Infosec Island Latest Articles

Internet Companies Partner to Combat Terrorist Content Wed, 07 Dec 2016 07:42:00 -0600 Major Internet players, including Facebook, Microsoft, Twitter, and YouTube, are teaming up to create a database designed to help combat the spread of terrorist content online.

The involved organizations are already engaged in fighting terrorism online, either by removing offending content from their platforms, or by suspending accounts related to terrorism, but the new collaboration should help them better identify terrorist content on their consumer platforms and increase their efficiency in the fight against this global issue.

Earlier this year, Microsoft updated its terms of use to prohibit the posting of terrorist content on its services, while Twitter, which formed a Trust & Safety Council to tackle violent behavior on its platform, announced the suspension of over 360,000 accounts related to terrorism.

In a joint announcement this week, the four revealed that the shared database will contain hashes (unique digital “fingerprints”) of the “violent terrorist imagery or terrorist recruitment videos or images” that have been removed from their services, and that each participant will be able to query these hashes. A hash of this kind matches only a file whose bytes are identical to the original, so a re-encoded or cropped copy of the same video would not match unless a perceptual (similarity-preserving) hash is used; the announcement does not say which type the companies use.

“There is no place for content that promotes terrorism on our hosted consumer services. When alerted, we take swift action against this kind of content in accordance with our respective policies,” the joint statement reads.

As part of this collaboration, the four will begin sharing hashes of “the most extreme and egregious” terrorist content they find on their services. Such images and videos typically violate the companies' content policies and are removed from the public services.

Each participating company will add hashes of terrorist content found on its own service, so that the others can use them to identify the same images or videos on theirs. A match lets a participant review the content against its own policies and definitions and remove it where appropriate.

The shared information will not include personally identifiable information, and each company will independently decide what content it contributes. Matching content is not automatically removed from the other services.

“Each company will continue to apply its own policies and definitions of terrorist content when deciding whether to remove content when a match to a shared hash is found. And each company will continue to apply its practice of transparency and review for any government requests, as well as retain its own appeal process for removal decisions and grievances,” the announcement reads.

The participants also intend to bring more companies into the initiative, in the hope of improving users' privacy and their ability to express themselves freely and safely. The ultimate goal is to engage a wider community in preventing the spread of terrorist content online while protecting human rights.

Although not yet part of this initiative, other organizations are also working on the removal of “propagandistic terrorist messages present on the Internet.” As part of a two-day concerted action involving dedicated units in Belgium, France, the Netherlands and Romania, “1814 pieces of terrorist and violent extremist online content have been assessed for the purpose of referral to online platforms,” Europol announced today.

The campaign was held at Europol’s headquarters in The Hague on 29 and 30 November and focused on the terrorist content produced by media outlets associated with two specific organizations: IS and al-Qaeda.

As Internet companies and law enforcement intensify their fight against content produced by terrorist organizations, those groups are increasing their efforts to spread propaganda on social media platforms. They have also “diversified their strategy by being active on several social media platforms and by using numerous accounts to radicalize, recruit and direct terrorist activity,” Europol notes.

Copyright 2010 Respective Author at Infosec Island
The 4 Cs of Automated Incident Response Tue, 06 Dec 2016 08:04:37 -0600 It’s almost a certainty that you’ve heard of the 4 Cs of diamond quality. Created by the Gemological Institute of America (GIA) in 1953 as an international standard for judging the most valuable characteristics of a diamond, the 4 Cs are cut, color, clarity and carat weight. It’s also a clever mnemonic device to easily remember the four categories of evaluation.

Just as there was no universally accepted method for judging a diamond’s quality or assessing relative value before 1953, we’re currently in a phase in security where there are an ever-expanding number of automated incident response solutions, and no standard method for judging quality or value.

The number of products is on the rise in categories like:

Taking a page from the GIA, what would be the 4 Cs for evaluating automated incident response? The question is open to interpretation, but from my perspective they would be the following:

The First C: Connection

Any solution that intends to automate the process of responding to security alerts to investigate threats and remediate incidents must be able to integrate with its customers’ existing security tools. Expecting a single tool to replace all the existing solutions on the market is at best a pipe dream, and at worst a recipe for disaster.

The Second C: Capacity

Automating incident response should add capacity. By taking on the manual, repetitive and tedious work of investigating every potential threat, an automated solution both absorbs that workload and frees valuable security staff to focus on more important work.

The Third C: Capability

Any automated incident response solution worth its weight (pun intended) should provide new capabilities that simply weren’t possible otherwise. Simply adding speed is a nice-to-have, but adding new capabilities at machine speed makes IR automation a force multiplier.

A few examples of added capabilities:

  • An automated system that can immediately launch parallel investigations based on what it learns from investigating one alert
  • A solution that can use artificial intelligence to compare and incriminate threats against intelligence feeds
  • A tool that can stop a ransomware attack in-progress

The Fourth C: Confidence

Perhaps I’m shoe-horning the category name to fit the pattern, but in using confidence, I’m referring to a user’s ability to rest easy, knowing that every alert and threat – however big or small – is being investigated.

Many companies today have tuned their detection systems to match their investigative capacity. As many will admit, they are not ignoring low-fidelity alerts; they are adding them to a backlog saved for another day. Yet the headline-grabbing breaches of the last few years, Target and Sony among them, were not failures of detection. The threats were detected and alerts were raised, sometimes several times, but because of the capacity mismatch they were never investigated.

Any automated IR system should be able to investigate everything in a timely way in order to give the customer the confidence that a front page headline isn’t hiding in the backlog.
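To make the "Capability" and "Confidence" points concrete, here is an added example (not Hexadite's code and not part of the original article) of the first capability listed above: one alert is investigated, and whatever it incriminates is used to launch parallel investigations of every other host, while a triage function works through every queued alert rather than leaving low-fidelity ones in a backlog. The host names, file hashes, domains and the threat-intelligence feed are all constructed for the example.

```python
# Added example (not Hexadite's or Infosec Island's code): fan-out investigation
# from a single alert over constructed endpoint telemetry.
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Constructed threat-intelligence feed: indicator -> verdict.
THREAT_INTEL = {
    "sha256:aaaa1111": "malicious",     # known dropper hash (made up)
    "c2.example.invalid": "malicious",  # known C2 domain (made up)
}

# Constructed endpoint telemetry: file hashes executed and domains resolved per host.
TELEMETRY = {
    "host-01": {"hashes": {"sha256:aaaa1111", "sha256:bbbb2222"}, "dns": {"c2.example.invalid"}},
    "host-02": {"hashes": {"sha256:bbbb2222"}, "dns": {"updates.example.invalid"}},
    "host-03": {"hashes": {"sha256:cccc3333"}, "dns": {"c2.example.invalid"}},
    "host-04": {"hashes": {"sha256:aaaa1111"}, "dns": set()},
}


@dataclass
class Finding:
    host: str
    indicators: set   # indicators actually observed on this host
    verdict: str      # "malicious" or "benign"
    origin: str       # "alert" or "pivot:<host>" that produced the finding


def investigate_host(host, seed_indicators, origin):
    """Check which seed indicators are present on one host and score them against intel."""
    t = TELEMETRY[host]
    present = {i for i in seed_indicators if i in t["hashes"] or i in t["dns"]}
    malicious = any(THREAT_INTEL.get(i) == "malicious" for i in present)
    return Finding(host, present, "malicious" if malicious else "benign", origin)


def investigate_alert(alert_host, alert_indicator):
    """Investigate one alert; if it incriminates the host, every malicious indicator
    observed on that host becomes a seed for parallel investigations of all other hosts."""
    first = investigate_host(alert_host, {alert_indicator}, origin="alert")
    if first.verdict != "malicious":
        return [first]
    observed = TELEMETRY[alert_host]["hashes"] | TELEMETRY[alert_host]["dns"]
    learned = {i for i in observed if THREAT_INTEL.get(i) == "malicious"}
    others = [h for h in TELEMETRY if h != alert_host]
    with ThreadPoolExecutor(max_workers=8) as pool:
        pivots = list(pool.map(lambda h: investigate_host(h, learned, f"pivot:{alert_host}"), others))
    # Keep only hosts on which at least one learned indicator was actually observed.
    return [first] + [f for f in pivots if f.indicators]


def triage_all(alerts):
    """The 'Confidence' property: every queued alert, low fidelity or not, gets investigated.
    Returns {(host, indicator): [Finding, ...]}."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = list(pool.map(lambda a: investigate_alert(*a), alerts))
    return dict(zip(alerts, results))


if __name__ == "__main__":
    for finding in investigate_alert("host-01", "sha256:aaaa1111"):
        print(finding)
```

Running it on the constructed data turns one alert on host-01 into three malicious findings (host-01 from the alert itself, host-03 and host-04 from the pivot), while host-02, which shares only a benign hash, is not incriminated.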

Applying the 4 Cs

As we look to solve incident response challenges through automation, this simple framework is a guide as to what I see as the areas where automation can provide the most value. What do you think – which Cs would you add to the list?

About the author: Nathan Burke is Vice President of Marketing at Hexadite. He is responsible for bringing Hexadite's intelligent security orchestration and automation solutions to market. For 10 years, Nathan has taken on marketing leadership roles in information security-related startups. He has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action.

Cybersecurity and Donald Trump: Where Do We Go From Here? Fri, 02 Dec 2016 13:16:00 -0600 Given the unforeseen results of the 2016 US Presidential election, it is hard to predict the future, particularly in sorting out campaign promises from policy intent.

In general, President-elect Donald Trump’s pro-jobs, pro-business resolve will likely loosen constraints on companies in terms of industry regulations and taxation while supporting employee expansion and capital investments. Trump will need to reconcile his image as a populist Washington outsider who will champion the common man with the business leader that will ease burdens and restrictions.

Changes are most certainly going to be made to cybersecurity. The election itself was tarnished with security issues that created at the very least tension, and at its pinnacle, a kind of hysteria. A string of email attacks that ensnared DNC leaders and even Hillary Clinton’s campaign manager revealed the impact that cyberwarfare can have on a national election.

However, cybersecurity concerns didn’t end with the high-profile DNC email hacks. There was talk of a “rigged” election which sent state elections agencies scrambling to ensure that the elections process was free from cyber threats and tampering.

Now, with growing outrage over the Yahoo breach and its lengthy notification delays, cybersecurity is becoming a runaway public issue. It could easily cost Yahoo a billion dollars or more in its acquisition price, which I like to call “the data breach discount,” or derail the agreement altogether. This comes against a backdrop of other attacks, including the National Security Agency (NSA) having its clandestine exploits stolen and offered up for auction to the highest bidder. Tesco Bank and Adult FriendFinder also learned recently how dangerous, and damaging, cyber-attacks can be.

Data breaches are not only becoming larger and more frequent, they are generating more devastating consequences. Manipulation of financial systems and the resulting losses at international banks show that cyber-attacks can lead to fraudulent wire transfers, losses in the millions of dollars, and potentially even financial instability. And what could be more frightening than the disclosure last month by International Atomic Energy Agency director Yukiya Amano that an unnamed nuclear power plant had been “disrupted,” though not shut down, by a cyberattack? Imagine what could have happened.

Clearly cybersecurity will be a big issue for the President-elect, and it must be addressed in multiple dimensions. First, there is the federal government itself. Then there is the issue of how to better protect consumers. Finally, there are the offensive and defensive capabilities of cyberwarfare.

Most government agencies and functions face housekeeping and a stern review by the Trump Cabinet. If the public has sagging confidence in the ability of federal agencies to protect information and resources, something must change. There is a long track record of failure after failure, ranging from the Office of Personnel Management (OPM) to the Internal Revenue Service (IRS) to FBI and even the White House. Like most enterprises, Federal agencies are simply not equipped to find network attackers early and stop them before theft or damage occurs. This has to change.

Trump may appoint political outsiders to assess federal cybersecurity or may demand an accounting from each department. Top-down efforts have already improved security hygiene, but most agencies still lack true detection capability. Changes to authentication, access, encryption, network segmentation, patching and other security improvements are worthwhile tune-ups for preventive security and may make it harder for an attacker to reach assets, but they do not solve the overall attack problem. Like enterprises, federal agencies need the ability to find an active attacker, whether a malicious insider or a targeted external party, who is at work on the network and secretly pursuing their goals. They need to add a new approach that accurately detects such an attacker.

In terms of better protection for consumers dealing with commercial entities, Trump may well consider potent new legislation that imposes formidable requirements for safeguarding personal information and significant penalties on companies that suffer a data breach.

Sweeping legislation such as the General Data Protection Regulation (GDPR) in the EU would be a true test of business versus consumers for Trump. Once enforceable in May 2018, the GDPR sets out penalties of up to 4% of worldwide revenue or €20 million, whichever is greater. Even to a Fortune 500 company this represents a significant cost. In addition, companies face clean-up costs and settlement pay outs for damages.

Trump should weigh consumer concerns and frustrations against industry regulations that impinge on business. It is certainly reasonable for US citizens to expect that they would have similar protections as Europeans in regards to timely breach notification and the application of best practices to safeguard personal data. The level and magnitude of breaches today is alarming, and organizations should be compelled to apply the latest measures and best efforts to turn the tide. 

Finally, the election and some news cycles referenced the country’s overall cyberwarfare capabilities in terms of both offense and defense. Clearly threats may come from large or small countries.

  • Is cyberwarfare a cat and mouse game that is played out between any countries, or does a country like the US have a considerable advantage both offensively and defensively?
  • Does the US need to improve and grow its cyberwarfare abilities?
  • If pushed, could the government deliver a striking cyber blow on an antagonist?

At the same time, could it step in and properly protect infrastructure to avoid a catastrophe or meltdown of commerce and daily life?

By answering these questions, we can begin to devise a plan that will address today’s most critical security risks.

About The Author: Kasey Cross is the Director of Product Management at LightCyber, a company pioneering the use of machine learning and network visibility as a new approach to detecting network attackers. Cross has more than 15 years of management experience at leading networking and security companies including Imperva, A10 Networks and SonicWALL. Previously she was the CEO of Menlo Logic and led the company through its successful acquisition by Cavium Networks. Cross holds a degree in Economics and Physics from Duke University.

The Hidden Security Risks of Cloud APIs Fri, 02 Dec 2016 10:21:00 -0600 With the cloud market becoming increasingly crowded, developers are under mounting pressure to create more innovative solutions and reduce their costs. It is little wonder, then, that APIs (Application Programming Interfaces), which can drastically reduce development time, have become one of the most prized tools in any developer's arsenal. The benefits, however, come with an increased risk of attack.

An API is essentially a set of instructions or routines to complete a specific task, or interact with another system, from servers to other applications. Because APIs are able to perform tasks such as retrieving data or initiating other processes, developers can integrate different APIs into their software to complete complex tasks.

Transforming cloud software development

Where this has become a real game-changer for the industry is, rather than spending countless hours writing every aspect of the software from scratch, developers can simply pick from an increasingly large selection of best-of-breed APIs developed by specialists, and plug them straight in. This transforms the development process from a time-intensive grind to something more akin to building with Lego.

Using ready-made components enables developers to considerably reduce costs and time-to-market, and perhaps more importantly also frees up time and resources to pour into the innovative and unique features that will cause their application to stand out.

APIs are so useful that some of the world's largest companies are now making the majority of their revenue through them. Research from the Harvard Business Review found that Salesforce generates around half of its revenue through APIs, while Expedia uses them to create almost 90 per cent of its income. Alongside the big players are an endless selection of specialists, meaning that developers can access high quality APIs for almost any task.

Some of the most useful examples for cloud developers are APIs for Platform-as-a-Service that integrate with databases, portals, and messaging components, and APIs for Software-as-a-Service that connect the application layer to the IT infrastructure. Infrastructure-as-a-Service APIs can help with tasks such as quickly provisioning or de-provisioning cloud resources, or managing workloads and network configurations.

The hidden threat

For all their benefits, APIs also have a downside: they expose the cloud to a new attack vector, one that can be used to reach the back-end server the cloud application communicates with.

The weakness lies in the simple authentication that most API management solutions use to confirm that the client app on a device is genuine and authorized to use server assets. Typically this is a challenge-response exchange performed when the client app connects to the API server. Because the exchange is a cryptographic operation, the mobile client generally has to contain a private key for an asymmetric algorithm such as RSA or ECC, and that key ships inside every copy of the app.

If attackers can defeat the application's protections and decompile its code, they can dig out that key. Any application available for public download is particularly exposed, because it can be attacked offline and indefinitely until a weakness is found.

Once the key has been extracted, attackers can use it to make the system accept them as a legitimate client, giving them access to anything the API was authorised to reach. An API that reads data from the back-end server of a cloud application, for example, could let attackers break in and steal sensitive data or perform other malicious activity.
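The exchange described above, as an added example that is not part of the original article and not Arxan's code. It uses an HMAC shared secret from the Python standard library in place of the RSA/ECC private key the article describes, so that it runs offline; the lesson is the same, because a key lifted from the app answers the challenge exactly as the genuine app does. It also shows the server-side controls that still matter once a key has leaked: single-use challenges, scoping what an app key may do, and revocation. The key id, secret and scope names are constructed.

```python
# Added example (not Arxan's or Infosec Island's code). HMAC stands in for the
# asymmetric key the article describes; key ids, secrets and scopes are constructed.
import hashlib
import hmac
import os
import time


def answer_challenge(secret: bytes, nonce: str) -> str:
    """Client side: prove possession of the embedded key. A cloned client holding an
    extracted copy of `secret` runs exactly this code and gets exactly this result."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ApiServer:
    """Server side: issues single-use challenges, verifies responses against the
    registered key, then authorizes the requested scope and honours revocation."""

    def __init__(self, registered_keys, challenge_ttl=30):
        self.keys = registered_keys   # key_id -> {"secret": bytes, "scopes": set}
        self.revoked = set()          # key ids known to have leaked
        self.pending = {}             # nonce -> expiry time
        self.ttl = challenge_ttl

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.pending[nonce] = time.time() + self.ttl
        return nonce

    def verify(self, key_id: str, nonce: str, response: str, scope: str) -> bool:
        expiry = self.pending.pop(nonce, None)            # pop: a nonce is answerable once
        if expiry is None or time.time() > expiry:
            return False                                  # unknown, replayed or expired nonce
        if key_id in self.revoked or key_id not in self.keys:
            return False
        entry = self.keys[key_id]
        expected = answer_challenge(entry["secret"], nonce)
        if not hmac.compare_digest(expected, response):   # constant-time comparison
            return False
        return scope in entry["scopes"]                   # authenticate, then authorize


def demo():
    """Genuine client, cloned client, replay, over-scoped request, and revocation."""
    registry = {"app-v1": {"secret": b"constructed-secret-baked-into-the-app",
                           "scopes": {"catalog:read"}}}
    server = ApiServer(registry)
    genuine_secret = registry["app-v1"]["secret"]
    extracted_secret = bytes(genuine_secret)   # what a decompiling attacker walks away with

    n = server.challenge()
    genuine_ok = server.verify("app-v1", n, answer_challenge(genuine_secret, n), "catalog:read")

    n = server.challenge()   # the clone is indistinguishable from the real app
    clone_ok = server.verify("app-v1", n, answer_challenge(extracted_secret, n), "catalog:read")

    # Replaying the already-answered nonce fails.
    replay_ok = server.verify("app-v1", n, answer_challenge(extracted_secret, n), "catalog:read")

    # A scope the app key was never granted fails even with the right key.
    n = server.challenge()
    overscope_ok = server.verify("app-v1", n, answer_challenge(extracted_secret, n), "orders:write")

    # Once the leak is noticed, revoking the key shuts the clone out (and forces an app update).
    server.revoked.add("app-v1")
    n = server.challenge()
    after_revoke_ok = server.verify("app-v1", n, answer_challenge(extracted_secret, n), "catalog:read")

    return genuine_ok, clone_ok, replay_ok, overscope_ok, after_revoke_ok


if __name__ == "__main__":
    print(demo())
```

The second result is the whole problem: the server cannot tell the clone from the genuine app, because the only thing it checks is possession of a key that every downloaded copy carries. The remaining checks limit the blast radius rather than prevent the extraction, which is why the client-side protections discussed next still matter.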

Keeping APIs secure

The exposure introduced by embedding keys in API clients can be reduced by taking extra security measures alongside challenge-response authentication. The most effective approach is to centre defences on protecting the cryptographic keys.

White-box cryptography is a particularly strong method for hiding cryptographic keys even when an attacker has full access to the software. The original key material is converted into a new representation by a transformation designed to be non-reversible, and that representation can only be used by the associated white-box cryptographic code, which prevents the attacker from recovering the key and using it for the challenge-response.

However, white-box cryptography can still be circumvented if the hacker is able to decompile the original application and modify the app or lift out the entire white-box software package, and include it in their cloned version of the application.

Particularly relentless attackers can be countered with anti-tampering techniques that prevent code-lifting attacks and modification of the app. Anti-tamper techniques with RASP (Runtime Application Self-Protection) built in can respond to runtime attacks with customisable actions and notify the app owner that the app is being modified.

Putting measures like these in place to protect the cryptographic keys lets developers ensure their APIs communicate safely with networks and other applications. One caveat worth keeping in mind: these techniques raise the cost of extracting an embedded key; they do not make it unextractable. The server side should therefore still authenticate the user separately from the app, limit what an app key is permitted to do, and be able to revoke and rotate a key that has leaked. With those controls in place, cloud software can take full advantage of APIs without exposing itself or its clients to attack.

About the author: Sam Rehman, who serves as CTO for Arxan Technologies, is a proven technology leader with over 25 years of experience in both leading product development and professional services companies.

Holiday Shopping Security Tips for Consumers Fri, 02 Dec 2016 08:12:00 -0600 Cyber Monday kicked off a month of great deals for consumers and high profits for online retailers. Unfortunately, this time of year also offers attackers many ways to launch cyber-attacks, steal information, and compromise devices. Around Cyber Monday in 2015, hackers stole the personal information of 6.4 million children from VTech, the maker of popular children's toys. In 2013, a data breach that started around Black Friday compromised 40 million credit cards used at Target stores. Consumers are targets, but they can protect themselves from online threats while they shop by following the tips below.

1. Use Strong Passwords

The ideal way to shop on an ecommerce site is as a guest, without an account, so that the site has no reason to store your credit card data and personal information. However, online retailers often offer incentives such as coupons and free shipping for creating an account. Consumers who do create accounts should secure them with a strong password. Attackers use automated tools to crack passwords, and a short or common password can be recovered within minutes. Use a long password that mixes upper- and lower-case letters, numbers and symbols, use a different one for each site (a password manager makes this practical), and avoid obvious choices based on birth dates or the names of family members or pets.

2. Update Anti-Virus Software

Everyone is guilty of putting off a security update for a more convenient time. Consumers should nevertheless make sure their anti-virus software, operating system and browser are up to date before they start shopping online on Black Friday and Cyber Monday. Updated software closes known vulnerabilities that attackers would otherwise exploit to infect devices with malware or steal credit card details.

3. Enable Two-Step Verification

An easy two-step verification method consumers can use is verification through a text message code. By enabling two-step verification on sensitive accounts, consumers can add an extra layer of security that hackers will need to get around. Sensitive accounts include primary email addresses, and online credit card and bank accounts.

4. Ignore Untrustworthy Emails

Consumers can expect many emails from online retailers before and after Cyber Monday: deals, coupons and order confirmations. Attackers may try to capitalize on this flood by sending phishing emails that contain malicious links. Scammers might also email links to fraudulent customer surveys under the guise of asking about the shopping experience, hoping that unsuspecting consumers will fill in their login credentials, which then gives the attackers access to their accounts. To avoid this, consumers should ignore emails that look suspicious, and should reach a retailer's site by typing its address rather than clicking a link in an email.

5. Monitor Credit Card Statements

During and after the holiday shopping season, consumers should monitor their credit card statements for suspicious activity. Consumers should go through their transaction statements to make sure that no fraudulent charges have appeared.

Online retailers can also increase the security of their networks by following endpoint security best practices this holiday shopping season. A well-timed DDoS attack conducted by sophisticated hackers can bring down an ecommerce site on heavy shopping days, which would deeply impact profits. A massive data breach could ruin an online retailer’s reputation. To combat these cyber threats, online retailers should scan their networks for malware before the holiday shopping weekend even begins. Retailers should also continuously be on the lookout for suspicious activity on their networks, like unauthorized users and software. By taking extra security precautions, consumers and online retailers alike can avoid becoming the victims of a breach this holiday season.

About the author: Dan Ross is CEO and President of Promisec

5 Signs You Need to Upgrade Your Legacy IAM Fri, 02 Dec 2016 06:01:00 -0600 IT leadership is a constant balancing act, especially as you must look for ways to advance your department as an engine for growth rather than a cost center. Unfortunately, time and resources for revenue-stimulating, strategic IT initiatives are often in short supply, thanks to the demands of mundane, but critical, day-to-day tasks. Of the day-to-day tasks that often become major resource drains, user identity and access management (IAM) is not only one of the most crucial to get right, but can also be one of the most problematic.

A first-to-market IAM solution from a vendor such as Novell, NetIQ, IBM, Oracle, CA, Microsoft, or Sun may have been innovative in its time, but it is showing its age now, as enterprise needs, performance requirements, and budgets continue to evolve.

You may be unsure if now is the right time to examine your IAM solution and potentially push for a change, but things aren't perfect and you've managed thus far, right? The problem is, you may have temporarily solved issues as they've arisen, but over time, you've added unnecessary complexity and cost to a system that already offers limited benefits.

If you still aren't sure whether the time has come to migrate to a modern solution, read on and ask yourself if any of the following signs apply to you.

1. Your team can't keep up with its growing application integration queue

Your company's employees expect to have access to the latest and greatest technologies, and the C-suite supports that. But it falls on you and your team to enable those technologies. For every application you integrate, three more show up on the list, and you just can't keep up.

Modern IAM solutions address these problems by providing far quicker, more secure, and more cost-effective ways for you to add and remove applications and services to your business environment, including applications and services that are cloud-based and/or solely dependent on identity data for authentication and user access.

2. You have at least one business-critical system outside of IAM control

Despite all the efforts that your team invests in your legacy IAM system, there's likely at least one older or proprietary on-premises application or system that's still in wide use at your company, but outside the control of your existing IAM system.

Where this is the case, your department will run into a variety of problems. The most visible is the toll that it takes on your team. Unintegrated systems require your team to manually tackle any identity and access tasks across more systems and to use more workflows than they should. Manual deprovisioning raises the likelihood of open or orphaned accounts; they're easy to miss. And, when signals are crossed, breaches can happen.
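The orphaned-account problem described above is easy to check for, even on a system that sits outside IAM control, if you can export its account list and compare it with the HR roster. The following is an added example, not Identity Automation's code and not from the original article; the roster, the account export and their field names are constructed, and it assumes an account is an exposure when it is enabled but has no active owner, its owner's contract has ended, or it has not been used for a long time.

```python
# Added example (not Identity Automation's or Infosec Island's code): reconcile an
# account export against an HR roster to find accounts deprovisioning missed.
# All people, dates and account names below are constructed.
from datetime import date

# Constructed HR roster: who is supposed to have access, and until when.
HR_ROSTER = {
    "alice": {"status": "active",     "type": "employee",   "end": None},
    "bob":   {"status": "terminated", "type": "employee",   "end": date(2016, 10, 31)},
    "carol": {"status": "active",     "type": "contractor", "end": date(2016, 11, 15)},  # expired
    "dave":  {"status": "active",     "type": "contractor", "end": date(2017, 3, 1)},
    "frank": {"status": "active",     "type": "employee",   "end": None},
}

# Constructed account export from a system outside IAM control.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "last_login": date(2016, 12, 1)},
    {"user": "bob",        "enabled": True,  "last_login": date(2016, 11, 20)},  # after termination
    {"user": "carol",      "enabled": True,  "last_login": date(2016, 9, 2)},
    {"user": "dave",       "enabled": True,  "last_login": date(2016, 12, 1)},
    {"user": "frank",      "enabled": True,  "last_login": date(2016, 6, 1)},    # dormant
    {"user": "svc_backup", "enabled": True,  "last_login": date(2016, 6, 1)},    # no HR owner
    {"user": "erin",       "enabled": False, "last_login": date(2015, 1, 1)},    # already disabled
]


def find_orphaned_accounts(roster, accounts, today, stale_days=90):
    """Return (user, reason) pairs for enabled accounts that should not be enabled."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: not an exposure
        person = roster.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "no owner in HR roster"))
        elif person["status"] != "active":
            reason = "owner terminated"
            if person["end"] is not None and acct["last_login"] > person["end"]:
                reason += "; login after termination date"   # worth an incident ticket
            findings.append((acct["user"], reason))
        elif person["end"] is not None and person["end"] < today:
            findings.append((acct["user"], "contract end date passed"))
        elif (today - acct["last_login"]).days > stale_days:
            findings.append((acct["user"], f"no login in {stale_days} days"))
    return findings


def run_report(today_iso="2016-12-02"):
    """Run the reconciliation against the constructed data for a given date (ISO format)."""
    return find_orphaned_accounts(HR_ROSTER, ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, reason in run_report():
        print(f"{user:12} {reason}")
```

The report distinguishes the four cases a reviewer would treat differently: an account with no owner at all (usually a service account nobody claims), a terminated employee whose account was still used after the termination date, a contractor whose end date passed, and a dormant account that should be disabled even though its owner is still employed.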

3. Your legacy IAM vendor stopped innovating years ago

You may still pay licensing fees and/or maintenance and support on the aging technology, but what you get out of that expense no longer seems to include a product roadmap that highlights any meaningful innovation. These days, the product roadmap lists existing product tweaks and bug and security fixes.

Unfortunately, that's just not acceptable for today's businesses. The modern threat landscape and increasingly strict and complex regulatory environments demand more robust and more comprehensive identity and access controls and technology. Legacy IAM systems haven’t been keeping up with changing compliance requirements, security threats, or the needs of external user groups and partners.

Modern IAM solutions proactively develop support for things like social log ins and next-generation authentication techniques; they look ahead rather than simply around.

4. Your external users, such as partners, customers, contractors, and temps, are considered to be exceptions

Just as legacy IAM systems were designed for the more closed IT environment of the past, so too were they designed for the past’s more closed workforce. These older solutions may do fine at giving traditional, full-time employees access to the data and systems, but they fall short when it comes to provisioning access for external or temporary users. Today, cloud-based technologies have dissolved the enterprise perimeter and as a result, partner environments pose new IAM challenges - your partner’s weaknesses become your weaknesses.

Modern IAM solutions are platforms that can easily be configured and deployed to support external user groups, such as partners, customers, contractors, contingent workers, and even organization supporters or acquisition targets.

5. Your greatest fear is that you’ll be the next big data breach headline

Even if none of the above scenarios ring true for you, surely this one will: The environment of fear that developed when Target was breached has not lessened in the years since; nor has the threat landscape grown safer. In 2016, the average cost of a single data breach increased from $3.8 million to $4 million, while the average cost of each lost or stolen record containing sensitive information increased from $154 to $158.

If you aren’t in control of your environment and the credentials of everyone with access to your company’s data and resources, your organization—and your job—could very well be next. In fact, best practices encourage you to assume intruders are already in the network. Is your legacy IAM solution enough to prevent those intruders from moving around and finding their way to sensitive data that’s under your protection?

Time to Get off the Fence

When a major breach happens, even CEOs are held responsible, and you will be, too. The increased security that a modern IAM system provides can help keep your company safe—and your job, too.

Your business has changed, along with your user base and its needs. Without the scalability and reliability you need to support a growing number of internal and external users, a plethora of cloud-based applications, and a growing volume of corporate data, and without the controls and policies you need to protect your organization, job, and career, you will never get out from under that backlog of integration and access requests.

It may be time to examine your current IAM solution. Moving to a modern IAM solution is no longer a multi-year journey. It isn't as scary or as difficult as you might expect, and in the end, the juice is absolutely worth the squeeze.

About the author: James Litton is Identity Automation's Chief Executive Officer. With more than 25 years of experience in enterprise technology software and systems, James has led teams as an executive living and working in North America, Africa, Europe, and throughout the Asia-Pacific region. Immediately prior to joining Identity Automation, he was the Head of IT for Cray, a global supercomputing company.

Mobile Endpoint Security: 3 Helpful Tips to Protect Sensitive Corporate Data Fri, 02 Dec 2016 04:35:00 -0600 Working remotely and on the go is the norm, and mobile devices are now a critical component of getting work done quickly and efficiently for most businesses. Using mobile phones, tablets or smart watches, there are plenty of ways for employees to access company information from work or personal devices. But this convenience comes with its own unique challenges, not the least of which is the issue of ensuring a strong cybersecurity posture.

Doctors and nurses can now access patient portals through mobile devices, most online banking can be done on a smartphone, and even fast food restaurants and coffee shops are taking online and mobile orders to help customers combat long lines. The convenience of mobile apps and devices means more flexibility and better service in many instances, but it also increases the attack surface for criminals. Personal devices are often not secured with enterprise-grade security, so they are even more susceptible to malicious attacks.

Businesses are at greater risk than ever of losing sensitive data as employees take mobile devices to coffee shops, airports, hotels and other places and connect to public Wi-Fi networks. While multi-tasking between work and personal tasks they click on unsafe web links without realizing it, and the next thing you know, data-stealing malware is being installed on the device.

Everyone has different habits and levels of security that can leave an organization open to cyber risk. In fact, human error accounts for more than half of security breaches, according to CompTIA’s "Trends in IT Security" study. Mobility isn’t going anywhere, and neither is cybercrime, so it is up to each organization to design a set of guidelines to secure their mobile landscape. The task is daunting, so we’ve compiled a list of best practices to help organizations navigate the complexity of mobile endpoint security.

  1. Establish clear company policies for mobile. It's imperative for organizations with a mobile workforce to be upfront and clear about exactly how those devices and applications can and should be used by employees. Whether the mobile endpoints are provided by the organization itself or a BYOD policy is in place, the rules and boundaries should be consistent. Guidelines need to be enforced across all departments, and end-users should formally agree to them upfront. Many resources from analysts, vendors and educational institutions are available to help organizations develop appropriate guidelines, and employees should be given ongoing training and education on those evolving policies.
  2. Monitor and track all endpoints on your network. This step serves both to ensure employees are following the mobile policies laid out and to ensure that outside or unapproved endpoints aren't reaching information they aren't authorized to access. Detecting suspicious behavior is step one, and monitoring endpoints is one of the simplest and most effective ways to do so. Suspicious behavior can originate from outside the organization, but an internal employee can also be the culprit. Ensure that there is a record of every interaction a device has with your network. This historical view and log data help you distinguish normal from anomalous behavior, so that any unauthorized endpoint can be addressed immediately.
  3. Consider partnering to manage mobile security. In many small and mid-sized organizations in particular, security is one of many responsibilities that IT staff tackle on a daily basis, and they often lack the skills and expertise to implement a comprehensive security strategy. It is also simply not realistic for smaller companies to dedicate the staff hours needed for the monitoring and forensics that a robust mobile security posture requires.

There are many products aimed at helping to manage mobile security, including mobile device management (MDM) tools. But security is not achieved by implementing a product, and companies need to make sure they are actively securing their environment every day. In addition to monitoring endpoints, IT and security professionals also need a plan and procedure for lost or stolen devices. Many companies make the mistake of thinking they are safe because they bought the right products. History has proven that no matter how many products you have in place, you can't just assume your mobile security tools are working and check out: they must be regularly updated and coupled with industry best practices applied by staff to achieve your security objectives.
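As an added example for tip 2 (this is not code from the article or from Arctic Wolf), the script below checks network access records against a device inventory and a behavioural baseline. The inventory, the log line format, the "business hours" window and the alert names are all constructed assumptions; in practice the inventory would come from the MDM or NAC export and the records from authentication or proxy logs.

```python
"""Flag unapproved and anomalous mobile endpoints from network access logs.

Added example for this article, not code from Arctic Wolf or the author. The
device inventory and the log format are constructed for illustration; in
practice the inventory comes from the MDM/NAC export and the records from
the network authentication or proxy logs.
"""
from datetime import datetime

# Constructed inventory keyed by MAC address, as an MDM/NAC export might provide it.
APPROVED_DEVICES = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "enrolled": True},
    "aa:bb:cc:00:00:02": {"owner": "bob", "enrolled": True},
    "aa:bb:cc:00:00:03": {"owner": "carol", "enrolled": False},  # BYOD, never enrolled in MDM
}

# Constructed access records: "<ISO timestamp> mac=<mac> user=<user> resource=<name>"
SAMPLE_LOG = """\
2016-11-28T08:01:12 mac=aa:bb:cc:00:00:01 user=alice resource=mail
2016-11-28T08:03:40 mac=aa:bb:cc:00:00:02 user=bob resource=crm
2016-11-28T08:10:05 mac=aa:bb:cc:00:00:03 user=carol resource=mail
2016-11-28T22:14:59 mac=aa:bb:cc:00:00:02 user=bob resource=hr-payroll
2016-11-28T22:15:30 mac=de:ad:be:ef:00:99 user=bob resource=hr-payroll
"""

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 counts as normal working time


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def build_baseline(records):
    """(user, resource) pairs seen from enrolled devices during business hours.

    This is the 'normal behaviour' that the article says historical log data provides.
    """
    baseline = set()
    for r in records:
        dev = APPROVED_DEVICES.get(r["mac"])
        if dev and dev["enrolled"] and r["ts"].hour in BUSINESS_HOURS:
            baseline.add((r["user"], r["resource"]))
    return baseline


def find_alerts(log_text):
    """Return (kind, mac, user, resource) tuples for every record that needs attention."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    baseline = build_baseline(records)
    alerts = []
    for r in records:
        key = (r["mac"], r["user"], r["resource"])
        dev = APPROVED_DEVICES.get(r["mac"])
        if dev is None:
            alerts.append(("unknown-device",) + key)      # not in the inventory at all
            continue
        if not dev["enrolled"]:
            alerts.append(("unenrolled-device",) + key)   # known, but outside MDM control
            continue
        if dev["owner"] != r["user"]:
            alerts.append(("owner-mismatch",) + key)      # someone else's credentials on this device
            continue
        if (r["user"], r["resource"]) not in baseline:
            alerts.append(("new-access-pattern",) + key)  # never seen during normal hours
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

Run against the sample, the script raises three alerts: the unenrolled BYOD phone, an enrolled device pulling payroll data late at night for the first time, and a MAC address that is not in the inventory at all presenting a valid user's credentials. The last two are exactly the "outside or unapproved endpoint" and "internal culprit" cases the tip describes.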

About the author: Brian NeSmith is the Co-Founder and CEO of Arctic Wolf Networks and has over 30 years of experience.

Copyright 2010 Respective Author at Infosec Island
Authorities Disrupt Massive Malware Management Platform Thu, 01 Dec 2016 11:50:05 -0600 Europol this week announced that it managed to disrupt an online platform used for the distribution and management of around 20 malware families, including botnets, banking Trojans, and ransomware.

As part of a four-year-long investigation, Europol and global partners disrupted the international criminal infrastructure platform known as “Avalanche,” which is estimated to have caused monetary losses of hundreds of millions of Euros. On November 30, authorities arrested five individuals as part of this operation and also seized 39 servers.

The sweep, however, was extensive: with help from prosecutors and investigators from 30 countries, 37 premises were searched and a total of over 830,000 domains were seized, sinkholed or blocked. Notifications sent to hosting providers also resulted in 221 servers being taken offline.

Europol didn’t say where the five arrests were made, but it did reveal the list of the 30 involved countries: Armenia, Australia, Austria, Azerbaijan, Belgium, Belize, Bulgaria, Canada, Colombia, Finland, France, Germany, Gibraltar, Hungary, India, Italy, Lithuania, Luxembourg, Moldova, Montenegro, Netherlands, Norway, Poland, Romania, Singapore, Sweden, Taiwan, Ukraine, United Kingdom and United States of America.

In Germany, attacks on online banking systems are believed to have caused an estimated 6 million Euros in damages. The massive malware distribution and management campaign, however, hit victims in over 180 countries worldwide, and authorities have yet to estimate the exact monetary damage caused by the platform.

“The global cybercrime market rakes in billions of dollars a year. The Avalanche network alone is estimated to have yielded hundreds of millions, although the exact damage inflicted is almost impossible to establish because of the business ramifications of the network,” Bogdan Botezatu, senior e-threat analyst, Bitdefender, told SecurityWeek.

The Avalanche infrastructure is said to have been used for malware, phishing and spam activities since 2009 and to have been capable of sending over 1 million nefarious emails a week. The Avalanche botnet is said to have had control of over half a million computers around the world on a daily basis. Infected computers could be remotely controlled, could send information to attackers, or both.

Some of the malware families distributed and managed through Avalanche include well-known botnets and banking Trojans such as Bolek, Citadel, Goznym, Nymaim, Marcher, Dridex, Matsnu, URLZone, XSWKit, CoreBot, KBot, Vawtrak, Dofoil (Smoke Loader), Gozi2, Slempo, VMZeus and Panda Banker, along with ransomware families such as Cerber and TeslaCrypt.

The Avalanche network was available to cybercriminals who paid for access to various criminal services, including malware and ransomware distribution, money mule recruitment and phishing campaigns. A so-called double fast-flux network was used to protect the platform from disruption and identification: the IP address records associated with a domain name were changed automatically and frequently, and so were the records for the authoritative name servers of those domains, so that neither the front-end hosts nor the DNS infrastructure could be pinned down and taken offline.
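The defining trait of fast-flux is visible in DNS telemetry: many distinct addresses spread across unrelated networks, advertised with short TTLs, and in the double variant the name servers churn too. The following added example (not code from Europol or any of the partner organizations) scores passive-DNS observations for that pattern. The observations are constructed, the 10.x and 172.x addresses are placeholders, and the thresholds are assumptions that a real detector would tune against its own baseline.

```python
"""Score passive-DNS observations for single and double fast-flux behaviour.

Added example for this article, not code from Europol or any of the partners.
The observations below are constructed (the 10.x and 172.x addresses are just
placeholders) and the thresholds are assumptions; a real detector would read
resolver or passive-DNS logs and tune the thresholds on its own baseline.
"""
from collections import defaultdict
import ipaddress


def constructed_observations():
    """(unix_ts, qname, rtype, rdata, ttl) tuples, as a passive-DNS feed would provide."""
    obs = []
    # A stable domain: same address and nameserver on every lookup, long TTLs.
    for t in (0, 3600, 7200):
        obs.append((t, "legit.example", "A", "192.0.2.10", 3600))
        obs.append((t, "legit.example", "NS", "ns1.legit.example", 86400))
    # Single fast-flux: a fresh address in a fresh /16 on every lookup, nameserver fixed.
    for i, ip in enumerate(["10.3.1.1", "10.41.7.2", "10.99.5.5", "10.120.9.9", "10.200.3.3", "10.8.8.8"]):
        obs.append((i * 180, "singleflux.example", "A", ip, 180))
        obs.append((i * 180, "singleflux.example", "NS", "ns1.singleflux.example", 3600))
    # Double fast-flux: addresses and nameservers both rotate, both with short TTLs.
    ips = ["172.16.1.1", "172.19.2.2", "172.22.3.3", "172.25.4.4", "172.28.5.5", "172.31.6.6"]
    nss = ["ns1.df.example", "ns2.df.example", "ns3.df.example", "ns4.df.example"]
    for i, ip in enumerate(ips):
        obs.append((i * 120, "doubleflux.example", "A", ip, 120))
        obs.append((i * 120, "doubleflux.example", "NS", nss[i % len(nss)], 120))
    return obs


# Assumed thresholds (not from the article): enough distinct addresses, spread over
# enough /16 prefixes, advertised with TTLs short enough to rotate within minutes.
MIN_IPS, MIN_PREFIXES, MAX_TTL, MIN_NS = 5, 3, 600, 3


def summarize(observations):
    """Per-domain sets of A/NS answers, /16 prefixes and TTLs."""
    per = defaultdict(lambda: {"a": set(), "a16": set(), "a_ttl": [], "ns": set(), "ns_ttl": []})
    for _ts, name, rtype, rdata, ttl in observations:
        d = per[name]
        if rtype == "A":
            d["a"].add(rdata)
            d["a16"].add(str(ipaddress.ip_network(f"{rdata}/16", strict=False)))
            d["a_ttl"].append(ttl)
        elif rtype == "NS":
            d["ns"].add(rdata)
            d["ns_ttl"].append(ttl)
    return per


def _avg(xs):
    return sum(xs) / len(xs) if xs else float("inf")


def classify(observations):
    """Map each domain to 'stable', 'fast-flux' or 'double-fast-flux'."""
    verdicts = {}
    for name, d in summarize(observations).items():
        a_flux = (len(d["a"]) >= MIN_IPS and len(d["a16"]) >= MIN_PREFIXES
                  and _avg(d["a_ttl"]) <= MAX_TTL)
        ns_flux = len(d["ns"]) >= MIN_NS and _avg(d["ns_ttl"]) <= MAX_TTL
        if a_flux and ns_flux:
            verdicts[name] = "double-fast-flux"
        elif a_flux:
            verdicts[name] = "fast-flux"
        else:
            verdicts[name] = "stable"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(constructed_observations()).items():
        print(f"{name:24} {verdict}")
```

Prefix diversity stands in for the ASN diversity a production detector would use (compromised residential hosts in a flux network rarely share an ISP); with a BGP or GeoIP lookup available, replace the /16 bucket with the announcing AS number.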

While the disruption of the platform was successful, the operation didn’t result in the cleaning of the infected computers, and users who believe they might have been infected are advised to take this matter into their own hands.

“Removal is a critical step that victims need to take in order to ensure the extinction of these malware families,” Catalin Cosoi, Chief Security Strategist at Bitdefender, said. Users are encouraged to use one of the available resources to make sure their machines are cleaned of the malware distributed through the botnet.

Several online scanners, a series of web pages that provide assistance with disinfection, and free clean-up tools are available for this purpose from well-known anti-virus companies such as Avira, Bitdefender, Dr.Web, ESET, F-Secure, Microsoft, Symantec and others.

Copyright 2010 Respective Author at Infosec Island
Medusa DDoS Botnet Slams Russian Banks Fri, 18 Nov 2016 07:47:51 -0600 A new IRC bot used to carry out distributed denial of service (DDoS) attacks against the websites of several Russian banks has emerged recently, researchers with the Russian security firm Doctor Web reveal.

Dubbed Trojan BackDoor.IRC.Medusa.1, the new piece of malware was used in DDoS attacks targeting the Rosbank and Eximbank banks, the security researchers say. The Trojan's main purpose is launching DDoS attacks, and Doctor Web says this specific malware might have been used in the recent attack on Sberbank.

Belonging to the IRC bot category, the Trojan can unite with other similar malware to create botnets. These Trojans receive commands over the IRC (Internet Relay Chat) protocol by connecting to specific channels and awaiting directives.

The analyzed Medusa Trojan sample was heavily obfuscated in an attempt to hinder analysis, the researchers explain. Once installed on a compromised system, the malware checks whether specific applications are present, to make sure it isn't running in a sandboxed environment. It also adds itself to a Windows registry autorun key so that it starts with the system.

Doctor Web researchers have discovered that Medusa is being actively promoted on the underground, where its creators claim that a botnet of 100 infected computers can generate 20,000 to 25,000 requests per second and peak at 30,000. A diagram of an alleged test attack on an nginx HTTP server is shown as proof.

The Medusa IRC bot was designed with support for several types of DDoS attack, but it can also download and run executable files on the infected computers. The malware's authors even published a botnet operator manual detailing the full list of commands the Trojan supports.

These commands include httpstrong, httppost, httpseebix and smartflood GET (each with a matching stop command, plus a stop-all command that halts every running attack at once), silent on/off, download, join channel, update and resetnick. Login and logout commands are also available.

The security researchers identified 314 active connections on one of the IRC channels controlling the Medusa botnet. While inspecting the command log, they discovered that the botnet's operators attacked a series of sites multiple times between November 11 and November 14, 2016, including those of Rosbank, Eximbank, the Livraison restaurant chain and a private website.
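Because the bot takes orders as plain text in an IRC channel, a network sensor that can parse IRC can reconstruct the same command log the researchers inspected. The added example below (not Doctor Web's code or the bot's) parses RFC 1459 message lines from a constructed capture and pulls out channel messages whose first word is one of the Medusa commands listed above. The argument syntax (a target URL after the verb, "GET" as the method for smartflood), the channel name and the operator nick are assumptions, since the article does not reproduce the operator manual.

```python
"""Pull operator commands out of captured IRC channel traffic.

Added example for this article, not Doctor Web's code or the bot's. The capture
below is constructed. The command words are the ones the article lists for
Medusa; their argument syntax (target URL after the verb, "GET" as a method for
smartflood) is an assumption, since the article does not reproduce the manual.
"""
import re
from urllib.parse import urlparse

# RFC 1459 message: [":" prefix SPACE] command {SPACE middle} [SPACE ":" trailing]
IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?P<params>(?: (?!:)\S+)*)(?: :(?P<trailing>.*))?$"
)

ATTACK_VERBS = {"httpstrong", "httppost", "httpseebix", "smartflood"}
CONTROL_VERBS = {"stop", "stop-all", "silent", "download", "join", "update",
                 "resetnick", "login", "logout"}

# Constructed capture of one channel; hostnames and nicks are placeholders.
SAMPLE_CAPTURE = """\
:op!ops@c2.example PRIVMSG #medusa :login s3cret
:bot1337!b@10.0.0.5 JOIN #medusa
:op!ops@c2.example PRIVMSG #medusa :httpstrong http://bank.example/ 80
:op!ops@c2.example PRIVMSG #medusa :smartflood GET http://bank.example/login
PING :irc.example
:op!ops@c2.example PRIVMSG #medusa :stop-all
:op!ops@c2.example PRIVMSG #medusa :download http://c2.example/update.exe
:someone!u@h.example PRIVMSG op :hello there
:op!ops@c2.example PRIVMSG #medusa :just chatting
"""


def parse_irc(line):
    """Split one raw IRC line into nick, command, params and trailing text."""
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    prefix = m.group("prefix") or ""
    return {
        "nick": prefix.split("!", 1)[0],
        "cmd": m.group("cmd").upper(),
        "params": m.group("params").split(),
        "trailing": m.group("trailing"),
    }


def extract_commands(capture):
    """Return bot commands sent to a channel, in capture order."""
    events = []
    for line in capture.splitlines():
        msg = parse_irc(line)
        # Only channel messages carry orders to the whole botnet.
        if not msg or msg["cmd"] != "PRIVMSG" or not msg["params"]:
            continue
        if not msg["params"][0].startswith("#"):
            continue
        words = (msg["trailing"] or "").split()
        if not words:
            continue
        verb = words[0].lower()
        if verb in ATTACK_VERBS:
            kind = "attack"
        elif verb in CONTROL_VERBS:
            kind = "control"
        else:
            continue  # ordinary chatter in the channel
        events.append({"op": msg["nick"], "channel": msg["params"][0],
                       "kind": kind, "verb": verb, "args": words[1:]})
    return events


def attack_targets(events):
    """Hostnames named in attack commands: the victim list the article describes."""
    hosts = set()
    for e in events:
        if e["kind"] != "attack":
            continue
        for arg in e["args"]:
            if arg.startswith("http://") or arg.startswith("https://"):
                hosts.add(urlparse(arg).hostname)
    return hosts


if __name__ == "__main__":
    evs = extract_commands(SAMPLE_CAPTURE)
    for e in evs:
        print(e["kind"], e["verb"], *e["args"])
    print("targets:", sorted(attack_targets(evs)))
```

The same parser doubles as a detection rule: a host on the corporate network that receives a channel PRIVMSG whose first word is one of these verbs is almost certainly a bot, not a person using IRC.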

Related: Battling the Botnet Armies

Related: Mirai Botnet Infects Devices in 164 Countries

Related: Self-Spreading Linux Trojan Creates P2P Botnet

Copyright 2010 Respective Author at Infosec Island
Why Security Compliance Is a Continuous Process, and Not Just a Check in the Box! Fri, 18 Nov 2016 07:09:00 -0600 In today’s complex world of cybersecurity threats that are ever-changing and ever-evolving, it’s nearly impossible to say you’re 100 percent compliant with all standards at all times — FedRAMP, PCI DSS, SOX-2, HIPAA, etc. With enterprises quickly migrating to the cloud and data storage volumes growing exponentially, it becomes even harder to confidently say you’ve checked the box on compliance these days. It’s up to organizations to measure and demonstrate compliance in their systems and many organizations struggle to do so in the new cloud paradigm.

In addition, most organizations think that passing an annual audit or assessment means they are “in the clear” and no longer need to worry about maintaining compliance once they have the green light. However, according to Verizon, 80 percent of organizations that passed their annual PCI assessment drifted out of compliance shortly thereafter. The scale of recent data breaches makes it clear that many organizations' security measures aren't slowing attackers down, and continuous compliance and ongoing risk management are needed to protect vulnerable systems and networks from future attacks. Simply putting security controls and standards in place isn't enough. Compliance needs to be sustained by companies that wish to be prepared for the evolving breach landscape.

Today's compliance frameworks increasingly recommend a “continuous compliance” process to manage risk. Their authors know that a point-in-time assessment cannot guarantee compliance afterwards, so the best available approach is continuous monitoring. Continuous monitoring is the only path to continuous compliance, and, simply put, managing this risk manually is neither effective nor efficient. Automating security and compliance checks across a modern cloud infrastructure is necessary to cover the large attack surface the cloud creates. Even though manual interrogation of the cloud is slow and arduous, many organizations also want to increase the frequency of their audits to ensure and demonstrate that they are doing their best to remain secure.

Some of the main benefits of continuous compliance in today’s automated cloud security frameworks include:

  1. Real-time compliance and faster remediation - Near real-time situational awareness is achieved by monitoring infrastructure continuously and identifying critical risks as they are introduced. Compliance from the start means monitoring security throughout the entire development lifecycle, which avoids expensive changes late in the cycle.
  2. Ease of use and simpler, faster reporting - One-button compliance reports document how compliance policies are followed and let teams create auto-remediation rules or follow guided remediation steps to resolve issues. User attribution features identify who introduced a risk into the environment, and when, how and where. No more spending weeks interrogating systems to assemble a compliance report by hand, only for it to be out of date by the time it is finished. With one click you can run a report and export it in the form auditors need, saving time and money, and anyone on the team can produce it without specialized knowledge. Giving auditors read-only access to self-service compliance reports adds a layer of insulation that protects operational teams from disruption.
  3. Complete visibility into the cloud ecosystem - These platforms monitor, test and report on all cloud services and provide an actionable view of every testable compliance check. Stakeholders have an easy way to view, monitor and report on the security and compliance of their entire cloud ecosystem.
  4. Less compliance debt - Because monitoring, assessment and remediation of cloud infrastructure risk are all managed from a single platform in real time, risks are detected and fixed as they appear. Development teams are no longer thrown off track by having to stop projects and address a year's worth of compliance debt when audit time comes around.
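To show what an automated, attributable compliance check actually looks like, here is an added example (not code from the article or from any compliance product). It evaluates a cloud resource inventory against a few rules, records who changed each failing resource and when, and reports what is new since the last assessment, which is the drift a point-in-time audit misses. The inventory snapshot, the resource names, the rule identifiers and the severities are all constructed assumptions; a real implementation would pull the inventory from the cloud provider's APIs.

```python
"""Evaluate a cloud resource inventory against compliance rules, with attribution.

Added example for this article, not code from the author or any product. The
inventory is a constructed snapshot in the shape a cloud API export might have;
the rule set, rule IDs and severities are assumptions chosen to illustrate
continuous checks rather than any published benchmark.
"""
import ipaddress
import json

INVENTORY_JSON = """
{
  "security_groups": [
    {"id": "sg-web", "changed_by": "alice", "changed_at": "2016-11-14T09:12:00Z",
     "ingress": [{"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-admin", "changed_by": "bob", "changed_at": "2016-11-17T23:41:00Z",
     "ingress": [{"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"},
                 {"proto": "tcp", "port": 5432, "cidr": "10.0.0.0/8"}]}
  ],
  "buckets": [
    {"id": "logs-archive", "public": false, "changed_by": "alice", "changed_at": "2016-10-01T10:00:00Z"},
    {"id": "marketing-assets", "public": true, "changed_by": "carol", "changed_at": "2016-11-16T15:20:00Z"}
  ],
  "volumes": [
    {"id": "vol-db1", "encrypted": true, "changed_by": "alice", "changed_at": "2016-09-10T08:00:00Z"},
    {"id": "vol-scratch", "encrypted": false, "changed_by": "bob", "changed_at": "2016-11-17T23:50:00Z"}
  ]
}
"""

ADMIN_PORTS = {22, 3389}  # SSH and RDP must never be open to the whole Internet


def rule_open_admin_port(inv):
    for sg in inv["security_groups"]:
        for r in sg["ingress"]:
            if r["port"] in ADMIN_PORTS and ipaddress.ip_network(r["cidr"]).prefixlen == 0:
                yield ("SG-001", "high", sg, f"restrict port {r['port']} on {sg['id']} to management CIDRs")


def rule_public_bucket(inv):
    for b in inv["buckets"]:
        if b["public"]:
            yield ("S3-001", "high", b, f"remove public access from bucket {b['id']}")


def rule_unencrypted_volume(inv):
    for v in inv["volumes"]:
        if not v["encrypted"]:
            yield ("EBS-001", "medium", v, f"snapshot and re-create {v['id']} as encrypted")


RULES = [rule_open_admin_port, rule_public_bucket, rule_unencrypted_volume]


def evaluate(inventory_json):
    """Run every rule over the snapshot; each finding carries who/when attribution."""
    inv = json.loads(inventory_json)
    findings = []
    for rule in RULES:
        for rule_id, severity, res, fix in rule(inv):
            findings.append({"rule": rule_id, "severity": severity, "resource": res["id"],
                             "introduced_by": res["changed_by"], "introduced_at": res["changed_at"],
                             "remediation": fix})
    return findings


def new_since(previous, current):
    """Findings present now but absent from the last assessment: the drift to act on."""
    seen = {(f["rule"], f["resource"]) for f in previous}
    return [f for f in current if (f["rule"], f["resource"]) not in seen]


def report(findings):
    """One-line-per-finding text an auditor can read, highs first."""
    lines = [f"{len(findings)} finding(s)"]
    for f in sorted(findings, key=lambda f: (f["severity"] != "high", f["resource"])):
        lines.append(f"[{f['severity']}] {f['rule']} {f['resource']} "
                     f"(by {f['introduced_by']} at {f['introduced_at']}): {f['remediation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    current = evaluate(INVENTORY_JSON)
    print(report(current))
    print("new since last run:", len(new_since([], current)))
```

Scheduling `evaluate` against a fresh snapshot every few minutes and diffing with `new_since` is the whole difference between the annual assessment and continuous compliance: the late-night change that opened SSH to the world is attributed to its author and surfaced minutes later, not at the next audit.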

Organizations need to shift their thinking from point-in-time compliance to continuous compliance. In today's dynamic computing environment, where there is no network perimeter, automated and continuous compliance is needed to ensure infrastructure is safe at all times. Today's cloud security frameworks are equipped with complete, real-time compliance assessments for an organization's entire cloud infrastructure. Reports can be generated in real time, and audits can be completed more frequently. Organizations that adopt modern security and compliance platforms benefit from financial efficiencies and timeliness, so they can focus attention on other high-value projects.

About the author: Tim Prendergast co-founded to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim previously led technology teams at Adobe, Ingenuity, Ticketmaster and McAfee.

Copyright 2010 Respective Author at Infosec Island
Security vs. Privacy: Securing Your Critical Information Assets Thu, 17 Nov 2016 06:19:00 -0600 We are currently in the middle of a digital revolution which continues to grow with each passing day. Not surprisingly, we are generating and consuming information at an astounding rate, contributing to the information explosion and leaving behind an extensive information footprint in digital, physical and spoken formats. This trend is set to continue: global data volumes are forecast to reach 44 trillion gigabytes by 2020.

In today’s “Information Age”, data has become an extremely valuable asset. Nowadays, information is used to compete and succeed in a global market. In fact, intangible information assets can represent 80% or more of an organization’s total value. With that being said, organizations must prioritize the protection of their mission-critical information assets. These assets require clear ownership and heightened protection due to the risks to which they are exposed.

What Are Your Mission-Critical Information Assets?

For centuries, organizations have been acquiring, producing, leasing, licensing and selling assets. Accounted for in financial statements, these assets represent an organization’s wealth and financial stability. This makes them vulnerable to theft and fraud. As a priority organizations should focus on those assets that are of the highest value and risk – commonly referred to by business leaders as the “crown jewels”.

Assets such as property, plant and equipment are tangible whereas information is an intangible asset. There are two types of intangible assets:

  • Legal – such as trade secrets, copyrights and customer lists
  • Competitive – such as company culture, collaboration activities and customer relationships

Both types are essential drivers of competitive advantage and shareholder value today. It’s common to view the value or importance of information by using a simple classification chart (e.g., negligible, low, moderate and high); however, mission-critical information assets represent only the very tip of the highest layer. Information of high business value or impact could still register as “high” or “critical” but not necessarily be designated as mission-critical. Traditional risk assessment approaches would not identify this information separately, so mission-critical information assets typically require a different approach to identification.

At the Information Security Forum (ISF), we refer to information assets with a high value and business impact rating as “mission-critical information assets”. When identifying mission-critical information assets, organizations should take into account the extent to which:

  • The information asset contributes to, or supports, business value (e.g., business revenue; competitive advantage; operational effectiveness; and legal, regulatory or contractual compliance)
  • The business could be impacted in the event of the confidentiality, integrity or availability of the information asset being compromised, considering any financial, operational, legal/ regulatory compliance, reputational, or health and safety implications.

Valuable Information Brings Added Risk

Data breaches are happening with greater frequency, and are compromising larger volumes of data, than ever before. As breaches continue, and the number of compromised records grows, organizations are being subjected to stronger financial penalties, greater legislative and regulatory scrutiny, and tangible reputational damage. For organizations that suffer an incident, responding in an intelligent and confident manner is becoming essential.

Business leaders often consider the value of mission-critical information assets, but fail to recognize the extent to which these assets are exposed to threats and the potential business impact should they be compromised. These assets often attract the attention of highly motivated, capable and well-funded adversarial threats, such as unscrupulous competitors, nation states and organized criminal groups. The extensive footprint of these assets provides more opportunities for attackers to gain access.

Recent ISF research found that different types of mission-critical information assets will often require innovative, advanced and sometimes unique protection approaches, supported by a range of security controls. Unfortunately, many organizations simply do not know what their mission-critical information assets are, where these assets reside or who is responsible for them. Few organizations have given focused attention to defining their mission-critical information assets across the enterprise. As a result, these assets are frequently incorrectly classified and poorly managed.

The Global Impact of EU Data Protection Reform

I’d like to move now to take a look at what regulators and legislators are doing and I’m going to focus on the European Union (EU) General Data Protection Regulation (GDPR).

Most governments have created, or are currently in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, businesses need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches.

Back in January 2012, a two-part data protection reform was proposed and this Regulation will officially go into effect in May of 2018. It will certainly have an international reach, affecting any organization that handles the personal data of EU residents. From a standpoint of doing business in Europe, EU reform means that anybody who is handling European data in any way, shape or form will know exactly what they need to do and what they can get away with.

The Regulation aims to establish the same data protection level for all EU residents, clarify blurred lines of responsibility and focus strongly on how organizations handle personal data. Organizations face several challenges in preparing for the reform, including a lack of awareness among major internal stakeholders. The Regulation will create numerous compliance requirements, from which few organizations will completely escape. However, organizations will benefit from the EU-wide consistency the reform introduces and will no longer have to navigate the current array of often-contradictory national data protection laws. There will also be international benefits, as countries in other regions are devoting more attention to the protection of mission-critical assets. The Regulation has the potential to serve as a robust, scalable and exportable regime that could become a global benchmark.

Because of the effort required to report data breaches within the Regulation's tight notification window, it is absolutely essential that organizations prepare in advance. For many, this will require a more coherent incident response process along with closer cooperation between departments, in particular legal. This coherence is essential, as Data Protection Authorities (DPAs) will want to see a transparent rationale for the remediation actions taken in response to a data breach. ISF members have the benefit of an information security incident management framework that helps them build and improve their incident response capability, and they should be well placed to deal with the implementation of the Regulation.

The cost of non-compliance will increase, not only from new sanctions and fines but also from the court of public opinion. Reporting requirements will steadily push more data breaches into public view, creating reputational risks that many organizations have thus far avoided. Organizations that establish themselves as trusted data protectors will benefit commercially.

With reform on the horizon, organizations planning to do business in Europe, or already doing so, must get an immediate handle on what data they collect about European individuals. They should also know where it comes from, what it is used for, where and how it is stored, who is responsible for it and who has access to it.

Move Beyond Conventional Protection

Mission-critical information assets demand and justify additional investment to ensure these assets are adequately protected. However, greater protection does not just mean performing additional security activities or purchasing more security products. To protect mission-critical information assets, including the footprint, a range of different protection approaches are likely to be needed for different types of mission-critical information asset. Information security practitioners have to think and plan beyond existing protection capabilities and security controls to provide owners of these information assets with protection that is:

  • Balanced, providing a mixture of informative, preventative and detective security controls that complement each other
  • Comprehensive, providing protection before, during and after threat events materialize into security incidents
  • End-to-end, covering the complete information life cycle.

This will enable organizations to match the protection provided with the sophistication of threats to mission-critical information assets. Organizations should also consider controls that are:

  • Automated, to complement manual security controls and help ensure greater levels of protection can be maintained
  • Fast, operating in real time, supporting decisions that need to be made immediately
  • Resilient, being resistant to direct attack by highly capable and committed threats.

While the need to provide mission-critical information assets with specialized protection can appear obvious, organizations often experience difficulties in identifying these assets, evaluating the extent of their exposure to adversarial threats and understanding the true level of risk to the organization. Consequently, many organizations do not adequately protect their mission-critical information assets and are vulnerable to a range of attacks, including serious cyber-attacks.

In contrast, ISF research has revealed that some organizations demonstrated “good practice”, providing the necessary high levels of protection for mission-critical information assets. These ISF members invest time and resources in a range of security activities, which form part of a broader set of good practices in information risk management and information security.

Cyber Resilience is Crucial

Every organization must assume they will eventually incur severe impacts from unpredictable cyber threats. Planning for resilient incident response in the aftermath of a breach is imperative. Traditional risk management is insufficient. It’s important to learn from the cautionary tales of past breaches, not only to build better defenses, but also better responses. Business, government, and personal security are now so interconnected, resilience is important to withstanding direct attacks as well as the ripple effects that pass through interdependent systems.

I urge organizations to establish a crisis management plan that includes the formation of a Cyber Resilience Team. This team, made up of experienced security professionals, should be charged with thoroughly investigating each incident and ensuring that all relevant players communicate effectively. This is the only way a comprehensive and collaborative recovery plan can be implemented in a timely fashion.

Today’s most successful, and cyber-resilient organizations, are appointing a coordinator, such as a Director of Cyber Security or a Chief Digital Officer (CDO), to oversee all activities in cyberspace and to apprise the board of its responsibilities for operating in cyberspace. This coordinator also highlights the board’s obligations to establish cyber resilience programs that protect the organization’s mission-critical assets and preserve shareholder value. Such efforts are especially important due to all of the legal facets of doing business in cyberspace.

Take it to the Board

Finally, information risk must be elevated to a board-level issue and given the same attention afforded to other risk management practices. Organizations face a daunting array of challenges interconnected with cybersecurity: the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies. Cyber security chiefs must drive collaboration across the entire enterprise, bringing business and marketing needs into alignment with IT strategy. IT must transform the security conversation so it will resonate with leading decision-makers while also supporting the organization’s business objectives.

Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure mission-critical assets and protect people.

Successful cyber security programs require careful planning and sustained effort throughout the enterprise, with executives leading the charge. Organizations that sow and fertilize a deeply rooted culture of security are most likely to be resilient and competitive in the face of ongoing threats and challenges. As the players, targets, and stakes shift in response to geopolitical and financial forces, leadership must remain vigilant—keeping up on trends and emerging threats, drawing lessons from incidents at other companies, reassessing plans and priorities, and collaborating closely with security experts. 

Copyright 2010 Respective Author at Infosec Island
Norton Cyber Security Insights Report - November 2016 Thu, 17 Nov 2016 05:45:23 -0600 A new survey conducted by Symantec found that consumers are overwhelmed by the task of protecting their devices from cybercriminals.

The study released today by Symantec found that 79 percent of consumers are aware that they need to protect their online information, 44 percent feel overwhelmed by the amount of information they need to protect, and 81 percent said they would feel devastated if their personal information were compromised. Concerns have risen further after the recent DDoS attacks launched from compromised IoT devices.

Kevin Haley, Director of Security Response at Symantec, said: "Technology changes so rapidly and those of us in this industry keep on throwing new technology at them, and I don't know whether we always make it easy on people to understand."

Talking about millennials, Haley says he anticipates that as they age, they'll become more cautious about security and have technical skills to protect their devices.   

The Norton Cyber Security Insights Report notes that hackers seek out new technologies to exploit, adapting their exploits and scams to take advantage of consumers. According to the report, cyber criminals conducted more than one million web attacks against Internet-connected users in 2015 alone.

Internet users tend to be naive about the security of their IoT devices. The Symantec study shows that 39 percent of consumers don't think their devices are a worthwhile target, and on average six in ten believe their connected devices are designed with security in mind. In reality, only some top-tier companies, such as Philips, design their IoT devices with security in mind.

Symantec recommends that users:

Avoid password sharing: Roughly 25 percent of people surveyed shared passwords for social media accounts and email. People don't always understand that the risk is not limited to one site or device: any website where the same password is reused can expose it.

Symantec suggests using a combination of at least 10 upper- and lowercase letters, numbers, and symbols, and changing your passwords every 3 months to keep attackers at bay. If keeping track of the changes is too overwhelming, use a password manager.

Don't go phishing: The study found that 84% of the consumers surveyed had encountered a phishing attempt, and 19% complied with the phishing email, sharing their personal information or clicking links.

Symantec suggests thinking twice before opening suspicious emails or attachments, especially from unknown senders, or clicking random links. The email might come from a cybercriminal who has compromised a friend's or family member's social media account.

Lock home routers: When setting up a new network-connected device, such as a router, always change the default password. If you don't plan on using the Internet with smart home appliances, either disable them or protect remote access while they are not in use. Also, protect your wireless network with strong Wi-Fi encryption to secure your Internet traffic.

Many home routers are old and run outdated versions of Linux. People should also pay attention to router updates, whether they are applied remotely by the service provider or manually by the home user.

Do not share your info on public Wi-Fi networks: Symantec found that one in every three Internet users never uses a VPN when connecting to a public Wi-Fi network. Users are reluctant to install a VPN client on their devices, even though a VPN often comes as an add-on to antivirus software. A VPN encrypts Internet traffic and protects it from sniffing and interception by attackers.

SAP Cyber Threat Intelligence Report – November 2016 (Mon, 14 Nov 2016 11:44:00 -0600)

The SAP threat landscape is constantly growing, which puts organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report aims to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • SAP’s critical patch update for November contains 16 SAP Security Notes.
  • The majority of them fix missing authorization checks.
  • One of the Notes addresses DoS in SAP Message Server. Research revealed almost 4000 such systems available online.

SAP Security Notes – November 2016

SAP has released the monthly critical patch update for November 2016. This patch update closes 16 vulnerabilities in SAP products (10 SAP Security Patch Day Notes and 6 Support Package Notes).

Five of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. One Note is an update to a previously released Security Note.

Two of the released SAP Security Notes have a Hot News priority rating. The highest CVSS score among the vulnerabilities is 9.1.

[Figure: SAP Security Notes November 2016 by priority]

The most common vulnerability type is Missing Authorization Check.

[Figure: SAP Security Notes November 2016 by type]

Issues that were patched with the help of ERPScan

This month, 3 critical vulnerabilities identified by ERPScan’s researchers Alexey Tyurin and Mathieu Geli were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5). The update is available in SAP Security Note 2358972. An attacker can exploit a denial of service vulnerability to terminate a process of a vulnerable component, so that nobody can use the service; this in turn disrupts business processes, causes system downtime, and damages the business reputation of the victim company.
  • An Information Disclosure vulnerability in SAP System Landscape Directory (CVSS Base Score: 5.3). The update is available in SAP Security Note 2342940. An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which helps them learn about a system and plan further attacks.
  • An SQL Injection in SAP Hybris E-commerce Suite VirtualJDBC. An attacker can exploit an SQL injection vulnerability with the help of specially crafted SQL queries to read and modify sensitive information in a database, execute administrative operations on the database, and destroy data or make it unavailable.
    SAP stated that "Due to the fact that this issue is inside Hybris cloud we don’t provide a security note."

About Denial of Service vulnerability in SAP Message Server HTTP

SAP has a set of services that should not be accessible from the Internet, as they are designed only for internal use or require additional network filtering before being exposed directly to the Internet. SAP Message Server, which is used for communication between elements of a Java cluster, is one such service. It is often used as a load balancer for client GUI connections.

SAP Message Server HTTP is the HTTP part of the Message Server. The DoS vulnerability (related SAP Note 2358972) allows an attacker to prevent legitimate users from accessing the service by crashing it.

We identified that there are almost 4000 (namely 3783) SAP Message Servers HTTP available online.


The most critical issues closed by SAP Security Notes November 2016 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2357141: The SAP Report for Terminology ExportI component has an OS command execution vulnerability (CVSS Base Score: 9.1). An attacker can use an OS command execution vulnerability to execute operating system commands without authorization. Executed commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories in the SAP server file system, including application source code, configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent these risks.
  • 2371726: The SAP Text Conversion component has an OS command execution vulnerability (CVSS Base Score: 9.1). An attacker can use an OS command execution vulnerability to execute operating system commands without authorization. Executed commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories in the SAP server file system, including application source code, configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent these risks.
  • 2366512: The SAP Software Update Manager component has an Information Disclosure vulnerability (CVSS Base Score: 7.5). An attacker can use an information disclosure vulnerability to reveal additional information, which helps them learn about a system and plan further attacks. During an upgrade of SAP NetWeaver-based products, the MSSQL database shadow user credentials are stored in log files in plain text. Install this SAP Security Note to prevent these risks.
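The third Note above describes a failure mode that is worth checking for in your own upgrade and tool logs, whatever the product: credentials written in clear text. The scanner below is an added example, not SAP's or ERPScan's code; its log lines, key names and connection-string format are constructed for the example and are not SAP's actual log format. It reports which lines carry secret-looking key/value pairs (without copying the values into the report) and produces a redacted copy of the log.

```javascript
// Added example for the failure mode behind Note 2366512 (credentials written
// in clear text to upgrade logs). Not SAP's or ERPScan's code; the log lines,
// key names and connection-string format are constructed for this example.

// Constructed upgrade-log excerpt: two of the four lines leak a password.
const SAMPLE_LOG = [
  '2016-11-10 08:12:01 INFO  shadow instance prepared',
  '2016-11-10 08:12:02 DEBUG connecting as shadowuser pwd=Sup3rSecret!',
  '2016-11-10 08:12:02 DEBUG jdbc:sqlserver://dbhost:1433;user=shadowuser;password=Sup3rSecret!',
  '2016-11-10 08:12:05 INFO  phase COPY done',
];

// Matches "key=value" / "key: value" where the key names a secret. The value
// may be quoted or run to the next whitespace, ';' or ','.
const SECRET_KV_RE =
  /\b(pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*("[^"]*"|'[^']*'|[^\s;,]+)/gi;

// Returns one finding per line that carries at least one secret-looking pair:
// { line: 1-based line number, keys: [matched key names] }. Values are never
// copied into the finding, so the report itself does not re-leak them.
function findCredentialLines(lines) {
  const findings = [];
  lines.forEach((text, i) => {
    const keys = [...text.matchAll(SECRET_KV_RE)].map((m) => m[1]);
    if (keys.length > 0) findings.push({ line: i + 1, keys });
  });
  return findings;
}

// Rewrites a line with every secret value replaced, keeping the key so the
// redacted log still shows what was configured.
function redactLine(text) {
  return text.replace(SECRET_KV_RE, (_m, key) => `${key}=<redacted>`);
}

// Scan and redact a whole log in one pass.
function scanLog(lines) {
  return { findings: findCredentialLines(lines), redacted: lines.map(redactLine) };
}
```

Run `scanLog(SAMPLE_LOG)` to get both the findings list and the redacted lines; in practice the findings feed an alert and the redacted copy is what gets shipped to a central log store. The key list is deliberately short so that the pattern can be extended with the names a given product actually uses.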

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities as well as attack signatures are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

Solving the Incompatibility Problem Between Smart Network Security and Swift Operations Efficiency (Fri, 11 Nov 2016 12:43:00 -0600)

Unfortunately, H.G. Wells was only an author and not an actual inventor when he penned his classic work of science fiction, The Time Machine, in 1895. For those unfamiliar with it, Wells put to paper a vehicle that allowed its operator to travel forward or backward in time.

It’s indisputable that a true time machine would be an invaluable piece of hardware for any business operations team or IT staff. Perhaps even more valuable than literal time travel, however, would be the ability to manipulate time. More specifically, as technology thought leaders: what if we could speed certain aspects of technology up a notch or two, so that conscientious security practices could match the steadily increasing productivity demands of the ultra-competitive global marketplace?

Where is the answer?

There’s an inherent incompatibility between the rapid pace at which operations wants to run and the much slower pace that properly securing our ever-expanding network allows. The answer to the compatibility problem between security and operations lies somewhere between layers three and four of the OSI model: decoupling the transport layer from the network layer so that the upper layers can operate with non-traditional identities.

Standard IP addresses, the very fuel that powers the engine of the modern Internet, are the most rudimentary point of attack for hackers. Bad actors, ordinary hackers, and foreign espionage services are all capable of gaining entry to your network by misrepresenting a basic IP address; such addresses are normally referred to as “spoofable” IP addresses. Such an intrusion can have catastrophic consequences, ranging from information gathering and data breaches all the way to total system failure. So, what do we do to prevent such an attack? Until now, most of us have just added one firewall after another, plus multiple security patches, creating systems so tangled in protective add-ons that innovation, operations, and business intelligence grind to a halt, bringing business efficiency and operations to a virtual standstill.

Out with the old IP, in with the new CID

By replacing traditional IP addresses with cryptographic identities (CIDs), comprehensive security is enabled at the device level, rather than reinforcing a vulnerable perimeter with outdated and largely ineffective measures. The use of cryptographic identities renders your network invisible to all other Internet users, local and abroad. Using CIDs as part of a more advanced and comprehensive approach to networking and security has an impactful top-to-bottom effect that provides the following benefits:

  • Instant Third-Party Provisioning: The Internet of Things (IoT) grows larger every day; previously disconnected and seemingly low-tech devices like vending machines and HVAC systems from third-party vendors are being granted access to corporate networks. Likewise, building automation systems, PoS systems, web services to credit bureaus or supply chain vendors, and even guest Wi-Fi all contribute to an ever-expanding attack surface for hackers to capitalize on. A modern security solution that includes the use of CIDs needs to protect all these devices effectively and be able to provision them quickly from remote locations without trained experts being physically present.
  • Secure Savings: A security platform that is more compatible with the enhanced speed of operations is cost effective. By providing a better security solution that allows easier provisioning from anywhere in the world, the labor costs of dedicating highly skilled personnel to monitoring complex networks are virtually eliminated.

MPLS networks are simply too complex and pricey to be a logical solution. Today’s highly competitive global marketplace and increasing levels of threat from malicious sources demand something better. By placing security at the device level with an invisible identity rather than at the perimeter, remote exposure to Man-in-the-Middle (MITM) attacks is prevented, because hackers are left in the dark about the location of the endpoints that MITM attacks depend on.

  • Effortless Micro-Segmentation: Agile and effortless micro-segmentation is required for any network to be operationally efficient. Secure machine-to-machine communication is necessary to free connectivity and application services from the constraints of the network. Devices are whitelisted, automatically or manually, with a CID, allowing them to move freely about the network without further intervention from a systems administrator.

Welcome Change and Challenges Posed by Innovation — Optimize Compatibility between Security and Networking Practices

Recent advances in security technology have allowed us to move beyond the firewall and past the security patches required to maintain a network built on, and reliant on, spoofable IP addresses and complex provisioning. The truth is, if you’re not thinking about advanced security, you risk catastrophic consequences. However, if you allow security to overwhelm your operations, you risk losing your competitive edge. Overall, addressing the compatibility issue between advanced security and seamless operations is not only forward-thinking but mandatory for conducting business wisely and staying atop any industry as a profitable and efficient business.

We should strive to welcome change and challenges, because they are what help us grow. Without them we grow weak like the Eloi in comfort and security. We need to constantly be challenging ourselves in order to strengthen our character and increase our intelligence. (H.G. Wells, The Time Machine, 1895)  


About the Author: Jeff Hussey is the President and CEO of Tempered Networks, the pioneer of the Identity-Defined Networking market. As an accomplished entrepreneur and business leader with a proven track record in the networking and security markets, Hussey also founded F5 Networks, the global leader in application delivery and an S&P500 listed company. He maintains numerous board positions across a variety of technology, non-profit and philanthropic organizations. Currently, Hussey is the chairman of the board for Carena and chairman and co-owner of Ecofiltro and PuraVidaCreateGood. Hussey also serves on the board for Webaroo and the Seattle Symphony. He was the chairman of the board for Lockdown Networks, which was sold to McAfee in 2008. Hussey received a BA in Finance from SPU and an MBA from the University of Washington. 

What We’re Learning about Ransomware, and How Security Is Stepping Up to the Task (Tue, 08 Nov 2016 07:29:00 -0600)

If anything is certain about the latest ransomware trends we’ve been tracking, it’s that no one is immune to an attack. Ransomware attackers don’t discriminate; they have successfully extorted money from all types of people and organizations, and as long as there’s a way for them to find you, there’s a risk. Victims range from hospitals and police stations with confidential records to grandparents who are simply online to see photos of their grandkids. Attackers know that the more people they attempt to swindle, the better their chances of finding someone who isn’t prepared and might be willing to pay a ransom to get their files back.

The good news is that the more we learn about these attacks, the better suited we are to identify and protect against them. We now know that ransomware is delivered primarily through email, with a few exceptions like compromised websites, file sharing sites, or infected thumb drives. If we look at the characteristics of ransomware attacks that use email as a threat vector, we see some commonalities that everyone can use to help keep themselves and their organizations safe. Here’s what we’re finding about email-borne ransomware and how these modern threats are causing the security landscape to adjust:

Mailbox Protection in the Age of Advanced Threats

Email security is nothing new; however, traditional approaches based on identifying bad senders, scanning messages for keyword patterns, and signature-based virus detection are no longer sufficient in the face of advanced threats. To stop attackers who are adept at evading basic techniques, organizations should evaluate email security solutions with deep learning capabilities, multilevel intent analysis, advanced threat detection, and real-time link protection. Simply scanning email to ensure that it’s free of spam and malware just isn’t enough.

Let’s take a deeper look at some of the security technology available for protection against today’s advanced threats.

Deep Machine Learning

Over the last five years, tremendous progress has been made in the field of artificial intelligence (AI), more than in the fifty years prior. The progress is driven by the availability of computing power and advanced algorithms that enable machines to beat contestants in Jeopardy, find medical cures, and drive our cars. It stands to reason that the same approach could be used to ensure that we do not receive bad email.

Deep learning is only as effective as the data used to train it. The more diverse the training set, the more likely it is that malicious messages are caught while good ones are still delivered. Deep learning is responsible for ensuring that some of the most nefarious messages never reach a user’s inbox.

Multi-Level Intent Analysis

Sometimes the true intent of a message can only be discovered by following the links embedded in the email, and then following links on the resulting websites. The nefarious content could be buried quite deep to avoid detection. Security engines must be capable of discovering it and making sure that the message linking to the bad external content is properly blocked.

Advanced Threat Detection

Malicious email attachments are a primary means of spreading ransomware. The classic way of detecting bad files was to compare the signature of a known malware file to the attachment. This process worked very well when malware writers developed a single program and tried to distribute it to millions of computers; it was a race between the malware distributor and the security companies to discover the malware, analyze it, develop a signature, and publish it to all systems that needed protection. To detect today’s threats, files should be checked against a constantly updated cryptographic hash database. When a file is unknown, it should be emulated in a virtual sandbox where malicious behavior can be discovered. Administrators need granular, file-type-based control, including automatic quarantine and blacklisting features, to maintain the highest level of protection.

Real-Time Link Protection

Often, at the time a message is scanned and delivered, the included links point to perfectly safe websites. Minutes, hours, or even days after sending the message, attackers modify the site to carry malicious content. To protect the user from accessing such sites, the original links in the message can be rewritten so that click requests are always redirected through a site operated by your security vendor, which makes a real-time determination of whether the target website is safe. If the site has turned bad, the user receives a warning and is stopped from proceeding any further.

There’s no denying that ransomware and other advanced threats have quickly become a mainstream security issue, but it’s encouraging to see the security industry taking on the challenge with advanced security technologies of its own. As we’ve mentioned in the past, if advanced threats are a concern, you always have the option of working with your security providers on an assessment to ensure your level of protection is up to date.

DOM XSS Vulnerability Impacts Over 70 Million Wix Websites (Sat, 05 Nov 2016 08:34:00 -0500)

A severe DOM (Document Object Model) based XSS (Cross-Site Scripting) vulnerability in could allow an attacker to gain full control of the websites hosted on the platform, Contrast Security researchers warn.

Also known as type-0 XSS, DOM-based XSS is a type of attack in which the payload is executed by modifying the DOM “environment” in the victim’s browser. Because of that, while the page (the HTTP response) isn’t changed, the client-side code contained in the page executes differently, influenced by the malicious changes in the DOM environment.

The DOM XSS vulnerability that affects, Contrast Security says, allows an attacker to take complete control over a website hosted at Wix. An actor simply needs to add a single parameter to any site created on Wix to have their JavaScript code loaded and run as part of the target website.
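The mechanism described above, a page that turns a URL parameter into a script to load, is the textbook DOM XSS sink. The snippet below is an added example and is not Wix's code or the code Contrast Security analysed; the parameter name `loader`, the bundle names and the CDN origin are constructed for the example. It shows the vulnerable pattern next to the hardened one, and only the URL-handling logic is included so that it runs under Node without a DOM; the single line that would touch the document is noted in a comment.

```javascript
// Added example, not Wix's code: a parameter-driven script loader as a DOM XSS
// sink, and its hardened form. Parameter name, bundle names and origin are
// constructed for this example.

// Vulnerable pattern: the value of ?loader= is used verbatim as a script source.
// A visitor who follows a crafted link loads attacker-chosen JavaScript inside
// the site's own origin. (In the page this would end as: scriptEl.src = src;)
function scriptUrlVulnerable(locationSearch) {
  const params = new URLSearchParams(locationSearch);
  return params.get('loader');            // untrusted, taken as-is
}

// Hardened pattern: the parameter can only *select* among known first-party
// bundles, the URL is resolved against a fixed origin, and the result is
// re-checked before it would ever reach scriptEl.src.
const ALLOWED_ORIGIN = 'https://static.example-site.test';   // hypothetical CDN
const KNOWN_BUNDLES = new Map([
  ['gallery', '/js/gallery.min.js'],
  ['blog', '/js/blog.min.js'],
]);

function isAllowedScriptUrl(candidate, base = ALLOWED_ORIGIN) {
  let url;
  try { url = new URL(candidate, base); } catch { return false; }  // unparsable
  // Rejects off-origin, protocol-relative (//host/x.js) and javascript: URLs.
  return url.origin === ALLOWED_ORIGIN && url.protocol === 'https:';
}

function scriptUrlHardened(locationSearch) {
  const params = new URLSearchParams(locationSearch);
  const name = params.get('loader');
  if (name === null) return null;
  const path = KNOWN_BUNDLES.get(name);   // lookup, never string interpolation
  if (path === undefined) return null;    // unknown name: load nothing
  const url = new URL(path, ALLOWED_ORIGIN).href;
  return isAllowedScriptUrl(url) ? url : null;
}
```

The allow-list lookup is the real fix; `isAllowedScriptUrl` is defence in depth for the case where someone later relaxes the lookup, and it is also the check to apply to any legacy parameter that still carries a raw URL. A Content Security Policy whose `script-src` names only the first-party origin backstops both, since the browser will then refuse an off-origin script even if the page logic regresses.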

Cloud-based development platform has millions of users worldwide and allows everyone “to create a beautiful, professional web presence.” Wix claims to have 87 million registered users and over 2 million subscriptions.

Wix websites use either a subdomain or a custom domain, and an XSS against these won’t give an attacker access to the main domain and its cookies. Thus, a separate vulnerability is needed for an attacker to steal administrator session cookies or otherwise access administrator resources.

For that, an attacker can simply use the template demos that are hosted on, because they contain the vulnerability. Should the attacker manage to exploit an XSS on, they could do anything as the current user, including launching a worm attack.

The first step of such an attack, is to create a Wix website with the DOM XSS in an , Contrast Security explains. When a Wix user visits the infected website, a similar issue in is leveraged to edit all of the user's websites and inject the DOM XSS in an . Since the site infects any logged in Wix user and adds the with the same XSS to their websites, all of the current user’s websites now host the malicious content and serve it to their visitors.

“Administrator control of a site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine crypto-currency, and otherwise generally control the content of the site as well as the users who use it,” Matt Austin, Senior Security Research Engineer, explains.

An attacker could not only change the content of a hosted website for targeted users, but could also challenge the user for their Wix, Facebook, or Twitter username and password or trick them into downloading malware and executing it. Additionally, the attacker could generate ad revenue by inserting ads into website pages, spoof bank web pages and attempt to get users to log in, make it difficult or impossible to find and delete the infection, and could even make themselves an administrator of the website.

The security researchers say they contacted Wix about the issue on October 14 but that no positive response was received so far, although the company initially said it was investigating the issue.

“Contrast Security attempted to reach for over three weeks with no response. So we are disclosing this vulnerability in order to protect the many Wix website owners and users of these websites,” the security researcher said.

UPDATE 11/07: Contrast Security contacted SecurityWeek to inform us that Wix appears to have fixed the issue after they made the vulnerability details public:

"We published this disclosure on 11/2 at 8 AM PST. Sometime between 12 and 3 PM PST that same day, Wix appears to have resolved the problem. We can look at the update to see how they resolved this issue," Austin told us.


