Cyber Risk News
A series of cyber-robbery attacks have been targeting financial organizations in Eastern Europe, according to new research from Kaspersky Lab.
Researchers found that the series of attacks, dubbed DarkVishnya, have affected at least eight banks in the region, with estimated losses running into the tens of millions of dollars.
Based on data collected through Kaspersky Lab’s incident response observations in 2017 and 2018, researchers noted that in each attack, bad actors managed to smuggle an unknown and attacker-controlled device into a company building and directly connect it to the company’s local network.
The attackers were reportedly using one of three different types of devices, including a laptop, a Raspberry Pi (a single-board computer the size of a credit card) or a Bash Bunny (a specially designed tool for automating and conducting USB attacks). According to a press release, some of these devices are equipped with a GPRS, 3G or LTE modem, which the attackers use to remotely access the corporate network of the financial organization.
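The quote further down the piece notes that the smuggled devices "could not be found remotely", but a device that takes a DHCP lease still leaves a trace in the DHCP server's log. The following is an added example, not code from Kaspersky Lab or the article, that reads constructed ISC dhcpd-style DHCPACK lines and flags leases whose MAC is not in the asset inventory, whose OUI belongs to a single-board-computer vendor, or whose hostname is a default or missing one. The b8:27:eb prefix is the Raspberry Pi Foundation's registered OUI; the inventory, the 3c:52:82 "fleet" OUI, the hostnames and IPs are all invented for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed ISC dhcpd-style syslog lines for this example; not data from the
# Kaspersky report. Hostnames, IPs and all MACs except the b8:27:eb prefix
# are invented.
SAMPLE_DHCP_LOG = """\
Dec 06 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.5.31 to 3c:52:82:aa:bb:01 (TELLER-PC-031) via eth1
Dec 06 09:12:44 dhcp1 dhcpd: DHCPACK on 10.20.5.32 to 3c:52:82:aa:bb:02 (TELLER-PC-032) via eth1
Dec 06 09:15:09 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to b8:27:eb:12:34:56 (raspberrypi) via eth1
Dec 06 09:16:30 dhcp1 dhcpd: DHCPACK on 10.20.5.78 to 00:e0:4c:99:88:77 via eth1
"""

# Assumed asset inventory: every MAC the organisation has actually issued.
KNOWN_MACS = {"3c:52:82:aa:bb:01", "3c:52:82:aa:bb:02"}

# OUI (first three octets) to vendor. b8:27:eb is the IEEE-registered OUI of
# the Raspberry Pi Foundation; 3c:52:82 stands in for the corporate desktop
# fleet and is a hypothetical assignment in this example.
OUI_VENDORS = {
    "3c:52:82": "corporate desktop fleet (hypothetical OUI)",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Hostnames a freshly imaged single-board computer or an attacker's laptop
# typically announces; "" covers clients that send no hostname at all.
SUSPICIOUS_HOSTNAMES = {"raspberrypi", "kali", ""}

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def classify_lease(mac: str, host: Optional[str]) -> List[str]:
    """Return the reasons a lease looks unmanaged; an empty list means a known asset."""
    mac = mac.lower()
    reasons = []
    if mac not in KNOWN_MACS:
        reasons.append("MAC not in asset inventory")
    vendor = OUI_VENDORS.get(mac[:8])
    if vendor is None:
        reasons.append(f"OUI {mac[:8]} not on the approved vendor list")
    elif "Raspberry Pi" in vendor:
        reasons.append("single-board computer vendor (Raspberry Pi Foundation)")
    if (host or "").lower() in SUSPICIOUS_HOSTNAMES:
        reasons.append("default or missing hostname")
    return reasons


def find_rogue_devices(log_text: str) -> List[Dict]:
    """Parse DHCPACK lines and return one finding per lease that fails any check."""
    findings = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        reasons = classify_lease(m["mac"], m["host"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "mac": m["mac"].lower(),
                "host": m["host"] or "",
                "iface": m["iface"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_DHCP_LOG):
        print(f"{f['ip']:<14} {f['mac']}  {(f['host'] or '<no hostname>'):<16} "
              + "; ".join(f["reasons"]))
```

On the sample log the two teller PCs pass, while the Raspberry Pi lease and the anonymous lease on the same switch segment are reported with their reasons. Pairing the finding with the switch port that learned the MAC (from the switch's MAC table) tells the responder which floor to walk to; 802.1X or MAC-based port control would stop the device getting a lease in the first place.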
After establishing a connection, the threat actors try to gain access to the web servers so that they can steal the data they need to run remote desktop protocol (RDP) on a selected computer. If successful, they can then seize funds or data.
The method was fileless, and for remote execution it leveraged Impacket, winexesvc.exe or psexec.exe. During the final stage of the attack, the criminals used remote control software to maintain their control over the infected computer.
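The "legitimate utilities" that complicated the response all share one observable: each of them installs a service on the target to run its payload, which Windows records in the System log as Event ID 7045. The following is an added example, not code from the article or from Kaspersky Lab, that triages constructed 7045 records. It matches the service names PsExec (PSEXESVC) and winexe (winexesvc) register, and, because Impacket's psexec.py uses a randomly named service and binary, it also flags any service whose executable was dropped straight into the Windows directory (where the ADMIN$ share lands) and is not on a gold-image baseline. The hosts, paths, the ContosoBackupAgent entry and the baseline are invented for the example.

```python
import re
from typing import Dict, List

# Constructed Event ID 7045 ("A service was installed in the system") records
# from the Windows System log, reduced to the fields the rule needs. Hosts,
# paths and the ContosoBackupAgent entry are invented for this example.
SAMPLE_7045_EVENTS = [
    {"host": "TELLER-PC-031", "service": "ContosoBackupAgent",
     "path": r"C:\Program Files\Contoso\Backup\agent.exe", "account": "LocalSystem"},
    {"host": "TELLER-PC-032", "service": "PSEXESVC",
     "path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"host": "CASHDESK-07", "service": "winexesvc",
     "path": r"C:\Windows\winexesvc.exe", "account": "LocalSystem"},
    {"host": "SRV-FILE-02", "service": "XkDq",
     "path": r"C:\Windows\XkDq.exe", "account": "LocalSystem"},
]

# Service names the well-known tools register on the target host.
KNOWN_TOOL_SERVICES = {"psexesvc", "winexesvc"}

# Service binaries allowed to live directly in the Windows directory.
# Assumed baseline for this example; build yours from a clean gold image.
WINDOWS_ROOT_BASELINE = {"explorer.exe", "notepad.exe"}

# An executable sitting directly in the Windows directory, which is what a
# tool that copies its payload over the ADMIN$ share produces.
WINDOWS_ROOT_RE = re.compile(
    r"^(?:%SystemRoot%|[A-Z]:\\Windows)\\(?P<exe>[^\\]+\.exe)$", re.IGNORECASE
)


def triage_service_install(event: Dict) -> List[str]:
    """Return the reasons a 7045 record looks like remote-execution tooling."""
    reasons = []
    known_tool = event["service"].lower() in KNOWN_TOOL_SERVICES
    if known_tool:
        reasons.append(f"known remote-execution service name {event['service']}")
    m = WINDOWS_ROOT_RE.match(event["path"])
    if m and m["exe"].lower() not in WINDOWS_ROOT_BASELINE:
        reasons.append("service binary dropped directly into the Windows directory (ADMIN$)")
        # Heuristic for Impacket-style tooling: a short random-looking service
        # name whose binary carries the same name.
        if (not known_tool
                and re.fullmatch(r"[A-Za-z]{4,8}", event["service"])
                and m["exe"].lower() == event["service"].lower() + ".exe"):
            reasons.append("short random-looking service name matching its binary")
    return reasons


def triage_service_installs(events: List[Dict]) -> List[Dict]:
    """Apply triage to every record; keep only those with findings."""
    out = []
    for ev in events:
        reasons = triage_service_install(ev)
        if reasons:
            out.append({**ev, "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in triage_service_installs(SAMPLE_7045_EVENTS):
        print(f"{hit['host']:<14} {hit['service']:<20} {hit['path']}")
        for r in hit["reasons"]:
            print("    -", r)
```

The rule is deliberately name-agnostic for the third case: renaming psexec.exe does not change where its service binary lands. Correlate a hit with the Security log's network logon (4624, logon type 3) from the same source address to recover the machine the rogue device was impersonating.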
“Over the past year and a half, we’ve been observing a completely new type of attacks on banks, quite sophisticated and complex in terms of detection,” said Sergey Golovanov, security expert at Kaspersky Lab, in the press release.
“The entry point to the corporate network remained unknown for a long time, since it could be located in any office in any region. These unknown devices, smuggled in and hidden by intruders, could not be found remotely. Additionally, the threat actor used legitimate utilities, which complicated the incident response even more.”
According to the EU GDPR (General Data Protection Regulation) Implementation Review Survey conducted by IT Governance, six months after the GDPR went into effect, the majority of organizations are failing to implement the mandatory regulations.
The study included 210 responses from participating organizations ranging in size from fewer than 10 to more than 1,001 employees from across industries. Participants were asked how far along they were in achieving GDPR compliance, and only 29% said they had implemented all of the necessary change.
Despite 59% of respondents stating that they are aware of the changes to data subject access requests (DSAR), only 29% actually have an adoption plan in place to address these changes, even though data subjects are able to file complaints that could result in fines if their DSAR is incorrectly managed.
Although respondents said they understood the ways in which the GDPR applies to their organizations, many expressed a lack of confidence in fully understanding how to implement changes. When asked whether they had completed implementation of the changes, 46.9% said yes while 45% had only partially implemented any changes. In addition, 5% responded no.
One area in which organizations have focused attention is with data flow audits, with 75% of respondents reporting that they have conducted these audits in some capacity. As part of a GDPR compliance project, organizations need to map their data and information flows in order to assess their privacy risks, according to an IT Governance press release.
“It is discouraging to see so many organizations understanding the GDPR and its applicability to their businesses but failing to comply. May 25 should have been the wakeup call, but it’s not too late to begin your compliance journey. The time is now,” commented Alan Calder, founder and executive chairman of IT Governance.
The GDPR has been in effect since May 25, 2018, and the regulations apply to all organizations that monitor the behavior of or offer goods and services to EU residents, regardless of the organization’s geographical location or where it processes data.
While there is room for improvement when it comes to implementing changes, research published by BitSight found that, despite “a steady decrease in security performance across all regions of the globe, organizations within continental Europe actually improved their security performance over the last year.
“Some of the areas that organizations have improved on include the implementation of stronger controls to reduce Internet exposed services (open ports). These improvements align well with the lead-up to the implementation of GDPR, and continue after the effective date.”
Researchers at Lancaster University in the UK and Northwest University and Peking University in China have found a way to get around CAPTCHA security with new artificial intelligence, according to research published in a paper titled Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach.
The research findings were presented at the ACM Conference on Computer and Communications Security (CCS) 2018 in Toronto.
“Text-based captchas are extensively used to distinguish humans from automated computer programs,” researchers wrote. “While numerous alternatives to text-based captchas have been proposed, many websites and applications still use text-based captchas as a security and authentication mechanism. These include the majority of the top-50 popular websites ranked by alexa.com as of April 2018, including Google, Microsoft, Baidu, and many others.”
Researchers asserted that their approach to an effective text CAPTCHA solver requires far fewer real CAPTCHAs but results in better performance. “We evaluate our approach by applying it to 33 captcha schemes, including 11 schemes that are currently being used by 32 of the top-50 popular websites including Microsoft, Wikipedia, eBay and Google. Our approach is the most capable attack on text captchas seen to date.”
Their approach consists of four steps, beginning with CAPTCHA synthesis, followed by preprocessing, training the base solver and fine-tuning the base solver.
“What makes some CAPTCHAs rise above these sophisticated attacks are not the CAPTCHAs or challenges themselves, but the risk assessment behind the challenge,” said Shane Martin, software consultant of customer success at NuData Security, a Mastercard company.
“If an attacker used this method to solve CAPTCHA challenges that are built on top of enhanced security solutions such as behavioral biometrics technology, the risk assessment would recognize that an automated system was completing the challenge and would then increase the challenge complexity until the challenge could not be solved. This is why it’s important to avoid CAPTCHAs as standalone products and have them as an interdiction that appears after an accurate risk assessment.”
Over two-fifths of organizations have fallen victim to a so-called Business Process Compromise (BPC) attack, despite widespread ignorance from senior execs about the threat, according to Trend Micro.
The security giant polled over 1100 IT decision makers responsible for security across the UK, US, Germany, Spain, Italy, Sweden, Finland, France, Netherlands, Poland, Belgium and the Czech Republic.
It found that 43% had been impacted by a BPC: a type of highly targeted attack in which hackers look to manipulate an organization’s unique business processes to their own ends.
They typically involve an initial compromise followed by plenty of lateral movement inside the victim organization to conduct reconnaissance on security gaps and internal processes.
Perhaps the most famous case of a BPC to date was the attack on Bangladesh Bank where hackers installed multiple layers of malware into the bank’s IT systems to exploit the communications process between the bank and SWIFT. A total of $81m was lost, although the figure could have been much higher if an eagle-eyed employee had not spotted a spelling error on a transfer.
Vice president of security research, Rik Ferguson, claimed cyber-criminals are increasingly playing the long game for greater reward.
“In a BPC attack, they could be lurking in a company’s infrastructure for months or years, monitoring processes and building up a detailed picture of how it operates. From there they can insert themselves into critical processes, undetected and without human interaction,” he explained.
“For example, they might re-route valuable goods to a new address, or change printer settings to steal confidential information — as was the case in the well-known Bangladeshi Bank heist.”
The good news is that security teams are aware of the threat, with 72% claiming that BPC is a priority for their cyber strategy. However, half (50%) of management teams don’t know what a BPC attack is or how it could impact the organization, Trend Micro warned.
Australia has followed the UK in passing its own draconian surveillance laws which could force technology providers to engineer de facto backdoors into their end-to-end encryption products.
The opposition Labor Party stood aside at the eleventh hour to let the bill pass, on the understanding that its amendments would be passed in the new year, something the government now says it will only “consider.”
As is the norm, the government had argued that law enforcers and security services needed to be able to access specific communications to fight serious crime and protect national security.
“This ensures that our national security and law enforcement agencies have the modern tools they need, with appropriate authority and oversight, to access the encrypted conversations of those who seek to do us harm,” attorney-general, Christian Porter is reported to have said.
On the other side, experts warn that any attempt to introduce vulnerabilities into such systems would ultimately undermine security for the majority of law-abiding citizens, especially as it’s likely to be done in secret.
“This could have a devastating knock-on effect around the world. Creating a backdoor for law enforcement will never assure that no-one else will be able to access the database or files, and criminals will learn to exploit these vulnerabilities,” said ESET security expert, Jake Moore.
“If you break the fundamental way that encryption works, you risk breaking the internet and eradicating any trust and security."
According to the Electronic Frontier Foundation (EFF), the Australian Assistance and Access Act can be seen as an attempt to mimic the controversial UK Investigatory Powers Act (IPA).
“Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers, to re-engineer software and hardware under their control, so that it can be used to spy on their users,” explained EFF international director, Danny O’Brien.
“Engineers can be penalized for refusing to comply with fines and face prison; in Australia, even counseling a technologist to oppose these orders is a crime.”
The UK’s GCHQ is already looking to wield its powers to demand that messaging providers allow government snoopers to be secretly added to conversations so they can eavesdrop. It’s described not as an encryption backdoor but a “virtual crocodile clip” — although the plan was described as "absolute madness" by Edward Snowden as destroying trust in the privacy of online services.
Already, the UK government has warned parliament that GCHQ is evolving the way it snoops on targets under the IPA. Bulk “equipment interference” (EI) — also known as bulk hacking of devices — was originally intended to be limited to overseas “discovery” operations only: the exception rather than the rule.
However, in a letter this week, security minister, Ben Wallace, admitted that GCHQ will need to “conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged.”
The reason, it appears, is the growing use of end-to-end encrypted communications.
“The communications environment has continued to evolve, particularly in terms of the range of hardware devices and software applications which need to be targeted,” the letter noted.
“In addition, the deployment of less traditional devices, and usage of these technologies by individuals of interest has advanced significantly.”
Two-fifths of UK consumers have been a victim of cybercrime with phishing topping the list, according to new research from GMX.
The email provider polled over 2000 Brits last month to better understand the impact and extent of online threats.
It found that half of those netizens affected lost money as a result. The average loss was £565 ($720), although 1% of respondents said they lost over £10,000.
Phishing and “misuse of data” were the most common forms of cybercrime, each accounting for 11% of answers. Next came malware (10%), fake e-stores (7%), online extortion (6%), and charity fraud (5%), where recipients are tricked into donating to spoofed worthy causes.
The over-55s were least likely to be victims of online crime, with 73% claiming they had never been caught out, versus 47% of those aged 16-24. This could be because older netizens are more cautious online, and/or that they spend less time on the internet.
The email firm urged consumers to remember its “three Cs”: context, common sense and charity aware.
The news comes as the busy online Christmas shopping period is well underway, with Brits expected to spend billions at their favorite e-commerce stores. They were predicted to have splashed out £5bn on Black Friday alone, half of which was online.
Security vendor Sonicwall claimed that UK phishing scams soared 648% year-on-year this Cyber Monday. It recorded 2535 attacks over the course of Monday and 11,433 for the week around this busy shopping weekend, a 436% increase on the same period in 2017.
With the run-up to Christmas still the busiest time for online shoppers in the UK, the firm warned that consumers could be deluged by phishing and similar scams, eroding trust in the brands they shop with and hitting stores’ profits.
Nokia is warning of a deluge of IoT malware after revealing a 45% increase in IoT botnet activity on service provider networks since 2016.
The mobile networking firm’s Threat Intelligence Report for 2019 is based on data collected from its NetGuard Endpoint Security product, which it says monitors network traffic from over 150 million devices globally.
It revealed that botnet activity represented 78% of malware detection events in communication service provider (CSP) networks this year, more than double the 33% seen in 2016.
Similarly, IoT bots now make up 16% of infected devices on CSP networks, a near-five-fold increase from 3.5% a year ago.
"Cyber-criminals are switching gears from the traditional computer and smartphone ecosystems and now targeting the growing number of vulnerable IoT devices that are being deployed,” said Kevin McNamee, director of Nokia's Threat Intelligence Lab. “You have thousands of IoT device manufacturers wanting to move product fast to market and, unfortunately, security is often an afterthought.”
This is a threat that first came to light with the Mirai attacks of 2016, when the infamous IoT malware sought out and infected tens of thousands of smart devices protected only by factory default passwords.
That ended up launching some of the largest DDoS attacks ever seen, although Nokia also called out crypto-mining as a potential new use of IoT botnets made up of compromised smartphones and web browsers.
“Cyber-criminals have increasingly smart tools to scan for and to quickly exploit vulnerable devices, and they have new tools for spreading their malware and bypassing firewalls. If a vulnerable device is deployed on the internet, it will be exploited in a matter of minutes," McNamee warned.
IoT adoption is expected to accelerate with 5G, potentially exposing even more devices to cyber risk, Nokia claimed.
Yossi Naar, co-founder at Cybereason, argued that attackers can also use compromised IoT endpoints to move into corporate networks and high-value servers.
“Simply put, security needs to be a primary design consideration, as fundamental as any other measure of performance,” he added. “There should be a focus on tight mechanisms for strong authentication and the minimization of the potential attack surface. It’s a fundamental design philosophy that responsible companies have, but it’s not a reflex for all companies — yet."
For more information, listen again to our webinar with Nokia, featuring insight from HardenStance founder and principal analyst Patrick Donegan and Kevin McNamee from Nokia's Threat Intelligence Lab, on the report's findings around IoT, crypto-coins and smart devices.
In a newly developed partnership with HackEDU, HackerOne announced that it has released a free web hacker training, adding to its Hacker101 offerings. Based on five popular, publicly disclosed vulnerability reports for which top bug bounty hackers initially earned up to $5,000 for reporting, HackerOne and HackEDU have created an interactive cybersecurity sandboxed training environment modeled after these real-world vulnerability reports.
Through training in this safe and legal simulated environment, hackers will learn the techniques behind clickjacking, a vulnerability that can be used to create a worm; XXE, a vulnerability that can be exploited to steal files; remote code execution (RCE), a server-side vulnerability that first earned a $5,000 bounty; and an SQL injection attack using sqlmap that steals data. Rounding out the top five is an XSS attack, which causes a user's browser to send you their data without their knowledge.
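Of the five classes, SQL injection is the one whose root cause and fix fit in a few lines. The following is an added example, not material from the HackerOne or HackEDU training, showing the defect sqlmap hunts for: a lookup that pastes the caller's string into the SQL text, beside the parameterised form that binds it. Both run against an in-memory SQLite table with constructed rows (the "hash-of-…" values are placeholders, not real hashes), and the two payloads are of the kind sqlmap sends automatically: a tautology that defeats the WHERE clause and a UNION that pulls a column the query never exposed.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows (placeholder hashes, not real ones)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice", "admin"), ("bob", "hash-of-bob", "user")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Deliberately vulnerable: the caller's string is spliced into the SQL text."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterised: the driver binds the value, so quotes in it never become syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# A tautology that makes the WHERE clause true for every row ...
BYPASS_PAYLOAD = "' OR '1'='1"
# ... and a UNION that appends the password_hash column; the trailing "--"
# comments out the closing quote the application adds.
DUMP_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology: ", lookup_user_vulnerable(conn, BYPASS_PAYLOAD))
    print("vulnerable, UNION dump:", lookup_user_vulnerable(conn, DUMP_PAYLOAD))
    print("safe, tautology:       ", lookup_user_safe(conn, BYPASS_PAYLOAD))
    print("safe, alice:           ", lookup_user_safe(conn, "alice"))
```

The vulnerable lookup returns every user for the tautology and every password hash for the UNION; the safe one treats both payloads as a literal username that matches nothing. The UNION only works because the attacker matched the column count of the original SELECT, which is exactly what sqlmap's column-enumeration phase determines by trial.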
Committed to growing and empowering the white hat community, HackerOne and HackEDU are providing free access to their training materials. The new HackEDU-developed vulnerability sandboxes are the latest in their interactive coursework available to hackers, who can also join existing Hacker101 interactive content, coursework and capture the flag (CTF) challenges, according to a press release.
“Hacking is a highly sought after skill, but it is not always clear how to get started or advance to the next level. This is why we started Hacker101,” said Cody Brocious, HackerOne security researcher and head of hacker education, in the release. “Now with HackEDU’s sandboxes and interactive lessons, hackers can test their skills like never before. With simulated real-world bugs – originally discovered by top bug hunters in the community – you will learn something new with these latest sandboxes, no matter your skill level.”
“HackEDU is proud to offer real-world applications with real-world vulnerabilities found on HackerOne’s platform,” said Jared Ablon, HackEDU’s CEO, in the release. “With this addition to HackEDU’s current offerings, users can explore how vulnerabilities manifest themselves in applications that people use everyday which enhances the learning process for both attackers and defenders.”
A new campaign, potentially originating from North Korea, has been targeting academic institutions since at least May 2018, according to new research published by NETSCOUT.
Dubbed "STOLEN PENCIL," the spear phishing campaign delivers emails that send unsuspecting users to a website displaying a document that tricks them into installing a malicious Google Chrome extension so that the threat actors can then scavenge for credentials.
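An extension can only harvest credentials from every site the user visits if its manifest asks for the access to do so, which makes the manifest a cheap place to audit. The following is an added example, not code from NETSCOUT or from the campaign, that reads constructed manifest.json contents and flags the combination that matters: host access to every origin together with APIs that intercept requests, cookies or tabs, a content script injected into every page, and the absence of the Chrome Web Store update_url that store-installed extensions carry (a heuristic for side-loaded installs). Both extension names, IDs and permission sets are invented; the permission and pattern names are Chrome's own.

```python
import json
from typing import Dict, List

# Constructed manifest.json contents for two installed extensions. Names,
# IDs and permission sets are invented for this example.
SAMPLE_MANIFESTS = {
    "corporate-sso-helper": json.dumps({
        "manifest_version": 3,
        "name": "Corporate SSO Helper",
        "permissions": ["storage"],
        "host_permissions": ["https://sso.example.edu/*"],
        "update_url": "https://clients2.google.com/service/update2/crx",
    }),
    "pdf-viewer-pro": json.dumps({
        "manifest_version": 2,
        "name": "PDF Viewer Pro",
        "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "cookies", "tabs"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "all_frames": True}],
    }),
}

# Match patterns that grant access to every origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that, combined with broad host access, let an extension read or rewrite
# what the user sends to and receives from every site.
HARVEST_APIS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                "clipboardRead", "webNavigation"}
# Extensions installed from the Chrome Web Store carry this update_url.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_manifest(raw: str) -> List[str]:
    """Return the reasons one manifest looks capable of credential harvesting."""
    m = json.loads(raw)
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    reasons = []
    broad_hosts = perms & BROAD_HOST_PATTERNS
    if broad_hosts:
        reasons.append(f"host access to every site: {sorted(broad_hosts)}")
    apis = perms & HARVEST_APIS
    if broad_hosts and apis:
        reasons.append(f"can intercept traffic/cookies on every site: {sorted(apis)}")
    if any(set(cs.get("matches", [])) & BROAD_HOST_PATTERNS
           for cs in m.get("content_scripts", [])):
        reasons.append("content script injected into every page (can read form fields)")
    if m.get("update_url") != WEB_STORE_UPDATE_URL:
        reasons.append("no Web Store update_url: side-loaded or unpacked install (heuristic)")
    return reasons


def audit_extensions(manifests: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every manifest and keep only the extensions with findings."""
    results = {}
    for ext_id, raw in manifests.items():
        reasons = audit_manifest(raw)
        if reasons:
            results[ext_id] = reasons
    return results


if __name__ == "__main__":
    for ext_id, reasons in audit_extensions(SAMPLE_MANIFESTS).items():
        print(ext_id)
        for r in reasons:
            print("    -", r)
```

On a Windows endpoint the manifests to feed in live under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json. A broad-host extension is not malicious by itself (ad blockers need it), so the output is a review queue, and the ExtensionInstallAllowlist policy is the control that keeps the queue short.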
“In keeping with tried and true tactics, the operators behind the STOLEN PENCIL campaign used spear-phishing as their initial intrusion vector,” NETSCOUT wrote in a blog post. “First reported by Twitter user @MD0ugh, a target of STOLEN PENCIL receives a spear-phishing message containing a link to one of several domains controlled by the threat actor.”
Once the malicious actors gain a foothold, they use Microsoft’s Remote Desktop Protocol (RDP) for remote point-and-click access. According to NETSCOUT, this tactic indicates that a person – rather than a remote access Trojan (RAT) with a command-and-control site – is actually behind the keyboard interacting with a compromised system. The threat actors are then able to use RDP to maintain persistence.
Additionally, the attackers rely on built-in Windows administrator tools and other commercial software to sustain the attack. Once they have exploited the victim’s system, they harvest passwords from multiple sources, including process memory, web browsers, network sniffing and key logging, using off-the-shelf tools. Oddly, the researchers have not yet seen any evidence of data theft, which has left them unable to determine the motivation of the attackers; however, many of the victims were experts in biomedical engineering, according to NETSCOUT.
“Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system,” the research team wrote.
While the tactics and procedures of the threat actors are quite basic and they rely on off-the-shelf tools, they spent a lot of time doing reconnaissance. In addition, the operators also demonstrated poor OPSEC and exposed their Korean language in both viewed websites and keyboard selections.
Adobe has issued security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS after another active exploitation of a zero-day vulnerability in Adobe Flash via a Microsoft Office document was identified.
The critical vulnerability (CVE-2018-15982) exists in the wild and could lead to arbitrary code execution and privilege escalation, according to the advisory.
According to Gigamon’s applied threat research team, the vulnerability “allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system. The document was submitted to VirusTotal from a Ukrainian IP address and contains a purported employment application for a Russian state healthcare clinic.”
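A Flash object inside an Office document leaves two static traces that a mail gateway or triage script can look for before anything is opened: the ActiveX part (word/activeX/*.xml) names the Shockwave Flash control by its class ID, and the embedded movie itself begins with an SWF header ("FWS", "CWS" or "ZWS" plus a version byte). The following is an added example, not code from Adobe, Gigamon or the article, that scans an OOXML package for both traces. It constructs its own minimal .docx in memory rather than using any real sample; the OLE container it builds is a stub (compound-file signature, filler, SWF header) and the offset reported depends only on that construction.

```python
import io
import re
import zipfile
from typing import List

# CLSID of the Shockwave Flash ActiveX control, as written into
# word/activeX/*.xml when a Flash object is embedded in an OOXML document.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF header: "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA), then a
# version byte. The byte range is a heuristic to cut down false matches.
SWF_MAGIC_RE = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")

TEXT_PARTS = (".xml", ".rels")
# Lower-cased package paths that hold embedded binaries in Word, Excel and PowerPoint.
BINARY_PARTS = ("word/activex/", "word/embeddings/", "xl/activex/",
                "xl/embeddings/", "ppt/activex/", "ppt/embeddings/")


def scan_ooxml_for_flash(data: bytes) -> List[str]:
    """Return a description of every part that references or carries a Flash object."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            lname = name.lower()
            if lname.endswith(TEXT_PARTS):
                if FLASH_CLSID.lower() in blob.decode("utf-8", "replace").lower():
                    findings.append(f"{name}: references the Shockwave Flash CLSID")
            elif lname.startswith(BINARY_PARTS) or lname.endswith(".swf"):
                m = SWF_MAGIC_RE.search(blob)
                if m:
                    kind = m.group()[:3].decode()
                    findings.append(f"{name}: SWF header {kind} at offset {m.start()}")
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal .docx in memory; with_flash adds a stub Flash object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"><w:body/></w:document>')
        if with_flash:
            z.writestr("word/activeX/activeX1.xml",
                       '<?xml version="1.0"?><ax:ocx xmlns:ax="http://schemas.microsoft.com/'
                       'office/2006/activeX" '
                       f'ax:classid="{{{FLASH_CLSID}}}" ax:persistence="persistStreamInit"/>')
            # Stub OLE container: compound-file signature, 64 bytes of filler,
            # then a zlib-compressed SWF header. Only the header matters here.
            z.writestr("word/embeddings/oleObject1.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
                       + b"CWS\x0f" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, scan_ooxml_for_flash(doc) or "no Flash traces")
```

Either trace alone is enough to quarantine a document from outside the organisation, since there is no business reason for Flash in an employment application. Legacy binary formats (.doc, .xls) store the same object inside an OLE2 compound file rather than a zip, so this scanner does not cover them; the SWF header search applies to their streams once an OLE parser has extracted them.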
Adobe Flash makes up 10 of the top 20 application vulnerabilities that impact the most businesses, with 79% of those vulnerabilities being rated high severity and having public exploits available, according to Tenable’s recently published Vulnerability Intelligence Report. In addition, when looking at affected enterprises and assets, Microsoft .Net and Office, Adobe Flash and Oracle’s Java have the most widespread impact.
Even more alarming, the report noted that Tenable discovered considerable amounts of known – but unpatched – Oracle Java, Adobe Flash, Microsoft IE and Office vulnerabilities in enterprise environments, going back over a decade.
“Exploits against zero-day vulnerabilities that allow for command execution using relatively stock enterprise software are valuable. Flash exploitation can be expected to continue as long as there are valid weaponization vectors that permit reliable execution,” Gigamon wrote.
As many experts look to 2019 in anticipation of what is to come, they warn that there will be an increase in cyberattacks. The Information Security Forum (ISF) has announced the top global security threats that businesses will face in 2019. Among them is the increased sophistication of cybercrime and ransomware.
Yet when companies leave known vulnerabilities unpatched for the better part of a decade, cyber-criminals don’t need to advance their tactics and procedures to spread targeted attacks, particularly when organizations don't understand their risk. According to the Tenable report, the Common Vulnerability Scoring System is an inadequate prioritization metric, and companies must prioritize vulnerabilities based on actual risk.
Speaking at Black Hat Europe in London, Nahman Khayet, security researcher and Shlomi Boutnaru, CTO at Rezilion, explored the current cybersecurity skills shortage and its link to the education system.
Khayet explained that there are three main characteristics of security experts, which are ‘thinking outside the box,’ ‘adversarial thinking’ and ‘technical knowledge.’
He also cited a quote from M Gladwell regarding the 10,000 Hour Rule, “…the key to achieving world-class expertise in any skill, is, to a large extent, a matter of practicing the correct way, for a total of around 10,000 hours…”
“This sentence has two meanings for us,” Boutnaru said. “The first, is we believe that each person in the world should practice and experience as much as they can in order to become an expert,” and the second is that “every cybersecurity expert should have a lot of experience in the industry before they actually become an expert.”
However, Boutnaru argued that teenagers studying computing in schools are suffering from limitations of the education system. They are being taught less technical material like safe internet use, privacy controls, password safety and computer safety, he added, but some “cybersecurity deep knowledge is missing” from the curriculum.
“What about network threats? What about denial of service? What about IP spoofing? What about code vulnerabilities, and others? If you think about it, a lot of teenagers are today developing applications for mobile, web apps, but they don’t have the basic understanding of those [aforementioned] specific threats. Why? Because we are not teaching them that.”
“Students, when they are not getting the right education of cybersecurity, they are not understanding (later on) when they apply for work in the industry the security risks,” said Khayet. “If we look at the characteristics of security experts, they lack all of them.”
So, both speakers argued that there is a great need to upgrade the current approach to teaching cybersecurity to teenagers by:
- Adding practical cybersecurity training in schools as early as possible
- Exposing girls in middle school to female cybersecurity leaders systematically
- Teaching cutting-edge technology with hands-on experience
- Investing more in pedagogical concepts
Speaking at Black Hat Europe 2018 in London Vijay Thaware, security response lead at Symantec and Niranjan Agnihotri, associate threat analysis engineer at Symantec, explored the rise of a threat called ‘Deep Fakes.’
According to the speakers, a Deep Fake is the theft of a human face (a crucial means of identity) for malicious gain in the form of video. Deep Fake technology uses AI-based human image blending methods to create such things as revenge porn, fake celebrity footage or even cyber-propaganda.
“This is happening now,” said Thaware. “As AI has progressed, if it has been trained well with sufficient sources, it can create seemingly real fake and deceptive videos.”
Deep Fakes can be created to target people of interest and importance, but also the general public, he added.
“The videos are created in such a manner that they can fool the human eye and a human can easily get tricked and believe what they see, or believe what the threat actor wants them to believe,” Thaware said.
In terms of the various hazards of Deep Fakes, they include:
- Fake news = Deep Fake news
- Trust issues
- Disinformation campaigns
- Emotional stress
- Can become ubiquitous
- Morality vs legality issues
Preparing a Deep Fake video simply requires a laptop, internet connection, some passion and patience and, of course, some images (often easily obtained online), Thaware explained.
With Deep Fakes so prevalent on social media “it becomes very important to develop systems that monitor the quality of content on social media,” said Agnihotri.
“The presence of Deep Fake videos on the internet can skyrocket at any time, therefore we need to make technology that has the ability to scan the content that we upload on social media, and flag it or block it,” he added.
To conclude, Thaware’s advice for curbing the rise of the Deep Fake threat was:
- The use of watermarking on video content
- Users should think before they forward videos
- Users should assess the credibility of a source
- Lawmakers must introduce robust laws against Deep Fakes
Also, both speakers urged the security community to come forward and create an awareness that Deep Fakes exist in the world, and do all it can to create as many hurdles as possible to stop malicious actors creating Deep Fake videos.
BT and Huawei have sought to play down speculation that the former is stripping the Chinese telecoms giant’s equipment from its networks over security concerns.
The UK telco group said it is removing Huawei infrastructure from its core 3G and 4G networks to meet existing policy, which will also preclude the Shenzhen-headquartered firm from its core 5G network.
“In 2016, following the acquisition of EE, we began a process to remove Huawei equipment from the core of our 3G and 4G mobile networks, as part of network architecture principles in place since 2006,” BT said.
“We’re applying these same principles to our current RFP for 5G core infrastructure. As a result, Huawei have not been included in vendor selection for our 5G core. Huawei remains an important equipment provider outside the core network and a valued innovation partner.”
The firm will still use Huawei’s antennas and other products not deemed to be in the “core,” it has been reported.
However, the pressure is building on UK stakeholders to prevent Chinese and other potentially hostile foreign suppliers from having anything to do with 5G.
The US, Australian and New Zealand governments have all moved to block Huawei from supplying their 5G networks.
Plus, in July, the Huawei Cyber Security Evaluation Centre (HCSEC), overseen by GCHQ, highlighted significant shortcomings in the firm’s processes that “exposed new risks in UK telecoms networks.”
It concluded that HCSEC has “only limited assurance” that Huawei equipment poses no threat to national security.
The news comes as MI6 boss Alex Younger made a rare appearance in public, using a speech at his alma mater St Andrews University to question whether the UK should be using Chinese kit in critical infrastructure.
“We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a quite definite position,” he reportedly said.
Last month, the government sent a letter to 5G network providers, reminding them that any suppliers would need to be heavily vetted for security.
In related news, Huawei CFO, Meng Wanzhou, daughter of founder Ren Zhengfei, has been arrested in Canada and faces extradition to the US. It is suspected the charges may be connected to possible violations of sanctions against Iran.
The chief campaign organization of the Republican Party has been hacked and thousands of emails from senior aides compromised over the period of several months, it has emerged.
In an incident reminiscent of the notorious cyber-attack on the Democratic National Committee (DNC) ahead of the 2016 presidential election, three GOP officials said the National Republican Congressional Committee had been breached.
According to Politico, the incident was discovered in April but not relayed even to senior lawmakers like speaker Paul Ryan and majority leader Kevin McCarthy until the news site contacted them this week.
“We don’t want to get into details about what was taken because it’s an ongoing investigation,” a senior party official is quoted as saying. “Let’s say they had access to four active accounts. I think you can draw from that.”
The committee is said to believe it could be the work of a foreign agent, although those rumors haven’t been confirmed. The FBI is currently investigating.
President Trump has in the past gloated that Republicans did not suffer a data breach while the DNC was compromised, claiming this was because the GOP has better cybersecurity rather than because the Russian hackers were specifically out to smear his opponent in the race for the White House.
Brian Vecci, technical evangelist at Varonis, said the attackers appear to have targeted individuals’ inboxes specifically to gain intelligence.
“The countries that have proven themselves to be able to perpetrate these kinds of attacks and have the motive to do so are Russia, China, and North Korea,” he added. “That doesn’t rule anyone else out, it just means they’re the most likely. These are the countries with the means, motive, and opportunity to get the most out of inside information related to US political thinking.”
Speaking at the Black Hat Europe conference in London, trainer and researcher Joe FitzPatrick of SecuringHardware.com asked delegates whether their risk assessments consider $5 hardware attacks; if not, he asked, “why worry about $1m [hardware attacks], as what is more likely?”
In his talk 'A Measured Response to a Grain of Rice,' which examined the controversial Bloomberg article about tiny chips found on motherboards, FitzPatrick said that malicious implants first came to public attention with the Snowden leaks in 2013 and the NSA “ANT catalogue” reported by Der Spiegel.
“Usually we think of keystroke loggers via USB, but they have been around for decades, as have modchips,” he said.
Asking when hardware attacks make sense for an attacker, he pointed to targets behind air gaps and heavily monitored networks, to physical access that would not be possible remotely, and to supply chain access to firmware.
Focusing on the Bloomberg story, which alleged that a malicious chip on server motherboards had affected 30 companies, FitzPatrick said there was a lot of reaction to the story, as well as questions about how to test for such an implant and what its indicators of compromise would be. “By the time the board gets to you, something has changed to the schematics to figure out what chips are what,” he added.
FitzPatrick said that there was little in the article on what the chip did, and using the term “component graffiti” he argued that the article caused “a lot of assumptions and doom and gloom.”
He said: “Was it real or a hoax? I don’t know: we don’t have information and I am no expert, however I can say it is possible and the things described are possible and I see challenges as a technical person.”
He asked why there were no first-hand accounts of what it did, and went on to say that a typical server has more than 10 components with firmware, hundreds of active components, and thousands of passive components, meaning that there is a “huge surface to look at.”
Concluding by discussing what we can do, FitzPatrick said that ripping up servers “is a waste of time” and asked delegates if they review what a supplier does and where hardware was acquired, and if they look inside systems.
“Actual risk is a combination of impact and frequency,” he said. “We need to respond to the threat and not to the hype.”
A new study found that a majority of financial services security professionals are overly confident about the ability of machine identity protections to defend their organizations' networks, according to Venafi.
The report, Securing the Enterprise with Machine Identity Protection, conducted by Forrester Consulting on behalf of Venafi, surveyed 116 IT security professionals from financial services and insurance organizations across the US, UK, Germany, France and Australia. It found that 80% of respondents who are responsible for identity and access management (IAM) trust that automated communications between machines on their networks are mostly or completely secure.
In addition, 70% of respondents feel confident that effective protection of machine identities is critical to the long-term security and viability of their companies, the study found. Still, financial services organizations are only tracking an average of 43% of the most common types of machine identities.
Looking at which types of machine identity respondents actually track, the study found that just over half (56%) track cloud platform instance identities and 55% track physical server identities, yet less than half (48%) track mobile device identities, according to a press release.
Even fewer, only 34%, track the machine identities of SSH keys. The numbers fall further for containers (28%) and microservices (26%).
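As an added, runnable illustration of the kind of SSH key tracking the report measures (this is not code from Venafi or Forrester), the Python script below inventories OpenSSH authorized_keys entries collected from several hosts. It computes the SHA256 fingerprint that `ssh-keygen -lf` prints, checks the declared key type against the type embedded in the key blob, and flags keys with no owner comment, no `from=`/`command=` restrictions, or reuse across hosts. The host names, key lines and key bytes are constructed for the example and are not real keys.

```python
"""Inventory OpenSSH authorized_keys entries gathered from several hosts.

Added example, not code from the Venafi/Forrester report. Standard library only.
"""
import base64
import hashlib
import struct
from collections import defaultdict
from dataclasses import dataclass

# Key types OpenSSH accepts in authorized_keys; the type token must match exactly.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def make_key_blob(key_type: str, *fields: bytes) -> bytes:
    """Build a public key blob: the type string followed by its wire-encoded fields."""
    return ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)


# Constructed sample data: hypothetical hosts, filler key material (not real keys).
_ED25519 = base64.b64encode(make_key_blob("ssh-ed25519", bytes(range(32)))).decode()
_RSA = base64.b64encode(make_key_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 65)))).decode()
_ECDSA = base64.b64encode(make_key_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))).decode()

SAMPLE_HOSTS = {
    "web01": [
        "# deploy key pushed by CI",
        f'from="10.0.0.0/8",no-pty ssh-ed25519 {_ED25519} deploy@ci',
        f"ssh-rsa {_RSA}",  # no owner comment, no restrictions
    ],
    "db01": [
        f"ssh-ed25519 {_ED25519} deploy@ci",  # same key reused on a second host
        f"ssh-ed25519 {_ECDSA} legacy@example",  # declared type disagrees with the blob
    ],
}


@dataclass
class KeyRecord:
    host: str
    options: str
    key_type: str
    blob_type: str
    fingerprint: str
    comment: str


def split_fields(line: str) -> list[str]:
    """Split on whitespace but keep double-quoted option values (command="a b") intact."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64 without padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(blob: bytes) -> str:
    """Read the key type string that every OpenSSH public key blob starts with."""
    if len(blob) < 4:
        return ""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode(errors="replace")


def parse_authorized_keys(host: str, lines: list[str]) -> list[KeyRecord]:
    """Parse authorized_keys lines from one host into KeyRecords; skip junk like sshd does."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        # Options, when present, precede the key type and never equal a key type token.
        options, rest = ("", fields) if fields[0] in KEY_TYPES else (fields[0], fields[1:])
        if len(rest) < 2:
            continue  # malformed line
        try:
            blob = base64.b64decode(rest[1], validate=True)
        except ValueError:
            continue  # not valid base64
        records.append(KeyRecord(host, options, rest[0], blob_key_type(blob),
                                 fingerprint(blob), " ".join(rest[2:])))
    return records


def audit(hosts: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (host, fingerprint, finding) for each check a key fails."""
    records = [r for h, lines in hosts.items() for r in parse_authorized_keys(h, lines)]
    seen_on = defaultdict(set)  # fingerprint -> hosts that trust it
    for r in records:
        seen_on[r.fingerprint].add(r.host)
    findings = []
    for r in records:
        if r.key_type != r.blob_type:
            findings.append((r.host, r.fingerprint, "type-mismatch"))
        if not r.comment:
            findings.append((r.host, r.fingerprint, "no-owner"))
        if not r.options:
            findings.append((r.host, r.fingerprint, "unrestricted"))
        if len(seen_on[r.fingerprint]) > 1:
            findings.append((r.host, r.fingerprint, "shared-key"))
    return findings


if __name__ == "__main__":
    for host, fp, finding in audit(SAMPLE_HOSTS):
        print(f"{host:6} {fp} {finding}")
```

In practice the `SAMPLE_HOSTS` dictionary would be filled from files collected by configuration management; the fingerprint is what lets the same key be recognised wherever it appears, which is the visibility the report says most respondents lack.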
“Financial services organizations have more work to do in order to make sure their machine identities are protected, and we know these issues are not unique to a specific industry,” said Jeff Hudson, CEO of Venafi, in a press release.
“Despite the importance of machine identities, most organizations are overwhelmed by the sheer number of them on their networks, and they don’t have the visibility, intelligence or automation necessary to take the necessary steps to close the gaping hole in security.”
The report also noted that 41% of financial services IT security professionals said that the lack of system administrator focus on machine identity use is a major challenge, while the same number identified a lack of automated processes to inventory machine identities as a major problem.