
Archive for January 2016

Iranian Hacker Released by US in Prisoner Swap


An Iranian hacker who pleaded guilty last year to helping launch successful cyber espionage attacks against a US ballistics software firm has been pardoned and released as part of a bilateral prisoner swap.

Iranian national Nima Golestaneh became one of seven receiving either pardons or commutation of their original sentences on Sunday as the US and Iran sought to normalize diplomatic relations.

He’s the only one of the seven not to hold US citizenship. The others were mainly found guilty of money laundering and breaking the "Iranian embargo."

In 2015, Golestaneh pleaded guilty to four counts of wire fraud, and one count each of conspiracy to access a computer without authorization and accessing a computer without authorization.

He had been arrested in Turkey and extradited to the States in February that year, having conspired with others to hack the networks of Vermont-based Arrow Tech Associates, a maker of software for ballistic missile systems.

His role in the plot was apparently to acquire servers in other countries for his co-conspirators to use in the attack in order to obfuscate their identity and location.

The Justice Department has been keen over the past few years to use high profile indictments in an attempt to deter foreign, potentially state-backed, spies from launching cyber attacks against private firms.

It famously indicted five PLA soldiers back in 2014 in what then attorney general Eric Holder described as a “wake-up call to the seriousness of the ongoing cyber threat.”

For its part, Iran has been steadily building its cyber capabilities over recent years.

Although it’s said to still lag behind the likes of China and Russia in terms of scope and sophistication, reports indicate this is changing quickly.

In December 2014 threat intelligence firm Cylance described Iran as “the new China” after revealing details of Operation Cleaver—a sophisticated campaign which “successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe.”


Source: Information Security Magazine

The Top ‘Worst’ Password of 2015 is ‘123456’ Again


The first and second placed “worst passwords of 2015” once again were “123456” and “password,” highlighting an ongoing security problem associated with using simple credentials to log in to online accounts, according to SplashData.

Every year the password management firm trawls the web for plain text password dumps, and publishes its findings to illustrate the importance of creating strong credentials.

In 2015 it found over two million such passwords – mostly coming from hacks, breaches or leaks and linked to users in North America and Western Europe. Around 3% were represented in the Top 25.

Aside from the top two, which remained unchanged from last year, SplashData reported “12345678” in third place and “qwerty” in fourth, with “12345” rounding out the top five.

The top 25 ‘worst’ passwords list also contained easy-to-guess words such as popular sports (football, baseball), and even some new Star Wars-related credentials (solo, princess, starwars).

SplashData’s advice is to use passwords or passphrases of 12 characters or more with a mix of characters, and to avoid reusing them on different sites. A password manager is recommended to simplify the process and create random, strong credentials.

AlienVault security advocate, Javvad Malik, claimed poor password management can undermine all the good security work done by a website or app developer.

“The reason why these common passwords are so dangerous is that it gives an attacker an easy way to get into accounts,” he added. “It's similar to having a master key that you know will work on at least 10% of the houses on your street.”

Brian Spector, CEO of Miracl, argued that the industry “needs to get over passwords altogether.”

“They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks,” he added.

“However, there are cryptographic security advancements available in the authentication space today, that combine multi-factor-authentication with excellent ease of use that delight customers.”

Source: Information Security Magazine

US FDA Releases New Security Guidance for Device Makers


The US Food and Drug Administration (FDA) has made a long overdue push to improve the security of medical devices, in new guidance issued on Friday.

The draft document sets out the steps device manufacturers should take to monitor, identify and secure any potential vulnerabilities that might emerge once a product has entered the market.

It also promotes the principle of information sharing by joining an Information Sharing and Analysis Organization (ISAO).

As part of a comprehensive cybersecurity risk management program, the FDA recommends applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity.

It said device makers need to better monitor information sources to help identify risk; be able to assess and detect vulnerabilities; develop mitigations to any threats; and adopt a co-ordinated vulnerability disclosure policy.

The FDA also said it needed to be informed by any manufacturer of any “small subset” of serious vulnerabilities which “may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death.”

“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Suzanne Schwartz, FDA associate director for science and strategic partnerships.

“Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats.”

The government agency is asking for public comments on the document, which will be accepted for the next 90 days.

It said it has been working to improve info sharing and “collaboratively develop and implement risk-based standards” since 2013. However, reports have shown the healthcare sector to be among the most vulnerable to cyber-attack.

Aside from the major breaches at Anthem and Premera Blue Cross where tens of millions of highly sensitive records were stolen, the Identity Theft Resource Center claimed 67% of all records reported stolen last year in the US came from this sector.

That amounts to over 112 million – way more than government (34m), business (16m) or banking (5m).

Source: Information Security Magazine

Ukrainian Government Plans Security Audit after Airport Cyber Attack


The Ukrainian government is launching a review of its critical infrastructure after a cyber-attack last week launched from a Russian server hit Kiev’s main airport.

"In connection with the case in Boryspil, the ministry intends to initiate a review of anti-virus databases in the companies which are under the responsibility of the ministry," Ukraine infrastructure ministry spokeswoman, Irina Kustovska, told Reuters.

The attack itself was detected early enough in the network at Boryspil airport not to have caused any damage, military spokesman Andriy Lysenko told the newswire, despite reports to the contrary.

The Ukrainian CERT released an alert yesterday urging all system administrators to check log files and information flows for the presence or otherwise of BlackEnergy malware.

The destructive BlackEnergy malware is linked to several other attacks against key installations in the country.

Most notable was a 23 December attack on utilities companies in western Ukraine which cut power to around 80,000 homes for six hours, hitting multiple sub-stations.

BlackEnergy has been linked to a Russian-based APT group – the so-called ‘Sandworm Team’.

In 2014 it was pegged by the Department of Homeland Security’s ICS-CERT for a three year campaign against industrial control systems in various countries, although attribution back to the Kremlin has always been problematic.

As well as power stations, the group were observed attacking Ukrainian media organizations over recent months.

BlackEnergy itself dates back to 2007, when it was a relatively basic DDoS trojan. However, it emerged a few years later with a modular architecture which has featured in banking fraud and other targeted attacks.

Its destructive capabilities enabled the team behind it to wipe a large number of video files and documents related to the November local elections in Ukraine, CERT-UA has claimed.

A specific variant dubbed “KillDisk” was apparently used in the attacks on Ukrainian power stations, featuring functionality designed specifically to sabotage industrial systems.

Source: Information Security Magazine

French Government Rejects Encryption Backdoors


The French government last week dismissed a proposed amendment to its upcoming Digital Republic Bill which would have mandated backdoors be introduced to end-to-end encrypted comms platforms.

Digital secretary Axelle Lemaire rejected the proposal made by Republican Nathalie Kosciusko-Morizet, which claimed police and gendarmes should be given access to such systems under the supervision of a judge.

Referencing the vulnerabilities found in Juniper routers recently, Lemaire claimed such plans would “open the door to players with less laudable intentions” as well as damage the credibility of companies acceding to such demands, according to French site Numerama.

“What you propose is a design by vulnerability,” she argued. “With a backdoor, personal data is not protected at all.”

The controversial amendment was proposed in response to the terror attacks in Paris in November that left over 100 dead – even though there’s no evidence that backdoor access to encrypted comms would have prevented the atrocities.

The French government’s stance puts it alongside the Netherlands, which recently stated its position as anti-backdoor and pro strong encryption, for many of the same reasons.

The move highlights a widening gulf between these states and the likes of the UK and US, where the respective governments are pushing hard for law enforcers to have such powers.

In the UK, this could soon be enshrined in law if the current Investigatory Powers Bill is passed by parliament, despite strong opposition from rights groups and even former NSA operatives.

In the US, discussions are still ongoing behind the scenes, despite the repeated assurances from the likes of Apple supremo Tim Cook that no such deal would be reached.

It’s telling that pro-backdoor politicians in both countries have tried to use the events in Paris to back their stance, but leaders in France have resisted such over-simplified arguments.

The Digital Republic Bill by and large contains measures to bolster cloud security, privacy by design and the principle of net neutrality.

