Archive for February 2016

Greenwich University Exposes Student Info Online

The University of Greenwich is under fire after it accidentally posted sensitive information on postgraduate students including details on health issues to its public-facing website.

The incident appears to have breached the Data Protection Act and watchdog the Information Commissioner’s Office (ICO) is said to be investigating.

The matter was brought to the attention of the BBC by a student at the university who came across the information through a simple Google search.

Details included students' names, addresses, dates of birth, mobile phone numbers and signatures, alongside minutes from a university committee governing research students.

These notes apparently included information on mental health and other medical problems as well as details of one student whose brother was fighting in a Middle Eastern army – with references made to an asylum application, the BBC claimed.

Emails between staff and students were also said to have been exposed online.

The university has contacted Google to remove cached copies of the data from the web, and apologized for the error.

"This was a serious error, in breach of our own policies and procedures. The material has now been removed. This was an unprecedented data breach for the university and we took action as quickly as possible, once the issue came to light,” said secretary Louise Nadal.

"At the same time, I am also conducting an investigation into what went wrong. This will form part of a robust review, to make sure that this cannot happen again. The findings and recommendations of the review will be published.”

Experts were quick to highlight the case as a failure of policy and procedure.

Michael Hack, senior vice president of EMEA operations at Ipswitch, argued that the forthcoming European data protection regulation will levy severe financial penalties on breaches of this kind if they are found to stem from negligence.

“Whether private or public sector, when it comes to securing, storing and sharing confidential data, organizations must make sure they have the right policies and process in place,” he added.

“This includes using secure data management and transfer technologies, security systems and most importantly, providing essential staff training across the board.”

Greg Hanson, VP business operations EMEA at Informatica, argued that a data-centric security strategy is a must in today’s climate.

“In order to protect data, wherever it may be, organizations need to be able to identify where it originates in order to secure it, whether it is in transit or at its destination. For many organizations, a complete reassessment of security procedures is required,” he added.

Source: Information Security Magazine

Glibc Flaw Affects Linux Machines and IoT

A major vulnerability in the GNU C Library could result in remote code execution, and may affect most Linux machines.

The vulnerability, tracked as CVE-2015-7547, affects all versions of the GNU C Library, commonly known as glibc, since version 2.9. Google’s Staff Security Engineer Fermin J. Serna and Technical Program Manager Kevin Stadmeyer, who researched the bug, produced a full working exploit, and a patch has been made available.

Serna and Stadmeyer said in a statement: “You should definitely update if you are on an older version though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack.

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”

The vulnerability is triggered by an oversized (more than 2048 bytes) UDP or TCP response, followed by another response that overwrites the stack. Remote code execution is possible, but requires bypassing the mitigations present on the system, such as ASLR.

The bug was reported to the glibc maintainers in July 2015, but has been present since glibc 2.9, released in May 2008. Carlos O’Donnell, Principal Software Engineer at Red Hat, said in an advisory that the vulnerability has probably not been exploited publicly, but that gaining control of execution would not take much more effort.

Tod Beardsley, Security Research Manager at Rapid7, said that like the GHOST vulnerability from 2015, this will affect lots of Linux client and server applications, and like GHOST, it's pretty difficult to "scan the internet" for it, since it's a bug in shared library code.

“There are certainly loads and loads of IoT devices out in the world that aren't likely to see a patch any time soon,” he says. “So, for all those devices you can't reasonably patch, your network administrator could take a look at the mitigations published by RedHat, and consider the impact of limiting the actual on-the-wire size of DNS replies in your environment. While it may be a heavy-handed strategy, it will buy you time to ferret out all those IoT devices that people have squirrelled away on your network.”
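As an added illustration of the mitigation Beardsley describes (this is not code from Google, Red Hat or Rapid7), the following Python filter models a resolver front-end that rejects DNS replies over a per-transport size limit before they can reach getaddrinfo(). The 512-byte UDP and 1024-byte TCP limits, the transaction ID and the sample replies are assumptions chosen for the example; the one fact it leans on is from the advisory text above, that the overflow needs a reply larger than 2048 bytes.

```python
import struct

# Assumed size limits for this example: 512 bytes for a UDP reply (the classic
# non-EDNS maximum) and 1024 bytes for a TCP reply. The overflow needs a reply
# larger than 2048 bytes, so anything within these limits never reaches it.
MAX_UDP_REPLY = 512
MAX_TCP_REPLY = 1024
DNS_HEADER_LEN = 12          # id, flags, qdcount, ancount, nscount, arcount
QR_BIT = 0x8000              # set in the flags word of every response


def build_reply(txid, total_len, flags=0x8180):
    """Constructed sample data: a DNS reply of exactly total_len bytes.

    The header is real (id, flags, one question, one answer); the rest is
    zero filler, which is enough for the length and header checks below.
    """
    if total_len < DNS_HEADER_LEN:
        raise ValueError("a DNS message is at least 12 bytes")
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    return header + b"\x00" * (total_len - DNS_HEADER_LEN)


def frame_tcp(body):
    """Add the two-byte length prefix DNS uses over TCP (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(body)) + body


def check_reply(data, transport, expected_txid):
    """Decide whether a reply from the network may be passed to the stub resolver.

    Returns (allowed, reason). Rejects replies that are malformed, that do not
    match the outstanding query, or that exceed the per-transport size limit.
    """
    if transport == "tcp":
        if len(data) < 2:
            return False, "truncated TCP length prefix"
        (declared,) = struct.unpack("!H", data[:2])
        body = data[2:]
        if declared != len(body):
            return False, "TCP length prefix does not match payload"
        limit = MAX_TCP_REPLY
    elif transport == "udp":
        body = data
        limit = MAX_UDP_REPLY
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")

    if len(body) < DNS_HEADER_LEN:
        return False, "shorter than a DNS header"
    txid, flags = struct.unpack("!HH", body[:4])
    if not flags & QR_BIT:
        return False, "QR bit clear: this is a query, not a response"
    if txid != expected_txid:
        return False, "transaction id does not match the outstanding query"
    if len(body) > limit:
        return False, f"{transport} reply of {len(body)} bytes exceeds {limit}-byte limit"
    return True, "ok"


def filter_replies(replies, transport, expected_txid):
    """Apply check_reply to a sequence of replies (for instance the oversized reply
    and the follow-up that triggers the overflow) and keep only those that pass."""
    return [r for r in replies if check_reply(r, transport, expected_txid)[0]]


if __name__ == "__main__":
    # The attack shape from the advisory: a >2048-byte reply followed by another.
    attack = [build_reply(0x1234, 2100), build_reply(0x1234, 300)]
    for reply in attack:
        print(len(reply), check_reply(reply, "udp", 0x1234))
    print("passed through:", [len(r) for r in filter_replies(attack, "udp", 0x1234)])
```

In practice the same limit is enforced with a firewall length match on port 53 or a response-size cap in a local caching resolver placed in front of the stub resolver; the cost is that legitimate large answers (DNSSEC-signed zones, names with many records) are dropped too, which is the heavy-handedness the quote warns about.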

Dave Palmer, Director of Technology at Darktrace, said: “It seems that this bug primarily affects the servers that run company applications and internet services, but probably also much of the IoT. However, it is still unclear how easy it is to exploit.

“Uncertainty surrounds not only this bug, but all future threats. It is simply impossible to guess where next vulnerabilities will be discovered. So as companies run around trying to work out if and how this will affect them, they should also fundamentally re-think how they are protecting the entirety of their systems. Without an immune system, which automatically monitors for abnormality, it is extremely difficult to keep up with today’s threat landscape.”

David Flower, MD EMEA at Carbon Black said: “Linux users have long since held the belief that their systems are secure by design and are invulnerable to attack. However, the string of high-profile Linux malware; from last year’s Mumblehard, which had gone undetected for five years, to 2012’s Snakso, which gave hackers remote access to servers, has proven this belief to be false. Google’s discovery of Glibc has delivered another significant blow to this misconception, highlighting that a basic flaw has been present within the code itself.

“Whilst it has yet to be exploited by hackers, those that fail to patch the vulnerability will face a significant threat now that the bad guys have been alerted to its presence.”


Source: Information Security Magazine

Apple: We Won’t Build ‘Backdoor’ to Unlock Gunman's Phone

Apple has point blank refused to bypass its own security mechanisms with new software which the FBI can use to unlock and read information on the iPhone of one of the San Bernardino gunmen.

A court order issued by a California magistrate yesterday effectively asks Apple to create a custom iOS build to install on the device, an iPhone 5C running iOS 9, which would allow the FBI to brute force the passcode.

The order noted that Apple’s “reasonable technical assistance” should accomplish three important functions:

“It will bypass or disable the auto-erase function whether or not it has been enabled; it will enable the FBI to submit passcodes to the subject device for testing electronically via the physical device port, Bluetooth, Wi-Fi or other protocol available on the subject device; and it will ensure that when the FBI submits passcodes to the subject device, software running on the device will not purposefully introduce any additional delay between the passcode attempts beyond what is incurred by Apple hardware.”

The auto-erase function, when enabled, wipes all data after 10 incorrect passcode guesses, while the delay of tens of milliseconds that the hardware imposes on every attempt, combined with escalating software lockouts after repeated failures, was introduced by Apple to neuter brute force attacks by making them take years to carry out.
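To make the arithmetic behind the order concrete, here is an added Python model (not Apple's code) of a passcode gate with the two protections the FBI wants removed: auto-erase after ten failures, and software lockouts on top of a per-attempt hardware cost. The ten-guess wipe comes from the order; the roughly 80 ms per-attempt hardware cost and the lockout schedule are assumptions chosen for the example.

```python
WIPE_AFTER = 10              # from the order: ten wrong guesses and the data is gone
HARDWARE_DELAY_S = 0.08      # assumed: roughly 80 ms of key derivation per attempt, not skippable by software
# Assumed, simplified escalating lockouts imposed in software:
# failure count -> seconds before the next guess is accepted.
SOFTWARE_LOCKOUT_S = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


class PasscodeGate:
    """A model of the passcode check with the two protections the order targets."""

    def __init__(self, passcode, auto_erase=True, software_delays=True):
        self._passcode = passcode
        self.auto_erase = auto_erase
        self.software_delays = software_delays
        self.failures = 0
        self.erased = False
        self.clock = 0.0         # simulated seconds elapsed
        self.locked_until = 0.0

    def attempt(self, guess):
        """Return 'ok', 'wrong', 'locked' or 'erased'."""
        if self.erased:
            return "erased"
        if self.clock < self.locked_until:
            return "locked"
        self.clock += HARDWARE_DELAY_S          # paid on every attempt, protections or not
        if guess == self._passcode:
            return "ok"
        self.failures += 1
        if self.auto_erase and self.failures >= WIPE_AFTER:
            self.erased = True
            return "erased"
        if self.software_delays and self.failures in SOFTWARE_LOCKOUT_S:
            self.locked_until = self.clock + SOFTWARE_LOCKOUT_S[self.failures]
        return "wrong"

    def wait_out_lockout(self):
        self.clock = max(self.clock, self.locked_until)


def brute_force(gate, candidates):
    """Try candidates in order; return (outcome, attempts_made, simulated_seconds)."""
    attempts = 0
    for guess in candidates:
        result = gate.attempt(guess)
        while result == "locked":
            gate.wait_out_lockout()
            result = gate.attempt(guess)
        attempts += 1
        if result in ("ok", "erased"):
            return result, attempts, gate.clock
    return "exhausted", attempts, gate.clock


def hardware_only_seconds(keyspace, per_attempt=HARDWARE_DELAY_S):
    """Worst-case time to exhaust a keyspace when only the hardware delay remains."""
    return keyspace * per_attempt


if __name__ == "__main__":
    digits4 = [f"{i:04d}" for i in range(10000)]
    # With both protections: the tenth wrong guess wipes the phone.
    print(brute_force(PasscodeGate("7391"), digits4))
    # With the firmware the order asks for: every four-digit code in about ten minutes.
    print(brute_force(PasscodeGate("7391", auto_erase=False, software_delays=False), digits4))
    for label, space in (("4 digits", 10 ** 4), ("6 digits", 10 ** 6), ("6 alphanumeric", 36 ** 6)):
        print(label, round(hardware_only_seconds(space) / 86400, 1), "days")
```

The last loop is the point of the dispute in numbers: with only the hardware cost left, four digits fall in minutes and six digits in under a day, and only a long alphanumeric passcode still takes years.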

The magistrate, Sheri Pym, asked Apple to respond if it was not possible to create a workaround as described above.

Tim Cook took the opportunity to do so in a long letter decrying the government’s attempts to undermine the security of Apple devices, although he notably didn’t reveal whether it was technically possible to do so or not.

While claiming no sympathy for the terrorists and pointing out that Apple has assisted the investigators to do “everything that is both within our power and within the law to help them,” he would not sanction the creation of software with the potential to unlock anyone’s iPhone.

He added:

“The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control  …

For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”

Cook also took issue with the FBI’s apparent attempts to use the All Writs Act of 1789 as a legal justification for this expansion of its authority.

He argued:

“The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”

The news comes in the same week EU security agency ENISA came out in favor of strong encryption and against any attempts by law enforcers to undermine this by demanding backdoors.

Image credit: endermasali /

Source: Information Security Magazine

Spear Phishing Incident Average Cost is $1.6M

Spear phishing has become an endemic scourge: 95% of US and 83% of UK respondents in a recent Cloudmark survey said that they have experienced spear phishing attacks (91% combined).

Spear phishing is effective: despite deploying traditional security solutions, 84% of respondents experienced spear phishing attacks that penetrated their security solutions. It’s also costly: Of those experiencing attacks over the last 12 months, 81% suffered some negative impact as a result, with an average financial cost of $1.6 million—and some losses in the tens of millions of dollars.

Unfortunately, human awareness of the issue appears to be lagging the risk. A full 79% of respondents test their employees’ responses to spear phishing attacks, and 78% of those had failure rates of up to a quarter of their employees.

Only 3% had no failures.

Also, a good percentage of companies appear to be in a state of denial when it comes to the targets on their backs. Only 73% of respondents feel that spear phishing currently poses a threat to their organization. About three-quarters (77%) feel that it will pose a threat within the next 12 months. And this gap is reflected in respondents’ actions, as only 71% have implemented a specific solution to prevent spear phishing, leaving a large number of respondents poorly protected. Those 71% are depending on traditional anti-spam (84%) and anti-virus (81%) software to protect their users, along with staff training (79%) and educational campaigns (64%).

“The high financial losses—$1.6 million on average—are only part of the story; other respondents experienced loss of reputation or even customers, drop in stock price or other negative effects,” the report noted. “In some sectors, more than half of respondents (55%) suffered a loss of customers; in others, almost half (47%) suffered a financial loss.”

Anti-spam and anti-virus technology can be effective in blocking some kinds of generic phishing. About 45% of respondents have deployed secure web gateways or URL filtering solutions, which might be effective in protecting users from threats such as fake bank or webmail login pages hosted on hacked domains. And secure email gateways and file sandboxing (deployed by 58% and 28% of respondents, respectively) can be effective against malware deployment, an attack which 30% of respondents have experienced.

But ultimately, the human is the weakest link.

“For example, in so-called CEO fraud or Business Email Compromise (BEC) attacks, the spear phisher masquerades as the company’s CEO or another executive and instructs an employee in the finance department to send money via wire transfer to a bank account controlled by the phisher,” the report explained. “These messages almost never contain an attachment or a call-to-action URL, so they will bypass traditional security technology easily.”

BEC attacks are widespread. Sixty-three percent of respondents received spear phishing involving the spoofing of a CEO for financial gain in the last 12 months; in one sector, 48% received more than 30 such attacks over that period. Almost half of respondents said that the financial staff or department were specifically targeted in cyber-attacks.
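The CEO-fraud pattern the report describes is detectable from headers and wording even though there is no URL or attachment to scan. The following is an added Python example (not Cloudmark's code) that scores a raw message for BEC indicators; the company domain, the executive directory, the keyword lists and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed for this example
# Assumed directory of executives whose names a BEC message might borrow:
# display name (lower-cased) -> the mailbox that person really sends from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("wire transfer", "bank details", "routing", "account number", "payment", "invoice")
URGENCY_WORDS = ("urgent", "today", "immediately", "confidential", "in a meeting")


def lookalike(domain):
    """Crude homoglyph check: does the domain collapse onto ours once digits and hyphens are swapped?"""
    folded = domain.lower().replace("1", "l").replace("0", "o").replace("-", "").replace("rn", "m")
    return folded == COMPANY_DOMAIN and domain.lower() != COMPANY_DOMAIN


def body_text(msg):
    """Concatenate every text/plain part, decoded with its declared charset."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def bec_indicators(raw_message):
    """Return a list of human-readable indicators; an empty list means nothing BEC-like was seen."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = body_text(msg).lower()
    findings = []

    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' is an executive but sender is {addr}")
    if lookalike(domain):
        findings.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    if any(w in text for w in PAYMENT_WORDS):
        findings.append("body asks for a payment or banking change")
    if any(w in text for w in URGENCY_WORDS):
        findings.append("body applies urgency or secrecy pressure")

    has_url = "http://" in text or "https://" in text
    has_attachment = any(p.get_filename() for p in msg.walk())
    if findings and not has_url and not has_attachment:
        findings.append("no URL or attachment: URL/attachment-based filters will not see this")
    return findings


# Constructed sample of a CEO-fraud message (not a real email).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@mail.example.net>
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process a wire transfer of 48,000 to the supplier account I will send next.
I am in a meeting all day, so handle this by email only and keep it confidential.
"""

# Constructed sample of a legitimate message from the same executive.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q1 board pack
Content-Type: text/plain; charset="utf-8"

The board pack is on the intranet: https://intranet.example.com/board/q1
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

A mail gateway would combine these indicators with SPF/DKIM/DMARC results for the claimed domain; the display-name and Reply-To checks are the ones that still fire when the attacker has registered a lookalike domain with perfectly valid authentication records.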

Photo © igor.stevanovic

Source: Information Security Magazine

Mazar BOT Can Erase Android Phones

A fresh campaign bent on exfiltrating information from, and erasing, unsuspecting victims’ phones is spreading via unsolicited text messages.

Heimdal Security uncovered the Mazar BOT Android malware, which, aside from being new on the scene, is notable in that it gains administrative rights that give it the ability to do almost anything with the victim's phone.

The malware also can read SMS messages, which means it can also read authentication codes sent as part of two-factor authentication mechanisms, used also by online banking apps and ecommerce websites.

The attack chain begins with a message: “You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.”

If the APK, an Android application package, is run, it gains administrator rights on the victim’s device. The malicious APK also retrieves Tor, installs it on the phone, and then uses the Tor network to reach its command and control server.

From there, the attackers can do any number of things, including harvesting data, tracking locations, monitoring messages and calls, and even erasing the phone altogether. Attackers also can do things like send SMS messages to premium channel numbers, seriously increasing the victim’s phone bill.

But wait, there’s more. 

Heimdal noted that the attackers behind Mazar BOT also implemented the Polipo proxy, which is used to cache web pages for offline access, amongst other things. Through this proxy, cyber-criminals can change the traffic flow and interpose themselves between the victim’s phone and a web-based service, for a man-in-the-middle attack.

Interestingly, the code contains protections for Russians.

“Our team was not surprised to observe that the malware cannot be installed on smartphones running Android with the Russian language option,” said Andra Zaharia, security specialist at Heimdal Security, in a blog. “Mazar BOT will check the phone to identify the victim’s country and this will stop the malicious APK if the targeted phone turns out to be owned by a Russian user.”

Until now, Mazar BOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code be abused in active attacks, she added.

“Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money (as always),” Zaharia said. “We can expect this malware to expand its reach, also because of its ability to remain covert by using TOR to hide its communication.”

Photo © evgdemidova

Source: Information Security Magazine

Survey Finds Lack of Consensus on Cybersecurity Accountability

Results from a new study by Palo Alto Networks have revealed there is still plenty of work to be done within organizations when it comes to working collaboratively and sharing responsibility to prevent data breaches.

According to the survey, nearly half (46%) of 765 business decision-makers believe that responsibility for protecting an organization from cyber-crime lies solely with the IT department. Interestingly, more than half (57%) of those working in IT agreed, stating they hold sole domain over a company’s security.

Speaking to Infosecurity, Dr Adrian Davis, Managing Director EMEA, (ISC)2 said Palo Alto’s survey acknowledges one of the key issues surrounding cybersecurity risk, and that is accountability. 

“Cyber risk is an issue for all. Accountability for cyber risk will need to be embraced by all as we move forward in this now digitally dependent world. The challenge is that society as a whole is only in the early stages of appreciating this,” he argued.

“IT is accountable for understanding and articulating the risks around the solutions they propose and manage; business is also accountable for listening; assessing and assuring a strategy for managing the risks with IT. There is also a third group of influencers here – the innovators – who are going to have to recognize accountability for understanding and preventing the vulnerabilities that they are introducing by not designing with security in mind.”

The findings from this survey will raise concerns over how well cybersecurity issues are being translated and understood within companies, especially with the General Data Protection Regulation (GDPR) due to be finalized in the coming months. The GDPR holds the organization accountable for how personal data is handled by every member of staff with access to it, which makes it imperative that companies educate employees in every department, from board-level executives to customer service staff.

Greg Day, vice president and regional chief security officer, Europe, Middle East and Africa, Palo Alto Networks, said:

“The new EU regulations will require businesses to step up their cybersecurity practices, and this can be an opportunity or a risk, depending on how these businesses choose to approach it. Ultimately, it is critical that managers recognize that, when it comes to cybersecurity, the onus is on everyone – it’s no longer a dark art but an everyday business practice that must pervade every level of the organization.”

The results suggest that a shortage of cybersecurity knowledge at leadership level is influencing the lack of consensus about where duties lie, with 13% of C-level respondents admitting they do not fully understand what defines an online security risk to a business. 

They also allude to the fact that the approaches many organizations currently use to gauge security do not provide a comprehensive outlook of what risks they are actually facing. A quarter of companies determine how effective their security infrastructure is by how many incidents they block, and 13% feel the length of time passed since their last breach shows how well they are doing.

Instead, to provide an accurate view of risk, Palo Alto Networks recommended that companies introduce pre-emptive and real-time methods, such as monitoring all the traffic on their networks.

Source: Information Security Magazine

Anonymous Hacks South African Government

Anonymous is at the hacktivist game again, this time targeting South African government as part of its #OpAfrica initiative.

The group hacked a database within the Government Communications and Information Systems (GCIS) department, leaking names, phone numbers, email addresses and hashed passwords of more than 1,000 government employees.

The hackers gained access to an old GCIS portal that hadn’t been updated; South Africa said that the vulnerability has been tracked down and closed.

Operation Africa is “a disassembly of corporations and governments that enable and perpetuate corruption on the African continent.” Anonymous said that in particular, the focus is on the issues of child labor and Internet censorship on the continent.

“We are fighting alongside other operations such as OpNigeria and AnonymousSA to help free the continent from the plague of exploitation that has been occurring for centuries,” it said.

South African developer Evan Knowles said that government employees made it fairly easy for Anonymous, because the hashed passwords were hardly secure: all 1,471 passwords in the GCIS data that Anonymous dumped had been hashed with MD5 without a salt, and 1,116 of them were trivially cracked.

“All in all, in the collection of 1116 passwords, there were only 549 unique passwords,” he said. “This included nine passwords which were only one letter long, and 53.1% of the passwords failed a standard, very basic test (contains at least one number, and a minimum length of 6). 29.8% of the passwords contained the word ‘password’. 628 passwords (42.7%) were already in plain text and did not need to be cracked.”

Further, 25.2% of users had passwords that were identical to their first name.

The top 10 passwords in the GCIS dump were: password1; password01; password02; password2; password123; Admin#11; Education2015; Password123; password03; and, Password.

“Not too imaginative, but strangely satisfyingly stereotypical as far as poor passwords go,” Knowles said in his blog.
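To show why an unsalted MD5 dump falls this quickly, and what the audit numbers above actually measure, here is an added Python example (not Knowles's code) that builds a small constructed dump, cracks it with a wordlist plus per-user first-name guesses, computes the same statistics, and contrasts the result with a salted PBKDF2 hash. The usernames, passwords and wordlist are invented for the example; only the "basic test" (six characters and a digit) comes from the quote above.

```python
import hashlib
import os
import string
from collections import Counter

# Constructed sample dump: (username, first name, unsalted MD5 hex). The plaintexts
# are listed only so the example can build the dump; an attacker sees the third column.
_PLAINTEXTS = [
    ("asmith", "Andile", "password1"),
    ("bnaidoo", "Bongi", "Password123"),
    ("cvandermerwe", "Carla", "Carla"),
    ("dkhumalo", "Dumisani", "a"),
    ("ejacobs", "Ethan", "password1"),
    ("fmokoena", "Fezile", "Education2015"),
    ("gpillay", "Gita", "Kx9!vR2#pLq7"),
]
DUMP = [(u, first, hashlib.md5(pw.encode()).hexdigest()) for u, first, pw in _PLAINTEXTS]

# A tiny wordlist; a real audit would use a multi-million-entry list plus mangling rules.
WORDLIST = ["password1", "password01", "password02", "password2", "password123",
            "Admin#11", "Education2015", "Password123", "password03", "Password"]


def crack_unsalted_md5(dump, wordlist):
    """Return {username: plaintext} for every hash we can match.

    Because there is no salt, the wordlist is hashed once into a lookup table that
    serves every user; that is the whole reason unsalted hashes fall so fast.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    for ch in string.printable.strip():          # every one-character password
        table.setdefault(hashlib.md5(ch.encode()).hexdigest(), ch)
    cracked = {}
    for user, first, digest in dump:
        guess = table.get(digest)
        if guess is None:                        # per-user guesses: the first name
            for cand in (first, first.lower(), first.upper()):
                if hashlib.md5(cand.encode()).hexdigest() == digest:
                    guess = cand
                    break
        if guess is not None:
            cracked[user] = guess
    return cracked


def basic_rule_fails(pw):
    """The 'standard, very basic test' from the article: at least 6 chars and one digit."""
    return len(pw) < 6 or not any(c.isdigit() for c in pw)


def audit(dump, cracked):
    """The statistics quoted in the article, computed over the cracked passwords."""
    first_names = {u: first for u, first, _ in dump}
    pws = list(cracked.values())
    return {
        "total": len(dump),
        "cracked": len(pws),
        "unique": len(set(pws)),
        "fail_basic_rule": sum(basic_rule_fails(p) for p in pws),
        "contain_password": sum("password" in p.lower() for p in pws),
        "equal_first_name": sum(p.lower() == first_names[u].lower() for u, p in cracked.items()),
        "top": Counter(pws).most_common(3),
    }


def salted_hash(password, salt=None, rounds=200_000):
    """What should have been stored instead: PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, rounds=200_000):
    salt_hex, _ = stored.split("$", 1)
    return salted_hash(password, bytes.fromhex(salt_hex), rounds) == stored


if __name__ == "__main__":
    cracked = crack_unsalted_md5(DUMP, WORDLIST)
    print(audit(DUMP, cracked))
    # Same password for two users: identical MD5 (visible in the dump) but different salted hashes.
    print(DUMP[0][2] == DUMP[4][2], salted_hash("password1") == salted_hash("password1"))
```

With a salt, two users sharing "password1" no longer share a hash, so the 549-unique-out-of-1116 observation could not have been read straight off the dump, and each guess has to be hashed once per user rather than once for the whole table.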

Photo © oneinchpunch/

Source: Information Security Magazine

Patients Sent Away as Ransomware Hits Hollywood Hospital

A Californian hospital has been forced to cancel appointments and send patients to other hospitals after what appears to have been a ransomware attack brought its computer systems to a grinding halt.

The Hollywood Presbyterian Medical Center declared an “internal emergency” on Friday 5 February after “significant IT issues,” CEO Allen Stefanek said, according to local reports.

The emergency department was hit and staff were forced to return to fax machines and pen and paper as they had no access to email or online patient records.

Aside from access to patient records, the downtime apparently hit lab work, X-rays and CT scans, leading to some outpatients being forced to miss treatment.

Some reports are claiming the attackers are after around 9,000 BTC ($3.6m) in return for decrypting key files.

It’s not clear whether the issue has been resolved yet, although the FBI and LAPD have apparently been called in to investigate.

The incident highlights the potentially serious impact ransomware can have outside the world of IT.

Eset security specialist, Mark James, warned that systems can take a long time to restore after a ransomware attack.

“Good system backups will of course help but for this industry stopping it before it gets in is the priority. Typically in these situations the operating systems used are older and maybe outdated. Patching could cause downtime and may seemingly cause ‘more trouble than it’s worth’ but it’s a fact of computing these days and it has to be done,” he told Infosecurity.

“Segregating the network data and using a good regularly updated internet security product along with staff and user education on the current attack methods will help to keep infection down to a minimum.”

Meanwhile, David Gibson, VP of strategy at Varonis, argued that ransomware can be “hard to spot and harder to recover from” if IT staff don’t log what users are doing with file share data.

“Detecting and arresting ransomware requires an inside-out security approach. IT security must look to block phishing emails or at least educate employees about this threat, restrict access to social media, monitor network connections to known Command and Control (C2) URLs/IP addresses, and watch for malicious processes,” he told Infosecurity.

“But the real key to fighting ransomware is to take a closer look at what the attackers are after: these are the files and emails that employees create and view every day. This unstructured data is the largest data set in most organizations, often the most valuable, and, unfortunately, the least controlled.”
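Gibson's point, that ransomware is hard to spot without logs of what users do with file-share data, can be turned into a concrete detector. The following added Python example (not Varonis's code) runs over constructed audit lines and alerts on a user who renames many documents to a new extension within a short window, or who drops a ransom-note-like file. The log format, the thresholds and the note filename pattern are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed audit line format: timestamp, user, operation, path and (for renames) the new path.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path="(?P<path>[^"]+)"'
    r'(?: newpath="(?P<newpath>[^"]+)")?$'
)

# Constructed sample of file-server audit lines: one user's normal work, then a burst
# that looks like ransomware renaming records and dropping a ransom note.
_NORMAL = [
    '2016-02-05T09:12:01 user=mjones op=write path="\\\\fs1\\finance\\q4.xlsx"',
    '2016-02-05T09:14:30 user=mjones op=rename path="\\\\fs1\\finance\\draft.docx" newpath="\\\\fs1\\finance\\final.docx"',
    '2016-02-05T09:20:07 user=mjones op=write path="\\\\fs1\\finance\\notes.txt"',
]
_BURST = [
    f'2016-02-05T09:31:{sec:02d} user=jsmith op=rename path="\\\\fs1\\records\\patient{n}.pdf" '
    f'newpath="\\\\fs1\\records\\patient{n}.pdf.locked"'
    for n, sec in enumerate(range(5, 45, 5))
] + ['2016-02-05T09:31:46 user=jsmith op=write path="\\\\fs1\\records\\HOW_TO_DECRYPT.txt"']
SAMPLE_LOG = _NORMAL + _BURST


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def ext_of(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def suspicious_rename(ev):
    """A rename that appends a new extension to an existing document is the classic tell."""
    if ev["op"] != "rename" or not ev["newpath"]:
        return False
    old, new = ev["path"], ev["newpath"]
    return new.startswith(old + ".") and ext_of(new) != ext_of(old)


NOTE_RE = re.compile(r"(decrypt|restore|ransom|recover).*\.(txt|html)$", re.I)


def detect(lines, window_s=60, rename_threshold=5):
    """Alert once per user whose suspicious renames in any window reach the threshold,
    or who creates a file whose name looks like a ransom note."""
    recent = defaultdict(deque)      # user -> timestamps of suspicious renames still in window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["user"] in flagged:
            continue
        user, reason = ev["user"], None
        if suspicious_rename(ev):
            q = recent[user]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= rename_threshold:
                reason = f"{len(q)} extension-changing renames within {window_s}s"
        elif ev["op"] == "write" and NOTE_RE.search(ev["path"].rsplit("\\", 1)[-1]):
            reason = f"ransom-note-like file created: {ev['path']}"
        if reason:
            flagged.add(user)
            alerts.append({"user": user, "at": ev["ts"].isoformat(), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rename-rate rule fires on the fifth rename in this sample, well before the note is written; in a real deployment the alert would feed an automatic action such as disabling the user's share access, since by the time a human reads it the remaining files are already gone.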

Brendan Griffin, threat intelligence manager at PhishMe, warned that phishing attacks can sometimes contain malicious links leading to a ransomware download.

“Technology alone cannot stop these threats and having a security team reliant on that technology is not going to prevent this kind of human error – it takes all hands on deck,” he told Infosecurity.

“While having a security team would have possibly helped in this instance, it still wouldn’t provide the most comprehensive security measures possible, as it neglects the utility of having staff that are ready and enabled to prevent these threats.”

Paul Edon, director at security firm Tripwire, added that ransomware incidents are only set to increase as cybercriminals make use of ransomware-as-a-service offerings available on the darknet.

“The single most important thing to help recover from a ransomware attack is a well-practiced and regularly updated off-line backup,” he told Infosecurity.

“Additionally, I would recommend ensuring software updates and patches are deployed in a timely fashion, RDP is disabled on those devices where it is not absolutely necessary for business, all email should be filtered and .EXE attachments quarantined. And finally work with a reputable security vendor/consultancy to ensure you are following industry best practices.”
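Edon's advice to quarantine .EXE attachments is only effective if the check looks past the filename. The following added Python example (not Tripwire's code) judges each attachment of a constructed sample message by extension, double extension, the PE "MZ" header and the contents of zip archives; the blocked-extension list and the sample message are assumptions for the example.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed list of extensions that should never arrive by mail unrequested.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
               "vbe", "wsf", "hta", "msi", "dll", "jar"}
MZ = b"MZ"                     # every PE executable starts with the DOS 'MZ' header


def extensions(filename):
    """All extensions of a name, so 'invoice.pdf.exe' yields ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def judge_attachment(filename, data):
    """Return a reason to quarantine this attachment, or None if it looks benign."""
    exts = extensions(filename or "")
    if exts and exts[-1] in BLOCKED_EXT:
        return f"{filename}: blocked extension .{exts[-1]}"
    if len(exts) > 1 and any(e in BLOCKED_EXT for e in exts):
        return f"{filename}: double extension hides an executable"
    if data[:2] == MZ:
        return f"{filename}: content is a PE executable regardless of its name"
    if data[:4] == b"PK\x03\x04":          # zip archive: look inside for executables
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    m_exts = extensions(member.rsplit("/", 1)[-1])
                    if m_exts and m_exts[-1] in BLOCKED_EXT:
                        return f"{filename}: archive contains executable {member}"
        except zipfile.BadZipFile:
            return f"{filename}: corrupt zip archive"
    return None


def scan_message(raw_bytes):
    """Return the quarantine reasons for every attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw_bytes)
    reasons = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        reason = judge_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
        if reason:
            reasons.append(reason)
    return reasons


def build_sample():
    """Constructed sample message with four attachments (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "billing@supplier.example"
    msg["To"] = "accounts@hospital.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 benign", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(MZ + b"\x90" * 32, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan/invoice.js", "new ActiveXObject('WScript.Shell');")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="scan.zip")
    # An executable renamed to look like a document, which an extension check alone would pass.
    msg.add_attachment(MZ + b"\x00" * 16, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample()):
        print("QUARANTINE", reason)
```

Password-protected archives defeat the zip check (the member names are visible but the content is not), which is exactly why many ransomware lures ship as encrypted zips with the password in the email body; those are best quarantined outright.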

Source: Information Security Magazine

Low-Skilled Social Engineering Attacks Become more Prevalent

A major rise in social engineering has been seen over the past few months, mostly using very standard attack tactics.

Speaking to Infosecurity, Check Point head of incident response Dan Wiley said that mid-market businesses see far fewer advanced persistent threat (APT) level attacks and state-sponsored hacking, but far more ransomware, malware and extortion, campaigns that are alike in being broader in scope.

“We are seeing a large uptick, and in December we saw a lot more cases in pure social engineering and no malware whatsoever,” he said.  “We are working with a company who had outsourced all of their email and they called us and said ‘we’ve lost $3-4M and can you help us trace it?’

“Ultimately what had happened is someone had stolen one of the financial guys’ credentials, logged into the portal, logged in as the person and scraped the entire customer base and sent an email to all of the customers and said ‘our bank routing information has changed, please change your accounts payable’. No one caught the email as it was from a trusted account and they lost $3-4M.”

Wiley said the credentials had been harvested through a watering hole attack. He predicted that attackers will increasingly go after cloud-hosted applications: because there is no consolidated view across them, the only control is whatever the provider of the service offers, and authentication is a major issue.

“Forensics in reviewing the case is very difficult, so we will see that this year – a significant uptick in terms of those avenues,” he said. “The next generation of hacking is much more social, and the attackers are going after Facebook and LinkedIn and understanding the social dynamics of your virtual reality.”

Wiley said that most organizations do not realize that they are pawns in a bigger game as there was a veil of protection, and now you’re in a game that you may not want to play. “All the strange conspiracy theories, you could be part of it,” he said.

Asked how attackers get in, Wiley said that with Amazon you can have two-factor authentication to verify your identity, but if you call customer service they will reset your password to whatever the attacker wants. “The attackers are looking for every single angle from a social aspect to modify the credentials or authorized transactions to move the bar a little further to get them to the next social network and once they control the whole playing field they can suddenly be able to elevate privileges to get more and more,” he said.

Source: Information Security Magazine

Bank Details of 100,000 Brits for Sale Online

Stolen banking details of more than a million people (including 100,000 Brits) are being sold on the internet by a group of cyber-criminals for as little as £1.67 each, according to a report by The Telegraph.

It is believed the website is operating on the open internet as opposed to the ‘dark web’, where online criminality of this type usually takes place.

The site looks and operates like a standard retailer, with a customer helpdesk and refunds for faulty products. However, whereas hacked information on the dark web can only be accessed using a special internet browser, this site appears to be accessible using a regular web browser such as Google Chrome or Apple Safari.

It is estimated to have been openly operating since at least June last year, and sells stolen card details together with other sensitive information such as postal addresses and victims’ mother’s maiden names.

If the site has indeed been able to run so brazenly for so long, it will inevitably raise some questions regarding the effectiveness of anti-fraud law enforcement amid fears that the police are losing the battle against online fraud. However, Chris Boyd, Malware Intelligence Analyst, Malwarebytes, told Infosecurity:

“That these sites exist is no real indication of the battle between law enforcement and criminals going one way or the other – there's a large selection of carding sites online on the open web, and there have been for many years. The key difference now is that law enforcement and researchers tend to get more out of tracking and shutting down small groups rather than playing whack-a-mole with easily replaceable websites."

“Sometimes difficult to close forums are used by law enforcement to observe specific criminals and gather evidence, eventually going after the individuals rather than the website itself,” he added.

Source: Information Security Magazine