Infosec Island Latest Articles

Black Hat, DEFCON and the Summer of Our Discontent Thu, 21 Jul 2016 10:01:22 -0500 At upcoming cybersecurity conferences, many will cause trouble for big business and the government. These institutions might ask, what do these people want? They want privacy at the bottom and transparency at the top. That, and a little less hierarchical leadership.

The end of July is when the cybersecurity industry turns on its bad boy image. On the surface, the upcoming conferences are about educating attendees on the latest threats. In reality, many in the industry gather en masse to take on “The Man.” Developers spend the entire year plotting breakthroughs to build a freer Internet, exposing headline-grabbing vulnerabilities, or finding ways to avoid surveillance and censorship. These efforts typically culminate in one incendiary week at Black Hat and DEFCON.

Jeffrey McNamara, legal counsel for DEFCON, explained it best when he recounted what he often hears from researchers. According to McNamara, many researchers come to DEFCON with one intention: “I want to step on the toes of ...master of the universe aggressive company. I want to come to DEFCON and piss them off.” Mr. McNamara must have a difficult job, as his law firm has been involved in many lawsuits with tech giants as big as Cisco.

A mega-corporation or government on the receiving end of this agitation might ask, “What does the horde want?” Personally, I think the answer is evident in how techies spend their spare time. Many developers invest time on projects to promote free speech, demand transparency from powerful institutions, and some even create applications to incent open participation.

Would You Like Some Big Business, or Maybe Government? …How About Neither!

The mainstream narrative encourages choosing favorites between the state and private industry. The security crowd loves to thumb its nose at both. Of course it's a delicate balance, as most of us are employed by these power centers. Like that brilliant but flippant programmer, who they let mouth off to the boss, the cybersecurity mob delights in razzing our employers.

This complex relationship is epitomized by the hacker-centric DEFCON, where “Feds” are regular attendees and sometimes socialize with hackers after hours. In turn, the hackers often pay their bills by consulting for the government. At DEFCON, the National Security Agency (NSA) speaks alongside the ACLU and the Electronic Freedom Foundation (EFF). Privacy organizations that are perpetually locked in litigation with the Feds hear enthusiastic cheers from audiences. However, DEFCON leadership has historically encouraged dialogue with the NSA, and calls for increased cooperation are popular amongst many attendees. The battle to protect individual privacy is a rallying cry for many attendees, but at the same time there is widespread recognition of the need to (at least sometimes) work with the powers that be.

I'll always remember the year of the Snowden leaks. The Feds were uninvited to DEFCON, but the NSA managed to attend anyway, and it was a circus. Attendees posed with cardboard cutouts of Edward Snowden, and one attendee handed out tinfoil hats. Personally, I wasn’t able to attend General Alexander's session. I did take a tinfoil hat though, and loved every minute of it. It was one of the few times where democracy felt like the idealized version of my youth.

Of course, there are many other targets who have felt the wrath of the cyber mob, many far more objectionable than our own government. At Black Hat or DEFCON, you’ll hear tales of how hacktivist collectives trolled Middle East terrorists, or Anonymous’ participation in the Twitter frenzy which ignited the “Arab Spring.” While a lot of tech workers don’t officially support hacktivism, many smile at some of its results.

Open Testing and Participation

Each night we ritualistically close and lock our front doors, because it makes us feel secure. A cop who’s kicked down thousands of doors once told me, “99.9% of doors go down in one kick.” We don’t know our front doors are insecure, because we never try to kick them in. In cybersecurity we open the floodgates for white hats with a passion for hacking to “test kick” our doors. While mainstreamers see chaos in this rowdy band of penetration testers, insiders see testing our defenses as an attempt at real security. This is why calls for the state to limit penetration testing and vulnerability research have been historically resisted.

The almost Wild West condition of security research is characteristic of the technology age. Some professions, such as medicine or architecture, employ state licensing monopolies and specialized schools to limit worker participation. Cybersecurity tends to go in the opposite direction, embracing open participation. Internet culture esteems the advancement of knowledge above self-interest, and eschews preconceptions about what kinds of people might have innovative ideas. In our industry, non-degreed workers sit alongside PhDs from Berkeley and MIT. After all, many of our pioneers, like Bill Gates, Mark Zuckerberg, or Steve Jobs, dropped out of college.

The online encyclopedia, Wikipedia, is another great example of how the community values open participation. To those thinking knowledge needs to be regulated by the few, Wikipedia has been a surprising success. In the same vein, researchers have discussed peer-to-peer free press platforms without hierarchical leadership to limit journalists’ contributions or authorities to censor opinions.

Leaderless organizations are frightening to many. I’d be inaccurate to claim all tech workers embrace the concept in all cases. I do however maintain that open technology – from the owner-less Linux, to Wikipedia, and to the uncontrollable Bitcoin – has shown that we can get along with more freedom and less authority. I’d argue it provides optimism that society might even thrive under these conditions.

Free Speech and its Deterrents

It seems that many have been plotting an escape from America’s Panopticon. This notion is reminiscent of philosopher Michel Foucault’s theory of “Panopticism.” Foucault paints a society where total surveillance exists within a building structure, named the “Panopticon.” He explains that citizens in this state would be discouraged from taking on their rulers, due to a feeling that powerful men are watching their activism.

Remember when corporations with terrible service cowered in fear over web reviews they could not remove? Cybersecurity professionals pine for the days when those at the bottom ruled. They desire a new peer-to-peer internet, without central hubs to censor speech. The big controversy at Black Hat last year was the suspicious cancellation of the “ProxyHam” session, which would have taught attendees to achieve online anonymity with ham radios.

The notion that surveillance degrades the free speech needed to regulate a healthy society drives a lot of engineering imagination. Presentations on efforts to anonymize web browsing, such as the Tor Project, are routine at shows like Black Hat. Well, unless the authorities mysteriously cancel them.

Paradox of Encryption and Transparency

Policy makers might argue there is a contradiction between the industry’s fight for privacy and its love for whistleblowers and leaks. Why do many cheer the now open information in the Panama Papers, celebrate the Snowden or Bradley Manning leaks, but are afraid their own personal information cannot be kept private from the prying eyes of the State?

At first this might seem inconsistent, but I see wisdom behind the instinct to resist information authority. Human hierarchy tends to pyramid into increasingly fewer numbers up top. If you're going to fight for rights, there are more individuals at the bottom and more power to abuse from above. Thus, “Give us Privacy at the Bottom, and Transparency at the Top,” is not a bad credo.

Copyright 2010 Respective Author at Infosec Island
Tor Veteran Leaves, Shuts Down Core Node Tue, 19 Jul 2016 15:03:52 -0500 Lucky Green, one of the people who has been with the Tor project since the years before it was even called Tor, is leaving the project and has already announced plans to shut down a core node in the process.

In an announcement made over the weekend, Green cites ethical reasons for his departure, but doesn’t fully explain what prompted the move. What he does explain, however, is that his departure will involve the closing of Tonga, a pivotal node for the network, called the Bridge Authority.

Green has been with the project long enough to be entrusted with the management of this special node within the network, which, the same as other Bridge Authorities, has its IP hard-coded in the Tor applications. Tonga also holds precious information regarding other Tor nodes, but all of the information related to it, including cryptographic keys, will be destroyed upon shutdown.

“Tonga will be permanently shut down and all associated cryptographic keys destroyed on 2016-08-31. This should give the Tor developers ample time to stand up a substitute. I will terminate the cron job we set up so many years ago at that time that copies over the descriptors,” Green announced.

He will also discontinue all Tor-related services hosted on systems under his control, and will shut down a number of fast Tor relays, but this should not impact the Tor Project at all. The closing of Tonga, however, is expected to cause disruption, even if there is enough time to deploy a new Bridge Authority and to issue the required software updates.

As Tor’s Sebastian Hahn explains in an internal email, an operator who can “provide a very high-availability system” is needed for the new Bridge Authority. Moreover, Hahn says that this operator should be “supremely trusted,” because “they see sensitive data that they shouldn't lose.”

“Nevertheless, this will cause severe disruption for the bridge ecosystem as our users typically take a long time to update their version of Tor. We should strive to have this set up very soon and included in a Tor release well before Aug 31, and yet it will still cause disruptions,” Hahn also says. However, he points out that the shutting down of Green’s relays should not cause problems for the network.

Green doesn’t specifically say what prompted him to quit Tor, but he does say that it was “recent events” that pushed him in this direction. These might include the recent accusations of sexual misconduct against Tor developer and security researcher Jacob Appelbaum, who has already left the project, and the complete reshuffle of the Tor board of directors.


Security Is from Mars, Application Delivery Is from Venus Thu, 14 Jul 2016 08:06:58 -0500 Men Are from Mars, Women Are from Venus by John Gray was one of the best-selling nonfiction books of the 1990s. It asserts that men and women essentially come from different ‘planets’, and need to seek out greater understanding of each other’s wants, needs and ways of thinking in order to cooperate better in relationships. In addition to providing great advice for romantic partners, I think it can also offer some important lessons to the world of corporate IT.

Let’s take a look at one of the book’s key sentences: ‘If I seek to fulfil my own needs at the expense of my partner, we are sure to experience unhappiness, resentment and conflict.’ This could easily refer to the relationship in most businesses between the security team and the application delivery team - they are key business partners and they need to work together for the organization to run smoothly.

Yet their relationship is all too often characterized by a lack of communication and cooperation. To solve this problem, we need to carefully examine what each side of the partnership wants from the other – and then, how to fulfil those needs.

So, what does security want from application delivery?

Broadly, there are three main things that security teams want from application delivery teams:

  • Clarity of business needs. Security wants application delivery to state, in advance, what it needs in terms of security and connectivity. Crucially, these requirements need to be communicated in a language that the security team actually understands and can implement.
  • Visibility of business needs. Security wants to understand what application delivery is working on, how those applications need to communicate with each other, and how they might put the overall network and data at risk.
  • Assurance. Whenever the application delivery team is making or requesting changes to network access, the security team needs to make sure that these changes don’t cause any additional risk. So the security team wants assurance that (a) the connectivity requested is secure; (b) this connectivity is compliant; and (c) good governance is being supported, with a clear record of who did what, when, where and why, so that if an auditor comes along, we have answers to all these questions.

What does application delivery want from security?

There are three key things the application delivery team wants from the security team:

  • Agility. The number one complaint we hear from app delivery teams in regard to IT security is that they want things done now. Yet it often takes days, or even weeks, for crucial network changes to be processed by security.
  • Availability of services. Nothing frustrates the application delivery team more than when the security team creates an outage due to, for example, a firewall misconfiguration – they want their applications up and running now.
  • Impact analysis ahead of changes being made. If a security policy change is going to slow down, or bring down an application, the delivery team wants to know about it in advance, so it can make the relevant adjustments.

How are we doing now?

Unfortunately, as in any relationship, neither side always gets exactly what it wants. One of the most common complaints about the application delivery team’s requests of the security team combines lack of clarity with unrealistic expectations: ‘You don’t know what ports you need open and for which IPs, but you need it by yesterday?’ And things aren’t any better for the application delivery team. On their side, the most commonly heard complaints relate to repeated availability problems: ‘The new firewall policy is blocking my application – for the third time this week!’

Statistics to support these complaints range from Gartner’s finding that 99% of firewall breaches are the result of misconfigurations rather than flaws, to our own survey results (PDF), in which we discovered that eight out of 10 organizations suffered an outage from a misconfigured firewall rule.

A Cloudy Future

Migrating to cloud and SDN environments is adding even more stress to this relationship. In the cloud, a server can be set up practically instantaneously – which means that security teams are expected to process network changes at the same ‘speed of cloud’. From a security perspective, however, there is limited visibility and control as to what goes on in the cloud. Additionally, there are now various cloud security tools available to non-security teams, which application delivery teams can tinker with in a way they can’t in an on-premise environment. No application delivery professional would ever think of buying and installing a firewall on premise, but they might consider implementing cloud-provided security groups, and this may well upset the IT security team.

Aligning the stars

Now, more than ever then, it’s vital that organizations work to bring security and application delivery closer together.

First, businesses need complete, continually updated visibility of connectivity requirements across their entire environment - on premise and cloud. This requires a single pane of glass through which both teams can see what the other has, what is needed, and to check that everything is enabled, operational and secure at all times. Such visibility allows the two teams to speak the same language, to use terminology that effectively communicates their needs and requests to the opposite side.

Second, security teams need to embrace automation when it comes to change processes. This is the only way to deliver the accuracy and agility that application delivery needs, and as cloud and SDN environments become more commonplace, it’s becoming increasingly urgent.

Third, security teams need to take a proactive approach to risk analysis, as well as analyze and effectively communicate risk from the business application perspective to all the stakeholders in terms that they understand.

Fourth, security teams need to ensure continuous compliance. Today, when network changes are happening at breakneck speed, a twelve month compliance cycle no longer works. Therefore you need to proactively ensure compliance every single time a network change is made.

How do we achieve all this? Security policy management supports all these needs, delivering a single version of the truth coupled with the intelligent automation that is so crucial if security and application delivery are to work together effectively. After all, we all live on the same planet and should live together in harmony.

A View from the Top: The C-Suite Steps Up as Cyber Security Threats Surge Wed, 13 Jul 2016 04:21:52 -0500 Cyber security threats are powerful and pervasive enough to threaten our new way of life; digital business, personal communications, public services, global commerce and even healthcare rely on networked information technology and data.

The people, processes, and technology that protect digital resources and manage cyber risk are essential to sustaining businesses and societies. Even so, in many enterprises, boards and executives are just beginning to truly engage in cyber security strategy and leadership. A recent NASDAQ survey highlights alarming gaps between awareness and accountability at the highest levels of global enterprises: too many board members and executives are unable to understand security briefings and unwilling to accept responsibility for data breaches.

The simultaneous explosion of connected technology and devices, Big Data, and cybercrime has led in recent years to wider adoption of new executive roles like Chief Security Officer (CSO), Chief Information Security Officer (CISO) and Chief Digital Officer (CDO). As information governance, risk management, and compliance activities grow in scope and complexity, there is more than enough high-level strategy and oversight to keep an expanded C-suite challenged and busy. But more silos of responsibility can create confusion and inefficiencies when roles are not clearly defined, or collaboration is stifled. When it comes to cyber security, it’s more important than ever for board members and core executives—especially those not directly involved with deploying security programs—to fully participate and contribute on a continuous basis.

Over the past decade or so, the roles of the CEO, CFO, CIO, and CMO have undergone significant transformation. Public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It’s become increasingly clear in the last two years that in the event of a breach, the hacked organization will be blamed and held accountable. That means everyone in the C-suite is potentially on trial.

The good news is, executives are beginning to pay more attention to the security measures protecting their organization’s assets, data, employees, and customers. The cautionary tales, doomsday scenarios, and the specter of public humiliation have made an impact. Executive awareness and engagement are finally expanding to meet the threats, but building a solid line of defense requires ongoing, strategic collaboration. Leaders must commit to fostering a culture of accountability from the top, making sure their message reaches out to the edges of the enterprise and everywhere in between.

Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is more feasible when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.

The CEO
CEOs are on the hot seat and being pulled in a million directions at once. They face an influx of new regulations and risk factors related to the IT infrastructure and services that keep their enterprise up and running. These challenges can only be addressed through collaborative teamwork. Building a robust, encompassing cyber security program requires strong leadership from the CEO and a willingness to coordinate with the board and other executives to bridge traditional silos and redefine roles. By keeping security programs aligned with strategic business objectives, CEOs can help their organizations develop competitive advantage and dive into emerging opportunities with confidence.

In order to maintain an accurate, big picture understanding of their organization’s security preparedness, CEOs must actively solicit and distill security-related concerns, opinions, and contributions from multiple stakeholders. It’s important to make sure your team thinks of security breaches in terms of “when” not “if”—cyber-attacks are so numerous and sophisticated, it is foolish to think they can be entirely avoided.

In the event of a breach, you have to be ready with a quick and effective incident response; the faster the response, the better the outcome. In the eyes of regulators and consumers, credibility is bolstered by evidence of comprehensive, ongoing cyber security efforts. CEOs must espouse strategies that intentionally build resilience through security analysis, training, planning, and testing. The CEO leads the way by emphasizing the importance of ongoing communication and collaboration. Championing a culture of security awareness throughout the organization and supply chain strengthens your defenses; “insider threats” are still the most common attack vector.

The CFO
Cyber criminals attack financial systems directly and indirectly, and data breaches of all kinds impact an organization’s bottom line. These ongoing threats require CFOs to become intimately involved in security measures and cyber risk management. CFOs are also concerned with loss of funds through theft, waste, and supply chain issues, all of which can originate or proliferate in the cyber realm.

From internal operations to investor relations, every part of a CFO’s role involves highly sensitive data that must be closely controlled and protected. To fulfill their fiduciary duties, CFOs must maintain a thorough understanding of where this vital information is, who might want to steal it, and how they might gain access to it. Their responsibilities include disclosing to the board the potential impact of a cyber-attack. This includes integrating security risks into discussions and decisions about investments, procurement, and partnerships. Analyzing the feasibility and cost effectiveness of cyber insurance and security solutions also falls in the CFO’s domain. Last but not least, CFOs should be intimately involved in crafting and rehearsing the portion of the organization’s incident response plan that involves communicating with shareholders, partners, suppliers, and customers.

CFOs have always played an important role in advocating for and pursuing critical investments that promote long-term business growth. Forward-looking CFOs recognize the importance of investing in cyber security as a primary method of protecting reputation, stock price, financial resources, and proprietary information.

The CIO
The CIO role is, of course, most closely connected to cyber security responsibilities. It’s clear that CIOs have the most to gain from a broader, more collaborative approach. A united front that recruits champions from across the organization is stronger than a thin, overwhelmed line of defense made up of only IT team members.

As new roles like CISO and CDO step in to alleviate their workload, CIOs should take the lead in engaging non-technical executives and board members. Their new directive is to excel at calm, clear communication with all stakeholders in order to obtain better funding and support for security initiatives. They have to speak the language of business and risk in order to convince boards and investors of the crucial link between IT enablement and risk management. Boards want regularly updated metrics and assessments they can compare over time as well as a way to form these into an accurate, holistic picture of information technology risk. The NASDAQ survey found that a vast majority of board members, especially those at vulnerable organizations, were unable to interpret cyber security reports. It is the CIO’s job to bridge this dangerous divide.

The CIO’s mandate is maintaining an effective, working balance between technology benefits, security controls, and risk management. By aligning their efforts with strategic business objectives, CIOs will partner more closely with their colleagues in the C-suite to shape business decisions, competitive strategy, and sustainable innovation.

The CMO
The CMO oversees a digital realm that is more closely tied to the customer than ever before, so it’s not surprising that their role has seen the biggest changes in recent years. The advances made possible by mobile marketing, social media, ad tech and Big Data have prompted an astonishing rise in the amount of consumer data that is gathered and analyzed for marketing purposes. Part of managing this data, much of which falls under privacy regulations, is securing it against theft and abuse. After all, cybercriminals are just as interested in that data as you are. Data-driven marketing depends on customer trust, and repeated headlines about spectacular (and often avoidable) breaches are eroding that trust.

More and more, we see brands and customer relationships damaged in the aftermath of an attack. In the event of a breach, CMOs will find themselves front and center, so they should make sure they are part of the incident response and data security planning. One of the big lessons learned from recent incidents is that financial and reputational damage will be amplified or mitigated depending on how quick, credible, and efficient the brand response is. All of a CMO’s hard work can go up in smoke if customers sense a lack of care or transparency.

In today’s enterprise, the CMO’s organization drives digital based growth. The board and executive team rely on them to lead brand, product, and innovation efforts to competitive advantage, without coming into conflict with data privacy legislation. It’s the CMO’s job to make sure the brand stands out—but for all the right reasons.

View from the Top

The executive team has the clearest, broadest “big picture” view of how their organization’s components intersect. A serious, shared commitment to common values and strategies is key to a productive relationship between the C-suite and the board. Only through sincere, ongoing collaboration can complex threats like cyber-crime and espionage be managed. Without coordinated oversight, risk factors will proliferate unchecked.

In a global enterprise, there are so many elements beyond the C-suite’s control that traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. By building on a foundation of preparedness, executives can create resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect customers, partners, and employees.

Now is the time for executives to step up and bridge the gap between awareness and action. Organizations that sow and fertilize a deeply rooted culture of security and accountability from the top down will be able to withstand the persistent, dynamic nature of cyber threats.

From Production Slumps to Industrial Espionage: Why the Manufacturing Sector Must Be Better Prepared for Cyber Attacks Tue, 12 Jul 2016 02:57:52 -0500 This year’s Hannover Messe (a leading international trade fair for industrial technology) has once again demonstrated that the idea of ‘smart’ factories is no longer a futuristic vision but concrete reality. Automation engineers and manufacturing businesses were shown fully developed ‘industry 4.0’ techniques to take the next step on the road to the fully digitized, intelligent manufacturing plant. New developments ranged from mobile ultrasound measuring devices for predictive machine maintenance to smart liquid analysis, driverless forklifts and even collaborating robots.

The growing fusion of IT and automated engineering, and the resulting intelligent collaboration of all components involved in the production process promises an increase in efficiency, flexible resource management and the individualisation of mass production. Already, it is obvious that to remain competitive in the long run, companies have to tap into the full potential of digitization.

Increasing Integration Means Increasing Threats

Security experts are wary of the idea of the smart factory because data protection, intellectual property theft, and potential manipulation of the plants are serious and challenging security risks. The fact is that most existing industrial facilities were neither designed for connecting to the Internet nor developed with a special focus on IT security. While more refined production facilities enjoy higher protection through advanced monitoring and alarm systems, the protection of software and applications is often neglected. This can have fatal consequences. Inadequately protected networks, applications and embedded systems pose a huge threat to industrial plants and businesses, as they open the floodgates to hacking attacks and cybercrime. Once attackers gain access to a critical application, they are easily able to manipulate the machines or manufacturing processes remotely. This opens up a range of potential disasters, from occasional interferences within the production process to a complete loss of production, the loss of sensitive corporate data, and industrial espionage.

The reality of these risks was not only demonstrated in 2010 when the computer worm Stuxnet sabotaged a uranium enrichment infrastructure in Iran, but also in 2014, when cyber criminals manipulated the furnace of a German steelworks and were able to shut it down.

According to a current study on product piracy by the Verband Deutscher Maschinen- und Anlagenbau e.V. (VDMA), illegal reproduction of software and machines causes losses of 7.3 billion euros every year. Around 70% of all German businesses are affected by plagiarism, and reverse-engineering is the most common cause.

Connected Production Technology Requires a Rethinking of IT Security

If companies want to benefit long-term from the idea of ‘industry 4.0’ and create a competitive advantage, they must not only invest in technically upgrading their production facilities, but also rethink and refresh their existing IT security standards. Traditional security tools against traditional threats remain indispensable, but need to be adapted to growing digitization and supplemented by new, innovative methods of defense. It is common knowledge that traditional anti-virus and anti-spam solutions, firewalls and static encryption programs may not provide adequate protection on their own; effective security measures inserted directly into applications and programs are therefore extremely valuable. What the industry needs are security solutions that strengthen single applications and embedded systems and enable them to self-protect against tampering, reverse-engineering, and malware insertion.

If all applications involved in the production process were able to detect threats and defend themselves against attacks, independently of external measures, security could be assured to a much greater degree. However, there remains a tension between the need for critical data and systems to be available 100% of the time and the need for robust security controls. Security measures must never impair the performance of critical applications: downloading a security update, for example, must never hinder or delay a production flow, as this could lead to defective output or scrap.

In a connected world, where digitization progresses rapidly and finds its way into our factories, we are inevitably faced with an ever-increasing level of vulnerabilities that lead to security breaches. It is thus all the more important that companies are aware of their responsibilities, and design security concepts that focus on the security of industrial plants and their software, while addressing any form of malware. This is the only way that ‘industry 4.0’ can truly work. 

Copyright 2010 Respective Author at Infosec Island
European Businesses Fear DDoS Extortion Attacks: Survey
Thu, 07 Jul 2016 10:56:00 -0500

Cyber-extortion is becoming a booming business, at least for criminals who threaten companies with distributed denial of service (DDoS) attacks, a recent survey from DDoS protection company Corero reveals.

The report shows that 80% of European businesses expect to be threatened with a DDoS ransom attack during the next 12 months, which reveals a growing trend in cyber-extortion. The survey, conducted among over 100 security professionals at the Infosecurity Europe conference in London, also uncovered that 43% of the targeted companies might give in and pay the ransom.

The report was published just over a month after the City of London Police warned that the cybercrime group known as Lizard Squad had begun a new wave of ransom-driven DDoS incidents. The group, which disrupted the gaming services of Blizzard Entertainment in April, demands a 5 Bitcoin ransom from UK businesses and threatens to hit them with DDoS attacks if they don’t pay.

The practice isn’t new and history teaches us that many organizations end up paying the ransom to avoid operation disruption. In February this year, Alastair Paterson, CEO and Co-Founder of Digital Shadows, explained in a SecurityWeek column that extortion is one of the seven cyber threats that any financial services firm should know about.

Last April, Danelle Au, VP of Strategy and Marketing at SafeBreach, pointed out in another SecurityWeek column that extortion was thriving after coming to the digital world. DD4BC (DDoS “4” Bitcoin) and Armada Collective were two actors that led the DDoS extortion trend. Law enforcement managed to find some of the individuals behind the DD4BC group earlier this year.

DD4BC and Armada Collective, which launched short, low-intensity attacks against companies and then demanded a ransom to prevent larger attacks, inspired many copycats. One of them, a group also calling itself Armada Collective, was found this year to be making only empty threats: although it extorted over $100,000 from potential victims, the group never launched a single DDoS attack, and researchers suggested it lacked the resources to do so.

“Extortion is one of the oldest tricks in the criminal’s book, and one of the easiest ways for today’s hackers to turn a profit. When your website is taken offline, it can cost businesses over $6500 a minute in lost revenue, so it’s understandable why some organizations choose to pay the ransom. But this is a dangerous game, because just a few willing participants encourage these threats to spread like wildfire,” Dave Larson, COO at Corero Network Security, says.

Corero’s report also reveals that 59% of the respondents fear that their Internet Service Provider (ISP) doesn’t offer the necessary protection against DDoS attacks, and 24% of them say the ISP is to blame if a DDoS attack hits. Moreover, 53% of the respondents believe that ISPs are hiding behind net neutrality laws, 21% said they would leave their ISP if it did not offer adequate protection against DDoS, and 58% said they would leave because of poor service.

An 8.7 Gbps Layer 7 DDoS incident observed in April, and a 470 gigabits per second (Gbps) attack observed last month that used nine different payload (packet) types, show that DDoS attacks continue to grow in power and sophistication. As Corero notes, recent DDoS incidents also mask other types of attacks, such as malware infections (typically ransomware), giving cybercriminals new ways to extort money from their victims.

Related: Botnet Uses IoT Devices to Power Massive DDoS Attacks

Related: Thousands of CCTV Devices Abused for DDoS Attacks

Fighting Alert Fatigue
Wed, 06 Jul 2016 03:57:00 -0500

While there’s been a great deal of discussion surrounding the high-level value of behavioral analytics in mitigating losses due to cyberattacks, the realization of this benefit usually begins with relieving an organization’s employees from the dreaded condition known as "alert fatigue."

Security professionals are under more pressure than ever before to identify and address advanced security threats within their organization’s IT infrastructure. The problem is that humans lack the capacity to sift through massive amounts of machine-generated log data on their own – let alone pinpoint the needle in the haystack.

Traditionally, security teams have employed monitoring tools that rely on threshold-based rules to detect cyberattack-related activity, but these tools are notoriously difficult and time-consuming to create and maintain in the face of rapidly changing environments. In addition, these tools tend to flood security teams with low priority or false positive alerts, rather than prioritizing the alerts that could have the greatest impact.

Overwhelmed by thousands of low-value alerts, security teams spend too much of their time troubleshooting false positives rather than identifying real threats and responding before they impact the business. Half of IT professionals and security managers say false positives negatively impact their security readiness, according to research from Enterprise Management Associates (EMA).

With staff plagued by alert fatigue, issues hidden deep within an organization’s data often go unnoticed for months – or worse, can be missed altogether. Despite several high profile data breaches at Anthem, Home Depot and JP Morgan, the time gap between attack and detection is still unacceptably long. As such, security professionals are beginning to realize the benefits of turning to behavioral analytics to detect suspicious behavior early and better protect their organization – as well as preserve their own sanity.

Behavioral analytics solutions can employ technologies such as unsupervised machine learning to analyze millions of data points each minute, creating a statistical baseline of normal behavior within an organization’s data and then flag behaviors that are statistically unusual or anomalous. Security teams can deploy virtual “algorithmic assistants,” which are automated routines that continuously model selected data fields, and accurately detect anomalies. This capability is often referred to as machine learning-based anomaly detection.

Two Ways Behavioral Analytics Can Fight Alert Fatigue

  1. Prioritize investigation of existing alerts based on how unusual they are

A very simple principle can be applied to an existing stream of security alerts to provide relief for alert fatigue - investigate the most unusual alert behaviors first. By using anomaly detection to identify alert behaviors that are unusual early on, such as a rare event ID, an unusual volume of alerts for a given destination, or an unusual number of distinct event IDs in a given time period, analysts can avoid wasting time on the same false positive events day after day. As an added benefit, they now have a documented and mathematically based algorithm upon which their prioritization is based.

  2. Replace threshold-based rules with automated anomaly detection

The original idea behind monitoring rules - to use automated monitoring to alert the security analyst to known bad behaviors - is sound, but the actual implementations have caused alert fatigue due to the shortcomings and complexities in writing rules that work well in the face of dynamic data patterns.

Security professionals understand that elementary attack behaviors, even those associated with previously unknown threat vectors, can be detected using the anomaly detection capabilities of behavioral analytics. Threshold-based rules can be replaced with algorithmic assistants that accurately model the normal behaviors in the data and generate alerts only when unusual behaviors are seen.

For example, a threshold-based rule created to detect data exfiltration over HTTP might trigger any time a user transfers more than say, 100MB of data in a given day. In a large organization, such a rule might trigger thousands of times per day, creating a flood of uninteresting alerts. By contrast, a machine learning based algorithmic assistant would accurately and automatically model the behavior of HTTP transfers for each user on the network and generate an alert only when a user’s behavior is different than it normally is for that time of day and day of the week. Such an approach would typically reduce the number of alerts from thousands per day to perhaps just a handful in a week, again helping to relieve alert fatigue (and simultaneously identifying actual unusual events worthy of investigation).
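To make the contrast concrete, here is an added example (not code from the original article) that runs both approaches over the same data in Python. The users, their traffic profiles and the planted 60 MB burst are all constructed for the demonstration; a real deployment would feed the same two functions from proxy or flow records. The baseline detector keys each user's history by weekday and hour, as the paragraph describes, and floors the estimated spread so that a handful of tightly clustered samples cannot turn an ordinary fluctuation into an alert.

```python
"""Added example, not from the original article: a flat 100 MB/day rule
versus a per-user, per-weekday-and-hour baseline for outbound HTTP volume.
All traffic below is constructed (synthetic users plus a planted burst),
so the alert counts illustrate the method rather than any real network."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
THRESHOLD_BYTES = 100 * MB   # the naive rule discussed in the text
Z_ALERT = 8.0                # how far outside its own history a sample must fall
MIN_HISTORY = 5              # samples needed before a key is scored at all


def generate_traffic(days=60, seed=7):
    """Return (timestamp, user, bytes_out) rows, one per user per hour.

    Constructed profiles: 'backup-svc' legitimately moves ~400 MB every
    working day; the humans move far less. On the final evening 'carol'
    pushes 60 MB in one hour, standing in for an exfiltration attempt that
    still keeps her daily total under 100 MB."""
    rng = random.Random(seed)
    profiles = {"alice": 2.0, "bob": 3.0, "backup-svc": 40.0, "carol": 1.0}  # MB/hour at work
    start = datetime(2016, 5, 1)
    rows = []
    for day in range(days):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            working = ts.weekday() < 5 and 8 <= hour < 18
            for user, base in profiles.items():
                mean_mb = base if working else base * 0.05
                mb = max(0.0, rng.gauss(mean_mb, mean_mb * 0.2))
                rows.append((ts, user, int(mb * MB)))
    rows.append((start + timedelta(days=days - 1, hours=21), "carol", 60 * MB))
    return sorted(rows, key=lambda r: r[0])


def threshold_alerts(rows):
    """The rule from the text: alert whenever a user exceeds 100 MB in a day."""
    daily = defaultdict(int)
    for ts, user, nbytes in rows:
        daily[(ts.date(), user)] += nbytes
    return sorted((day, user, total) for (day, user), total in daily.items()
                  if total > THRESHOLD_BYTES)


def baseline_alerts(rows):
    """Score each hourly sample against that user's own history for the same
    weekday and hour, alerting only on a large deviation from that baseline.
    Rows are processed in time order, so each sample is judged only by what
    came before it, as an online detector would."""
    history = defaultdict(list)
    alerts = []
    for ts, user, nbytes in rows:
        key = (user, ts.weekday(), ts.hour)
        past = history[key]
        if len(past) >= MIN_HISTORY:
            mean = statistics.mean(past)
            # Floor the spread: a few tightly clustered samples must not make
            # an ordinary fluctuation look extreme (a classic false-positive source).
            spread = max(statistics.pstdev(past), 0.25 * mean, 1024.0)
            z = (nbytes - mean) / spread
            if abs(z) >= Z_ALERT:
                alerts.append((ts, user, nbytes, round(z, 1)))
        past.append(nbytes)
    return alerts


if __name__ == "__main__":
    data = generate_traffic()
    print("threshold rule alerts:", len(threshold_alerts(data)))   # 43, all backup-svc
    for alert in baseline_alerts(data):
        print("baseline alert:", alert)                            # carol's 60 MB hour only
```

On this constructed data the flat rule fires 43 times, once for every working day of the backup service, and never for carol, whose burst stays under the daily cap; the baseline model is silent on the backup service and raises exactly one alert, for the planted hour.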

Both incidents and the attackers who perpetrate them are only going to grow more complex. To succeed in this landscape, security professionals will need to accept that human effort and intelligence alone are no match for today’s advanced threats. By augmenting their efforts with behavioral analytics and machine learning, teams can reduce alert noise and fatigue while quickly identifying and addressing the issues that actually matter, before those issues hurt their customers or the bottom line.

Spyware Targets Office, Mail, and Accounting Applications
Thu, 30 Jun 2016 09:22:15 -0500

A new spyware Trojan aimed at Russian users exclusively was recently observed targeting various accounting applications, as well as instant messaging, email, and Microsoft Office programs, in an attempt to exfiltrate sensitive data.

Detected as Trojan.PWS.Spy.19338, the malware was designed to steal the information entered in the windows of nearly a dozen programs and is launched directly in the computer’s memory in decrypted form. All of the stolen information is sent to a remote server after being encrypted with RC4 and then XOR, Doctor Web researchers reveal.

The spyware is distributed by a dropper Trojan called Trojan.MulDrop6.44482, which was designed to spread various other malicious programs, including Trojan.Inject2.24412, a Trojan embedded into malicious libraries’ processes launched on the infected computer.

According to Doctor Web researchers, before infecting a computer, Trojan.MulDrop6.44482’s installer checks the system for anti-malware programs such as Dr.Web, Avast, ESET, or Kaspersky, and terminates itself if it detects one of them. Moreover, the malware checks whether the computer uses the Russian localization of Windows, and terminates itself if it doesn’t.

On systems with the Russian language enabled and without one of the aforementioned anti-virus programs, the malware saves a 7z packer and a password-protected archive to disk, then extracts files from the archive one by one. These include programs and dynamic libraries serving different purposes, along with the aforementioned Trojan and spyware.

According to the security researchers, Trojan.PWS.Spy.19338 is launched directly in the computer’s memory, although an encrypted copy is dropped to the disk. The Trojan appears to have a modular architecture, while its main purpose is to log keystrokes and to collect information about the system, after which it sends the collected details to its operators.

Before sending the data to the attackers’ server, the spyware encrypts it with the RC4 algorithm and then with XOR, researchers say. The logged keystrokes are saved on the disk as a special file, and its content is sent to the server every minute. To the exfiltrated information, the malicious program attaches the name of the application the keystrokes were logged from.
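As an added reference, not code from Doctor Web or from the malware itself, the following Python implements the RC4-then-XOR layering described above together with its inverse. RC4_KEY, XOR_KEY and SAMPLE_RECORD are placeholders chosen for the demonstration: the article gives no key material, and the real keys would have to be recovered from the sample before any captured beacon could be decoded. The last function shows why the second layer is obfuscation rather than added strength: two XOR layers compose into a single keystream, and one known record leaks that keystream byte for byte.

```python
"""Added example, not code from Doctor Web or from the malware: a reference
implementation of the RC4-then-XOR layering the article describes, plus
the matching decoder. RC4_KEY, XOR_KEY and SAMPLE_RECORD are placeholders
for the demonstration; the real keys are not given in the article."""

RC4_KEY = b"placeholder-rc4-key"   # assumption: the real key lives in the sample
XOR_KEY = b"\x5a\xa5\x3c"          # assumption: the real key lives in the sample
SAMPLE_RECORD = b"1C:Enterprise 8\tWindow=Login\tKeys=admin\tPassw0rd\n"  # constructed


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: standard key scheduling, then the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor_repeat(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, likewise its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(record: bytes, rc4_key=RC4_KEY, xor_key=XOR_KEY) -> bytes:
    """The order the article gives for outgoing data: RC4 first, then XOR."""
    return xor_repeat(xor_key, rc4(rc4_key, record))


def decode_beacon(blob: bytes, rc4_key=RC4_KEY, xor_key=XOR_KEY) -> bytes:
    """Undo the layers in reverse: strip the XOR, then RC4-decrypt."""
    return rc4(rc4_key, xor_repeat(xor_key, blob))


def combined_keystream(length: int, rc4_key=RC4_KEY, xor_key=XOR_KEY) -> bytes:
    """Both layers are XORs, so their composition is one keystream: the outer
    XOR changes the bytes on the wire but adds nothing beyond RC4's strength,
    and a single known plaintext recovers the combined stream directly."""
    ks = rc4_keystream(rc4_key)
    return bytes(next(ks) ^ xor_key[i % len(xor_key)] for i in range(length))


if __name__ == "__main__":
    wire = encode_beacon(SAMPLE_RECORD)
    assert decode_beacon(wire) == SAMPLE_RECORD
    leaked = bytes(p ^ c for p, c in zip(SAMPLE_RECORD, wire))
    assert leaked == combined_keystream(len(SAMPLE_RECORD))
    print(wire.hex())
```

When working from a real capture, the keystream recovery is the useful part: the keylogger prefixes each record with the application name, so a few predictable bytes at a known offset are enough to confirm the RC4 key once it has been pulled from the binary.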

According to Doctor Web, in addition to accounting programs such as 1C version 8, 1C version 7 and 7.7, and SBIS++, the spyware also targets Microsoft Office applications such as Word and Excel, as well as messaging and mail programs like Skype, Microsoft Outlook, Microsoft Outlook Express and Windows Mail, and Mozilla Thunderbird.

What’s more, the spyware was also designed to collect information about the connected devices for Smart Card use, it seems. At the same time, it includes a series of components that were specifically designed to send information about the computer’s system to the C&C server, Doctor Web’s security researchers warn.

Related: Linux Trojan Takes Screenshots Every 30 Seconds

Why Passwords Are the New Exploits
Tue, 28 Jun 2016 07:26:10 -0500

Twitter, 33 million. LinkedIn, 165 million. Tumblr, 65 million., 171 million. Badoo, 127 million. Myspace, 360 million.

There are now over a billion compromised accounts with credentials for sale online. In the age of stolen passwords, compromised credentials are the easiest way in, simpler than phishing, malware or exploits. “Password confirmation” tools are now readily available to find reused passwords matching any website. This trend of large-scale verification of stolen passwords is not new and has been ongoing for at least 2 years.

Imagine a world where millions of keys capable of unlocking bank safe-deposit boxes are just lying on the ground everywhere. All you need is to pick them up and find a match to open any box you would like. Well, this is exactly where we are with passwords today. In fact, it is worse, because for most people, this same key is used to open their office, car, and house.

Passwords are the new exploit, but even better – credentials have become the number one attack methodology today. According to Verizon’s 2016 Data Breach Investigations Report, 63% of confirmed data breaches involved leveraging weak, default or stolen passwords, and the problem is only getting worse.

The market is already so saturated with usernames and passwords that it is hard to tell whether a new password batch is a result of a new breach or re-filtering existing stolen passwords on a new website. Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites. 

If a person used the same username and password on multiple sites then attackers could, in some situations, automatically take over their account. That’s why a breach of passwords associated with website X could result in compromised accounts at unrelated website Y. For instance, a hacker can take the Tumblr stolen dataset and use an automated “password confirmation” tool on Dropbox and within hours get millions of “new” Dropbox passwords, which is what happened in June, according to Brian Krebs.  

There are dozens of “password confirmation” tools available for this, such as Sentry MBA.

Many other tools do the same: they replay stolen credentials against large numbers of websites to confirm which passwords still work. Websites try to prevent this activity by rate-limiting logins, so attackers spread their attempts across large pools of proxies and botnets to stay under the limits, and even use OCR software to bypass CAPTCHAs.
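An added example, not from the original article, of why a per-IP lockout fails against a proxied credential-stuffing run and which site-wide signals still catch it. The login events are constructed: three hours of genuine logins, each user from a single address, plus a 200-attempt campaign spread over 50 proxy addresses at four attempts each, with one in twenty stolen pairs still valid. The per-source rule never trips because no proxy exceeds its quota; the site-wide failure ratio in a ten-minute window and the number of distinct usernames tried per source both do.

```python
"""Added example, not from the original article: a per-IP lockout rule
versus site-wide detection of a proxied credential-stuffing run.
All login events are constructed: genuine logins from one address per
user, plus a 200-attempt campaign spread over 50 proxy addresses."""
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PER_IP_FAIL_LIMIT = 10   # the usual "lock out this source" rule
MIN_ATTEMPTS = 50        # a window must carry real volume before it is judged
MIN_FAIL_RATIO = 0.5     # genuine users do not fail half their logins
MAX_USERS_PER_IP = 3     # one source trying more accounts than a person would


def build_log(seed=3):
    """Constructed events as (timestamp, source_ip, username, success)."""
    rng = random.Random(seed)
    t0 = datetime(2016, 6, 1, 9, 0)
    events = []
    # baseline: 300 genuine logins over three hours, about 4% mistyped passwords
    for _ in range(300):
        n = rng.randrange(100)
        ts = t0 + timedelta(seconds=rng.randrange(3 * 3600))
        events.append((ts, f"10.0.0.{n + 1}", f"user{n:03d}", rng.random() > 0.04))
    # campaign: 200 stolen pairs, 4 per proxy, 2 s apart; every 20th pair still works
    start = t0 + timedelta(minutes=90)
    for k in range(200):
        ts = start + timedelta(seconds=2 * k)
        events.append((ts, f"203.0.113.{k % 50 + 1}", f"acct{k:03d}", k % 20 == 0))
    return sorted(events)


def bucket(ts):
    """Ten-minute window the event falls into."""
    return ts.replace(minute=ts.minute - ts.minute % 10, second=0, microsecond=0)


def per_ip_lockouts(events):
    """Per-source rule: lock out an IP that fails more than PER_IP_FAIL_LIMIT
    times within one window. Four attempts per proxy never get near it."""
    fails = Counter()
    for ts, ip, _user, ok in events:
        if not ok:
            fails[(bucket(ts), ip)] += 1
    return sorted({ip for (_w, ip), n in fails.items() if n > PER_IP_FAIL_LIMIT})


def stuffing_windows(events):
    """Site-wide view: windows with unusual volume where most attempts fail,
    regardless of how many sources the attempts came from."""
    attempts, fails = Counter(), Counter()
    for ts, _ip, _user, ok in events:
        w = bucket(ts)
        attempts[w] += 1
        fails[w] += 0 if ok else 1
    return sorted(w for w in attempts
                  if attempts[w] >= MIN_ATTEMPTS
                  and fails[w] / attempts[w] >= MIN_FAIL_RATIO)


def spraying_sources(events):
    """Sources that tried more distinct usernames than someone who forgot a
    password would; a proxy's low volume does not hide this."""
    users = defaultdict(set)
    for _ts, ip, user, _ok in events:
        users[ip].add(user)
    return sorted(ip for ip, seen in users.items() if len(seen) > MAX_USERS_PER_IP)


def confirmed_accounts(events):
    """Successful logins from a spraying source inside a flagged window: the
    reused passwords the attacker just 'confirmed', which need a forced reset."""
    bad_ips = set(spraying_sources(events))
    bad_windows = set(stuffing_windows(events))
    return sorted({user for ts, ip, user, ok in events
                   if ok and ip in bad_ips and bucket(ts) in bad_windows})


if __name__ == "__main__":
    log = build_log()
    print("per-IP lockouts:", per_ip_lockouts(log))                     # []
    print("flagged windows:", [str(w) for w in stuffing_windows(log)])  # 10:30 window only
    print("spraying sources:", len(spraying_sources(log)))             # 50
    print("accounts to reset:", confirmed_accounts(log))               # acct000, acct020, ...
```

The site-wide counters are what the proxies cannot dilute: an attacker can spread 200 attempts over 50 addresses, but the service still sees 200 mostly failing logins against 200 different accounts in one window, and the ten successes inside that window are the accounts whose reused passwords were just confirmed.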

The economics are as follows: stolen credentials get packaged into batches of 1,000 and resold underground for prices between a penny and a nickel – roughly $50 dollars per million. Attackers then use sites like to find a tool they like to test passwords and only pay 1 cent for each working password, pay nothing for the non-working passwords.

As I mentioned in 2015, most of your passwords are likely already leaked and out there. And changing your password does not make you more secure either.  For one, statistically you will likely just change it to 123456789 or ‘dadada’ a la Zuckerberg or something equally bad.  

But even if you pick a good, hard to remember password, it is only a matter of short time before another SQL injection attack will pwn a service that you used the new password on, and you are back to square one.

So it is a good time to give up on passwords altogether, the way Yahoo and Google are doing.

Another option is to require two-factor authentication by default, all the time. Many services already do this.

Most people can’t be bothered to make up complex passwords or to remember to use unique passwords per service. So, websites must assume attackers already know most passwords. The rampant password re-use on many websites means there is essentially now a single point of failure for the entire online identity. It is time to change this situation and start retiring passwords as the primary authentication mechanism.

What a Risk-Based Approach to Security Means for Your Business
Mon, 20 Jun 2016 08:00:00 -0500

As cyber security risks increase in number and sophistication, organizations need to move from reacting to incidents to identifying and preventing them before they occur.

Developing a robust risk-based approach to security needs to focus on supporting organizations to prioritize information security threats, understand the techniques that may be employed as part of the attack and evaluate the capability of controls to prevent, detect and respond to an attack. Without this knowledge, an organization will struggle to determine the level of exposure to particular threats and if their cyber incident response plans are structured and ready to address these threats when they arise.

Protecting Your Most Sensitive Information

Executives are familiar with the massive benefits of cyberspace and how the Internet, and today’s growing usage of connected devices, greatly increases innovation, collaboration, efficiency, competitiveness and commitment to customers. Unfortunately, many struggle with assessing the risks versus the rewards.

One thing that businesses must do in this day and age is ensure they have standard security measures in place. One example of such guidelines is the Information Security Forum (ISF) Standard of Good Practice (The Standard).

The Standard is used by many international organizations as their primary reference for information security. It addresses the rapid pace at which threats and risks evolve and an organization’s need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, BYOD, the Cloud, insiders and espionage. As a result, The Standard helps the ISF and our members maintain their position at the leading edge of good practice in information security.

Institute a Risk Assessment Process

At the ISF, we define Information Risk Assessment as the process of assessing potential business impact, evaluating threats and vulnerabilities and selecting appropriate treatment to meet the business requirement for information security.

Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of risks to information that could compromise success.

A piece of supplementary material that I advocate reviewing is the ISF Threat Radar. The Threat Radar plots the ability to manage a threat against its potential level of impact, thus helping to determine its relative importance for an individual organization. It can also demonstrate any likely change that may happen over the period in discussion using arrows.

It is imperative to remember that it is not practicable to defend against all threats. An organization therefore needs to look closely at its resilience: that is, what plans and arrangements are in place to minimize impact, speed recovery and learn from incidents, in order to further minimize impact in the future.

Further details on cyber resilience are available in our report Cyber Security Strategies: Achieving Cyber Resilience.

Preparing Your People

Many organizations recognize their people as their biggest asset. However, they still fail to recognize the need to secure the human element of information security. In essence, people should be an organization’s strongest control.

However, instead of simply making people aware of their information security responsibilities and how they should respond, the answer for organizations is to embed positive information security behaviors that will result in their behavior becoming a habit and part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real driver should be risk, and how changing employee behaviors can reduce that risk.

The position that disclosure will be more destructive than the data theft itself is a sure-fire way to damage customer trust. However, advance planning is often lacking, as are the services of tech-literate public relations departments. The lesson that we tell ISF members is to carefully consider how to respond, because your organization can’t control the news once it becomes public. I strongly recommend running simulations with your public relations firm so that you are better prepared to respond following a breach.

Focus on the Need for Cyber Resilience

Businesses are operating in a progressively cyber-enabled world, and traditional risk management isn’t nimble enough to deal with the risks from cyberspace activity. To put it simply: enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses threat vectors from a position of business acceptability and risk profiling.

As global businesses, governments, and economies grow more interdependent, knowing how to build cyber resilient organizations will be vital to more than cyber security. We no longer hide behind impermeable walls, rather, we operate as part of an interconnected whole. The strength to absorb the blows and forge ahead is essential to competitive advantage and growth, in cyberspace and beyond.   

Don't Let the Cure Become the Disease: Granular Control Is the Only Answer to Security Woes Caused By Encryption
Mon, 20 Jun 2016 04:30:31 -0500

Encryption has gotten a bad rap lately, thanks to a rash of SSL (Secure Sockets Layer) security bugs that is expected to get even worse in coming years. Add to that the recent standoff between the FBI and Apple Inc. over the encrypted iPhone used by one of the San Bernardino terrorists, and it’s understandable why corporate decision makers have become increasingly nervous about the use of encryption.

But it’s important for IT security managers to reassure executives that encryption remains one of the most effective ways to protect data, while at the same time accepting that IT professionals can improve the standard way of addressing SSL issues. Rather than using tools to inspect and decrypt SSL messages indiscriminately, IT security professionals should instead leverage solutions that give them granular control over SSL traffic to decrypt data only when there’s a good reason to.

It is because of the effectiveness of encryption that many of the recent problems have occurred. The San Bernardino case, for instance, proved encryption can be so difficult to break that it seemed only Apple itself could get into the terrorist’s iPhone. Ransomware cases, in which cybercriminals lock up victims’ data and demand ransom to give users access back to their files, also prove how tough encryption is to break.

The problem is the misuse of encryption, which effectively turns the cure into the disease. That is what happens when attackers hide their traffic inside SSL sessions that security controls cannot see into, a practice that research firm Gartner says is getting worse. By 2017, more than half of cyber attacks on enterprises “will use encrypted traffic to bypass controls,” Gartner has predicted; in 2013, when Gartner made its forecast, such attacks accounted for less than 5 percent.

And just as hackers increasingly use encrypted traffic to bypass traditional cybersecurity solutions, hackers are choosing targets that give them the largest possible number of victims. So whether it is targeting Microsoft Windows users or exploiting vulnerabilities in widely used JavaScript downloader files to deliver malicious payloads, hackers are increasingly using SSL-encrypted traffic to stay hidden.

Hackers are becoming increasingly adept at sending threats through SSL traffic. ITProPortal recently listed five of these major “blind spot” threats: malware hidden in email or instant messages; malware distributed through social media; web app and DDoS (distributed denial of service) attacks; data exfiltration by insiders hiding the data in SSL; and malware communications between infected machines and command-and-control servers.

So we are left with organizations increasingly using encryption to protect their sensitive data but at the same time, facing an onslaught of encrypted attacks. The trick now is finding an effective way of preventing the cure from becoming the disease. One option that IT pros (including the author of the above ITProPortal blog) often suggest is to deploy tools that inspect and decrypt SSL traffic, but this approach can be problematic.

Decrypting SSL messages can violate privacy regulations in some cases, and some countries outlaw the practice. Allowing exceptions for regulated or BYOD traffic is one solution, but when those exceptions are handled crudely, users get certificate warnings they don’t understand, or administrators turn SSL inspection off altogether, defeating its purpose.

The only answer is granular control of SSL traffic: rather than decrypting all traffic indiscriminately, organizations can manage workgroup directories, parts of websites, domains and individuals separately, so that decryption and inspection occur only when necessary and productivity and compliance issues are avoided.

With the proper controls in place, organizations don’t have to fear encryption. Hackers can only succeed in exploiting encryption when organizations lack the right tools to fight back.

About the author: Peter Martini is President of iboss Cybersecurity, a rapidly growing cybersecurity firm focused on defending today’s borderless networks against malware, advanced threats and data loss with an innovative direct-to-cloud, containerized, node-based approach. Unlike legacy technology focused solely on keeping malware out, iboss offers a balanced cybersecurity approach with equal emphasis on prevention, detection and containment to reduce damaging loss from data breaches. Backed by patented, next-generation technology and unparalleled visibility across all inbound/outbound data channels, iboss next-gen technology provides better security weapons to reveal blind spots, detect breaches and minimize the consequences of data exfiltration.

SAP Security Notes June 2016 - Review
Wed, 15 Jun 2016 11:50:45 -0500

SAP has released the monthly critical patch update for June 2016. This patch update closes 21 vulnerabilities in SAP products, comprising 15 SAP Security Patch Day Notes and 6 Support Package Notes. 8 of the Notes were released between the second Tuesday of the previous month and the second Tuesday of this month, and 3 are updates to previously released Security Notes.

3 of the closed SAP Security Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score among the vulnerabilities is 9.1.

[Chart: SAP Security Notes June 2016 by priority]

Most of the discovered vulnerabilities belong to the SAP NetWeaver ABAP platform, the oldest and the most widespread one. It is the backend platform for most of the common business applications such as ERP, CRM, SRM, and PLM.

[Chart: SAP Security Notes June 2016 by platform]

The most common vulnerability types are Cross-site scripting and Missing authorization check.


This month, 4 critical vulnerabilities identified by ERPScan’s researchers Nursultan Abubakirov, Alexander Polyakov, and Vahagn Vardanyan were closed.

How long does it take a vendor to patch an issue?

Third-party researchers discover security issues in various products daily. A responsible vendor usually tries to fix an issue in a timely fashion; as a rule, it takes a vendor approximately 1-3 months to release a patch. Some vulnerabilities, especially architectural ones, are not easy to close, however. For SAP, rough estimates put the time required to patch a security issue at about 3 months.

This month, SAP fixed a vulnerability detected by ERPScan researcher Alexander Polyakov 3 years ago. The identified cybersecurity issue is an Information Disclosure vulnerability in BI Reporting and Planning of the Business Warehouse (BW) component. The product can transform and consolidate business information from virtually any source system.

The issue was reported on 20 April 2013, so it took SAP more than 3 years to fix it. Moreover, not all companies apply a patch once it is released: as the Invoker Servlet case shows, SAP systems sometimes stay unpatched for 5 years after a Security Note is published. Although the CVSS v3 base score is a moderate 5.3/10, the vulnerability lets an attacker discover information useful for further attacks, so leaving it unpatched put companies at real risk.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.

  • A Cross-site scripting vulnerability in SAP ecattping (CVSS Base Score: 6.1). Update is available in SAP Security Note 2256178. An attacker can use Cross-site scripting vulnerability to inject a malicious script into a page.
  • An Information disclosure vulnerability in SAP BI Reporting and Planning (CVSS Base Score: 5.3). Update is available in SAP Security Note 2197262. An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) which will help an attacker to learn about a system and to plan further attacks.
  • A Denial of service vulnerability in SAP Sybase SQL Anywhere MobiLink Synchronization Server (CVSS Base Score: 4.9). Update is available in SAP Security Note 2308778. An attacker can use a Denial of service vulnerability to terminate the process of a vulnerable component. Until it is restarted, nobody can use the service, which disrupts business processes and, through the resulting downtime, damages business reputation.
  • A Directory traversal vulnerability in SAP Data Services (CVSS Base Score: 2.7). Update is available in SAP Security Note 2300346. An attacker can use a Directory traversal to access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

Other critical issues closed by SAP Security Notes June 2016

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2306709: SAP Documentation and Translation Tools has a Code injection vulnerability (CVSS Base Score: 9.1). Depending on the code, an attacker can inject and run their own code, obtain additional information that should not be displayed, modify or delete data, modify the system output, create new users with higher privileges, control the behavior of the system, escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent these risks.
  • 2222731: SAP DesignStudio SFIN has a Cross-site scripting vulnerability (CVSS Base Score: 8.8). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. Install this SAP Security Note to prevent these risks.
  • 2308217: SAP Web-Survey has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted, unauthorized XML requests that the XML parser will process, and thereby gain unauthorized access to the OS filesystem. Install this SAP Security Note to prevent these risks.

It is highly recommended that SAP customers patch all those SAP vulnerabilities to prevent business risks affecting SAP systems.

As is its tradition, SAP has thanked the ERPScan security researchers for the vulnerabilities they found on its acknowledgment page.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Copyright 2010 Respective Author at Infosec Island
Why Your Next Generation Firewall Cannot Prevent Next Generation Threats
Wed, 15 Jun 2016 07:30:00 -0500

As one of our customers said to me during the course of our conversation, changing a rule on a Next Generation firewall takes “an act of God”. The procedures that have been instituted inside enterprises prevent easy changes to firewall policies. Today, organizations are deploying NG firewalls on the internal network to control access and prevent breaches. The solution is, at best, limited. These firewalls cannot detect breaches or stop insider threats. There are three main reasons:

  • Policies are static and cannot adapt to dynamic threats
  • Inability to learn and characterize User Behavior
  • Lack of granularity in the ability to respond to a threat or compromise

First, Next Generation firewalls are very deterministic in designating what is good and what is bad. What we have learned from insider threats and security breaches is that malicious attackers emulate the behavior of legitimate users, often by using compromised credentials. So, while the user may be legitimate, the behavior of someone using those credentials will not be so. This is not very different when an insider decides to misuse their credentials. NG firewalls will ensure the user is legitimate and will allow access if the credentials are legitimate.

Second, while it is possible to gather user profiles and create detailed firewall rules, it is not practical. User roles change, their projects change, their groups change, etc. For a firewall administrator to keep up with these changes in order to maintain security is impractical, if not impossible. Learning, characterizing and gaining a deeper understanding of every user and entity on the network is a requirement for stopping the next compromise, and NG firewalls are not built to handle such frequent changes.

Third, when a threat is detected, if the only responses that can be employed are “Allow” or “Block”, then any false positive or legitimate change in behavior can lead to preventing a user from doing his or her job. Hence, it is rare to see “Block” rules within the Intrusion Detection and Prevention modules of NG firewalls. Security administrators don’t want to be fired for blocking the CEO’s network traffic due to a false alert. Threats of unconfirmed severity and confidence need a more graduated response.

So, if you wish to detect and block such insider threats and security breaches, what you need is a Behavioral Firewall. There are three key capabilities in a Behavioral Firewall that overcome the limitations of NG firewalls:

  • They have the ability to learn user behavior
  • Policies dynamically evolve to match user behavior
  • Responses are fine grained so business process is not impacted

Behavioral Firewalls provide visibility into risky users, endpoints, stale or compromised accounts and privileged user behavior. By monitoring and learning the behavior of every user, group and device on the network including when/where they log in, their role, their system privileges, strength of passwords, and more, Behavioral Firewalls can characterize the expected and normal behavior of users and endpoints.

Once such a baseline is generated, policies, created either automatically or manually, determine how to respond to different kinds of threats. For example, if a user accesses a set of network servers from a remote location, which he has not done before, and this is out of the norm for the organization, the system can request a confirmation of identity via 2FA. Or, the security administrator can create a rule that disallows access to new servers from a remote location. Building such a policy gives the security administrator confidence that when a likely threat is identified, the system will be able to detect and respond to it.

Finally, responding to a threat, especially one of unconfirmed severity, is a gamble. What is required are fine-grained automated response mechanisms, such as two-factor authentication, notify, re-authenticate, etc., in addition to the normal NG firewall responses of Allow and Block. Such granularity ensures that security is maintained while legitimate users are not prevented from getting their jobs done.
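The baseline-then-graded-response loop described above, as an added example (not code from the article or any vendor product): the learned per-user profile answers each access event with allow, notify, require 2FA or block, a manually written rule can override it, and only confirmed-benign events feed back into the baseline. The location labels, the access history and the meaning of "out of the norm for this organization" (a server nobody in the org has reached remotely) are assumptions.

```python
"""Toy behavioral-firewall policy engine: learn a per-user baseline, then answer
each access event with a graded response instead of a bare allow/block."""
from collections import defaultdict

ALLOW, NOTIFY, REQUIRE_2FA, BLOCK = "allow", "notify", "require_2fa", "block"
REMOTE = frozenset({"vpn", "internet"})      # assumed set of "remote" location labels

# Constructed history: ordinary access over a learning window (not real data).
HISTORY = [
    {"user": "alice", "server": "fileshare-01", "location": "hq"},
    {"user": "alice", "server": "wiki-01", "location": "hq"},
    {"user": "alice", "server": "wiki-01", "location": "vpn"},
    {"user": "bob", "server": "db-01", "location": "hq"},
    {"user": "bob", "server": "db-01", "location": "hq"},
]


def learn_baseline(history):
    """Per user: servers and locations seen. Org-wide: servers anyone reaches remotely,
    which is what "out of the norm for this organization" is taken to mean here."""
    users = defaultdict(lambda: {"servers": set(), "locations": set()})
    org_remote_servers = set()
    for ev in history:
        users[ev["user"]]["servers"].add(ev["server"])
        users[ev["user"]]["locations"].add(ev["location"])
        if ev["location"] in REMOTE:
            org_remote_servers.add(ev["server"])
    return {"users": dict(users), "org_remote_servers": org_remote_servers}


def no_new_servers_from_remote(event, profile):
    """A manually written rule, as in the article: block new servers from a remote location."""
    if event["location"] in REMOTE and event["server"] not in profile["servers"]:
        return BLOCK
    return None


def decide(event, baseline, manual_rules=()):
    """Graded response for one access event. Manual rules run first so an administrator's
    explicit policy wins; otherwise the learned profile decides."""
    profile = baseline["users"].get(event["user"])
    if profile is None:
        return REQUIRE_2FA        # unknown or stale account: confirm identity before anything else
    for rule in manual_rules:
        verdict = rule(event, profile)
        if verdict is not None:
            return verdict
    new_server = event["server"] not in profile["servers"]
    new_location = event["location"] not in profile["locations"]
    if (event["location"] in REMOTE and new_server
            and event["server"] not in baseline["org_remote_servers"]):
        return REQUIRE_2FA        # the article's example: new servers, remotely, unusual for the org
    if new_server or new_location:
        return NOTIFY             # a deviation, but not enough confidence to interrupt the user
    return ALLOW


def record_outcome(event, baseline, confirmed):
    """Feed the event back into the baseline only once it is confirmed benign (e.g. the
    2FA challenge passed), so role changes are learned but unconfirmed events are not."""
    if not confirmed:
        return
    profile = baseline["users"].setdefault(event["user"], {"servers": set(), "locations": set()})
    profile["servers"].add(event["server"])
    profile["locations"].add(event["location"])
    if event["location"] in REMOTE:
        baseline["org_remote_servers"].add(event["server"])


if __name__ == "__main__":
    base = learn_baseline(HISTORY)
    probe = {"user": "alice", "server": "hr-01", "location": "vpn"}
    print(decide(probe, base))                                             # require_2fa
    print(decide(probe, base, manual_rules=(no_new_servers_from_remote,)))  # block
```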

NG firewalls had a good ten-year run and are still good for the network perimeter. But when it comes to protecting the inside of the enterprise perimeter, they lack significant capabilities, and it is unclear how they could be redesigned to overcome such limitations.

Beyond Phishing: What You Need to Know About Whaling
Mon, 13 Jun 2016 14:40:00 -0500

First, there was phishing…

Then came spear phishing…

Now there is whaling — and other new sophisticated social engineering techniques. The bad guys are quickly modifying their deceptive practices and here’s what you need to know.

You're Gonna Need a Bigger Boat

Just when you thought you had seen it all regarding online phishing scams, along comes a new round of deceptive emails, phone calls, instant messages and even traditional printouts from your fax machine. And these revamped social engineering approaches are working, fueling a continuing surge in cybercrime.

For companies and for individuals, the stakes online remain very high. Phishing impacts are affecting brand reputation, personal careers and the financial bottom line. What’s scary is that the bad guys are often using hijacked email accounts and other legitimate business channels. The goal: to trick efficiency-minded professionals into carrying-out their online crimes.

So what’s new?

Several recent “whaling” stories have emerged that don’t involve employees clicking on links or becoming infected with malware. Rather, the criminals first conduct extensive surveillance and gain the required internet credentials. Then a highly targeted end user is tricked into making a fund transfer or authorizing a pending transaction based on an email from their CEO’s personal email account.

For example, this recent story about Alpha Payroll shows how an employee complied with a request that appeared to come from Alpha Payroll's CEO. The fake email requested: “Copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers.”

Here are some additional details:

“Later, on April 8 after an Alpha Payroll customer reported their staff had fraudulent tax returns filed under their Social Security numbers — an internal investigation discovered the successful phishing attack...

Several experts have reached out to suggest that an internal policy against sharing W-2 data was at play here, which could be the reason for the (the employee’s) termination.”

In April 2016, the Phoenix Division of the FBI formally warned businesses about the dramatic increase in business email compromise (BEC) scams.

According to the FBI press release:

"The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.

There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to nonprofit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.

  • Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
  • From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
  • This amounted to more than $2.3 billion in losses.
  • Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
  • In Arizona the average loss per scam is between $25,000 and $75,000."

A Quick Tutorial from Phishing to Whaling

Online phishing scams are evolving rapidly. We all need to take note and not let our guards down.

Before offering some practical tips, I’d like to quickly recap the different types of phishing attacks that are ongoing, many of which have been around for several years.

Please note that phishing can be delivered in a variety of forms (or channels). While most people focus on email phish, text messages, faxes, Facebook or LinkedIn updates and even traditional phone calls are commonly used channels to deliver phish. The message will ask you to take an action such as clicking on a link, calling a phone number or performing some other transaction.

First, we have traditional phishing. According to Security Mentor, phishing, like its namesake “fishing,” uses bait to lure a target into getting hooked. In phishing, the bait is a clever message and you are the fish. We fall for the phishing bait, because the phishers are masters of disguise. The bad guys play on our emotions and desires.

Most phishing scams cast a wide net that tries to get a reaction from as many people as possible. They do this by imitating trusted brands such as Walmart, PayPal, eBay, Google or Microsoft (or others) in their messages.

Second, the wide net cast by phishing campaigns became more sophisticated and “spear phishing” started to become more common. Spear phishing is similar to phishing, except the attack is more targeted, sophisticated and often appears to be from someone you know such as a company colleague, your bank, a family member or a friend. The message may include personal information like your name, where you work, and perhaps even a phone number or other related personal information.

Spear phishing has become a huge challenge for global enterprises to defend against. Clicking on these links can open an organization up to malware leading to data loss, identity theft and even ransomware, which can encrypt system data until a ransom is paid to the attacker.

Over the past few years, spear phishing has become a preferred method for cybercriminals to infiltrate organizations, with numerous large breaches that began by gaining user credentials via spear phishing. This blog lists 10 top spear phishing attacks, calling spear phishing the secret weapon in the worst cyberattacks. The same blog also points to a study of 300 firms in the US and UK reporting that 38 percent of cyberattacks in the past 12 months came from spear phishing.

Third, we have the new trend which many are now calling “whaling,” since the bad guys are going after the biggest of fish in super-sized spear phishing attacks. As the FBI press release mentions above, the goal is: “to assume the identity of the CEO, a company attorney or trusted vendor.” This can happen in a variety of ways, including the use of company insiders who provide access to sensitive people, process or technology needed to succeed in the fraud.

How Can Enterprises Prepare?

So what can be done to lower the risk of whaling and other new social engineering techniques, which are sure to arise over the coming few years?

Here are five strategies to consider:

  • Train on security awareness and train staff again. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyber threats that are emerging. Remember, this is NOT just about clicking on links.
  • Provide a detailed briefing “roadshow” on whaling and the latest online fraud techniques to key staff. Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action, usually bypassing normal procedures and/or controls.
  • Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
  • Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
  • Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
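The “out of band” policy from the list above, turned into a mail-triage check as an added example (not from the article, the FBI release or any product): an executive’s display name arriving from a personal or lookalike mailbox is the red flag, and when that is paired with a request for funds or W-2 data the message is held for verification through a separately known channel rather than delivered. The company domain, executive directory, keyword lists and sample messages are all constructed.

```python
"""Mail-triage check for executive-impersonation (whaling) requests."""
import re
from dataclasses import dataclass

CORP_DOMAIN = "corp.example"                                   # constructed
# Display names a whaling mail would impersonate, mapped to the real corporate mailbox.
EXECUTIVES = {"jane doe": "jane.doe@corp.example", "tom lee": "tom.lee@corp.example"}
HIGH_RISK = re.compile(
    r"\b(w-?2s?|wire transfer|wire|payroll|gift cards?|account (?:details|number))\b", re.I)
PRESSURE = re.compile(
    r"\b(urgent|immediately|today|asap|confidential|don't discuss|do not discuss)\b", re.I)

HOLD, WARN, DELIVER = "hold_for_out_of_band_verification", "warn_recipient", "deliver"


@dataclass
class Mail:
    from_name: str
    from_addr: str
    subject: str
    body: str
    reply_to: str = ""


def mail_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def triage(mail: Mail):
    """Return (action, findings). A message is held when an impersonation signal is paired
    with a request for money or sensitive data, the pattern the FBI release describes."""
    findings = []
    name = " ".join(mail.from_name.lower().split())
    sender = mail.from_addr.lower()
    sender_domain = mail_domain(sender)
    # The article's red flag: an executive's name arriving from a non-corporate mailbox.
    if name in EXECUTIVES and sender != EXECUTIVES[name]:
        findings.append(f"display name '{mail.from_name}' but sender is {sender}")
    # Lookalike domain: shares the company token but is not the real domain.
    if sender_domain != CORP_DOMAIN and CORP_DOMAIN.split(".")[0] in sender_domain:
        findings.append(f"lookalike domain {sender_domain}")
    if mail.reply_to and mail_domain(mail.reply_to) != sender_domain:
        findings.append("reply-to points to a different domain")
    text = f"{mail.subject}\n{mail.body}"
    high_risk = HIGH_RISK.search(text) is not None
    if high_risk:
        findings.append("requests funds or sensitive data")
    if PRESSURE.search(text):
        findings.append("urgency or secrecy language")
    impersonation = any(f.startswith(("display name", "lookalike", "reply-to")) for f in findings)
    if impersonation and high_risk:
        return HOLD, findings
    if high_risk or impersonation:
        return WARN, findings
    return DELIVER, findings


# Constructed sample messages.
WHALING = Mail("Jane Doe", "jane.doe.ceo@gmail.com", "Urgent request",
               "Send copies of all 2015 W-2 forms today. Keep this confidential.")
NORMAL = Mail("Jane Doe", "jane.doe@corp.example", "Lunch", "Team lunch Friday?")

if __name__ == "__main__":
    for m in (WHALING, NORMAL):
        action, why = triage(m)
        print(action, why)
```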

Yes — you should test staff with occasional phishing exercises, but don’t just measure clicking of links. The bad guys know that links set off alarms for many, so many of the biggest whaling incidents do not include clicking on links.

The enemy wants to gain staff trust, and they often include a combination of techniques to get employees to eventually take action.

Ask your staff: “What would you do if you were an outsider trying to gain access?”

Final Thoughts

As we develop new protections and alerts, the bad guys will adapt again and again. This is an ongoing cyber battle. In my view, whaling is “phishing 3.0.” There will be a 4.0 and a 5.0, to attempt to infiltrate organizational processes.

Are you prepared?

Do you have an ongoing security awareness training program?

The main thing is to continually educate staff to understand these new cyber threats and evolving risks faced every time we go online. The huge ongoing challenge is to continue to guide and enable staff to innovate, increase efficiency and reduce bureaucracy, while at the same time demonstrate a healthy, well-informed view of risks and online fraud. They also need to know what to do if they suspect inappropriate actions or a scam.

As Abraham Lincoln said in a letter written back in 1848: “You cannot fail in any laudable object, unless you allow your mind to be improperly directed.”

Note: An earlier version of this article was published on Government Technology.

Android N Deprecating Crypto Provider and SHA1PRNG Algorithm
Mon, 13 Jun 2016 12:38:05 -0500

The Android N operating system version will no longer use the Crypto provider and the SHA1PRNG algorithm, Google announced.

Google’s plan to modify the key derivation function (KDF) in Android is triggered by the company’s attempt to improve the cryptography features of the platform. Developers with applications that derive keys using the SHA1PRNG algorithm from the Crypto provider need to be looking for another key derivation function and possibly re-encrypt data, Sergio Giro, software engineer, Google, says.

Giro explains that the Java Cryptography Architecture employed by Android allows developers to create an instance of a class like a cipher, or a pseudo-random number generator, using different calls. However, while Google doesn’t recommend specifying the provider, there are calls to the Java Cryptography Extension (JCE) APIs that specify it, and many apps rely on the “Crypto” provider for an anti-pattern of key derivation.

According to Giro, the provider only offered an implementation of the SHA1PRNG algorithm for instances of SecureRandom, and this algorithm is not cryptographically strong. In fact, researchers have demonstrated that the “random” sequence, considered in binary form, is inclined towards returning 0s, and this worsens depending on the seed.

“As a result, in Android N we are deprecating the implementation of the SHA1PRNG algorithm and the Crypto provider altogether,” Giro says. “A common but incorrect usage of this provider was to derive keys for encryption by using a password as a seed. The implementation of SHA1PRNG had a bug that made it deterministic if setSeed() was called before obtaining output,” he adds.

The flawed pattern consists of seeding the generator with a password and then using its ‘random’ output bytes as the key. However, ‘random’ in this context means ‘predictable and cryptographically weak’, Giro notes. The key is then used for the encryption and decryption of data.

The engineer says that there are different ways to derive keys correctly, and offers a full example. For developers who have data encrypted with an insecure key and want an easier transition, an example app is available, with a helper class created specifically for such situations. “You can then re-encrypt your data with a securely derived key as explained above, and live a happy life ever after,” Giro notes.
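The two shapes contrasted above, as an added example (not Google’s code and not Android’s actual SHA1PRNG): a generator seeded with the password and read out as a key is a function of the password alone, while a real KDF takes a per-user random salt and a work factor that are stored next to the ciphertext. The iteration count is an assumption, and the migration helper takes the app’s own encrypt/decrypt callables as parameters rather than implementing a cipher.

```python
"""Why a password-seeded PRNG is not a KDF, and what to derive and store instead."""
import hashlib
import hmac
import os

KEY_LEN = 32            # 256-bit key
ITERATIONS = 200_000    # assumed work factor; tune to the device


def weak_derive_key(password: bytes) -> bytes:
    """Anti-pattern (modelled, not Android's SHA1PRNG): a generator seeded with the
    password and read out as the key. Everything is a function of the password alone,
    with no salt and one fast hash per block, so two users with the same password get
    the same key, and guessing the password yields the key at the cost of one hash."""
    out, counter = b"", 0
    while len(out) < KEY_LEN:
        out += hashlib.sha1(password + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:KEY_LEN]


def derive_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Correct shape: a real KDF with a per-user random salt and a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)


def new_key_record(password: bytes) -> dict:
    """Salt and iteration count are stored beside the ciphertext; the key itself is not."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "key": derive_key(password, salt)}


def rederive(password: bytes, record: dict) -> bytes:
    """Reproduce the key from the stored parameters at decryption time."""
    return derive_key(password, record["salt"], record["iterations"])


def migrate(password: bytes, old_ciphertext: bytes, decrypt, encrypt):
    """Migration path from the post: decrypt with the weak key, re-encrypt under a
    properly derived one. `decrypt`/`encrypt` are assumed AEAD callables
    (key, data) -> data supplied by the application, not implemented here."""
    plaintext = decrypt(weak_derive_key(password), old_ciphertext)
    record = new_key_record(password)
    return record, encrypt(record["key"], plaintext)


def keys_equal(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, so key checks do not leak through timing."""
    return hmac.compare_digest(a, b)
```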

To ensure that applications continue to work, Google is keeping the Crypto provider in the Android SDK version 23, for Marshmallow and earlier operating system iterations. However, developers are advised to move away from the provider, as it will be completely deleted from the SDK in the future.

“Because many parts of the system assume the existence of a SHA1PRNG algorithm, when an instance of SHA1PRNG is requested and the provider is not specified we return an instance of OpenSSLRandom, which is a strong source of random numbers derived from OpenSSL,” Google’s engineer also explains.

The deprecation of the Crypto provider is yet another step Google is making toward improved user data security in Android, after it announced that full device encryption was mandatory for new devices in Android Marshmallow. Earlier this year, the company revealed that it was performing 400 million Android security scans daily to ensure the safety of its users.

Related: Reuse of Cryptographic Keys Exposes Millions of IoT Devices: Study

Microsoft Blocks Certain Passwords
Fri, 10 Jun 2016 08:25:19 -0500

Microsoft took a unique step recently and began disallowing certain common passwords on a number of platforms, including Xbox Live and Office 365, and will soon apply the rules to Azure Active Directory in the cloud. The starting point for the Microsoft list was the SplashData annual “Worst Password List”, which includes such gems as “12345,” “qwerty” and “password.” Users attempting to provide one of these as a password are met with the warning “Choose a password that’s harder for people to guess” and are forced to come up with something more inventive and, hopefully, more secure.

While this initiative by Microsoft should certainly help stop individual users’ accounts from being hacked, it does not really accomplish anything for the large population of corporate users authenticating to the company network. A few versions ago, Microsoft implemented fine-grained password policies in Active Directory, which was seen as a huge advantage, since different types of users in the organization could have different password requirements. For example, a salesperson may be required to use an eight-character password drawing on two of the four character classes (capital letters, lower-case letters, numbers and special characters), while a systems administrator may be required to use a 12-character password with three classes. Other items that could be varied by group included password history and minimum and maximum password age.

This was a step in the right direction, but it did not prevent people from using simple words to fulfill the requirements, or from incrementing, i.e. using “Password.1” and then “Password.2” and so on. It also did not prevent users from using the company name, their own name, etc. As long as the password complied with the basic criteria, it would be accepted.

There are commercially available applications that address this issue for the corporate network and, at the same time, provide a user friendly graphical user interface (GUI) to show that the password they are typing is complying with the complex rules. For example, rules can be set to disallow use of repeating characters and incrementing, as well as any number of special cases, including a dictionary of specific, excluded words.

When coupled with a self-service password reset application, turning on complex passwords for an organization can be relatively pain free and need not place an additional burden on the IT department or the helpdesk. The applications function much like a banking website: users enroll via a series of selectable challenge questions and provide answers. Should they forget their complex password, they can reset it on their own from either a website or a “Forgot My Password” link on the Windows login screen.

The steps Microsoft is taking are definitely a move in the right direction to protect users from social hacking with easily guessable passwords. Applications like a password complexity manager and self-service password reset can help protect enterprises from the same issue without increasing the workload on the IT department. Hopefully, when next year’s list of worst passwords is released, it will be significantly shorter, or at least contain something more difficult to guess than “password.”
