Info Security

Subscribe to Info Security  feed
Updated: 2 hours 45 min ago

New NetSpectre-Class Attack Raises Device-Hardening Concern

Mon, 07/30/2018 - 12:22
New NetSpectre-Class Attack Raises Device-Hardening Concern

A new type of NetSpectre attack requires no malware or malicious JavaScript, because it instead attacks victims through network connections, according to researchers at Graz University of Technology.

Four scientists at the university have published findings on a new type of Spectre attack in a paper entitled NetSpectre: Read Arbitrary Memory over Network. The paper details a new CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine, a significant development for Spectre-class attacks.

“By manipulating the branch prediction, Spectre tricks a target process into performing a sequence of memory accesses which leak secrets from chosen virtual memory locations to the attacker. This completely breaks confidentiality and renders virtually all security mechanisms on an affected system ineffective,” the researchers wrote.

Until now, Spectre attacks have needed the victim to either download and run malicious code on a machine or access a website that runs malicious JavaScript in the user's browser, but Spectre attacks have now evolved from requiring local code execution privileges to the first cache-less version that uses AVX state and instructions to create a covert channel, according to Craig Dods, distinguished engineer, security, at Juniper Networks.                                                                                                             

While Dod said the research is concerning from a device-hardening perspective, “The need for leak and transmit gadgets to be present on the victim’s computer makes it a less valuable approach. Today, threat actors have access to much easier tools to compromise victims – they won’t need to deal with the complexity and uncertainty of a network-based Spectre attack," said Mounir Hahad, head of threat research at Juniper Networks.

Some commentators agree that the industry could be moving too far into the weeds with the attacks as the likelihood of exploitation is so low. Brajesh Goyal, vice president of engineering at Cavirin, said, “The need for leak and transmit gadgets to be present on the victim’s computer also makes it a less valuable approach. Today, threat actors have access to much easier tools to compromise victims – they won’t need to deal with the complexity and uncertainty of a network-based Spectre attack."

Categories: Cyber Risk News

UK CNP Fraud Drops as Banks Fight Back

Mon, 07/30/2018 - 10:45
UK CNP Fraud Drops as Banks Fight Back

UK Card Not Present (CNP) fraud losses have fallen for the first time since 2011, despite rising levels in many European countries, according to new stats from FICO.

The fraud prevention firm’s latest interactive map is built on data from Euromonitor International and UK Finance.

It revealed that the UK saw the biggest reduction in net fraud losses of 8%, although the average across Europe rose by 2% (€30m).

A FICO spokesperson confirmed to Infosecurity that the vast majority (around 70%) of CNP fraud is committed online.

“As well as fraud migration, we are also seeing an evolution of fraudulent exploitation using cyber-enabled crimes,” said fraud consulting director, Toby Carlin. “The total size of the cyber-enabled threats will come to the fore as PSD2 reporting comes into play across Europe, but early indications from the UK show that cyber-enabled digital fraud is set to overtake plastic fraud by 2020.”

Despite the growing online threat, the UK is now the first market to have “significantly” reduced CNP fraud losses in several years. This should serve as an example to other regions that investment in the right technologies can reap rewards, but also as a warning that scammers may be on the lookout for geographies where less is being spent, said the firm.

“This is a significant turning point in the global fight against CNP, with hundreds of millions of euros worth of fraudulent migration imminent,” FICO claimed. “All other markets should be on high alert to receive this migrating attack and ensure that preventative mechanisms are deployed as soon as possible to stop themselves becoming the easiest target for criminals to hit.”

A PwC report recently claimed that nearly half (49%) of UK organizations have suffered from cyber-enabled fraud over the past two years, while Cifas figures from April pointed to identity fraud reaching an all-time-high last year, and e-commerce fraud jumping 49%.

Categories: Cyber Risk News

Idaho Inmates Hack Tablets for Extra Credits

Mon, 07/30/2018 - 10:09
Idaho Inmates Hack Tablets for Extra Credits

Hundreds of tech-savvy inmates at several Idaho correctional facilities have been caught exploiting a software vulnerability on their state-funded tablets to artificially increase account balances.

Officials claimed that 364 prisoners had been caught hacking the JPay tablets which are provided to allow them access to email, music and games.

The software exploit apparently allowed them to transfer a total of nearly $225,000 into their accounts, with one inmate managing an audacious $10,000.

There’s no hit to the taxpayer as these are virtual credits provided by JPay, with the firm claiming it has already recovered $65,000 worth. The guilty inmates will not be able to download games or music until they can compensate the corrections-related service provider, it said.

“JPay is proud to provide services that allow incarcerated individuals to communicate with friends and family, access educational programming, and enjoy positive entertainment options that help prevent behavioral issues,” a JPay spokesperson statement noted.

“While the vast majority of individuals use our secure technology appropriately, we are continually working to improve our products to prevent any attempts at misuse.”

