
Archive for April 2016

Qatar Bank Hack Exposes ‘MI6 Spies’

A newly discovered 1.4GB data dump leaked online appears to indicate a major breach at the Qatar National Bank and a wider operation designed to profile dozens of individual customers for follow-on attacks – some of whom may be spies.

The unusual case was first reported by the International Business Times, which claims that the stolen data includes hundreds of thousands of transaction logs, personal ID numbers and credit card information.

However, it is the additional folders bearing titles such as “SPY, Intelligence,” “Al Jazeera” and “AL THANI” that complicate the picture.

These are said to contain more than just bank details: information such as the names and photos of close relations, as well as the social media accounts and phone numbers of the targeted individuals.

If the labels on the various files and folders are to be believed, the data dump includes detailed information on operatives from MI6, as well as Polish, French and Qatar intelligence, and nearly 30 Al Jazeera staff.

The information first came to light on Global-Files.net but was subsequently removed and now can be found on fellow whistleblowing site Cryptome.

The bank itself has refused to comment on the reports, but claimed in a statement yesterday that there is “no financial impact on our clients or the bank.”

It continued:

“QNB Group places the highest priority on data security and deploying the strongest measures possible to ensure the integrity of our customers’ information. QNB is further investigating this matter in coordination with all concerned parties. Thank you for your cooperation and understanding.”

Security experts from Trend Micro, who have reviewed the data dump, argued that it could indicate a hacker or group planning a series of follow-on phishing and other cyber attacks using both the banking data and other personal information gleaned from those profiled in the various dossiers.

“It clearly shows firstly how the attacker obtained the data; then how they worked the data to find what they were looking for; and then started to build profiles on the people it was interested in,” cyber solution security architect Simon Edwards told Infosecurity.

“It is almost as though the attackers ‘dropped the loot’ as they exited.”

He added that the exposure of this data online “could have been a mistake, or it could have been deliberate.”

Gord Boyce, CEO of file security vendor FinalCode, argued that businesses need to realize today it’s not a matter of ‘if’ they get hacked but ‘when.’

“Financial services firms, like in other regulated industries, need to expand their data defense portfolios beyond that of thwarting hackers and monitoring for insider threats to securing files that may be exposed due to inadvertent emails, lost portable storage devices or unauthorized sharing,” he added.

“The best approach to prevent file data leakage is through the use of strong encryption and usage control.”

Source: Information Security Magazine

Banks Beware: Nearly All of Your ATMs are Insecure

Virtually every ATM in the world can be illegally accessed and raided – sometimes even without the need to install malware, according to new research by Kaspersky Lab.

The Russian AV firm’s pen testing team has combined its assessments for some of the world’s major banks with investigations of real-world attacks to map all the major ATM security issues facing financial institutions.

It claimed that most are exposed either because of physical security shortcomings or software issues.

The latter is mainly due to the majority of ATMs still running Windows XP and XFS – an outdated standard allowing the ATM PC to connect with the rest of the banking infrastructure. This apparently exposes them to exploitation via malware attacks.

XFS requires no authorization for any command it processes, which means any application installed on the ATM can issue commands at will, for example to dispense cash or to turn the PIN pad and card reader into a skimmer.

The second major flaw is that many ATMs are built in such a way that criminals can easily reach the PC or network cable inside.

If they can do this, the robbers could install a black box inside the ATM to give them remote access, or reconnect the machine to a “remote processing center” – allowing them to issue their own commands.

Kaspersky Lab security expert Olga Kochetova argued that too many banks believe incorrectly that criminals are only interested today in online banking heists.

“The results of our research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models,” she added in a statement.

“This makes them unprepared for criminals actively challenging the security of these devices. This is today’s reality that causes banks and their customers huge financial losses.”

To fortify ATMs against such attacks, the XFS standard needs to be updated and enhanced with two-factor authentication between devices and software.

Any data transmitted between the PCs and other pieces of hardware inside the ATM needs to be encrypted and protected with integrity controls, and “authenticated dispensing” applied to block off attacks via fake processing centers, Kochetova added.

A detailed write-up can be found here.

Infosecurity has contacted Kaspersky Lab to ask exactly what percentage of the world’s banks/ATMs are at risk.

Source: Information Security Magazine

Less Than 1% of Severe/Critical Security Alerts Are Ever Investigated

A full 80% of organizations receiving 500 or more severe/critical alerts per day currently investigate fewer than 1% of them.

According to research from EMA, it’s mainly a resource issue: Not only do 68% of organizations suffer from some sort of staffing impact to their security teams, but larger organizations are collecting gigabytes to terabytes of data each day. It is impossible for organizations to hire enough people to create adequate context for the data—and thus provide high-fidelity security information.

A full 88% of the respondents had just one to three people investigating and triaging security events per day. Seven percent (7%) of the manufacturing respondents had 10 or more people working events per day. Ninety-two percent (92%) of organizations were receiving up to 500 events per day, and 88% of respondents said they were receiving up to 500 severe/critical alerts per day.

“This indicates that most of the tickets organizations receive are being classified as severe/critical, which is a common problem created and exacerbated by a lack of context to properly prioritize the events,” the report noted.

Sadly, 60% of the organizations that received between 500 and 999 severe/critical alerts per day only had three to five FTEs working those events. To make matters worse, 67% of organizations were only able to investigate 10 or fewer of their severe/critical events per day, and 88% of the participants indicated their teams were only able to investigate 25 or fewer severe/critical events per day.

The adoption of tools that automate data capture can help with the issue. These also increase the level of high-fidelity security information available to IT teams, greatly minimizing the risk of security breaches and the subsequent damage to targeted companies. But the report points out that some companies simply have a false bravado, thinking that they don’t need that type of tool.

The opposite is typically true.

“Some companies turn a blind eye to network segments by not having their monitoring systems turned on or even installed, while others have log detail and collection settings that may not be high enough to provide sufficient detail,” said David Monahan, research director for Security and Risk Management at EMA. “The data tells us they prefer to believe that they are protected, when in truth they are not. This phenomenon was common across various industry verticals and organization sizes, and was termed the ‘bravado factor’.”

This is translating into a lack of adoption of advanced data tools. The report found that only 36% of organizations are using deep packet inspection (DPI), and only 42% of organizations are using netflow. This is even lower in key industries like healthcare/medical/pharma, where only 27% and 36% of organizations were using NetFlow and DPI, respectively.

Interestingly, when usage is broken down by organization size, midmarket organizations indicated much higher use (58%/45% respectively) than either SMBs (28%/28%) or enterprises (33%/38% respectively).

Incident response (IR) followed the same trend. A majority (92%) of respondents indicated their IR programs for endpoint incidents were “competent” or better, and 90% indicated the same for their network security.

Of all respondents, only those in retail organizations rated incident response as crucial to their program. And still, only 11% of retail respondents rated it as such.

In the end, detailed analysis showed that in aggregate, 80% of the organizations receiving 500 or more severe/critical alerts per day were only able to investigate 11 to 25 of those events per day, leaving them with what EMA characterized as “a huge, and frankly insurmountable, daily gap.”

“Either due to a lack of tools to collect data or a lack of tools with the ability to analyze data, this issue is created by a lack of high-fidelity security information. This issue is broad, affecting organizations of all sizes,” the report concluded.

Source: Information Security Magazine

Jaku Botnet Rises in the East

A previously unknown botnet has been uncovered, built for multi-stage tracking and data exfiltration, primarily of targets in Asia.

According to Forcepoint’s 2016 Global Threat Report, Jaku has claimed 19,000 victims across 134 countries so far.

“Jaku herds victims en masse and conducts highly targeted attacks on specific victims through the execution of concurrent operational campaigns,” it explained.

Technical details are still forthcoming from the firm in May, but it did say that payloads are delivered via exposure to compromised BitTorrent sites, the use of unlicensed software and the downloading of warez. It also uses a raft of evasion techniques, such as cryptography, steganography, fake file types, stealth injection, antivirus engine detection and more.

Forcepoint said that the victims are located around the globe, but there’s significant clustering in Asia, especially Japan, South Korea and China. The command and control servers are located in Malaysia, Thailand and Singapore.

Jaku was discovered as a result of a six-month investigation by Forcepoint’s Special Investigations (SI) team, as detailed in the company’s report. Forcepoint has built on Kaspersky’s previous Dark Hotel campaign research, and engaged with the UK National Crime Agency (NCA), CERT-UK, Europol and Interpol.

To avoid infection, Forcepoint recommended that companies build processes within the organization to reduce potential dwell time, and limit or avoid contact with torrent sites and illegal software. They should also monitor for unusual activity, such as traffic sent to command and control servers known to threat intelligence systems.

The report also detailed a variety of trends to watch, including a new crop of opportunistic ransomware, anti-malware tools and issues caused by the ever-dissolving perimeter. Ransomware has led a spike in malicious content in email, which increased 250% compared to 2014. It’s part of a continuing convergence of email and web attack vectors, the firm pointed out: In fact, nine out of 10 unwanted emails contain one or more URLs; and millions of malicious macros are being sent.

Organizations are also faced with increases in data breaches caused by both malicious and “accidental” insiders, and inconsistent security controls between cloud providers and businesses.

“The rapid evolution of the cyber threat environment has consequences that are much broader than just technical, operational, and financial—they can impact every piece of a business,” said Forcepoint chief scientist Richard Ford. “With this Threat Report, we want to demystify these threats and help enable businesses with tools, recommendations and, quite simply, knowledge, so they can continue to move forward without fear.”

Source: Information Security Magazine

BT Tower Hosts Mock Retail Breach

At the weekend, 24 candidates were tasked with tracking down the perpetrators of a data breach who had stolen money using unauthorised bank transfers, physical compromise, LAN intrusion and point of sale devices.

In the second face-to-face challenge in Cyber Security Challenge UK’s 2016 series of competitions, the BT Tower hosted a mock investigation into a cyber-attack, in a bid to find the country’s best hidden cyber security talent.

The candidates, selected from a series of online qualifying rounds, were invited to compete against each other to investigate how a fictitious retail company came under vicious cyber-attack, show off their abilities in front of prospective employers and qualify for the Challenge’s grand final Masterclass competition.

Stephanie Daman, CEO of the Cyber Security Challenge UK, said: “Our events are designed to accurately represent the scenarios that cybersecurity experts in the field experience on a day-to-day basis. The competition that BT has developed plays on current data breaches and hacking techniques and is designed to look for the skills that employers need today.”

The competition was closely monitored by BT’s security team and assessors from top cybersecurity organisations, who judged the candidates on how well they performed tasks in-line with industry best practice. The top performers in this event qualified for the Cyber Security Challenge UK Masterclass which takes place in November this year.

Team Margaret Rock were the winning team on the day, with Tomas Evans from Wales the overall winner of the competition. Nicolay Ulmasov and David Buchanan finished second and third respectively. The top eight competitors have also progressed to Masterclass in November.

“I am delighted to win the BT face-to-face competition, I had a great time with my team and the competition really tested my technical abilities. I’m looking forward to Masterclass and progressing my career in cyber security,” said Evans.

Source: Information Security Magazine

Feds Drop Brooklyn iPhone Access Request

The US Justice Department appears to have missed another opportunity to set a legal precedent forcing Apple to unlock an iPhone, after it dropped a court case when an unnamed individual provided the passcode.

A letter filed by prosecutors in a federal court in Brooklyn at the end of last week claimed abruptly that the FBI “no longer needs Apple’s assistance.”

Although it’s not clear who provided the all-important passcode, the smart money would be on the device owner – suspected drug trafficker Jun Feng.

The case predates the more widely publicized San Bernardino case, in which the Feds eventually dropped their demand that Apple provide backdoor access to the device, after reportedly paying a third party in the region of $1 million to provide access.

In the Brooklyn case, the device is running iOS 7 which – unlike the iOS 9 handset in San Bernardino – Apple could technically provide access to fairly simply, as it doesn’t feature the same strong encryption system.

Prior to their sudden decision to drop the case, the Feds were appealing Judge Orenstein’s decision in February that the All Writs Act of 1789 couldn’t be used by the FBI to compel Apple to open up the device.

Justice Department spokeswoman, Emily Pierce, told Reuters that its cases have “never been about setting a court precedent; they are about law enforcement’s ability and need to access evidence on devices pursuant to lawful court orders and search warrants.”

Attention will now shift to the draft Feinstein-Burr anti-encryption bill – aka the Compliance with Court Orders Act – which would force the hand of companies like Apple in such cases to submit to the FBI’s demands.

Reports suggest that the Feds still have hundreds of locked devices they want to access as part of ongoing investigations.

According to information released by the American Civil Liberties Union last month, the US government has applied for an order under the All Writs Act to force Apple or Google to provide assistance in accessing data stored on a mobile device on over 60 separate occasions.

Source: Information Security Magazine

Verizon Data Breach Investigations Report: 93% of Compromises Take Less Than an Hour

Organizations are still failing on security basics like good password management and regular patching, with hackers taking less than an hour to compromise systems in 93% of cases, according to Verizon.

The firm analyzed more than 100,000 security incidents and 2,260 confirmed breaches to compile its annual Data Breach Investigations Report (DBIR) this year.

The findings should be a wake-up call to organizations globally.

While attackers had no trouble in compromising systems quickly over the reporting period, it took victims weeks or more to find out they’d been breached, in a shocking 83% of cases. And the longer a breach goes unreported, the bigger the impact.

Almost two-thirds of breaches were made possible by the use of weak, default or stolen passwords, offering yet more evidence that two-factor authentication or at least password manager tools should be used by firms, especially on privileged accounts.

“There’s no such thing as an impenetrable system, but often even a half-decent defense will deter many cybercriminals – they’ll move on and look for an easier target. Sadly, many organizations fail to achieve even that modest ambition,” the report noted.

Almost all breaches (95%) are covered by nine patterns.

Although “miscellaneous error,” including staff sending information to the wrong person, accounted for the largest number of breaches (17.7%), insider and privilege misuse featured in 16.3% of cases.

The latter is particularly damaging to organizations as in 70% of cases a breach involving insider misuse took months or years to discover.

Unsurprisingly, point of sale (POS) intrusions dominated hospitality breaches, accounting for 95%, while physical theft or loss was the third biggest factor in breaches overall.

Worryingly, over a third of theft (39%) was from employees’ own work areas while 34% came from their vehicles – emphasizing the need for better staff education, and encryption for sensitive data.

Verizon also claimed in the report that while there has not been a “significant volume” of mobile or IoT-based threats, “it’s only a matter of time before we see a largescale breach.”

However, when asked by Infosecurity, the company claimed it couldn’t predict which specifically vulnerable areas black hats would look to target to exploit these systems.

Some of the security basics organizations should start thinking about include better staff training; effective patch management; use of 2FA; access policies of “least privilege”; and log files and change management systems to provide early warning of breaches.

Source: Information Security Magazine

Beautiful People Suffers Ugly Data Breach

Controversial dating site Beautiful People has been breached and a trove of sensitive data on over one million of its members leaked onto the cyber underground for sale, according to reports.

The data, which apparently includes all the things you’d expect from a dating site – including sexual preferences, email addresses, phone numbers and salary information – could be useful in follow-up scams and phishing attacks.

It appears to have been taken from an unsecured MongoDB database being used as a test server, yet populated with real users’ information.

Security researcher Chris Vickery told Wired that he found the database without password protection. Although the dating site was informed and claimed to have addressed the flaw – just before Christmas last year – it appears that a black hat had already lifted the treasure trove of personal data.

For its part, Beautiful People claimed in a statement that it was informing all affected users about the breach, as it did back in December 2015.

It added:

“The breach involves data that was provided by members prior to mid July 2015. No more recent user data or any data relating to users who joined from mid July 2015 onward is affected.”

The site is unusual, and somewhat controversial, in requesting members to vote on the attractiveness of others on the platform. In fact, it claims that “existing members hold the key to the door.”

The breach is nowhere near as bad – both in the volume and type of data exposed – as the Ashley Madison hack, but it could still put over a million users at risk from follow-on attacks.

As for MongoDB – configurations of the NoSQL database have been found wanting on numerous occasions in the past when it comes to security.

Most notable of these was just this week when Vickery again revealed a database containing the details of around 90 million Mexican voters had been left publicly accessible on an Amazon cloud server.

For its part, MongoDB argued that the fault was with users of the database who had incorrectly configured it.

“There is no security issue with MongoDB – extensive security capabilities are included with MongoDB,” said vice president of strategy, Kelly Stirman, in a statement emailed to Infosecurity.

“We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarized here, or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices.”
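As an added illustration (not part of the article, and not MongoDB’s own documentation), the kind of `mongod.conf` that leaves a database reachable without a password, beside a hardened version; the address and port values are constructed placeholders.

```yaml
# --- Weak configuration (constructed example) ---
# Listens on every interface and has no `security` section, so authorization
# is disabled: anyone who can reach TCP/27017 can read and write every
# collection, which is how "test" servers holding real user data end up exposed.
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network, including the Internet

---
# --- Hardened configuration (constructed example) ---
net:
  port: 27017
  # Loopback plus the one internal interface the application tier uses.
  # 192.0.2.10 is a documentation-range placeholder, not a real address.
  bindIp: 127.0.0.1,192.0.2.10
security:
  # Every client must authenticate, and role-based access control decides
  # which databases and collections each account may touch.
  authorization: enabled
```

Enabling `authorization` is only useful once an administrative user exists; with it enabled and no users yet defined, MongoDB’s localhost exception allows that first user to be created from the loopback interface only. Restricting `bindIp` still matters even with authorization on, since an unreachable port cannot be brute-forced or probed at all.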

Rob Norris, director of enterprise & cyber security EMEIA at Fujitsu, claimed recent research by his firm revealed just 9% of consumers think UK organizations are doing enough to protect their data.

“This means that organizations must not only ensure that they are using every possible method to protect customer data – from data encryption to robust firewalls – but they need to truly remain transparent with customers to instill confidence when it comes to data security,” he added.

Source: Information Security Magazine

Old-School Android Ransomware Gets New-School Attack Vector

A novel Android attack method for ransomware has been unearthed in the form of an almost silent exploit kit—which threatens tablets, phones and set-top video streaming devices alike. But while the attack vector appears to be brand-new, the payload is decidedly old-school, hearkening back to pre-crypto “scareware” tactics.

According to Blue Coat Labs, the EK is using several vulnerabilities to install malware onto the victim’s phone or tablet in the background—without any user interaction at all on the part of the victim. During the attack, the device did not display the normal “application permissions” dialog box that typically precedes installation of an Android application.

The exploits are commoditized implementations of leaked Hacking Team and Towelroot fare.

“After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the JavaScript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach,” said Blue Coat researcher Andrew Brandt, in an analysis. “Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the ‘futex’ or ‘Towelroot’ exploit that was first disclosed at the end of 2014….The ELF payload in turn contains code that downloads and installs an Android .apk application—which is a ransomware Trojan.”

The ransomware labels itself Cyber.Police, and is a version of older, pre-cryptographic ransomware families. It presents itself as a sort of law enforcement or intelligence agency intervention into browsing habits. The ransomware doesn’t threaten to (or actually) encrypt the victim’s data. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes.

“That’s unusual because it’s far more common nowadays for ransomware to demand non-trackable cryptocurrency, like Bitcoins,” Brandt said. “In theory, it might be possible for Apple (or its iTunes gift card partners) to track who used the gift cards provided to the criminals, which may help investigators identify them.”

The lab device, an older Samsung tablet, was running the CyanogenMod 10 version of Android 4.2.2 at the time it was infected. But the researcher cautioned that over-the-top video players running Android are also at risk.

“Older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity,” Brandt said. “That includes so-called media player devices—basically inexpensive, Android-driven video playback devices meant to be connected to TVs—many of which run the 4.x branch of the Android OS. Some of these older Android devices are now in the same situation as PCs running Windows XP: The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection.”

The attack, which has been going on at least since February 22 and possibly before, appears to affect at least 224 unique device models running a range of Android versions between 4.0.3 and 4.4.4.

As with other ransomware, the best way to defeat the criminals is to keep a backup of those precious photos, videos, and other data files somewhere other than on your phone or tablet’s internal memory or memory card. That way, users can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall a mobile device’s apps. Using a more up-to-date browser than the built-in browser app included with Android 4.x devices is also highly recommended.

Source: Information Security Magazine

Sony Finally Implements 2FA for PlayStation Network

Sony, five years after a massive hack exposed user data for 77 million people, has finally implemented two-factor authentication for the PlayStation Network.

There hasn’t yet been an official statement on the development, but a Twitter user saw a reference to 2FA in the latest 4.80 firmware update for the PlayStation 3. A Sony representative then went on to confirm that implementation plans are indeed underway, and that “more details will be shared at a later date.”

The 2011 PlayStation hack exposed the personal information of the entire PSN user base, including users’ account names, dates of birth, email addresses and credit card details. The incident, which Anonymous took credit for, forced the company to shut down its entire system for almost a month.

After that, November 2014 brought the news that Sony Pictures Entertainment’s corporate network had been taken out, and vast quantities of Sony Pictures’ data had been stolen, including confidential personal and salary details. In addition, hackers leaked online upcoming Sony Pictures films including Fury. It was reported that Sony had stored passwords in a folder called, unambiguously, ‘Passwords.’

2FA has gained a higher profile, thanks to the slew of recent breaches that demonstrate how easy it is for attackers to compromise credentials of all stripes. And, there is little doubt that cyber-criminals are becoming more adept at compromising personal data. From Ashley Madison to TalkTalk to the Office of Personnel Management, millions of users were victims of online crime. These attacks have also precipitated aggressive measures. For example, in November Amazon had to force-reset accounts due to fears of a password leak.

“From email to social media to your online bank account, just about every online identity requires a password. In this high-tech age, passwords are a way of life. Many, however, are making some low-tech choices—as evidenced by the 35% of individuals who write down passwords,” said Craig Lund, SecureAuth CEO. “Cyberattacks cost millions of dollars a year, hurt individuals and lead to long, drawn-out lawsuits. Just ask the FBI, Target or IRS. It’s in everyone’s best interest to make it difficult for attackers to cause damage—now we just need to reframe what defines safe when connected online.”

It’s about time that Sony added 2FA to the mix. Microsoft, in contrast, has been providing two-step verification to its Xbox Live users since 2013. The feature is also used on Battle.net and Steam.

Source: Information Security Magazine