Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for July 2016

Carbon Black Acquires Next-Gen AV Firm Confer

Carbon Black Acquires Next-Gen AV Firm Confer

Endpoint security firm Carbon Black has today announced its acquisition of Confer, a next-generation antivirus (NGAV) company.

By adding Confer’s NGAV product (to be renamed ‘Cb Defense’) to its portfolio, Carbon Black aims to deliver the industry’s most complete, single endpoint security platform by replacing ineffective antivirus, locking down critical systems, and arming incident-response teams with the most advanced tools to proactively hunt down threats.

“Confer offers a NGAV solution that is lightweight, fast to deploy, and easy to manage,” Patrick Morley, chief executive officer of Carbon Black, told Infosecurity. “With the addition of Confer, we are further empowering our customers to secure their desktops, laptops, and servers from the full spectrum of modern cyber-attacks.

“By adding Confer’s NGAV product, Carbon Black is delivering the industry’s most complete next-generation endpoint security platform, designed to surpass legacy antivirus companies such as Symantec, as well as emerging endpoint solutions such as Cylance, CrowdStrike and Palo Alto Networks."

Today’s cybersecurity war is waged at the endpoint, but what’s becoming ever-clearer is that traditional antivirus alone struggles to defend against a continually evolving endpoint threat landscape, often missing entire classes of modern-day cyber-attacks and leaving enterprises vulnerable to attack. As a result, more and more companies are turning to NGAV to help combat the issue and keep their data safe.

Speaking to Infosecurity Bob Tarzey, analyst and director at Quocirca, explained that whilst traditional antivirus still has its place in security, attacks are now so sophisticated that new approaches are also needed.

“Of course, many of these new threats should be blocked before they ever reach the endpoint, but some will. Carbon Black, with endpoint monitoring, white listing (from the Bit9 merger) and now NGAV certainly now has a broad endpoint threat mitigation capability,” he added.

Cb Defense uniquely combines behavioral-based prevention techniques with integrated detection and response capabilities to stop cyber-attacks. Its cloud-based, deep-analytics approach blocks both malware and increasingly common malware-less attacks that exploit memory and scripting languages such as PowerShell. Once malware is blocked, Cb Defense gives organizations visibility into how the attack happened, which enables them to proactively fix security problems.

“NGAV solutions need to take a far more innovative approach in stopping attacks and be much more effective than legacy AV” said Mark Quinlivan, co-founder and chief executive officer at Confer. “We built Confer to provide a sophisticated, lightweight yet simple solution that includes groundbreaking prevention, detection and incident response.”

Source: Information Security Magazine

Governments Ramp Up User Data Requests to Google

Governments Ramp Up User Data Requests to Google

Google handed over data on users to the authorities in nearly two-thirds of cases in the second half of 2015, according to its latest Transparency Report.

The report shows that the web giant received requests for data 40,677 times during the period 1 July and 31 December 2015, and user account information 81,311 times – up from 69,000 during the previous six months.

It claimed that 64% of the time it produced “some data,” although it’s impossible to know how much.

However, the figure is far higher in countries like the US (79%), UK (72%) and Australia (70%), where there have been many thousands of user account access requests.

Interestingly the figure is far lower in some European countries such as Germany (57%) and France (59%).

Taken as a whole, however, the percentage of cases in which Google hands over data to the authorities is gradually falling – from a high of 76% at the end of 2010.

Defending his firm’s stance on co-operation with law enforcement, Google’s legal director for Law Enforcement and Information Security, Richard Salgado, said: “We’re pleased with some of the improvements we’ve seen in surveillance laws.”

He noted the recent Privacy Shield ‘agreement’ as including “procedural protections” for surveillance, and the signing into law of the Judicial Redress Act which will help non-US citizens redress grievances around data collected and stored by Washington.

“There are other important steps that the US can take to ensure that the privacy interests of non-US persons are addressed as policymakers consider government surveillance issues,” Salgado added.

“We helped create the Reform Government Surveillance coalition to encourage Congress and the executive branch to take steps to modernize US surveillance laws, further protect the privacy and data security rights of all users, including those outside the US and those not of US nationality, and improve diplomatic processes to promote a robust, principled, and transparent framework for legitimate cross-border investigations.”