The Idaho Department of Correction has also moved to discipline those involved, with reports suggesting they could lose various privileges and even be transferred to a higher security risk level.

US telecoms firm CenturyLink refused to disclose the vulnerability exploited by the inmates, citing it as proprietary technology.

The incidents took place at the: Idaho State Correctional Institution, Idaho State Correctional Center, Idaho Correctional Institution-Orofino, South Idaho Correctional Institution and the Correctional Alternative Placement Plan facility.

Categories: Cyber Risk News

US Warns of Supply Chain Attacks

Mon, 07/30/2018 - 09:19
US Warns of Supply Chain Attacks

The US government has repeated warnings of state-sponsored cyber-attacks made possible by infiltrating the software supply chain.

The report from the National Counterintelligence and Security Center (NCSC) reveals insight into foreign economic and industrial espionage against the US.

It calls out China, Russia and Iran as “three of the most capable and active cyber actors tied to economic espionage and the potential theft of US trade secrets and proprietary information.”

While new technologies such as AI and IoT will introduce new vulnerabilities into networks “for which the cybersecurity community remains largely unprepared,” it’s the software supply chain that represents one of the biggest emerging threats, the NCSC claimed.

It said 2017 was a watershed year in that it witnessed seven “significant” incidents versus just four in the preceding three years.

These included the infamous backdoor inserted into popular Ukrainian accounting software M.E. Docs which was the initial threat vector for the NotPetya ransomware campaign. Other supply chain attacks included CCleaner, which targeted technology firms and mobile operators, and Kingslayer, which has compromised at least one defense contractor.

The warnings echo those of the UK’s National Cyber Security Centre (NCSC) in April, which claimed state-sponsored and other compromises of MSPs and software providers can give hackers a stepping stone into thousands of organizations’ networks by allowing them to abuse “privileged accesses and client/supplier relationships.”

“When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect. Network monitoring can detect unusual or suspicious behaviour, but it is still difficult to ascertain whether a security flaw has been deliberately introduced (possibly as a backdoor) or results from a careless error on the part of developers or manufacturers – or indeed to prove that any potential access has been exploited,” it argued.

James Romer, EMEA chief security architect at SecureAuth Core Security, argued that secure access is a key part of protecting the supply chain.

“There needs to be a more robust approach to authentication within organizations’ supply chains,” he added. “One that brings context to the process and allows for a rapid response to evolving threats without significant human intervention.”

Categories: Cyber Risk News

Exobot Android Malware Targets Banking Apps

Fri, 07/27/2018 - 14:19
Exobot Android Malware Targets Banking Apps

Android users have been warned about another Exobot banking malware source code (v. 2.5) that was leaked online. It was first detected in May 2018 and has been dubbed "Trump Edition." The leak is expected to result in a surge of malicious Android apps given that the malware source code is now available in dark web hacking forums, according to Tripwire.

"The Trojan gets the package name of the foreground app without requiring any additional permissions. This is a bit buggy, still, but works in most cases. The interesting part here is that no Android permissions are required. All other Android banking Trojans families are using the Accessibility ore Use Stats permissions to achieve the same goal and therefore require user interaction with the victim," ThreatFabric security researcher, Cengiz Han Sahin told Bleeping Computer.

It’s no secret that bank websites and banking apps are under constant attack and that using Android Trojans to target baking apps is fairly commonplace. With this new Trump Edition, though, there are two primary concerns for security experts: First, whenever an infected Android device hits a financial institution's website, the overlay attack steals user credentials. Second, the release of any mobile banking malware will quickly ripple across the devices.

An increase in these types of attacks could have long-term implications that would likely impact more than financial institutions. “The data this malware is targeting will impact not only banks and their customers but also ecommerce companies and other industries,” said Ryan Wilk, VP of customer success, NuData Security, a Mastercard company.

“Personally identifiable information extracted from Exobot-infected devices will quickly find its way to the dark web, where it can be used against the account holder’s account, as well as other online accounts.”

This source code leak could spike an increase in overlay attacks, according to Frederik Mennes, senior manager market and security strategy, security competence center at OneSpan. “Malware on the user’s mobile device shows a window on top of the genuine mobile banking app that looks very similar to the genuine app. In this way the malware aims to trick the user into entering his credentials into the overlay window.”

Categories: Cyber Risk News

LifeLock Breach Highlights Weak Web App Security

Fri, 07/27/2018 - 12:55
LifeLock Breach Highlights Weak Web App Security

A flaw in the website design for LifeLock, a company charged with protecting the identity of its online customers, resulted in millions of customer accounts being exposed, according to KrebsonSecurity. A vulnerability in the site, which reportedly lacked authentication and security, has been fixed, but the breach highlights the larger security concerns inherent in web application security.

Of particular concern is the fact that web apps have become the cornerstone of operations for today’s digital enterprises. They are accessible at all times, from any location or device, but they can also contain sensitive customer data. Securing the data must be a priority, according to Setu Kulkarni, vice president of product and corporate strategy, WhiteHat Security.

