
Archive for April 2016

New TeslaCrypt Variant Hidden in Delivery Tracker Email

Cyber Operations Platform Endgame has unearthed a new variant of ransomware that disguises itself as an email with tracking details for a “recent order”.

According to a blog post on the firm’s website, a researcher recently stumbled across a suspicious set of emails which detailed the successful delivery of a package. These were soon determined to be part of a widespread spam campaign attempting to deliver TeslaCrypt 4.1A to individuals who click on the link provided within the message.

Endgame were quick to point out that the scam has appeared at an interesting and potentially very damaging time. Millions of Americans have just filed their taxes and many could be looking out for tracking information about their returns, so they may inadvertently click into one of these malicious campaigns and find their files locked down.

“Ransomware has become one of the most effective and efficient methods cyber-criminals use to gain access to a victim’s banking details,” Sian John, EMEA chief strategist at Symantec, told Infosecurity. “Mainly as it restricts consumers’ access to their personal data and devices, making the payment of the demanded ransom seem like the best solution for victims to re-gain access to their accounts.”

In the post, Endgame explained that this malware exhibits even greater varieties of anti-analysis and evasion features than previous TeslaCrypt types, with integration of various obfuscation and deception techniques that are indicative of the larger trend in ransomware towards more refined and multi-faceted capabilities.

John said that ransomware is continuously evolving with cyber-criminals adopting multiple changes in how they deliver these attacks, leading to greater effectiveness.

“Over the past year we’ve observed multiple aggressive ransomware attacks which encrypt all of a victim’s digital content and hold it hostage until a ransom is paid.”

“Consumers should be mindful of the way they share personal data online and should make sure to use strong and unique passwords for all online accounts. Furthermore, people should always think before they click and remain wary of any suspicious e-mails, pop-ups or websites. Social engineering and ransomware attacks attempt to trick consumers into thinking their computer is infected, requiring ransom which consumers must not pay under any circumstances. Above all, keeping an offline backup of your data and the use of up-to-date multi-layered advanced threat protection software is a must for both consumers and organizations,” John added.

Source: Information Security Magazine

DDoS-ers Take Down Mitigation Tools in Q1

Cyber-criminals turned up the heat on organizations in Q1 this year with a variety of techniques designed to circumvent DDoS mitigation tools, including multi-vector and high Mpps assaults, according to Imperva Incapsula.

The security vendor claimed in its Q1 2016 Global DDoS Threat Landscape Report that the industry faces an increasing challenge to deal with these more elaborate attacks.

“In the past few months … we have seen more and more attacks orchestrated with mitigation solutions in mind,” wrote Incapsula’s Igal Zeifman in a blog post. “The diversity of attack methods, as well as the experimentation with new attack vectors, suggest that more perpetrators are now re-prioritizing and crafting attacks to take down DDoS mitigation solutions, rather than just the target.”

In this way, the firm has seen an increase in high Mpps network layer DDoS floods, where typically small packets of no more than 100 bytes are fired out at high speed to deluge network switches.

Imperva said it has mitigated one 50+ Mpps attack every four days on average during the quarter.

Attackers are also looking to combine vectors in a single attack to outwit current mitigation strategies – the most common being a high Mpps UDP flood and a bandwidth-consuming DNS amplification attack.

Multi-vector attacks accounted for a third (33.8%) of network layer attacks – a 9.5% increase from the year previous.

On the application layer there was a notable increase in the use of DDoS bots designed to circumvent organizations’ defenses – from just 6% in the previous quarter to 36.6% of total bot traffic in Q1 2016.

“In addition to using more sophisticated bots, we also saw perpetrators explore new ways of executing application layer assaults,” noted Zeifman. “Most notable of these attempts was an HTTP/S POST flood, which used extremely large content-length requests to try and clog the target’s network connection.”
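The two attack shapes described above, a high-Mpps small-packet flood and a POST flood with huge declared Content-Length values, can both be picked out of ordinary flow and proxy records. The following is an added example, not code from the article or from Imperva; the flow and request records are constructed, and the 50 Mpps threshold, the 100-byte packet size and the 100 MB body cap are assumptions taken from the figures quoted here.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One-second traffic aggregates toward a destination, roughly as a NetFlow/sFlow
# collector would export them: (epoch_second, dst_ip, protocol, packets, bytes).
Flow = Tuple[int, str, str, int, int]

# Constructed sample data (not taken from the Imperva report): normal traffic,
# then one second in which 203.0.113.10 receives a 52 Mpps small-packet UDP flood.
SAMPLE_FLOWS: List[Flow] = [
    (1_460_000_000, "203.0.113.10", "TCP", 120_000, 96_000_000),        # ~800 B/pkt
    (1_460_000_000, "203.0.113.10", "UDP", 5_000, 3_000_000),           # ~600 B/pkt
    (1_460_000_001, "203.0.113.10", "TCP", 130_000, 104_000_000),
    (1_460_000_001, "203.0.113.10", "UDP", 52_000_000, 3_900_000_000),  # 75 B/pkt
    (1_460_000_001, "203.0.113.20", "TCP", 80_000, 64_000_000),
]

PPS_THRESHOLD = 50_000_000   # the "50+ Mpps" floods the report counts (assumed cut-off)
SMALL_PKT_BYTES = 100        # "no more than 100 bytes" per packet


def find_pps_floods(flows: Iterable[Flow], pps_threshold: int = PPS_THRESHOLD,
                    small_pkt_bytes: int = SMALL_PKT_BYTES) -> List[Tuple[int, str, int, float]]:
    """Return (second, dst_ip, packets, avg_bytes_per_packet) for every second in
    which one destination receives at least pps_threshold packets whose average
    size is at or below small_pkt_bytes, i.e. a high-Mpps small-packet flood."""
    agg: Dict[Tuple[int, str], List[int]] = defaultdict(lambda: [0, 0])
    for second, dst, _proto, packets, nbytes in flows:   # sum all protocols per target
        agg[(second, dst)][0] += packets
        agg[(second, dst)][1] += nbytes
    alerts = []
    for (second, dst), (packets, nbytes) in sorted(agg.items()):
        avg = nbytes / packets if packets else 0.0
        if packets >= pps_threshold and avg <= small_pkt_bytes:
            alerts.append((second, dst, packets, round(avg, 1)))
    return alerts


# Constructed application-layer records, as a reverse proxy might log them:
# (client_ip, method, path, declared Content-Length, body bytes actually received).
Request = Tuple[str, str, str, int, int]
SAMPLE_REQUESTS: List[Request] = [
    ("198.51.100.7", "POST", "/upload", 2_048_576, 2_048_576),   # legitimate 2 MB upload
    ("198.51.100.9", "POST", "/login", 1_073_741_824, 512),      # 1 GiB declared, 512 B sent
    ("198.51.100.9", "POST", "/login", 1_073_741_824, 480),
    ("198.51.100.9", "POST", "/login", 1_073_741_824, 500),
    ("198.51.100.11", "GET", "/", 0, 0),
]

MAX_DECLARED_BODY = 100 * 1024 * 1024   # assumed site limit (e.g. nginx client_max_body_size)


def find_post_floods(requests: Iterable[Request], max_declared: int = MAX_DECLARED_BODY,
                     min_repeats: int = 3) -> Dict[str, int]:
    """Return {client_ip: count} for clients that repeatedly POST a Content-Length
    above max_declared while delivering less than a thousandth of it, the
    signature of a request that exists only to hold a connection open."""
    counts: Dict[str, int] = defaultdict(int)
    for client, method, _path, declared, received in requests:
        if method == "POST" and declared > max_declared and received < declared // 1000:
            counts[client] += 1
    return {client: n for client, n in counts.items() if n >= min_repeats}


if __name__ == "__main__":
    for second, dst, pps, avg in find_pps_floods(SAMPLE_FLOWS):
        print(f"t={second} {dst}: {pps / 1e6:.1f} Mpps, avg {avg} B/pkt")
    for client, n in find_post_floods(SAMPLE_REQUESTS).items():
        print(f"{client}: {n} oversized-Content-Length POSTs")
```

Both checks are deliberately per-target and per-client so that a legitimate large upload or a single busy second of normal-sized packets does not trip them.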

There’s also been an increase in frequency, with half of all targets attacked more than once.

South Korea (29.5%), Russia (10.8%) and Ukraine (10.1%) were the top three attacking countries and the United States (50.3%), the UK (9.2%) and Japan (6.7%) were the most targeted countries.

Zeifman told Infosecurity that DDoS attacks are in some cases still being used as a smokescreen for an attempt to compromise an organization’s web app and database.

“However, in other cases, what we see are attackers throwing everything they can at the target in the hopes of finding a soft spot, or simply to cause as much damage as possible,” he added.

“Having said that, the majority of attacks we mitigate are short term bursts, launched by amateurs using DDoS-for-hire services. The motivations for launching these assaults are less thought out. Typically, these are acts of simple vandalism or a part of a cyber extortion campaign. In both cases, the perpetrators’ primary goal is to take the target offline and inflict financial and reputational damage – either for bragging rights or for profit.”

Source: Information Security Magazine

ICO Bemoans Privacy Shield Failure

The review of the proposed Privacy Shield data transfer agreement should have been done more formally and asked the correct questions.

Speaking at the IAPP Conference in London, outgoing Information Commissioner Christopher Graham, whose seven-year term ends in June, said that he “wished we had been involved” in discussions around Privacy Shield.

He said that when the Article 29 Working Party was reviewing the documents, it would have been sensible for the European Court of Justice and the USA to sit down and ask the important questions about the proposal, including questions about the lack of clarity in the documentation and the justification for bulk data collection.

“We were concerned about the process of transferring data to the USA which was moved on to third countries, and these are perfectly reasonable questions to ask and if there are not answers, there will only be trouble down the road,” he said.

“I would urge corporates – who have an interest in getting this thing sorted out so we can move on to more constructive uses of our time – to have a word in the ear of the administration to get answers to the questions so we can all move along, as the amount of data moving between Europe and the USA is important, and that underpins the prosperity on both sides of the Atlantic. So we need to get on with that.”

Last week the Article 29 Working Party – a group comprised of representatives from member states’ data protection authorities – rejected the Privacy Shield data sharing agreement between the EU and the United States, claiming that several points need to be clarified to ensure the safety of citizens’ data.

It said in a statement that while it welcomes the significant improvements brought by the Privacy Shield compared to the Safe Harbor decision, it had strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.

Source: Information Security Magazine

Nearly One Third of Android Users Don’t Get Patches

Some 29% of global Android devices are running a version of the OS earlier than 4.4.4, meaning they aren’t supported by security updates, according to Google.

The tech giant’s Android Security 2015 Annual Report had the following (h/t The Register):

“The Android Security Team regularly provides security patches to manufacturers for Android 4.4.4 and higher so they can provide security updates to their devices. 70.8% of all active Android devices are on a version that we support with patches.”

Google estimates in the report that the Android ecosystem features over one billion devices, in which case at least 292 million smartphones and tablets based on the operating system are at risk in the wild today, and probably many more than that.

They won’t benefit from Google’s laudable attempts to improve security in the ecosystem.

These include bringing Android into the Vulnerability Rewards Program to encourage white hats to find bugs, and the launch of a monthly public security update program and security update lifecycle for Nexus devices – the latter encouraging hardware partners to do the same, according to lead engineer, Adrian Ludwig.

These hundreds of millions of users will also not be able to take advantage of the security features in the latest Android version, Marshmallow (6.0), which include full disk encryption; more granular app permissions; verified boot functionality; support for fingerprint scanners; and a patch level checker.

Google was keen to draw attention to other security accomplishments over the past year, including scanning 400 million devices each day automatically for network and on-device threats via Google Mobile Services; and Verify Apps, which has kept Potentially Harmful Applications (PHAs) off the vast majority of devices.

Just 0.15% of those which download solely from Google Play have installed a PHA.

Tripwire security researcher, Craig Young, argued that Google has done a great job of security in the past few releases of Android, but that this work has been undermined by users not upgrading.

“Unfortunately Android’s platform dashboard shows that there are more devices running completely unsupported software than there are devices running with the two latest (5.1 and 6.0) releases,” he explained.

“This is definitely a big problem for Android. Patching this bug in the Android ecosystem will probably mean more rules for handset manufacturers to follow if they wish to ship devices with Google’s proprietary apps.”

Source: Information Security Magazine

Conficker and Cutwail Botnets Still Bother Businesses

Redundant botnets were responsible for 35% of recognized attacks in March, according to data collected by Check Point.

It said that Conficker was the most prominent family with 20% of the recognized attacks; Sality was responsible for 9.5%, and Cutwail for 4% of the recognized attacks. It said that this highlights the fact that cyber-criminals do not need to develop entirely new malware to launch damaging attacks; they simply need to make small changes to existing families to enable the updated variant to bypass traditional security measures.

Orli Gan, Head of Threat Prevention, Product Management at Check Point, told Infosecurity that the reason that so many old botnets remain active is because too few companies have advanced threat prevention technologies in place.

“I am not just saying that because I am a vendor and want to see the market grow, but the truth of the matter is a small percentage of companies actually have advanced technologies deployed,” she said. “It will take time and the more you hear about companies being hit and more damage being done, the more boardroom discussions will occur and people will ask the right questions and the right solutions will surface. It is much cheaper to buy security than to deal with an infection, but some companies really need to deal with an infection before they realize it.”

The Conficker worm was prevalent in 2009, when it was estimated to have infected more than three million PCs. The Sality virus allows remote operations and downloads of additional malware to infected systems by its operator. The Cutwail botnet mostly sent spam emails relating to Valentine’s Day or Hallowe’en.

In an email to Infosecurity, Luis Corrons, PandaLabs technical director at Panda Security, said that these botnets are persistent and keep infecting people who run unprotected systems.

“Good news is that I expect this will eventually die at some point, or at least stop being that prevalent,” he said. “As old computers die and people migrate to Windows 10, the landscape changes for the better. Windows 10 will turn its own anti-virus on where there is no protection on the computer, and even though it might not be the best security solution, it can handle old threats such as Conficker and Sality.”

Source: Information Security Magazine

Mobile Apps and Sites Continue to Leak Sensitive Data

New research from mobile data security and management firm Wandera has revealed that high-profile apps and mobile websites are continuing to leak sensitive data.

The Mobile Data Report Q1 2016 discovered that the number of apps and sites that are failing to secure credit card information has increased by 17% in the first quarter of 2016, compared to the final three months of last year.

Furthermore, Wandera found an alarming surge in the amount of malicious domains visited by users. A massive 200% increase per month through the quarter was attributed to a concerning rise in ad frameworks used within apps and websites that are directing users to domains with a history of malicious activity.

“The report illustrates that despite their best efforts in avoiding malware, for instance through identifying phishing attacks, users are unfortunately being caught unawares by compromised ad frameworks in trusted apps,” said Eldar Tuvey, CEO of Wandera.

“App owners themselves are not directly responsible for the adverts that may appear within their apps, as they come from the frameworks, so CIOs must help their employees with further detailed education on what may constitute a compromised ad,” he added.

Perhaps unsurprisingly, half of the top 10 data consuming apps accessed on enterprise devices were non-work-related, with Facebook, Instagram, Twitter and WhatsApp all proving popular, suggesting companies are failing to control the app usage of their employees.

“CIOs need to be appreciative of how non-work-related apps such as Facebook and Snapchat are swallowing up huge portions of corporate data allowances, leaving an enterprise at risk of bill shock. Usage rules and education are the most effective means of minimizing excessive consumption of data,” said Tuvey.

On a more positive note, the report did find that encryption is on the up with 70% of the data from apps now encrypted, an increase of 21% in the last 12 months. Encryption of data within browsers has also risen, although this was by a less significant 13%. What this shows is that developers and brands are clearly recognizing the importance of encryption, even if there is still work to be done to ensure awareness continues to accelerate.

In a statement to Infosecurity, Luis Corrons, PandaLabs technical director at Panda Security, explained that technology companies have been aware of the need for better encryption for a number of years, but issues such as implementation complexity and a lack of understanding have often prevented it from being properly applied.

However, with the general public now demanding more products and services that guarantee their privacy, companies are becoming more willing to attract customers by satisfying those requests with better encryption, Corrons added.

“If we want to implement good layered security,” he continued, “one of these layers is undoubtedly encryption to all processes that work with critical information such as credentials, confidential documents, communications, etc. It will increase our security and is a must if we are possible targets of a cyber-attack – which is pretty much all companies these days.”

Source: Information Security Magazine

UK Firms Failing on Free Wi-Fi Security

UK organizations are falling behind their global counterparts when it comes to recognizing the risk of allowing mobile workers to use free Wi-Fi networks, according to a new study from iPass.

The mobile connectivity firm interviewed 500 CIOs and IT decision makers from the US, UK, Germany and France to compile the iPass Mobile Security Report.

It found that, while 62% of global organizations now forbid their staff from using free Wi-Fi when out and about, and a further 20% plan to do so in the future, nearly half (47%) of those in the UK still allow their mobile workers to log on via these public hubs.

In fact, in the UK, employees were seen as the biggest mobile security threat by 64% of respondents. This is in contrast to the US, where insecure hotspots (53%) are viewed as the number one threat.

On average, 94% of global respondents said they saw free Wi-Fi as a significant mobile security threat, while 92% claimed they were concerned about the security challenges posed by a growing mobile workforce.

iPass VP of engineering, Keith Waldorf, argued that organizations need to better balance the need for low-cost and convenient connectivity against security.

“Wi-Fi is a disruptive technology that has changed the way people work, but in recent times it has also introduced formidable mobile security concerns,” he added.

“Being connected is the basic requirement of every mobile worker. However, with increasing numbers of businesses falling foul to security breaches, the number of organizations expressing a concern about mobile security is high.”

The report also revealed that although many remote workers have the option of using VPNs to secure access into the corporate network, only 26% of respondents said they’re confident that mobile staff use these at all times.

The dangers of logging in to corporate networks or sensitive online services via free and/or public Wi-Fi have long been known.

In fact, last year, F-Secure demonstrated just how easy it is – hacking the personal devices and accounts of several high profile lawmakers.

iPass VP EMEA and APAC, Mato Petrusic, explained that Man in the Middle attacks are among the most common risks associated with using free networks, allowing the hacker to grab passwords for sensitive online and corporate accounts.

“Another type of attack with a similar goal uses ‘packet sniffing’ technology to capture data transmitted over a shared network. In this case, an attacker reads your data over an unsecured network and can decide to modify it, without the knowledge of sender or recipient,” he told Infosecurity.

“Such an attack then allows the hacker to do things such as seed false information, for example, which could be incredibly damaging to a company.”

Source: Information Security Magazine

UK Voters Head Happily Towards Surveillance State

UK citizens are sleepwalking into a surveillance state nightmare, with three-quarters not even aware of the hugely contentious Investigatory Powers Bill (IPB) currently being debated in parliament, according to a new study.

Broadband Genie interviewed 1600 adults in the UK on the controversial proposed legislation and found a worrying lack of engagement or awareness about the IPB, also dubbed the ‘Snoopers’ Charter.’

Despite over a third of respondents (36%) claiming they support the IPB, nearly half (44%) said they didn’t think police should have the right to access encrypted communications and devices – one of the main tenets of the new legislation.

The bill itself introduces a number of controversial elements, including a requirement for ISPs to hold web browsing records for a year so that police can access them in investigations.

It is also set to enshrine in law “bulk interception warrants” and “bulk equipment interference warrants” and gives the green light to police to force companies to remove encryption where it is “practical” to do so.

“We are still waiting for evidence that programs that put us all under surveillance are the most effective way to combat terrorism. Previous terrorist incidents, such as the attacks in Paris and Belgium and the murder of Lee Rigby, were committed by people already known to the intelligence agencies,” argued Open Rights Group executive director, Jim Killock.

“There have been repeated calls for operational cases about the effectiveness of surveillance to be made; the Home Office has provided some anecdotal evidence but not a full cost benefit analysis.”

The Snoopers’ Charter itself has come under repeated criticism from industry experts and lawmakers – criticism roundly ignored by the government, which is trying to rush it through parliament.

An open letter criticizing the bill was sent to the government, signed by over 200 of the country’s top lawyers, and three major parliamentary committees tasked with scrutinizing it have also voiced significant concerns – calling for over 100 changes to be made to the draft legislation.

“We will be the only European country that forces Internet Service Providers to record the internet browsing history of its citizens” said Killock. “Even if individuals are unperturbed by this breach of their privacy, they should be made aware of the impact the bill will have on business, journalists, lawyers and activists.”

Source: Information Security Magazine

Oracle CPU Fixes 121 Bugs

Oracle has released its latest Critical Patch Update round, this time addressing a whopping 121 bugs in a range of products.

There were five fixes for the Oracle Database Server, including two that could be remotely exploited without authentication.

Also featured were 22 fixes for Oracle Fusion Middleware, all but one of which were remote code execution flaws. One of these – CVE-2016-3455 – was allocated a CVSSv2 base score of 9.0.

Oracle’s Enterprise Manager Grid Control needed just two fixes, while the E-Business Suite was allocated seven, the Supply Chain Products Suite six, PeopleSoft Products 15, JD Edwards Products one, Siebel CRM two, Oracle Communications Applications one, Oracle Retail Applications three, Oracle Health Sciences Applications one, and Oracle Financial Services Software four.

There were nine fixes for Java SE – including four rated CVSSv2 10.0 – 18 for Sun Systems Products, four for Oracle Virtualization, 31 for MySQL, and five fixes for Oracle Berkeley DB.

In total, seven of the 121 flaws were rated the highest score on the CVSSv2 system of 10.0 – all of which “fit the pattern of those exploited in less than a month,” according to Shavlik products manager, Chris Goettl.

“With that in mind, I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle,” he advised.

“I know many of you are already a week in, but these are vulnerabilities that stand a higher chance of being exploited before your next monthly patch cycle.”

Goettl explained that admins should check Metasploit to see whether exploit code for specific vulnerabilities is available.

“If it is in Metasploit, it is also in the threat actor’s hands,” he added. “Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.”

Verizon’s Data Breach Investigations Report also provides a useful profile of the bugs more likely to be exploited, Goettl claimed.

Source: Information Security Magazine

#CPX2016: With Cyber Security in Great Growth, What do you Drop?

Part of the future is reacting and responding, but also preparing and predicting.

Speaking at the Check Point conference in Nice, Dan Burrus, futurist and NY Times bestselling author, said that in technology we have been one step behind, and while we cannot go back and change the past, we can shape the future. “Not just about being busy, be strategic,” he said. “We live in a world of uncertainty – what will happen with stock, investments; in a world of uncertainty what am I certain about?”

He focused on hard trends which are based on future facts, and soft trends that are based on assumptions. He made a short range prediction that “in the next five years we will transform how we secure things”.

Burrus went on to say: “We are transforming cybersecurity right now as if we don’t we won’t be happy next year. We need to do it together with shared knowledge and understanding and learning from each other and taking organizations and our careers to the next level as well.”

He concluded with an analogy of the security manager as a juggler: they are all already juggling the maximum number of balls, so if someone throws you another ball you will drop them all. “So ask yourself, which one is less relevant in a world of transformation change so you can drop one. We are reinventing the profession now and there has never been as much opportunity to make as much change as you have now.”

Source: Information Security Magazine