Security researchers at Johns Hopkins University recently showed that attackers could intercept encrypted messages sent through iMessage and recover texts, photos and videos by exploiting a specific weakness in iMessage's encryption. Snapchat messages, or snaps, delete themselves after a short period of time; but researchers at Gibson Security showed that Snapchat also suffered from weak security, allowing attackers to harvest users' usernames and phone numbers.

Thanks to increased security awareness, companies are making strides toward better security. Following Apple's lead, WhatsApp (owned by Facebook) and Viber recently enabled end-to-end encryption for their users, with the aim of keeping their customers' conversations private.

What is End-to-End Encryption?

End-to-end encryption has become the go-to security measure for instant-messaging apps. The aim is that nobody other than the sender and the receiver of a message can read it, not even the company operating the messaging service. This is achieved by encrypting each message under keys that exist only on the two users' devices (in practice, key pairs generated on the devices and session keys negotiated between them), so the provider only relays ciphertext it cannot decrypt.

Is the Loophole closed or just moved?

The current end-to-end encryption implementations raise a number of questions. If a user loses her device, or has to set the app up afresh on a new one, the chat histories are no longer available to anyone. The history was encrypted under keys that lived only on the old device; no key held by the provider, and no fresh key generated on the replacement device, can decrypt it. This holds true even if the app's servers have kept a backup of the encrypted chat history.

Currently, this loss is mitigated by letting users back up their chat histories to third-party storage such as Google Drive or iCloud, or to the device's own storage. Access to previous chats is a crucial feature of most instant-messaging apps, and handing the backup to a third-party storage provider has been the usual answer to this 'loss of history' situation.

Because third-party services are now in the picture, the overall security is only as strong as those external services. That is a serious concern, especially for companies that staunchly support security and privacy, since the responsibility for securing customer data has now shifted onto external shoulders. If WhatsApp data is stored on a cloud server owned by a third party and an attacker steals a user's chat history from it, who is accountable: Facebook (WhatsApp) or Apple (via iCloud storage)? Legal teams will have to define this clearly. Furthermore, Apple has direct access to WhatsApp customers' data on iCloud, because, as with most other cloud storage providers, the keys to data encrypted on iCloud are held by Apple, not by the users. So WhatsApp can no longer take an independent stand on protecting customer privacy against government requests for access. Yet some such off-device storage is unavoidable if histories are to survive the loss of a device under end-to-end encryption.

Can technology help solve the issue?

If the instant-messaging company stores the encrypted chat histories itself, then securing that data is its own responsibility, and it faces the same legal question: who owns the encryption keys? If the company holds the keys, it cannot claim to have no access to the content. If the customers hold the keys (for example a backup key derived from a password only the customer knows), then the original problem of forgetting the key and being locked out of the encrypted data remains. For this reason, I believe this solution isn't viable. It is clear that traditional keys (passwords), which are easily forgotten, do not work either. The solution to the problem at hand requires a key derivation that does not depend on memory.
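The three custody options weighed above can be made concrete in code. The following is an added example, not from the article and not a description of how WhatsApp, iMessage or iCloud actually implement backups: it models a history key that lives only on the device, the same key escrowed under a provider-held key, and the same key wrapped under a password-derived key, and asks in each case who can read the backup. The cipher is a standard-library stand-in for a real AEAD, and the names and sample history are constructed.

```python
"""Who can read a backed-up chat history? Added example, not from the article.

Models the three key-custody options discussed above:
  1. keys live only on the device (pure end-to-end): lose the device, lose the history;
  2. the backup key is held by the storage provider: the provider (and anyone who
     compels it) can read the backup;
  3. the backup key is derived from a user password: only the user can read it,
     and forgetting the password loses the history again.
Stdlib only: HMAC-SHA256 in counter mode plus an HMAC tag stands in for a real
AEAD such as AES-GCM and is NOT for production use. All names are hypothetical.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    # Separate encryption and MAC keys derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i), truncated to length.
    blocks = [hmac.new(enc_key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(0, length, 32)]
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verify the tag in constant time, then decrypt. ValueError on wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def password_key(password, salt):
    # Slow KDF so a provider holding the blob cannot cheaply guess the password offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


HISTORY = b"alice: wire the usual amount\nbob: done, ref 4471"  # constructed chat history


def reads(key, blob):
    """True if key decrypts blob back to the history."""
    try:
        return open_(key, blob) == HISTORY
    except ValueError:
        return False


def restore(kek, wrapped_key, backup):
    """Unwrap the history key with kek, then decrypt the backup."""
    try:
        return reads(open_(kek, wrapped_key), backup)
    except ValueError:
        return False


def scenario_device_only():
    """Pure end-to-end: the history key exists only on the phone; the server holds ciphertext."""
    device_key = os.urandom(32)
    server_copy = seal(device_key, HISTORY)
    replacement_key = os.urandom(32)      # new phone generates its own, unrelated key
    return {"owner": reads(device_key, server_copy),
            "owner_after_device_loss": reads(replacement_key, server_copy)}


def scenario_provider_kek():
    """Recoverable backup: the provider escrows the history key under a key it holds."""
    device_key = os.urandom(32)
    provider_kek = os.urandom(32)          # generated and kept by the provider
    backup = seal(device_key, HISTORY)
    wrapped = seal(provider_kek, device_key)
    ok = restore(provider_kek, wrapped, backup)   # the owner's recovery path is the provider's read path
    return {"owner_after_device_loss": ok, "provider": ok}


def scenario_password_kek(password_at_setup, password_at_restore):
    """Backup key derived from a user-chosen password; provider holds only salt and ciphertext."""
    device_key = os.urandom(32)
    salt = os.urandom(16)
    backup = seal(device_key, HISTORY)
    wrapped = seal(password_key(password_at_setup, salt), device_key)
    return {"owner": restore(password_key(password_at_restore, salt), wrapped, backup),
            "provider": restore(os.urandom(32), wrapped, backup)}   # no password, only a blind guess
```

The point the scenarios make is the one in the text: the provider-escrow design is the only one that survives device loss without the user remembering anything, and it is exactly the one in which the provider can read the history. The password design keeps the provider out but hands the user the responsibility of not forgetting.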

Let’s use our fingers

Biometric cryptography is an active area of research, and many recent advances provide secure tools for biometric key derivation. Also, keys need not be backed up after every message; doing so each time the device is unlocked is perhaps a reasonable frequency. With biometric identification already built into devices such as iPhones, the technology overhead might be minimal. With a key derivation method that does not require memory, and the hardware already in place, I believe biometric cryptography offers a potential solution to the problem.

An alternative approach to password management is a password manager: software with which the user only has to deal with a single master secret, from which the password manager derives (or, more commonly, under which it stores) the passwords for all the user's accounts. The master key is stored either on the user's device or in the service provider's cloud. If stored on the user's device, the problem of losing the password along with the device persists. If stored in the provider's cloud, the provider has clear access, defeating the original objective of protecting the user's privacy.

It is important that instant-messaging providers invest in research and development of a viable solution that closes the loophole and gives customers full control of their data.

One thing is clear: end-to-end encryption does not solve the problem, despite the common perception that it is the holy grail of instant-messaging security. It is necessary that service providers shift their attention toward non-traditional key-derivation mechanisms to close the loophole. Biometric cryptography is a potential candidate because it is the embodiment of storing information that doesn’t require memory. Also, biometrics is already mainstream, and it’s being embedded on our devices now and into the future. 

Access Management Increases Security, Cuts Costs https://www.infosecisland.com/blogview/24750-Access-Management-Increases-Security-Cuts-Costs.html Fri, 22 Apr 2016 07:27:14 -0500

While organizations are constantly trying to reduce spending, there are certain areas where they are not cutting back but increasing budgets. Several recent surveys and studies have shown that organizations in both the US and UK continue to invest heavily in identity and access management (IAM) solutions.

The main reason respondents gave for continuing to invest is fairly obvious: security. As defensive technology advances, attackers and their ways of breaching an organization's network also become more sophisticated. IAM solutions must be able to protect against advanced attacks, and to secure newer technology such as mobile devices and cloud applications.

The second priority for the continued investment in IAM solutions is an attempt to save money in the long run. Though IAM solutions require an initial investment, they help organizations save money in many areas of the company over time.

Continued Security Threats

No matter how secure you think your organization's network is, there are always attackers, both outside and within the company, who will find ways around your security measures. IAM solutions continue to evolve to keep pace with these attackers and keep the network safe. Organizations need to secure not only their in-house computers but also the many mobile devices that employees use outside the network to access cloud applications. Any breach, large or small, can cost the organization a great deal, which is why they consider this kind of investment important. So how can an IAM solution help with security?

Most importantly, the organization needs to ensure correct access rights across its entire network and all applications used inside and outside the organization. IAM solutions automate account management, which makes correct access both secure and easy to achieve. For example, when an employee joins the organization they need to receive the right access rights. Automation lets the account be set up easily and accurately, so the employee does not accidentally receive too many, or too few, rights. A manager or HR staff member simply adds the employee to the HR system, and accounts in any connected system or application are created automatically.

The organization also needs to ensure that access is revoked once an employee leaves; failing to do so is one of the most common access problems. An IAM solution lets a manager disable an account easily, so this critical step is not overlooked. For example, when an employee leaves, a manager disables the employee's record in the source system (PeopleSoft, say), and all of that employee's accounts and access rights are revoked with one click, ensuring they no longer have access.

Just as IAM solutions automate account management for in-house applications, they can be set up to work seamlessly with cloud applications such as Office 365, Google Apps and TOPdesk. A manager can then create, change or disable an employee's cloud accounts from the same place, including disabling them when the employee leaves, which protects the network and its data.

This is just one of the basic parts of an IAM solution; there are many other modules that help with security. For example, access rights can also be monitored with an attestation module. The network and applications are scanned regularly for current access rights, which are compared against a predefined matrix of standard or accepted rights. Any difference is flagged to the manager and system owner for review. If the difference is acceptable, the reviewer approves it with an electronic signature. If the rights are found to be unauthorized, a workflow can remove them automatically, with notification emails to the parties involved.
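The attestation step just described is, at bottom, a set comparison between what each account holds and what its role permits, plus a check of the account against the HR source of truth described earlier. The script below is an added example, not code from the article or from any IAM product it names; the HR records, role matrix and access export are constructed, and the choice that only terminated users' rights are removed automatically while orphaned and excess rights go to a human for sign-off is my assumption about a sensible workflow, not something the article specifies.

```python
"""Access attestation: compare live entitlements with an approved role matrix.

Added example, not part of the original article or any IAM product it names.
The HR feed, role matrix and access export below are constructed.
"""
from collections import defaultdict

# Constructed HR source of truth: employment status and role per account.
HR = {
    "amartin": {"role": "finance-analyst", "status": "active"},
    "bchen":   {"role": "helpdesk",        "status": "active"},
    "dlee":    {"role": "finance-analyst", "status": "terminated"},
}

# Constructed matrix of accepted rights: the groups each role may hold.
MATRIX = {
    "finance-analyst": {"ERP-Users", "O365-E3", "FileShare-Finance"},
    "helpdesk":        {"O365-E3", "Helpdesk-Console", "AD-PasswordReset"},
}

# Constructed scan of current access: (account, group) pairs as exported from directory/apps.
CURRENT_ACCESS = [
    ("amartin", "ERP-Users"), ("amartin", "O365-E3"), ("amartin", "FileShare-Finance"),
    ("amartin", "Domain Admins"),                 # not in the matrix for her role
    ("bchen", "O365-E3"), ("bchen", "Helpdesk-Console"),
    ("dlee", "ERP-Users"), ("dlee", "O365-E3"),   # left the company, accounts still live
    ("svc_backup", "Backup Operators"),           # no HR record at all
]

LICENSED_GROUPS = {"O365-E3"}  # groups that carry a per-seat license cost (assumed)


def attest(hr, matrix, access):
    """Return findings as (account, group, finding) tuples, sorted by account.

    finding is one of: 'terminated' (owner has left), 'orphan' (no HR record),
    'excess' (held but not permitted for the role), 'missing' (permitted but not held).
    """
    held = defaultdict(set)
    for account, group in access:
        held[account].add(group)

    findings = []
    for account in sorted(held):
        groups = held[account]
        person = hr.get(account)
        if person is None:
            findings += [(account, g, "orphan") for g in sorted(groups)]
        elif person["status"] != "active":
            findings += [(account, g, "terminated") for g in sorted(groups)]
        else:
            allowed = matrix.get(person["role"], set())
            findings += [(account, g, "excess") for g in sorted(groups - allowed)]
            findings += [(account, g, "missing") for g in sorted(allowed - groups)]
    return findings


def auto_revoke(findings):
    """Rights safe to remove without a human: everything still held by a terminated user.

    Orphans may be service accounts (revoking breaks backups) and excess rights may be
    approved exceptions, so both are routed to review instead of removed blindly.
    """
    return [(a, g) for a, g, f in findings if f == "terminated"]


def needs_review(findings):
    """Findings that get the manager/system-owner review and e-signature described above."""
    return [(a, g, f) for a, g, f in findings if f in {"orphan", "excess"}]


def license_waste(findings, licensed=LICENSED_GROUPS):
    """Licensed seats still assigned to people who have left: direct cost."""
    return [(a, g) for a, g, f in findings if f == "terminated" and g in licensed]


if __name__ == "__main__":
    found = attest(HR, MATRIX, CURRENT_ACCESS)
    for account, group, finding in found:
        print(f"{finding:10} {account:12} {group}")
    print("auto-revoke:", auto_revoke(found))
    print("review:", needs_review(found))
    print("license waste:", license_waste(found))
```

The same three lists are what the later section on licensing costs is about: the `license_waste` output is the list of seats an organization is paying for without knowing it, and `needs_review` is the queue a manager signs off on.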

Long-term Investment

Though IAM solutions are an investment at first, over time they save the organization a substantial amount of money, mainly because one or more full-time employees no longer need to spend their time on account management and can be used elsewhere in the organization. IAM solutions automate the complete end-user lifecycle, requiring few or no manual tasks. In education, for example, at the beginning of each semester several employees would otherwise spend days just adding new students and employees and moving graduates to alumni status.

Another way IAM solutions save money is licensing. Organizations tend not to review how many licenses they are paying for against how many are actually in use. This is also a major issue with employees who leave: often an ex-employee still holds access to an application the company is unknowingly paying for. Many IAM solutions provide an overview of access rights, letting managers see exactly who has access to which systems and applications, so that they pay for the correct number of licenses. Any errors in access rights can then be corrected easily with automated account management.

Over the years, IAM solutions have become much more flexible, which makes them more cost-efficient to implement. An organization can pick the modules it needs and customize them to its situation. A smaller company therefore does not need to buy a large enterprise IAM suite; it can choose the modules that address its immediate issues.

So, while IT spending may be cut back, investments in IAM solutions continue to grow because of security issues, flexibility and an overall cost savings.