“WhiteHat Security's research has shown that web applications are consistently the most exploited means of entry into the enterprise by hackers. Despite this, companies are still failing to implement proper application security protections, making them an easy and vulnerable target.”

“We often see enterprises inheriting risk from third parties. In many cases, web pages are developed by non-IT teams without much governance. Data-flow architecture gets ignored, which can jeopardize personally identifiable information (PII). Largely by necessity, web applications are built and deployed by a wide range of coders, architects and administrators, who sometimes make mistakes.”

The LifeLock site breach serves as another reminder of the security issues in web application development, which often are not designed with security in mind. “Too many website applications are built with little thought on how to prevent being hacked,” said Chris Olson, CEO of The Media Trust.

“LifeLock's web app vulnerability appears to have resulted from developers' oversight and mirrors many other incidents in the past year alone, where security features and procedures to reinforce them receive little attention. Developers should make security a priority throughout a product's life-cycle stages, from concept to manufacturing to retirement. Website operators should police all their website third parties to ensure all their activities fall within policies and scan their sites to identify and obstruct unauthorized code.”

The breach echoes the reality that an unknown vulnerability can pose a major threat to data security and brand reputation, according to Rich Campagna, CMO, Bitglass. “Enterprises need to have visibility across their networks, cloud services and devices in order to prevent and monitor for these kinds of risks.

“This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorized accesses and encrypt sensitive data at rest. Because LifeLock failed to utilize such a solution, millions of customers have had their data exposed, become more vulnerable to highly targeted spear phishing campaigns and lost trust in a company dedicated to keeping their data safe.”

Categories: Cyber Risk News

Imperva Acquires Prevoty, Enhances App Security

Fri, 07/27/2018 - 12:31
Imperva Acquires Prevoty, Enhances App Security

In an effort to deliver more robust application and data security solutions that protect enterprises against attacks from cyber-criminals, California-based Imperva Inc. announced that it will acquire the Los Angeles-based application security company Prevoty. The deal, which is expected to close in Q3 2018, has an estimated value of $140m. The Prevoty office will become an Imperva location.

Five years into its journey to deliver application protection to enterprises, Prevoty drew Imperva's attention with its Autonomous Application Protection (AAP) product, which Imperva states will extend its ability to deliver end-to-end application services from the network edge all the way down to within the applications themselves, protecting not only the applications but also the various databases where data is stored.

"The acquisition is expected to advance our hybrid security strategy and further our mission to deliver best-in-class cybersecurity solutions," said Chris Hylen, president and CEO of Imperva, in the press release. With the additional functionality of AAP, Imperva said it will deliver increased visibility into how applications are accessed to see what is happening within the application, thereby enhancing application services both on-premise and in the cloud.

In an email delivered to Prevoty’s employees, CEO Julien Bellanger wrote, “When we first started, Kunal and I believed in the mission of revolutionizing application security by adding protection and visibility to every piece of production software. We are well on our way there from a product perspective and market traction but not yet at the scale we were dreaming about.  Becoming part of Imperva will help us reach our goals at a different scale and pace.”

Bellanger called the acquisition a milestone in his vision for Prevoty, which he co-founded in 2013, adding that the board and the executive team are excited about the opportunity to join Imperva, who has offered continued employment opportunities to Prevoty employees.

"Our team is excited to join Imperva, a company with a long track record of cybersecurity leadership and innovation,” Bellanger said in the press release. "We believe that the combination of our solutions with Imperva's portfolio of products will allow us to jointly create the gold standard in technology for application and data protection for organizations everywhere."

Categories: Cyber Risk News

Two-Fifths of IT Leaders regard IoT Security as Afterthought

Fri, 07/27/2018 - 10:08
Two-Fifths of IT Leaders regard IoT Security as Afterthought

IT leaders could be dangerously underestimating the security risks posed by IoT, according to new research from Trend Micro.

The security vendor polled 1150 IT and security decision-makers in the UK, Germany, the US, Japan and France.

Despite businesses spending an average of over $2.5m each year on IoT projects, they don’t appear to be investing in cybersecurity.

Even though 63% of respondents agreed that IoT-linked attacks have increased over the past year, just half (53%) think they’re a threat to their organization.

This might explain why over two-fifths (43%) regard IoT security as an afterthought, and just 38% get security teams involved in the implementation process for new projects. This drops even further for smart factory (32%), smart utility (31%) and wearable (30%) projects.

Responding organizations suffered an average of three attacks on connected devices over the past year, according to Trend Micro.

“The embedded operating systems of IoT devices aren’t designed for easy patching, which creates a universal cyber risk problem,” said the firm’s COO, Kevin Simzer. “The investment in security measures should mirror the investment in system upgrades to best mitigate the risk of a breach that would have a major impact on both the bottom line and customer trust.”

