
Archive for February 2016

EU Set to Regulate Crypto Currencies on Security Fears

The European Commission is proposing changes to the law designed to make it harder for terrorists and others to use prepaid cards and virtual currencies anonymously.

The changes – which would effectively begin to regulate virtual currencies – were outlined in a new “Action Plan for strengthening the fight against terrorist financing” this week.

Its fear is that virtual currency exchange platforms could be used by terrorist organizations to hide transfers, because although transactions with virtual currencies are recorded, “there is no reporting mechanism equivalent to that found in the mainstream banking system to identify suspicious activity.”

The report added:

“As a first step the Commission will propose to bring anonymous currency exchanges under the control of competent authorities by extending the scope of the [European Anti Money Laundering Directive] AMLD to include virtual currency exchange platforms, and have them supervised under Anti-Money Laundering / countering terrorist financing legislation at national level. In addition, applying the licensing and supervision rules of the Payment Services Directive (PSD) to virtual currency exchange platforms would promote a better control and understanding of the market.”

The Commission said it would also look into whether virtual currency “wallet providers” should also be covered under the new proposals.

The Commission falls short of accusing virtual currency platforms of helping fund terrorism – but argues that this could happen, given that “highly versatile criminals are quick to switch to new channels if existing ones become too risky.”

In fact, a report from the UK Treasury last autumn argued that digital currencies present a “low” risk for money laundering and the financing of terrorism.

It added:

“There are a limited number of case studies upon which any solid conclusions could be drawn that digital currencies are used for money laundering. There are concerns around anonymity, faster payments, and ability to provide cross border remittances and facilitate international trade. These issues are similar to issues identified with many other financial instruments, such as cash and e-money.”

Sean Sullivan, F-Secure security advisor, argued that it was “entirely feasible” to impose stricter regulations on financial institutions governing how they handle virtual currencies.

“It’s not feasible on an individual level and it won’t impact individuals from trading with one another – the same as with real world cash. The key thing is to restrict the amount of virtual ‘cash’ that can be transferred into a bank account,” he told Infosecurity by email.

“The current situation allows for semi-autonomous currency transfers. Forcing stricter regulations could result in many banks simply refusing to do business. The idea of a free and unregulated currency that fits the ideals of (cyberpunk) anarchists looks increasingly out of reach due to practical security concerns.”

Source: Information Security Magazine

Researchers Claim New eBay Flaw Could Lead to Data Theft

Security researchers are warning of a new vulnerability on the eBay platform which could allow hackers to spread malware and steal personal information.

The flaw could allow an attacker to remotely bypass the e-commerce giant’s code validation checks to serve up malicious JavaScript to a victim, according to Check Point.

The security vendor claimed that the attack methodology is fairly straightforward.

A hacker first needs to set up an eBay store and then insert malicious code into the product listings page. Punters could then be tricked into opening the page via a pop-up offering them a one-time discount if they download a new ‘eBay mobile app’.

Hitting ‘download’ will trigger a download of a malicious app in the background – exposing the user to phishing or further malware downloads.

Although eBay prevents users from including scripts or iFrames by filtering out those HTML tags, an attacker can load additional JavaScript from their server using a non-standard technique called “JSF**k.”

Inserting this remotely controllable JavaScript lets the attacker serve different payloads to different user agents.

Check Point said it disclosed its findings to eBay on 15 December last year, but on 16 January the trading platform responded that it had no plans to fix it.

The security firm and e-commerce platform are now in a stand-off. The latter believes its security controls on active content are sufficient, while Check Point thinks they can be bypassed.

Although eBay performs verification checks on code, it only strips alpha-numeric characters from inside the script tags, Check Point claimed. The JSF**k technique allows hackers to circumvent this protection by using a very limited and reduced number of characters.
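As an added illustration (not code from the article, Check Point or eBay) of why a filter that only removes alphanumerics from script content is insufficient, and of a cheap detection check a platform could run on submitted listing markup. The function names, the sample listings and the run-length threshold of 40 are assumptions made for this example.

```javascript
// Added example: a sanitizer modelled on the behaviour the article attributes
// to eBay (alphanumerics stripped from inside <script> tags) next to a
// heuristic detector for JSFuck-style content in user-submitted markup.
//
// JSFuck rewrites any JavaScript program using only the six characters
// [ ] ( ) ! + , so removing letters and digits from script content leaves such
// a payload untouched. The detector below does not decode anything; it flags
// long runs drawn solely from that alphabet, which never occur in ordinary
// listing text or markup.

const JSFUCK_ALPHABET = /[\[\]()!+]/;

// The weak "before" filter, kept deliberately weak to show what survives it:
// letters and digits inside <script>...</script> are removed, nothing else.
function stripAlnumInsideScript(html) {
  return html.replace(/(<script\b[^>]*>)([\s\S]*?)(<\/script>)/gi,
    (_, open, body, close) => open + body.replace(/[A-Za-z0-9]/g, "") + close);
}

// Longest run of consecutive characters taken only from the JSFuck alphabet.
// Whitespace is skipped so a line-wrapped payload still counts as one run.
function longestJsfuckRun(text) {
  let best = 0;
  let cur = 0;
  for (const ch of text) {
    if (/\s/.test(ch)) continue;
    if (JSFUCK_ALPHABET.test(ch)) {
      cur += 1;
      if (cur > best) best = cur;
    } else {
      cur = 0;
    }
  }
  return best;
}

// Flag content whose longest JSFuck-alphabet run reaches the threshold.
// Assumed threshold: real JSFuck output for even one short call runs to
// hundreds of characters, while prose and normal HTML rarely exceed a handful,
// so 40 keeps false positives low without missing encoded scripts.
function looksLikeJsfuck(text, threshold = 40) {
  return longestJsfuckRun(text) >= threshold;
}

// Constructed sample inputs. ENCODED_LISTING carries a sequence built from the
// JSFuck character set; it is a made-up pattern for the detector, not a
// working payload.
const BENIGN_LISTING = '<div>Brand new phone (unlocked)! Ships in 2 days [free].</div>';
const ENCODED_LISTING = '<div>Great deal!</div><script>' +
  '[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]]' + '(+[]+[])[+[]]+'.repeat(6) +
  '</script>';

// Runs both inputs through the filter and the detector and reports the outcome.
function demo() {
  return {
    benignRun: longestJsfuckRun(BENIGN_LISTING),        // 2: ")!" in the text
    benignFlagged: looksLikeJsfuck(BENIGN_LISTING),     // false
    encodedFlagged: looksLikeJsfuck(ENCODED_LISTING),   // true
    // the alphanumeric filter changes nothing in the encoded script body
    filterWasNoOp: stripAlnumInsideScript(ENCODED_LISTING) === ENCODED_LISTING,
  };
}
```

The same filter does neutralise a plainly written script (`<script>alert(1)</script>` becomes `<script>()</script>`), which is exactly why a character-stripping check can look adequate until a restricted-alphabet encoding is tried against it.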

“The eBay attack flow provides cyber-criminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Check Point security research group manager, in a statement. 

“The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”

When contacted by Infosecurity, Check Point claimed that eBay had provided no update to its position aside from this generic statement:

“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”


Source: Information Security Magazine

New Scheme to Arm Youngsters with Cybersecurity Knowledge

A new initiative established by the Smallpeice Trust and GCHQ aims to bring together Year 9 students from across the UK to educate them on cyber-security.

Following a tumultuous year of cyber-security breaches in 2015, both organizations have banded together to arm the nation’s young people with invaluable information in the fight against cybercrime.

The course, delivered by Royal Holloway, University of London, will see some of the UK’s top security experts teach and challenge the youngsters with workshops designed to engage their minds about the issues surrounding cybersecurity.

Dr Kevin Stenson, Chief Executive of The Smallpeice Trust, said:

“It may be a case of poacher turned gamekeeper, but it stands to reason that if you’re going to learn how to deal with cyber-attacks effectively you need to understand exactly how they work. Our partners at GCHQ believe that in order to stop hackers they need to understand how they operate, so we’re happy to follow the experts and encourage and enable our course attendees to be inspired.”

“Courses like this are all about thinking big, exploring further and imagining more, and it really doesn’t get bigger than having Britain’s cybersecurity forces supporting a residential course at one of London’s most prestigious universities. Of course, Smallpeice’s own team will also be on hand to help further capture the imagination.”

In an email to Infosecurity, Adrian Davis, Managing Director EMEA at (ISC)², spoke glowingly of the new scheme and the positives it will bring across digital professions.

“This is a great initiative by the Smallpeice Trust and one which we wholeheartedly support. This is another step to creating the cyber-literate population the UK will need to reap the rewards of the digital economy. I hope that this initiative will attract other sponsors, especially from the industry, to broaden the challenges these students will face and to show them the breadth of our profession and the careers that it offers,” he said.

Source: Information Security Magazine

EU and US Propose PrivacyShield to Replace Defunct Safe Harbor

Source: Information Security Magazine

FireEye Add Automation to Service with Invotas Acquisition

FireEye has announced the acquisition of Invotas, to add security orchestration capabilities as part of its global threat management platform.

The acquisition closed on 1 February 2016, and will enable FireEye to deliver security orchestration capabilities as part of its global threat management platform. The Invotas Security Orchestrator technologies will unify cyber-attack detection results, threat intelligence and incident response elements of an organization’s security program into a single console, giving enterprises the ability to respond more quickly to attacks through automation.

Following the acquisition of threat intelligence vendor iSIGHT Partners last month, FireEye said that the Invotas Security Orchestrator will leverage its threat intelligence to help security teams move from alert to remediation in minutes. FireEye will then automate responses based on playbooks developed by FireEye’s Mandiant consultants, leveraging more than a decade of incident response experience codified to assist customers.

David DeWalt, FireEye CEO and chairman of the board, said: “The addition of Invotas’ technology enables us to enhance our global threat management platform and advance ongoing efforts to provide our customers with a centralized method to manage alerts and intelligence and then automate actions based on FireEye-built playbooks or their own custom strategies.

“FireEye has always led the market in high-fidelity alerting and intelligence, and now our customers can use this data and insights from other sources to build automated workflows that quickly remediate these threats across the security ecosystem with minimal human intervention. FireEye addresses a critical customer need around analyst resources and time with the addition of a capability that will redefine the security orchestration and automation category.”

Invotas’ 19 employees will be integrated into the FireEye Global Engineering and Security Products organization. Paul Nguyen, Invotas’ chief executive officer before the acquisition, called FireEye a perfect fit for Invotas, as it offers the opportunity to fuse its security automation and orchestration capabilities with a comprehensive threat management platform.

“The strength of Invotas’ technology centers around its ability to easily integrate into the security ecosystem of an organization and automate key elements of incident response,” he said. “FireEye leads in delivering high fidelity alerts and contextual threat intelligence, and this move to enrich workflows with these insights and codify FireEye frontline expertise into automated playbooks is going to be a game changer for security operation teams.”

In an email to Infosecurity, Bob Tarzey, analyst and director of Quocirca, said that what struck him was that adding orchestration and automation technology will allow FireEye to continue to diversify through more acquisitions.

“Technology such as Invotas will play a role in integrating disparate technologies into a single FireEye console,” he said.

Source: Information Security Magazine

Blackshades Co-Creator Escapes Jail Term

A US man has been sentenced to five years’ probation for his part in the creation and distribution of the notorious Blackshades remote access trojan (RAT) which may have infected over half a million PCs worldwide.

Michael Hogue – aka ‘xVisceral’ – was sentenced on Friday by a Manhattan district judge, ordered to forfeit $40,000 and perform 500 hours of community service, according to Reuters.

He was actually arrested back in 2012 after a two-year sting operation by the FBI but subsequently agreed to help officers to take out other users and distributors of the RAT.

This led to a May 2014 global swoop by law enforcers which culminated in the arrest of around 100 suspects.  

The major international operation involved police in 18 countries and the FBI claimed to have seized more than 1900 domains used by Blackshades users to control victims’ computers.

Arrested in Moldova was Swede Alex Yucel, co-developer of the software, who it is claimed was the head of the organization – “hiring and firing employees, paying salaries, and updating the malicious software in response to customers’ requests.”

Of the several different types of Blackshades tool made available, the most popular was the RAT, which could be bought for as little as $40.

Although in the beginning it could be bought legally for such tasks as remotely accessing a home PC from elsewhere, it was soon picked up and customized by hackers.

According to the FBI, they used it to: “steal passwords and banking credentials; hack into social media accounts; access documents, photos, and other computer files; record all keystrokes; activate webcams; hold a computer for ransom; and use the computer in distributed denial of service (DDoS) attacks.”

The tool was bought by thousands of users in over 100 countries and used to infect more than half a million computers worldwide, the FBI said. It also generated sales of over $350,000 between September 2010 and April 2014.

Yucel was sentenced to 54 months back in June last year.

Hogue has escaped a jail term despite being told by judge Kevin Castel that he’d committed a crime of “historic proportions.”

“But when he was confronted he did something right,” the judge reportedly continued. “He did what he could to make amends.”

Source: Information Security Magazine

Audit Finds Massive Holes in US Government’s Einstein Security System

The US Department of Homeland Security’s multi-billion dollar National Cybersecurity Protection System (NCPS) is failing to fully secure government networks thanks to a number of major failings, the Government Accountability Office (GAO) has claimed.

In a new report on the system issued late last week, the GAO highlighted deficiencies that would make most CISOs cringe, including intrusion detection that only compares traffic against known signatures rather than looking for deviations from a baseline of ‘normal’ behavior.

“In addition, NCPS does not monitor several types of network traffic and its ‘signatures’ do not address threats that exploit many common security vulnerabilities and thus may be less effective,” the report continued.

Intrusion prevention capabilities, meanwhile, currently do not cover malicious web traffic – although this is planned for 2016.

Information sharing was another area where the DHS fell short, having failed to develop most of the NCPS’ planned functionality in this area.

“Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications,” the GAO added.

“Further, DHS did not always solicit—and agencies did not always provide—feedback on them.”

The DHS was also unable to say whether the system has offered value for money because its performance measurement metrics don’t “gauge the quality, accuracy, or effectiveness of the system's intrusion detection and prevention capabilities.”

The department was also criticized for failing to plan for malware detection capabilities for agencies' internal networks or threats affecting cloud service providers.

Given these shortcomings it’s perhaps not surprising that only five of the 23 agencies required to implement the NCPS’s intrusion prevention capabilities have done so.

The report added:

“Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system.”

The GAO recommended nine steps for the DHS to enhance its capabilities, improve planning and support greater adoption of the NCPS.

High-profile breaches like those discovered by the Office of Personnel Management last year have highlighted the parlous state of US government cyber security.

The NCPS, operationally known as the Einstein program, has cost US taxpayers more than $5 billion over the past several years.

Source: Information Security Magazine

US and EU Fail to Meet Safe Harbor 2.0 Deadline

IT commentators and think tanks have expressed disappointment at the failure of EU and US negotiators to agree on a replacement to the Safe Harbor data sharing agreement by the 31 January deadline.

Justice commissioner Vera Jourová admitted in a statement issued yesterday that “these talks have not been easy” and that “additional effort is needed” to reach agreement on a deal.

She outlined several areas where the EU has drawn a line in the sand over the negotiations.

These include getting written assurances from the US that access to personal data by the authorities will be “limited to what is necessary and proportionate,” and that no indiscriminate mass surveillance of EU citizens’ data be allowed.

There will be an annual joint review of any agreed arrangements to ensure this is the case, she claimed.

Jourová also stressed the need for a “functionally independent body” whom Europeans can contact if they think the US is snooping on their data for reasons of national security.

Another area negotiators are working on is complaint resolution against companies in case of privacy violations.

If a complaint cannot be handled by the company itself, a free “alternative dispute resolution,” or the FTC – via a Data Protection Authority – then there should be a “last resort” mechanism to “ensure that all complaints are resolved through a binding and enforceable decision,” she argued.

“Finally, we need commitments by the US that are formal and binding,” Jourová said. “As this will not be an international agreement, but an exchange of letters, we need signatures at highest political level and publication of the commitments in the Federal Register.”

Mike Weston, CEO of data science consultancy Profusion, was pessimistic about the chances of agreement between the two sides, claiming that the “net result for the man or woman on the street will be more expensive online services and less choice.”

“The reality is that the US and Europe have completely different positions on an individual’s right to privacy online. In Europe, with the exception of the UK, the direction of travel has been towards increasing data protection,” he argued.

“Whereas, in the US, with the passage of the Cybersecurity Information Sharing Act, the Government’s position is the polar opposite. Unless there is a huge change in policy on one side of the Atlantic, agreements like Safe Harbor are doomed to failure.”

Daniel Castro, vice president of think tank the Information Technology and Innovation Foundation, was more optimistic.

He claimed in a statement that following recent changes the US now has a clear set of rules governing the authorities’ access to personal data, which “offer similar levels of protection to those found in Europe and elsewhere.”

“In the spirit of working towards an agreement that restores cross-border data flows, the European data regulators set to meet tomorrow should establish a moratorium on new enforcement actions to give negotiators additional time to find a compromise,” he added.

“Enacting temporary enforcement measures at this point would be premature and impose unnecessary costs on businesses and consumers without addressing the long-term goals of either European or US interests.”

Skyhigh Networks European spokesperson, Nigel Hawthorn, argued that in the absence of an agreement, US firms have been working to circumvent the problem by adjusting their business operations to become more European-centric.

“In fact, 27% of cloud services now offer to store data in the EU, twice as many compared to six months ago,” he claimed.

Source: Information Security Magazine

BlackEnergy Gains a Fresh Spear Phishing Tactic

Office documents with malicious VBA macros are being used to drop the BlackEnergy malware, the Kasidet backdoor and the Dridex banking Trojan.

Kaspersky Lab says that the Russian APT group known for attacking energy targets is using malicious Microsoft Word documents and spear phishing emails to spread the BlackEnergy Trojan in Ukraine. Meanwhile, according to Zscaler, a virulent campaign has been using the same tactic in the last two weeks for more run-of-the-mill info-stealing.

The BlackEnergy threat group, which targets ICS/SCADA, energy, government and media in Ukraine and worldwide, has been using malicious Excel and PowerPoint files to spread destructive malware since last year. Kaspersky's Global Research and Analysis Team Director Costin Raiu said that the perpetrators have now moved on to using Word documents.

“The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014,” he said in a blog. “However, the old versions were crude and full of bugs. In the recent attacks, the developers appear to have gotten rid of the unsigned driver which they relied upon to wipe disks at low level and replaced it with more high level wiping capabilities that focus on file extensions as opposed to disks.”

But it’s not just potentially state-sponsored APT groups that like the tactic.

“Malicious Office documents are a popular vector for malware authors to deliver their payloads,” said Zscaler researchers, in the analysis. “Dridex authors have leveraged this technique for over a year and it was interesting to see the same campaign and URLs being leveraged to deliver Kasidet payloads. While this does not establish any links between the two malware family authors, it reaffirms the fact that a lot of the underlying infrastructure and delivery mechanisms are often shared by these cyber criminals.”

Zscaler took a look at Kasidet and found that it installs itself and then sets about stealing data from infected machines using two methods: memory scraping and browser hooking.

Memory scraping allows Kasidet to steal credit-card data from the memory of point-of-sale (PoS) systems. Browser hooking meanwhile allows Kasidet to steal data from web browsers. It can inject code into Mozilla Firefox, Google Chrome and Internet Explorer, and uses the same hash function as the Carberp malware to encrypt the browser names.

Source: Information Security Magazine

Conficker, AndroRAT Continue Malware Reigns of Terror

It was a December to remember, on the malware front: The risk of malware infection grew by 17% in the month, as the number of active malware families increased by 25%.

That’s the word from analysis by Check Point, which, using its ThreatCloud World Cyber Threat Map, identified more than 1,500 different malware families active during December, up from 1,200 in the previous month.

Digging into the numbers, the UK became a more attractive target than it had been. It ranked as the 99th most attacked country globally, rising from 116th during November. Perhaps more interestingly, it was attacked more than the US (which placed 122nd) and Ireland (116th) but less than Germany (94th), Spain (87th) and France (59th).

Conficker meanwhile continued in its position as King of the Worms, remaining the most prevalent malware type and accounting for 25% of all known attacks during the period. Conficker is popular with criminals thanks to its focus on disabling security services to create more vulnerabilities in the network, enabling them to be compromised further and used for launching DDoS and spam attacks.

It came in well ahead of the second-place infection, Sality, a virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware. Sality accounted for 9% of attacks.

In third place was the Necurs variant, which is used as a backdoor to download additional malware onto the infected machine, while disabling security services on the host to avoid detection.

The top ten malware families accounted for 60% of the total recognized attacks in December, Check Point found.

Check Point’s research also delved into the most prevalent mobile malware during December 2015, and once again attacks against Android devices were significantly more common than those against iOS. The top three mobile malware were: Xinyin, which performs click fraud on Chinese ad sites; AndroRAT, which is able to pack itself with a legitimate mobile application and install without users’ knowledge, allowing full remote control of an Android device; and Ztorg, a Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.

“The increase in active malware during December highlights the severity of the threat posed to organizations’ networks and sensitive data,” said Nathan Shuchami, head of threat prevention at Check Point. “As a result, organizations should be pushing cyber-security to the top of their agendas for 2016, as cyber-criminals continually find new ways to attack networks, so that they can be equally relentless in robustly securing their networks.”

Source: Information Security Magazine