However, despite the approval of Privacy Shield given by the European Commission, it is likely to be challenged down the line, according to legal experts.

“If the Privacy Shield adequacy decision is challenged, the CJEU is likely to expedite the hearing given the importance of this issue,” argued Pinsent Masons consultant lawyer, Kuan Hon. “Ultimately the CJEU will have the final say here, and at this stage we can’t predict whether they would uphold the Privacy Shield decision or invalidate it, and if so on what grounds.”

Further, although the agreement apparently gives assurances to EU citizens that they won’t be spied on by Washington, there remain question marks over the US and UK governments’ attitudes to their own citizens.

Microsoft last week won a case against the DoJ which had requested it hand over data on US citizens stored overseas.

Source: Information Security Magazine

Former St Louis Cardinals Scout Gets Four Years for Hacking Rival

Former St Louis Cardinals Scout Gets Four Years for Hacking Rival

A former Major League chief scout has been sentenced to nearly four years in jail after pleading guilty to hacking the computer systems of a rival team to gain a competitive advantage.

As Infosecurity reported at the time, St Louis Cardinals scouting director Chris Correa pleaded guilty to five counts of unauthorized access to a computer from March 2013 until at least March 2014, when he was promoted to director of baseball development.

It’s said that he accessed the “Ground Control” database managed by the Houston Astros which contained highly sensitive information on player trades.

Correa accessed a scouting list of every eligible player for that year's draft, and viewed notes on bonuses, recent performances and injuries, according to AP.

He gained access via the account of former St Louis general manager, Jeff Luhnow, who left to become GM of the Astros but had to turn his work laptop in first.

It’s thought Luhnow used the same or similar password at Houston to the one he used at St Louis, making it child’s play for Correa to access the database. When the Astros tightened security, Correa is said to have hacked Luhnow’s email account to get the new credentials.

The whole incident cost the Astros around $1.7m, with Correa able to use the stolen information to draft players for St Louis. He accessed the database some 60 times, according to Astros general counsel, Giles Kibbe.

Correa has been ordered to pay $279,038 in restitution and will spend 46 months behind bars – although he was originally facing five years for each of the five counts of unauthorized access he was found guilty of.

"I violated my values and it was wrong. I behaved shamefully," he reportedly told the court. "The whole episode represents the worst thing I've done in my life by far."

The St Louis Cardinals – one of the country’s most successful teams after the New York Yankees – now faces potential fines and/or penalties once investigators get hold of the details of the case from the relevant authorities.

Source: Information Security Magazine

Fitness Bands Struggle With Privacy; Leave Data Exposed

Fitness Bands Struggle With Privacy; Leave Data Exposed

They may be one of the hottest gadgets around right now, but fitness bands and smartwatches may be a disaster waiting to happen from a security point of view, according to a new report. And considering the personal information held on many of them, the consequences of a breach could be disastrous.

The research from AV-Test looked into eight of the biggest selling devices in the fitness band/smartwatch category: Basis Peak, Microsoft Band 2, Mobile Action Q-Band, Pebble Time, Runtastic Moment Elite, Striiv Fusion, Xiaomi MiBand, and Apple Watch. Fitbit was left out of this examination, having undergone its own separate test earlier this year.

AV-Test said it was primarily interested in two areas: “From the perspective of the private user, is the data recorded in the tracker or app secure against spying or hacking by third parties?” And, “From the perspective of health insurers or other companies, is the data in the tracker or app secure against tampering?”

The first issue looked at how secure the data held on the devices or in the app is, while the second was more concerned with a third-party that may access the data. AV-Test used insurance companies who reward users for good health as an example; if the data can be manipulated, then results could be misleading.

The test looked at data on the devices, their corresponding smartphone apps, and the connection between the two. In total, 10 different criteria were tested.

Starting with the trackers, AV-Test looked at visibility, ability to be found, BLE privacy (which is whether a new MAC address is generated with every connection), authentication, and tamper protection. While all devices failed the BLE privacy test, the Pebble Time and Microsoft Band 2 succeeded in all other areas.

The Moment Elite and Fusion both failed every single tracker security test, while the Q-Band passed only one test partially, and the MiBand had one pass and two partial passes.

