Infosec Island Latest Articles
https://www.infosecisland.com
Adrift in Threats? Come Ashore!

What a Risk-Based Approach to Security Means for Your Business
https://www.infosecisland.com/blogview/24778-What-a-Risk-Based-Approach-to-Security-Means-for-Your-Business.html
Mon, 20 Jun 2016 08:00:00 -0500

As cyber security risks increase in number and sophistication, organizations need to switch from responding to incidents to identifying and preventing them before they occur.

Developing a robust risk-based approach to security needs to focus on supporting organizations to prioritize information security threats, understand the techniques that may be employed as part of the attack and evaluate the capability of controls to prevent, detect and respond to an attack. Without this knowledge, an organization will struggle to determine the level of exposure to particular threats and if their cyber incident response plans are structured and ready to address these threats when they arise.

Protecting Your Most Sensitive Information

Executives are familiar with the massive benefits of cyberspace and how the Internet, and today’s growing usage of connected devices, greatly increases innovation, collaboration, efficiency, competitiveness and commitment to customers. Unfortunately, many struggle with assessing the risks versus the rewards.

One thing that businesses must do in this day and age is ensure they have standard security measures in place. One example of guidelines would be the Information Security Forum (ISF) Standard of Good Practice (The Standard).

The Standard is used by many international organizations as their primary reference for information security. It addresses the rapid pace at which threats and risks evolve and an organization’s need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, BYOD, the Cloud, insiders and espionage. As a result, The Standard helps the ISF and our members maintain their position at the leading edge of good practice in information security.

Institute a Risk Assessment Process

At the ISF, we define Information Risk Assessment as the process of assessing potential business impact, evaluating threats and vulnerabilities and selecting appropriate treatment to meet the business requirement for information security.

Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of risks to information that could compromise success.

A piece of supplementary material that I advocate reviewing is the ISF Threat Radar. The Threat Radar plots the ability to manage a threat against its potential level of impact, thus helping to determine its relative importance for an individual organization. It can also demonstrate any likely change that may happen over the period in discussion using arrows.

It is imperative to remember that it is not practicable to defend against all threats. An organization therefore needs to look closely at its resilience: that is, what plans and arrangements are in place to minimize impact, speed recovery and learn from incidents, in order to further minimize impact in the future.

Further details on cyber resilience are available in our report Cyber Security Strategies: Achieving Cyber Resilience.

Preparing Your People

Many organizations recognize their people as their biggest asset. However, they still fail to recognize the need to secure the human element of information security. In essence, people should be an organization’s strongest control.

However, instead of simply making people aware of their information security responsibilities and how they should respond, the answer for organizations is to embed positive information security behaviors that will result in their behavior becoming a habit and part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real driver should be risk, and how changing employee behaviors can reduce that risk.

The position that disclosure will be more destructive than the data theft itself is a sure-fire way to damage customer trust. However, advance planning is often lacking, as are the services of tech-literate public relations departments. The lesson that we tell ISF members is to carefully consider how to respond, because your organization can’t control the news once it becomes public. I strongly recommend running simulations with your public relations firm so that you are better prepared to respond following a breach.

Focus on the Need for Cyber Resilience

Businesses are functioning in a progressively cyber-enabled world, and traditional risk management isn’t nimble enough to deal with the risks from cyberspace activity. To put things in simple terms: enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling.

As global businesses, governments, and economies grow more interdependent, knowing how to build cyber resilient organizations will be vital to more than cyber security. We no longer hide behind impermeable walls, rather, we operate as part of an interconnected whole. The strength to absorb the blows and forge ahead is essential to competitive advantage and growth, in cyberspace and beyond.   

Copyright 2010 Respective Author at Infosec Island
Don't Let the Cure Become the Disease: Granular Control Is the Only Answer to Security Woes Caused By Encryption
https://www.infosecisland.com/blogview/24777-Dont-Let-the-Cure-Become-the-Disease-Granular-Control-Is-the-Only-Answer-to-Security-Woes-Caused-By-Encryption.html
Mon, 20 Jun 2016 04:30:31 -0500

Encryption has gotten a bad rap lately, thanks to a rash of SSL (Secure Sockets Layer) security bugs that is expected to get even worse in coming years. Add to that the recent standoff between the FBI and Apple Inc. over the encrypted iPhone used by one of the San Bernardino terrorists, and it’s understandable why corporate decision makers have become increasingly nervous about the use of encryption.

But it’s important for IT security managers to reassure executives that encryption remains one of the most effective ways to protect data, while at the same time accepting that IT professionals can improve the standard way of addressing SSL issues. Rather than using tools to inspect and decrypt SSL messages indiscriminately, IT security professionals should instead leverage solutions that give them granular control over SSL traffic to decrypt data only when there’s a good reason to.

It is because of the effectiveness of encryption that many of the recent problems have occurred. The San Bernardino case, for instance, proved encryption can be so difficult to break that it seemed only Apple itself could get into the terrorist’s iPhone. Ransomware cases, in which cybercriminals lock up victims’ data and demand ransom to give users access back to their files, also prove how tough encryption is to break.

The problem is the misuse of encryption, which effectively turns the cure into the disease. That’s what happens when hackers exploit SSL bugs to break into networks – a practice that research firm Gartner says is getting worse. In 2017, more than half of cyber attacks on enterprises “will use encrypted traffic to bypass controls,” Gartner has predicted. In 2013, when Gartner made its dire forecast, such attacks accounted for less than 5 percent.

And just as hackers increasingly use encrypted traffic to bypass traditional cybersecurity solutions, hackers are choosing targets that give them the largest possible number of victims. So whether it is targeting Microsoft Windows users or exploiting vulnerabilities in widely used JavaScript downloader files to deliver malicious payloads, hackers are increasingly using SSL-encrypted traffic to stay hidden.

Hackers are becoming increasingly adept at sending threats through SSL traffic. ITProPortal recently listed five of these major “blind spot” threats: malware hidden in email or instant messages; malware distributed through social media; web app and DDoS (distributed denial of service) attacks; data exfiltration by insiders hiding the data in SSL; and malware communications between infected machines and command-and-control servers.

So we are left with organizations increasingly using encryption to protect their sensitive data but at the same time, facing an onslaught of encrypted attacks. The trick now is finding an effective way of preventing the cure from becoming the disease. One option that IT pros (including the author of the above ITProPortal blog) often suggest is to deploy tools that inspect and decrypt SSL traffic, but this approach can be problematic.

Decrypting SSL messages can violate privacy regulations in some cases, and some countries outlaw the practice. Allowing exceptions for regulated or BYOD traffic is one solution, but users get warning messages they don’t understand or administrators turn off SSL inspection, defeating its purpose.

The only answer is granular control of SSL traffic, so rather than decrypting all traffic indiscriminately, organizations can separately manage workgroup directories, parts of websites, domains and individuals. This way, decryption and inspection occur only when necessary, avoiding productivity and compliance issues.

With the proper controls in place, organizations don’t have to fear encryption. Hackers can only succeed in exploiting encryption when organizations lack the right tools to fight back.

About the author: Peter Martini is President of iboss Cybersecurity, a rapidly growing cybersecurity firm focused on defending today’s borderless networks against malware, advanced threats and data loss with an innovative direct-to-cloud, containerized, node-based approach. Unlike legacy technology focused solely on keeping malware out, iboss offers a balanced cybersecurity approach with equal emphasis on prevention, detection and containment to reduce damaging loss from data breaches. Backed by patented, next-generation technology and unparalleled visibility across all inbound/outbound data channels, iboss next-gen technology provides better security weapons to reveal blind spots, detect breaches and minimize the consequences of data exfiltration.

SAP Security Notes June 2016 - Review
https://www.infosecisland.com/blogview/24776-SAP-Security-Notes-June-2016-Review.html
Wed, 15 Jun 2016 11:50:45 -0500

SAP has released the monthly critical patch update for June 2016. This patch update closes 21 vulnerabilities in SAP products including 15 SAP Security Patch Day Notes and 6 Support Package Notes. 8 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 3 of all notes are updates to previous Security Notes.

3 of all closed SAP Security Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score of the vulnerabilities is 9.1.

SAP Security Notes June 2016 by priority

Most of the discovered vulnerabilities belong to the SAP NetWeaver ABAP platform, the oldest and the most widespread one. It is a backend platform for most of the common business applications such as ERP, CRM, SRM, and PLM.

SAP Security Notes June 2016 by platforms

The most common vulnerability types are Cross-site scripting and Missing authorization check.

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Nursultan Abubakirov, Alexander Polyakov, and Vahagn Vardanyan were closed.

How long does it take a vendor to patch an issue?

Third-party researchers discover numerous security issues in various products on a daily basis. A responsible vendor usually tries to fix an issue in a timely fashion. As a rule, it takes a vendor approximately 1-3 months to release a patch. However, some vulnerabilities are not easy to close (especially architectural ones). As far as SAP is concerned, the required time to patch a security issue is 3 months, according to rough estimations.

This month, SAP fixed a vulnerability detected by ERPScan researcher Alexander Polyakov 3 years ago. The identified cybersecurity issue is an Information Disclosure vulnerability in BI Reporting and Planning of the Business Warehouse (BW) component. The product can transform and consolidate business information from virtually any source system.

The issue was reported on the 20th of April, 2013. It means that it took SAP more than 3 years to fix the issue. Moreover, not all companies implement a patch after the release date. As the Invoker Servlet case shows, sometimes SAP systems stay unpatched even for 5 years after the Security Note release. Taking into account that the vulnerability impact is rather severe (CVSS v3 Base Score: 5.3/10), as it allows an attacker to discover information useful for further attacks, the unpatched vulnerability puts companies at serious risk.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.

  • A Cross-site scripting vulnerability in SAP ecattping (CVSS Base Score: 6.1). Update is available in SAP Security Note 2256178. An attacker can use Cross-site scripting vulnerability to inject a malicious script into a page.
  • An Information disclosure vulnerability in SAP BI Reporting and Planning (CVSS Base Score: 5.3). Update is available in SAP Security Note 2197262. An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) which will help an attacker to learn about a system and to plan further attacks.
  • A Denial of service vulnerability in SAP Sybase SQL Anywhere MobiLink Synchronization Server (CVSS Base Score: 4.9). Update is available in SAP Security Note 2308778. An attacker can use a Denial of service vulnerability to terminate a process of a vulnerable component. For this period of time, nobody can use this service, which negatively affects business processes, system downtime, and, as a result, business reputation.
  • A Directory traversal vulnerability in SAP Data Services (CVSS Base Score: 2.7). Update is available in SAP Security Note 2300346. An attacker can use a Directory traversal to access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

Other critical issues closed by SAP Security Notes June 2016

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2306709: SAP Documentation and Translation Tools has a Code injection vulnerability (CVSS Base Score: 9.1). Depending on the code, an attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the system output, create new users with higher privileges, control the behavior of the system, or potentially escalate privileges by executing malicious code or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
  • 2222731: SAP DesignStudio SFIN has a Cross-site scripting vulnerability (CVSS Base Score: 8.8). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. Install this SAP Security Note to prevent risks.
  • 2308217: SAP Web-Survey has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to the OS filesystem. Install this SAP Security Note to prevent risks.

It is highly recommended that SAP customers patch all those SAP vulnerabilities to prevent business risks affecting SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for found vulnerabilities on its acknowledgment page.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Why Your Next Generation Firewall Cannot Prevent Next Generation Threats
https://www.infosecisland.com/blogview/24775-Why-Your-Next-Generation-Firewall-Cannot-Prevent-Next-Generation-Threats.html
Wed, 15 Jun 2016 07:30:00 -0500

As one of our customers said to me during the course of our conversation, changing a rule on a Next Generation firewall takes “an act of God”. The procedures that have been instituted inside enterprises prevent easy changes to firewall policies. Today, organizations are deploying NG firewalls on the internal network to control access and prevent breaches. The solution is, at best, limited. These firewalls cannot detect breaches or stop insider threats. There are three main reasons:

  • Policies are static and cannot adapt to dynamic threats
  • Inability to learn and characterize User Behavior
  • Lack of granularity in the ability to respond to a threat or compromise

First, Next Generation firewalls are very deterministic in designating what is good and what is bad. What we have learned from insider threats and security breaches is that malicious attackers emulate the behavior of legitimate users, often by using compromised credentials. So, while the user may be legitimate, the behavior of someone using those credentials will not be so. This is not very different from when an insider decides to misuse their credentials. NG firewalls will ensure the user is legitimate and will allow access if the credentials are legitimate.

Second, while it is possible to get user profiles and create detailed firewall rules, it is not practical. User roles change, their projects change, their groups change, etc. For a firewall administrator to keep up with the changes to ensure security is impractical, if not impossible.  Learning, characterizing and gaining a deeper understanding of every user and entity on the network is a requirement to stop the next compromise, and NG firewalls are not built to handle such frequent changes.

Third, when a threat is detected, if the only responses that can be employed are “Allow” or “Block”, then any false positive or legitimate change in behavior can lead to preventing a user from doing his or her job. Hence, it is rare to see “Block” rules within the Intrusion Detection and Prevention modules of NG firewalls. Security administrators don’t want to be fired for blocking the CEO’s network traffic due to a false alert. Threats of unconfirmed severity and confidence need a more graduated response.

So, if you wish to detect and block such insider threats and security breaches, what you need is a Behavioral Firewall. There are three key capabilities in a Behavioral Firewall that overcome the limitations of NG firewalls:

  • They have the ability to learn user behavior
  • Policies dynamically evolve to match user behavior
  • Responses are fine grained so business process is not impacted

Behavioral Firewalls provide visibility into risky users, endpoints, stale or compromised accounts and privileged user behavior. By monitoring and learning the behavior of every user, group and device on the network including when/where they log in, their role, their system privileges, strength of passwords, and more, Behavioral Firewalls can characterize the expected and normal behavior of users and endpoints.

Once such a baseline is generated, then policies are created that can be generated both automatically and manually to determine how to respond to different kinds of threats. For example, if a user accesses a set of network servers from a remote location, which he has not done before, and it is out of the norm for this organization, the system can request a confirmation of identity via 2FA. Or, the security administrator can create a rule that disallows access to new servers from a remote location. Building such a policy gives the security administrator the confidence that when a likely threat is identified, the system will be able to detect and respond to such a threat.

Finally, responding to a threat, especially one of unconfirmed severity, is a gamble. What is required is fine-grained automated response mechanisms, such as 2 Factor Authentication, Notify, Re-authenticate, etc. in addition to normal responses from NG firewalls like Allow and Block. Such granularity can ensure that security is maintained while legitimate users are not prevented from getting their job done.

NG firewalls had a good ten year run and are still good for the network perimeter. But when it comes to protecting the inside of the enterprise perimeter, they lack significant capabilities and it is unclear how they can be redesigned to overcome such limitations.

Beyond Phishing: What You Need to Know About Whaling
https://www.infosecisland.com/blogview/24774-Beyond-Phishing-What-You-Need-to-Know-About-Whaling.html
Mon, 13 Jun 2016 14:40:00 -0500

First, there was phishing…

Then came spear phishing…

Now there is whaling — and other new sophisticated social engineering techniques. The bad guys are quickly modifying their deceptive practices and here’s what you need to know.

You're Gonna Need a Bigger Boat

Just when you thought you had seen it all regarding online phishing scams, along comes a new round of deceptive emails, phone calls, instant messages and even traditional printouts from your fax machine. And these revamped social engineering approaches are working — fueling a continuing surge in cybercrime.

For companies and for individuals, the stakes online remain very high. Phishing impacts are affecting brand reputation, personal careers and the financial bottom line. What’s scary is that the bad guys are often using hijacked email accounts and other legitimate business channels. The goal: to trick efficiency-minded professionals into carrying out their online crimes.

So what’s new?

Several recent “whaling” stories have emerged that don’t involve employees clicking on links or becoming infected with malware. Rather, first the criminals conduct extensive surveillance and gain the required internet credentials. Then a highly targeted end user is tricked into making a fund transfer or authorizing a pending transaction based on an email from their CEO’s personal email account.    

For example, this recent story about Alpha Payroll shows how an employee complied with a request that appeared to come from Alpha Payroll's CEO. The fake email requested: “Copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers.”

Here are some additional details:

“Later, on April 8 after an Alpha Payroll customer reported their staff had fraudulent tax returns filed under their Social Security numbers — an internal investigation discovered the successful phishing attack...

Several experts have reached out to suggest that an internal policy against sharing W-2 data was at play here, which could be the reason for the (the employee’s) termination.” 

In April 2016, the Phoenix Division of the FBI formally warned businesses about the dramatic increase in business email compromise scams (BEC).

According to the FBI press release:

"The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.

There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to nonprofit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.

  • Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
  • From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
  • This amounted to more than $2.3 billion in losses.
  • Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
  • In Arizona the average loss per scam is between $25,000 and $75,000."

A Quick Tutorial from Phishing to Whaling

Online phishing scams are evolving rapidly. We all need to take note and not let our guards down.

Before offering some practical tips, I’d like to quickly recap the different types of phishing attacks that are ongoing — many of which have been around for several years.

Please note that phishing can be delivered in a variety of forms (or channels). While most people focus on email phish, text messages, faxes, Facebook or LinkedIn updates or even traditional phone calls are commonly used channels to deliver phish. The message will ask you to take an action such as clicking on a link, calling a phone number or performing some other transaction.  

First, we have traditional phishing. According to Security Mentor, phishing, like its namesake “fishing,” uses bait to lure a target into getting hooked. In phishing, the bait is a clever message and you are the fish. We fall for the phishing bait, because the phishers are masters of disguise. The bad guys play on our emotions and desires.

Most phishing scams cast a wide net that tries to get a reaction from as many people as possible. They do this by imitating trusted brands such as Walmart, PayPal, eBay, Google or Microsoft (or others) in their messages. 

Second, the wide net cast by phishing campaigns became more sophisticated and “spear phishing” started to become more common. Spear phishing is similar to phishing, except the attack is more targeted, sophisticated and often appears to be from someone you know such as a company colleague, your bank, a family member or a friend. The message may include personal information like your name, where you work, and perhaps even a phone number or other related personal information.

Spear phishing has become a huge challenge for global enterprises to defend against. Clicking on these links can open an organization up to malware leading to data loss, identity theft and even ransomware, which can encrypt system data until a ransom is paid to the attacker.

Over the past few years, spear phishing has become a preferred method for cybercriminals to infiltrate organizations, with numerous large breaches that began by gaining user credentials via spear phishing. This blog lists 10 top spear phishing attacks, calling spear phishing the secret weapon in the worst cyberattacks. The same blog also points to a study of 300 firms in the US and UK — reporting that 38 percent of cyberattacks in the past 12 months came from spear phishing.

Third, we have the new trend which many are now calling “whaling,” since the bad guys are going after the biggest of fish in super-sized spear phishing attacks. As the FBI press release mentions above, the goal is: “to assume the identity of the CEO, a company attorney or trusted vendor.” This can happen in a variety of ways, including the use of company insiders who provide access to sensitive people, process or technology needed to succeed in the fraud.

How Can Enterprises Prepare?

So what can be done to lower the risk of whaling and other new social engineering techniques, which are sure to arise over the coming few years?

Here are five strategies to consider:

  • Train on security awareness and train staff again. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyber threats that are emerging. Remember, this is NOT just about clicking on links.
  • Provide a detailed briefing “roadshow” on whaling and the latest online fraud techniques to key staff. Yes — include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
  • Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
  • Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
  • Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.

Yes — you should test staff with occasional phishing exercises, but don’t just measure clicking of links. The bad guys know that links set off alarms for many, so many of the biggest whaling incidents do not include clicking on links.

The enemy wants to gain staff trust, and they often include a combination of techniques to get employees to eventually take action.

Ask your staff: “What would you do if you were an outsider trying to gain access?”

Final Thoughts

As we develop new protections and alerts, the bad guys will adapt again and again. This is an ongoing cyber battle. In my view, whaling is “phishing 3.0.” There will be a 4.0 and a 5.0, to attempt to infiltrate organizational processes.

Are you prepared?

Do you have an ongoing security awareness training program?

The main thing is to continually educate staff to understand these new cyber threats and evolving risks faced every time we go online. The huge ongoing challenge is to continue to guide and enable staff to innovate, increase efficiency and reduce bureaucracy, while at the same time demonstrate a healthy, well-informed view of risks and online fraud. They also need to know what to do if they suspect inappropriate actions or a scam.

As Abraham Lincoln said in a letter written back in 1848: “You cannot fail in any laudable object, unless you allow your mind to be improperly directed.”

Note: An earlier version of this article was published on Government Technology.

Copyright 2010 Respective Author at Infosec Island
Android N Deprecating Crypto Provider and SHA1PRNG Algorithm
https://www.infosecisland.com/blogview/24773-Android-N-Deprecating-Crypto-Provider-and-SHA1PRNG-Algorithm.html
Mon, 13 Jun 2016 12:38:05 -0500

The Android N operating system version will no longer use the Crypto provider and the SHA1PRNG algorithm, Google announced.

Google’s plan to modify the key derivation function (KDF) in Android is triggered by the company’s attempt to improve the cryptography features of the platform. Developers with applications that derive keys using the SHA1PRNG algorithm from the Crypto provider need to be looking for another key derivation function and possibly re-encrypt data, Sergio Giro, software engineer, Google, says.

Giro explains that the Java Cryptography Architecture employed by Android allows developers to create an instance of a class like a cipher, or a pseudo-random number generator, using different calls. However, while Google doesn’t recommend specifying the provider, there are calls to the Java Cryptography Extension (JCE) APIs that specify it, and many apps rely on the “Crypto” provider for an anti-pattern of key derivation.

According to Giro, the provider only offered an implementation of the SHA1PRNG algorithm for instances of SecureRandom, and this algorithm is not cryptographically strong. In fact, researchers have demonstrated that the “random” sequence, considered in binary form, is inclined towards returning 0s, and this worsens depending on the seed.

“As a result, in Android N we are deprecating the implementation of the SHA1PRNG algorithm and the Crypto provider altogether,” Giro says. “A common but incorrect usage of this provider was to derive keys for encryption by using a password as a seed. The implementation of SHA1PRNG had a bug that made it deterministic if setSeed() was called before obtaining output,” he adds.

The bug consists of deriving the key from a password that is used as seed, and then using the ‘random’ output bytes for the key. However, ‘random’ in this context would be ‘predictable and cryptographically weak’, Giro notes. Next, the key is used for the encryption and decryption of data.

The engineer says that there are different ways to derive keys correctly, and even offers a full example of that. For developers who need to transition data that was encrypted with an insecure key, an example app is available, with a helper class specifically created for such situations. “You can then re-encrypt your data with a securely derived key as explained above, and live a happy life ever after,” Giro notes.
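The anti-pattern and a correct password-based derivation side by side, as an added example that is not Giro's or Google's code: PBKDF2 with a random salt replaces the seeded SHA1PRNG, and the salt and IV are stored with the ciphertext. The class name, iteration count, sizes and sample strings are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyDerivationExample {
    // Parameters assumed for this example; tune ITERATIONS to the slowest target device.
    static final int SALT_BYTES = 16, IV_BYTES = 12, TAG_BITS = 128, KEY_BITS = 256;
    static final int ITERATIONS = 100_000;

    /** Anti-pattern described in the article, shown only for comparison. */
    static byte[] insecureKeyFromSeed(String password, int keyBytes)
            throws GeneralSecurityException {
        // Throws NoSuchProviderException wherever the "Crypto" provider is absent.
        SecureRandom prng = SecureRandom.getInstance("SHA1PRNG", "Crypto");
        prng.setSeed(password.getBytes(StandardCharsets.UTF_8));
        byte[] key = new byte[keyBytes];
        prng.nextBytes(key); // the "random" bytes are a fixed function of the password
        return key;
    }

    /** Password-based key derivation: PBKDF2 over the password and a per-blob salt. */
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            return new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    /** Returns salt || iv || ciphertext+tag, so decryption needs only the password. */
    static byte[] encrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        SecureRandom random = new SecureRandom(); // no algorithm, no provider, no seed
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(salt);
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt),
                new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(salt.length + iv.length + ct.length)
                .put(salt).put(iv).put(ct).array();
    }

    static byte[] decrypt(char[] password, byte[] blob) throws GeneralSecurityException {
        int header = SALT_BYTES + IV_BYTES;
        if (blob.length < header + TAG_BITS / 8) {
            throw new GeneralSecurityException("blob too short");
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(blob, SALT_BYTES, header);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt),
                new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(blob, header, blob.length - header);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed sample passphrase".toCharArray();
        byte[] secret = "constructed sample record".getBytes(StandardCharsets.UTF_8);

        byte[] blob1 = encrypt(password, secret);
        byte[] blob2 = encrypt(password, secret);
        System.out.println("round trip ok: " + Arrays.equals(secret, decrypt(password, blob1)));
        System.out.println("fresh salt and IV per blob: " + !Arrays.equals(blob1, blob2));
        try {
            decrypt("wrong passphrase".toCharArray(), blob1);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password rejected by the GCM tag check");
        }
        try {
            insecureKeyFromSeed("constructed sample passphrase", KEY_BITS / 8);
        } catch (GeneralSecurityException e) {
            System.out.println("legacy derivation unavailable: " + e.getClass().getSimpleName());
        }
    }
}
```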

To ensure that applications continue to work, Google is keeping the Crypto provider in the Android SDK version 23, for Marshmallow and earlier operating system iterations. However, developers are advised to move away from the provider, as it will be completely deleted from the SDK in the future.

“Because many parts of the system assume the existence of a SHA1PRNG algorithm, when an instance of SHA1PRNG is requested and the provider is not specified we return an instance of OpenSSLRandom, which is a strong source of random numbers derived from OpenSSL,” Google’s engineer also explains.

The deprecation of the Crypto provider is yet another step Google is making toward improved user data security in Android, after it announced that full device encryption was mandatory for new devices in Android Marshmallow. Earlier this year, the company revealed that it was performing 400 million Android security scans daily to ensure the safety of its users.

Microsoft Blocks Certain Passwords
https://www.infosecisland.com/blogview/24772-Microsoft-Blocks-Certain-Passwords.html
Fri, 10 Jun 2016 08:25:19 -0500

Microsoft recently took a unique step and began disallowing certain common passwords on a number of platforms, including Xbox Live and Office 365, and will soon apply the rules to Azure Active Directory in the cloud. The starting point for the Microsoft list was the SplashData annual “Worst Password List” and includes such gems as “12345,” “qwerty” and “password.” Users attempting to provide one of these as a password are met with a warning “Choose a password that’s harder for people to guess” and are forced to come up with something more inventive and, hopefully, more secure.

While this initiative by Microsoft should certainly help stop individual user accounts from being hacked, it does not really accomplish anything for the large population of corporate users authenticating to the company network. A few versions ago, Microsoft implemented fine-grained password controls in Active Directory, which was thought of as a huge advantage, since different types of users in the organization could have different levels of requirements for passwords. For example, a sales person may be required to use an eight-character password with two special cases (i.e. capital letter, lower case, number and special character), while a systems administrator may be required to use a 12-digit password with three cases. Other items that could be varied by group included password history and minimum and maximum password age.

This was a step in the right direction, but did not prevent people from using simple words to fulfill the requirements, or prevent them from incrementing – using “Password.1” and then “Password.2” and so on. It also did not prevent users from utilizing the company name, their name, etc. As long as the password complied with the basic criteria, it would be accepted.

There are commercially available applications that address this issue for the corporate network and, at the same time, provide a user-friendly graphical user interface (GUI) that shows users whether the password they are typing complies with the complex rules. For example, rules can be set to disallow use of repeating characters and incrementing, as well as any number of special cases, including a dictionary of specific, excluded words.
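The rule types mentioned above (excluded-word dictionary, incrementing, repeated characters), as an added example that is not Microsoft's or any vendor's code. The word list, limits, class and method names are assumptions, and the previous password is assumed to be available in clear because the user supplies it during a change.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class PasswordRulesExample {
    // Constructed exclusion dictionary: common passwords plus an assumed company name.
    static final List<String> EXCLUDED =
            Arrays.asList("password", "qwerty", "12345", "examplecorp");
    static final int MAX_RUN = 2; // assumed limit on identical consecutive characters

    /** Lower-case and drop separators so "Pass.word" still matches "password". */
    static String normalize(String s) {
        return s == null ? "" : s.toLowerCase(Locale.ROOT).replaceAll("[^a-z0-9]", "");
    }

    /** Strip the trailing counter and punctuation: "Password.2" becomes "password". */
    static String stem(String s) {
        return s == null ? "" : s.toLowerCase(Locale.ROOT).replaceAll("[^a-z]+$", "");
    }

    static int longestRun(String s) {
        int best = 0, run = 0;
        for (int i = 0; i < s.length(); i++) {
            run = (i > 0 && s.charAt(i) == s.charAt(i - 1)) ? run + 1 : 1;
            best = Math.max(best, run);
        }
        return best;
    }

    /** Returns every rule the candidate breaks; an empty list means it is accepted. */
    static List<String> violations(String candidate, String previous, String accountName) {
        List<String> out = new ArrayList<>();
        String norm = normalize(candidate);
        for (String word : EXCLUDED) {
            if (norm.contains(word)) {
                out.add("contains excluded word '" + word + "'");
            }
        }
        String account = normalize(accountName);
        if (!account.isEmpty() && norm.contains(account)) {
            out.add("contains the account name");
        }
        // Same stem as the old password means only the suffix was changed.
        String candidateStem = stem(candidate);
        if (previous != null && !candidateStem.isEmpty()
                && candidateStem.equals(stem(previous))) {
            out.add("increments the previous password");
        }
        if (longestRun(candidate) > MAX_RUN) {
            out.add("repeats a character more than " + MAX_RUN + " times in a row");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed samples: {candidate, previous password, account name}.
        String[][] samples = {
            {"Password.2", "Password.1", "jsmith"},
            {"ExampleCorp2016!", "Winter#Harbor9", "jsmith"},
            {"Jsmith-Rocks-77", "Winter#Harbor9", "jsmith"},
            {"Blueee-Heron-41", "Winter#Harbor9", "jsmith"},
            {"Tidal-Heron-Walks-41", "Winter#Harbor9", "jsmith"},
        };
        for (String[] s : samples) {
            List<String> v = violations(s[0], s[1], s[2]);
            System.out.println(s[0] + " -> " + (v.isEmpty() ? "accepted" : "rejected: " + v));
        }
    }
}
```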

When coupled with a self-service reset password application, turning on complex passwords for an organization can be relatively pain free and not place additional burden on the IT department or the helpdesk. The applications function much like a banking website: Users enroll via a series of selectable challenge questions and provide answers. Should they forget their complex password, they can reset it on their own from either a website or a “Forgot My Password” link on the Windows login screen.

The steps Microsoft is making are definitely a move in the right direction to protect users from potential social hacking with easily guessable passwords. Applications like a password complexity manager and self-service reset password can help protect enterprises from the same issue without increasing the workload on the IT department. Hopefully when next year’s list of worst passwords is released, it will be significantly shorter, or at least contain something more difficult to guess than “password.” 

Google Kills SSLv3, RC4 Support in Gmail IMAP/POP
https://www.infosecisland.com/blogview/24770-Google-Kills-SSLv3-RC4-Support-in-Gmail-IMAPPOP.html
Tue, 07 Jun 2016 16:11:25 -0500

Google on Monday announced that Gmail IMAP/POP mail clients will no longer offer support for SSLv3 and RC4 connections after June 16, 2016.

The announcement follows last month’s reveal that Gmail SMTP will kill SSLv3 and RC4 support on June 16, 2016. However, the change will be rolled out gradually for Gmail IMAP/POP and it could take as long as 30 days for some users to be fully restricted from accessing Gmail via connections that still rely on SSLv3 or RC4.

Since last year, the company has been working on deprecating the two protocols in its products, mainly because of their obsolete status. SSLv3, which was defined in 1996, was deemed insecure in 2014 because of the POODLE attack, which affects all block ciphers in SSL and, researchers believe, impacts TLS too. RC4, which has been around since 1987, is still widely used in TLS connections, but attacks against it are becoming more practical and feasible than ever.

According to Google, all those relying on Gmail IMAP/POP should steer clear of the two security protocols as soon as possible, which would ensure that they won’t experience disruption. Most email clients already favor modern TLS connections over outdated ones, meaning that most users out there won’t be impacted by the change, Google says.

The effect of the newly announced modification is that, after June 16, IMAP and POP clients using the outdated SSLv3 or RC4 protocols will gradually no longer be able to connect with Google’s mail servers. In the long run, Google is planning on deprecating SSLv3 and RC4 across all of its products. The company encourages admins to proactively update to TLS clients “as a best practice.”

Google says that most Google Apps customers have already stopped using IMAP or POP clients that connect to mail servers using SSLv3 and RC4. Admins with mail clients that only support SSLv3 and RC4 are encouraged to update them, because users may see connection errors when attempting to connect to Gmail from mail clients still using the two standards.

Earlier this year, researchers revealed another vulnerability that affects SSL and TLS services, including HTTPS, namely DROWN. Although only 5% of the affected cloud services patched the flaw within the first week after it was disclosed, DROWN wasn’t seen as a highly-impactful issue, mainly because its exploitability is non-trivial or impossible.

RC4, which became highly popular mainly because of its simplicity, as F5 Networks evangelist David Holmes noted in a SecurityWeek column in November, is being deprecated by other tech companies as well, including Mozilla’s Firefox browser.

BadBlock Ransomware Encrypts Windows System Files
https://www.infosecisland.com/blogview/24769-BadBlock-Ransomware-Encrypts-Windows-System-Files.html
Mon, 06 Jun 2016 10:26:08 -0500

A new ransomware threat goes beyond encrypting users’ personal files and holding them for ransom.

Dubbed BadBlock, the new ransomware doesn’t stop at encrypting the user’s photos, videos, and images, but does the same for Windows system files as well, which ultimately results in the computer being no longer usable. Executables that are required for the Windows operating system to start are also targeted, meaning that a reboot after the infection could prove catastrophic.

Unlike typical ransomware families, BadBlock advertises its presence on the computer before completing the encryption process, which means that users can actually launch Task Manager and kill the badransom.exe process to stop the encryption, Bleeping Computer’s Lawrence Abrams explains.

What users would want to avoid, however, is to restart their computers, given that the operating system might have been already compromised. Luckily, a free decryption tool for this ransomware is already available, allowing victims to restore their files. Released by Fabian Wosar of Emsisoft, the utility uses brute force to determine the decryption key.

According to researchers, the BadBlock ransomware is both poorly coded and horribly designed, as it can also trash the victim’s system. What’s more, the malware authors ask for a 2 Bitcoin ransom from their victims, which is roughly twice the amount that other ransomware families typically demand.

At the opposite end of the ransom amount spectrum is a malware called Black Shades Crypter, which asks for only $30 to decrypt files. The ransomware allows users to pay either by Bitcoin or PayPal, appends the .silent extension to encrypted files, and targets both English and Russian speaking users, researchers say.

What makes this ransomware stand out, however, is the fact that its code includes strings designed as taunting messages for the researchers trying to analyze the threat. Some of these are base64 encoded, others use basic string manipulation that is easily decoded, but the general idea is the same: the malware authors claim that their malicious program cannot be cracked.

In March, the authors of a ransomware variant based on the EDA2 educational ransomware also started bragging about their ability to infect computers and suggested they would never get caught. Because EDA2 had a backdoor and because the cybercriminals bragged about their superior skills, the security community was quick to respond and neutralized the threat within a few days.

The Black Shades ransomware is supposedly distributed as fake videos, fake cracks, or fake patches and no free decryption tool is available for its victims as of now. However, the malware can be prevented from encrypting users’ files by denying it access to the website icanhazip.com (by pointing it to 127.0.0.1 instead). The malware also needs Internet access to send computer name, user name, key, execution time, and other information to the command and control (C&C) server.

Using AES-256 encryption, Black Shades encrypts files in all folders on the hard disk, but targets only specific directories on the C: drive, thus ensuring that the infected system and the applications installed on it remain functional. After completing the encryption process, the malware points users to the payment website and attempts to delete itself from the infected machine.

Over the past several months, ransomware has become one of the largest cyber threats out there, and the proliferation of the ransomware-as-a-service (RaaS) business model helped in this regard. RaaS lets virtually anyone be a cybercriminal, and individuals interested in engaging in ransomware distribution need little more than script kiddie abilities.

Why Is There a Shortage of Security Talent?
https://www.infosecisland.com/blogview/24768-Why-Is-There-a-Shortage-of-Security-Talent.html
Fri, 03 Jun 2016 07:03:24 -0500

Regardless of the statistic you use, there is no doubt that there is a shortage of security professionals.

There is no stampede for new grads to become security experts, even though it is a financially rewarding career. We have to ask ourselves why this is the case.

  • Is it difficult to learn the tech?
  • Is the job just plain boring, as each day involves the same issues?
  • Is the long term prognosis for career development not positive or promising?
  • Do they not get respect from their peers?

The relatively few security experts today are moving from company to company for higher salaries. It is almost as if they are as mobile as a professional sports league.

At the entry level, there is no doubt that the technology is difficult to comprehend. It is not as if there are basic principles to master, as you would find in a standard engineering discipline. Cybersecurity requires “on the job” learning, especially since there are many different and esoteric ways security breaches occur. We need formal techniques to help build expertise. There are some good examples at both the college and industry level. Without more accessible opportunities such as these, true security proficiency will be hard to find at the entry level.

For many security analysts, the job is plain boring and repetitive. You tackle the same issues day in and day out, the same kinds of false positives, similar mistakes by employees, etc. The only way to get better is to build tools and processes, and, let’s face it, who enjoys writing process documents? There must be ways to make the role more interesting, productive and effective in order to attract and retain top talent. Analysts should not have to deal with false positives; the systems should automatically be able to deal with them! And we’re getting there, with newer solutions offering orchestration and automated response to help with reducing alerts.

From a career standpoint, if you are a developer, a product manager, a sales manager or in a variety of other roles, you can become a leader, a CEO, or run a division. Unfortunate as it may be, there are not many great examples of a CISO leading a company. It may be possible, but the current statistics don’t demonstrate a trend. The CISO role is one of prevention, not growth. Those roles do not usually build charismatic leaders. Do you recall any good defensive-minded military commanders? Yes, you will need to exclude some of the best Vietnamese leaders.

Security teams believe users are the weakest link and employees think security teams are there to prevent them from doing their job. Neither side is right, but that is the perception. If security teams have the tools to help users figure out where they are making mistakes that could compromise security, it will go a long way in helping to build trust within the organization. Users will become more aware. Users will feel they have a role in security. That will also make the security team’s job easier and more fulfilling.

None of these problems are easy to solve. But they need to be addressed if we want to make security a strength, not a weakness. Embracing new technologies that help intelligently automate parts of security to provide overwhelmed security teams a hand is a start. But in the long run, bigger changes to security strategies will need to take place. Everyone in a company needs to be responsible for security, not just the CISO.

Backdoor Abuses TeamViewer to Load Malicious Library
https://www.infosecisland.com/blogview/24766-Backdoor-Abuses-TeamViewer-to-Load-Malicious-Library.html
Mon, 30 May 2016 09:04:00 -0500

Malicious programs have been long known to abuse TeamViewer to gain unauthorized access to infected machines, and a new piece of malware leverages the popular remote control tool in new ways, security firm Doctor Web has discovered.

Dubbed BackDoor.TeamViewer.49, the new Trojan was discovered by Dr. Web and Yandex earlier this month being distributed via a fake Flash Player update. The bogus update package, however, turns out to be a different malicious application called Trojan.MulDrop6.39120, which acts as a dropper, Dr. Web researchers say.

After landing on the target machine, the MulDrop6 Trojan installs the actual Flash Player, while also displaying a legitimate installation window for the popular plugin. In the background, however, the Trojan also covertly downloads TeamViewer, BackDoor.TeamViewer.49, and a necessary configuration file onto the compromised system. 

The newly observed BackDoor.TeamViewer.49 doesn’t leverage TeamViewer to get access to the user’s computer, since it has already managed to infiltrate the machine. As soon as the remote control app has been launched, the backdoor removes its icon from the Windows notification area, disables error reporting, and implements a mechanism that prevents it from being restarted.

The Trojan uses various internal functions of TeamViewer’s process and also abuses the fact that the application calls for a library called avicap32.dll. By creating a malicious library with the same name in the application’s folder, malware authors can have it automatically loaded into memory when TeamViewer launches.

The backdoor saves operational parameters in the configuration file and registers itself to autorun, which allows it to operate in an infinite loop. It then hides its download folder, the malicious library, and the configuration file, while also assigning them the “system” attributes. If it fails, the Trojan starts removing the TeamViewer keys from the system registry.

Responsible for the backdoor’s malicious activity is an encrypted library hardcoded in the Trojan's body, which contains names of the servers from which instructions can be delivered. The Trojan can execute several commands on the infected machines and uses encryption when communicating with the server.

Doctor Web researchers say that the backdoor’s main functions are “to establish connection to the server (including authorization to it) and to redirect traffic from the server to the specified remote server via the infected computer.” This approach allows cybercriminals to remain anonymous on the Web when connecting to remote servers, because they can use infected computers as proxy servers.

TeamViewer has already published a statement on this issue, explaining that it is not a TeamViewer security breach, but a scenario in which a piece of malware abuses TeamViewer’s legitimate software. The real problem here is that, once it has infiltrated a computer, a malicious program allows perpetrators to virtually do anything.

"The perpetrators spread TeamViewer through a malware. This does not make TeamViewer a malware or vulnerable program. In fact, this procedure can be applied to any number of legitimate programs such as TeamViewer," the statement reads.

In February, CrowdStrike’s 2015 Global Threat Report revealed that TeamViewer malware has been used in cyber espionage operations. However, malicious programs intended solely for criminal purposes are abusing this legitimate application as well, including the Cherry Picker POS malware that was detailed in November last year.

*Updated to mention TeamViewer's statement.

2016 SecurityWeek CISO Forum to Take Place on June 1-2 at Half Moon Bay
https://www.infosecisland.com/blogview/24765-2016-SecurityWeek-CISO-Forum-to-Take-Place-on-June-1-2-at-Half-Moon-Bay.html
Thu, 26 May 2016 12:15:00 -0500

SecurityWeek’s 2016 CISO Forum will take place on June 1-2, 2016 at the Ritz Carlton, Half Moon Bay.

This invitation-only, high level event will bring together security leaders to discuss, share and learn information security strategies in an intimate environment. 

“SecurityWeek’s CISO Forum was specifically designed to bring together senior level security executives in an intimate environment for the ultimate exchange of knowledge and insights,” said Mike Lennon, Managing Director at SecurityWeek. “Our invite only approach ensures an ideal mix of enterprise security leaders who can learn from each other and gain knowledge of strategies, tools and techniques to better defend their enterprises.”

Select sessions at the 2016 CISO Forum include:

  • The State of Endpoint Security
  • In-CISO-mnia - What Keeps Security Leaders up at Night?
  • Eliminating The Attack Surface Inside Data Centers & Clouds
  • Maximizing the Value of Threat Intelligence
  • Playing Cyberwar Games to Win 
  • Blockchain as an Enterprise Security and Compliance Tool
  • Using Machine Learning for Next Generation Cyber Defense
  • Reporting Security and Risk Management to the Board - Moderated by Gartner's Ash Ahuja

Interested enterprise cybersecurity and risk management professionals may request a complimentary invitation by visiting: http://www.cisoforum.com/

Following the 2016 CISO Forum, delegates will have the option to play in the 3rd Annual SecurityWeek Golf Classic, taking place on the afternoon of June 2nd at the Ocean Course at Half Moon Bay.

Sponsors for the 2016 CISO Forum include Illumio, SentinelOne, FireEye, Darktrace, Digital Shadows, SafeBreach, Vera, Cavirin and CA Technologies.

Avoiding Ransomware with Strong Endpoint Security
https://www.infosecisland.com/blogview/24764-Avoiding-Ransomware-with-Strong-Endpoint-Security.html
Thu, 26 May 2016 06:00:37 -0500

Ransomware attacks are growing in volume and sophistication—now not only damaging corporate data, but harming operations, reputations and finances as well. The FBI reported that it received over 900 complaints related to ransomware attacks, and the attacks ultimately resulted in more than $18 million in losses between April 2014 and June 2015.

By weaponizing encryption, ransomware attackers can debilitate basic operations and run up costs each day the organization isn’t able to do business. Organizations are often forced to quickly pay ransoms to get basic operations running again. Hollywood Presbyterian Medical Center made headlines back in February when the organization was forced to pay $17 thousand in Bitcoin to recover data that was encrypted during a ransomware attack. Paying the ransom was the fastest way for the medical center to restore administrative functions.

Victims of ransomware attacks can pay the ransom and hope that law enforcement will catch the attackers, but lately, police departments have also been targeted. Last year, a police department in Massachusetts fell victim to CryptoLocker, a well-known ransomware virus that was able to encrypt essential files. The police department had to pay the $500 ransom to recover their files, even after the FBI spent four days trying to help.

As ransomware becomes the latest epidemic in the cybersecurity space, a new report (PDF) from the Institute for Critical Infrastructure Technology (ICIT) notes that poor endpoint security practices are to blame for the rise in successful attacks. The report says that ransomware typically enters systems through vulnerabilities in the host operating system, but the code to exploit the ransomware is delivered via malicious email attachments and drive-by downloads.

High-value vulnerable endpoints that exist within the enterprise include servers, personal computers, and mobile devices. Servers are highly targeted by attackers, since they are essential to keeping business operations running. Personal computers and mobile devices with poor endpoint security pose a threat to organizations with BYOD policies because an infected personal device can infect an entire corporate network. Unlike other types of malware, ransomware relies on user interaction to be successful.

The first line of defense against ransomware attacks is end users, but uneducated end users can leave networks vulnerable to ransomware attacks. Organizations can spend time educating their employees about how ransomware is executed, and how attackers typically target employees. Because ransomware can be leveraged through malicious code sent via email, employees should know to only open email attachments from trusted sources.

IT security teams can also blacklist untrustworthy email servers and website domains as an added precaution, but this isn’t enough to protect from ransomware. Back in March, ads on trusted news websites like the BBC and the New York Times were hijacked by malware campaigns that tried to install ransomware onto user computers. Because even trusted websites aren’t entirely trustworthy, security teams should regularly monitor networks for suspicious activity. Continuous monitoring can help organizations catch ransomware before it’s executed and causes damage.

Another way organizations can protect their data from ransomware attacks is by regularly making backups. Large corporations should have no trouble dedicating time and resources to creating data backups, but this task can be difficult for smaller enterprises. Smaller organizations lacking time, resources, and technical knowledge can choose to use a third-party cloud service to store their data. Unfortunately, cloud service providers aren’t immune to ransomware attacks, and are often targeted because they store troves of data, and their business model is dependent on providing subscribers uninterrupted access to that data.

Some organizations opt to get the best of both worlds by adopting a hybrid cloud environment, where data is stored on private and public cloud services. Because the public and private cloud infrastructures function independently of each other, a ransomware attack on one isn’t likely to affect the other.

To best defend against ransomware, users must ensure that their machines remain up to date with the latest patches and security updates. If you fall victim to ransomware, you are either going to have to pay to get your files unlocked, or lose them forever. Don’t fall victim to these thieves: ensure you are backing up your files each day in case you have to restore the machine.

Ransomware attacks threaten all systems that are connected to the Internet, which makes it increasingly harder for organizations to not invest in good endpoint security practices. Left unaddressed, ransomware can rapidly spread to endpoints across the enterprise. Good endpoint security practices are essential to keeping ransomware from compromising critical information and potentially risking long-term damage to an organization’s brand.

About the author: Dean Dyche is World Wide Senior Director of Sales Engineering at Promisec, a pioneer in endpoint detection and response, and a leader in the Endpoint Detection and Response (EDR) market defined by Gartner. Promisec’s patented, agentless technology assures users that their endpoints are secure, audits are clean, regulations are met and vulnerabilities are addressed proactively to ensure the integrity of enterprise IT. 

Making the Most of User Entity Behavior Analytics: Expectations, Features and Best Practices
https://www.infosecisland.com/blogview/24763-Making-the-Most-of-User-Entity-Behavior-Analytics-Expectations-Features-and-Best-Practices.html
Tue, 24 May 2016 05:43:06 -0500

User Entity Behavior Analytics (UEBA) has recently emerged as an advanced approach to detecting cyber threats. UEBA solutions leverage machine learning to surface threats and, in many instances, do so much faster than legacy SIEMs or other solutions can. They zero in on anomalous events with great accuracy.

If this description reminds you of other analytics tools, that’s no coincidence. User behavior analytics has materialized as a security-specific application of the same basic principles involved in all smart business analytics.

How does it work? What should I expect from UEBA?

First, UEBA solutions collect information emerging from many nodes in the network. The best solutions will collect data from network devices, systems, applications, databases and users. Using this data, they then create a baseline to determine what normal means under different conditions.

Once the baseline is established, UEBA solutions continue to aggregate data, looking for patterns that are deemed not normal. These determinations assess just how, and how much, a new event is unusual in context, and prioritize the event’s significance and possible business impact. Custom rules typically can also be created by user behavior analytics administrators to tailor the solution more closely to the organization and its unique services, data, and processes.

One important principle to understand is that UEBA addresses anomalous behavior much more than infrastructure events in general. This focused approach helps address some of the most puzzling issues organizations face today:

  • Determining when a valid privileged account has been compromised
  • Surfacing insider threats
  • Determining when a system or application has been compromised

Key Features of UEBA: What to Look for in Vendor Solutions

Many vendors have begun claiming UEBA capabilities in their products, and there is a small, but growing number of what I call true UEBA providers. These vendors' products all function in a similar way. Essentially, they are all built on a platform with a core engine running proprietary analytics algorithms that takes in data feeds from existing sources and analyzes the data. The tools then display their findings in a user dashboard. The goal is to provide information security and IT professionals with actionable information to address the threats.

At present, most of these tools don't actively respond to threats themselves, but merely provide security operators with the insight to determine whether action should be taken and the ability to orchestrate such action. Platforms available today will likely continue on a path to integrate with firewalls, endpoints, and other network nodes to enable automated response within the next year.

Security analytics algorithms are the "secret sauce" that command these platforms. When assessing UEBA platforms, security professionals should be sure to ask for details of how these algorithms work. Many vendors will claim that this is their intellectual property. However, if the vendor has an insider threat model, ask if the model is based on specific events and/or flow messages such as logins and data access from devices, applications and hosts with set thresholds. If it is, this likely isn’t machine learning, but pre-configured correlation rules. This is an easy way to determine whether the vendor is just marketing machine learning or actually has machine learning in their solution. Other important differentiators between UEBA products include the following:

  • Supported data sources – These are the types of data the tool integrates with, including the supported formats (CSV, Excel, databases, etc.) and types of log files (from hosts, applications, routers, firewalls, VPNs, file systems, and even big data solutions such as Hadoop). Ask about whether or not these are built-in pre-existing integrations or if these require professional services to build. Seek to understand if the UEBA solution only collects basic event and flow data or goes beyond to capture more details. If the former, there may be critical user, system, and application data that is left behind because, unfortunately, logs and flow don’t always contain all the activity. Lastly, consider if it is possible to configure these data sources directly from the platforms’ user interface.
  • Partnerships – A wide array of vendor partnerships tends to provide a measure of just how credible the tool is and how well it is integrated.
  • The time it takes to establish a baseline – This relates to whether the tool establishes the baseline in an entirely automated and dynamic fashion, or requires the manual input of a user to tune and tweak it. Some platforms make determinations based on just a few days of historical records; others can take weeks to about a month. Experience tells us that longer records tend to provide far more accurate baselines, because they can take into consideration seasonal variations, such as the end-of-quarter close, or another big event. However, some platforms have much more compute capacity available for running multiple advanced algorithms that can do a better job at dynamic learning and can improve the ability to surface threats more accurately.
  • Time to results (TTR) – Referring to how quickly after initial integration the solution begins to produce actionable threat results. There is no obvious metric here: A clear definition of results is delivering previously unknown insights around abnormal behavior following the initial configuration and establishment of a baseline.  Furthermore, some solutions claim they can do this in real-time—be sure to ask the vendor to define metrics around such claims, and if they provide a means to test such claims.
  • Dashboard flexibility – Understand if the UEBA platform was designed with the assumption that the dashboard operator would be a security analyst or manager or a less sophisticated user. Many UEBA tools can be customized to provide detailed or executive-level reporting.
  • Platform delivery – Understand how the platform is delivered. Most vendors typically offer an on-premises version of the product (either software-only or an appliance). Most vendors also offer a cloud-based version. One major challenge with cloud products is that UEBA platforms require close integration with many data sources that companies consider proprietary or sensitive (e.g., financial data feeds, HR systems, medical records, etc.) and don't wish to expose to the cloud. The exception here is if the UEBA platform vendors secure that data over an encrypted channel from the cloud to the premises. In the next few years sensitive data will increasingly move to the cloud, and so cloud-based delivery of UEBA is likely to become a more popular option for enterprises.

UEBA Best Practices: How to obtain optimal results

Basic best practices to get optimal results from your UEBA tools include:

  • Take both external and internal threats into account when choosing a UEBA solution.
  • Look for solutions that feature analytical strengths in areas important to your organization, such as insider threat and compromised credentials. Choose a solution that fully surfaces the threat, such as an insider taking intellectual property and emailing it out using their Hotmail or Gmail account.  Many UEBA platforms lack this basic ability.
  • Consider carefully which team members have access and who gets alerted.
  • Don’t assume standard accounts are harmless. Many attacks create a cascade effect, compromising assets in sequence to arrive finally at the control of a privileged account or escalation from an account without privileges.

UEBA platforms are very promising. In the near future, expect to see user behavior analytics platforms integrate more directly with infrastructure and with automated response. We are already seeing this with firewalls and other network devices that can be configured to take user behavior analytics-derived insight and create new traffic rules immediately, shutting down invasive threats long before human talent would even notice they’re there.

About the author: Brian Soldato is Director of Product Management for Seceon. A 17-year security technology veteran, Brian is responsible for driving Seceon’s product vision and strategy. Prior to Seceon, Brian led product management for various SIEM solutions, including Intel Security’s SIEM product line.

“EITest” Exploit Kit Redirection Campaign Running Strong

https://www.infosecisland.com/blogview/24762-EITest-Exploit-Kit-Redirection-Campaign-Running-Strong.html

Sun, 22 May 2016 20:39:00 -0500

A long-lasting website infection campaign meant to redirect users to exploit kits (EKs) such as Angler and Neutrino continues to run strong roughly a year and a half after being originally discovered.

Dubbed “EITest” because of a variable consistently found in injected code across infected websites, the infection campaign was initially described in October 2014, but continued to affect websites in 2015 as well. As it turns out, the campaign is still ongoing, with numerous websites still getting hacked and injected with code that redirects users to exploit kits.

In 2014, Malwarebytes explained that compromised websites were essentially injected with code for a Flash application that also packed a series of parameters to make it invisible to the user. The EITest variable was present in the code, hence the campaign’s name, and visiting IP addresses were flagged so that the redirection would occur only during the initial visit, thus making the website infection more difficult to detect.

In March this year, Rackspace security researcher Brad Duncan revealed that the campaign’s patterns for injected script remained almost unchanged, but that the URLs and variable names have changed over time. Today, the researcher says that, earlier this month, the EITest campaign also switched to redirecting users to the Neutrino EK. Usually, the campaign uses Angler, but Neutrino is also used from time to time, it seems.

According to Duncan, the EITest campaign has been using 85.93.0.0/24 for a gate between the compromised website and the EK ever since the beginning of this year. The TLD for these gate domains is either .tk or .co.uk, the latter emerging mainly this week.

The researcher was able to generate two full infection chains from the same compromised website, both pertaining to the EITest campaign: one redirected to Neutrino, which instead downloaded the Gootkit malware, while the other used Angler and dropped a 24 KB executable (which hasn’t been analyzed yet) as the payload.

The EITest gate observed in this particular case was true.imwright.co.uk, with the Neutrino EK hosted on ndczaqefc.anein.top, while the Angler EK was served from kmgb0.yle6to.top. The two infection chains occurred within 11 minutes of each other, the researcher says.
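A defender can turn the gate pattern reported above into a proxy-log check. The following is an added example, not code from the article or from the researcher: it flags requests whose destination falls in 85.93.0.0/24, rates them higher when the host also ends in .tk or .co.uk, and records the referring site as the likely compromised page. The log format, timestamps, client addresses, and every host and IP other than the range and true.imwright.co.uk are constructed.

```python
import ipaddress

GATE_NET = ipaddress.ip_network("85.93.0.0/24")  # gate range reported in the article
GATE_SUFFIXES = (".tk", ".co.uk")                # gate TLDs reported in the article

# Constructed log: time, client, destination host, destination IP, referring host.
# The IP shown for true.imwright.co.uk is a made-up address inside the reported range.
SAMPLE_LOG = """\
2016-05-20T14:01:07 10.0.0.21 www.example.com 192.0.2.10 -
2016-05-20T14:01:09 10.0.0.21 true.imwright.co.uk 85.93.0.10 www.example.com
2016-05-20T14:02:30 10.0.0.34 shop.example.co.uk 198.51.100.7 -
2016-05-20T14:03:11 10.0.0.34 cdn.example.net 85.93.0.77 -
2016-05-20T14:04:00 10.0.0.40 host.example.org not-an-ip -
"""


def classify(host, ip):
    """Return 'high', 'review' or None for one destination (raises ValueError on a bad IP)."""
    in_range = ipaddress.ip_address(ip) in GATE_NET
    tld_match = host.lower().rstrip(".").endswith(GATE_SUFFIXES)
    if in_range and tld_match:
        return "high"     # range and TLD both match the reported gate pattern
    if in_range:
        return "review"   # same range, different TLD: worth a manual look
    return None           # a .co.uk or .tk host elsewhere is not evidence on its own


def find_gate_hits(log_text):
    """Scan the log and return one dict per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue      # skip lines that do not fit the assumed format
        ts, client, host, ip, referer = fields
        try:
            level = classify(host, ip)
        except ValueError:
            continue      # unparseable destination address
        if level:
            hits.append({"time": ts, "client": client, "host": host,
                         "level": level, "referer": referer})
    return hits


if __name__ == "__main__":
    for hit in find_gate_hits(SAMPLE_LOG):
        print(hit)
```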

Duncan also explains that the test machine was running Adobe Flash Player 20.0.0.306, which is vulnerable to CVE-2016-1019, and that both Angler and Neutrino EK pack exploits for this vulnerability. As with other EK infections, the malicious payload is dropped in the background, while the user continues to browse the web, even if they access only legitimate websites (but which have been compromised).

Cybercriminals have long been looking to hack websites and abuse them in EK attacks, but users can stay protected by keeping their applications updated at all times and making sure that they have the latest patches for their Windows operating system installed. An up-to-date anti-virus program would also ensure that computers are not infected when running across such campaigns.

Baiting the Phishermen: When Companies Strike Back at Scammers (Do Not Try This at Home)

https://www.infosecisland.com/blogview/24761-Baiting-the-Phishermen-When-Companies-Strike-Back-at-Scammers-Do-Not-Try-This-at-Home.html

Mon, 16 May 2016 05:02:10 -0500

Dangerous computer hackers and internet scams do not always have to be complicated. With a simple ‘typo’ in a domain name, hackers can impersonate senior executives while attempting to trick employees into transferring money. This scam is a type of phishing known as whaling or business e-mail compromise (BEC). The scammer researches employees who manage money, then uses language from the company to target organizations that commonly work with foreign suppliers, or companies that regularly perform wire transfer payments. While the process is not complex, it has been effective for cybercriminals.

The Federal Bureau of Investigation stated that whaling has cost companies more than $2.3 billion in losses over the past three years. Since January 2015, the FBI has seen a 270% increase in identified victims and exposed loss. This has gone global, with law enforcement receiving complaints from victims in every U.S. state and in at least 79 countries.

Employees need to be reminded to pay attention to the details in emails, especially those asking for money. Hackers use tricks in the details of email URLs, for example, turning ‘i’s into ‘1’s and ‘l’s. If your employees receive an email like this, they should immediately get in touch with your organization’s security team to ensure the proper steps are put in motion. It is very likely that the scammer will try to extort money from more than one employee; acting fast will give your company a chance to turn the predator into the prey.

Security companies are not immune to such attacks, and our most recent attack serves as an example of what to do. The hackers did their research: they had my name and used it in an attempt to steal money from our company, Centripetal Networks. Luckily, as a threat intelligence company, our employees can quickly spot a phishing campaign. We not only took the steps necessary to protect ourselves, we took the opportunity to turn the tables on the scammer and see where it led.

On Monday, April 11th, a Centripetal Networks salesperson received an email claiming to be from CEO Steven Rogers, requesting an immediate wire transfer in the amount of $32,780. The email originated from a similar domain, with one spelling change: centripatalnetworks.com. Looking quickly, it is hardly noticeable and the email looks like I sent it. Due to our salesperson’s keen eye, he knew it was not me and instead forwarded it to our security team for analysis.

After ensuring the company network was safe and employees were aware of the attack, the security team planned to get to the root of the problem. Our security team alerted the Secret Service and then proceeded to engage the attackers in several email exchanges, gathering key information about the plan such as bank routing and account numbers, several user locations including Malaysia and Nigeria, and the name of an individual who was to receive the funds in Texas.

Of course, once engaged, our security team also set out to take down the operation that owned the misspelled domain name. What we found in doing this was a list of 77 other misspelled domains that the attackers had also commandeered.

It is never too late to remind employees about phishing emails and where to route suspicious finds. 

Steven Rogers, CEO of Centripetal Networks
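A mail gateway can automate the check the salesperson made by eye. The following is an added example, not code from the article or from Centripetal Networks: it compares a sender's domain with a list of protected domains and flags both the one-letter spelling change described above and the ‘i’/‘1’/‘l’ swaps. The legitimate domain spelling is inferred from the company name, and the 0/o mapping, the distance limit and the sample addresses are assumptions.

```python
# Assumed legitimate domain, inferred from the company name in the article.
PROTECTED = ["centripetalnetworks.com"]

# 'i', '1' and 'l' are the swaps the article mentions; 0/o is an added assumption.
CONFUSABLE = str.maketrans({"1": "i", "l": "i", "0": "o"})


def skeleton(domain):
    """Collapse visually confusable characters so look-alike spellings compare equal."""
    return domain.lower().rstrip(".").translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]


def check_sender(address, protected=PROTECTED, max_distance=2):
    """Classify a sender address as ok, lookalike-confusable, lookalike-typo or external."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in protected:
        return ("ok", domain)
    for legit in protected:
        if skeleton(domain) == skeleton(legit):
            return ("lookalike-confusable", legit)
        if edit_distance(domain, legit) <= max_distance:
            return ("lookalike-typo", legit)
    return ("external", None)


if __name__ == "__main__":
    # Constructed sender addresses; only centripatalnetworks.com appears in the article.
    for sender in ("ceo@centripetalnetworks.com", "ceo@centripatalnetworks.com",
                   "ceo@centr1petalnetworks.com", "billing@example.org"):
        print(sender, check_sender(sender))
```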