While loss of customer trust (52%) and monetary loss (49%) were thought to be the biggest consequences of a related breach, loss of personally identifiable information (32%) and regulatory fines (31%) came some way behind. That’s despite the new GDPR, which could impose severe financial penalties on firms found not to have taken customer data protection seriously in the event of a breach.

“The significant investment in this technology across the globe is testament to the fact that IoT solutions can bring many advantages to businesses,” Simzer concluded. “But if security is not baked into the design of IoT solutions, and SDMs [security device managers] aren’t involved in the IoT implementation process, businesses could face damages far greater than the benefits this connected tech delivers.”

Categories: Cyber Risk News

XSS Flaws Most Common Over Past Nine Years

Fri, 07/27/2018 - 09:17
XSS Flaws Most Common Over Past Nine Years

The volume of common web-based vulnerabilities found by a leading cybersecurity firm over the past nine years has refused to come down, highlighting a need for greater investment in secure coding practices and awareness.

Global information assurance firm NCC Group uncovered over 1100 vulnerabilities from more than 350 vendors of operating systems, hardware and networking services, and cloud and web services over a near decade-long period.

However, while some classes of vulnerability had virtually disappeared over the past nine years — including format string flaws, memory-related flaws and some vulnerabilities in XML applications and services — others stubbornly persisted, it claimed.

King among these is the cross-site scripting (XSS) flaw, which was the most common type overall, comprising 18% of all those found.

“Although there could be a lot of factors influencing the discovery of bugs over the past nine years — such as shifts in industry focus with regard to certain classes of bugs, and even the time that our consultants have available — there is still an ongoing prevalence of the most common vulnerabilities,” explained NCC Group research director, Matt Lewis.

“While some historically common vulnerabilities have disappeared over the last nine years, cross-site scripting has been around for almost 20 years. We should have seen a significant fall in these types of vulnerabilities, but this hasn’t been the case, which highlights the need for better education around security within the software development life cycle.”

Over the years, Lewis and his team have uncovered vulnerabilities in 53 categories and have also spotted an increase in the number targeting complex applications and hardware — including deserialization flaws and exploitation of multiple chained flaws across complex web apps.

“This highlights the need for more investment into security skills, as well as a wider understanding of how important the mitigation of these vulnerabilities is for the overall security of businesses,” said Lewis.

Categories: Cyber Risk News

Smart Home Security Camera Bug Exposed

Fri, 07/27/2018 - 08:50
Smart Home Security Camera Bug Exposed

Security researchers have found a flaw in a home security camera model which could allow individuals to view users’ video feeds.

The bug was found in the SWWHD-Intcam, also known as the Swann Smart Security Camera, which has been on sale in several high street retailers including Currys and Walmart for the past eight months.

The problem relates to the Safe by Swann cloud system which allows users to view their feeds remotely via smartphone, according to the BBC.

The researchers — Ken Munro, Andrew Tierney, Vangelis Stykas, Alan Woodward and Scott Helme — claimed that they could intercept messages sent by provider OzVision from its servers to the app.

These contain a serial number unique to each camera, which can be manually altered to allow access to other devices, the report claimed.

They apparently also identified a way to work out which serial numbers Swann cameras were using, allowing them to theoretically view any account with ease.

"Swann was able to detect the subsystem Ken Munro and his team were attempting to hack and promptly addressed the vulnerability", a spokeswoman for the company told the BBC.

"This vulnerability did not apply to any other Swann products. We have not detected any other such attempts."

However, there are concerns that other camera brands supported by Israel-headquartered supplier OzVision may be vulnerable to attack. A problem was discovered in Flir cameras back in October last year, with a patch apparently imminent.

Some 40% of UK consumers are concerned that devices can listen in to their private conversations, according to McAfee research.

“People need to feel empowered and protected so they can embrace new technologies that aim to deliver peace of mind. Businesses manufacturing these devices must do their bit and ensure that security is built-in from the get-go,” said chief scientist, Raj Samani.

“There are also simple measures consumers can take when introducing new connected gadgets to their home environments. For example, people need to ensure they have protected Wi-Fi in place with multi-factor authentication and complex passwords. This will help prevent cyber-criminals from accessing devices and getting their hands on personal information.”

Categories: Cyber Risk News

DevSecOps Sees Slow Adoption but Wider Incident Handling

Thu, 07/26/2018 - 13:50
DevSecOps Sees Slow Adoption but Wider Incident Handling

More than three-quarters of DevOps professionals do not practice “DevSecOps”, or are still in the process of implementation.

According to the DevOps Pulse 2018 survey by, its survey of 1044 DevOps engineers, sys admins, developers and other IT professionals found that 54% said that their department handles security incidents in their organization, while only 41% have dedicated security operations personnel.

Because of that, 76% of those surveyed either do not practice DevSecOps or are still implementing it, while 71% do not feel their team have adequate knowledge of DevSecOps best practices and 56% do not feel there are adequate tools available to help with DevSecOps.

