
Archive for May 2016

DDoS-for-Hire Services Go Up on Fiverr for 5 Bucks

In a new wrinkle in cybercriminal business modeling, distributed denial of service (DDoS)-for-hire services are being offered on the popular website Fiverr—where, as its name suggests, various professional services are offered for $5.

According to Imperva, DDoS-for-hire services are a widespread business for hackers, typically billing themselves as “stressor” services to “help test the resilience of your own server.” In reality, they’re renting out access to a network of enslaved botnet devices (e.g., Trojan-infected PCs), which are used as a platform to launch DDoS attacks. And once a user hands over his money, the criminals don’t care whose servers are ‘stress tested.’

A year ago, Imperva’s survey of the 20 most common stressor services showed that the average price was $38 per hour, and went as low as $19. Recently, the SecureWorks Underground Hacker Marketplace Report showed that, on the bottom end, the cost of hiring such a service on the Russian underground dropped to just five dollars per hour.

“The price tag made us think of Fiverr—a trendy online marketplace where various professional services are offered for five bucks,” Incapsula researchers said, in a blog. “Would DDoS dealers have the audacity to use this platform to push their wares? A quick site search confirmed that, in fact, they would.”

Imperva reached out to see if the Fiverr offers were the innocent stress testers they claimed to be.

“To do so, we created an account on Fiverr and asked each of the stressor providers the following question: Regarding the stress test, does the site have to be my own?” the researchers noted. “Most had the good sense to ignore our message. One suggested that we talk on Skype.”

In the end, an offering with a skull-and-crossbones image that offered to “massive DDoS attack your website” responded, saying: “Honestly, you [can] test any site. Except government state websites, hospitals.”

Imperva quickly contacted Fiverr to let them know about the misuse of their service—they responded and acted to remove the providers. “Fiverr’s decisive action should serve as an example to an online community that, by and large, has accepted the existence of illegal stressors as a fact of life,” the researchers noted.

Source: Information Security Magazine

52% of Consumers Want Biometrics and Other Post-Password Options

Just as Google’s post-password play moves forward with major banks, a new survey has revealed that 52% of consumers want biometrics and other modern authentication methods to replace traditional passwords.

According to the data from Gigya, 80% of consumers believe biometric authentication is more secure, and they understand the pitfalls of typical password/user ID combos.

This is good news for projects like Google’s Project Abacus, which is set to be trialed with several major banks next month. It combines biometrics like facial and voice recognition with user behavior such as the times and locations one usually tries to log in. From these it deduces a Trust Score, which can then be used to check whether the individual trying to log in is you.

The survey shows that the thirst for post-password approaches could be motivated by sheer laziness: those same consumers aren’t practicing good password hygiene in the first place.

Consider: only 16% of respondents follow password best practices with a unique password for each online account. About 6% use the same password for all accounts, and 63% use seven or fewer passwords across all their online accounts. And, 68% abandon the creation of an online account due to complex password requirements.

Millennials have the worst password practices, with 67% using insecure passwords like, well, “password,” “1234” or their birthdays.

This, in spite of the fact that 26% of respondents have had at least one online account compromised in the past 12 months. When segmented by generation, 35% of millennials, 28% of Generation Xers and 18% of baby boomers reported having online accounts compromised.

So obviously, authentication mechanisms need to be simple and easy to use in order to be adopted. Biometrics by and large fit the bill, with 20% saying they would adopt fingerprint scanning, voice recognition, facial recognition or iris scanning technology were it available.

In fact, nearly one-half of millennial respondents use one or more forms of biometric authentication, such as fingerprint scanning technology (38%), voice recognition (15%), facial recognition (11%) or iris scanning (5%). Millennials also report that at least one of the applications they’ve downloaded offers some form of biometric authentication, which is consistent with Juniper Research’s estimates that more than 770 million biometric-enabled applications will be downloaded each year by 2019, as compared with 6 million in 2015.

Two-factor authentication, which couples traditional usernames and passwords with a personal security question or verification code sent via text message, has its supporters too. A full 29% of survey respondents like the idea (likely because it allows for weak passwords and password reuse).

Other frictionless approaches, like social-network authentication, are popular too. The “log in with Facebook” option that many websites have now implemented is a perfect example of this.

