Insider Threat: Why Negligence Is More Dangerous Than Malevolence (Fri, 26 Aug 2016 08:00:00 -0500)

Security threats can come from anywhere, but they most often originate from the inside. These types of threats are on the rise: in a recent report, 39% of IT professionals admitted they were more concerned about the threat from their own employees than the threat from outside hackers.

In May 2014, the U.S. Department of Homeland Security defined Insider Threat as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems.”

The potential risks associated with an Insider Threat are particularly disturbing, since Insiders already have the necessary credentials and access to do significant damage to your organization. Traditional data security tools such as encryption are meaningless since Insiders are already authorized to bypass these security barriers in the same way they can use their network credentials to access your sensitive data.

As a recent example, customer records at AT&T Services were accessed by employees who stole information to sell to unauthorized third parties. As a result, in late 2015, AT&T Services had to pay a civil penalty of $25 million to resolve consumer privacy violations.

While we should not ignore the very real danger posed by this type of intentional threat, we must also recognize the role of negligent employees in delivering a similar result. The fact is that the road to a cyberattack is often paved with the best of intentions.

In February 2016, Snapchat announced that one of its employees had responded to a phishing scam by sharing payroll information with the company’s Chief Executive Officer, or so they thought. In reality, they had opened an email sent by an external actor who exploited the employee’s negligence to obtain sensitive information. While it was an honest mistake, the employee’s actions resulted in devastating consequences for the organization as well as for the individuals whose data was breached. According to the FBI, this form of business email compromise has cost more than $1.2 billion over the past two years.

Cyberattacks originating from negligent employees are rapidly increasing. Employees have access to sensitive information that, if exposed, could negatively impact their organization. Yet most corporate research and investment on the Insider Threat has focused on those defined by Homeland Security: malicious behavior of purposeful hackers. We need to understand that the Insider Threat is considerably broader.

Contrary to popular belief, Insider Threats should not be restricted to these malicious profiles. In fact, many would argue that the threat from well-intentioned, negligent employees, as in the Snapchat case, presents a much greater risk. IT decision makers view the employee as the greatest risk to the security of their organization (46%). Among these respondents, the ‘accidental’ threat was cited twice as often as the ‘intentional’ threat.

While no one can prevent all Insider Threats, adopting a transparent security policy is a key step in securing employee support while building greater trust between employees and employers. IT should work closely with senior leadership to integrate responsible IT security behavior training, including random user testing, and pre-emptive alerts established to call out unusual activity or access.

Organizations must also implement technology that delivers proactive and intelligence-driven approaches to security to help reduce risk and enable IT to effectively support business initiatives.

The successful prevention of any threat depends on our ability to accurately define and identify it – ideally before it has infiltrated our networks and data.  When addressing the risk of Insider Threats, we must look beyond those who are intentionally doing harm and place equal emphasis on those who are simply doing their job.

About the author: Eric Aarrestad, Senior Vice President, Product Management, leads Absolute’s focus on defining and driving requirements for Absolute’s product portfolio. Under Eric’s guidance, the product management team defines and communicates the product strategy and roadmap for all segments of the business. Eric is a seasoned information security executive, with a proven track record of market impact through building, scaling and growing global cloud, SaaS, mobile, data analytics and security products and services. Eric has worked in enterprise information security for more than 20 years, having previously held leadership positions at Microsoft, HEAT Software and WatchGuard Technologies.

Copyright 2010 Respective Author at Infosec Island
Mr. Robot-Inspired FSociety Ransomware Emerges (Wed, 24 Aug 2016 06:57:20 -0500)

Real-life experiences are often transformed into successful movies, but a piece of ransomware inspired by the Mr. Robot TV series proves that the reverse is also possible.

The new ransomware family was named FSociety because it uses an image that appeared in the Mr. Robot show as the logo of an infamous hacking group called FSociety. According to Bleeping Computer, the malware’s creator appears to be a fan of the show, but the ransomware itself is in its early stages of development.

For the time being, the ransomware doesn’t display a ransom note and does not give users any information on how to contact the author. Even so, the malware does encrypt users’ files, although researchers discovered that only a test folder on the Windows desktop is targeted at the moment.

Discovered by Michael Gillespie, the FSociety ransomware is based on the EDA2 educational ransomware that already spawned numerous variants earlier this year. Released at the beginning of 2016, the educational ransomware has already been retired by its developer, Utku Sen.

Like other EDA2 variants out there, the newly spotted ransomware family was designed to encrypt users’ files using AES encryption. The malware then uploads the RSA-encrypted decryption key to a command and control (C&C) server.

The new threat is likely to receive improvements shortly, but it remains to be seen what these will be and whether they will improve the code enough to prevent security researchers from cracking it.

Previously, researchers were able to neutralize EDA2-based ransomware quickly because of a backdoor that Utku Sen included in the code. Likewise, flaws in Hidden Tear’s code allowed security researchers to crack the encryption of that ransomware’s offspring as well.

Related: Variants Spawn From Hidden Tear Ransomware

Related: Radamant C&C Server Manipulated to Spew Decryption Keys

What Elements Are Needed for Security Analytics Success? (Tue, 23 Aug 2016 04:10:00 -0500)

Over the course of the last 18 months, it has become increasingly evident that organizations need to do more to stop the growing epidemic of security failures and data breaches that are threatening the very ability to conduct business. Customers’ sensitive financial and personal information needs to be protected.

In response, many companies now realize they need to shore up their internal efforts to deal with attackers that dwell inside the network for months looking for their target. In the process, the sheer number and the targeted specificity of attacks have made it clear that no single company’s IT department can weed through the potential problems and possible attack notifications to find the real threats. Even as they deploy next-generation firewalls and endpoint detection and response products that move away from signatures to indicators of compromise (IOCs), promising to close the gap on detection and dwell time exposure, alert fatigue continues to plague many IT security teams.

In order to step up their game, businesses and organizations have been implementing security analytics technologies. The promise of security analytics is that it will do what humans in an IT department cannot – review endless amounts of data and flag the real threats you should pay attention to.

Not all security analytics solutions are created equal, however. There are five key characteristics critically important to ensuring that your security analytics are effective and capable of stopping today’s advanced threats.

Extreme Flexibility to Task and Data

Security analytics must be ready and willing to take on any problem presented to it. Strong and useful security analytics has to do more than security software that detects simple intrusions. It must be able to consider everything that could potentially be a problem. To do this it has to be applicable to any source of data – be that a network, device, server, user log, etc. Think of a broad range of use cases.

However, just being able to interface with these information silos is not enough. Security analytics needs to analyze several different features of the data – from metrics like response times or counts, to information coming from users, hosts and agents. It also needs to be smart enough to detect patterns like ‘beaconing’ and high information content in communication packets – and then be able to draw conclusions about them and form insights into what is actually happening and where.

In other words, to be successful, security analytics needs to be able to use every data source, data feature and potential problem laid out in front of it to detect unusual behaviors related to advanced attacks; then analyze them and present results to the user.

Speedy, Accurate, Real-Time Analysis

With true security analytics implemented, the analysis should be fast – giving results in near real-time, making the user feel like it is almost automatic. Speed in processing of data is important when it comes to security issues – as any delays in identifying problems can be quite costly for companies, especially when an active data breach is occurring.

At the same time, while speed in processing is very important – it is second to the most important element of security analytics processing: security analytics needs to understand what it’s looking at and draw conclusions about what is important to the end user.

With an ever-increasing number of cyberattacks to worry about, it is easy to see how IT managers are overburdened with alerts that flag a potential breach or other issue that needs attention. Many of these issues are not breaches or problems that even warrant immediate (if any) attention; but with most security software that looks at signatures or ill-defined IOCs, everything is flagged so that nothing is missed. This clearly works to the advantage of the attacker, who hides in the noise of the environment they are operating within. With alert fatigue being a dominant complaint, it becomes harder and harder for analysts to see through the waves of alerts that many advanced detection products emit.

Learns from the Past, Applies to the Future

Here is where machine-learning technology often enters the discussion. There are limits to what typical security tools and a single human end user can accomplish. There are only so many hours in the day to review alerts or notifications – and once you start self-selecting which ones seem important, you are already increasing the possibility that you miss a critical notification. Furthermore, while many companies deploy rule sets within their SIEM to aid in the filtering of highly relevant events, these are limited to a static understanding of “what is problematic” and not nearly as dynamic as a mechanism that could look to identify anomalies based on detected patterns from baselines.

Machine learning helps security analytics take the analysis of potential issues a step beyond seeing something and saying something. With machine learning technology in place, security analytics can now see something, correlate its significance and then ensure that it is only identifying the most important items based on probability scoring on the data.

Machine learning is a critical part of most security analytics – it can recognize and understand patterns, the periodicity of data and anomalies within the data, learning from each instance what normal behavior is and where the outliers are. This makes it possible for the IT manager to act on every alert received, prioritized by the analytical relevance score – instead of hoping he or she selected the correct ones.
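To make the two ideas above concrete (detecting a periodic ‘beaconing’ pattern as mentioned earlier under flexibility, and scoring a host against its own learned baseline rather than a static rule), here is an added illustration written for this page; it is not code from the article or from any vendor product. It assumes a constructed connection log and a constructed five-day baseline of per-host outbound counts; the thresholds (periodicity 0.9, three standard deviations) are assumptions an analyst would tune to their own environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: outbound connections (timestamp, source host, destination)
# as an analytics pipeline might receive them from proxy or flow logs.
BASE = datetime(2016, 8, 23, 9, 0, 0)

def constructed_connections():
    rows = []
    # ws-17 checks in with one destination every 5 minutes, with about 1 s of jitter:
    # the regular cadence of a scheduled process, not of a person browsing.
    for i in range(12):
        rows.append((BASE + timedelta(seconds=300 * i + (i % 3) - 1), "ws-17", "198.51.100.9"))
    # ws-04 talks to its destination in bursts at irregular intervals, like a user.
    for offset in (5, 23, 61, 64, 190, 410, 412, 900, 1700, 1702, 1900, 2400):
        rows.append((BASE + timedelta(seconds=offset), "ws-04", "203.0.113.80"))
    return rows

# Constructed baseline: outbound connection counts per host on the five previous days,
# and the counts observed today.
BASELINE = {"ws-17": [40, 42, 38, 41, 39], "ws-04": [100, 120, 90, 110, 95]}
TODAY = {"ws-17": 52, "ws-04": 115}

def beacon_scores(connections, min_events=8):
    """Periodicity score per (src, dst) pair: 1 minus the coefficient of variation of
    the inter-arrival intervals, clipped to [0, 1]. Near 1 means metronomic traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few observations to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        scores[pair] = max(0.0, min(1.0, 1.0 - cv))
    return scores

def volume_zscores(baseline, today):
    """How many standard deviations today's count sits above each host's own history."""
    z = {}
    for host, history in baseline.items():
        mean = statistics.mean(history)
        sd = statistics.stdev(history) or 1e-9  # flat baseline: avoid division by zero
        z[host] = (today.get(host, 0) - mean) / sd
    return z

def rank_alerts(connections, baseline, today, beacon_threshold=0.9, z_threshold=3.0):
    """Combine both signals into one ranked list so the analyst sees the top item first."""
    alerts = []
    for (src, dst), score in beacon_scores(connections).items():
        if score >= beacon_threshold:
            alerts.append((score, f"{src} -> {dst}: periodic check-in (periodicity {score:.2f})"))
    for host, z in volume_zscores(baseline, today).items():
        if z >= z_threshold:
            alerts.append((min(1.0, z / 10), f"{host}: outbound volume {z:.1f} sigma above baseline"))
    return sorted(alerts, reverse=True)

if __name__ == "__main__":
    for score, text in rank_alerts(constructed_connections(), BASELINE, TODAY):
        print(f"{score:.2f}  {text}")
```

Note what a static SIEM rule would miss here: ws-04 generates far more connections than ws-17 in absolute terms and stays silent, because its volume is normal for that host and its timing is irregular; ws-17 is flagged twice, once for the clockwork interval and once for a count that is modest in absolute terms but far outside its own history.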

Ability to Scale

Security analytics should have the ability to grow and scale with the organization. As businesses become more established and achieve greater levels of success, the amount of data they generate, the number of customers they have and the size of their operations all grow. This means that the probability of being “targeted” by cybercriminals or hackers grows as well. However, it is not always the biggest companies that are hit first or most often; it is the ones that are least prepared to prevent and detect attackers.

Security analytics needs to be able to handle all of these instances and scale as required. An increasing amount of data should not faze strong security analytics solutions. On the contrary, more data should add context to an attack and lead to proper identification of an attacker’s techniques.

Ease of Deployment and Understanding Results

This last item could easily be separated into two, but they are two sides of the same coin. There are an increasing number of security analytics-based products on the market, with many new entrants coming from adjacent parts of the security space that incorporate analytics (many times because they generate too much data to be useful). Ease of deployment and understanding results comes down to achieving value on the analytics performed.

It is increasingly important to be able to deploy ready-built and defined “recipes” that are relevant to detect intrusions as part of security analytics. This can be a bit of an iterative cycle to “tune” to the kinds of customer data present, but a successful solution will be the one that is the most flexible and aids in the tuning process.

To utilize security analytics, the results need to convey things like attack progression and classification of threats that fit in with the vernacular of the users. This aspect is often lost or left for the customer to consume and display into his/her own dashboards. The assumption made by many vendors is that there is an army of data scientists on staff at each customer that can utilize the results to “tell the story” to the security analyst. This is simply not the case. Therefore, you should look to shorten the time to value and deploy smart, highly tunable security analytics that speak the language of your security team.


The importance of security analytics cannot be overstated, especially as data breaches, unfortunately, continue to dominate the headlines each day and attackers come up with new, targeted means to circumvent prevention technologies. This is why, to be successful, you first have to understand the key elements of security analytics – to make sure what you implement will check off all of the boxes that should be checked off, and you’re not left wondering why your analytics solution isn’t finding everything it should. By implementing a security analytics solution that closely aligns with the five elements above you will be in a better position to short circuit the next attack on your business.

Hackers Ghosting the Trail (Thu, 18 Aug 2016 09:00:00 -0500)

If you're a professional hacker looking for the victim of your next big heist, one thing you are going to do is cover your tracks. Eliminating the evidence is a primary concern in many criminal activities. In the physical world, it is fingerprints, bullet casings, blood, hair, camera footage, etc. In the virtual world of cybercrime, it largely all comes down to logs. Criminals want to find, delete or alter them, and the gatekeepers want to save, archive and protect them from the bad guys. After the theft has occurred, if there is going to be any tracking down of the assailant, it will come down to how well the organization has archived and protected the logs and traffic patterns.

For example, after hackers stole at least 45.7 million credit and debit cards from shoppers at off-price retailers including T.J. Maxx and Marshalls, NBC News reported that "TJX also remains uncertain of the theft’s size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it."

Removing logs to cover their tracks obviously makes investigation significantly more difficult, but what if, instead of deleting them, the attackers alter their contents? Hackers talk about this strategy on ethical hacking sites.

“Don't delete entire log files, instead, just remove only the incriminating entries from the file. The other question is, is there a backup log file? What if they just look for differences and find the exact things you erased? Always think about your actions. The best thing is to delete random lines of log, including yours.”

Examples of log altering:

  • Hackers stole $101 million from Bangladesh’s central bank. Investigators learned that the heist was performed by "a sophisticated group who sought to cover their tracks by deleting computer logs as they went".
  • A phishing attack allowed a perpetrator to infect and compromise JP Morgan Chase. Robert Capps, a cybersecurity expert at RedSeal, commented that "Getting access to bank records is uncommon but not unheard of for hackers, who often change computer logs to cover their tracks but can't always get to more sensitive data." When the FBI was brought in to investigate, CNN reported that “hackers used sophisticated, never-before-seen malware to get deep enough into the banks' computer systems to delete and manipulate records”.

How to Protect Logs

All logs should be sent to a separate collection system in real time. Hosting log files locally on the same system that has been compromised isn’t a good idea. It makes it all the easier for the attacker to remove or alter the evidence. Instead, send the logs in real time to an appliance such as a SIEM.

Archive the Traffic Patterns

The traffic patterns to and from all systems on the network can also easily be archived for long periods of time. NetFlow and IPFIX are the leading technologies today for keeping a record of all communication patterns between connected devices. All routers and most major firewalls can export these records to a flow collection system. Should an incident occur, log records can be compared to traffic patterns, allowing security teams to confirm the validity of the events that took place.
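The two defensive points made so far (a real-time copy of the logs held off-box is the reference the attacker cannot reach, and flow records can confirm what the logs say) can be turned into a concrete incident-response check. The following is an added example written for this page, not code from the article or from Plixer; the host log, the collector’s copy and the flow export are all constructed samples using documentation IP ranges, and the log format (ISO timestamp, host, message) and the 60-second correlation window are assumptions.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the copy of web01's auth log that the remote collector
# received in real time, i.e. the reference the attacker could not reach.
COLLECTOR_COPY = """\
2016-08-18T09:00:01 web01 CRON[2001]: (root) CMD (run-parts /etc/cron.hourly)
2016-08-18T09:01:12 web01 sshd[2040]: Failed password for admin from 203.0.113.7 port 51810 ssh2
2016-08-18T09:01:15 web01 sshd[2040]: Accepted password for admin from 203.0.113.7 port 51812 ssh2
2016-08-18T09:01:20 web01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/cat /var/log/auth.log
2016-08-18T09:05:00 web01 CRON[2077]: (root) CMD (run-parts /etc/cron.hourly)
2016-08-18T09:10:31 web01 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
"""

# Constructed sample: the same log as later read off the host. Two lines are gone
# and the source address on the failed login has been rewritten to an internal one.
LOCAL_COPY = """\
2016-08-18T09:00:01 web01 CRON[2001]: (root) CMD (run-parts /etc/cron.hourly)
2016-08-18T09:01:12 web01 sshd[2040]: Failed password for admin from 10.0.0.5 port 51810 ssh2
2016-08-18T09:05:00 web01 CRON[2077]: (root) CMD (run-parts /etc/cron.hourly)
2016-08-18T09:10:31 web01 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
"""

# Constructed sample: flow records exported by the edge router, reduced to the
# NetFlow/IPFIX fields the cross-check needs.
FLOWS_CSV = """\
start,src,dst,dport,bytes
2016-08-18T09:01:10,203.0.113.7,10.0.0.20,22,6120
2016-08-18T09:04:40,10.0.0.20,10.0.0.53,53,180
2016-08-18T09:10:30,10.0.0.5,10.0.0.20,22,4410
"""

IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_log(text):
    return [line for line in text.splitlines() if line.strip()]

def compare_logs(local_text, collector_text):
    """Multiset difference of the two copies. Lines only the collector has were deleted
    (or altered) on the host; lines only the host has are forgeries or altered versions."""
    local = Counter(parse_log(local_text))
    remote = Counter(parse_log(collector_text))
    missing = sorted((remote - local).elements())
    unexpected = sorted((local - remote).elements())
    return missing, unexpected

def load_flows(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        rows.append(row)
    return rows

def corroborate(entries, flows, window=timedelta(seconds=60)):
    """For each tampered log entry that names a source IP, return the flow records
    from that IP within the window: independent evidence the connection happened."""
    hits = {}
    for entry in entries:
        match = IP_RE.search(entry)
        if not match:
            continue  # entry carries no peer address to correlate on
        ts = datetime.fromisoformat(entry.split(" ", 1)[0])
        ip = match.group(1)
        flows_from_ip = [f for f in flows if f["src"] == ip and abs(f["start"] - ts) <= window]
        if flows_from_ip:
            hits[entry] = flows_from_ip
    return hits

if __name__ == "__main__":
    missing, unexpected = compare_logs(LOCAL_COPY, COLLECTOR_COPY)
    print("deleted or altered on host:", *missing, sep="\n  ")
    print("present on host but never received by collector:", *unexpected, sep="\n  ")
    for entry, flows in corroborate(missing, load_flows(FLOWS_CSV)).items():
        print(f"flow evidence for: {entry}")
        for f in flows:
            print(f"  {f['start']} {f['src']} -> {f['dst']}:{f['dport']} ({f['bytes']} bytes)")
```

The comparison only works because the collector received each line as it was written; if the host had been the sole copy, there would be nothing to diff against. An altered line shows up as one entry in each list (the original in `missing`, the rewrite in `unexpected`), and the flow records tie the deleted SSH entries back to a real connection from 203.0.113.7 even though the host’s own log now claims an internal address.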

Taking the Protection of Logs a Step Further

Due to the critical nature of saving unaltered logs, companies often deploy a UDP forwarder. These appliances duplicate all received UDP datagrams (i.e. messages) and forward them to multiple collection servers by changing the destination IP address. The source IP address, however, is not modified. As a result, the device performing the UDP forwarding is completely transparent to the destination.

If a hacker were to notice that logs were being offloaded to a second system, they would have to compromise the UDP forwarding system, learn where the logs were going and then compromise those additional systems as well. Most hackers will give up on changing the logs or move on to an easier target.

Keep your Data Safe

Never has there been a time when logs were more important. Attackers are going to get in and you will be required to perform incident response. The first thing the security team will ask for is the logs. When this happens, don’t be left wondering what to do next. Make sure logs are backed up to a second or third system and make sure a UDP forwarder is relaying the messages. The harder you make it for the attacker, the more likely they are to move on to another victim.

About the author: Michael Patterson, CEO – Plixer: Michael worked in technical support and product training at Cabletron Systems while he finished his Masters in Computer Information Systems from Southern New Hampshire University.  He joined Professional Services for a year before he left the ‘Tron’ in 1998 to start Somix which eventually became Plixer.

Paving the Road to Digital Transformation (Thu, 18 Aug 2016 08:00:00 -0500)

I recently had an “a-ha” moment when I realized I had just experienced digital transformation in practice. It happened while I was driving from Los Angeles to Ottawa – a distance of just about 3,100 miles. As with any road trip, refueling your car is a necessity and, as you can imagine, I was stopping at the gas station a couple times a day on my way to Ottawa.

I’ve been a long-time customer of a particular gasoline/petrol vendor as I have one of their credit cards and am a member of their loyalty program. At one of my first gas station stops along the interstate, my favorite provider wasn’t available, so I pulled into an ExxonMobil gas station. As I proceeded to fill up my tank, an advert for a gas payment app caught my eye.

I noticed the app—known as Speedpass+—supported Apple Pay, so I downloaded it. To my surprise, I was able to authorize the transaction from my smartphone, choose my pump, and fill up my car – all within a matter of seconds. Not once during this transaction did I take out my wallet for a credit card or cash. 

Aside from this being a “cool” app, what was my “a-ha” moment? And more importantly, what’s the connection to digital transformation?

Let me start with a definition: digital transformation is all about embracing and adopting the latest digital technical innovations, with the ultimate goal of driving revenue. You’d have to be a hermit to be unaware of the digital innovations happening all around us. Long gone are the days when we anxiously wait for the latest IBM mainframe or the newest PC to enable new business initiatives. Today, the cloud, advances in mobile computing, and the growing use of these technological innovations are driving our respective customers and end-users to adopt these innovations faster than even our companies can. The digital transformation also gives end-users and customers a more direct connection with a company that had previously been impossible.

The Rise of Mobile Payment Apps

One of the precepts of digital transformation is generating top-line revenue for the company. This was the “a-ha” moment for me. I literally said to myself, “Wow, this app is so cool and it uses Apple Pay, so I’m going to switch to ExxonMobil and use them from now on.” It’s no surprise that mobile payment apps are growing in popularity. A recent study from eMarketer forecasts that in the U.S., mobile payments will triple within the next year as approximately 37.5 million people will make use of the technology.

But what about security? One of my biggest concerns about using my credit card at gas stations is one of credit card fraud as a result of credit card skimming—when crooks install a small device to physically scan and store credit card data from the magnetic stripe. Personally, I’ve had to replace my credit card twice in the last six months so any opportunity to avoid swiping my card is welcome in my book.

While still in their infancy, payment apps are constantly iterating on ways to enhance their security features. According to Security Intelligence, popular mobile payment app Venmo now includes multi-factor authentication, so that if a sign-in attempt is made from a phone or browser that is not already linked to a user’s Venmo account, the company sends out an alert with a six-digit text code to the primary mobile number.

The fact that I was now relying on my mobile device’s security features coupled with those of Apple Pay – versus a traditional credit card reader – tells me the digital transformation is in full force.  

Embracing the digital age with BYOD

Another one of digital transformation’s core tenets is “bring your own device,” which ExxonMobil embraced by implementing a hassle-free, mobile method of payment. Rather than retrofit all ExxonMobil pumps with NFC readers, the company built an app that enabled more than 6,000 stations to immediately accept payment via their Speedpass+ app. By using the phone’s GPS, the app automatically recognizes which station you are at and easily allows you to pick the pump you want to authorize.

Again, this is but one great example of embracing today’s digital transformation through BYOD.

The human element of digital transformation

Speaking from the customer’s perspective, I have a direct interaction with ExxonMobil now. Rather than using a credit card to pay for my purchase, I’m using the Speedpass+ application. On top of this, the application offers customers the ability to provide station feedback directly from the app. Instead of assuming the status quo as a faceless corporation, I’m not only able to, but encouraged to provide direct feedback to ExxonMobil about any station that I visit.

This experience showed me that the digital transformation has arrived and organizations are embracing the latest innovations to provide customers with anytime, anywhere, any way access. Now, ExxonMobil has a new customer and a new revenue stream: me.

About the Author: Currently the senior director of Product Management for Dell Security, Jackson Shaw has been involved with directory, meta-directory and security initiatives for 25 years. He has spoken at various industry events and writes a popular identity management blog. Jackson oversees product direction, strategy and go-to-market activities for Dell’s suite of identity and access management products.

Pragmatic Steps to Manage File Data Leakage Risks (Thu, 18 Aug 2016 06:00:00 -0500)

Data dissemination and file collaboration are natural parts of most business and operational workflows; thus, security must be an integral part of modern corporate workflow to protect sensitive information. While structured data, or information contained in databases, is well protected in the confines of secure backend systems, unstructured data is a different story. Files are presumed to be secure within domain-controlled network drives and folders within enterprise content management systems. Most IT professionals associate data and even file protection with backup and encryption technologies within their network or at the gateway. Unfortunately, the secure access and use of sensitive and often regulated data within files being shared both internally and externally remains a significant source of exposure within many organizations.

A recent 2015 State of File Collaboration Security report by Enterprise Management Associates (EMA) found a significant gap between file security policies and operations and the capabilities of technical controls in place at large and mid-tier enterprise organizations to monitor and enforce the policies. While the majority of these organizations have enhanced technical controls and auditing, only 16 percent of the survey respondents felt highly confident in their file security investments. The report revealed that more than 80 percent of mid-tier and large enterprise survey participants were aware of data leakage incidents in their organizations, and 50 percent experienced frequent incidents.

Given the necessity of file sharing, respective risks and obligations, and available file protection mechanisms, what is a pragmatic approach for organizations to reduce IP loss, privacy compliance liability and business exposure due to sensitive file data leakage? Here are the top five steps that your organization can put in place today:

  1. File data classification and discovery. Establish a working process to map different classes/types of files based on the information and the respective business or regulatory compliance obligations to protect the data in the file. Identify various sources and categorize different activities where sensitive files requiring protection exists, as well as the users, systems, tasks and business terms related to such activities.
  2. File sharing exposure risk and control gap analysis. Assess how sensitive files in each data classification are currently secured and subsequently shared within and outside the organization across categories of business activity. The process further examines the potential probability and ramifications of exposure in each file data class and sharing activity group. The resulting risk assessment should reveal data protection priorities and gaps. The organization can then systematically assess what additional file data protection process and controls measures are needed.
  3. Policy definition enhancement and dissemination. Examine current data protection policies to determine which need to be improved to better manage risk and to accommodate new categories of sensitive data and file collaboration activities. These policies should be vetted with, agreed upon and communicated to those managing data sources and data owners. This way the policies can be effectively adopted by IT management and business management.
  4. Technical control application. Take the control gap analysis and policy definition processes into account by identifying where technical controls should be applied. Assess each control’s functional scope, and also consider management, implementation and cost factors. File-based digital rights management (F-DRM) platforms, such as FinalCode, allow organizations to reduce file data leakage risks through file encryption, access and usage control. As in other IT projects, once a control is accepted, deployment, training, usage and administration should be coordinated.
  5. File security management tracking. Track and report on policy adherence, control implementation, exceptions and additions, and control usage. In this way, management can gain a vantage point on file data leakage risk reduction, and operations can establish a baseline for continuous improvement.

Alongside the task of maintaining fluid but authorized access to network file storage resources, organizations need to apply file protection that offers appropriate levels of control for internal users and the variety of external users requiring access to sensitive content. Satisfying these challenges is necessary to protect the intellectual property of the business and its clients, and to manage the reputation and liability risks associated with confidential information obligations. An organization does not have to take an “all or nothing” approach to implementing file data protection capabilities. While the steps presented above to reduce file data leakage can be an enterprise-wide initiative, the process can be successfully applied to specific business activities and collaboration projects. Most employees understand and want to protect sensitive information. The key is to make file security easy, intuitive and aligned to corporate policy. Next-generation F-DRM solutions offer an effective and flexible technical control that can be applied today to reduce file data leakage risks across different infrastructure, collaboration methods, user types and business requirements.

About the Author: Scott Gordon (CISSP) is the Chief Operating Officer at FinalCode. Scott has over 20 years’ experience contributing to security management, network, endpoint and data security, and risk assessment technologies at innovative startups and large organizations. Prior to FinalCode, Scott held several senior management positions at ForeScout Technologies, Protego Networks (acq. Cisco), Axent and McAfee. An infosec authority, speaker and writer, he is the author of “Operationalizing Information Security” and the contributing author of the “Definitive Guide to Next-Gen NAC.” Scott holds a CISSP-ISSMP certification, an MBA, and earned his BA in MIS and marketing from Hofstra University.

Copyright 2010 Respective Author at Infosec Island
What the Auto Industry Can Learn from Payments Sector about Cybersecurity
Wed, 17 Aug 2016 06:57:41 -0500

Most big automotive brands have been around since the time “before connected cars.” Since automobiles are typically built incrementally through a complex supply chain, combining existing and new technologies that develop at different speeds, it is difficult to ensure that a vehicle is entirely connected. This includes being accessible for over-the-air software updates as well as being protected against security breaches, while protecting a driver’s privacy – all at the same time.

With the increase in connected cars on the roads, and an industry disruptor in the name of Tesla, many in the automotive industry are looking for ways to secure their products. There are some key similarities between the auto industry’s current situation and what payment companies had to consider with the advent and wider adoption of payment cards.

First, it’s critical for manufacturers to employ encryption best practices, since encryption and a trusted, secure Root of Trust are the only surefire way to guard sensitive data. When applied correctly, encryption provides a near-bulletproof barrier, ensuring that only those permitted to view the content can do so. True encryption begins with proper key management, examines what data or communications need protection, and ensures that the encryption keeps all these details private and available only to the right parties. This includes considering how data could be moved to the cloud.

Along with implementing powerful tools such as encryption, it’s also important to develop at least a de-facto industry standard to act as a baseline for manufacturing, design and software systems. In the financial services industry, where by nature high-value assets are at stake, Payment Card Industry (PCI) compliance was an essential standard to enable smooth and secure user identification and data transactions. This regulation involved a specific set of security standards developed to protect card information during and after a financial transaction. PCI compliance is required by all card brands, so it sets a baseline that ensures payments are secure. In the auto industry, similar standards are needed to make sure connected cars – which are only growing in number by the day – remain safe to drive.

The industry standard for the automotive industry should also require a system for authenticating communication among multiple entities, such as messages sent vehicle-to-vehicle and from a vehicle to an automotive dealership. To achieve this, not only do the electronic control units (ECUs) of different parts need an identity so that they can be addressed, authenticated and potentially communicate with each other, but the vehicle itself also needs an identity, as does any person, diagnostic system, software or event-driven data request that wants to be granted access. Chips or ECUs that hold an identity can be added during the production process and enrolled in a so-called Public Key Infrastructure (PKI), a system for issuing the certificates necessary for cars, clients and code to be authenticated. When a car is activated, it sends the certificate out to validate communication channels between different areas of the car, such as the tire pressure gauge or the brake system. It can authenticate communications between parts within the car, and can authenticate a car’s identity to another vehicle or to an automotive dealership where the car is taken for service.
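As an added example that is not from the article or any manufacturer, here is the enrolment and verification flow just described, reduced to its core: a manufacturer CA issues an identity certificate per ECU at production time, and a peer accepts a certificate only if it chains to that CA and was issued for the expected vehicle. The manufacturer name, the VIN and role strings, the choice to carry the VIN in the certificate's OU field, and the use of Go's standard crypto/x509 package are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VehiclePKI models the enrolment above: a manufacturer CA issues identity
// certificates to ECUs, and peers verify presented certificates against it.
type VehiclePKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	roots  *x509.CertPool
	serial int64
}

// NewVehiclePKI creates a self-signed manufacturer root (constructed example;
// a real deployment keeps this key in an HSM and issues from intermediates).
func NewVehiclePKI(manufacturer string) (*VehiclePKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{manufacturer}, CommonName: manufacturer + " Vehicle CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &VehiclePKI{caCert: cert, caKey: key, roots: roots, serial: 1}, nil
}

// EnrolECU is the production-line step: the certificate binds the vehicle
// identity (VIN in OU) and the ECU's role (CN) to a key that stays on the chip.
func (p *VehiclePKI) EnrolECU(vin, role string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	p.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{OrganizationalUnit: []string{vin}, CommonName: role},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.caCert, &key.PublicKey, p.caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyPeer is what a brake controller or a dealership diagnostic port runs on
// an incoming certificate: chain to the manufacturer root, then check the VIN.
func (p *VehiclePKI) VerifyPeer(cert *x509.Certificate, expectedVIN string) (string, error) {
	opts := x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if len(cert.Subject.OrganizationalUnit) != 1 || cert.Subject.OrganizationalUnit[0] != expectedVIN {
		return "", fmt.Errorf("certificate was issued for vehicle %v, not %s", cert.Subject.OrganizationalUnit, expectedVIN)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	pki, err := NewVehiclePKI("Example Motors") // assumed manufacturer name
	if err != nil {
		panic(err)
	}
	cert, _, err := pki.EnrolECU("VIN-EXAMPLE-0001", "brake-controller") // constructed VIN
	if err != nil {
		panic(err)
	}
	fmt.Println(pki.VerifyPeer(cert, "VIN-EXAMPLE-0001")) // brake-controller <nil>
}
```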

With these kinds of complex systems that need to be put in place, security of course cannot come as an afterthought; it must be an important part of the design and manufacturing process from the beginning. An established Root of Trust, combined with industry standards like those adopted by the payments industry – but not just for payment transactions within a car – and ongoing dialogues among leaders in the field, will ensure the automotive industry stays ahead of security risks associated with connected vehicles and other emerging threats.

Compliance Capabilities: Audit Achievement through Access Management
Wed, 17 Aug 2016 05:26:55 -0500

Compliance and meeting government audits are requirements for virtually every organization, but compliance also can have a direct, positive impact on the health of an organization. Depending on the organization’s industry, there are different rules and regulations that they need to follow. Meeting audit compliance can be a difficult task and can require a great deal of time and effort. There are ways, though, to make the process much easier, while also benefiting the long-term growth and health of your organization.

How IAM helps audits and compliance

Identity and access governance technology helps organizations easily meet audit requirements while benefiting the organization in other ways. One of the main requirements of audits is showing that secure data, such as financial statements and customer information, is kept safe. Identity and access governance can help organizations ensure correct access so when an audit occurs, they have all the information needed in one place and can provide it as required.

In the day-to-day activity of employees joining or leaving the organization, it is easy to lose track of who has access to what. An automated account management solution with role-based access control allows a manager to oversee and document exactly who has access to what, and any changes they are making in the systems. Monitoring this activity allows access rights and changes in secure applications to be continually documented for audits in an organized manner. This means leadership can generate views of each user’s activity on demand. The access governance solution automatically logs which employee performs a particular management activity, as well as the time it occurred. If needed, management can follow up on these changes, which is extremely useful for audits.

Long-term organizational health

Identity and access governance solutions also help organizations show the return on investment that such a solution provides. This technology doesn’t just help with audit needs, but can be used to help in many other areas of the organization and promote long-term health of the company and its network.

Thus, the technology helps improve the security of a network: by meeting compliance and audit needs with an access governance solution, the organization is putting additional methods in place to keep its network safe. Automated account management solutions allow any change to a user account to be made easily and quickly and synced to all connected systems. When an employee is no longer with the organization, their account can be disabled quickly, ensuring that no disgruntled former employee can damage the network or access sensitive information.

Also, there’s no network pollution. Leaders can see exactly how many accounts they manage, without the pollution of inactive accounts or accounts belonging to people who are no longer with the organization. This ensures that the network is clean and contains only active accounts. Overviews of the network generated from access governance solutions allow management to see how many people are using each application for licensing reasons. This allows them to easily make decisions on which systems and applications should be renewed based on usage, quickly run queries and have a clear understanding of all people in the network.

Finally, through the use of access governance technology business leaders are able to ensure that employees are productive. Access rights are very important in the corporate world to ensure that employees can complete the job or project they are working on, and with an IAM solution in place, employees can be granted access rights quickly, but securely, to the resources that they need. This ensures that they can be up and running on their first day of employment, as well as throughout their employment when they need additional access rights to systems.

Overall, audits can be a huge headache for organizations and their leaders, but identity and access governance technology can reduce the audit scramble while also providing many additional benefits to the organization to promote long-term growth and health of the company.

About the author: Dean Wiech is the managing director of Tools4ever US, a global provider of identity and access governance solutions.

Keep IT Safe: 5 Ways to Guard Against Olympic-Sized Streaming Threats
Fri, 12 Aug 2016 09:56:00 -0500

Big sporting events like the Olympic Games capture the hearts and attention of billions around the world. And with any wildly-popular live broadcast during work hours, IT departments need to be careful.

Some fans (dare we call them fanatics?) will go to great lengths to get their sports fix online, through legitimate means or otherwise. And you can rest assured hackers will take advantage of the situation by setting up ad-laden, malware-infected, or phishing sites that prey upon unsuspecting victims looking to watch the Games “at all costs.”

In the coming weeks, these Olympic-sized risks will be on the minds of IT departments around the world. According to a recent security poll in Spiceworks, nearly 40 percent of IT pros said Olympic streaming poses a threat to IT security, as employees look to get around web filters or watch the games for free on potentially dangerous, unofficial sites.

Apart from security risks, excessive video streaming can bring corporate network performance to a crawl faster than a record-breaking 100-meter dash. And it’s a sure bet slow network performance will usher in a wave of complaints and helpdesk tickets from anyone trying to get real work done.

How can companies avoid streaming agony and get high marks for network performance during live events? Here are tips straight from IT professionals on how to emerge victorious in the face of an online streaming challenge.

1. Educate employees on malware dangers

You know what they say, “knowledge is power.” But less computer-savvy users might not be aware of the potential dangers that lurk on the internet. Because one single person installing malware from a shady site could compromise your entire network, everyone needs to know that Googling 'Olympics streaming torrent' and clicking on random links could lead straight into a trap.

User training throughout the year about the dangers of haphazard web surfing, along with friendly safety reminders before an event can go a long way towards keeping corporate networks safe. Additionally, the risks from malware can be mitigated by additional security measures such as domain blocking and anti-virus technologies.

2. Make live events easy to watch legitimately

To keep employees from landing on shady sites or hogging bandwidth, many IT departments set up a dedicated room for showing sporting events in a break room or a company meeting area. There’s less incentive for employees to watch the game from a cramped desk when there’s a big flat screen TV and a free show to enjoy in the company of fellow coworkers.

Giving sports fans what they want comes with an added productivity bonus because overly-enthusiastic workers won’t bother other employees who have important work to do. A designated viewing room ensures employees have a safe and legal stream to watch while keeping valuable bandwidth available for business purposes.

3. Keep an eye on and restrict bandwidth usage

Video streaming can drag down network performance, so you might want to actively monitor bandwidth usage and restrict certain employees if they pose a threat to productivity. Network bandwidth monitoring tools can help you pinpoint problem users and devices that slow down the network for everyone else.

Other networking solutions allow you to reserve bandwidth for critical business applications such as VoIP or certain cloud services. There are also ways to put bandwidth caps on specific users or traffic from specific domains. But if you do that, be prepared for complaints from users exclaiming, "I can't watch water polo at my desk!”

4. Block unofficial streaming sites

Big sports events can make people emotional, often causing them to be more careless than usual, which makes them vulnerable to online exploits. By proactively blocking known, dangerous streaming sites you can reduce the risk to your network. Some organizations take it a step further to protect company data by blocking all streaming on the corporate network. Other organizations set up a separate Wi-Fi network for streaming from personal devices to better isolate sensitive data.

5. Set clear security expectations

Some IT departments proactively send an email before a big event to remind employees of established IT usage guidelines along with corresponding penalties for non-compliance. For example, an IT department can help users remember that there’s no streaming on corporate devices outside of the designated watching room. If there is an infraction without business justification, having clear expectations means a company will have already outlined consequences, such as throttling of bandwidth or notes to an employee’s manager. If streaming is allowed, your communications to users could provide a list of officially supported streaming sites so users aren’t tempted to click on random, potentially dangerous links.

Online streaming is an ongoing challenge

Whether it’s the Olympics, the NCAA basketball tournament, the World Cup, or any other big sporting event, you can be sure that people will want to stream it at work. By following the five tips above, organizations can help give fans what they want while keeping networks more secure and making sure bandwidth is available for everyone that needs to get work done.

Back to Basics: How Simple Techniques Can Thwart Complex APT Attacks
Thu, 11 Aug 2016 12:00:00 -0500

Advanced Persistent Threats (APTs) are among the most insidious cyberattacks faced by businesses today. We’ve all heard of the Stuxnet worm, and other high-profile attacks including the 2014 Sony Pictures Entertainment hack, described by one observer as ‘the perfect APT’, and 2015’s Carbanak attack, which specifically targets financial institutions.

Will an APT affect your business? Well, ISACA’s 2015 Advanced Persistent Threat Awareness Study found that 74% of respondents believe that they will be targeted by an APT, and 28% had already been attacked. The trouble is, APTs are, by nature, hugely sophisticated. They’re designed to be stealthy and evade detection, enabling them to spread undetected across networks over weeks or even months.

It might seem that mitigating the risk of an APT means deploying highly sophisticated cyber security measures, out of reach of most ordinary organizations. Not so. In fact, you can go a long way towards mitigating the risk of an APT by going back to basics: understanding the fundamentals of how such an attack is planned and deployed, and how your organization’s network structure can help or hinder such an attack. Understanding, in short, how to reduce the attack surface you have available to malicious hackers.

Understanding APT structures

However sophisticated they are, all APT attacks typically follow a similar path:

1. Reconnaissance. An information-gathering stage in which attackers typically use a variety of techniques to build an accurate picture of what a business’s network actually looks like, in order to establish what security policies and applications are already in place, or to identify remote access capabilities that could provide them with access points. Typical techniques include:

  • Open Source Intelligence (OSINT), which involves scanning externally open services for vulnerabilities
  • Human Source Intelligence (HUMINT), which involves targeting key employees for access information
  • Footprinting, which involves identifying which versions of software or resources an organization is using, and creating a profile of its network infrastructure through techniques such as banner grabs, SNMP sweeps and zone transfers.

2. Exploit delivery. Once an appropriate access point for targeting your network has been identified, the attackers deliver a malicious tool or application that enables them to penetrate your network. Chosen attack vectors can include email attachments, so-called ‘watering-hole’ attacks, where the attackers compromise an existing website they know a target is likely to visit, or even physical delivery of the exploit on an infected USB stick.

3. Exploration and lateral expansion. Having succeeded in getting inside your network, the attackers’ next aim is to move laterally within it, to ultimately reach your valuable business data. But this data is usually on another computer system, so the attacker needs to find a path to it. This lateral movement is where an APT’s persistence comes in. Exploration takes time – time during which individual users may reboot their systems, change their security signatures and otherwise make it difficult for the attacker to re-access their machines. Therefore, attackers ideally aim to deploy software directly onto individual machines that will allow them to come back whenever they need to, even if the user has rebooted or patched it. The most common way to do this is via Remote Administration Tools (RATs) – the same type of tools that are used for remote troubleshooting or helpdesk functions. The installation of a RAT gives attackers a backdoor to revisit compromised machines whenever they need to.

4. Exfiltration. Finally the attackers extract the valuable information they’ve been seeking, perhaps by blending it into benign traffic over HTTP, or encrypting it in ways that make it difficult to spot, such as over HTTPS.

Reducing your network attack surface

Whilst it is very difficult to prevent attackers from carrying out the first stage in their APT journey – after all, there’s nothing particularly secretive about many OSINT scanning techniques – it is possible to prevent them from laterally moving across your network in search of your valuable data, with some back-to-basics principles:

  1. Segment your network. Break up your flat internal network into multiple zones, based on the use pattern and category of data processed within each zone. This segmentation then prevents the APT from jumping from one ‘stepping stone’ machine to another.
  2. Place firewalls to filter traffic between those zones. ‘Choke points’ – i.e. firewalls – must be placed between the zones to filter the traffic entering and exiting. In other words, firewalls must be placed on internal, lateral traffic paths, not just your network perimeter.
  3. Write restrictive security policies for those firewalls to enforce. Gartner Research has suggested that 99% of firewall breaches are caused by firewall misconfigurations, not firewall flaws. The message is clear – your firewalls absolutely must be configured accurately and intelligently, to analyze and block the kind of internal communications that signal APTs.

When you design your network’s segmentation, consider these two zone types that all networks should be split into. First, identify and define sensitive data zones that encompass systems handling and storing payment and credit card details, employee records, company financials, intellectual property, and regulated data. Second, identify and define human user zones that contain human-accessible desktops, laptops, tablets and smartphones. You are probably already segmenting wireless-access zones, but wired-access desktops should also be segregated. Since an APT’s first point of attack is normally such a desktop, this segmentation then prevents the APT’s lateral movement.
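To make the zone model concrete, here is an added example (not from the article) of a default-deny inter-zone policy evaluated over candidate flows, with a helper that lists which observed flows the intended segmentation would block. The address ranges, the intermediate "app" tier, the allowed ports and the assumption that the user zone is isolated at the access layer are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Zone is one segment of the internal network. The article's two mandatory
// zone types are "user" (desktops, laptops, phones) and "sensitive" (card data,
// HR records, financials, IP); the "app" tier is an added assumption so that
// user devices never reach sensitive systems directly.
type Zone struct {
	Name   string
	Prefix netip.Prefix
}

// Rule is one allow entry enforced at the choke-point firewall between zones.
type Rule struct {
	From, To string
	Port     uint16
}

// Policy is a default-deny inter-zone policy: only the listed flows pass.
type Policy struct {
	Zones []Zone
	Allow []Rule
}

// Flow is one connection as a firewall or flow collector would record it.
type Flow struct {
	Src, Dst netip.Addr
	Port     uint16
}

// ZoneOf returns the zone a host belongs to, or "" for an unzoned address.
func (p Policy) ZoneOf(addr netip.Addr) string {
	for _, z := range p.Zones {
		if z.Prefix.Contains(addr) {
			return z.Name
		}
	}
	return ""
}

// Permit decides whether a flow crosses the firewalls legally and says why.
// Traffic inside a zone never reaches a choke point, except that desktop-to-
// desktop traffic inside the user zone is refused: that is the stepping-stone
// hop segmentation must break (assumes the access layer isolates user ports).
func (p Policy) Permit(f Flow) (bool, string) {
	from, to := p.ZoneOf(f.Src), p.ZoneOf(f.Dst)
	if from == "" || to == "" {
		return false, "unzoned address, deny"
	}
	if from == to {
		if from == "user" {
			return false, "user-to-user lateral traffic blocked"
		}
		return true, "intra-zone " + from
	}
	for _, r := range p.Allow {
		if r.From == from && r.To == to && r.Port == f.Port {
			return true, fmt.Sprintf("allow %s->%s:%d", from, to, f.Port)
		}
	}
	return false, fmt.Sprintf("default deny %s->%s:%d", from, to, f.Port)
}

// Violations returns the flows the policy would block; run over flows observed
// on today's flat network, it is the work list for the new internal firewalls.
func (p Policy) Violations(flows []Flow) []Flow {
	var out []Flow
	for _, f := range flows {
		if ok, _ := p.Permit(f); !ok {
			out = append(out, f)
		}
	}
	return out
}

// ExamplePolicy is a constructed policy using RFC 1918 example ranges.
func ExamplePolicy() Policy {
	return Policy{
		Zones: []Zone{
			{"user", netip.MustParsePrefix("10.10.0.0/16")},
			{"app", netip.MustParsePrefix("10.20.0.0/16")},
			{"sensitive", netip.MustParsePrefix("10.30.0.0/16")},
		},
		Allow: []Rule{
			{"user", "app", 443},       // browsers reach the application tier
			{"app", "sensitive", 1433}, // only the app tier reaches the database
		},
	}
}

func main() {
	p := ExamplePolicy()
	f := Flow{netip.MustParseAddr("10.10.5.7"), netip.MustParseAddr("10.30.1.1"), 1433} // constructed flow
	fmt.Println(p.Permit(f)) // false default deny user->sensitive:1433
}
```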

If this sounds remarkably simple, that’s because it is. The important point to bear in mind is that no matter how sophisticated an APT is, it’s operating on your turf. Discovering the signs of an APT inside your network can be challenging, but with intelligent use of security basics, you will go a long way to preventing lateral exploration – and in turn stop the APT in its tracks.

SAP Cyber Threat Intelligence Report – August 2016
Thu, 11 Aug 2016 08:00:00 -0500

The SAP threat landscape is constantly growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key findings

  • The SAP Cyber Threat Report 2016 was released. 36,000 SAP systems worldwide are potentially affected.
  • Today SAP released 30 SAP Security Notes to close vulnerabilities in SAP products, more than the average number for 2016.
  • Some vulnerabilities closed by SAP Security Notes pose significant risks. For instance, a Denial of Service vulnerability in SAP Internet Communication Manager can be exploited remotely without authentication. About 560 such servers are exposed to the Internet and thus potentially vulnerable to this attack.

1. SAP Security Notes – August 2016

SAP has released the monthly critical patch update for August 2016. This patch update closes 30 vulnerabilities in SAP products including 26 SAP Security Patch Day Notes and 4 Support Package Notes. 17 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 14 of all the Notes are updates to previously released Security Notes.

14 of the released SAP Security Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score of the vulnerabilities is 7.5.

[Chart: SAP Security Notes August 2016 by priority]

The most common vulnerability type is Cross-site scripting.

[Chart: SAP Security Notes August 2016 by type]

Issues that were patched with the help of ERPScan

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Daria Prosochkina, Mathieu Geli, and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Denial of Service vulnerability in SAP Internet Communication Manager (CVSS Base Score: 7.5). An update is available in SAP Security Note 2313835. An attacker can use a Denial of Service vulnerability to terminate a process of a vulnerable component. While the process is down nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation.
  • A Denial of Service vulnerability in SAP BPM (CVSS Base Score: 6.4). An update is available in SAP Security Note 2296909. An attacker can use a Denial of Service vulnerability to terminate a process of a vulnerable component. While the process is down nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation.
  • A Directory Traversal vulnerability in SAP Business Partner (CVSS Base Score: 4.3). An update is available in SAP Security Note 2312966. An attacker can use a Directory Traversal vulnerability to access arbitrary files and directories in the SAP server filesystem, including application source code, configuration, and system files. This allows obtaining critical technical and business-related information stored in a vulnerable SAP system.
  • A Directory Traversal vulnerability in SAP Telnet Command (CVSS Base Score: 3.4). An update is available in SAP Security Note 2280371. An attacker can use a Directory Traversal vulnerability to access arbitrary files and directories in the SAP server filesystem, including application source code, configuration, and system files. This allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

The most critical issues closed by SAP Security Notes August 2016 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2292714: SAP Memory Snapshot Creation has a Denial of Service vulnerability (CVSS Base Score: 7.5). An attacker can use a Denial of Service vulnerability to terminate a process of a vulnerable component. While the process is down nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation. Install this SAP Security Note to prevent the risks.
  • 2319506: SAP Database Monitors for Oracle has an SQL injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. This allows reading and modifying sensitive information in a database, executing administration operations on a database, and destroying data or making it unavailable. In some cases, an attacker can also access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2294866: SAP JMS Provider Service has a Missing Authorization Check vulnerability (CVSS Base Score: 6.4). An attacker can use a Missing Authorization Check vulnerability to access a service without any authorization procedure and use service functionality that should have restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

2. Threats: 560 SAP servers at risk

SAP Security Note 2313835 closes a Denial of Service vulnerability in SAP Internet Communication Manager – SAP’s web application server, which provides clients and partners with access to a company’s web applications such as CRM, SRM or Portal. The vulnerability allows an attacker to prevent legitimate users from accessing the company’s services and thus to stop operations. Taking into account that SAP is installed in the largest organizations worldwide, a minute of downtime may cost millions of dollars.

The vulnerability can be exploited remotely without authentication. The scanning conducted by ERPScan Threat Intelligence and research team revealed that at least 559 such servers are exposed to the Internet and possibly open to the DoS attack. The graph below shows that most such services are located in the USA, India, and China.


3. SAP Cybersecurity breaking news

ERPScan released the first comprehensive SAP Cybersecurity Threat Report. It covers 3 main angles of SAP Cybersecurity, namely SAP Product Security, SAP Implementation Security, and SAP Security Awareness.

The most important highlights are as follows:

  • 36,000 SAP systems worldwide are available via the Internet. Most of them (69%) should not be directly available via the Internet.
  • The USA has the highest number (3,660) of unnecessarily exposed SAP services; India and China come next. Those services have vulnerabilities or misconfigurations, or simply should not be configured for remote access.
  • The list of vulnerable platforms has expanded and now includes modern cloud and mobile technologies such as HANA. Because of this, new SAP systems have become more exposed to the Internet, and every vulnerability identified in these services can affect thousands of multinationals. For example, the latest reported issues in SAP Mobile affect more than a million mobile devices.

SAP customers as well as companies providing SAP Security Assessment, SAP Security Audit, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

Getting Your Records GDPR-Ready
Thu, 11 Aug 2016 07:00:00 -0500

A lot can happen in two years. By 2018 we are expected to have witnessed the first human head transplant, Adobe Flash is predicted to be no more, the UK may or may not have left the EU and the flow of data into organisations will have increased by as much as five-fold, according to IDC.

Another significant development due in 2018 is the deadline for meeting new regulations around the treatment of personally identifiable information (PII). When combined with expected volumes in data growth, this could have huge implications for any business which processes personal data.

Earlier this year, the European Parliament passed the final vote on its new General Data Protection Regulation (GDPR), which is designed to protect personal information in an increasingly digital world. While the new laws won’t be enforced for another two years, it is a relatively short period of time considering that businesses will need to assess the new requirements, evaluate existing measures and plan a path to full compliance.

To help businesses understand the impact of the GDPR on their information management processes and where it fits within the wider regulatory landscape, here are six key steps to getting records GDPR-ready.

What is GDPR?

Designed to protect personal information in an increasingly digital world, the GDPR is by far the largest shake-up of data protection rules so far this century. It includes more than 50 Articles that have far-reaching implications for organisations and their use and storage of personal data. In essence, the legislation protects the right of a European citizen to determine whether, when, how and to whom his or her personal information is revealed and how it can be used.

The advice of the Information Commissioner’s Office is that businesses need to start planning their approach to GDPR compliance as early as they can. The problem is that many businesses across Europe remain unaware of how the changes will affect them and the impact they will have.

There are a number of important steps you can take now to help your organisation identify where PII resides and understand your obligations towards managing it. With the prospect of multi-million Euro fines for non-compliance, can you afford to wait?

Step 1 – What is personal data and do I have it?

The first step in deciding which parts of the new legislation will apply to your organisation is understanding what is meant by personal data. The definition of ‘personal data’ in the context of the new regulation is data relating to a ‘data subject’ (a person) who can be directly or indirectly identified on the basis of that data. Such data also includes device identifiers, cookies or IP addresses. This means that, under the GDPR, data controllers within organisations should be aware of all personal data under their control and able to demonstrate that they understand the potential risks to information, as well as how to mitigate those risks.

Step 2 – Does GDPR apply to me?

Next, it is important to have an understanding of the key terminology included in the GDPR in order to know whether it is relevant to your organisation. As well as ‘personal data’, key terms to understand include ‘territorial scope’, ‘data subject access requests’, ‘data protection impact assessment (DPIA)’, ‘the right to erasure’, ‘data portability’ and ‘consent’. For further information on these you can find a glossary of terms on

Step 3 – Where does data live within my organisation?

In order to meet your statutory obligations, you first need to know where personal data lives. A detailed analysis of the data stored on corporate systems, employees’ personal devices, offsite archives and filing cabinets, as well as information stored by suppliers, subcontractors and business partners (people who process personal data on your behalf) will be required to give you the full picture.

Step 4 – Develop a data map and classify every piece of information

Following this analysis, we recommend creating a data map which provides a 360-degree view of all physical and digital information, including personal data, stored across an organisation. The data map is an important tool to ensure that you can quickly locate, assess and monitor all information on an ongoing basis.

Step 5 – Review and update existing policies

Once you know where your information is, you need to know what you can do with it and how long you are permitted to keep it. This requires making sure that your retention policies are up to date, reflecting legal, regulatory or contractual obligations so that you are only keeping what you should and that you’re destroying personal data (and all other records) when you are required to in a defensible way.

Step 6 – Maintain awareness and responsiveness

Finally, it is important to make sure that the business as a whole is aware of its obligations. Information passes through the hands of employees, contractors and suppliers, so all parties must understand and comply with the same retention policies. Just as regulations change and impose new obligations on organisations over time, your retention policies should remain dynamic and responsive, adaptable to evolving business and regulatory landscapes.

Organisations across Europe have long been familiar with the need to ensure that they store personal data according to the latest regulatory requirements. The introduction of the GDPR, however, and associated penalties for non-compliance – which could result in fines of up to 4% of annual world group turnover or EUR 20 million – means that it has now become critical to get data retention right.

Following these six steps is the starting point for avoiding the wrath of the regulators. Failure to act now will leave you rushing to catch up at a time when a mistake or oversight may be punishable by law and could cost your organisation dearly.

Copyright 2010 Respective Author at Infosec Island
Exploit Kits: Infiltrating the Ad Industry with Traditional Tactics (Thu, 11 Aug 2016 05:00:00 -0500)

From browsing your favorite news site to skimming social media, digital advertisements are unavoidable no matter how many ad blockers you use. How ad tech companies collect and use personal data to serve targeted ads has become a major privacy debate, but what about the cybersecurity risk digital advertisements pose?

Before I explain the ad industry’s cybersecurity issue, let’s talk about exploit kits – the commercially available hacking toolkits that specifically target vulnerabilities in a web browser to place malware on the system. Attackers who use exploit kits typically lure victims to malicious web pages through social engineering, spam or even by infecting trusted websites.

So, how do exploit kits impact the digital advertising industry? Exploit kits are increasingly using the evil twin of an advertisement, a malvertisement, as a gateway to a web browser. Customization is easy with this method, as attackers can target specific times of day for malicious ads to run, serve ads to specific browsers, avoid mobile platforms and more.

In 2014, the reigning champ among exploit kits was RIG 3.0, a pioneer of using malvertising as a delivery system in exploit kits. Researchers from Trustwave discovered that RIG 3.0-related malvertising was served to a whopping 3.5 million machines, 1.5 million of which were infected. In March 2015, Trustwave researchers unearthed a major malvertising campaign that compromised ads on several high-traffic websites, directing victims straight to the Angler exploit kit.

Much like their mainstream cousins in legitimate advertising, malvertisements use a number of different techniques to reach intended recipients. Infected ads can exploit vulnerabilities in browsers and add-ons and appear as videos, images and even text-only advertisements (similar to those in the Google AdWords and AdSense programs). This method works because it imitates traditional advertising techniques, almost like monarch mimicry. Attackers typically initiate malvertising campaigns with ads and credentials that are squeaky clean and only change the payload to malicious content after a campaign is approved and running. Although this traditional technique is easy to implement, its effectiveness is limited by the fact that one must click on the ad to be exposed.

However, a new malvertising method that’s gaining popularity removes that limitation. Ad networks that allow advertisers to upload full HTML or Flash files enable hackers to compromise a computer without the user clicking anything. Flash makes this especially easy given the massive number of vulnerabilities Adobe patches every month. By substituting a malicious Flash file into a previously harmless advertisement, attackers can circumvent the click requirement and deliver the malware as soon as the Flash file loads on the page.

Are cybercriminals aware of and actively using this no-click download method with Flash to serve up malvertising? Absolutely. In 2015, the development team behind the Angler exploit kit found four zero-day vulnerabilities in Adobe Flash. Since the vulnerabilities were discovered by criminals before ethical hackers, there were no security patches to stop them from being exploited.

How is malvertising forcing its way onto popular websites? Much like traditional entrepreneurs, cybercriminals are always looking to make the most bang for their buck, which in this case means buying cheap campaigns from smaller ad networks for as little as $0.20 per thousand impressions. Do these small malvertising campaigns really turn a profit for attackers? You bet. An initial investment of $5,900 can potentially yield a 1,425% return on investment, or over $84,000, in just 30 days. When these malicious ads match demographic details from browser cookie data, they can “trickle up” to larger ad networks where they match with visitor profiles. The introduction of malvertising to the traditional matchmaking system of digital advertising is posing significant challenges to ad networks and publishers as they try to stay one step ahead of attackers.

Despite ad networks’ filtering and scanning tools and consumer protections like anti-virus and browser sandboxing, malvertisements can serve inescapable exploit kits. By carefully picking its battles, using a thick skin of obfuscating code and adapting quickly to its environment, an exploit kit is able to avoid and/or survive a majority of protections offered by modern Web browsers.

Once contained to porn and video pirating sites, malvertising has now succeeded in penetrating some of the Internet’s most popular websites. By leveraging traditional business strategies and advertising techniques to make everyday ads malicious, attackers who use malvertising-based exploit kits have established themselves as innovators in the cybercrime industry. The emergence of malvertising as a significant exploit delivery mechanism has rendered the conventional idea of staying safe by simply avoiding dark corners of the Internet as insufficient.

About the author: Karl Sigler is Threat Intelligence Manager at Trustwave where he is responsible for research and analysis of current vulnerabilities, malware and threat trends. Karl and his team run the email advisory service, serve as liaison with Microsoft MAPP program, and coordinate disclosures of discovered vulnerabilities. In addition, Karl hosts the popular and informative weekly SpiderLabs Radio podcast.

One Encryption Backdoor Is One Too Many (Thu, 11 Aug 2016 00:48:00 -0500)

Although the FBI no longer needs to force Apple to unlock an iPhone that belonged to one of the San Bernardino terrorists, the debate must continue. This is too important an issue to let fade from the national discourse until the FBI or any other government agency makes another similar request of any technology developer or provider. Technologically complex topics like encryption and backdoors can be difficult for non-technologists to understand, including those who seek to legislate or adjudicate on the matter. Backdoors undermine the effectiveness of encryption by making it either reversible or otherwise defeatable, thereby eroding any reasonable expectation of privacy. That is why Sophos strongly opposes any future mandate or request to put backdoors or shared keys in our products, or in other solution providers’ software and hardware products. To defend the right to privacy of the law abiding, we must prevent future court decisions or the passage of legislation that will weaken all of our rights to privacy. But we also must identify less societally costly alternatives for law enforcement to employ while working to identify and apprehend terrorists and other criminals. This article identifies such alternatives.

The FBI’s request raised two significant red flags.

First, asking Apple to create a unique piece of firmware that will: a) disable the lockouts, and b) allow passcodes to be entered electronically may sound innocuous. But, if the FBI receives permission for this kind of special firmware, that opens the door for it to request special firmware for whatever purposes it may decide it needs for future cases.

Second, no one can offer a 100 percent guarantee that any one-off decryption key or similar tool will never fall into the wrong hands. As Apple’s Tim Cook warned in his public letter to customers,

“The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

Sophos stands firmly by its position of strongly opposing any mandate or request by any government, intelligence or law enforcement body or business to put backdoors or shared keys in products, based on the following principles:

1. Encryption protects the fundamental human rights to privacy and security.

Encryption protects individuals from identity theft, extortion and political or religious persecution. It protects organizations from industrial espionage and liability for data loss, and ensures the security of commerce. Backdoors in encryption would undermine freedom of speech and the freedom to conduct our affairs without interference or fear.

2. Encryption is vital for our modern, Internet-driven global economy.

Strong encryption is essential to the integrity of Internet commerce and banking. Ubiquitous, strong encryption ensures consumer trust by preventing online fraud and theft of financial or personal information. Encryption is a key element of the communications technologies that foster economic growth and expand access to and participation in the global economy. Implementation, enforcement and management of backdoors would be impractical and enormously costly to technology companies, stifling innovation and harming our competitiveness in the global economy.

3. Encryption is essential for effective cybersecurity.

In today’s connected society, even with all the sophisticated technology used to defend against online threats, we will never be secure against cyberattacks without strong encryption. Today’s cyberattacks are becoming more complex, with advanced attackers using multiple points of entry to get around security software. Encryption is the last line of defense in a cybersecurity strategy that requires multiple layers of protection.

4. Governments should not undermine the effectiveness and security of encryption.

Backdoors for some would mean backdoors for all, including repressive regimes, malicious insiders, foreign spies and criminal hackers. Sophos agrees with the world’s leading cryptographers that backdoors in encryption would subvert its effectiveness by introducing enormous risk of security vulnerabilities. Backdoors in reputable commercial software would not prevent bad actors from finding alternative forms of encryption to hide their activities and communications. Recent advances in homomorphic cryptography have produced proposals such as PrivaTegrity from David Chaum, which promises strong encryption that can be reversed only by a specially chosen council of nine. Putting aside the opaque matter of the selection of members of the council, as well as the arguable matter of this possibly only raising the bar for illicit use of the backdoor, there is one simple reason why this is not a solution: you can’t make the bad guys use it. Industry experts and non-experts alike with any capacity for forethought or consideration of consequences have sensibly warned that either outlawing encryption or introducing backdoors will only force criminals and terrorists to create proprietary forms of uncontrolled encryption, subjecting only the law abiding among us to eavesdropping or compromise. We have recently seen evidence of this.

5. Technology companies, academia and governments should work together against terrorism without compromising the security and privacy of all.

We welcome the conversation about encryption and are pleased to help educate legislators and others about the technical issues involved. However, we will stand firm in our conviction that backdoors are not the answer to the problem of bad people doing bad things. Technology companies, academia, governments and law enforcement agencies should work together to find alternative solutions that will improve our collective security without compromising the privacy and integrity of the individual.

The alternatives for investigators

U.S. intelligence and law enforcement communities still hold a common misperception that encryption technologies handicap their investigations. They use the term “going dark” to describe their worries that end-to-end encryption in certain applications and on mobile devices enables terrorists and criminals to conceal their communications from surveillance.

However, that argument falls down when you consider that terrorist organizations and rogue nation states are very sophisticated when it comes to developing and using technology for their evil purposes. There’s nothing to stop them from creating their own encryption technologies that can’t be cracked by law enforcement or tech companies. 

Turning the tables

The Berkman Center for Internet & Society at Harvard University recently convened a diverse group of security and policy experts from academia, civil society, and the U.S. intelligence community to examine the enduring problems of surveillance and cybersecurity. The resulting report concludes that forcing technology companies to create backdoors would be a futile effort.  (Source: Berkman Center for Internet & Society at Harvard University - PDF)

The report also describes how the rapid evolution of technologies can help law enforcement, even if terrorists try to use encryption. For example, networked sensors and the Internet of Things are projected to grow substantially, which would significantly improve law enforcement’s surveillance efforts. An inability to monitor an encrypted channel could be mitigated by the ability to monitor a person from afar through a different channel.

Also, consider that metadata is not encrypted, either by design (e.g. any non-HTTPS site), accident (neglect to encrypt payloads), or necessity (e.g. native TCP/IP flow data). This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.

Exploiting vulnerabilities

So long as people write software, or even the software that writes software in the not too distant future, there will be bugs in software to exploit. In the San Bernardino case, the FBI admitted to doing just that. They paid an individual to exploit a vulnerability and now have access to the iPhone in question. While it might seem unorthodox, we do support law enforcement’s exploitation of such defects. However, even though the FBI has classified the method used as a “state secret,” they have yet to decide whether to disclose this vulnerability to Apple. It is likely that at some point the FBI would have to disclose how they obtained the evidence, leaving many iPhones insecure. This remains a concern, so I will caveat my support of this practice only with the following stipulations:

1. Disclose vulnerabilities immediately: Law enforcement must alert a vendor to a bug or other issue it discovers as soon as possible. The time it takes for a vendor to develop and distribute a patch or other fix will provide a sufficient window for investigators. This will also benefit technology providers because this will help us make our products better, and the competition will prevent criminals from exploiting these vulnerabilities.

2. Establish clear rules of engagement: Such exploitation should only be used to obtain that information which the court-issued warrant stipulates. Judicial oversight must ensure the government is fully transparent to the public.

Government agencies must realize that a backdoor for one is a backdoor for all. It violates the public’s trust and can actually enable, not handicap, terrorists. It’s the exact same reason we believe security companies overall should not build backdoors into antivirus software - that would leave hospitals, businesses, banks, and all our other business and consumer customers vulnerable.

The approach instead should be to use technology to collect and analyze the ever-growing volumes of data that terrorists and other criminals create when they use social media networks, instant messaging clients, email, and even online video game chat rooms to communicate and distribute propaganda.

Clearly, strong encryption that cannot be exploited by external or internal actors is a must for any organization. For this reason, Sophos stands firmly by its position of strongly opposing any mandate or request by any government, intelligence or law enforcement body or business to put backdoors of any form into products.

Vawtrak Banking Trojan Gets Improved Persistence (Tue, 09 Aug 2016 05:42:00 -0500)

The operators of Vawtrak, a banking Trojan that has been around for a few years, have recently improved the malware’s persistence mechanism, PhishLabs researchers warn.

Also known as Neverquest2, the Trojan has received various updates over the years, and was also observed expanding its targets. Now, PhishLabs researchers have discovered that the threat has started using a domain generation algorithm (DGA) to identify its command and control (C&C) server, unlike previous variants, which used hardcoded domains that were easier to block.

In addition to DGA, the new Vawtrak variant also has a smaller codebase, most probably because of compiler optimization. PhishLabs notes that this optimization makes it difficult for researchers to use previous Vawtrak analysis techniques to inspect the threat and to ensure efficient mitigation.

Thanks to the DGA, Vawtrak now calculates a list of C&C domains based on an embedded formula, after which it goes through the list to connect to a server that is operational and responsive. From a researcher’s perspective, this makes it difficult to find the malicious servers that collect exfiltrated data, because basic tools can only be used to blacklist the domains that were active at the time of execution during analysis.

Basically, researchers need to crack the DGA to block future domains and to ensure that the Trojan cannot communicate with the C&C server, as happened with the Mad Max botnet's DGA last month. Recently, cybercriminals have started using new DGAs in live attacks, some creating domain names using random characters and digits.

“The longer criminals have a server collecting credentials, the more money they can make. By hiding their server domains behind an algorithm, the campaign becomes more resilient and a much more significant threat,” PhishLabs says.

After taking a close look at the DGA, security researchers discovered the TLD (top-level domain) appended to the actual domain would always be “.ru”. The algorithm would call the domain generation function in a loop until 150 domains have been generated, a number that was predetermined by the threat actor. The generated domains have names between 7 and 11 bytes long, researchers also note.
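As an added defender-side illustration (not PhishLabs' or Vawtrak's code), the following Python scans constructed DNS query log lines for the traits reported above: bare second-level names under .ru, 7 to 11 characters long, looked up in a burst by one host as the bot walks its list until a name resolves. The log format, the vowel-ratio cut and the three-hit threshold are assumptions.

```python
"""Heuristic hunt over DNS query logs for the Vawtrak DGA profile described
above (.ru TLD, 7-11 character labels, one host walking through a list until a
name resolves). Added example; not PhishLabs' or Vawtrak's code."""
import re
from collections import defaultdict

# Assumed (constructed) log format: "<timestamp> <client_ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")
VOWELS = set("aeiou")

# Constructed sample log: host 10.0.0.12 walks five DGA-looking names until
# one resolves; the other hosts make ordinary lookups.
SAMPLE_LOG = """\
2016-08-09T05:42:01 10.0.0.12 www.example.com NOERROR
2016-08-09T05:42:02 10.0.0.12 qzvkwpxht.ru NXDOMAIN
2016-08-09T05:42:02 10.0.0.12 xbrlmqtvkw.ru NXDOMAIN
2016-08-09T05:42:03 10.0.0.12 ptkqvzxmn.ru NXDOMAIN
2016-08-09T05:42:03 10.0.0.12 mwzqkvlprt.ru NXDOMAIN
2016-08-09T05:42:04 10.0.0.12 hvtqzmkwjc.ru NOERROR
2016-08-09T05:42:05 10.0.0.20 yandex.ru NOERROR
2016-08-09T05:42:06 10.0.0.20 mail.ru NOERROR
2016-08-09T05:42:07 10.0.0.31 updates.vendor.example NOERROR
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qname, rcode); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return ts, client, qname.lower().rstrip("."), rcode


def matches_vawtrak_profile(qname, min_len=7, max_len=11, max_vowel_ratio=0.2):
    """True when a name fits the reported shape: a bare second-level label
    under .ru that is 7-11 characters long. The vowel-ratio cut is an added
    assumption to keep pronounceable brand names (e.g. rambler.ru) out of the hits."""
    labels = qname.split(".")
    if len(labels) != 2 or labels[1] != "ru":
        return False
    sld = labels[0]
    if not (min_len <= len(sld) <= max_len) or not sld.isalnum():
        return False
    vowel_ratio = sum(c in VOWELS for c in sld) / len(sld)
    return vowel_ratio <= max_vowel_ratio


def find_dga_clients(log_text, min_hits=3):
    """Group profile-matching queries per client. A host that tries several
    such names in a row is behaving like the bot walking its generated list;
    names that resolved (NOERROR) are the likely live C&C. Returns
    {client: {"candidates": [...], "resolved": [...]}} for hosts with at least
    min_hits matches (the threshold is an assumption)."""
    per_client = defaultdict(lambda: {"candidates": [], "resolved": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname, rcode = rec
        if not matches_vawtrak_profile(qname):
            continue
        per_client[client]["candidates"].append(qname)
        if rcode == "NOERROR":
            per_client[client]["resolved"].append(qname)
    return {c: v for c, v in per_client.items() if len(v["candidates"]) >= min_hits}


if __name__ == "__main__":
    for client, info in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(info['candidates'])} DGA-like .ru lookups, "
              f"resolved -> {info['resolved']}")
```

On the constructed log, only 10.0.0.12 is reported, with hvtqzmkwjc.ru as the name that answered; a real hunt would feed in the resolver's query log and tune the thresholds to its own baseline of legitimate .ru traffic.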

In addition, the newly observed Vawtrak samples show that the malware’s authors use a compiler optimization, most probably in an attempt to hinder analysis or to shrink the payload size. This change makes it difficult to correlate the new variants with the patterns found in previously observed samples.

Earlier this year, researchers observed that Tinba, another piece of malware targeting financial institutions, also started using DGA for persistence. While Vawtrak’s DGA can generate up to 150 domains, other malware was seen generating thousands of domains each day.

FossHub Hacked, Distributes Malware-Packed Audacity and Classic Shell (Fri, 05 Aug 2016 09:12:58 -0500)

Hackers this week managed to compromise FossHub and replace app installers distributed through it with malware-packed files, but not before hundreds of users downloaded the infected executables.

The attack was carried out by a hacking group that goes by the name of PeggleCrew, and resulted in the Windows installers of some of the largest projects on FossHub being infected, including Audacity and Classic Shell. The hackers replaced the original installers with their own versions, which included an MBR-overwriting Trojan.

Hackers gained access to FossHub via a compromised user, the service explains. Soon after, multiple user accounts were found compromised, as the hackers managed to escalate their access. According to FossHub, hackers were able to get hold of account passwords.

The incident happened on August 2 and was detected only several hours later, which minimized the impact of the attack. However, FossHub explains that the compromised Classic Shell installer was downloaded around 300 times. No details on the number of users impacted by the infected Audacity installer have been provided as of now.

“We removed the file [Classic Shell] in several minutes and we changed all passwords for all services we had,” FossHub says.

According to a tweet from one of the hacking group’s members, all downloads were actually compromised during the incident, not only Audacity and Classic Shell.

While investigating the issue, the download service discovered that the attackers managed to gain access to the system through an FTP account, which prompted FossHub to shut down the main server on August 3 to ensure the compromise was contained. To clean the infection, FossHub decided to “reinstall everything, change all access rights, passwords and run up under new security rules.”

“The attackers tried to gain access to DNSMadeEasy (our DNS provider), to CloudFlare, personal emails, CDN services etc. The login-logs shows no successful logins, only FAILED attempts,” FossHub also says. However, the website was compromised and was also taken offline as a security measure.

The Audacity infrastructure wasn’t compromised during the incident, but the team says that they should have been more vigilant about their external downloads, to prevent situations like this from happening.

“We did not have the right safeguards in place, namely, to monitor external files.  We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization,” Audacity says.

The Classic Shell developer also acknowledged the breach and informed users on how to spot infected installers, starting with the fact that they won’t be signed by Ivaylo Beltchev, as the genuine installers are.