Source: Information Security Magazine

Nissan Suffers Anonymous DDoS in Whaling Protest


Hacktivists Anonymous hit the websites of automotive manufacturer Nissan with a DDoS attack in an anti-whaling campaign.

As part of a series of attacks in defence of animal welfare, IB Times reported that #OpWhales hit Icelandic institutions and Icelandic Government websites in November in protest at the country's practice of whale hunting. This now includes attacks to protest Japan's plans to continue hunting 333 minke whales per year for 12 years until 2026 as part of a new whaling plan.

Nissan spokesperson Dion Corbett stressed to Bloomberg that Nissan has no stance or any connection whatsoever with whale hunting, and indicated that Nissan had voluntarily taken down the affected websites to prevent further damage to them.

“Because of a potential DDoS attack, we are temporarily suspending service on our websites to prevent further risks. Nissan continuously monitors and takes aggressive steps to ensure the protection of our information systems and all of our data,” said Corbett.

In a statement to Infosecurity, Richard Brown, director EMEA channels and alliances at Arbor Networks, said: “This is yet another example of the impact of carrying out a DDoS attack, and that any organisation is potentially at risk of an attack by Anonymous—or similar group—because of factors outside its control. Nissan is of course a target because it is such a big brand, but no one could have guessed it would be targeted purely for its Japanese heritage.

“We are now in an environment where almost anyone can launch a cyber-attack from anywhere in the world, all they need is a reason to do so. The damage to a brand—both in terms of reputation and loss of revenue through website unavailability—is huge, so defences must be in place. This needs to be coupled with the right processes to get the network up and running again and reduce the impact on consumers.”

Source: Information Security Magazine

LastPass vulnerable to LostPass Credential Stealing Attack


A phishing attack against password vault LastPass can allow an attacker to steal a user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.

According to research by Sean Cassidy, a software engineer whose day job is CTO at Praesidio, the ‘LostPass’ attack works because LastPass displays messages in the browser that attackers can fake.

He also said that as LostPass phishes for the two-factor auth code, it bypasses the email confirmation step.

“Users can't tell the difference between a fake LostPass message and the real thing because there is no difference,” he says. “It's pixel-for-pixel the same notification and login screen.”

He explained that as LastPass trained users to expect notifications in the browser viewport, they would be none the wiser to these messages. “Since LastPass has an API that can be accessed remotely, an attack materialized in my mind,” he says.

The attack works by the victim going to a malicious website that looks benign, or a real website that is vulnerable to XSS. If a user has LastPass installed, LastPass is vulnerable to a logout CSRF, so any website can log any user out of LastPass. This will make it appear to the user that they are truly logged out.

Once the victim clicks on the fake banner, they can be directed to an attacker-controlled login page that looks identical to the LastPass one. This is the login page for Chrome where the victim will enter their password and send the credentials to the attacker's server.

Cassidy said that the attack works best against the Chrome browser because it uses an HTML login page. Firefox actually pops up a window for its login page, so it looks like whatever operating system you're on.

LastPass acknowledged the bug in December. It implemented a fix with a warning message in the browser viewport, like all of their messages. He says: “On an attacker-controlled website, it is trivial to detect when this notification is added. Then the attacker can do whatever. In LostPass, I suppress the notification and fire off a request to an attacker server to log the master password.

“We need to take a long look at phishing and figure out what to do about it. In my view, it's just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such.”

Source: Information Security Magazine

Phishing costs UK £174 Million in 2015


Phishing fraud continued to rise in 2015, with the City of London Police’s National Fraud Intelligence Bureau (NFIB) and Get Safe Online reporting that the scams cost the victims £174.4 million.

Figures from the organisations found that the number of victims of phishing frauds rose 21% in just a year. A report by Financial Fraud Action UK (FFA UK) also found that fraudsters cost UK citizens £325.3 million in six months to June last year—a rise of 6% from £307.7 million over the same period in 2014, reported the Daily Mirror.