“Within the next 10 years, traditional passwords will be dead as an authentication form,” said Patrick Salyer, CEO of Gigya. “Consumer-focused brands require modern customer identity management infrastructures that support newer, more secure authentication methods, such as biometrics. Businesses that are already using advanced authentication methods demonstrate increased customer registration and engagement while enjoying greater login convenience and security.”

Source: Information Security Magazine

Limelight and Neustar Partner to Defeat DDoS Attacks

Neustar and Limelight have partnered to offer a distributed DDoS mitigation network.

Combining Neustar’s SiteProtect with Limelight’s content delivery network (CDN), the companies claimed, will increase the mitigation network’s capacity tenfold, to 10 terabits per second.

In addition, Neustar UltraDNS customers now benefit from more in-region mitigation centers, allowing Neustar to redirect traffic to local scrubbing centers at the edge of the network, closer to the source.

Customers’ web traffic can now be “scrubbed” and delivered locally rather than having to be backhauled to a regional scrubbing center that may be partway around the world, which reduces network latency and restores network performance more quickly and effectively.

Rodney Joffe, Neustar’s senior vice-president, distinguished engineering fellow, and head of national security, said: “The global scale and stability of the Limelight platform will enable Neustar to outpace attackers and mitigate the world’s largest DDoS attacks with unrivaled performance and minimal disruption.”

Joe DePalo, senior vice-president, technical operations at Limelight, said: “This relationship is a strong endorsement of our network strength and commitment to securely delivering internet traffic around the world. We are very pleased to partner with Neustar and believe that together we will be uniquely suited to transform the DDoS market.”

In an email to Infosecurity, Rik Turner, senior analyst at Ovum, said that Limelight is a classic CDN that has only operated in that space until now. “They have long talked up their ability to do CDN services in the media and entertainment space, if my memory serves me correctly. But now, as [with] all the CDN players they see an opportunity to get into DDoS mitigation services on the volumetric side,” he said.

“My first reaction to this announcement is that it may be two smaller players in their respective markets (i.e. CDN and DDoS) coming together to jointly compete with Akamai, which is huge in both spaces already.”

“I presume what they are saying about cleaning local traffic refers to the fact that Neustar can put boxes on premise to mitigate what they can there, then kick stuff up the Limelight CDN when required.”

Source: Information Security Magazine

DMA Locker 4.0 Gets Helping Hand from Neutrino EK

Security researchers are warning that the DMA Locker ransomware is now being distributed via the Neutrino exploit kit, potentially exposing users globally to mass infections.

First discovered in January this year, the variant was originally “too primitive to even treat it seriously,” according to Malwarebytes researcher “Hasherezade.”

More complexity was added in later versions but it was still possible to decrypt locked data.

Version 4.0, however, has now been released, and it has fixed that weakness as its authors gear up for mass distribution.

Usability improvements have been added, such as the option to decrypt a test file and a link to a tutorial. Purchasing a key and making payment are now handled via a dedicated panel, with none of the human interaction required by previous versions.

Interestingly, the website linked from the ransomware is not hosted on Tor; it uses the same IP address as the C&C server.

However, DMA Locker 4.0 does make more of an effort to stay hidden from security tools.

“In the past, DMA Locker was distributed without any packing. The reason behind it was probably the chosen distribution method – samples were deployed manually by attackers, who accessed machines via hacked Remote Desktops. Attackers didn’t bother much about adding any deception layer,” explained Hasherezade.

“In this edition it has changed. DMA Locker comes packed in some underground crypter, that is used to protect the payload and deceive tools used for the detection.”

Like previous versions, however, the ransomware is designed to attack local drives and unmapped network shares.

The discovery by Malwarebytes offers an interesting snapshot of the development work that goes into producing ransomware.

In the meantime, the scale of the problem continues to grow. There are no firm industry-wide estimates as to infection rates, but Trend Micro claimed to have blocked 99 million threats for its customers between October 2015 and April this year.

Source: Information Security Magazine

More Than 2500 Twitter Accounts Hacked with Sexual Content

More than 2500 Twitter accounts have been compromised to tweet links to websites specializing in adult dating and sex personals, according to a blog post on Symantec’s website.