Moving on to the apps themselves, AV-Test looked at local storage, code obfuscation, and log and debug info. The Q-Band partially redeemed itself by passing all the tests in this category, while the Pebble Time also scored well. The MiBand, Peak, Band 2 and Moment Elite all failed all but one test for app security.

Finally, AV-Test tested the connections between the devices and apps, in particular examining whether the transmission was encrypted and whether the data was tamper-proof. The Pebble Time and Basis Peak came out on top here, while the Q-Band, Fusion and Mi-Band sat at the bottom, only offering partial encryption and tamper protection.

Overall, while no one fitness band can claim to be totally secure, the Pebble Time, Basis Peak and Microsoft Band 2 performed better than the others. “They show minor errors, but on aggregate, they offer few opportunities for attackers or tampering,” the report said.

For those looking for strong security with their fitness app, it’s probably worth staying away from the Mobile Action Q-Band, which has “multiple risk factors.” Additionally, the three worst performing devices were the Runtastic, Striiv and Xiaomi, racking up seven or eight points out of 10.

“These products can be tracked rather easily, use inconsistent or no authentication or tamper protection, the code of the apps is not sufficiently obfuscated, and data traffic can be manipulated and monitored with root certificates. Worst of all, Xiaomi even stores its entire data unencrypted on the smartphone,” AV-Test warns.

All the above devices run on Android, making a test and comparison fairly straightforward. AV-Test also looked at the Apple Watch, but because of differences between Android and iOS it had to take a different approach.

Despite some issues, such as updates happening unencrypted and researchers being able to read some data that should have been encrypted, the Apple Watch still scored highly, AV-Test said. “While the testers did identify certain theoretical vulnerabilities, the time and effort required for attackers to gain access to the watch would be extremely high.”

Photo © Alexey Boldin

Source: Information Security Magazine

Ubuntu Forum Hack Exposes 2 Million Users

Ubuntu Forum Hack Exposes 2 Million Users

Ubuntu Linux developer Canonical has confirmed that a data breach exposed personal information of two million users of its forum.

In a statement, Canonical said that it had received notification that someone was claiming to have accessed its forum database. An investigation confirmed the breach, which Canonical revealed had exposed two million usernames, email addresses and IPs. The forum was shut down as a precaution and all system and database passwords were reset. 

The attacker was not able to access any Ubuntu code repository or any valid user passwords, Canonical said. Nor did the attacker gain write access to the forum database or access to any other Canonical or Ubuntu service.

The statement added that the breach was a result of known SQL injection vulnerability in the Forumrunner add-on on the forum, which Canonical had neglected to patch.

“The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table,” the statement added.

The attacker downloaded the portion of the ‘user’ table that contained the passwords stored as random strings which were salted and hashed, although Canonical did not reveal what level of protection was being used.

As well as resetting passwords, Canonical also wiped and rebuilt the servers that were running the vBulletin software and patched it to the most recent release. It has also added a web application firewall to beef up its defenses.

“We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation,” the statement added. “Corrective action has been taken, and full service of the Forums has been restored. We apologise for the breach and ensuing inconvenience.”

This is the second major breach of a vBulletin forum in recent weeks. In June this year, Canadian media company VerticalScope said its forums had been breached, exposing email addresses, usernames, IP addresses and passwords belonging to 45 million users spread across 1100 different forums.

Photo © wk1003mike

Source: Information Security Magazine

Ponemon: External Attacks Costing Organizations $3.5 million a year

Ponemon: External Attacks Costing Organizations $3.5 million a year

Companies are struggling to cope with external cyber threats due to a lack of staff expertise and technology, according to a new report. This failure to adequately defend the business is resulting in at least one cyber attack per month and annual incurred costs of $3.5 million (£2.6 million). 

The research, carried out by the Ponemon Institute, found that many businesses lack a well-rounded, coherent strategy to deal with external internet threats, such as social engineering exploits. In fact, 79% of respondents said the defenses they had in place to identify and mitigate these kinds of attacks were either “non-existent, ad hoc or inconsistently applied throughout the enterprise.”

Sixty-four percent of respondents, who were security directors or higher within their organization, said they lack the tools and resources needed to monitor these external threats, 62% said they lack the tools in place to analyze and understand, and 68% said their resources for mitigating external threats are inadequate.

