Director of game research and development for the Institute for the Future, Jane McGonigal, opened her luncheon keynote at the 2018 Security Congress with what she considered exciting news by announcing that human beings have reached a milestone: People spend 2.5 billion minutes a day playing League of Legends.
“To put that in perspective, that’s the equivalent of having a company of 20,250,833 employees who do nothing but play League of Legends all day,” McGonigal said. Lest the audience grow too alarmed, McGonigal quickly launched into evidence supporting the theory that playing games actually has a positive impact on productivity.
Recognizing that many might see gaming as a waste of time, McGonigal argued that this idea is a misconception. “I think the reason why we fear it is a waste of time has to do with a misconception that most of us hold from when we are very young, and we hold it for our entire lives.”
The opposite of work is not play, but depression, McGonigal argued. Play, in fact, induces optimism and fosters hope for success. The curiosity that comes from gaming can then be applied to cybersecurity through task switching. McGonigal suggested that a gaming "warm-up" can actually create a "super-powered hopeful individual": playing a game for 10 minutes serves as a preparation tool to shift into problem-solving in the real world.
Before tasking the audience with a challenge, McGonigal explained, “I make things that allow users to figure out how to tackle some of the toughest challenges of our time. What are the problems we face as a planet and how can we lift people from feeling anxious, hopeless or helpless into feeling they are empowered?”
Answering that question, McGonigal said that bringing gamers and the cybersecurity community together is key to thinking like a futurist. “They can work together to do a much better job of anticipating the long-term social impact of the technologies we create and integrate into our organizations and bring into our families and lives."
Some in the audience scoffed at her suggestion that we are all Mark Zuckerberg now, but McGonigal went on to explain, “We are all responsible for the role we play in adopting technologies and popularizing technologies and bringing impact into our organizations. Those who design technology, build technology and sell technology have their role in this as well.
“It’s up to all of us to think with a little bit more foresight. Are we building the future that we want? What might go wrong, and what actions can we take today to avoid these things going wrong?” The skills learned through gaming are preparing a generation of people to anticipate the impact technology may have on the future in order to better secure it, according to McGonigal.
In his opening keynote to members attending this year’s (ISC)2 Security Congress in New Orleans, CEO David Shearer talked about the resilience of the city in the aftermath of several hard-hitting natural and man-made disasters, noting, “It’s hard not to be inspired by the resiliency of this region.”
Using New Orleans as a model for resilience, Shearer said, “In my experience resiliency to respond to complex challenges is directly linked to a thorough understanding or a holistic view of the challenges you are likely to face." Shearer also commended the first responders of the region for having a deep understanding of their missions – dealing with bad situations and responding appropriately to the unpredictable.
Addressing the audience of cybersecurity professionals, Shearer said it is equally important that, like first responders, experts in the industry do not approach their work through fear, uncertainty and doubt. “They plan for it, they drill for it, they are ready for it. It’s ingrained in what they do and who they are. We need to have a similar mentality about the growing threats we face,” Shearer said minutes before introducing Louisiana congressman Cedric Richmond.
Rep. Richmond, who currently serves on the House Committee on Homeland Security and the House Committee on the Judiciary, validated the need for planning and preparation in noting, “This conference comes at a pivotal time in our nation’s history and future. The secretary of Homeland Security recently warned that the next attack the magnitude of 9/11 won’t involve airplanes. It will be a cyber-attack.”
Systems at all levels are under attack at all times, Richmond said, which has provoked local, state and national conversations about what is needed to protect the economy and preserve the American way of life.
“First, federal, state and local governments must be structured and funded to properly protect against, investigate and remove malware on their systems and to serve as effective cyber-defense partners with the private sector,” Richmond said.
Advocating that the industry look to candidates with nontraditional backgrounds, the congressman also said, “We need a robust cybersecurity workforce to support both the private and public sectors.”
Educating the public on good cyber hygiene and building partnerships between the private and public sector will also help to advance the understanding of why cybersecurity matters. “Although we have made progress in these areas, progress has been too slow and too inconsistent. A game plan has to give everyone clear assignments and responsibilities. If people’s assignments aren’t clear, players and bad actors go uncovered. That’s how you lose a game,” Richmond said.
Before launching into the content of her talk, Enterprise Security Awareness Programs That Work, at the 2018 (ISC)2 Security Congress, Theresa Frommel, acting deputy CISO for the state of Missouri, confronted the elephant in the room, asking the audience, “How many of you are nonbelievers?”
When asked whether their programs were delivered only annually, many in the room mumbled yes. Frommel also received affirmation from the audience when she asked, “Most of you are not doing repetitive monthly trainings?”
Many organizations still don’t understand why security awareness training programs matter when they don’t see significant improvements in end user behavior, but Frommel said behaviors can change.
Missouri has 600 municipalities in 114 counties, served by 30 state agencies across the legislative and judicial branches. Of the state’s 40,000 employees, 950 are IT staff, 20 of whom are in the office of cybersecurity.
Why do companies need effective security awareness programs? Primarily because, Frommel said, 90% of breaches are the result of phishing attacks.
"In the first quarter of 2018, phishing activity trends were up 46%. More than a third of phishing sites were hosted on sites with HTTPS and SSL certificates, and the number of sites hosting phishing pages rose from 60,000 at the beginning of 2018 to 113,000 in March,” Frommel said adding in a reminder that many of the high profile breaches in the past several years were the result of someone opening a phishing message.
That’s why an effective awareness program needs to understand human behavior, Frommel said. Phishing campaigns are successful because attackers hit the emotion of fear and uncertainty.
“Sometimes it’s hard to blame the user because they are thinking and asking, ‘Am I expecting an attachment? Do I know this user?’ and the answer is yes,” Frommel said.
In advising the audience on how to mitigate the human risk, Frommel assured, “Human behavior can be changed. Make users another security control, not a security problem. Phishing is no different than any other swindle, but technology can only mitigate email risk to a point. Training should be frequent, brief, targeted and able to change people’s thought processes, which over time, changes the culture.”
Because technology will only go so far, it falls to security practitioners to keep pushing for changes in behavior and thinking. Missouri deploys 40,000 interactive lessons a month, each 10-15 minutes long and focused on a different topic, and agencies compete against each other through gamification.
Part of successful programs requires that you are able to track results and ensure employee participation, but it’s also critical that you are able to recognize when the content has become stale and be able to adapt to find more engaging material, said Frommel.
The United States and UK authorities have joined Amazon and Apple in contesting a blockbuster story last week that Chinese spies implanted tiny chips onto supply chain components used in the tech giants’ products.
The Bloomberg story, which cites 17 unnamed sources including three at Apple and four US officials, claimed that the microchips were placed onto motherboards in Chinese factories, and that those motherboards were subsequently assembled into servers by Supermicro.
These servers were apparently purchased by Apple, Amazon and around 30 other companies, and also used by the US and UK government — which could have given Beijing unprecedented access to corporate and state secrets.
The UK’s National Cyber Security Centre (NCSC) said in a statement: “The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”
A very similar statement was posted by the DHS over the weekend.
“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story,” it noted.
“Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”
Bloomberg is standing by its story, but whether its claims are true or not, they’ve ratcheted up the tensions between the US and China over trade, security and the global supply chain.
Russia’s prolific military intelligence service the GRU appears to be on the back foot once again after an investigative news site revealed it managed to locate the identities of over 300 possible agents.
Bellingcat teamed up with Russian partner site The Insider to dig deeper after the British and Dutch authorities revealed the identities of four alleged GRU officers last week. The authorities claimed the men had traveled to the offices of the Organisation for the Prohibition of Chemical Weapons (OPCW) in April to hack the organization via its Wi-Fi network.
Crucially, the four traveled under their real names using diplomatic passports, with subsequent searches revealing one of the men registered as living at Ulitsa Narodnogo Opolcheniya 50, an address in Moscow where the Military Academy of the Ministry of Defence is apparently located.
Further searches on the names revealed links to a Russian car ownership database where one of the four alleged GRU officers, Alexey Morenets, was registered as owner of a Lada.
This seemingly innocuous detail proved to be a significant discovery.
“The address to which the car was registered, Komsomolsky Prospekt 20, coincides with the address of military unit 26165, described by Dutch and US law enforcement as GRU’s cyber warfare department. The database entry contained Morenets’s passport number,” the report noted.
“By searching for other vehicles registered to the same address, Bellingcat was able to produce a list of 305 individuals who operated cars registered to the same address. The individuals range in age from 27 to 53 years of age.”
Even worse for the Kremlin, the database entries apparently contain full names, passport entries and mobile phone numbers, as well as the street address and military unit number: 26165.
This is the infamous unit which the hackers indicted by the US last week are alleged to be stationed with.
The report claimed that if the 305 individuals are indeed GRU officers, the discovery could be “one of the largest mass breaches of personal data of an intelligence service in recent history.”
It comes after a series of missteps by the Kremlin’s fearsome intelligence apparatus, including the unmasking of two GRU officers who attempted to assassinate a double agent in the English city of Salisbury earlier this year, and the indictment of many more by the US authorities for a series of major cyber-attacks.
California has passed new legislation set to make it illegal for connected device manufacturers to ship them with default passwords, but experts want lawmakers to go further.
The Information Privacy: Connected Devices bill will come into force on January 1, 2020, and is an attempt to force improvements in IoT security following some headline-grabbing incidents over recent years.
The law mandates manufacturers either to create a unique credential for each device on the production line, or ensure that the user is forced to do so on booting up for the first time.
In the context of this law, “connected device” refers to any “physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
The law will help to reduce the risk of IoT attacks like Mirai which work by scouring the web for exposed devices protected only by simple, factory default log-ins, before conscripting them into botnets.
The technique has been aped by multiple variants since Mirai first appeared in 2016, with a new threat discovered just last week, dubbed “Torii.”
While the new law will certainly do its bit to improve IoT security, many of the devices the Mirai botnet compromised were built in China rather than California, and the law only reaches devices sold into the state.
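To make the requirement concrete, here is an added example (not code from the legislation, a manufacturer or any of the vendors quoted) that models the three provisioning policies in memory and runs a Mirai-style credential spray against each: the shared factory default, a unique per-unit credential (the law’s first option), and a device that refuses remote login until the owner sets a credential on first boot (the second option). The serial numbers and the short default-password list are constructed for illustration.

```python
"""
Added example, not code from the legislation or any vendor: three first-boot
credential policies for a connected device, modelled in memory, and a
Mirai-style spray run against each. Serials and the default list are constructed.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# The first guesses a Mirai-style scanner makes (constructed, representative subset)
COMMON_DEFAULTS = ["admin", "password", "12345", "root"]


def acceptable(password: str) -> bool:
    """Reject the values a credential-spraying bot tries first."""
    return len(password) >= 12 and password.lower() not in COMMON_DEFAULTS


class Device:
    """Minimal model of a device's single management account."""

    def __init__(self, serial: str, password: Optional[str]):
        self.serial = serial
        self.salt = os.urandom(16)
        # None means no credential exists yet: remote login is refused until setup
        self.pw_hash = self._hash(password) if password is not None else None

    def _hash(self, password: str) -> bytes:
        # Slow hash so a leaked firmware image does not give up the password cheaply
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def login(self, password: str) -> str:
        """Return 'setup-required', 'ok' or 'denied'."""
        if self.pw_hash is None:
            return "setup-required"
        if hmac.compare_digest(self.pw_hash, self._hash(password)):
            return "ok"
        return "denied"

    def first_boot_setup(self, new_password: str) -> bool:
        """Accept a user-chosen credential exactly once, while none exists."""
        if self.pw_hash is not None or not acceptable(new_password):
            return False
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new_password)
        return True


# Three ways a production line can provision the account
def legacy_factory(serial: str) -> Device:
    """Every unit ships with the same 'admin': the pattern Mirai lives on."""
    return Device(serial, "admin")


def unique_factory(serial: str) -> tuple:
    """Per-unit random credential, printed on the unit's label (option 1 in the law)."""
    label_password = secrets.token_urlsafe(12)
    return Device(serial, label_password), label_password


def setup_factory(serial: str) -> Device:
    """No usable credential until the owner sets one on first boot (option 2)."""
    return Device(serial, None)


def spray(devices: list) -> list:
    """Simulate the scanner: serials whose account accepts a common default."""
    return [d.serial for d in devices if any(d.login(p) == "ok" for p in COMMON_DEFAULTS)]


if __name__ == "__main__":
    serials = ["CAM-0001", "CAM-0002", "CAM-0003"]
    print("legacy fleet compromised:", spray([legacy_factory(s) for s in serials]))
    print("unique fleet compromised:", spray([unique_factory(s)[0] for s in serials]))
    print("setup fleet compromised: ", spray([setup_factory(s) for s in serials]))
```

Two caveats a reviewer would raise against a real implementation: the per-unit password must come from a CSPRNG rather than being derived from the serial or MAC address, otherwise one leaked formula unlocks the whole product line; and the first-boot setup call should only be reachable over the local interface, otherwise whoever scans the device first gets to choose its password.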
Experts lined up to argue the law should do more to improve baseline security.
Nabil Hannan, managing principal at Synopsys, argued that it would help to solve the problem of dictionary attacks or common password-based attacks, but not other threats.
“This, however, doesn’t stop the problem of say, a user’s password getting stolen through a vulnerability like SQL injection or through a phishing attack. Now the attacker can use the complex password and still get into the user’s account,” he explained.
“Or a user maintaining the same complex password across all applications. If one application is breached due to a vulnerability such as SQL injection, where all user passwords are stolen, then the attacker can now use the same complex password to get into the user’s account across all applications.”
AlienVault security advocate, Javvad Malik, claimed the law should also cover things like forcing manufacturers to ensure patches and security fixes are regularly issued and easy-to-deploy.
“Finally, many internet-connected devices are only usable when they are connected to the manufacturer’s cloud. If the manufacturer decided to stop support, or end-of-life a product, then often the customer is left with an unusable device,” he added.
“One option to combat this, is that manufacturers place the device code in escrow, so that if the company stops supporting the devices, or ceases to exist — customers, or a third party can manage the devices themselves.”
The British Standards Institution launched a new kitemark scheme earlier this year which will aim to raise security standards in the IoT industry. One of the requirements to be accredited is to produce devices with unique passwords which aren’t resettable to a factory default.
Credential phishing campaigns, in which high-profile individuals are unwittingly falling victim to malicious actors who are looking to gain access into business systems, have proven to be a successful attack vector. According to a new Menlo Security report, Understanding a Growing Threat: Credential Phishing, credential phishing is a quickly growing cyber-attack and is increasingly becoming the preferred entry point for most attackers.
Bad actors try to steal user credentials by tricking them into using their login information on fraudulent sites. By either hijacking an existing login page or creating a highly sophisticated login website that closely resembles an authentic site, attackers easily gain access to the network.
The most common targets are public agencies and political organizations, and the attacks are often sponsored by nation-state groups, advanced persistent threat (APT) cyber-criminals or hacktivists, according to the report.
“Attackers know very well how to manipulate human nature and emotions to steal or infiltrate what they want. They use email messages that induce fear, a sense of urgency, curiosity, reward and validation, an emotionally charged response by their victims or simply something that is entertaining and a distraction to convince, cajole or concern even seasoned users into opening a phishing email,” the report said.
The research found that the most popular phishing lures across Menlo Security’s customer base were associated with OneDrive, LinkedIn and Office 365 logins. Attackers intentionally leverage these work productivity tools because people rely on them to conduct day to day business exchanges.
Apparently hackers enjoy long weekends, as Friday was reportedly the least popular day for attackers, with only 0.8% of phishing emails being sent out before the weekend. Campaigns start to pick up on Mondays, with 11.3% of URLs distributed. After easing into the week, email disbursements increased to 39.8% on Tuesday. Interestingly, the attack setup and the percentage of phishing URLs sent on different days of the week remained the same across every industry.
Gaining access to corporate networks is only the beginning of a much larger and more destructive attack, and the report found that credential phishing is so effective that threat actors are able to evade generic threat intelligence solutions.
"The difficulty of detecting credential phishing attacks shows that while the TTPs of a credential phishing attack may be simple, the technology needed to detect and protect enterprises and their users from these attacks – and to provide visibility into such attacks – must be intelligent, impenetrable and advanced," the report said.
A security vendor has discovered nearly 200 domains spoofing legitimate UK news sites in order to spread fake news.
DNS security firm DomainTools ran a search on five of the UK’s most popular sites: BBC News, Sky News, ITV News and the websites of the Guardian and the Daily Mail newspapers.
It discovered 197 domains with a high risk score of over 70. These included: bbcnew[.]info; theguarsian[.]com; synews[.]co; ifvnews[.]cn; dailymail[.]cm.
Known as typo-squatting, this tactic typically relies on users mistyping their favorite sites and in so doing ending up on the fake version. Also known as URL hijacking, it can be used to generate revenue from pop-up ads, harvest user information, or even to covertly download malware to the victim's machine.
In this case it appears that those behind the registrations are looking to spoof the news sites to peddle fake news.
DomainTools warned internet users to pay more attention to the URLs they’re visiting, by hovering over links to see where they’re being taken to. Sneaking extra letters into a well-known domain, such as Yahooo[.]com and using “rn” to appear like an “m” are common techniques, it claimed.
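The patterns above (a dropped or swapped letter, a different TLD, “rn” standing in for “m”) can be checked mechanically. The following is an added example, not DomainTools’ code or method: it classifies observed domains against a small set of legitimate news-site labels using three checks. The legitimate-suffix map, the “dailyrnail” sample and the homoglyph list are constructed for this illustration; the other sample domains are the ones quoted above.

```python
"""
Added example (not DomainTools' code): flag domains that look like typo-squats of
a set of legitimate news-site labels. LEGIT, CONFUSABLES and the sample list are
constructed for this illustration.
"""

# Brand label -> suffixes treated as legitimate (assumption for this example)
LEGIT = {
    "bbcnews": {"com", "co.uk"},
    "theguardian": {"com"},
    "skynews": {"com"},
    "itvnews": {"com"},
    "dailymail": {"co.uk"},
}

# Sequences squatters use, mapped to what the eye reads them as. Multi-character
# sequences are folded first so 'rn' becomes 'm' before single characters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# The five domains quoted in the text plus one constructed 'rn'-for-'m' sample
SAMPLE_DOMAINS = [
    "bbcnew[.]info", "theguarsian[.]com", "synews[.]co", "ifvnews[.]cn",
    "dailymail[.]cm", "dailyrnail[.]co[.]uk", "theguardian.com",
]


def defang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' and normalise case."""
    return domain.replace("[.]", ".").strip().lower()


def fold_confusables(label: str) -> str:
    """Rewrite a label as a reader would perceive it."""
    for seq, looks_like in CONFUSABLES:
        label = label.replace(seq, looks_like)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return 'tld-swap', 'homoglyph', 'near-miss', or None when nothing matches.

    Only the first label is compared (assumption: the brand is the registrable
    label, as in every sample here); a leading 'www.' is stripped first.
    """
    host = defang(domain)
    if host.startswith("www."):
        host = host[4:]
    label, _, suffix = host.partition(".")
    if label in LEGIT:                       # exact brand label: only the TLD can be wrong
        return None if suffix in LEGIT[label] else "tld-swap"
    if fold_confusables(label) in LEGIT:     # reads as the brand but is spelled differently
        return "homoglyph"
    if any(levenshtein(label, legit) == 1 for legit in LEGIT):  # one typo away
        return "near-miss"
    return None


def scan(domains: list) -> dict:
    """Map each suspicious domain to its classification; legitimate ones are omitted."""
    return {d: classify(d) for d in domains if classify(d) is not None}


if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:24} {verdict}")
```

In practice this check runs over newly registered domains from a zone feed or certificate-transparency logs, and anything flagged is fed to mail and proxy blocklists; the edit-distance threshold of 1 keeps false positives low for short labels but misses two-character swaps, which is why the confusable folding is a separate pass.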
“These malicious domains are a kind-of double whammy, as they can be both engaged in the spread of fake news and in spreading malicious software,” argued DomainTools director of product management, Tim Helming.
“While malicious software can be damaging for the organization or the individual, fake news has a broader corrosive aspect, as it can damage the very institutions on which our democracies stand. These ideas can polarize and galvanize extreme forces in our country, ultimately ending as a threat to us all, especially where trusted news sources such as the ones above are concerned.”
Some 82% of cybersecurity professionals agree that fake news influenced the US election, according to a survey by the vendor at Black Hat last year. They argued that a combination of proper education (73%), social media filters (46%) and blacklisted websites (29%) could help prevent its spread.
A regional US fast food chain has become the latest victim of the notorious Fin7 hacking group after a breach of card data involving countless customers.
The FBI informed Pacific Northwest chain Burgerville on August 22 that it had been a target of the group, also known as Carbanak.
It was believed that the attack was a brief one, carried out a year previously, in September 2017. However, further investigation revealed it was still ongoing, with remediation finally completed by the firm on September 30.
Burgerville claimed it still doesn’t know how many customers were affected because the group was “adept at concealing their digital footprints.” However, it warned that anyone who visited a restaurant between September 2017 and September 2018 may have had their card data compromised. With over 40 locations, this could amount to a sizeable breach.
Credit and debit card information, including names, card numbers, expiration dates, and the CVV numbers were taken — meaning the details would be relatively easy to monetize on the dark web.
Customers are advised to review card statements for any unusual activity, obtain an annual credit report and consider freezing their credit.
Three alleged members of the Fin7 group were arrested earlier this year and each charged with 26 counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.
Experts guessed that the breach was the result of POS malware installed on the Burgerville network.
“What is somewhat surprising is the length of time it took to discover the attack — nearly a whole year,” said AlienVault security advocate, Javvad Malik. “This reinforces the need for companies to implement robust monitoring and threat detection capabilities so that any attack or malware can be discovered in a timely manner to reduce the overall exposure.”
Russian military intelligence officers allegedly travelled in person to the offices of targeted organizations in Switzerland, Brazil, Malaysia and the Netherlands to compromise Wi-Fi networks in a wide-ranging cyber-espionage campaign, it has emerged.
The allegations were made by the US Department of Justice (DoJ) as it indicted seven GRU officers yesterday for computer hacking, wire fraud, aggravated identity theft, and money laundering.
When the officers couldn’t obtain targeted users' log-ins or the hacked accounts didn’t give them the necessary privileged access, they allegedly travelled physically to hack them via Wi-Fi connections, including hotel Wi-Fi networks.
Anti-doping agency WADA, and the Organisation for the Prohibition of Chemical Weapons (OPCW) — which was investigating the Salisbury poisoning and use of chemical weapons in Syria — are said to have been among the targets.
Reports suggest four GRU officers set up hacking equipment in the boot of a car parked outside the OPCW’s offices in The Hague.
They are said to have been disrupted by Dutch intelligence officers, who confirmed the equipment had also been used at the Swiss hotel used by the Canadian Centre for Ethics in Sport (CCES) and a hotel in Kuala Lumpur, where investigations were underway into the downing of Malaysia Airlines flight MH17 over Ukraine.
"State-sponsored hacking and disinformation campaigns pose serious threats to our security and to our open society, but the Department of Justice is defending against them," said attorney general Jeff Sessions in a statement.
"Today we are indicting seven GRU officers for multiple felonies each, including the use of hacking to spread the personal information of hundreds of anti-doping officials and athletes as part of an effort to distract from Russia’s state-sponsored doping program.”
Other victim organizations named in the indictment included US nuclear power provider Westinghouse Electric Company, which was targeted with spear phishing attacks.
The US indictments, which are more for PR purposes than anything else as Russia won’t extradite the officers, follow the UK government’s attribution to the GRU of major cyber-attacks against the DNC and WADA, as well as Bad Rabbit.
Cybercriminals have found new ways to infiltrate corporate emails, which has resulted in a $12bn cost to businesses over the last five years, according to Digital Shadows. Compromised corporate accounts are commonly traded on the dark web, where criminals stand to earn a pretty penny, particularly if the email accounts are those of employees in accounting or finance departments.
According to the report, researchers detected 33,568 email addresses of finance departments that had been exposed by third parties. Of those, 83% included passwords. On dot-com domains, the research found 18,163 credentials exposed. It also includes images of exchanges on a special-access dark web forum where a criminal is looking for accounting emails from companies in the US and South Africa.
These financially motivated malicious actors have expanded their attack methods beyond the commonly used, and quite reliable, phishing attacks to include account takeover attacks or simply paying for access. In another forum, a hacker is asking for as little as $150 to break into corporate email accounts, suggesting that cyber-criminals are winning in the digital war on fraud.
With social engineering and email spoofing, they are using more targeted campaigns. All the while, companies are inadvertently making it easier for them to compromise email accounts. In fact, according to the report, entire company email inboxes have been left exposed on the internet, which translates to more than 12 million archived files exposed because of misconfigurations in rsync, FTP, SMB, S3 buckets and NAS drives.
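The S3 exposures the report describes are usually a bucket policy (or ACL) that grants read to everyone. As an added example, not Digital Shadows’ code or method, here is a small offline linter that parses a bucket policy document and flags unconditional Allow statements with an anonymous principal and a read action. Both policy documents are constructed for this example, including the bucket name, account ID and role name.

```python
"""
Added example (not Digital Shadows' code): an offline linter for S3 bucket policies
that flags statements granting anonymous read. The two policies below are constructed.
"""
import json

# Actions that let an anonymous caller list a bucket or fetch its objects
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value) -> list:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_anonymous(principal) -> bool:
    """True if the Principal element includes everyone ('*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_json: str) -> list:
    """Return the Sid (or index) of each unconditional Allow giving anonymous read.

    Simplifications, stated plainly: statements carrying a Condition block are
    skipped rather than evaluated, and NotPrincipal/NotAction are not handled, so an
    empty result means 'nothing obvious', not proof that the bucket is private.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


# Constructed: the misconfiguration that exposes an archive to the whole internet
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::corp-mail-archive", "arn:aws:s3:::corp-mail-archive/*"],
    }],
})

# Constructed: the same bucket restricted to one role, with TLS enforced
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ArchiverOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/mail-archiver"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::corp-mail-archive/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::corp-mail-archive", "arn:aws:s3:::corp-mail-archive/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


if __name__ == "__main__":
    print("exposed :", public_read_statements(EXPOSED_POLICY))
    print("hardened:", public_read_statements(HARDENED_POLICY))
```

A policy linter is a backstop, not the control: enable S3 Block Public Access at the account level so a stray `"Principal": "*"` cannot take effect, and apply the same idea to the other services the report names (rsync modules with no auth, anonymous FTP, SMB guest shares, NAS web interfaces), all of which should be inventoried from the outside the way an attacker would find them.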
Researchers also discovered sensitive, personal and financial information exposed on 27,000 invoices, 7,000 purchase orders and 21,000 payment records as a result of faulty backups.
“Phishing continues to be a very serious problem associated with business email compromise, but, unfortunately, we discovered that is far from the only risk, especially as barriers to entry for this type of fraud are coming down,” said Rick Holland, CISO at Digital Shadows.
“Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. With the right knowledge it is relatively easy for cyber-criminals to find whole email boxes and accounting credentials – indeed we found criminals actively looking for them.”
In the recent Hack the Marine Corps competition, a part of the Hack the Pentagon security initiative, ethical hackers uncovered more than 150 security vulnerabilities, netting more than $151,000 in awards, according to HackerOne. The Marine Corps challenge was the Department of Defense’s sixth bug bounty program, an effort aimed at strengthening the defenses of the Marine Corps Enterprise Network (MCEN).
A live hacking event at this year’s DEF CON 26 in Las Vegas kick-started the Hack the Marines competition, catapulting hackers into action. During the live event, participating hackers sat beside men and women from the U.S. Marine Corps Cyberspace Command (MARFORCYBER).
“I will never forget having a two-star general looking over the shoulder of hackers while they dug deeper into a Marine Corps site with permission and oversight from the Marine Corps team. Experiences like these are incredibly valuable to the organizations and for the hackers who rarely get that type of opportunity to dive deeper,” said Luke Tucker, senior director of community at HackerOne.
The entire challenge spanned 20 days, during which time more than 100 ethical hackers tested public-facing Marine Corps websites and services, yielding nearly 150 unique valid vulnerabilities in MARFORCYBER.
“Hack the Marine Corps was an incredibly valuable experience. When you bring together this level of talent from the ethical hacker community and our Marines we can accomplish a great deal,” said Major General Matthew Glavy, Commander, U.S. Marine Corps Forces Cyberspace Command, in a press release.
“What we learn from this program assists the Marine Corps in improving our war-fighting platform. Our cyber team of Marines demonstrated tremendous efficiency and discipline, and the hacker community provided critical, diverse perspectives. The tremendous effort from all of the talented men and women who participated in the program makes us more combat ready and minimizes future vulnerabilities.”
The Marines were not the only ones to boast about the benefits and successes of the challenge. A participating hacker, Tanner Emek, said, “It was great having the opportunity to work side by side with the Marines to help secure their assets. These are my favorite types of programs to be a part of, because they allow me to have a massive impact on systems critical to national security.”
Over the past few years, bug bounty programs have grown more commonplace, with global organizations and federal agencies entrusting white hat researchers to find and disclose vulnerabilities before malicious actors do so. “Without the programs, the researchers have the option of disclosing the vulnerabilities to the companies or organizations affected and getting recognition or selling them to a third party and making some money,” said Lamar Bailey, director of security research and development at Tripwire.
“Once a vulnerability is sold to a third party, the original researcher no longer has control of the data and it could be used for nefarious purposes. Several trustworthy companies have opened up generic bounty programs for researchers wanting to do a responsible disclosure and still make a little money. While these are good, nothing beats a good bug bounty program where a company or organization can work one on one with a researcher to solve a security issue.”
Traditional applications continue to introduce risks into the enterprise, and the number of serious vulnerabilities has increased across most sectors, according to WhiteHat Security. The 2018 Application Security Statistics Report: The Evolution of the Secure Software Lifecycle found that in addition to traditional applications, the vulnerabilities in agile development frameworks, micro-services, application programming interfaces (APIs) and cloud architectures also pose security challenges.
While the financial, healthcare and retail sectors have seen some improvements, all major industries struggle with long windows of exposure. When combined with the length of time to fix vulnerabilities, these factors have elevated risk levels beyond those of last year’s report.
“Businesses are transitioning from traditional applications and legacy systems to web and mobile applications that are purpose-built to serve up superior customer experiences,” said Craig Hinkley, CEO of WhiteHat Security. “However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats.”
New applications have become the very foundation of an enterprise’s digital transformation and to add value to their offerings, companies have had to adopt new software development practices. Yet the report findings suggest that businesses are still not building security into the app development lifecycle.
According to the report, nearly 70% of a typical application is made up of reusable software components. In addition, the top four most likely vulnerabilities – information leakage (45%), content spoofing (40%), cross-site scripting (38%) and insufficient transport layer protection (23%) – have not changed in the past year.
“DevOps is now mainstream, but the adoption of security within the DevOps process is still lagging. Our work to track this trend for the past three years has shown that organizations continue to grapple with an increase in application releases, increased volume and complexity of attacks, and an ever-widening AppSec skills gap,” said Setu Kulkarni, vice president of corporate strategy at WhiteHat Security.
“However, we also find that organizations that successfully embed security into DevOps experience a 50% drop in their production vulnerabilities and that their time to fix improves by 25%.”
Back in 2015, Amazon took such a liking to Elemental and its software-defined video solutions that Amazon Web Services (AWS) announced, on September 3, 2015, its intention to acquire the company. Fast-forward three years, and Bloomberg has reported that China planted microchips inside servers used by Amazon and other companies.
If Chinese spies did infiltrate the server supply chain and insert microchips into hardware used by Apple, Amazon and other US companies, including government agencies, then Amazon, Apple and China’s ministry of foreign affairs all say they had no knowledge of it.
As for the servers in question, Bloomberg reported that an investigation began more than three years ago, after Amazon discovered a microchip on the motherboard of AWS Elemental servers that had reportedly been assembled by Super Micro Computer Inc. (Supermicro), which has subcontractors in China. Bloomberg’s report says Amazon took its findings to the authorities, setting off alarm bells across the intelligence community because Supermicro has hundreds of government customers; Amazon disputes that account.
The discovered chips had reportedly been inserted at one of the factories in China and enabled attackers to create a backdoor into any network. “This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get,” Bloomberg wrote.
The chips reportedly subvert the hardware on which they are installed, exfiltrating data while also delivering new code, much like a Trojan horse. Yet, according to Bloomberg, there is no evidence that the companies’ data, or that of their users, was stolen or tampered with, though both firms worked quietly to remove the compromised servers from their infrastructure.
In response to the breaking news, Apple wrote, "As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Supermicro when we updated the firmware and software according to our standard procedures."
"We are deeply disappointed that in [Bloomberg's] dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed."
All parties referenced in the Bloomberg story make similar claims. “While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic, nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue," Supermicro said in response to Bloomberg's report.
Commenting on the risks of supply chain security, Ross Rustici, senior director, intelligence services at Cybereason, said that threats often do come from a complicit insider, "whether it is at the factory, a transportation agent or customs official. This makes creating a tamper-proof product extremely costly; the number of safeguards and other mechanisms required would drive up the cost of the product beyond market viability."
With the kickoff of National Cybersecurity Awareness Month, the Department of Homeland Security (DHS) has been actively focused on cybersecurity this week. The department is continuing its efforts to enhance cybersecurity across the nation’s critical infrastructure, which Secretary Kirstjen Nielsen emphasized in her talk at the Washington Post’s Cybersecurity Summit on October 2, 2018.
In advocating for The Cybersecurity and Infrastructure Security Act, Nielsen said, “We are responsible for federal efforts when it comes to both protecting critical infrastructure, working with the owner-operators in private sector, and protecting all those civilian dot govs. To do that, we have to have both a name that indicates that is what we do, and we have to be able to streamline the organization so that we can become more operational.”
That same day, DHS and the Department of Energy (DOE) met with the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) to discuss how industry and government can be more strategic in their approach to securing pipelines and other critical infrastructure.
“This meeting was a key milestone in the partnership between the federal government and the oil and natural gas industry, as we launched the pipeline cybersecurity initiative that partners DHS National Protection and Programs Directorate (NPPD) cybersecurity resources, DOE’s energy sector expertise, with TSA’s regular and ongoing assessments of pipeline security to get a broader understanding of the risks the sector faces,” said NPPD Under Secretary Christopher Krebs.
“Collaborative efforts like this allow us to better understand the threat landscape and direct more targeted and prioritized risk management activities. We look forward to continuing these important meetings with the other critical infrastructure sectors across the country.”
Underscoring the extent of its broad commitment, DHS also announced on Tuesday that it awarded $200,000 to Israel-based Morphisec to develop technology solutions that better protect financial institutions against cyber-attacks as part of the S&T Silicon Valley Innovation Program (SVIP).
The award falls under the Financial Services Cyber Security Active Defense Technologies solicitation, which explores advanced technologies that can defend the nation’s financial infrastructure from nation-state attacks.
According to the DHS, Morphisec will “extend, deploy, test and evaluate a moving target defense (MTD)–based cybersecurity solution for virtual desktop infrastructure (VDI) environments.” The challenge is to develop and then deploy a solution that doesn’t impact the overall performance of a VDI environment while preventing cyber-attacks on financial institutions.
MTD-based solutions randomize the locations of libraries, functions, variables and other data at runtime, so an attacker cannot rely on a fixed memory layout; that makes exploiting the system more complicated and more expensive for the attacker.
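To make the cost argument concrete, here is an added toy model (not DHS’s or Morphisec’s code, and not how any real MTD product is built): a process whose code module lands at a random base on every launch, and an attacker whose one-shot exploit jumps to a gadget address observed on an earlier run. The module, offset, entropy values and the "leak" helper are all assumptions made for the illustration.

```python
"""Added illustration of why randomizing memory layout raises attacker cost.

Hypothetical model: a process exposes one "gadget" at module base plus a
fixed offset; the attacker hard-codes the address seen on a lab instance.
"""
import random

PAGE = 0x1000
GADGET_OFFSET = 0x2F40          # assumed fixed offset inside the module


class Process:
    """One launch of the protected program."""

    def __init__(self, rng: random.Random, entropy_bits: int):
        # Zero bits of entropy models a static layout: the base never moves.
        slot = rng.getrandbits(entropy_bits) if entropy_bits else 0
        self.base = 0x7F0000000000 + slot * PAGE
        self.gadget = self.base + GADGET_OFFSET

    def jump_to(self, addr: int) -> bool:
        """True iff the hijacked control flow lands on the gadget."""
        return addr == self.gadget


def attack_success_rate(entropy_bits: int, launches: int = 1000, seed: int = 7) -> float:
    """Fraction of launches a replayed, hard-coded address still works against."""
    rng = random.Random(seed)
    # The attacker studies one instance (a copy of the binary in a lab) and
    # hard-codes the gadget address observed there.
    observed = Process(rng, entropy_bits).gadget
    hits = sum(Process(rng, entropy_bits).jump_to(observed) for _ in range(launches))
    return hits / launches


def attack_success_rate_with_leak(entropy_bits: int, launches: int = 1000, seed: int = 7) -> float:
    """Same attacker, but each target first leaks a pointer into the module.

    Any in-module pointer reveals the randomized base, so the attacker
    recomputes the gadget address per launch instead of replaying one.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(launches):
        p = Process(rng, entropy_bits)
        leaked = p.base + 0x10                      # assumed info-disclosure bug
        recovered_base = leaked & ~(PAGE - 1)       # base is page-aligned in this model
        hits += p.jump_to(recovered_base + GADGET_OFFSET)
    return hits / launches


if __name__ == "__main__":
    for bits in (0, 8, 16):
        print(f"{bits:2d} bits of entropy: replay success {attack_success_rate(bits):.3f}, "
              f"with leak {attack_success_rate_with_leak(bits):.3f}")
```

With no entropy the replayed address works on every launch; with 16 bits it almost never does, which is the cost increase the paragraph describes. The third function shows the caveat a practitioner should keep in mind: as with ASLR, a single information leak that reveals the randomized layout restores the attacker’s success rate to 100%, so MTD complements, rather than replaces, fixing memory-disclosure bugs.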
“The use of VDI has grown in recent years, most commonly as an efficient structure for servers, both physical and cloud based,” said Greg Wigton, program manager for the cybersecurity division within DHS. “If attacked while unprotected, vulnerabilities in a VDI environment may impact every connected device, and each machine can be a potential target for entry to the VDI.”
Advancements in the motoring industry need to be replicated in cybersecurity to provide a safer online future.
Speaking in the cybersecurity keynote at IP Expo in London, BH Consulting CEO Brian Honan related a recent conversation with his father about buying a new car, and how car safety has improved since the 1940s, with fatalities in car accidents falling as a result. Manufacturers now use safety as a selling point, include automation technology and treat compliance with the law as standard.
“These were designed to keep us safe,” he said. “Compare it with the internet, it is not designed to keep us safe. Infrastructure and devices are insecure and the majority of people using devices are not trained to do so safely.”
Referring to the 2018 Verizon Data Breach Investigations Report, Honan pointed at one finding that 30% of incidents are caused by malware, and called this “a battle we’ve been having since the 1980s and we’re still losing.”
Saying that efforts to help users, industry and devices have failed, and that government leadership has not been good enough, Honan noted that it costs a small fortune to get a new car onto the road, whereas with an IoT device or IP-enabled camera we only worry about whether it blows up or goes offline. “It can be as insecure and we are putting it on our networks and making ourselves more insecure.”
He concluded by arguing that we need to move away from the old ways of thinking of security as being a patch, and look at new ways and break out of silos. “No one clicking on a mouse should rule our financial or social lives, or should be our biggest worry.”
In closing he asked who would be the Volvo of the cybersecurity industry, referring to Volvo’s decision to open up engineer Nils Bohlin’s three-point seatbelt patent to other manufacturers because it was a safety feature. “Who leads, and gives ideas and technology away to keep others safe?”
The ‘Unsung Heroes’ of cybersecurity were acknowledged at an awards event in London last night, as part of Security Serious week.
Organized by Eskenzi PR, Smile on Fridays and IT Security Guru, the third edition of the annual awards were given to those individuals and teams working to protect the UK from cybercrime, and to raise awareness of security issues.
Saying that the intention was to recognize people for the efforts that they make, Security Serious week lead organizer Yvonne Eskenzi said that there is a tendency to focus on technology and innovation as a solution. “The cyber-skills gap is a huge issue for this country and an event like this really shows off what a great industry it is to be a part of and the wonderful people that make it.”
The winners were as follows:
Winner: Millie Coombes, Plymouth University
Best Cyber Security Sales Leader
Winner: Mark Coates, Dtex Systems
Winner: Prof Natalie Coull, Abertay University
Best Ethical Hacker/Pentester
Winner: Gemma Moore, Cyberis
Best Security Awareness Campaign
Winner: Cyberscene – Theatre Royal Haymarket Masterclass Trust/Kidscape/Pureland Foundation
Winner: Simon Onyons, Bank of America Merrill Lynch
Winner: Andrew Sands, BBC
Winner: Denis Onuoha, Arqiva
Winner: Lee Barney, Net A Porter
Winner: Danny Palmer, ZDnet
Winner: James Arden, TalkTalk
Winner: Helen Williams, TITAN
Winner: Jennie Williams, TITAN
Godfather/Godmother of Security
Winner: Ian Glover, CREST
Winner: Meera Rao, Synopsys
Winner: Allan Yung, Immersive Labs
Winner: The Paranoids (Oath)
Winner: Nicola Whiting, Titania
Ian Glover, president of CREST, said: "I really like this event particularly as the people who received an award were genuinely surprised and pleased. The aim of recognizing people that do not have significant budgets or large teams is really important. There are many people that go beyond their normal day jobs to support and develop the industry. To have a platform for them to be publicly thanked is quite unique.”
A dark web intelligence company has called for an industry-wide, standardized framework for evaluating and describing goods and services for sale on underground forums, after complaining that most research is inconsistent and misleading.
Terbium Labs analyzed 22 reports from 18 different sources dating back to 2013 to better understand how security vendors and researchers approach the topic of dark web pricing for stolen accounts and identity information.
Its report, The Truth About Dark Web Pricing, argued that, despite the best intentions of those releasing these reports, they are saddled with inconsistencies in data collection, definitions and sampling methodologies. Researchers often cherry-pick details, failing to present a balanced and accurate view of the market as a whole, and are unable to provide insight into longer-term trends, it added.
“For example, one report classified payment cards with BINs (Bank Identification Numbers) as a separate category from payment cards, although all payment cards have BINs. Other reports classified cloneable payment cards and payment cards with track data separately, though they are essentially the same,” the study noted.
“Even reports from the same research group used slightly different categories from year to year; one series of reports grouped cards from the same geographic area in different categories depending on the year the report was published.”
This only adds to the fear, uncertainty and doubt permeating the cybersecurity industry and creates greater opacity where insight and clarity is desperately needed, argued Terbium Labs.
The answer is to build a shared taxonomy for describing dark web goods and services, ideally involving a price index which could measure price changes in a standardized way, according to the firm’s chief research officer, Munish Walther-Puri.
“An industry standard such as this one cannot be set by one organization; a true standard requires that we synthesize across sectors. We are proposing first to recognize the shared problem that we all face and then create an environment where a standard can emerge,” he told Infosecurity.
Models from adjacent areas could help in drawing up such a standard, he claimed.
“These include the development and adoption of STIX/TAXII for threat intelligence, ATM terminal and fraud definitions set by the European Association for Secure Transactions, and even the scoring of corruption: the Corruption Perceptions Index from Transparency International,” Walther-Puri explained.
“The latter case, incidentally, is a similar challenge: what once was considered strictly qualitative, and limited discussion of the influence and impact of corruption soon became measurable and comparable over time.”
Some financially motivated cyber-attacks previously attributed to the infamous Lazarus Group are actually the work of another North Korean state-sponsored threat group, according to FireEye.
The vendor’s latest report details the activities of APT38: a “large, prolific operation with extensive resources” that has already attempted to steal over $1bn from 16 organizations in at least 11 countries, many simultaneously.
Although the group may share personnel, code repositories and other resources with Lazarus and the TEMP.Hermit group, APT38’s TTPs are distinct and its aim is primarily to steal money for the hermit nation rather than carry out politically motivated espionage or destructive attacks, the report claimed.
Its attacks are notable for their lengthy, careful planning, custom-developed tools and willingness to destroy machines if it helps to thwart investigations, FireEye said.
The group spends on average 155 days inside a victim’s network, although it has been known to persist for nearly two years.
Attacks typically start with information gathering on targeted personnel and third-party vendors, to understand how the victim’s SWIFT transactions work, before initial compromise via watering-hole attacks exploiting out-of-date Apache Struts2 installations.
Malware is then deployed to gather credentials and map network topology, before pivoting to the target’s SWIFT servers. Malware will then be deployed to insert fraudulent SWIFT transfers and alter transaction histories, before logs are deleted and disk-wiping malware is deployed.
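The final steps of that chain, inserting fraudulent transfers, altering transaction histories and deleting logs, are the ones a bank’s own records must be able to expose. The following is an added example (not FireEye’s analysis and not APT38 tooling) of one control that does so: a hash-chained transaction journal whose last hash is copied to a store the attacker cannot reach, so that an altered record, a deleted tail, or even a fully re-hashed chain fails verification. The record format, field names, amounts and the `anchor` mechanism are constructed for the illustration and are not a SWIFT message format.

```python
"""Added example: tamper-evident transaction journal with an off-host anchor.

Hypothetical record format; the journal is a list of entries, each holding
the record, the previous entry's hash and its own hash over both.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(journal: list, record: dict) -> str:
    """Append a record; returns the new tail hash (the value to anchor off-host)."""
    prev = journal[-1]["hash"] if journal else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    journal.append(entry)
    return entry["hash"]


def verify(journal: list, anchor: str) -> tuple:
    """Walk the chain and compare its tail with the off-host anchor.

    Returns (ok, reason). An attacker who rewrites a record must also
    recompute every later hash; that changes the tail, which no longer
    matches the anchor they could not reach.
    """
    prev = GENESIS
    for i, entry in enumerate(journal):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, f"entry {i} altered or re-linked"
        prev = entry["hash"]
    if prev != anchor:
        return False, "tail does not match off-host anchor (records deleted, appended or re-hashed)"
    return True, "ok"


def demo() -> dict:
    """Build a small journal (constructed data) and try three tampering patterns."""
    journal: list = []
    anchor = GENESIS
    for rec in [
        {"ref": "TX1001", "from": "ACCT-A", "to": "ACCT-B", "amount": 250000},
        {"ref": "TX1002", "from": "ACCT-A", "to": "ACCT-C", "amount": 4750000},
        {"ref": "TX1003", "from": "ACCT-D", "to": "ACCT-E", "amount": 1200},
    ]:
        anchor = append(journal, rec)        # end-of-day: copy `anchor` off-host

    results = {"clean": verify(journal, anchor)[0]}

    # Tamper 1: rewrite the beneficiary of an existing transfer in place.
    altered = copy.deepcopy(journal)
    altered[1]["record"]["to"] = "ACCT-MULE"
    results["altered"] = verify(altered, anchor)[0]

    # Tamper 2: delete the most recent record to hide it.
    results["truncated"] = verify(journal[:-1], anchor)[0]

    # Tamper 3: alter a record and recompute every downstream hash so the
    # chain is internally consistent; only the off-host anchor exposes it.
    rehashed: list = []
    for entry in altered:
        append(rehashed, entry["record"])
    results["rehashed"] = verify(rehashed, anchor)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} verifies: {ok}")
```

The chain alone only detects an attacker who edits records without recomputing hashes; the third case shows why the anchor has to live somewhere the compromised host cannot write to (a write-once store, a separate network, or a printout), and why the verification must run from a clean system rather than from the host whose logs were wiped.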
“In addition to cyber operations, public reporting has detailed recruitment and cooperation of individuals in-country to support with the tail end of APT38’s thefts, including persons responsible for laundering funds and interacting with recipient banks of stolen funds. This adds to the complexity and necessary coordination amongst multiple components supporting APT38 operations,” concluded FireEye.
“Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide. By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations. Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector.”
It’s likely that a large part of that $100m came from the 2016 cyber-raid on Bangladesh Bank, in which $81m was moved out via fraudulent SWIFT messages.
The UK has attributed for the first time a range of major cyber-attacks including those against anti-doping authority WADA and the Democratic National Committee (DNC) to Russian military intelligence.
The National Cyber Security Centre (NCSC) took the very public step of naming-and-shaming the GRU for what the UK government sees as its increasing attempts to “undermine international stability.”
The attribution will not be a surprise to many in the cybersecurity industry, with vendors already having released lengthy reports detailing the activities of APT28, Fancy Bear, Sofacy, Pawn Storm, Sednit, CyberCaliphate, BlackEnergy, Strontium and Sandworm, among others.
All of these ‘groups’ are now said in fact to be part of the GRU’s hacking apparatus.
The NCSC said it assessed with “high confidence” that the GRU was “almost certainly” responsible for the WADA attacks which came after Russia was banned from world athletics for doping; the DNC raids which resulted in publication of sensitive emails ahead of the US Presidential election; the BadRabbit ransomware attacks which hit Ukrainian and even Russian institutions; and unauthorized access of email accounts at a UK TV station.
The GRU has already been blamed by NCSC for the VPNFilter home router attacks earlier this year and the June 2017 NotPetya ‘ransomware’ blitz.
The government claimed the attacks had sought to undermine international law and institutions and had cost national economies millions of pounds in the process.
“These cyber-attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport,” said foreign secretary, Jeremy Hunt.
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behavior demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.”
The GRU is also said to be behind the attempted poisoning of a Russian double agent and his daughter living in Salisbury. Although they survived, an English woman died as a result of the attack.
Former senior British intelligence officer, Malcolm Taylor, now director of cyber advisory at ITC Secure, said such an overt attribution of attacks to the GRU is highly unusual.
“They must be very confident of their facts, either due to some sort of technical ‘fingerprint’ in the attack vectors themselves, or perhaps through corroboration from various other intelligence sources,” he added.
“But I think it’s also important to consider who benefits from attacks against these specific targets — WADA, Ukraine and the West in general. The answer to that question of course includes, and may indeed be limited to, Russia and Russian foreign policy interests. The mention of western businesses as targets should also be a reminder that foreign intelligence services do engage in commercial cyber-espionage and we all need to take appropriate steps to manage that risk.”