Cyber Risk News
Delivering the keynote address at Black Hat USA in Las Vegas, Google’s director of engineering Parisa Tabriz talked about the need to collaborate, celebrate progress and recognize those doing the defensive work.
Tabriz claimed that there are times when she feels we are “living in a reality version of Whac-A-Mole,” and she admitted that as the head of Google’s Project Zero she gets frustrated when there are reports of vulnerabilities not addressed.
She said that “98% of security issues that Project Zero reported [were] fixed within 90 days,” and while she later acknowledged that it “was and is controversial,” the project's aim is to challenge the status quo and to push back, and sometimes efforts move faster with collaboration.
Tabriz said that the “world is dependent on being safe, so we need to be more strategic in our approach to defense” and that to be successful we need to:
- Identify and tackle root causes
- Be more intentional on projects, pick milestones and celebrate progress
- Invest in bold defense projects and champions outside of security so efforts are successful
In terms of the first aim, she pointed to the work of Project Zero, which she said is “leading to positive change” with time to fix flaws and update users having been massively shortened.
“Today we see examples with vendors with better response, and no longer see pushback [to vulnerability disclosure] and see investment in sandboxing,” she said. She added that with more transparency, more collaboration and more interest in user security, we can move to more shared security goals.
As part of this, Tabriz publicly thanked defenders “for being unsung heroes” and said it was time to “recognize and celebrate defenders more.”
On the second point, she pointed at the recent launch of Chrome 68, which will flag non-HTTPS websites as not secure, saying that “without HTTPS there is no security and no privacy.”
She acknowledged that initial plans, which began in 2014, did not happen due to concerns on website performance and user experience. But when it did happen, the team celebrated it as it was “fun but important to keep morale up” and it was important to “celebrate progress as we tackle gnarly security problems.”
Finally, on investing in defense, Tabriz encouraged investment in core technologies and said that when the benefits are not immediately clear, they need to be communicated. “Impactful is not adding new things but simplifying existing code.”
She concluded by saying that the right problems and technical solutions can be found, but everyone must work together to clear the path for a safer future.
“Band together to stop playing Whac-A-Mole, so strategically pick milestones, remember to reflect on progress made and celebrate progress,” she said. “As we invest in a project where the benefits are not clear, build a coalition of champions. We care about making positive change. It’s up to all of us.”
The proliferation of industrial internet of things (IIoT) devices is reportedly at the root of the higher than normal rates of reconnaissance related to cyber-attacks and lateral movement activity in the manufacturing industry, according to a new report from Vectra.
The new 2018 Spotlight Report on Manufacturing analyzed attacker behaviors and network trends from more than 250 manufacturing enterprises that opted to be part of Vectra’s research. For six months, Vectra monitored network traffic, collecting metadata from customer cloud, data center and enterprise environments. Analysis of the metadata garnered from over 4 million devices and workloads revealed the ways in which the manufacturing industry is a prime target for attack.
Attackers who are able to bypass perimeter security gain network access, where they collect intel on their victims. The research revealed an unusually high volume of reconnaissance behavior, suggesting that attackers are mapping out manufacturing networks to locate critical assets.
Because the networks often have insufficient internal access controls, criminals are able to steal sensitive information with relative ease, the report found. Once attackers infiltrate the network, they proliferate the attack inside the network, evidenced by the findings that there is an abnormally high level of lateral movement.
Given that security controls can interrupt and isolate manufacturing systems, many manufacturers fail to invest in them. Instead, factories connect IIoT devices to flat, unpartitioned networks that have to communicate with general computing devices and enterprise applications, according to the report.
“In the past, manufacturers relied on more customized, proprietary protocols, which made mounting an attack more difficult for cybercriminals. The conversion from proprietary protocols to standard protocols makes it easier to infiltrate networks to spy, spread and steal,” the report stated.
According to Vectra, attempts to automate real-time data collection across integrated digital systems, IIoT devices and cloud computing resources in the manufacturing supply chain is an effort known as Industry 4.0. Using IIoT devices to converge enterprise information technology with operational technology networks in manufacturing organizations has enabled not only intellectual property theft but also business disruption.
Said Chris Morales, head of security analytics at Vectra, “The interconnectedness of Industry 4.0-driven operations, such as those that involve industrial control systems, along with the escalating deployment of IIoT devices, has created a massive attack surface for cybercriminals to exploit.”
Have you found yourself put off by a friend's comment or shocked by words Mom wrote in a group message on WhatsApp? WhatsApp users who have been questioning the content of comments from friends and family could be victims of a malicious actor, according to research released by Check Point.
According to a blog posted today, Check Point researchers discovered a vulnerability in WhatsApp that would allow an attacker to not only intercept messages but also manipulate them to put fake quotes into someone's digital mouth. Thus far, the researchers have found that there are three possible attack methods an attacker can use when exploiting the vulnerability.
- Changing a reply from someone to put words into their mouth that they did not say.
- Quoting a message in a reply to a group conversation to make it appear as if the message came from a person who is not part of the group.
- Sending to a member of a group a message that looks to be a group message but is in fact only sent to this member. However, the member's response will be sent to the entire group.
The more than 1.5 billion WhatsApp users reportedly send over 65 billion messages per day. With more than 1 billion groups on the Facebook-owned application, there is a wealth of opportunity for attackers to have some fun scamming and scrambling people's exchanges.
Check Point researchers wrote that they followed the process of responsible disclosure to inform WhatsApp of the vulnerability they found. “Given WhatsApp’s prevalence among consumers, businesses, and government agencies, it’s no surprise that hackers see the application as a five-star opportunity for potential scams," said Oded Vanunu, head of products vulnerability research at Check Point.
"As one of the main communication channels available today, WhatsApp is used for sensitive conversations, ranging from confidential corporate and government information to criminal intelligence that could be used in a court of law.”
According to a CISO survey conducted by Bugcrowd, 30 percent of CISOs plan to implement crowdsourced security programs in the coming year. To help fill the growing need for skilled researchers in the crowdsourced security field, Bugcrowd announced yesterday at Black Hat USA 2018 that it has launched Bugcrowd University.
Driven by the goals of improving the state of application security training and community engagement, the new Bugcrowd University will educate white hat hackers with the latest skills and methodologies. Delivering content that will empower security researchers, Bugcrowd University provides free, hands-on training and is open to all security researchers, even those who are not on the Bugcrowd platform.
According to Bugcrowd, organizations around the globe have seen a steady increase in the number of application vulnerabilities, which has resulted in more companies depending on crowdsourced bug bounty and vulnerability disclosure security programs that can identify their own vulnerabilities before an attacker is able to exploit them. This increased reliance on crowdsourced security programs has created a demand for more researchers.
The Bugcrowd Ambassador Program will continue to run in tandem with Bugcrowd University. By welcoming new researchers to the crowdsourced security field, Bugcrowd University will help to narrow the skills gap while offering continued training in new methodologies, enabling the white hat hacker community to level up their existing skills.
“Making Bugcrowd home for researchers is one of our highest priorities. The goal of Bugcrowd University is to empower researchers with training and content to strengthen the security community,” said Jason Haddix, Bugcrowd's VP of trust and security, in a press release.
“With this Bugcrowd University program we will not only train and empower our Crowd to find high-priority vulnerabilities, we will also introduce this model to would-be security researchers around the world to increase the number of skilled researchers looking for vulnerabilities.”
Commenting on the announcement, a 16-year-old hacker from Hungary, xdavidhu, reportedly told Bugcrowd, “I am actually pretty excited for Bugcrowd University because I think for beginners it's extremely hard (at least was for me) to get started and to get a basic idea of how this really works. But getting learning material from official sources like Bugcrowd would help a lot of people out when they are just considering to start doing bug bounty.”
One in 13 UK cybersecurity professionals have admitted they also participate in black hat activities, according to new research from Malwarebytes.
The security vendor commissioned Osterman Research to poll 900 professionals in the US, UK, Germany, Australia and Singapore to compile its latest study, White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime.
The UK stood out for three reasons. Its companies had the lowest average security budget of any country in the study, 97% of UK firms have fallen victim to a significant security threat over the past year, the highest of any country, and nearly 8% of respondents admitted to grey hat activity, versus a global average of 4.5%.
The study also revealed that 40% of UK security pros have known someone that has participated in black hat activity, 32% have been approached to take part and 21% have considered doing it.
The most popular reasons given for doing so were to earn more money (54%), the challenge that it offers (53%), retaliation against an employer (39%), philosophical reasons or some sort of cause (31%) and that it is not perceived as wrong (30%).
The financial challenge is likely to continue as the average security budget in the UK for a 2500-employee organization is set to grow by just 10% to £220,000 in 2018, according to the report. The largest chunk of this (17%) is apparently spent on remediation, with respondents claiming they’d spend on average more than £188,000 to remediate an incident.
"Companies need to assign more resources to their security budget, and that includes salaries for security researchers and other technicians. If an employee begins grumbling about pay, and if human resources are unresponsive to his or her requests, then organizations may be setting themselves up for a much larger financial loss down the line,” senior malware intelligence analyst, Jérôme Segura, told Infosecurity.
"Companies need to look for signs of individuals becoming unhappy or unfulfilled in their position and address them early on. Having regular dialogues between HR, managers and employees can help avoid more complicated situations at a later date.”
Segura added that tightening access controls can also help to mitigate the inside threat.
The Office of National Statistics (ONS) has warned that a lack of awareness about mobile security may be a cause for concern in the future, as smartphone threats mount.
Published yesterday, the latest ONS bulletin, Internet access – households and individuals, Great Britain: 2018, revealed that mobile phones are the most popular device used to access the internet, with 78% of UK adults logging-on in 2018.
However, there are question marks around security. Over a quarter (26%) of respondents said they didn’t have any security software on their device, while 24% said they didn’t know if there was security installed.
“Although the proportion of adults who had lost information or data as a result of a virus or hostile program was only 2%, this could potentially become a concern in the future due to lack of awareness surrounding the importance of security installation,” the ONS warned.
However, experts claimed that most smartphones come with a good level of in-built protections. John Kozyrakis, staff research engineer at Synopsys’ Software Integrity Group, argued the ONS report confuses 'smartphone security' with third-party security apps.
“Both Android and Apple iOS automatically install several security software components on user devices to combat malware and viruses. Users are typically unaware of these actions, as the relevant security components are ‘under the hood’ of the operating systems,” he added.
“I attribute the 26% figure to the public being unaware of how much effort goes into securing and protecting against malware by Google and Apple. On an up-to-date, recent device released within the last three years, which has not been jailbroken intentionally, and does not get applications from places other than the official marketplaces (Google Play and Apple Store), there is absolutely no need to install any third-party security software.”
Imperva CTO, Terry Ray, claimed that the percentage of users that don't have security software installed is likely to be significantly higher than 26%, but that this isn’t a major issue.
“This isn’t overly critical yet, as there are only a small number of attack tools at the moment, and application stores are currently taking ownership of preventing user threats to these,” he argued.
Highly sensitive data on over 2.3 million Mexican patients has been exposed via a misconfigured MongoDB installation.
Bob Diachenko, formerly of the Kromtech Security Center, made the discovery via a simple Shodan search last week and claimed in a post that the data was viewable and editable for anyone without a password.
It included full name and gender, unique identity code, insurance policy number, DOB, home address and disability and migrant flags.
The database owner, telemedicine company Hova Health, sent the following brief statement when notified: “All the areas that work on this project are reviewing exactly what happened and checking all our infrastructure to avoid this kind of events.”
Along with the patient data, which appears to cover only individuals from a specific region of the country (Michoacán), Diachenko found hashed and salted admin account passwords and email addresses.
“It is unclear how long the data was publicly exposed or who else except myself had access. This is yet another warning to any company or service provider that handles and stores personal medical data,” he argued.
“Security experts warn that not only should they audit their security processes regularly, but they should also have an incident response process in the event of a data leak. With the wave of ransomware attacks on hospitals, and medical providers it is clear that the healthcare sector is being targeted by cyber criminals.”
Although there have been countless cases of misconfigured cloud accounts found publicly exposed, often thanks to mistakes by third-party suppliers, with MongoDB there’s an even greater risk.
Last year saw two waves of attacks on publicly accessible MongoDB databases in which cyber-criminals stole the data before deleting the original copy and demanding a ransom. There were nearly 76,000 victims in the September 2017 attack campaign.
For its part MongoDB released guidance for users, claiming that if they follow the “extensive security protections built into MongoDB” they would be protected. However, Diachenko claimed nearly 54,000 databases are still exposed.
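The exposure described above is the default-configuration pattern: a mongod listening on every interface with authorization left off. As an added illustration, not from the article or from MongoDB's own guidance, here is that weak configuration beside a hardened mongod.conf; the certificate path and private address are placeholders.

```yaml
# Added example for comparison; two mongod.conf fragments as separate YAML documents.

# --- Exposed: the pattern behind the leak described above ---
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, so reachable from the internet
# No "security" section: authorization defaults to disabled, so any client that
# can reach the port can read, edit or drop every database without a password.

---
# --- Hardened ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5    # loopback plus one private app-network address (placeholder)
  tls:
    mode: requireTLS            # clients must use TLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled        # every client must authenticate with a role-based user
# Create the first user administrator (via the localhost exception) before restarting
# with authorization enabled, or you will lock yourself out as well as everyone else.
```

After restarting, confirm from a host outside the trusted network that port 27017 is not reachable, and that an unauthenticated client on the trusted network is refused before it can list databases.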
The future of cybersecurity product development relies on having a good idea, and the networking skills to get good feedback, customers and employees.
At the Black Hat conference in Las Vegas, CA Veracode CTO Chris Wysopal spoke on the ideas needed to start a company. Admitting that he was a “geeky kid” who later moved into software development, doing a computer engineering degree and vulnerability research, he said he was able to join local networks in the Boston, Massachusetts area by joining bulletin boards.
This later led him to join the working group L0pht, who were called to testify to the Senate in 1998 “and we took the leap and did the best job we could and took the opportunity and glad we did it.”
The theme of Wysopal’s talk was around networking though, and the need to overcome the comfort zone of not talking to people. He likened it to exercise “as it takes work and when you do it, you feel glad of it.”
He said: “If you start a company you need to know people, and you have to convince them to work for you. You need to meet them and see if they can work with you, and networking is critical if you want to start a company and meet people who are not exactly like you, such as developers and sales people. Not all security people.”
In terms of starting a company, he said that regardless of age, “if you have the urge to do it, go for it and be prepared to work on it for five, six or seven years and the best thing is to talk to people, find pitch challenges, apply to incubators and apply as you learn something from the application process and if it is rejected, ask why.”
Finally, in networking advice, Wysopal said that you need to talk to potential customers, and get feedback from customers and knowledgeable investors.
As well as identifying a niche idea to invent, he also recommended delegates look at getting along to local conferences, and take the leap of speaking at a small event and sharing knowledge. “That is what science is, and I urge you to try it.”
When considering a career in cyber or a career change into it, you don’t have to know everything but do consider your greatest achievements.
Speaking at BSides Las Vegas in the opening session of the Hire Ground track, Lesley Carhart from Dragos Security highlighted two characters who were in other careers and looking for a change and another who was starting their career.
In the case of switching roles, Carhart asked the audience, “What is the one thing that scares you most about making your next move?” She also asked what alarms them the most and what makes them the most hesitant.
In terms of highlighting work experience on a résumé, she recommended adding three sections: action, impact and quantification. Action is what you have done and what you did to maintain your position. Impact is why what you did was important to the team and the company. Quantification is about the financial scope – what money was made or saved – and the numbers of people who were trained or nodes that were serviced. “This shows what pace you were working at and the value of what you were doing,” she said.
In terms of understanding cybersecurity, Carhart said that no one really understands everything. Most people fall into a category and feel like impostors or are too terrified to ask a question.
“You will never ever know everything in infosec, and no one else does either; and the more you focus on one niche, the harder it is to keep up with others; and the more you learn, the more you find you don’t know,” she said. “Keep trying to learn: there are plenty who will help you; and help others.”
A critical subset of the ever-expanding internet of things (IoT), medical devices are increasingly vulnerable to attacks from botnets and malware, which is why the Cloud Security Alliance (CSA), in conjunction with the Open Web Application Security Project (OWASP), today announced the release of OWASP Secure Medical Device Deployment Standard V2.
Recognizing the increasing number of attacks that are targeting IoT devices, CSA and OWASP saw the growing need for increased security in deploying medical devices. Announced at Black Hat today, the newest guide has been updated to ensure improved security of devices used in healthcare facilities.
Developed in conjunction with the CSA IoT working group, version 2.0 contains many enhancements, particularly in regard to purchasing controls. With guidance from the Federal Drug Administration, the comprehensive updates focus on security audits and evaluation and privacy impact assessment. The changes to support evaluation controls are intended to better guide the secure deployment of medical devices within a healthcare facility.
"Too many of today's network-enabled security devices are still not being deployed with security in mind, exposing healthcare providers and their patients to data breaches at best and potential negative health consequences at worst. With ransomware and botnets targeting IoT devices, it is more essential than ever that devices are developed and deployed with security in mind," said OWASP project leader and author of the original paper Christopher Frenz in today’s press release.
The goal is to provide a clear roadmap that will ensure healthcare organizations follow best security practices for medical devices and IT systems. "The growth of electronic medical records and network-enabled devices has allowed healthcare providers to enhance their level of service and the efficiency with which they provide care. However, this same interconnectedness has opened a Pandora's box of security issues involving legacy systems and healthcare devices that were not designed with security in mind," said Hillary Baron, research program manager, CSA.
Ensuring consumer security requires an understanding of what data consumers value, as well as an awareness of their perceptions and experience with breaches. This is what Radware attempted to learn when it queried more than 3,000 consumers in its survey, Consumer Sentiments: Cybersecurity, Personal Data and the Impact on Customer Loyalty.
Of those who participated in the survey, 55% said that data theft ranked top of the list when it came to theft of their personal property. By comparison, 23% said they were concerned about the theft of their wallets, while 10% feared having their car stolen. Only 6% of respondents worried about the theft of their cell phone and house keys.
“It’s no surprise that data theft ranks so high in the minds of Americans as a major risk,” said Anna Convery-Pelletier, chief marketing officer for Radware, in today’s press release. “It’s easy to buy a new car or a new cell phone, but having private data exposed can have permanent consequences for both the consumer and the brand where the breach occurred. When an organization does not properly secure its network, it is putting its brand reputation in jeopardy and risking its customer base.”
Having their Social Security numbers pilfered was the biggest concern for 54% of respondents, yet only 18% had the same worry when it came to their banking information. Only 9% of the survey respondents said that having their healthcare records stolen was a paramount concern, yet healthcare records have a black market value of anywhere from $10 to $1,000, while Social Security numbers are valued between $2 and $25.
A notable disparity exists between the data that consumers are the most worried about protecting and the dollar value that data has to cyber-criminals, which the reports suggested underscores the fluidity of the value of personal information. “Just like financial markets, the value of personal information rises and falls based on political, economic and social factors. The economic principles of supply and demand also affect how cyber-criminals sell and purchase stolen information.”
Attackers are harnessing the power of the internet, leveraging the proliferation of devices in the ever-expanding internet of things (IoT) to launch terabit-per-second–scale distributed denial-of-service (DDoS) attacks, according to NETSCOUT’s 2018 Threat Intelligence Report.
DDoS attackers represent a wide range of actors with various motivations. While some are malware authors, others are opportunistic criminals taking advantage of affordable services for hire. “They are a busy group, constantly developing new technologies and enabling new services while utilizing known vulnerabilities, pre-existing botnets and well-understood attack techniques,” the report wrote.
Additionally, DDoS attacks continue to grow in size, volume, frequency and targets, with advanced persistent threat (APT) groups expanding beyond traditional areas. Attackers are using new DDoS attack vectors and methods, with 2018 ushering in the DDoS terabit attack era. Thus far, the largest DDoS attack ever recorded was at 1.7Tbps, NETSCOUT Arbor wrote in a press release.
The first half of 2018 saw 47 DDoS attacks larger than 300Gbps, nearly seven times the number of attacks seen during the same period in 2017. “DDoS activity now often involves hundreds of thousands—or even millions— of victims who largely serve to amplify the attack or end up as collateral damage, as indicated by the SSDP diffraction attacks that originated in 2015 and resurfaced this year,” the report wrote.
The threat landscape is moving more rapidly as attacks modify their tactics, according to Hardik Modi, head of ASERT. “Methods that are commonplace in the DDoS threat tool kit have sprung to crimeware and espionage. This accelerating internet-scale threat paradigm changes the frontiers for where and how attacks can be launched, observed and interdicted.”
The report also found that state-sponsored activity has become more commonplace with a broad tier of nation-state APT groups leveraging internet-scale attacks, such as NotPetya, CCleaner and VPNFilter. In addition, crimeware actors, inspired by these large-scale global attacks, have adopted the self-propagation technique, which allows malware to easily spread more rapidly.
The vast majority of IT decision makers appear to believe the hype surrounding artificial intelligence as a means to enhance cybersecurity.
An ESET poll of 900 IT leaders in the US, UK and Germany found a disappointing 75% believe AI is a ‘silver bullet’ to helping them counter online threats.
Respondents from the US (82%) were much more willing to believe the hype than their counterparts in the UK (67%) and Germany (66%).
Most of those polled claimed that AI and machine learning would help their organization to detect and respond to threats faster (79%) and help solve skills shortages (77%).
There’s certainly evidence to suggest that the emerging technology can help IT teams in this way — by spotting patterns indicative of a threat more quickly than human eyes could, and automating detections to take the strain off stretched cybersecurity teams.
However, no single technology should be viewed as a ‘silver bullet,’ according to ESET CTO, Juraj Malcho.
“If the past decade has taught us anything, it’s that some things do not have an easy solution — especially in cyber-space where the playing field can shift in a matter of minutes. In today’s business environment, it would be unwise to rely solely on one technology to build a robust cyber defense,” he said.
“However, it is also interesting to see such a gap between the US and European respondents. The concern is that overhyping this technology may be causing technology leaders in the UK and Germany to tune out. It’s crucial that IT decision makers recognise that, while ML is without a doubt an important tool in the fight against cybercrime, it must be just one part of an organization’s overall cybersecurity strategy.”
In fact, AI also offers cyber-criminals a potential advantage, according to NTT Security EMEA SVP, Kai Grunwitz.
“Just as it helps us find the needle in the haystack — the malware threat hiding in plain sight — it could also enable them to automate the discovery of vulnerabilities in key systems,” he argued earlier this year.
“Imagine what havoc could be reaped by self-learning malware designed to continually adapt to its environment, with no input required from its masters? As always, the upper hand is with the attacker, who only needs to find one vulnerability to succeed, whereas we defenders must make only one mistake to let them in.”
To that end, 91% of cybersecurity professionals are concerned about hackers using AI against them, according to Webroot.
The FCC’s attempt to maintain that its comments page crashed last May as a result of a co-ordinated DDoS attack was actually built on falsehoods, it has admitted.
The regulator was forced to make the admission ahead of an inspector general report into the case due to be released shortly.
The comments section crashed after millions took to the site to complain about its controversial decision, taken under the stewardship of Trump appointee and new chairman Ajit Pai, to overturn net neutrality rules.
It’s thought a late-night piece by comedian John Oliver, in which he encouraged individuals to complain to the FCC about the decision, also swelled numbers.
However, new statements suggest the regulator has been lying.
Pai sought to play the partisan card by blaming an Obama appointee for the mess whilst trying to absolve himself of all responsibility.
“With respect to the report’s findings, I am deeply disappointed that the FCC’s former chief information officer (CIO), who was hired by the prior administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people,” he said.
“I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.”
Democrat FCC member, Jessica Rosenworcel, had a different take, focusing on the issue of net neutrality.
“The inspector general Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus,” she said in a statement.
“What happened instead is obvious—millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.”
Although the Senate recently voted to overturn Pai’s net neutrality repeal, it’s still likely to be forced through by the Republican-dominated lower House. Detractors have argued that the repeal will lead to throttling, blocking and paid prioritization, creating an uneven playing field dominated by large ISPs and service providers.