The study, which was carried out in conjunction with BrandProtect, found that 59% of respondents said the protection of intellectual property (IP) from external threats was essential or very important to the sustainability of the business. 

Figures from the report suggest that organizations know what it takes to better defend themselves against external threats but lack the resources to do so. Sixty-two percent of respondents said mobile app monitoring was a priority, 61% said the same about social engineering and organizational reconnaissance, 58% cited spear phishing infrastructure, and 54% mentioned executive and high value threats.

“The majority of security leaders understand that these external internet threats imperil business continuity,” said Larry Ponemon, president of the Ponemon Research Institute. “The study highlights a gap in defenses against threats that have proven to be extremely effective for cyber criminals and costly for enterprises.”

Roberto Drassinower, CEO of BrandProtect, added: “As external threats explode in both frequency and sophistication, forward-leaning security teams are actively prioritizing external threat detection, intelligence and mitigation in their objectives. But the majority of enterprises still have a long way to go. Despite losing millions of dollars annually to external and branded exploits, security teams are dealing with a significant readiness gap."

Photo © LeoWolfert

Source: Information Security Magazine

Trojan Delilah Recruits Malicious Insiders Via Extortion

Trojan Delilah Recruits Malicious Insiders Via Extortion

Organizations have been warned of a rise in insider threats after a new trojan was revealed which is specifically designed to gather information on targeted victims so that malware authors can blackmail them into doing their will.

Threat intelligence firm Diskin Advanced Technologies (DAT) discovered the new malware – dubbed “Delilah” presumably in reference to the biblical character – on the cybercrime underground, but shared among closed hacker groups.

It’s delivered to victims who visit and attempt downloads from certain adult and gaming sites, according to Gartner distinguished analyst, Avivah Litan.

After installation it apparently gathers personal information on the targeted victim including info about their family and workplace. A plug-in is also available which enables the hacker to remotely switch on the victim’s webcam and record them.

With this information the hacker can then manipulate the victim into doing their bidding.

“Also according to DAT, instructions to victims usually involve usage of VPN services, TOR and comprehensive deletion of browser history (probably to remove audit trails),” Litan explained in a blog post.

“These bots still require a high level of human involvement to identify and prioritize individuals who can be extorted into operating as insiders at desirable target organizations. Criminals who want to use the bot can also acquire managed social engineering and fraudster services to help them out, in case they lack those specific skills.”

It’s clear the trojan isn’t yet the finished article, apparently producing error messages when the webcam spying function is used and causing the screen to freeze.

Litan argued that more data on VPN and TOR activity is needed to better understand the nature of the threat and added that IT security teams should lock down risk by blocking certain risky sites.

“With Trojans like Delilah, organizations should expect insider recruitment to escalate further and more rapidly,” she concluded. “This will only add to the volume of insider threats caused by disgruntled employees selling their services on the Dark Web in order to harm their employers.”

Research from Kaspersky Lab in November 2015 claimed that nearly three in four firms have suffered an insider threat incident, with employees (42%) the largest single cause of data loss.

Source: Information Security Magazine

Microsoft Wins Landmark Email Privacy Case

Microsoft Wins Landmark Email Privacy Case

A US federal appeals court has ruled in favor of Microsoft in a major privacy case related to whether the government can demand access to data stored on servers outside the country.

The decision reverses a court order from 2014 requesting that the computing giant hand over emails stored in Ireland for use in a drugs case.

Judge Susan Carney of the US Court of Appeals for the Second Circuit in New York ruled that the Stored Communications Act only applies to data stored in the US.

Microsoft had argued that if the government got its way in the case, it could open the floodgates for foreign agents to raid its offices in jurisdictions all over the world and demand access to US citizens’ data.

"The decision is important for three reasons,” said Microsoft president and chief legal officer, Brad Smith. “It ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.”

Microsoft had been supported in its legal fight by a host of Silicon Valley rivals and others, with amicus briefs filed by 28 tech and media companies, 23 trade associations and advocacy groups, 35 leading computer scientists and even the Irish government.

Smith called for changes to the law both domestically and in terms of new international treaties to avoid such problems in the future.