Eoin Keary, founder of edgescan, told Infosecurity that he felt that 54% handling security incidents was a good thing, as this shows that cybersecurity is integrating with DevOps professionals earlier and continuously. 

“Handling incidents is also positive assuming the know-how is there: most incident response teams have staff from different departments within a company,” he said. “At edgescan, we see a large uptick for SaaS and managed services given the ability for a client to leverage dedicated experts and knowledge in particular fields they may not have internally in the organization.”

Keary also acknowledged that DevSecOps is still an emerging movement, and the cultural change required to implement a DevSecOps methodology can take time to foster.

Kai Roer, CEO of CLTRe, told Infosecurity that he felt that the 76% figure was natural, as even if half of all organizations did manage incidents within the DevOps team, “this transformation of culture is work in progress.” 

He said: “DevSecOps is a huge cultural shift, merging different teams, with different focuses, interests and competences, into one team. This shift has seen some very interesting successes, for example by speeding up patch deployments, as well as improving security by making changes available much faster.

“DevOps has matured a lot over the past few years, and adding security to form DevSecOps has been idealized for some time now. Just as merging operations and development made a huge cultural shift to the teams and to their organizations, adding security is likely to do the same. Suddenly, security goes from being a specialist team who sits on the side-lines, into a function that is tightly incorporated within development and operations.”

Roer said that this change is “bound to improve the security competence in those organizations”, and thereby directly influencing the security culture in those organizations.

Categories: Cyber Risk News

COSCO Hit by Suspected Ransomware

Thu, 07/26/2018 - 09:34
COSCO Hit by Suspected Ransomware

Chinese shipping giant COSCO is said to have suffered a major ransomware-related outage affecting its Americas operations, although so far seems to be trying to minimize the potential news fall-out.

Reports from the trade press citing internal emails suggest the firm has been hit by ransomware in the US and is asking staff not to open suspicious emails.

However, an official statement from the stet-owned firm yesterday doesn’t mention malware as the cause.

“Due to local network breakdown within our America regions, local email and network telephone cannot work properly at the moment. For safety precautions, we have shut down the connections with other regions for further investigations,” it states.

“So far, all the vessels of our company are operating as normal, and our main business operation systems are performing stably. We are glad to inform you that we have taken effective measures. Except for above regions affected by the network problem, the business operation within all other regions will be recovered very soon.”

The ‘network breakdown’ also appears to have taken COSCO’s US website offline at the time of writing.

One report suggested that the firm had been forced to rely on the telephone to communicate with customers, slowing operations but not putting them completely out of action.

If the reports are true, they call to mind the NotPetya-related outage at Danish shipper Maersk, which resulted in an estimated $300m loss for the firm.

It’s another reminder of the potential impact ransomware can have, even on large organizations which should have a generous pot of revenue assigned to cybersecurity.

However, in general, reports of the malware to the FBI have decreased over the past year. The Bureau received only 1783 ransomware complaints in 2017, linked to losses of just $2.3m. That’s a sizeable drop from the 2673 reports it processed in 2016 and the 2453 from 2015.

With a 50 year history, COSCO is said to be the fourth largest shipper in the world.

Categories: Cyber Risk News

Senator Urges Government to Kill Off Flash Now

Thu, 07/26/2018 - 09:10
Senator Urges Government to Kill Off Flash Now

A US senator has written to three key government agencies responsible for federal cybersecurity, urging them to begin the transition process away from Adobe Flash.

Oregon senator, Ron Wyden, wants the Department of Homeland Security (DHS), NSA and NIST to collaborate to end government use of the buggy software before it is “end-of-lifed” in 2020.

"As the three agencies that provide the majority of cybersecurity guidance to government agencies, the National Security Agency, the National Institute of Standards and Technology and the Department of Homeland Security must take every opportunity to ensure that federal workers are protected from cyber-threats and that the government is not intentionally supporting risky online behavior,” he wrote.

“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming — the government must act to prevent the security risk posed by Flash from reaching catastrophic levels.”

Wyden demanded three actions be taken: that no new Flash content is deployed on any federal website, starting from within the next 60 days, that all agencies remove Flash content by August 1 2019 and that they remove Flash from employee desktop computers by the same deadline.

He claimed these efforts could be accelerated by an expansion of DHS cyber hygiene scans of agencies to include Flash content. The department could then provide a list to each agency of all the locations of Flash content on their sites along with guidance on how to transition away from it.

Known vulnerabilities are arguably a bigger preventable risk than eye-grabbing zero days: just 14 of the 19,954 vulnerabilities reported by Flexera in 2017 were zero-days, a 40% decrease from 2016.

Adobe Flash has long been a magnet for hackers and continues to get regular updates each Patch Tuesday, although system administrators often struggle to prioritize and keep up-to-date with the barrage of fixes issued by vendors, most with different update mechanisms.

Wyden is know for his tech literacy, introducing the first net neutrality bill back in 2006, and is a regular champion of cybersecurity and internet freedom on the Hill.

