Infosec Island Latest Articles

How Does UC in the Cloud Impact Your Security Posture?
Thu, 20 Jul 2017 03:11:00 -0500

Session border controllers (SBCs) provide the protection UC applications require – and data firewalls lack – enabling enterprises to make the leap to the cloud.

Chief security officers have a lot on their plate these days, from a daily influx of zero-day vulnerabilities to increasingly sophisticated denial-of-service (DoS) attacks. It’s a good bet that securing their unified communications (UC) application isn’t keeping them up at night. But maybe it should be?  

Traditionally, enterprise security has centered around data: customer data, corporate data, credit card data, etc. There is a thriving, global, cybercriminal community built just around the goal of stealing data or, increasingly, encrypting it and holding it for ransom (known as ransomware). Enterprises collectively spend billions of dollars each year protecting their data through firewalls and other data-centric security devices. In a sense, enterprises have locked their data doors tightly, but have they left another window open?    

UC applications such as voice, video, messaging and file sharing are transmitted over the same IP network as web and data applications, and thus are prone to the same type of network attacks. Where UC applications differ from their purely data-based counterparts is in the fact that they are real-time applications that use the Session Initiation Protocol (SIP) for signaling between UC stacks and endpoints. Unsecured UC expands an enterprise’s potential risk by introducing data exfiltration, Denial of Service (DoS), telephony denial-of-service (TDoS) attacks and eavesdropping into the equation. And data firewalls – even advanced next-generation firewalls – don’t have the deep, stateful knowledge of SIP to protect SIP-based real-time applications. For that, you need a session border controller (SBC).  

As many enterprises are adopting a zero-trust model for security, every application must be secured. SBCs play many important roles in enterprise communications networks by providing intelligent routing, signaling interworking, and media services to ensure quality of experience. But the SBC’s primary function is to protect the UC network from SIP-based attacks. With inherent security features such as per-session state awareness, protocol filtering, topology hiding, encryption and dynamic blacklisting, SBCs can secure voice calls and prevent telephony-based attacks from happening.  

As traditional circuit-switched communications have evolved into IP-based UC, the attack surface has grown. It’s now possible, and easier, to mount DDoS attacks, spoof caller IDs for toll fraud, or use media or signaling UDP/TCP ports to exfiltrate data. The importance of SBCs in securing UC has likewise grown – many enterprises today use SBCs as a UC firewall, a demarcation point for SIP trunking services, and a tool to encrypt and interwork their UC assets.

These perimeter-based SBCs are intended to secure UC applications that are deployed within the enterprise—for example, on an internal Skype for Business server. But what happens when UC moves into the cloud? It’s a question that many enterprises will need to answer in the coming years. According to IHS, the number of UC and VoIP subscribers in the cloud will double over the next few years, reaching over 75 million by 2020.  

The cloud represents a much larger surface area for attack. Cloud-based services are comprised of many different virtual machines (VMs) and potentially dozens of different microservices, each with their own security weakpoints. Every weakpoint – whether in code, access or protocol – can expose an application to a potential security breach, and once an application is hacked, intruders can move laterally within a cloud-based network to access other applications and data. You can think of a cloud service as being composed of hundreds of different Lego-like blocks. In the cloud, your security posture is only as strong as your weakest block.  

Enterprises cannot solely rely on their cloud service provider to completely secure the myriad UC connections taking place—especially if the enterprise is in a compliance-restricted industry, such as finance or healthcare. The increased surface area of the cloud provides more attack points for hackers. And compared to an on-premises UC deployment, enterprises will have less control. For these reasons, enterprises need to scrutinize their security practices so that they can ensure they’re protecting their networks appropriately.   

To create a consistent defense system against network attacks, it is critical for enterprises to integrate SBCs into their security posture at the edge of their network. Just as an enterprise wouldn’t think of connecting its data network to the internet without a firewall or performing commerce over the internet without encryption, an SBC is just as critical to real-time SIP communications.  

But enterprises need to be mindful that not all SBCs are created equal. They may support static blacklists, but not the dynamic generation of new blacklists. They may identify malformed SIP packets, but not anomalous network behavior that could indicate an attack. Or encryption may be turned off, because turning it on causes performance and jitter issues. These security gaps are points of exposure that cybercriminals can, and will, exploit.   
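The two checks called out above, rejecting malformed SIP requests and reacting to anomalous signaling behaviour with a dynamically generated blacklist, can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from Sonus: the SIP messages, the per-source rate threshold and the ten-second window are constructed assumptions, and a real SBC would track full dialog state rather than a simple request counter.

```python
"""Added example (not from the article or Sonus): a minimal SIP signaling
monitor that (1) rejects malformed SIP requests missing mandatory headers
and (2) dynamically blacklists sources whose request rate within a sliding
window is anomalous. Messages, addresses and thresholds are constructed."""
from collections import defaultdict, deque

REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")
RATE_WINDOW_S = 10.0      # assumption: sliding window for the rate check
MAX_REQ_PER_WINDOW = 5    # assumption: per-source request threshold

# Constructed sample messages (CRLF line endings as on the wire).
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "\r\n"
)
MALFORMED = "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.6\r\n\r\n"


def parse_sip_request(raw: str):
    """Return (method, headers) or raise ValueError for a malformed request."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if not line:            # empty line ends the header section
            break
        if ":" not in line:
            raise ValueError("bad header line")
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise ValueError("missing headers: " + ", ".join(missing))
    return parts[0], headers


class SipGuard:
    """Per-source state: recent request timestamps and a dynamic blacklist."""

    def __init__(self):
        self.recent = defaultdict(deque)   # source -> timestamps in window
        self.blacklist = {}                # source -> reason

    def inspect(self, src: str, ts: float, raw: str) -> str:
        """Return 'allow' or 'drop' for one request from src at time ts."""
        if src in self.blacklist:
            return "drop"
        try:
            parse_sip_request(raw)
        except ValueError as exc:
            # Protocol filtering: a source sending malformed SIP is blacklisted.
            self.blacklist[src] = f"malformed: {exc}"
            return "drop"
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW_S:
            window.popleft()
        if len(window) > MAX_REQ_PER_WINDOW:
            # Behavioural check: request flood from one source.
            self.blacklist[src] = "rate anomaly"
            return "drop"
        return "allow"


def demo() -> dict:
    """Run three constructed sources through the guard; return the blacklist."""
    guard = SipGuard()
    guard.inspect("10.0.0.5", 1.0, INVITE)          # normal call setup
    guard.inspect("10.0.0.6", 1.0, MALFORMED)       # truncated request
    for i in range(6):                              # six INVITEs in six seconds
        guard.inspect("10.0.0.7", 100.0 + i, INVITE)
    return dict(guard.blacklist)


if __name__ == "__main__":
    for src, reason in demo().items():
        print(f"blacklisted {src}: {reason}")
```

The blacklist here is built at runtime from observed behaviour, which is the distinction the article draws between static lists and dynamic generation; an entry would normally age out after a configured interval rather than persist forever.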

The cloud is already the future of IT and, for many enterprises, it is the future of UC as well. There is much intrinsic value in UC-as-a-Service (UCaaS), from cost stabilization to unified messaging across multiple devices/locations. But it does require a different security posture than an on-premises system. Cybercriminals are actively targeting cloud platforms, and enterprises need to be proactive in their defense against cloud-based attacks—particularly from traditionally under-secured vectors such as SIP-based communications.  

The best approach is to remember that moving an application into the cloud doesn’t shift the responsibility of security to the cloud. To maintain the security posture of unified communications, enterprises must implement a holistic approach to security that extends from their infrastructure to the cloud.  

About the author: Mykola Konrad is the Vice President, Product Management and Marketing at Sonus Networks. At Sonus, Mykola is leading the introduction of the Sonus portfolio of products to the Enterprise customer segment.

Copyright 2010 Respective Author at Infosec Island
How to Prevent Ransomware and Cyberattacks
Fri, 14 Jul 2017 11:58:00 -0500

The impacts of ransomware and other breaches, which exploit failures in risk management, are preventable. The WannaCry ransomware attack was the most widespread of its kind in history. It took advantage of a Windows vulnerability – one detected and resolved months ago – encrypting victims’ data and demanding a ransom payment for decryption.

More recently, many organizations in Europe and the US have been crippled by a second ransomware attack, known as “NotPetya” or “GoldenEye.” NotPetya was a malicious, destructive attack disguised as ransomware.

The scope and speed of these new attacks are major wakeup calls for organizations around the globe; an attack can come at any time, and failing to implement a strong prevention strategy is a recipe for disaster. Often, when a cyberattack is resolved (or even while it’s still ongoing), unaffected organizations may instinctively dismiss its significance, assuming the dangerous mindset that their business’ operations are different and won’t be affected. This frame of mind fails to acknowledge that mistakes made by cyberattack victims are typically shared by many others.

Consider the ever-increasing capabilities of cyberattackers. Constantly improving technologies allow attackers to evolve their strategies, find new points of entry, and make themselves harder to detect. Your security and business continuity programs must stay one step ahead of this evolution, a process that requires implementation across departments and levels.

Cyberattacks – alongside all risk management failures – are entirely preventable with good governance and integrated risk management processes. The standardization and automation of these components does not require a revolution in your operational structure. They are achieved by using centralized monitoring and policy operationalization, making sure you adhere to best practices without exception. Senior leadership can then use the information gathered to make informed strategic decisions.

The traditional understanding of departmental interaction – namely that each department conducts its own operations and is most qualified to evaluate its own risk profile – creates cracks through which incidents and attacks can slip. A truly integrated approach, requiring strong governance and board oversight, illuminates vulnerabilities shared by departments. This allows for efficiency (and efficacy) through collaboration and allocation of responsibilities.

Poor governance and operationalization have led to risk management failures including those seen at Target, Ashley Madison, Dwolla, and Wendy’s. These breaches would have been prevented not with complex, expensive technology, but with improved governance processes.

Strengthening Cybersecurity and Preventing Surprises with Good Governance

Enterprise risk management accomplishes more than simply identifying new risks and to-do items. By revealing the interdependencies and interactions between departments, applications, vendors, and other resources, it closes the gap between policies and everyday operations. This makes it easier to resolve known issues and prevent scandals. For example, which applications contain sensitive data that might have a material impact on your reputation? Which departments use those applications, and which policies and controls (if any) currently address those weaknesses? Are these policies and other mitigation activities effective in addressing this risk?

Going back to WannaCry, prevention would have been as simple as automated alerts. Alerts would have prompted verification that appropriate Windows patches were implemented, followed by a report of all critical systems not covered by patch deployments. This is a good example of the importance of governance over existing processes, as opposed to the wasteful alternative of expensive technology solutions that may not even address future issues.

It’s a known fact in the security community that, due to human or technology errors, 10-15% of authorized, scheduled patches are not implemented. Resulting vulnerabilities are often detected by the “right” people (in this case, Windows itself) before they are by the “wrong” people, but when fixes aren’t implemented punctually, the risk remains. Notifications remove the possibility that risk goes unaddressed.
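The alerting the two paragraphs above describe is a reconciliation job: compare the patches each system should have against the patches it actually has, list the critical systems not covered, and raise an alert when coverage drops below an agreed floor. The following is an added example written for this page, not code from the article or from LogicManager; the inventory, the patch identifiers and the 90% coverage target are constructed placeholders.

```python
"""Added example (not from the article or LogicManager): reconcile a
constructed asset inventory against a list of required patches, report the
critical systems not covered, and compute the coverage rate an alert keys on.
Hostnames, patch identifiers and the coverage target are placeholders."""

# Constructed: required patch id -> severity. The SMB id is a placeholder
# standing in for the Windows fix the article refers to.
REQUIRED_PATCHES = {
    "PATCH-SMB-2017-03": "critical",
    "PATCH-BROWSER-2017-05": "important",
}

# Constructed inventory: hostname, business criticality, installed patch ids.
INVENTORY = [
    {"host": "pos-01", "critical": True,
     "installed": {"PATCH-SMB-2017-03", "PATCH-BROWSER-2017-05"}},
    {"host": "pos-02", "critical": True,
     "installed": {"PATCH-BROWSER-2017-05"}},
    {"host": "hr-wks-07", "critical": False,
     "installed": {"PATCH-SMB-2017-03"}},
    {"host": "fileserver-01", "critical": True, "installed": set()},
]


def missing_patches(inventory, required):
    """Return {host: [missing patch ids]} for every host lacking a required patch."""
    gaps = {}
    for asset in inventory:
        missing = sorted(p for p in required if p not in asset["installed"])
        if missing:
            gaps[asset["host"]] = missing
    return gaps


def coverage_rate(inventory, required):
    """Fraction of (host, required patch) pairs that are actually installed."""
    wanted = set(required)
    total = len(inventory) * len(wanted)
    installed = sum(len(wanted & asset["installed"]) for asset in inventory)
    return installed / total if total else 1.0


def alerts(inventory, required, min_rate=0.90):
    """Alert lines: one per critical host missing a critical-severity patch,
    plus a summary alert when overall coverage is below min_rate."""
    out = []
    by_host = {asset["host"]: asset for asset in inventory}
    for host, missing in sorted(missing_patches(inventory, required).items()):
        severe = [p for p in missing if required[p] == "critical"]
        if severe and by_host[host]["critical"]:
            out.append(f"CRITICAL host {host} missing critical patch(es): "
                       + ", ".join(severe))
    rate = coverage_rate(inventory, required)
    if rate < min_rate:
        out.append(f"Coverage {rate:.0%} below target {min_rate:.0%}")
    return out


if __name__ == "__main__":
    for line in alerts(INVENTORY, REQUIRED_PATCHES):
        print(line)
```

The per-host report answers the article's "which critical systems are not covered" question directly, and the coverage figure is the single number that makes the 10-15% shortfall visible to leadership rather than buried in a patch console.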

Mitigating risks presented by any cyberattack can take place at your organization today. If necessary, the following steps can be performed on a manual basis, but for long-term sustainability, use a centrally managed, risk-based approach.

Off-site backups are your first and most basic line of defense. Frequency and scope will be different for each organization; your security team should collaborate with senior leadership to determine minimum standards. Has a restoration test been performed, ensuring that your applications and infrastructure can be restored? Can back-up data actually be used within your stated recovery time objective (RTO)? Your RTO is the maximum “downtime” window that can be tolerated for a particular process before financial, reputational, or legal damage occurs.

Most organizations have formal internal policies, but few identify the risks associated with these policies. After risks are identified, regular tests and notifications verify that these risks are mitigated. Backups take time, and without using a risk-based approach to prioritize data and the application infrastructure, much existing activity is wasted. The relationships between your people and resources, once identified, reveal what is integral to critical functions.

Backups will compose a piece of your overall business continuity and disaster recovery (BC/DR) plan. The BC/DR plan needs not just be created, but tested regularly. Most back-up systems only preserve data, not the application infrastructure. Doing so requires a second level of testing; can the applications and infrastructure be reestablished, and will they be compatible with restored data? Test your organization’s ability to implement a “clean recovery,” or total restoration of all data. The program cannot be made fully operational until those regular tests are implemented. Without an operationalized BC/DR program, it’s difficult to impossible to recover from an attack within the required timeframe.

Most organizations also understand access rights from a policy point of view. However, are access rights managed effectively by all the users? The principle of least privilege, by which a company grants employees only the access they need to perform their duties, limits vulnerability without compromising efficiency. Begin this process by implementing and enforcing password complexity/change requirements. Rights then need to be defined and updated regularly by engaging front-line managers. Ransomware and breaches target the weakest links in an organization, often through vendors and supply chains.

With an ERM solution, you can maintain an effective asset management process by determining which applications, devices, and other resources require access rights protection. The next step is to create transparency into how effective policies are over these processes.

Through good governance, you can make sure everyday activities are aligned with leadership’s strategic goals. An integrated risk management approach reduces overall exposure and allows the organization to better leverage existing assets and prevent potentially disastrous disruptions like the WannaCry attack – without using additional budget to security technologies.

About the author: Steven Minsky is the CEO of LogicManager, the leading provider of ERM solutions. Steven is also the author of the popular Risk Maturity Model, RIMS State of ERM Report, a frequent contributor to blogs and press, as well as an instructor on many risk management topics.

SAP Cyber Threat Intelligence report – July 2017
Fri, 14 Jul 2017 10:57:26 -0500

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • July’s set of SAP Security Notes consists of 23 patches with the majority of them rated medium.
  • The most severe vulnerabilities of this month affect SAP POS, a point of sale solution. The vulnerabilities allow attackers to read/write/delete sensitive information and even monitor all content displayed on a receipt window of a POS remotely, without authentication.

SAP Security Notes – July 2017

SAP has released the monthly critical patch update for July 2017. This patch update includes 23 SAP Security Notes (12 SAP Security Patch Day Notes and 11 Support Package Notes).

11 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of the Notes are updates to previously released Security Notes.

4 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.

The most common vulnerability types are Missing Authentication check, Switchable authorization check, and Implementation flaw.

Issues that were patched with the help of ERPScan

This month, several critical vulnerabilities identified by ERPScan’s researchers Dmitry Chastuhin, Mathieu Geli, and Vladimir Egorov were closed by 3 SAP Security Notes.

Below are the details of the SAP vulnerabilities identified by the ERPScan team.

  • Multiple Missing authorization check vulnerabilities in SAP Point of Sale (PoS) (CVSS Base Score: 8.1). Update is available in SAP Security Note 2476601. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • A Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5). Update is available in SAP Security Note 2442993. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • Multiple vulnerabilities (Cross-site scripting and Cross-site request forgery) in SAP CRM Internet Sales Administration Console (CVSS Base Score: 6.1). Update is available in SAP Security Note 2478964. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to get control over this information. XSS can also be used to modify displayed content without authorization. Moreover, an attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user’s session by making a request containing a certain URL and specific parameters; the function will be executed with the authenticated user’s rights.

About Multiple Missing Authorization Check in SAP Point of Sale

SAP POS, a client-server point-of-sale (POS) solution from the German software maker, is part of its Retail solution portfolio, whose products are in use at 80% of the retailers in the Forbes Global 2000.

From a technical point of view, SAP POS consists of client applications, the Store Server side (serving connectivity, operational and administrative needs) and applications running in the head office to allow central configuration.


This month, SAP released Security Note 2476601 to close multiple severe vulnerabilities in SAP POS Xpress Server. The component lacks authentication checks for critical functionality. The missing authorization checks would allow an attacker to:

  • Read/write/delete files stored on SAP POS server;
  • Shutdown the Xpress Server application;
  • Monitor all content displayed on a receipt window of a POS.

The described malicious actions can be performed over the network without authentication.

The vulnerabilities were rated at 8.1 by CVSS base score v3, with all 3 impact metrics (Confidentiality, Integrity, and Availability) assessed High.

According to the rules of responsible disclosure, ERPScan doesn’t disclose technical details to allow SAP customers a period of time to patch the issues. Researchers who identified the vulnerabilities will deliver a talk at Hack in the Box Singapore (August 24) where they will demonstrate an attack vector against SAP POS.

Other critical issues closed by SAP Security Notes July

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2453640: SAP Governance, Risk and Compliance Access Controls (GRC) has a Code injection vulnerability (CVSS Base Score: 6.5). Depending on the code type, an attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
  • 2409262: SAP BI Promotion Management Application has an XML external entity vulnerability (CVSS Base Score: 6.1). An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content. Install this SAP Security Note to prevent the risks.
  • 2398144: SAP Business Objects Titan has an XML external entity vulnerability (CVSS Base Score: 5.4). An attacker can use XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use a XML external entity vulnerability for getting unauthorized access to OS filesystem. Install this SAP Security Note to prevent the risks.
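The XML external entity class described in the last item above is handled on the defensive side by refusing to let a parser see entity declarations at all. The following is an added example written for this page, not code from the report, ERPScan or SAP, and it has nothing to do with the SAP components named: it uses Python's expat bindings to reject any document carrying a DOCTYPE or entity declaration before the document is handed to the real parser. The sample documents are constructed and the file path in the rejected one is a placeholder.

```python
"""Added example (not from the report, ERPScan or SAP): reject XML input that
declares a DOCTYPE or any entity before parsing it, which is the standard
mitigation for XML external entity (XXE) vulnerabilities. The sample
documents are constructed; the file path is a placeholder."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when untrusted XML contains a DOCTYPE or entity declaration."""


def check_no_doctype(data: bytes) -> None:
    """Scan the document with expat and abort on the first DOCTYPE or entity.

    The handlers raise before any entity could be resolved, so a SYSTEM
    entity pointing at the file system or a URL is never fetched."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE '{name}' not allowed in untrusted input")

    def on_entity(*args):
        raise UnsafeXml("entity declaration not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; raises UnsafeXml on XXE attempts."""
    check_no_doctype(data)
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """True if the document passes the DOCTYPE/entity check."""
    try:
        check_no_doctype(data)
    except UnsafeXml:
        return False
    return True


# Constructed sample: a benign document an application might accept.
BENIGN = b"<order><id>1</id><item>widget</item></order>"

# Constructed sample: the shape of an XXE attempt. The path is a placeholder;
# the point is that the declaration itself is rejected, whatever it names.
XXE_ATTEMPT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<order><id>&ext;</id></order>"
)

if __name__ == "__main__":
    print("benign ->", parse_untrusted(BENIGN).findtext("id"))
    print("xxe attempt safe? ->", is_safe(XXE_ATTEMPT))
```

Rejecting the DOCTYPE outright is stricter than disabling external entity resolution, but it also closes the related entity-expansion (billion laughs) problem and is the usual choice when the application never needs a DTD.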

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

WannaCry: How We Created an Ideal Environment for Malware to Thrive, and How to Fix It
Wed, 12 Jul 2017 10:29:29 -0500

On May 12, 2017 a ransomware attack began impacting organizations all over the globe and in just a few days had spread to over 230,000 computers across 150 countries. It’s quite a story, with the vulnerability used to spread the ransomware coming from leaked NSA data, speculation that the malware authors were not particularly sophisticated despite the breadth of the attack, possible links to North Korea, and a security researcher stumbling upon a kill switch that largely halted further spread of the malware. Although these aspects are fascinating and worthy of investigation, there is a larger question that needs to be answered: How in the world did we end up with a security paradigm where a malware infection can spread so rapidly and so broadly? And, most importantly, how do we begin to fix it?

The ultimate scope of the WannaCry ransomware attack was a result of two primary factors: the ability to communicate laterally across environments without restriction and an abundance of vulnerable machines to compromise. It is perhaps not surprising that as malware has dramatically evolved over the preceding decades, security architectures would also need to have evolved to effectively defend against these attacks. However, as we look at the security infrastructures used by organizations today, it is clear that most organizations have not evolved their security approaches enough to keep pace with emerging threat vectors.

Standard practice for security teams only a few years ago was to construct as strong a barrier as possible between the internal resources of a network and the chaos of the internet. This perimeter-centric approach made sense at the time when the resources on the network were more or less stationary.  But things have changed.  The capabilities introduced by mobile computing, BYOD, IOT, cloud computing, and increased interconnectivity between business partners and third parties has created a situation where the old perimeter is near impossible to define, let alone control.

With adversaries able to cross an organization's perimeter with little trouble, they are able to reach the largely unprotected interior of the network and data center and then operate with very little standing in their way. A good example of this was observed during the Target breach in 2013 when attackers were able to communicate with a Point of Sale (POS) system in one Target store by connecting to it from a network-connected deli meat slicer in a second store location. The solution to this situation is fairly obvious: implement security policies to isolate machines that should not be talking to each other. For example, POS systems should only be able to communicate with other payment components, different store locations should only be able to access inventory systems for other store locations, and deli meat slicers shouldn’t be able to communicate with very much at all. The industry term for this approach to dividing up a network and data center into smaller zones of communication is called segmentation.

Without proper segmentation of an organization’s network infrastructure, adversaries are able to move about at will – either manually or, in the case of WannaCry, automatically via a computer worm.
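The store example above reduces to a short allow-list over zones with a default of deny, which is worth writing down as code because it makes the slicer-to-POS case testable rather than anecdotal. The following is an added example written for this page, not code from the article or from vArmour: the hosts, zones and rules are constructed, and the reading of the store rule as "a store reaches only its own inventory system" is this example's assumption.

```python
"""Added example (not from the article or vArmour): a small zone-based
segmentation policy checker with default deny. Hosts, zones and rules are
constructed to mirror the article's store example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str    # segmentation zone (pos, payment, inventory, ...)
    store: str   # physical location


# Constructed inventory.
HOSTS = {h.name: h for h in [
    Host("pos-store1", "pos", "store1"),
    Host("payment-gw", "payment", "hq"),
    Host("inventory-store1", "inventory", "store1"),
    Host("inventory-store2", "inventory", "store2"),
    Host("wks-store2", "workstation", "store2"),
    Host("slicer-store2", "iot", "store2"),
]}

# Allow rules as (source zone, destination zone, same-store only).
# Anything not matched is denied; the IoT zone appears in no rule at all.
POLICY = [
    ("pos", "payment", False),          # POS talks only to payment components
    ("payment", "pos", False),
    ("workstation", "inventory", True), # assumption: own store's inventory only
]


def is_allowed(src: Host, dst: Host, policy=POLICY) -> bool:
    """Default deny: a flow passes only if some rule explicitly allows it."""
    for src_zone, dst_zone, same_store in policy:
        if src.zone != src_zone or dst.zone != dst_zone:
            continue
        if same_store and src.store != dst.store:
            continue
        return True
    return False


def evaluate(flows, hosts=HOSTS, policy=POLICY):
    """Return [(src, dst, 'allow'|'deny')] for a list of (src, dst) host names."""
    return [(s, d, "allow" if is_allowed(hosts[s], hosts[d], policy) else "deny")
            for s, d in flows]


def reachable_from(name, hosts=HOSTS, policy=POLICY):
    """Names of every host the given host may initiate a connection to."""
    src = hosts[name]
    return sorted(h.name for h in hosts.values()
                  if h.name != name and is_allowed(src, h, policy))


# Constructed flows, including the deli-slicer-to-POS path from the article.
FLOWS = [
    ("slicer-store2", "pos-store1"),
    ("pos-store1", "payment-gw"),
    ("wks-store2", "inventory-store2"),
    ("wks-store2", "inventory-store1"),
    ("slicer-store2", "inventory-store2"),
]

if __name__ == "__main__":
    for src, dst, verdict in evaluate(FLOWS):
        print(f"{src} -> {dst}: {verdict}")
    print("slicer can reach:", reachable_from("slicer-store2") or "nothing")
```

Enforcement would live in a host firewall, a microsegmentation agent or a network policy engine; the value of keeping the policy in this form is that a proposed change can be checked against known-bad flows before it is deployed.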

The second factor that contributed to the scale of the WannaCry attack was the sheer number of machines that were vulnerable to the EternalBlue exploit being leveraged. These vulnerable machines fall into one of two categories: either they were supported OSes that had not had critical security patches applied (Microsoft released a patch for the vulnerability on March 14, 2017 following the NSA leak), or they were unsupported OSes where no security patches were available (Microsoft has since released patches for these older OSes as well).

When you pull those threads a bit, it’s clear to see that organizations not having rigorous procedures for ensuring OSes are kept up to date with critical security patches directly led to the ability of WannaCry to spread as rapidly and broadly as it did. At the same time, the sheer number of organizations using older, unsupported OSes where critical security updates are no longer made available is shocking. According to the Spiceworks 2017 OS Adoption Trends survey, 52% of companies across North America, Europe, the Middle East, and Africa are still running some number of Windows XP systems. This means that more than half of all companies were vulnerable to WannaCry by default.

It’s easy to fault companies still running OSes that have been unsupported for years, however most of these companies are simply maintaining legacy applications they neither fully understand nor have the resources to recreate on a more current platform. They are in a tough spot needing to maintain these older systems while also needing to secure them in wide-open networks where attackers can move about freely. This is the exact situation that created the opportunity for WannaCry to thrive.

Obviously keeping systems up to date with security updates and retiring/migrating systems once their OS is no longer supported can go a long way toward preventing the spread of malware inside an environment, but this approach isn’t always viable. For all the companies that need to maintain legacy systems, regardless of the reason, focusing on isolating these systems as much as possible is a much more effective strategy.

The important points for all organizations to remember are: 1) keep your systems as patched and up to date as possible, and 2) do not leave your network wide open for adversaries to take advantage of but begin segmenting your infrastructure and reducing your attack surfaces. We’re sure to see additional widespread attacks going forward, but by keeping systems up to date and preventing unauthorized communications via segmentation, your organization will be in a much better position to avoid being impacted by those threats.

About the author: Jesse McKenna is Director, Cybersecurity Product Management at vArmour. With over 12 years experience in designing leading edge detection systems, he possesses deep expertise in fraud, security, behavioral analytics, and how theoretical detection and analytics concepts can be applied and operationalized in real world environments.

NotPetya — 'Ransomware' That Spreads like a Worm
Wed, 12 Jul 2017 07:48:00 -0500

Barely out of the woods with WannaCry, another global ransomware attack, a new variant of ‘Petya,’ began infecting organizations throughout Europe and into the Americas. Upon initial analysis and investigation, the attack was thought to be a variant of Petya ransomware, as the threat actors behind the attack carefully designed it to look the same. However, upon further analysis, it was discovered that the main distribution and payment schemes were inconsistent with Petya.

NotPetya, as it turned out, was disseminated via the compromised software from MeDoc, a distributor of tax accounting software mandated by the Ukrainian government. Hackers seemed to have breached the firm’s computer systems and compromised a software update that was published to customers on June 22 -- leading the malware to spread to more than 12,000 systems throughout Europe and America. This new variant started spreading across networks using Windows Management Instrumentation Command-line (WMIC) or the Microsoft Server Message Block (SMB) exploit known as ETERNALBLUE. The SMB exploit used in NotPetya, was in fact the same SMB exploit method used by the devastating WannaCry ransomware attack.

Once NotPetya infects a system, it establishes encryption routines and attempts to spread over the network. What makes NotPetya unique however, is that it attempts to extract cached user credentials from the original infected machine and propagates using WMIC. The other key difference between NotPetya and WannaCry is that while WannaCry used a killswitch domain, NotPetya doesn’t. Encryption will happen irrespective of whether the infected system is in an isolated environment or connected to the internet.

What Makes ‘NotPetya’ Unique

Ransomware locks up files on infected machines and demands payment to retrieve the data. NotPetya differentiated itself from this through its unique encryption process. It presented a fake chkdsk page, which encrypts the hard disk master boot record if a privileged user executes it. From there, it schedules a task to restart the system and displays the ransom note. If it is unable to execute the payload as a privileged user, it moves to encrypt the file types annotated below and writes a README.TXT ransom note.

Prior Petya campaigns operated on a single organized payment and decryption key distribution system accessed via the Tor network. By contrast, this particular attack relied upon a single email account for coordinating ransom payments and decryption keys. As a result, the email address was identified and deactivated early on, leading investigators to conclude it was unlikely that attackers intended it to remain operational throughout the campaign. Thus, these unique NotPetya techniques led many researchers to believe the true goals of the attack may have been disruption rather than monetary gain.

According to an open-source intelligence analysis by Infoblox, the campaign involved the following major actions:

  1. Implanted trojan: Attackers disguised a trojan to appear as though it was a legitimate update for MeDoc software. Since MeDoc is one of the two tax accounting software vendors approved by the Ukrainian government for this work, the threat actors knew this software would be essential to the financial sector and companies doing business in Ukraine.
  2. Watering-hole attack: Attackers often compromise a website or create a look-alike domain to function as a watering-hole attack where victims will visit without being lured. What made this attack so effective was the compromise of the software supply chain by compromising MeDoc and using their software update service to deliver the trojan. Because the update service was genuinely operated by the real vendor, updates would most likely have been trusted by the customer and automatically deployed.  
  3. Enhanced malware: Attackers enhanced the malware in order to harvest user credentials and use the capabilities inherent in the operating system to move laterally and spread the malware.

Best Practices

Throughout recent months, ransomware has emerged as one of this year’s biggest threats. More than $1B was paid out to ransomware criminals in 2016 alone, and 2017 has seen a 6,000 percent increase in ransomware-infected emails compared to 2016. As attacks of this scale and ambiguity are likely to continue, organizations must adopt certain best practices to stay protected and keep themselves and their customers safe.

  1. Backup: Always backup essential data and test the restore procedures.
  2. Timely Patches: Prioritize and apply security updates and patches. Since a known vulnerability in the Microsoft Server Message Block (SMB) protocol was used in this attack, installing the updates in the Microsoft March 2017 Security Bulletin will resolve the weakness. It is also recommended that SMB be disabled until the proper patches can be applied to the system. (How to Disable SMB)
  3. Network Hygiene: Segment networks to limit the propagation of malware.
  4. User Training: Train your employees to delete emails with attachments received from unknown senders, and to disable Microsoft Office document macros by default. It is also important to not allow documents to open additional files or execute macros without external confirmation (e.g. phone, in person, etc.) that the sender is valid.
  5. High-quality, curated threat intelligence feeds: Using high-quality, curated threat intelligence that is fully up to date can protect users from unwanted DNS communications while maximizing DNS protection. In addition, using an RPZ-based security capability integrated with DNS to detect and block communications to malicious sites and command-and-control servers can help stop the spread of advanced malware and ransomware.

About the author: As Director of Cyber Intelligence for Infoblox, Sean Tierney leads the efforts to develop and refine threat data, delivered to customers as machine-readable, actionable intelligence. His team collaborates with industry peers, Fortune 500 companies, and government agencies to identify emerging cybersecurity threats.

Copyright 2010 Respective Author at Infosec Island

Convenience Comes at a Steep Price: Password Management Systems & SSO Wed, 12 Jul 2017 03:47:02 -0500

In today’s environment, it can often be a challenge (if not impossible) to memorize and keep track of all our login credentials for our daily interaction with online apps and services. Users also typically circumvent unwanted, extra layers of security in favor of convenience. Many consumers and businesses are flocking to the mirage of safety offered by password management firms, which are only as strong as their weakest link (often humans), and we must continuously reinforce the need for advanced authentication methods for nearly everyone – consumers, employees, suppliers, etc.

While password management firms may seem like a great idea given the increasing number of digital tools and devices that we rely on every day, they are not a “fix-all” solution. Their protection is only as strong as the password you create to use with the service itself, or the one the administrator/operator creates to secure the system’s database. Moreover, if the credentials associated with password management firms become compromised, the impact is far worse – akin to losing the “Keys to the Castle.” Given the fact that more than 81 percent of data breaches last year involved either stolen and/or weak passwords, the issue must become a central theme in any conversation about online security (2016 Verizon Breach Report).

Users frequently utilize the same username and password combination for multiple accounts, and use social media applications (such as Facebook & Twitter) to automatically create accounts for new products. However, while this is convenient, it’s clearly not secure. According to a 2016 survey, 73% of adults in the United States and UK use the same password (or a simple variation) for all of their accounts.

Many large organizations are switching to another, convenience-driven solution to ease the time and burden of logging into multiple systems by implementing Single Sign On (SSO) applications. But SSO, like password management systems, can be a double-edged sword for security practices.

If the central database of credentials for these systems is eventually compromised through brute force attacks against privileged users – a feat that becomes increasingly easier and less time consuming with steady advances in computing power – the consequences can be devastating for enterprises, vendors, and customers.

As we have repeatedly witnessed, a primary attack vector for large firms has been through third-party vendors, and this was again the case in last month’s massive breach of the password management firm OneLogin. A company statement conveyed the enormous scope of the incident by admitting that the hacker was able to access database tables that contain information about users, apps, and various types of keys – which could enable the malicious party to decrypt sensitive files for thousands, if not many more, of their clients.

Many security experts have touted password management services and SSO providers as positive advancements for our somewhat outdated reliance on a username and password combination as the most common method of verification. However, trusting cloud-based storage of highly sensitive data always increases the risks of compromise. If an attacker can obtain access to any user’s credentials that have the capability to unlock other applications, they will likely be able to compromise additional applications.

Social media accounts are also an increasingly common authentication point for third-party applications, which is commonly justified by not having to keep track of yet another new password. It streamlines the sign-in process and only requires permission to be granted during the first session. The third-party permission requirement does deter some users, and it is often restricted by firewalls that block employee access to the social media site. Instituted with an eye toward convenience, it too can allow hackers to compromise all of the linked accounts by authenticating with only the social media credentials.

The common denominator in all of these scenarios circles back to an arcane overreliance and overconfidence in the level of protection that the username/password combo provides. While several security-centric industries have adopted optional security measures such as two-factor authentication, enhanced authentication must be universally reinforced by making these procedures default requirements for the vast majority of online activity. Multi-factor authentication should be used to enhance our ability to avoid credential theft from every angle. These measures should be expanded to include something you have, something you know, and something you are as the new minimum standards for identification.

As nefarious actors and groups of all kinds have evolved their capabilities on a regular basis to commit ever more complex acts of cybercrime, we must finally take steps to evolve basic security processes in turn. Password management systems and similar tools aren’t silver bullets, as they only serve as yet another layer of simple, insecure passwords. After all, if all you need is a password to gain access to another password, there’s no substantive enhancement to security.

About the author: Alexandre Cagnoni is CEO of McLean, Virginia-based Datablink, a global provider of advanced authentication and transaction signing solutions.

How Does Samba Compare to WannaCry? Wed, 05 Jul 2017 13:29:17 -0500

Many reports are drawing comparisons between the Samba vulnerability and WannaCry, with some even dubbing it SambaCry. There’s no denying that the Samba vulnerability is serious. It also shares some similarities with WannaCry: it exploits a vulnerability in a service that utilizes Windows' SMB protocol, and, like WannaCry, is 'wormable' – meaning each infected machine could potentially infect other machines in its network, significantly increasing the spread of the malware. But, it doesn’t pose the same widespread risk as WannaCry.

To start, the number of potential targets of the Samba vulnerability is significantly smaller. Of the 2.3 million machines worldwide with port 445 exposed, the Samba vulnerability could only potentially impact a fraction – 60,000 to be exact. While, at first glance, it would seem like there are millions of machines running Samba, from routers and network printers to your home NAS, several factors must align for a machine to be exploited by this vulnerability:

  1. The machine needs to have TCP port 445 open and directly connected to the internet – this brings the number of potential targets down to 2.3 million machines worldwide;
  2. Guest login without password needs to be enabled – down to 980 thousand machines worldwide;
  3. The server is indeed running the vulnerable Samba version – down to 120 thousand machines worldwide;
  4. A writeable network share needs to exist on the system – down to about 70 thousand machines worldwide;
  5. And, finally, Samba inter-process communication needs to be enabled – down to about 60 thousand machines worldwide.

Although the risk is not as dire as WannaCry, organizations should always be vigilant to protect against any potential threats and should not ignore the possibility of an attacker exploiting Samba. The following “Three P’s” will help mitigate the potential threat posed by the Samba vulnerability to your business:

  • Patch, Patch & Patch: If a Samba server is enabled on a targeted device, or if your business is running an older Samba protocol version, keep that device updated with recent patches. File sharing is a business need, and patches will ensure that your system remains secure.
  • Password Protect: Often, guest logins do not require a password; however, all systems should be password protected to deflect attacks. Without a password, your system remains vulnerable.
  • Port it Shut: Firewalls are important, and ensuring that TCP port 445, the port Samba listens on, is closed to the outside will eliminate the threat of external exploitation.
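Three of the conditions listed above (guest access without a password, a writable share, and inter-process communication enabled) are visible in smb.conf, and checking them is also the substance of the "Password Protect" step. The following is an added example, not code from the article or from the Samba project; it assumes the standard smb.conf parameter names guest ok, writable/read only and nt pipe support, uses constructed sample configs, and leaves conditions 1 and 3 (port 445 reachable from the internet, a vulnerable build) to a port scan and `smbd --version`.

```python
import configparser

# smb.conf accepts several spellings for one parameter; fold them so a config
# written with "writeable" or "public" is judged like the canonical form.
_SYNONYMS = {"writeable": "writable", "write ok": "writable", "public": "guest ok"}
_TRUE = {"yes", "true", "1"}


def _norm_key(key):
    key = " ".join(key.strip().lower().split())
    return _SYNONYMS.get(key, key)


def _is_true(value):
    return value is not None and value.strip().lower() in _TRUE


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for smb.conf text (INI-like, '#'
    and ';' comments, case-insensitive names; interpolation is off because
    Samba's own %U/%h substitutions would otherwise trip configparser)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = _norm_key
    cp.read_string(text)
    return {s.strip().lower(): dict(cp[s]) for s in cp.sections()}


def audit(text):
    """Flag which configuration-side exposure conditions hold in one smb.conf."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    shares = {n: p for n, p in conf.items() if n != "global"}

    # Condition 2: a share that admits the guest account, i.e. no password.
    guest_shares = [n for n, p in shares.items()
                    if _is_true(p.get("guest ok")) or _is_true(p.get("guest only"))]

    # Condition 4: a writable share.  "writable = yes" and "read only = no" are
    # equivalent; a per-share setting overrides [global], whose own default is
    # read-only.
    def writable(p):
        if "writable" in p:
            return _is_true(p["writable"])
        if "read only" in p:
            return not _is_true(p["read only"])
        if "writable" in glob:
            return _is_true(glob["writable"])
        return not _is_true(glob.get("read only", "yes"))

    writable_shares = [n for n, p in shares.items() if writable(p)]

    # Condition 5: named-pipe IPC.  "nt pipe support" defaults to yes, so the
    # condition holds unless [global] turns it off explicitly.
    ipc_enabled = _is_true(glob.get("nt pipe support", "yes"))

    return {
        "guest_access": bool(guest_shares), "guest_shares": guest_shares,
        "writable_share": bool(writable_shares), "writable_shares": writable_shares,
        "ipc_enabled": ipc_enabled,
    }


def all_conditions_hold(report):
    """True only when every configuration-side condition is present at once."""
    return report["guest_access"] and report["writable_share"] and report["ipc_enabled"]


# Constructed sample configs (not taken from any real host).
WEAK_CONF = """
[global]
   server string = %h file server
   security = user
   map to guest = Bad User

[public]
   path = /srv/samba/public
   public = yes
   writeable = yes
"""

HARDENED_CONF = """
[global]
   security = user
   map to guest = Never
   nt pipe support = no

[staff]
   path = /srv/samba/staff
   valid users = @staff
   read only = no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit(conf)
        print(f"{name}: {report} -> all conditions hold: {all_conditions_hold(report)}")
```

The hardened sample still has a writable share, because file sharing is a business need; what removes the exposure is denying guest access and turning off the named-pipe support that the remaining condition depends on.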

With new vulnerabilities constantly being brought to light, there’s considerable fear of security risks, and confusion about what these risks mean to organizations. In the case of the Samba vulnerability, it’s important to remember that this is just a vulnerability. There is no evidence to suggest that malware exploiting the Samba vulnerability would be ransomware, nor would this likely be a massive attack.

But, organizations should always be aware of potential threats. They need to understand the business and technical implications of their systems’ vulnerabilities, and select the best set of controls to prevent attackers from using exploits.

About the author: Rotem Iram is the Founder and CEO of stealth cyber insurance company CyberJack. With nearly two decades of security and engineering experience, Rotem previously served as a Managing Director and COO in the Cyber Security practice of K2 Intelligence, a leading global risk management firm, focusing on cyber intelligence, cyber defense strategy, and incident response.

The Security Risk Within Smart Cities Fri, 30 Jun 2017 10:29:00 -0500

Technical innovations and increasing digitisation are a mixed blessing: On the one hand, we benefit from them as they simplify our everyday life and can help us to overcome challenges. On the other hand, they present new difficulties and problems. The concept of the smart city, which has been under development around the world for some years now, is a perfect example of this.

Whether it’s growing traffic volumes, environmental pollution, dissipation of energy, or growing mountains of waste – the smart city of the future has the answer for a number of problems faced by our cities. The answer being, the internet of things, i.e. millions of connected, digitised and sensor equipped devices and infrastructures. From connected automobiles within a car sharing service, smart traffic light circuits and energy-efficient street lighting, to sensor equipped garbage cans or irrigation systems in parks – everything is possible.

But environmental compatibility, comfort, and resource efficiency do not come without their challenges. Not only is it difficult to cater for the immense amount of data and rapid analysis that comes with smart cities, but even more concerning is the susceptibility of smart cities to cyber-attacks. Something all security experts agree on is that the smart city of the future is insecure.

Manipulated Traffic Lights

One of the greatest weaknesses of IoT is the utilisation of insecure devices that lack sufficient security testing, allowing the devices to be hacked and fake data to be fed to them. The reason this happens is because during the development of IoT devices and applications, functionality and customer orientation still have the highest priority for the vendors. Even in times of increased connectedness, aspects regarding security and data protection are still neglected – be it for cost reasons, time pressure or limited processing performance.

What this means for smart cities and connected infrastructures was demonstrated by security expert Cesar Cerrudo some time ago. On numerous trips through big American cities such as New York, Los Angeles and San Francisco, he demonstrated how thousands of traffic control sensors were vulnerable to attack. Cerrudo showed how information coming from these sensors could be intercepted from 1,500 feet away — or even by drone — made possible by one company failing to encrypt its traffic data. This enables hackers and cybercriminals to manipulate traffic data, permitting them to cause faulty traffic light circuits, traffic jams, large-scale traffic obstruction or even dramatic accidents.

Minimising IoT Security Risks and Vulnerabilities

In the case of cyber-attacks on smart cities, millions of devices are potentially threatened by manipulations or malware infections. Therefore, a well thought out security strategy is indispensable. This starts with identifying and then prioritising the critical infrastructure. Only those who can identify and clear away vulnerabilities, security flaws, malicious environments, outdated operating systems, etc. in time, are able to prevent serious failures and manipulations.

The best possible protection against hacking attacks is a security solution that is embedded within the IoT application itself. Instead of constructing a fence around the device and its software, applications need to be hardened with effective protection solutions such as obfuscation or whitebox cryptography as well as with advanced RASP (Runtime Application Self-Protection) technologies. Protected in such a manner, applications are able to defend themselves against all kinds of attacks with individually defined actions, e.g. informing the provider of the IoT device that the software has been modified. Thanks to these application hardening technologies the application’s sensitive binary code – its crown jewels, so to speak – is proactively protected.

Smart cities offer great opportunities, especially for rapidly growing cities which have to deal with population growth and increasing traffic loads. Nonetheless, for IoT innovations, security, data protection and privacy have to be top priorities if they are to be profitable in the long run. An important factor here is education. The issue of security must be a top priority in all companies and organisations. Suppliers and vendors of IoT devices and technologies need to be better skilled and should dedicate time to discussing risks and informing their customers about possible threats.

Follow the Money — Stemming Hacker Habits Fri, 30 Jun 2017 08:22:00 -0500

Cybercrime has become a business — with everything from designers to customer service representatives to help monetize exploit kits, malware and DDoS botnets for hire. Gone are the days of the lone wolf hacker seeking to disrupt random organizations and websites for the “lulz.” Instead, there are fully fitted businesses selling their malicious services. What has given rise to new criminal business models?

The resurgence of attacks, from ransomware to DDoS attacks at massive scale, has been blamed on many factors. IoT is adding new points of vulnerability, network complexity due to the cloud has made it difficult to monitor and protect data flows, and digitization has networked all parts of an organization. Although these things do factor into recent attack trends, more important is the hacker’s motivation — which often follows the path of least resistance and greatest reward.

As in any legal business operation, cashing in on the opportunity for revenue growth is a must for criminals. And the path cyber criminals have taken has been driven by the prospect of an easy buck.

Tech Progress — A Double-Edged Sword

Technological advances in the workplace have changed and will continue to change how people work. But while they allow for greater productivity by way of streamlined workflows, hyperconnectivity, automation and more, they are a double-edged sword. Things like the cloud and IoT have added another layer of complexity and almost limitless compute power and, in turn, make cybersecurity even more difficult.

For instance, clandestine devices and solutions are being brought into organizations unbeknownst to IT and security, ranging from personal connected devices to the use of unapproved cloud applications. This results in network visibility gaps that can be exploited by nefarious actors. All it takes is for a hacker to find this gap and exploit it for their benefit. It’s much easier to find a crack in a wall than it is to guard all of it.

Cyber Theft is Easy Money

In an unmonitored network, cybercrime and making money becomes easier for hackers — and cybercriminals aren’t missing a step in this seemingly easy-to-exploit environment. In 2016, we saw a record high of 1,093 breaches according to a recent report from Identity Theft Resource Center (ITRC) and CyberScout. This is a 40 percent spike over the previous year. And if recent headlines are any indicator, cybercriminals are likely to break the record again by the end of 2017.

The motivator is not just how easy it can be to get into a given network but the quick and big payout it can provide. In the case of the past year’s breaches, over 36 million records were exposed. Databases’ worth of information were taken and then sold on the dark web on sites specially created for the purpose. It’s an entire ecosystem, as each record containing personally identifiable information (PII) can go for $20 USD. With thousands of records being sold at a time, it’s a large monetary win for cyber criminals that far outweighs the risk. Not to mention, they rarely face direct repercussions, as attribution is tenuous at best.

Shoring Up Defenses

In an attempt to prevent hackers from breaching their network, organizations across industries have begun to heavily invest in security. Cybersecurity Ventures predicts global security spending will exceed $1 trillion between 2017 and 2021. But throwing money at the problem will not solve it. As evidenced by a large number of breaches, best-in-breed solutions are not enough. Businesses can’t just plug and play, they need to have deep insight into their network in order to best orchestrate and manage solutions, traffic and, in turn, threats.

At the crux of this effort lies visibility. Without a single source of truth to work from and the network visibility to build on, organizations are haphazardly plugging holes — often, too late. Organizations need to ensure they take a step back before diving into the deep end of security. Cybercriminals only need to find one flaw to exploit and, without insight into where that can happen, organizations are left blind and unable to correct the flaws before it’s too late.

Cybercriminals aren’t stopping anytime soon. Ensure you have a finger on the pulse of your network or be ready to become another notch on a hacker’s belt.

Survey Shows Employers under Pressure to Keep Mobile Workers Safe Fri, 30 Jun 2017 06:21:00 -0500

According to a new report, “Protecting the Modern Mobile Workforce” from Everbridge, Inc. (NASDAQ: EVBG), 77 percent of employers said their employees would prioritize safety over privacy concerns when it comes to identifying their location during a critical event. And while more than 80 percent of employers regard it as their responsibility to locate, share information and confirm safety of mobile employees during critical events – it remains a challenge for them.

The report includes findings from a May 2017 survey which polled security, risk management, business continuity and emergency management leaders at 412 organizations across a broad range of industries, about how they inform and protect employees when threats such as an active shooter, terrorist attack, workplace violence, or severe weather put the personal security of mobile employees at risk.

With 72 percent of the U.S. workforce expected to be made up of mobile workers by 2020, companies will face new challenges as traditional physical security approaches aimed at protecting employees within company facilities will no longer apply to a majority of the workforce.

“The 2017 State of Telecommuting in the U.S. Employee Workforce Report,” recently announced by Global Workplace Analytics and FlexJobs, reports that the number of telecommuting workers has increased 115 percent in a decade, totaling 3.9 million workers. In fact, telecommuting exceeded public transportation as the commute option of choice in more than half of the top U.S. metro areas, and 40 percent more U.S. employers offered flexible workplace options than they did in 2010.

As the number of remote workers continues to climb, more pressure is being placed on companies to keep employees safe – regardless of whether they’re in the office or working remotely. Unfortunately, only 37 percent of employers confirm maintaining an accurate record of where employees are expected to be during working hours.

The good news is that with 83 percent of employers confirming that it’s their responsibility to do more to locate mobile workers who are potentially at risk – including alerting them to local threats and confirming their safety – you can bet discussions in board rooms worldwide will increasingly focus on how to effectively locate and confirm mobile employee safety.

About the author: Vincent Geffray is the Senior Director of Product Marketing at Everbridge. He has spent the past 15 years in IT operations and management solutions, with a focus on IT Alerting and communications.

Lax IIoT Cybersecurity: the Perfect Breeding Environment for Industroyer Thu, 29 Jun 2017 11:30:00 -0500

The growing threat against industrial environments is increasingly met by sub-par cybersecurity considerations. Jalal Bouhdada, Founder and Principal ICS Security Consultant at Applied Risk, explores the threat of poor security for IIoT technology, including why the industry must prioritise cybersecurity to ensure long-term profitability.

The second major malware iteration to target Industrial Control System (ICS) technologies directly, Industroyer, is believed to be the source behind the 2016 attack against Kiev, Ukraine, which brought down segments of the electrical grid. The malware was designed to focus on unsecured Industrial Internet of Things (IIoT) ICS devices, propagated through IT systems, and is reportedly able to manipulate existing process commands to flip breakers, potentially resulting in downtime across power plants.

Whilst this is the second technology of its type to target ICS technology directly in the wild, there are a number of Proof of Concept (PoC) attacks demonstrably able to achieve the same result. Industroyer malware is unfortunately neither new nor unexpected to those within the security industry; attacks such as this are a natural conclusion of poor security practices and unsecured IIoT devices. While the risks may seem clear to security professionals, it has been found that suppliers, system integrators and end users often believe their systems to be secure, only to later fall victim to a breach.

Technological convergence - defending against unknown unknowns

Despite 83 per cent of organisations utilising ICS technology claiming they are well prepared to face cyber-attacks, half of global organisations revealed they had suffered between one and five security incidents in the last year. As industrial environments increasingly see convergence between IT and Operational Technology (OT) through IIoT technology, this trend of poor security will only get worse as best practice is neglected or ignored. Notably, among businesses utilising ICS technology, ineffective cybersecurity practices were found to cost each organisation up to £383,000 per year. Despite the increased risk of downtime and an exponentially growing financial incentive to ensure security, organisations often remain unsecured and vulnerable to attack.

As the adoption of new technology increases, so too will the associated risk. The operational benefits that come from IT and OT convergence in industry cannot be overstated. The advent of IIoT means that efficiency gains can be drawn from traditionally ‘dumb’ technology, with IoT in industrial environments set to add $14.2 trillion to the global economy by 2030. With this benefit, however, comes a greater threat level. Networking technology that has been designed with inadequate security considerations creates an ideal environment for hackers attempting to breach a system.

Security by design - the new business essential

The IIoT landscape is, by design, influenced by its consumer IoT counterpart. In the rush to drive products to market, technology is often not shipped or installed with security in mind. Originally, industrial control systems were designed to be used in air-gapped environments where outsider security threats were not a key consideration. With increasing risk to industrial environments through IIoT, business priorities must adapt to ensure both uptime and profitability. It is well known that a skills shortage exists among security professionals. Combined with human error, currently the weakest link in OT security, a skewed ratio is the result – one with too few security professionals to address a growing number of threats targeted at other staff.

With a revitalised focus on staff training, educating all employees with a baseline of cybersecurity know-how, organisations have an opportunity to ensure the security of their business and boost efficiency from the ground up. Within a supply chain, this requires products to be designed and tested to ensure security, contributing to a holistic security environment. Once this has been achieved, as an industry, collaboratively sourcing secure technology will be the next step. By only utilising technologies with strong security credentials, the industry will be pushed towards a supply chain where products are secure by design. This will assist in removing the burden from available security staff, allowing a greater degree of autonomy and proactivity around cybersecurity response.

In meeting the challenge posed by greater levels of threats and fewer cybersecurity specialists to meet them, a shift in focus is essential. Until security is accepted as a business enabler, and not a cost centre, attacks of this nature will continue uncontested.

About the author: Jalal Bouhdada has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission providers, water utilities, petrochemical plants and oil refineries.

The Upcoming Oracle CPU: Struggling to Keep Pace with Vulnerabilities Wed, 28 Jun 2017 11:27:00 -0500

Oracle releases a collection of security fixes for its products on the Tuesday closest to the 17th day of January, April, July, and October. These fixes are known as a Critical Patch Update (CPU), and are typically cumulative and address security vulnerabilities associated with Oracle products. April’s update, with fixes for 299 vulnerabilities across Oracle's platform, was its largest CPU to date.

With the next CPU landing on July 18, there’s plenty to consider.

The database and cloud computing giant sees its software used for vital operations by most of the Fortune 500. The Java-based open source software is used in mission-critical environments across the globe and on more than 15 billion devices.

April’s CPU contained patches for core components of Java products, many of them linked to commonly used third-party software that is standard among large financial services firms, healthcare providers and transportation companies. These sectors are constantly under attack from malicious hackers, making it of utmost importance to apply the most recent security patches as soon as possible – a task that can take even the most sophisticated organization months to complete.

With these releases, we have one of the largest software vendors in the world, with expert security resources and dedicated testing and remediation teams, belatedly discovering and responding to the presence of major, known-vulnerable components buried deep in the software stacks of their core software platforms.

To put things in perspective, Oracle finds a new flaw in its products every 100 hours. Some of the flaws included in the most recent CPU date back to 2012. That’s five years of an open, unpatched vulnerability. Now, to be fair, every software developer releases the equivalent of the Oracle CPU. However, Oracle’s market share makes it the bellwether of the entire industry.

Among the other fixes are more than thirty Java-related Common Vulnerabilities and Exposures (CVEs), eight of which directly affect the core Java platform. Nearly 70% of the Java-related CVEs are remotely exploitable without authentication.

Addressing years-old vulnerabilities in current patches is proof that we’re approaching a crisis point where our ability to respond in a timely and effective manner is at risk. We continue to rely primarily on traditional approaches that can’t keep up with the pace and volume of vulnerabilities. That’s not a sustainable model. This matters to so many organizations because of the ubiquity of third-party software. In a recent report on more than a thousand commercial web applications, 96% included third-party code. Of that, 67% had known vulnerabilities, with 52% being high severity vulnerabilities.

Open source components are not automatically or routinely patched, and it’s a challenge to keep up with vulnerabilities that require frequent patching. Unlike software from major developers, where patches are sent on a schedule, open source code in libraries and central repositories normally requires a user to seek out a patch or develop their own.

Fortunately, proven technology exists to help alleviate the massive scope of these security updates. Many companies offer solutions that approach application monitoring in a new way, along with protection using a secure virtual container in server and cloud environments. Third-party options offer approaches that behave like a patch without making code changes or affecting runtime speed, blocking attacks because they operate more deeply in the software, monitoring network packets, file system calls and CPU instructions.

The April CPU showed the scale of the challenge that the IT industry faces in securing modern modular enterprise applications that are composed of dozens or sometimes hundreds of third-party libraries and modules. Here’s something to think about next month: If a top vendor like Oracle struggles to account for and secure their third-party library dependencies in a major software platform like Oracle Fusion, then how can an “ordinary” enterprise that is not a sophisticated IT vendor be expected to do any better?

The fact that we’re still addressing vulnerabilities in Struts v1 and Apache Commons years after the issues were first raised is both surprising and troubling. The Struts 2 patch is less surprising, because the vulnerability it fixes was first disclosed in March 2017, but it is no less troubling, as it points to the continuing problems associated with third-party software components.

An average of ten new open source flaws are reported every day. But the ability to find these problems isn’t the issue. It’s fixing them. Oracle's security team is doing the best it can, but like all cybersecurity teams, they struggle to keep up with the constant waves of vulnerabilities that are being discovered.

Every effective cybersecurity approach developed over the past two decades is fully integrated into the way businesses protect themselves today. The massive scale of vulnerabilities and ubiquity of software flaws, though, means that the measures we’ve relied upon for twenty-plus years are now unable to provide the level of protection required going forward.

Diligent system maintenance, consistent patching, and both automated and manual third-party security solutions are all necessary for end-users to be fully protected.

About the author: James Lee is the Executive Vice President and Chief Marketing Officer at Waratek Inc., a pioneer in the next generation of application security solutions.

Copyright 2010 Respective Author at Infosec Island
Malware Prevention Key to Countering Evasive Attack Techniques Wed, 28 Jun 2017 09:26:52 -0500 Security teams had an unpleasant wake-up call on May 12, 2017, as a malware attack dubbed WannaCry spread rapidly to hundreds of companies, holding hundreds of thousands of systems hostage with ransomware until its spread was slowed by a young security researcher who registered the worm’s kill-switch domain. Those who know their systems are vulnerable were reminded once again of the potential damage such worms can cause: inability to access files leads to downtime, lost productivity, and more.

Instead of running fire drills and wringing their hands, companies should look at what happened as an opportunity to reflect upon their endpoint security architecture and try to better understand the role of the various defense layers that comprise it. As the post-WannaCry reports shed light on what happened, it’s useful to discuss questions like: What controls could have dampened the worm’s propagation? What measures could have been effective at preventing the infection? How might these security controls work or fail in future, copycat variations of this attack?

A widespread malware attack that exploits a known Microsoft vulnerability should not surprise anyone who is paying attention. Ransomware incidents have spiked, with damage totals increasing from $325 million in 2015 to a projected $5 billion in 2017. The SANS Institute reports that malware programs capable of evading detection rose 2,000% in one year (2014-2015). Evasive techniques enable malware to bypass firewalls, gateways and sandbox analysis tools; extended sleep timers that outlast a sandbox’s analysis window and fast-flux DNS for command-and-control infrastructure are both common. Legacy systems, third-party devices and loosely administered computers are among those hit hardest. It is important to assess risk regularly: confirm that endpoint defenses across the enterprise are in place, functioning as expected, and integrated to reinforce each other. More emphasis should be placed on prevention as the primary defense; detection is an important back-up layer, but it is not foolproof and often leads to delayed incident response.

The best methods for defending against WannaCry and similar incidents are not a mystery; basic best practices can be executed with free and commercial tools. In any given attack, some security components might fail. Consider potential scenarios and plan to mitigate the biggest risks. For example, backing up important data is an essential defense against ransomware attacks. The following measures help establish a resilient environment:

  • Segment the network and block unnecessary protocols. WannaCry spread over SMB, exploiting the legacy SMBv1 dialect. Microsoft recommends disabling SMBv1 outright; if you still need SMB internally, block it (TCP port 445) at the perimeter so it cannot be reached from outside the organization.
  • Keep up with security patches. WannaCry exploited a Windows vulnerability for which Microsoft had published a patch (MS17-010) two months earlier, in March 2017. Some machines cannot be patched quickly enough, and some cannot be patched at all; in those cases, harden and isolate the unpatched machines.
  • Install and regularly update anti-malware software. From the start of the outbreak, AV vendors were successfully identifying WannaCry components as malicious.

Stealthy attack methods are designed to evade these baseline mechanisms, so you also need endpoint defenses that disarm malware that AV does not recognize. This forces malware authors to “pick their poison.” If they build in evasive capabilities, a prevention-oriented approach can simulate the presence of the security tools the malware is looking for, so the evasive code paralyzes itself and aborts the attack before any damage is done. If they leave the stealthy techniques out, baseline antivirus blocks the specimen.

It appears that the WannaCry authors didn’t implement evasion techniques (e.g., sandbox avoidance and memory injection), but it is quite possible that future derivatives will. By combining a preventative malware-neutralizing approach with baseline antivirus solutions, organizations will be protected regardless of which method malware developers choose.

It can be difficult to defend legacy systems and services without impeding performance, violating vendor contracts, or inconveniencing business users. Attackers are well aware that systems missing patches are often also missing baseline antivirus and other endpoint defenses; the WannaCry worm was optimized to propagate rapidly through vulnerable machines.

Malware vaccination can help stabilize legacy technology and distributed systems. Any enterprise not yet using an anti-evasion solution can immunize itself against fast-spreading worms with vaccination. New approaches that simulate infection markers are proving effective in real-world scenarios. Centrally managing vaccination through simulated infection markers eases deployment while preserving forensics capabilities and overall performance.

Some defenses (e.g., infection markers and sandbox malware analysis) are too computationally intensive to be practical for universal or continuous deployment. Detection-based solutions aren’t foolproof and generate false positives and alerts that have to be prioritized. Prevention-based solutions that account for evasive techniques can be extended to every endpoint via low-footprint agents that neutralize malware before it ever executes itself.

We can’t stay in the malware arms race by building a tool for every trick malware creators conjure up. It’s critical that we develop broadly applicable methods that frustrate their efforts by turning those tricks into defensive weapons. Creative countermeasures like malware prevention leverage the evasive mechanisms built into viruses to shut them down before they can sneak in and wreak havoc.

About the author: Eddy Boritsky is the CEO and Co-Founder of Minerva, an endpoint security solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.

Don’t get lost in translation when managing mixed firewall estates Tue, 27 Jun 2017 09:07:00 -0500 The first commercial firewall, the DEC SEAL, shipped in 1992. 25 years later the firewall is still the core building block of organizations’ security infrastructures. Of course, it has evolved dramatically since those early days, with each stage of evolution adding ever more sophisticated security features.

We’ve evolved from the stateful firewall, which tracks bi-directional traffic streams as a whole so that users need write policies only for the initiating direction, to the next-generation firewall (NGFW), which supports more granular filtering and deep packet inspection to identify application-specific traffic rather than just network protocols and port numbers. The adoption of virtualized datacenters led to virtualized firewalls, adding yet more devices that need to be managed. And now, with the move to private and public clouds, there are even more security controls available: commercial cloud firewalls, the cloud providers’ own controls, and host-based firewalls.

Translation problems

The current reality is that organizations typically have very mixed environments: a mixture of firewall generations, technologies, and vendors. Managing such a mix is a challenge because each generation of firewalls, and each vendor’s products, use different syntax and semantics for creating security policies.

For example, let’s look at an enterprise network which uses both traditional firewalls and NGFWs. The organization may have a company-wide policy of blocking access to social media sites, but its marketing department needs to be able to access Facebook. Facebook traffic passes through both types of firewall – which means new security policies need to be written for both.

For the NGFW, this is simple and intuitive. Facebook can be set as a predefined, ‘allowed’ application in the firewall rulesets, while access to other social media sites, and from other departments, remains blocked. The traditional firewall, however, has no concept of ‘Facebook’: it must be given explicit ‘source’, ‘destination’, ‘service’ and ‘action’ fields, with the service expressed as the protocols and ports Facebook uses (HTTP on TCP/80 and HTTPS on TCP/443) and the destination as the address ranges Facebook serves from. Leave the destination as ‘any’ and the rule allows all web traffic from marketing, not just Facebook.

So actually, making the security policy changes on the NGFW and traditional firewall involves very different processes and languages. The engineers configuring the devices must clearly understand the mapping between the applications (as they are defined in the NGFW), and their respective services, protocols and ports (as defined in the traditional firewall), so that the rules and policies can be set properly across both environments.

Any mistake or ‘translation error’ between products when writing those policies or making network changes has the potential to cause unexpected application outages or introduce security holes, either because crucial traffic is inadvertently blocked, or other traffic accidentally allowed. Multiply this across the dozens or even hundreds of firewalls on a typical enterprise network, and it’s a recipe for a hot mess.
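To make the translation concrete, here is an added Python example, not from the article or from any firewall vendor, that compiles an application-based rule into 5-tuple rules and then checks the two rulesets against sample flows to surface translation errors. The application-to-service map, the address objects and the network ranges are constructed for illustration (using the RFC 5737 documentation ranges); the compiler refuses an application with no destination object precisely because ‘any’ on TCP/443 would let every HTTPS site through.

```python
"""Compile an application-level (NGFW) rule into port-based rules for a
traditional firewall and verify both rulesets agree on sample flows.

Added example, not code from the article or from any firewall vendor.  The
application-to-service map, the address objects and the network ranges are
constructed for illustration (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical NGFW application objects resolved to transport services.
APP_SERVICES = {
    "facebook": [("tcp", 80), ("tcp", 443)],
}
# Hypothetical address objects: the ranges each application is served from.
APP_DESTINATIONS = {
    "facebook": ["203.0.113.0/24"],
}


@dataclass(frozen=True)
class AppRule:
    src: str      # source network (CIDR)
    app: str      # application name as the NGFW identifies it
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class L4Rule:
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def compile_app_rule(rule: AppRule) -> List[L4Rule]:
    """One application rule becomes one 5-tuple rule per (destination, service).
    Refuses to compile when no address object exists for the application,
    because 'any' on tcp/443 would allow every HTTPS site, not just this one."""
    services = APP_SERVICES.get(rule.app)
    dsts = APP_DESTINATIONS.get(rule.app)
    if not services or not dsts:
        raise ValueError(f"cannot translate {rule.app!r}: service or address object missing")
    return [L4Rule(rule.src, dst, proto, port, rule.action)
            for dst in dsts for proto, port in services]


def l4_decision(rules: List[L4Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation of the traditional firewall with an implicit final deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto == proto and r.dport == dport):
            return r.action
    return "deny"


def app_decision(rules: List[AppRule], src: str, app: Optional[str]) -> str:
    """First-match evaluation of the NGFW, which sees the application, not the port."""
    s = ip_address(src)
    for r in rules:
        if s in ip_network(r.src) and r.app == app:
            return r.action
    return "deny"


def find_mismatches(app_rules: List[AppRule], l4_rules: List[L4Rule],
                    flows: List[Tuple[str, str, str, int, str]]) -> List[Tuple]:
    """Each flow is (src, dst, proto, dport, app identified by the NGFW).
    Returns the flows on which the two firewalls disagree: translation errors."""
    mismatches = []
    for src, dst, proto, dport, app in flows:
        want = app_decision(app_rules, src, app)
        got = l4_decision(l4_rules, src, dst, proto, dport)
        if want != got:
            mismatches.append((src, dst, proto, dport, app, want, got))
    return mismatches


MARKETING = "10.10.0.0/16"                     # constructed department network
APP_POLICY = [AppRule(MARKETING, "facebook", "allow")]

# Constructed sample flows: (src, dst, proto, dport, app the NGFW identified).
SAMPLE_FLOWS = [
    ("10.10.4.7", "203.0.113.20", "tcp", 443, "facebook"),    # marketing -> Facebook
    ("10.20.1.1", "203.0.113.20", "tcp", 443, "facebook"),    # another department -> Facebook
    ("10.10.4.7", "198.51.100.9", "tcp", 443, "other-site"),  # marketing -> some other HTTPS site
]

if __name__ == "__main__":
    compiled = compile_app_rule(APP_POLICY[0])
    for r in compiled:
        print(r)
    print("mismatches with address object:", find_mismatches(APP_POLICY, compiled, SAMPLE_FLOWS))
    # The tempting shortcut, destination 'any', lets the third flow through.
    naive = [L4Rule(MARKETING, "0.0.0.0/0", "tcp", 443, "allow")]
    print("mismatches with destination any:", find_mismatches(APP_POLICY, naive, SAMPLE_FLOWS))
```

The compiled ruleset agrees with the application policy on all three flows, while the ‘destination any’ shortcut disagrees on the third: marketing reaches an unrelated HTTPS site that the NGFW would have blocked. That is the kind of silent over-permission a translation error introduces, and the flow-based comparison is the check worth running before either ruleset is pushed.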

Cloud complications

When these processes are extended to cloud deployments, IT teams encounter additional challenges, depending on the cloud security controls being used. One cloud provider may allow multiple security groups to be associated with a particular server, while another may allow only a single security group per server but may also allow a security group to be applied to all the servers in a VLAN. At a high level, you may be able to identify a lowest common denominator for basic traffic filtering, but once you need the more elaborate, granular filtering that enterprise networks require, some providers will have certain capabilities and others will not.

And again, each provider has a different semantic model of what you can filter, and where those controls are applied; these will also differ from the on-premise firewalls that an organization will already have in place.

These different languages mean that taking an organization’s security policy, and applying it across several different types of firewall across a heterogeneous network environment is extremely complicated – meaning that making even outwardly simple changes (such as enabling Facebook or Youtube access for a department in the company) is fraught with risk.

Breaking down language barriers

So how do you remove the risk from making what should be simple, business-led changes to security policies, and reduce the need for IT teams to speak multiple firewall languages fluently? What is needed is a way to translate between the different syntaxes and phrases that each type of security control, whether on premise or in the cloud, uses to build its rules and policies, so that IT teams can make their security estate understand the language of their business.

To transcend language barriers and effectively optimize and manage security across a mixed environment from a single console with a single set of commands, you need an automated management solution with four key capabilities:

  1. Visibility and control. You need to be able to visualize all of the firewalls, gateways and security controls on your entire network in a single pane of glass.
  2. Managing normal changes. You need to be able to configure and manage these security products holistically as part of normal, day-to-day operations. So the solution you choose must be able to translate and interpret the different syntax and logic used by all your various security controls, and automate the implementation of security policy changes consistently. The solution should also document all of these changes.
  3. Managing larger changes. Major network architecture changes also place great demands on security policy management. You need to be able to adjust your security policies automatically across the heterogeneous environment when, for example, you migrate data centers or applications to the cloud, or when a team moves from one vendor to another.
  4. Demonstrating compliance. Network security is a key area in which you need to be able to demonstrate compliance to auditors and regulators. A solution that automatically tracks all processes and changes, proactively assesses risk and provides out-of-the-box audit reports can help you be audit-ready and maintain continuous compliance.

A common tongue

With the right solution, organizations can ensure that their entire estate of firewalls both understands and responds to a common set of security requirements, no matter where the firewalls are deployed. This lets policies be applied consistently, without time-consuming, error-prone manual processes, and ensures network traffic can move securely across both on-premise networks and private or public cloud environments. After all, your business’ security and compliance are two things that you can’t afford to get lost in translation.

Make Sure We're Using the Same Language Tue, 27 Jun 2017 06:01:00 -0500 A new spin on an old cyberattack threat was uncovered earlier this year by a Chinese security researcher, and has been reported on extensively by security press and publications.

While this repurposed threat has not yet been seen or experienced publicly, it is a particularly devious one that can potentially lead to a spate of phishing attacks meant to spread malware and steal critical credentials.

The re-spun threat leverages non-ASCII characters found in non-Latin alphabets, many of which closely resemble or are indistinguishable from letters of the Latin alphabet used for English. The Domain Name System itself carries only ASCII labels, so internationalized domain names written in Unicode (the computer industry standard for representing text in the world’s writing systems) cannot be placed in the DNS directly. The Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organization responsible for coordinating the databases that make up the Internet’s naming system, has also long recognized the other problem with Unicode names: many Unicode characters look alike, which confuses users, undermines trust in Internet naming, and readily enables phishing attacks.

This sort of attack is known as an internationalized domain name (IDN) homograph attack. It’s akin to another form of attack, typosquatting, in which a hacker leverages a similar, but usually misspelled word or brand name for nefarious purposes, like creating websites for phishing and credential theft.

Instead, IDNs are placed in the DNS as Punycode, the ASCII-compatible encoding defined by the IDNA standards. Punycode represents non-ASCII characters, such as those of non-Latin writing systems, using only ASCII letters, digits and hyphens, and an encoded label is marked with the prefix “xn--”.

Web browsers were intended to read a URL’s Punycode labels and translate them back into Unicode for display. But many browser developers realized that Punycode could be used for malicious purposes, such as cloaking the URLs of phishing websites as valid-looking URLs.

Some web browsers, attempting to block spoofed URLs that use more than one writing system, include filters that check whether a label mixes alphabets. If a label contains both Latin and Cyrillic characters, for example, the browser renders it in Punycode instead of Unicode, and only renders a label in Unicode if all of its characters come from the same script. For instance, the plain ASCII label “bank” needs no encoding at all; but if someone spells it with the Cyrillic letter “ve” (в) in place of the first letter, the mixed-script label “вank” would be displayed as its Punycode equivalent, “xn--ank-edd”, because it mixes Latin and Cyrillic letters.

This all made sense, until earlier this year, when Xudong Zheng, a Chinese security researcher, uncovered a new attack variation.

The variation is this: if a domain is registered entirely in an alphabet whose characters closely resemble Latin letters, the label passes the mixed-script check, remains in Unicode and is not shown as Punycode, so it spoofs the real web site’s URL and lets a malicious person set up a phishing website behind what appears to be a legitimate address.

While this attack has not yet been found “in the wild”, it is an extremely dangerous variant because it is almost completely undetectable by eye. Only a sharp-eyed, trained observer might notice the slightest differences between the URLs; and only a truly security-conscious person would open the web page’s certificate, which shows the domain in its Punycode form. Other than that, the phishing page and attack could be imperceptible.

The example Zheng used in his blog post was “”. Simply using the lowercase Cyrillic letters “a” (а), “er” (р) and “ye” (е), plus a lowercase “palochka” (ӏ), which in Punycode reads “xn--80ak6aa92e”, he created a phishing web page that appears to belong to the “” domain.

Another example of a potential URL that could be created to fool users is “”. Using the Cyrillic lowercase letters “er” (р), “a” (а) and “u” (у), plus an uppercase “palochka” (Ӏ), which in Punycode reads “xn--80aa0cbo66e”, the URL would appear in certain web browsers as “раураӀ.com”. As you can see, it is nearly impossible to tell the real URL using Latin letters from the one using Cyrillic letters.

In the initial research findings, several very popular web browsers fell victim to this homographic attack. Google Chrome, Mozilla Firefox, and Opera could not differentiate between the English/Latin letters and Cyrillic letters in a URL. And, since only one writing system or alphabet was used, and it wasn’t a mixed alphabet being used, there were no red flags raised.

Since this attack variant was first reported, Google has upgraded Chrome to address this issue.  A permanent fix to address the Punycode issue landed in Chrome Stable 58. Opera addressed the situation in a late April 2017 release (Opera Stable 44.0.2510.1449).

Mozilla has, to date, not said publicly whether it will address this issue in a dedicated patch or a future release. Mozilla did augment its TLD whitelist with a check “based on ascertaining whether all the characters in a label all come from the same script, or are from one of a limited and defined number of allowable combinations,” and Mozilla is betting that any mixed-language or mixed-script homographs “will be recognizable to people who understand that script.” There is, however, a manual way for Firefox users to show the Punycode form of a URL instead of Unicode: in the address bar, type about:config and set the network.IDN_show_punycode preference to true.
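The following Python example (added here; not code from Zheng’s post, from the article or from any browser) decodes the Punycode labels quoted above and applies two display policies: the mixed-script check the article describes, which catches “вank” but lets “аррӏе” through, and a whole-script look-alike check approximating the rule Chrome 58 introduced, which also catches single-script homographs. The look-alike table is a small constructed subset of Unicode’s confusables data, and the example deliberately uses Python’s raw punycode codec rather than its idna codec, so it reproduces what a naive browser would display, including the label with a capital palochka, which strict IDNA round-trip checking can reject.

```python
"""Decode IDN labels and decide whether to display them as Unicode or Punycode.

Added example, not code from the article, from Zheng's post or from any
browser.  CYRILLIC_LOOKALIKES is a small constructed subset of Unicode's
confusables data, and the display rules approximate browser behaviour.
"""
import unicodedata

ACE_PREFIX = "xn--"

# Cyrillic letters whose glyphs match Latin letters in common fonts (constructed subset).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u04c0": "l",  # small and capital palochka
}


def decode_label(label: str) -> str:
    """Unicode form of one DNS label.  Uses the raw 'punycode' codec rather than
    the 'idna' codec on purpose: the idna codec performs IDNA round-trip checks
    and can reject a label that decodes to a capital letter, whereas the point
    here is to see exactly what an unvalidated label would render as."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")


def encode_label(label: str) -> str:
    """Inverse of decode_label: ASCII labels pass through, others get xn--."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def scripts_of(label: str) -> set:
    """Scripts of the letters in a label, read off the Unicode character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def mixed_script(label: str) -> bool:
    return len(scripts_of(label)) > 1


def whole_script_confusable(label: str) -> bool:
    """True when every letter is a Cyrillic look-alike of a Latin letter: the
    label is single-script, so it passes the mixed-script check, yet reads as
    a Latin name.  This is Zheng's case."""
    letters = [ch for ch in label if ch.isalpha()]
    return bool(letters) and all(ch in CYRILLIC_LOOKALIKES for ch in letters)


def latin_skeleton(label: str) -> str:
    """The Latin string a user would read the label as."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def display_label(ace: str, check_confusables: bool) -> str:
    """What the address bar shows for one label.  check_confusables=False is
    the mixed-script-only policy the article describes; True adds the
    whole-script look-alike rule."""
    unicode_form = decode_label(ace)
    if unicode_form.isascii():
        return unicode_form
    if mixed_script(unicode_form):
        return ace
    if check_confusables and whole_script_confusable(unicode_form):
        return ace
    return unicode_form


def display_host(host: str, check_confusables: bool = True) -> str:
    return ".".join(display_label(label, check_confusables) for label in host.split("."))


if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "xn--80aa0cbo66e.com", "xn--ank-edd.com"):
        u = decode_label(host.split(".")[0])
        print(f"{host} -> {u!r} reads as {latin_skeleton(u)!r}; "
              f"mixed-script policy shows {display_host(host, False)}; "
              f"look-alike policy shows {display_host(host, True)}")
```

Under the mixed-script policy “xn--ank-edd.com” is shown as Punycode but “xn--80ak6aa92e.com” is shown as Cyrillic text that reads as apple.com; the look-alike policy shows both as Punycode while still rendering a genuine Cyrillic word such as “банк” (which contains letters with no Latin twin) in Unicode. The skeleton function is the same idea a mail gateway or brand-monitoring job can use to compare a decoded label against a list of protected names.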

Microsoft Edge, Internet Explorer and Apple Safari have thus far been immune to this attack. Apart from switching browsers, one option that can alleviate this threat is isolation technology, which makes use of disposable virtual containers and advanced rendering technology.

While it hasn’t been seen or released into the wild – yet – this IDN homographic attack is simultaneously, deviously innovative and treacherous, and something that needs to be planned for before it’s launched as an invisible, undetectable phishing assault.  

Ztorg Trojan-SMS Infects Google Play Apps Sat, 24 Jun 2017 08:35:29 -0500 Newly discovered Google Play applications infected with the Ztorg Trojan family no longer request root privileges on compromised devices, Kaspersky Lab security researchers reveal.

Late last year, Kaspersky warned of how popular Ztorg-infected applications had become in Google Play, where one of them gathered over 50,000 downloads within a single day. Millions of users downloaded the various applications that were infected with the Trojan before being published in the official application store.

Now, the security firm says that newly observed infected apps no longer use exploits to gain root rights on the infected devices, although they continue to show malicious behavior. The programs, Kaspersky reveals, pack a Trojan-SMS that can send Premium rate SMS and delete incoming SMS.

Dubbed Magic browser, one of the applications was uploaded to Google Play on May 15, 2017 and had been installed more than 50,000 times before being removed from the store. A second application, called Noise Detector, was downloaded more than 10,000 times.

Both apps include a Ztorg Trojan variant designed to hinder analysis by waiting for 10 minutes before first attempting to contact the command and control (C&C) server. The malware makes two GET requests to the C&C and includes part of the International Mobile Subscriber Identity (IMSI) in both of them.

The first request contains the IMSI’s first three digits, which are the MCC (mobile country code), while the second request includes the first five digits, where the fourth and fifth are the MNC (mobile network code). (MNCs are two or three digits depending on the country, so five digits identify the operator only where two-digit MNCs are in use.) This allows the cybercriminals to identify the country and mobile operator of the infected user and determine which premium-rate SMS should be sent.

The server responds with an encrypted JSON file that should include a list of offers, each carrying a string field called ‘url’, which may or may not contain an actual URL. The Trojan tries to open the field using its own class: if the value is a URL, the content is displayed to the user; if the field contains other data including an “SMS” substring, a message with the supplied text is sent to the number provided.

Just after receiving URLs to visit or SMS messages to send, the Trojan turns off the device sound and starts deleting all incoming SMS, Kaspersky’s Roman Unuchek explains.

Malicious apps with the same functionality but distributed outside Google Play were also discovered; these resemble an additional module for another Trojan rather than standalone malware. They were installed by a regular Ztorg Trojan along with other Ztorg modules, the researcher discovered.

Analysis of the JS files received by these Trojans revealed a function called “getAocPage,” most likely a reference to AoC (Advice of Charge). These files, Unuchek says, were designed to perform clickjacking attacks on web pages with WAP billing, which allowed the Trojan to steal money from the user’s mobile account.

“WAP billing works in a similar way to Premium rate SMS, but usually in the form of subscriptions and not one-time payments as most Premium rate SMS. It means that URLs which the Trojan receives from the C&C may not only be advertising URLs, but also URLs with WAP billing subscriptions,” the researcher explains.

All of the observed Trojans, including the Google Play ones, attempt to send SMS messages from the infected devices. Magic browser, for example, tries to send SMS from 11 different places in its code. This means that it can send messages on different Android versions and devices.

“The Magic browser app was promoted in a similar way to other Ztorg Trojans. Both the Magic browser and Noise detector apps shared code similarities with other Ztorg Trojans. Furthermore, the latest version of the Noise detector app contains the encrypted file girl.png in the assets folder of the installation package. After decryption, this file becomes a Ztorg Trojan,” the researcher notes.

The researcher also discovered other Trojans packing the same functionality, which were installed by a regular Ztorg Trojan. A malicious app called Money Converter observed in April 2017 was using Accessibility Services to install apps from Google Play without user interaction, even without root access. The app had over 10,000 installs in Google Play.