It is claimed the attackers have also altered users’ profile pictures (often to an evocative photo of a woman), biography and full name to further promote the sites, with recent tweets containing other suggestive images and language discussing adult webcam sessions and sexual encounters. The hackers are believed to have earned money – US $4.00 for each person who signed up – by redirecting the victims through affiliate programs, Symantec says.

It appears the perpetrators adopted a slightly unusual approach for such an attack, opting not to tweet at or directly message other users, but instead using the compromised accounts simply to like tweets and follow others, gambling that those users will be curious enough to click on the affected profile and take a look. In doing so, they are met with tweets that claim to offer free sign-ups to the sexually oriented content, with shortened links that eventually lead to the full site via an intermediate landing page.

Interestingly, Symantec’s investigation revealed that almost three-quarters (73%) of the compromised accounts were created at least four years ago (the oldest dates back to 2007), and some accounts had not been active or sent any new tweets in years. The firm says it was likely that many of the accounts hit were using weak or re-used passwords, something that often leaves the door open for hackers to take advantage.

In a statement to Infosecurity, Chris Boyd, malware intelligence analyst at Malwarebytes, said attacks on social media accounts are now very common, with mass spam attacks on platforms such as Twitter incredibly prevalent.

“While the bulk of these peddle diet spam, many redirect to malware and PUPs, and these tactics rely on exploiting the trust of links from associates.

“Many social media accounts offer a wide range of security settings, from two factor authentication to allowing SSL (assuming it isn’t enabled by default). One of the biggest causes of spam on social media is when a service is connected to another: the moment the connected service is compromised, it potentially allows posting to the non-compromised platform from the hijacked account.”

Boyd advised social media users to disable connections to services they no longer use, and ensure security is as high as it can be across all connected services.

“They should also perform some spring cleaning and ensure no old or unknown applications have access to their Twitter or Facebook accounts,” he added.

Source: Information Security Magazine

Google to Trial Password-Free Log-Ins with Banks

Google’s play at password-free apps – Project Abacus – is set to be trialed with several major banks next month, it emerged on Friday.

First revealed at the I/O developer conference last year, Abacus is a new system for mobile authentication which “moves the burdens of PINs and passwords from the user to the device itself,” former head of Google’s ATAP (Advanced Technologies and Projects) division, Regina Dugan, said at the time.

It does this by combining biometrics like facial and voice recognition with user behavior such as the times and locations you usually try to log in. From these it deduces a Trust Score, which can then be used to check whether the individual trying to log in is you.

The idea is that more sensitive applications like those for online banking access will require a higher Trust Score.

Google is hoping to push out a Trust API to developers by the end of the year so they can start testing it and, ultimately, decide if it works well enough to replace traditional passwords or 2FA.

It has already been trialing the system with over 30 US and international universities over the past few years and will now be looking to take things forward with “several large financial institutions,” according to new ATAP lead, Dan Kaufman.

If it works successfully the benefits are obvious, as Abacus is completely passive and would not require users to remember a string of different passwords for multiple online accounts.

Richard Lack, EMEA director at identity management firm Gigya, argued the future of authentication lies with methods that don’t involve passwords – both for security and convenience.

“Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security,” he added.

“This is a win/win scenario which sounds the death-knell for awkward and insecure passwords sooner than we may imagine.”

Source: Information Security Magazine

Suspected Mumsnet Hacker Charged

A Surrey teenager has been charged with computer-related offenses in connection with attacks on the Mumsnet site last year, according to the Metropolitan Police.

In a brief statement on Monday, the Met’s Cyber Crime Unit (MPCCU) claimed it had charged David Gerrard Buchanan, 18, of Vann Road, Haslemere, with two counts of “causing a computer to perform a function to secure/enable unauthorized access to a program / data” and one count of “unauthorized acts with intent to impair operation of or prevent/hinder access to a computer.”

All three charges came under the Computer Misuse Act of 1990.

Two 17-year-olds were questioned under caution in connection with the attacks but subsequently released with no further action taken.

The statement continued:

“The charges relate to various incidents of computer intrusion and damage to network profiles following attacks on systems controlled by the website Mumsnet and others between July and August 2015.”

As reported by Infosecurity at the time, Mumsnet founder Justine Roberts revealed in August that her site had been DDoS-ed and that user account details had been stolen and accounts hacked into.