Categories: Cyber Risk News

ERP Apps Under Attack Warns US-CERT

Thu, 07/26/2018 - 08:38
ERP Apps Under Attack Warns US-CERT

The US Department of Homeland Security (DHS) has flagged a new report highlighting an increase in attacks on critical ERP apps by state-sponsored hackers, cyber-criminals and hacktivists.

The joint research by Digital Shadows and Onapsis revealed that hackers are increasingly targeting known vulnerabilities to steal highly sensitive data or disrupt business processes — exploiting known vulnerabilities, supply chain gaps and misconfiguration errors.

It claimed that there are now around 9000 known vulnerabilities in SAP and Oracle apps, which have seen a 100% increase in the number of publicly-available exploits over the past three years.

The report also calculated a 160% increase in activity related to ERP-specific vulnerabilities from 2016 to 2017.

It’s not just traditional state-sponsored actors targeting these apps for espionage or disruption, or cyber-criminals looking to make money — the report claimed hacktivist group Anonymous has carried out nine operations since 2013.

Some of the attacks observed include use of popular malware like banking trojan Dridex to grab user credentials.

In some cases, the supply chain is making the job of the attackers even easier: the researchers found 545 SAP configuration files publicly exposed on misconfigured FTP and SMB, offering valuable information on the location of sensitive files in targeted organizations.

Companies are also guilty of basic security mistakes which could play into the hands of attackers: the report claimed to have found over 17,000 SAP and Oracle ERP apps exposed on the internet — many not up-to-date with patches.

The dark web provides threat actors with a wealth of information on where the key weaknesses to exploit lie, according to Digital Shadows.

“Threat actors are continually evolving their tactics and targets to profit at the expense of organizations. On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe the problem is,” said Digital Shadows CISO, Rick Holland.

Categories: Cyber Risk News

Virginian Bank Robbed Twice in Eight Months

Wed, 07/25/2018 - 09:53
Virginian Bank Robbed Twice in Eight Months

The perils of phishing emails and cyber-insurance were laid bare this week after news emerged of an American bank that fell victim to hackers twice within eight months and is suing its provider for failing to cover the losses.

The Virginian National Bank of Blacksburg was hit in late May 2016 and again in January 2017 thanks to phishing emails which eventually resulted in the combined theft of $2.4m.

The first attack enabled attackers to install malware on a victim’s PC, allowing them to access the STAR interbank network and disable controls including PINs, daily withdrawal limits and anti-fraud measures, according to journalist Brian Krebs.

The attackers were then able to dispense funds from customer accounts of over half a million dollars to ATMs around the country.

The second attack apparently used a booby-trapped Microsoft Word document to access the bank’s Navigator software, which they used to artificially credit various accounts with $2m before withdrawing funds from ATMs in the same way and deleting the evidence.

Chandu Ketkar, principal consultant at Synopsys, argued that the breaches came from failures of security awareness training, monitoring controls, emergency response, and policy around Office macros.

Ryan Wilk, vice president at NuData Security, added that phishing risk can be mitigated by migrating away from static username/password combinations.

“This is a clear example of why merchants and financial institutions are moving past the user’s personally identifiable information (PII) as a way to authenticate them and incorporating multi-layered solutions with passive biometrics and behavioral analytics,” he added. “These technologies thwart the reuse of data by fraudsters and, instead, verify users based on their behavioral information.”

In a further twist, the bank is now suing its provider, Everest National Insurance Company, for failing to pay out.

The problem lies with the policy details: the bank had two types of coverage — one “computer and electronic crime” rider with a liability of $8m and another covering lost stolen or altered debit cards with just a $50,000 liability.

The insurer apparently claims both breaches fall under the latter.

It’s another example of the challenges facing the burgeoning cyber-insurance industry. In July it emerged that security vendor Trustwave is being sued by two insurers that claim its PCI audits failed to pick up issues which led to a massive breach at their client: Heartland Payment Systems.

Categories: Cyber Risk News

Twitter Looks to Tighten Control Over Developers

Wed, 07/25/2018 - 09:13
Twitter Looks to Tighten Control Over Developers

Twitter has announced new developer requirements designed to combat spam, privacy invasion and attempts to “manipulate conversations” on the social media platform.

The firm claimed to have kicked 143,000 apps which violated its policies off the site between April and June this year but wants to go further to improve visibility and control over developers’ use of user data.

All new API requests will now need to go through a new developer account application process in a bid to reduce “spammy and low-quality apps,” the firm said. This will eventually be expanded to all developers with existing API access, although Twitter couldn’t specify when.

The firm said it’s also limiting the number of apps registered by a single developer account to 10.

In a further bid to reduce spam, Twitter is looking to introduce tighter controls on apps that create tweets, retweets, likes, follows and direct messages.