Omer Tene, VP of research and education at the International Association of Privacy Professionals (IAPP), welcomed the ruling as a “resounding affirmation of the endurance of privacy in an age marked by constant data transfers in the cloud, Internet of Things and big data applications.”

“The Court held that even in the cloud, data physically resides on servers in a specific geography, and that government cannot compel a service provider to reach over national borders to deliver data at the expense of customer privacy,” he added.

Guy Marson, co-founder of data science company Profusion, argued that the court’s ruling was in line with the European Commission’s views on privacy, but warned that an appeal from the US government is a certainty.

“If the case is overturned yet again, the resulting shockwaves across the tech industry will set the sector back several years,” he added. “Any future rulings will especially affect cloud providers, calling into question the security of cloud computing platforms. It will also place the already embattled Privacy Shield on rocky ground.”

Source: Information Security Magazine

For Most Orgs, Privileged Account Management Is Severely Lacking

For Most Orgs, Privileged Account Management Is Severely Lacking

Despite a high awareness of potential problems, there is a distinct lack of follow-through in implementing security best practices for the protection and management of privileged account credentials.  Some of the most disturbing findings show that:

According to the 2016 State of Privileged Account Management (PAM) Report from Thycotic and Cybersecurity Ventures, one in five organizations (20%) have never changed their default passwords on privileged accounts. But, 80% of respondents consider PAM security a high priority.

Further, 30% of organizations still allow accounts and passwords to be shared, and 40% use the same security for privileged accounts as standard accounts.

 “While awareness is high among organization on the importance of securing privileged accounts, according to results found in our survey, many organizations still fall short when it comes to adopting and maintaining best practices in the protection of privileged account credentials,” said James Legg, president and CEO at Thycotic. “There are some serious gaps in the enforcement of basic security measures when it comes to securing privileged account credentials.”

In the majority of data breaches, stolen credentials and privileged accounts continue to be the main target for hackers because they unlock the access required to exploit virtually any part of an organization's network, including critical and sensitive data. 

Yet the survey also found that 70% of organizations do not require approval for creating new privileged accounts, and half of them do not audit privileged account activity.

This, despite the fact that 60% of respondents indicate that PAM security is required to demonstrate compliance with government regulations.

“Weak privileged account management is a rampant epidemic at large enterprises and governments globally," said Steve Morgan, founder and CEO at Cybersecurity Ventures. "Privileged accounts contain the keys to the IT kingdom, and they are a primary target for cyber-criminals and hackers-for-hire who are launching increasingly sophisticated cyber-attacks on businesses and costing the world's economies trillions of dollars in damages. We expect the needle on automated (PAM) solutions adoption to move fairly quickly into the 50% range over the next two years."

Photo © Zurainy Zain

Source: Information Security Magazine

MIT Hit with a Series of DDoS Campaigns

MIT Hit with a Series of DDoS Campaigns

The Massachusetts Institute of Technology (MIT) has received more than 35 DDoS campaigns so far in 2016, against several different targets, and using a variety of techniques.

An investigation by Akamai SIRT revealed that close to 43% of attack vectors leveraged during these campaigns included DDoS reflection and amplification attack vectors. Attacks originated from a combination of devices vulnerable to reflection abuse and spoofed IP sources.

The largest attack campaign peaked at 295Gbps, consisting of only a UDP flood attack. Akamai said that this originated with a malware variant known as STD/Kaiten. 

Prior to that, the largest attack peaked at 89.35 using a combination of UDP flood, DNS flood and UDP fragment attack vectors—a hallmark of so-called booter or stresser services. During the campaign, attackers targeted a total of three destination IP addresses.

“Unlike Xor, these kinds of attacks are more accessible to a much larger population of malicious actors,” Akamai said in a threat advisory shared with Infosecurity. “The fact, is almost anyone with motivation and enough knowledge to determine the IP of their target can launch these attacks at low cost. A recent look at a pricing of popular sites offering DDoS stresser services show this can be performed for as little as $19.99 per month.”

The domains abused for amplification of attack responses included cpsc.gov and isc.org. The domain owners themselves are not at fault and don't feel the effects of these attacks–attackers simply abuse open resolvers by sending a barrage of spoofed DNS queries where the IP source is set to be the MIT target IP, Akamai explained.

Photo © Profile–Image

Source: Information Security Magazine