It was thought at the time that the hacker(s) in question phished several accounts by tricking users into entering their credentials into a fake log-in page. All users were urged to change their passwords after the incident was discovered.

It was suspected to be the work of a troll on the site – @DadSecurity online – who had posted provocative Twitter comments such as “RIP Mumsnet” and “Our DDoS attacks are keeping you offline.”

At around the same time, Roberts and another Mumsnet user who interacted with the troll online were hit by so-called “swatting” attacks – when hoaxers phone through a fake alert to police in order to get an armed response team sent to the victim’s home.

It’s not known what the motivation for the attacks was and police say they are still investigating the incident.

Buchanan is set to appear at Guildford Magistrates’ Court on 7 June.

Source: Information Security Magazine

Swiss Attack Conducted by Patient and Sophisticated Hackers

A cyber-attack targeted at the Swiss defense contractor RUAG used malware from the Turla family, which had no rootkit functionality, but relied on obfuscation to stay undetected.

A technical analysis by the Reporting and Analysis Center for Information Assurance (MELANI) and the Swiss CERT found that the attackers showed great patience during the infiltration and lateral movement phases of the attack. RUAG had been affected by this threat since at least September 2014.

According to indicators of compromise (IoCs) found in logs, the Bern-based company was originally infected in September 2014, but until December 2015 no in-depth search was possible because a proxy did not log internal client IP addresses.

“After they got into the network, they moved laterally by infecting other devices and by gaining higher privileges,” the summary said. “One of their main targets was the active directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships. The malware sent HTTP requests to transfer the data to the outside, where several layers of Command-and-Control (C&C) servers were located.”

Once the attackers were inside, they used named pipes for the internal communication between infected devices and constructed a hierarchical peer-to-peer network: some of these devices took the role of a communication drone, while others acted as worker drones. The worker ones never actually contacted any C&C servers, but instead received their tasks via named pipes from a communication drone, and also returned stolen data this way.

RUAG is a defense contractor and provider of aerospace and terrestrial military equipment, and supplies munitions to the Swiss military. The attack was conducted using the same tactics as those used against the annual World Economic Forum (WEF) in Davos, Switzerland, in January.

The report deemed that the attack was part of a long-running campaign by the threat actor running Epic/Turla/Tavdig, which has infiltrated many governmental organizations and commercial companies in the private sector over the past decade.

The report concluded: “Even if we think completely preventing such attacks is very difficult, the goal must be to make them as difficult as possible. There is a good chance to make the entry point difficult to find, when protecting the clients adequately using tools like Applocker or virtualized browsers. Even if this does not completely eliminate this kind of threat, the bar is raised for the attacker.”

MELANI and the Swiss CERT said that they are sharing the information gathered with their partners, and that this instance was detected thanks to mutual sharing of information. “We’re happy to work together with many partner organizations throughout Europe and are grateful for their efforts and the good international cooperation,” they said.

“Putting all elements together over a long time gives the momentum of action back to the CERTs and CSIRTs, struggling to keep their networks clean and their data safe. The fact that attackers abuse vulnerable systems for their purpose – no matter if this is for criminal activities or espionage – shows the importance and responsibility of every party providing services on the internet. There is no such thing as an insignificant system on the internet, every server may be abused for attacking others. This puts great responsibility on everyone, and we hope that this report contributes to increasing the security level within every network and server.”

Gadi Evron, CEO and founder of Cymmetria, who also chairs the Israeli CERT, told Infosecurity that he believed in information sharing generally, and coordination. “I’ve been involved in the CERT community for many years, and the thing about information sharing and response is we are doing as much as we can,” he said.

“That said, people are talking about information sharing and coordination, and it is good for the industry as we are doing as much as we can so I am always for coordination and information sharing and doing what we can together, but we are doing as much as we can considering the legal standpoint of things compared to how many companies are willing to share with each other.”

Source: Information Security Magazine

Just 22% of IT Leaders Think Their Org is ‘Very Well Prepared’ to Deal with Cyber-attacks

As few as one in five (22%) IT leaders believe their organization is ‘very well prepared’ to identify and respond to cyber attacks, according to new research by Harvey Nash and KPMG.