These rate limits represent “a significant decrease in the existing rate of POST activity allowed from a single app by default,” the firm claimed. For example, from September 10 apps will only be allowed to post 300 combined tweets and retweets per three hours and 15,000 direct messages per 24 hours.

“Going forward, as apps approach these rate limits, we’ll continue to proactively review and contact developers with instructions about how to request elevated access,” the firm said. “These ongoing reviews will help avoid disruption for compliant developers, as well as help developers more quickly identify and address any behaviors that are non-compliant with our policies.”

The final new initiative is a “report a bad app” function in the Help Center designed to help users feedback when they spot abuses of Twitter’s policy.

The moves can be seen as something of a response to criticism of the social media platform following long-running Russian attempts to manipulate popular discourse on the site — most notably ahead of the 2016 presidential election.  

However, it remains to be seen whether the measures go far enough, and will be enough to root out malicious activity on the platform.

Categories: Cyber Risk News

Trend Micro’s ZDI Bug Bounty Goes Server Side

Wed, 07/25/2018 - 08:36
Trend Micro’s ZDI Bug Bounty Goes Server Side

Trend Micro’s Zero Day Initiative (ZDI) has expanded its bug bounty program to include a new $1.5m pot for researchers able to discover new vulnerabilities in server-side open source products like Drupal, Apache and WordPress.

The new addition to ZDI’s Targeted Incentive Program (TIP) will aim to ramp up the number of critical exploits found in some of these popular tools, with special rewards on offer for the first few months.

From August 1 to the end of September this year, ZDI will be offering $25,000 for vulnerabilities in Joomla and Drupal running on Ubuntu Server 18.04 x86. WordPress flaws will get $35,000 until the end of September, while NGINX and Apache HTTP Server bugs receive a massive $200,000 until the end of November and December respectively.

Vulnerabilities in Microsoft IIS running on Windows Server 2016 x64 also get $200,000, until January next year.

Only fully functioning exploits demonstrating remote code execution earn the full bounty amount; that means proof-of-concepts won’t cut it. These need to be true zero-days affecting the core code, not add-on components or plug-ins, said the ZDI.

Researchers must be able to find exploits that work despite the software running on fully patched versions of the relevant OS and which circumvent mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and application sandboxing.

Trend Micro director of vulnerability research, Brian Gorenc, revealed that the ZDI has published 600 advisories already this year thanks to schemes like this.

“One advantage of purchasing this many bug reports is that we can guide researchers towards specific areas that either interest us or enhance protections for our customers,” he added. “For example, we added a virtualization category to our Pwn2Own event to see what sort of exploits could escape a guest OS, and the results were fascinating. That’s one of the main drivers behind the newest addition to our existing bug bounty.”

The expansion of the bug bounty scheme is well-timed, given the continued problems facing users of popular open source products.

However, security is a two-way street and users will only be protected if they make a concerted effort to update to the latest software version. Last year hackers managed to deface over one million WordPress sites that weren’t patched, while the Ukrainian energy ministry was hit by ransomware targeting an unpatched Drupal installation earlier this year.

Categories: Cyber Risk News

Russian Hacking Campaign Targeted US Utilities

Tue, 07/24/2018 - 15:23
Russian Hacking Campaign Targeted US Utilities

By penetrating the networks of downline vendors, Russian hackers gained access to a reportedly secure, isolated network, allowing them to eventually reach the control rooms of US utilities, according to the Wall Street Journal.

The state-sponsored hacking group, which poses a serious threat to critical infrastructure, has been on the watch list of the Department of Homeland Security (DHS) since 2014. Using stolen credentials gained through spear-phishing emails and watering-hole attacks, the hackers's activity long went undetected, which allowed them to steal confidential information and “familiarize themselves with how the facilities were supposed to work,” WSJ reported.

The activity of the Russian hacking group took place in the summer of 2017, according to an email from DHS spokesperson Lesley Fulop. Additionally, Fulop wrote that DHS hosted a webinar on 23 July to share actionable information with its industry and government partners in an effort to help them protect their networks and improve the nation’s collective defense against cyber threats. 

"While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline," said Fulop. "Over the course of the past year as we continued to investigate the activity, we learned additional information which would be helpful to industry in defending against this threat. We will continue our strong public–private partnership and remain vigilant in defending critical infrastructure."

"Protecting our nation’s critical infrastructure is a shared responsibility between DHS and our public and private sector partners. Industry has invested significant resources in defending against nation state actors and this investment is working."  

Part of that investment includes empowering service providers to identify weaknesses in third-party vendors, a critical security strategy intended to prevent these types of attacks. “If they beat you just once by finding a single exploitable weakness within a single vendor, supplier or contractor, the results can be catastrophic. Rather than reacting to breaches like this after they occur, utilities providers need to take a more proactive approach to managing third-party risk,” said  Fred Kneip, CEO, CyberGRX.

“That means identifying third parties with weak security controls before they’re exploited, and working with them to mitigate the risk of attacks and breaches before they become a target for attackers.”