Raj Samani, CTO for Intel Security EMEA, told Infosecurity that this is not all that surprising. “In fact, recent research from Intel Security exposed price points for stolen data bought and sold in cyber-criminal marketplaces, finding the average estimated price for stolen credit and debit cards is $20 to $35 in the UK alone,” he says. “Cyber-criminals are becoming increasingly savvy and it’s important consumers understand this threat is very much a reality.

“Brits must be wary of unexpected emails, even if they are cited as being from a brand they are familiar with. Think twice before acting, calling up your bank directly if you’re concerned about anything before taking action. We have to make sure we stay one step ahead of the cyber-criminals and caution is the best way forward here.”

Commander Chris Greany of the City of London Police said: “Fraudsters are using ever more sophisticated methods to gain personal information and these types of attempts have often left victims penniless. We urge everyone who receives unsolicited phone calls, texts, emails or letters to ignore them and never enter into conversation with someone that you don’t know online or over the phone.”

Source: Information Security Magazine

Industrial Control Stalwart Open to Authentication Bypass


A vulnerability in Advantech’s EKI-1322 serial device server would allow any user to bypass authentication by using any public key and password.

Exploitation of the flaw could allow an attacker to execute arbitrary code, to obtain private keys, or to impersonate the authenticated user and perform a man-in-the-middle attack.

The Advantech EKI series products are Modbus gateways used to connect serial devices to TCP/IP networks. They are typically found in industrial control environments, and are deployed in industrial automation globally. They can be integral parts of the networks that run critical infrastructure.

The Rapid7 team found that the heavily modified Dropbear SSH daemon used in the 1.98 version of the firmware did not enforce authentication.

In addition, there may be a backdoor hardcoded into this version of the binary as well, using the username and password of “remote_debug_please:remote_debug_please.”

“Note that it is unconfirmed if this backdoor account is reachable on a production device by an otherwise unauthenticated attacker,” the researchers said in an advisory. “Its presence was merely noted during binary analysis, and the vendor has not acknowledged the purpose or existence of this account.”

Fortunately, the issue is resolved in EKI-1322_D2.00_FW. In the event that the firmware cannot be installed, Rapid7 recommends that users of these devices ensure that sufficient network segmentation is in place, and that only trusted users and devices are able to communicate with the EKI-1322 device.

This is the latest vulnerability in the product; earlier, ICS-CERT warned that the routers are vulnerable to the Shellshock flaw, unless updated.


Source: Information Security Magazine

Netflix Cracks Down on Out-of-Market Streaming


Within a few weeks, subscribers will no longer be able to use proxies to watch content not available in their home country.

It’s a relatively common practice around the globe to use proxy servers to fool streaming services into thinking that video is being delivered to a domestic location—when in reality, the traffic is simply re-routed to a far-flung market where the content wouldn’t otherwise be accessible.

"If all of our content were globally available, there wouldn't be a reason for members to use proxies or unblockers," David Fullagar, Netflix's vice president of content delivery architecture, wrote in a blog.

But of course, that isn’t the case, even though the announcement comes just a week after the company went live in more than 130 countries. That launch means that Netflix covers almost the entire globe except China, but geographic licensing agreements with media companies and content owners extend Netflix the rights to distribute their content only in certain regions or countries.

So, for now, it’s not just one big Netflix stream-for-all, despite the worldwide footprint that the over-the-top video behemoth now has—and the use of proxies is technically a form of piracy.

“We have a ways to go before we can offer people the same films and TV series everywhere,” Fullagar said. “Over time, we anticipate being able to do so. For now, given the historic practice of licensing content by geographic territories, the TV shows and movies we offer differ, to varying degrees, by territory. In the meantime, we will continue to respect and enforce content licensing by geographic location.”

So, for now, Netflix is instituting a crackdown, and subscribers will only be able to access the service in the country where they are actually physically located.

Access to unlicensed video continues to cost rights-holders a staggering amount of money. Web pirates cheated copyright owners out of more than $800bn in 2014, according to a study last year from Arxan Technologies.

The study also found that video piracy is on the rise: In 2014, 1.6 million pirated releases made their way online, compared to 1.96 million pirated assets in 2015, of which 50% of them consisted of video content. That represents a 22% increase over the last three years, Arxan said.


Source: Information Security Magazine