Further, three in ten (28%) have had to respond to a major IT security or cyber attack on behalf of their company within the last two years, whilst 12% now believe their business is exposed in multiple areas.

George Quigley, cybersecurity partner at KPMG, explained that the complexity of cybersecurity is affecting the level of confidence among IT leaders regarding how well prepared companies are to ensure all reasonable risks are covered.

“If you look at cyber, it is a multi-dimensional problem; it’s also unpredictable, intangible and constantly changing,” he told Infosecurity. “It’s a very complex area to try and get your head around. We’ve seen a lot of large and sophisticated organizations breached, so if you’re sitting in an organization that is not as large, not as sophisticated and doesn’t have the same sort of budgets and standing, then culturally you’re also going to have your confidence dented.

“Are companies going to be bold enough to say ‘We’re really confident we can solve this problem’ when they see all of these other players being breached?”

The report also revealed substantial concerns about a lack of skills among employees, with 65% of respondents saying skills shortages are preventing them from keeping up with the pace of change in technology.

“There’s undoubtedly a significant skills gap in cyber,” Quigley said. “There are challenges in terms of getting people with a cyber-mindset; what we’re finding is security companies having to invest time and money in training people. Across the industry we’re probably paying more than you would otherwise do in a normal functioning market because you’ve got to pay to retain people.

“If I had one concern in this skills gap market and what we’re doing, it’s that we are still not attracting enough women into the cybersecurity field. It’s incredibly male dominated and we still struggle to attract women into the industry and I do think we would benefit from getting more women into it and widening out that pool,” he added.

Lastly, in terms of the cloud, the research discovered that over a third of respondents are looking to invest significantly in cloud services this year, but almost half report data loss and privacy risks as the biggest challenge when it comes to adopting cloud technology.

KPMG’s global CIO advisory service network leader Lisa Heneghan argued that one of the main issues surrounding the cloud is that many services are being implemented outside of IT, and as such without the level of control that you would normally expect to see within the IT organization.

“There’s almost an assumption that, because these organizations professionally provide the [cloud] services, that’s going to deal with everything; therefore important things like processes and governance are not considered early enough, and there’s almost been a blindsided view of it,” she told Infosecurity.

Source: Information Security Magazine

UK Cybercrime Prosecutions Rise by a Third

Cybercrime prosecutions rose by over a third (36%) in the UK last year, according to new stats issued by law firm Pinsent Masons.

In 2015, there were 61 recorded prosecutions for cyber offenses, up from an – admittedly small – figure of 45 in 2014.

They make up just a small proportion of the 9,401 prosecutions for white collar crime last year, which rose from 9,343 the previous year. Although the stats represent the first increase in five years, they remain much lower than the 11,000+ tally of 2011.

Barry Vitou, head of global corporate crime at Pinsent Masons, argued that the police and other agencies needed adequate resources to follow up all leads.

“The fact that prosecutions continue to rise in this area is promising – and indicative of the efforts the authorities are making to get to grips with tackling what is a highly complex issue,” he said in a statement.

“However – these new kinds of crime require police forces to adapt quickly, and considerable time and investment is needed to ensure they deal with it effectively. Businesses’ position is fairly clear – they want as much action as possible from enforcement agencies, to prevent cybercrime and to prosecute.”

Part of the problem still lies with the fact that many businesses simply don’t report fraud incidents, either because they don’t want to affect the brand by going public, or because they have no confidence police will ever catch those responsible.

This lack of openness continues to hamper white hat investigators, who still don’t have a clear picture of the scale of the problem in the UK.

In a bid to address that, the Office for National Statistics last year released a more comprehensive Crime Survey for England and Wales (CSEW), estimating 2.5 million cybercrime incidents and 5.1 million cases of fraud.

However, even these figures are likely to be well short of the mark.

The government earlier this year announced a new Home Office-led Joint Fraud Taskforce, to work alongside the country’s leading banks, the National Crime Agency, fraud prevention service Cifas, Financial Fraud Action UK, City of London Police and the Bank of England.

Online fraud has reached its highest point since records began, accounting for £217m in 2014, or nearly half (45%) of all card fraud, according to Financial Fraud Action UK’s Fraud the Facts 2015 report.

Also, online banking losses jumped a massive 64% to reach £133.5m in 2015.

Source: Information Security Magazine