In order to defend against Russia and other nation-state attacks, the cybersecurity community and the US government need to act, said Steve Kahan, CMO, Thycotic. “The NIST framework presents IT security professionals with guidelines to improve critical infrastructure cybersecurity. However, to be truly effective, the NIST regulation must compel operators of essential services to deliver higher levels of cybersecurity and require that these essential services remain available during an attack.”

Categories: Cyber Risk News

Email-Based Attacks a Growing Risk

Tue, 07/24/2018 - 15:11
Email-Based Attacks a Growing Risk

Human beings have long been the weakest link in an organization’s security chain, largely because they so often fall victim to phishing campaigns, and a new report from Mimecast, State of Email Security 2018, found that attackers continue to target end users with email-based attacks.

According to the report, the C-suite is putting businesses in danger. Nearly 40% of the respondents agreed that their organization’s CEO is a “weak link” in their cybersecurity operation. Close to a third, 31%, of C-level employees are reportedly very likely to have accidentally sent sensitive data to the wrong person in the last year, compared to just 22% of general employees.

That sensitive information is sent via email, but accidentally sharing information with the wrong party is not the only security risk. Email is the ultimate gateway for ransomware. Almost all ransomware attacks, 92%, were delivered by email last year, resulting in an average downtime of longer than three days.

Phishing continues to be a problem as attackers grow more sophisticated. The vast majority, 90%, of organizations reported an increase in the volume of phishing attacks, combined with and complicated by an increase in impersonation attempts. These campaigns reportedly no longer focus on particular individuals, making everyone – from the C-suite to the finance department and HR staff members to trusted third-party vendors – a target.

“Email-based attacks are constantly evolving and this research demonstrates the need for organizations to adopt a cyber-resilience strategy that goes beyond a defense-only approach,” said Peter Bauer, Mimecast’s CEO.

“This is more than just an ‘IT problem.’ It requires an organization-wide effort that brings together many stakeholders, puts the right security solutions in place and empowers employees – from the C-suite to the reception desk – to be the last line of defense.”

In light of the continued email-based attacks, the report noted that the lack of training is hurting businesses. Surprisingly, only 11% of organizations continuously train employees on how to spot cyber-attacks, and more than half (52%) perform training just once a year.

"Security awareness is an important part of any high-functioning security program. But like all security controls there is no silver bullet solution. The best security programs seek a balance between technical controls, boosting their human firewalls, and having IT enabled business processes that are resilient to failures, whether man-made or caused by technology," said Matthew Gardiner, cyber-resilience expert at Mimecast.

Categories: Cyber Risk News

Pen Testers Abuse Configuration, Capture Creds

Tue, 07/24/2018 - 14:44
Pen Testers Abuse Configuration, Capture Creds

Over a period of nearly 10 months, penetration testers conducted external tests where the testers were able to exploit at least one in-production vulnerability in a large majority of the simulated attacks, according to a new report, Under the Hoodie, from Rapid7.

The majority, 59%, of the 268 penetration tests performed in the survey period – September 2017 to June 2018 – were externally based, where the targets tend to be internet-facing vectors, such as web applications, email phishing, cloud-hosted assets and VPN exposure.

Rapid7’s pen testers were able to abuse at least one network misconfiguration in 80% of engagements and one in-production vulnerability in 84% of all engagements. In 53% of all engagements, the testers were able to capture at least one credential, and that number jumped to 86% when looking solely at internal engagements.

The report also revealed the top five security priorities of the participating organizations. When it comes to protecting sensitive information, 21% prioritize sensitive internal data, 20% focus on personally identifiable information (PII). Only 14% of organizations ranked protecting authentication credentials as a top-five priority, 7.8% prioritize payment card data and only 6.5% ranked bank account data.

Organizations are more interested in securing their own sensitive data – such as internal communications and financial metrics – than that of their customer and employees.

According to the report, humans are predictable when it comes to creating passwords. Given that pen testers captured credentials most of the time, it is more likely than not that an adversary could impersonate at least one authorized user on the network. Malicious actors often find that manual guessing of usernames and passwords to be the most effective method.

Some of the most common passwords (5% of total set) captured by pen testers included passwords with the company’s name (e.g., PAN123!), while variations of “password” (e.g., Password1) came in second at 3% of the total set. Seasonal passwords, such as Winter2018, placed third at 1.4% of the total set.

Additionally, Rapid7’s pen testers remained undetected on 61% of all engagements and just 8% were detected within an hour. “Even mature security teams in established enterprises still struggle with their attack detection capabilities,” said Tod Beardsley, director of research, Rapid7.

“Generally, even the best pentesters aren't particularly stealthy, since they are dealing with pretty strict time boxes and don't have the luxury of taking a low-and-slow approach to network breaches. The fact that so few organizations detect pentesters tells me that the security industry still has work to do to make incident detection and response a normal and robust component of any security program.”

Categories: Cyber Risk News