Archive for August 2016

Lack of Cloud, App Visibility Plagues Security

Enabling a highly connected and mobile workforce opens new attack vectors. When asked about problems with their current cloud and mobile solutions, IT and security professionals most often cite a lack of visibility (85%).

In fact, data from Okta’s new Secure Business Agility Report reveals that 80% of respondents pointed to weak passwords or weak access controls as a security issue. As a result, 65% of IT leaders expect a serious data breach to hit their business within the next year.

The report also highlights that organizations are unsure if security is enabling or compromising productivity and agility: Just over half (52%) of IT leaders believe their current security solutions compromise productivity, while 48% believe their security measures enable the organization to adopt best-of-breed solutions that enable productivity and agility.

Also, 92% of IT leaders believe their organizations could do more to integrate and support cloud applications into their infrastructure and systems.

“In order to be more productive, organizations worldwide are investing in cloud and mobile technologies, enabling their staff to work from virtually anywhere. But this isn’t enough to ensure true agility. As organizations become increasingly connected, the traditional idea of the enterprise network boundary is vanishing and businesses need to prioritize strong security,” said David Baker, chief security officer at Okta. “To successfully navigate the new perimeter and avoid compromising on security and productivity, IT leaders need to adopt tools that span traditional company and network boundaries and enable agility across the organization.”

Source: Information Security Magazine

Eddie Bauer the Latest Victim of POS Malware Attack

Outdoor clothing company Eddie Bauer has become the latest victim of a large scale Point of Sale malware attack, leading to the compromise of customer card data over the first six months of this year.

The firm claimed in a press release late yesterday that it is currently notifying an unspecified number of customers about the attack, which took place between 2 January and 17 July this year.

Interestingly, the company said that this POS malware campaign was part of a “sophisticated attack” encompassing a range of hotels, restaurants and retailers.

It emerged this week that a major breach had occurred at Hyatt, Marriott, Starwood and Intercontinental hotels between March and June 2016.

“We have been working closely with the FBI, cybersecurity experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts,” said Eddie Bauer CEO, Mike Egeck.

“In addition, we’ve taken steps to strengthen the security of our point of sale systems to prevent this from happening in the future.”

The firm didn’t specify the scale of the attack, but Brian Krebs claimed the malware had affected its 350+ stores in North America.

Krebs said he reached out to Eddie Bauer six weeks ago, after being informed of the suspected attack by banking contacts who spotted patterns in card fraud at their end.

The security researcher railed against the lack of information given out by the victim organizations in these POS attacks, claiming that more details on the “attack tools and online staging grounds” used could help infosecurity professionals better fortify their own systems.

Travis Smith, senior security research engineer at Tripwire, argued that POS systems remain an attractive target for cybercriminals deploying malware, and will likely remain so until more businesses switch to Chip and PIN.

“The best advice for retailers is to place any point of sale machine on a segregated network from any other machines with locked down internet access. These machines typically have a handful of internet locations required to process credit card data, if they require any at all,” he added.

“Locking down this communication will reduce the likelihood that malware will be able to successfully exfiltrate private information to the attacker.”

However, migrating to a segregated network could cost hundreds of thousands in equipment and network redesigns, which many retailers might shy away from, Smith concluded.

Source: Information Security Magazine

Computing A-Level Numbers Jump but Experts Demand More

The number of UK students studying computing at A-level increased significantly this year, but experts have warned that more needs to be done to address skills gaps in areas like cybersecurity.

It was A-level results day in the UK on Thursday, when hundreds of thousands of teenagers wait to see if they have the grades they need to get into the university of their choice.

The government claimed the number of students taking science, technology, engineering and mathematics (STEM) A-levels remained “stable” in 2016.

The number of those taking the ICT A-level, currently being phased out in favor of a new computing course, dropped by over 3,000 from the previous year.

However, the government trumpeted a 16% increase in those taking computing.

But experts told Infosecurity that even the uptick in interest would have little immediate impact on the skills crisis facing IT and cybersecurity.

David Lozdan, head of public sector at UK cloud services firm Exponential-e, claimed the limited talent pool would send wages rocketing and hold businesses back from innovating their way to success.

“This can be seen in many digital skills gap sectors, a key one currently being cybersecurity – as demand in cyber security experts looks to outweigh applicants, we need to continue to encourage more students to cultivate their interest towards STEM subjects,” he argued.

“We urgently need the government to look at how we can develop a national curriculum that ensures school leavers are prepared for industries where a skills gap still exists. The next generation of work needs to be fit for business purpose, especially in the digital age.”

Lozdan added that it is not only schools but universities and local businesses which need to collaborate to ensure young people get the best training to prepare them for work in certain niche sectors.

“In the workplace, this could mean running training academies that foster talent, offering the knowledge and skills necessary to enable people to achieve their best in high-growth industries like cybersecurity,” he continued.

“For those businesses that are brave enough to invest, providing appropriate training will not only help to close growing skills gaps in cybersecurity, but it will have an immediate commercial impact.”

It should also be noted that, despite the encouraging take-up of the subject, fewer than 20% of students received an A or A* grade in computing this year.

To underline the problem of skills shortages and gaps, the number of vacancies for IT roles in the UK grew 15% from June to July, with cybersecurity particularly in demand, according to new stats from the Robert Walters UK Jobs Index.

There was a 70% year-on-year increase in advertised vacancies for roles requiring cybersecurity skills in the second quarter, to a total of 1,617 jobs, according to the UK IT Jobs Watch issued by jobs site Dice.

Some 62% of respondents to the ISC2 Global Information Security Workforce Study last year claimed that their organization has too few information security professionals – up from 56% in 2013.

Source: Information Security Magazine

Global Data Stealing Campaign Snares Industrial SMEs

Security experts are warning of a financially motivated targeted attack campaign spanning over a year and more than 130 organizations worldwide focused on the industrial, engineering and manufacturing sectors.

Operation Ghoul was first spotted in March last year and has so far covered more than 30 countries, targeting Spain, Pakistan, the UAE, India and Egypt the most.

Attackers use classic spear phishing emails with a malicious attachment to infect their victims.

These emails are sent to top and middle managers in order to procure “core intelligence” and “controlling accounts,” and are spoofed to look like they came from a UAE bank, according to Kaspersky Lab senior security researcher, Mohamad Amin Hasbini.

Some contain payment advice in a malicious ‘SWIFT doc’ attached and others contain malicious links.

“Noteworthy is that since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties. Most infiltrated victim organizations are considered SMBs (30 to 300 employees), and the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult,” he explained.

That malware is based on the popular Hawkeye family; it collects keystrokes, clipboard data, FTP server credentials, and account data from browsers, email and messaging clients, and sends that information to a C&C server.

The most recent wave of attacks began in June, with 70% of the targeted users located in the UAE.

Hasbini warned employees to be cautious when opening unsolicited emails and urged firms to train privileged users in how to deal with such cyber threats.

Kaspersky Lab principal security researcher, David Emm, claimed the discovery highlights the fact that all companies, regardless of size, must now presume that a determined attacker will gain access to corporate systems.

“Therefore, companies should ensure that confidential data is encrypted and the network segmented appropriately as this restricts lateral movement once an attacker has gained entry. The starting-point for such attacks is often social engineering, so it’s vital that a strong emphasis is placed on staff education,” he told Infosecurity.

“Small businesses need to know that they’re not immune to attacks. It’s easy for SMBs to read the headlines and assume that targeted attack campaigns are directed solely at ‘big names’. However, aside from the fact that all companies have intellectual property, they can be used as stepping-stones to get to another target. Companies in the supply-chain of a large organization can be the means for penetrating the former.”

Source: Information Security Magazine

Student Loans Company in Phishing Warning

The UK’s Student Loans Company has been forced to issue a fraud alert after phishers launched a new campaign targeting students starting this autumn.

The fake emails, purporting to come from Student Finance England, try to trick recipients into divulging personal and financial information or to click on a malicious link, by claiming that failure to do so will result in the loss or delay of their first loan payment, according to the warning.

“Online fraudsters are aware that freshers are starting university for the first time next month and are targeting them, continuing students and their sponsors with emails and texts requesting personal and banking details to access their finance,” said Fiona Innes, head of Counter Fraud Services at the Student Loans Company.

“We have had several reports of this phishing email already. Phishing emails are sent in batches so there will be more in circulation. We want to remind customers that we will never request a customer’s personal or banking details by email or text message.”

The SLC’s Counter Fraud Services team claims to have prevented losses of £65 million since the 2012/13 academic year.

It urged students to treat any comms requesting personal or financial information with suspicion, claiming that emails addressed “Dear Student” and those with poor spelling and grammar are likely to be fakes.

David Stubley, founder of IT consultancy 7 Elements, claimed that employees are just as susceptible to phishing attacks as students.

“Phishing attacks remain scarily easy. In a recent phishing exercise we were able to entice 82% of recipients into clicking on a malicious link,” he told Infosecurity.

“Organizations need to take a holistic approach when defending against such attacks, and this would include end user awareness, implementing technical controls such as web filtering, end point protection and hardening the OS and browsers in use.”

Source: Information Security Magazine

August Locky Blitz Hits Healthcare Organizations

August has seen a major new wave of Locky ransomware attacks targeting healthcare organizations in the US, Japan and elsewhere, according to FireEye.

The security vendor claimed to have spotted “a few massive email campaigns” distributing the notorious ransomware this month.

Healthcare was by far the worst hit, accounting for over 75% of total detections, followed by a long tail including telecoms, transport, manufacturing and many more.

The United States was the most targeted country, followed by Japan and South Korea.

“Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August. This marks a change from the large campaigns we observed in March, where a JavaScript based downloader was generally being used to infect systems,” explained threat researcher Ronghwa Chong, in a blog post.

“These detection spikes and change in tactics suggest that the cyber-criminals are investing more to infect systems and maximize their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”
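The shift to DOCM attachments described above is something a mail gateway can check for structurally. The following is an added example, not code from FireEye or the magazine: it opens an Office attachment as the OOXML zip package it is, looks for an embedded VBA project and the macro-enabled content type, and flags a document whose extension disguises its macros. The sample packages are constructed inline and the function names are my own.

```python
import io
import zipfile

# Content type Word writes into [Content_Types].xml for a macro-enabled
# document (.docm); a plain .docx carries the wordprocessingml.document type.
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")
MACRO_EXTENSIONS = {"docm", "dotm"}


def inspect_office_attachment(filename, data):
    """Classify an email attachment (name + raw bytes) as an OOXML document.

    Returns a dict of findings and a verdict of "allow", "quarantine" or
    "review" (container could not be parsed). Hypothetical function name."""
    result = {"filename": filename, "is_ooxml": False, "has_vba": False,
              "macro_enabled_ct": False, "extension_mismatch": False,
              "verdict": "allow"}
    if not data.startswith(b"PK\x03\x04"):      # not a zip container at all
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result                    # a zip, but not an Office package
            result["is_ooxml"] = True
            # The VBA project is stored as word/vbaProject.bin (xl/ or ppt/ for
            # other Office apps); its presence means macros, whatever the extension.
            result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_ct"] = MACRO_ENABLED_CT in content_types
    except zipfile.BadZipFile:
        result["verdict"] = "review"             # truncated or deliberately malformed
        return result
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # A VBA project inside a file named .docx is a disguise worth flagging separately.
    result["extension_mismatch"] = result["has_vba"] and ext not in MACRO_EXTENSIONS
    if result["has_vba"] or result["macro_enabled_ct"]:
        result["verdict"] = "quarantine"
    return result


def build_sample(with_vba):
    """Build a minimal OOXML package in memory. Constructed test data, not a real
    Locky carrier: the VBA part is an inert placeholder, not macro code."""
    main_ct = MACRO_ENABLED_CT if with_vba else PLAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),   # macros hidden behind .docx
                       ("memo.docx", build_sample(False))]:
        print(inspect_office_attachment(name, blob))
```

The check is purely structural: it tells you a document carries macros, not what they do, so it belongs alongside a policy on macro-enabled attachments from external senders.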

The stats highlight the ever-changing tools and techniques being used by cyber-criminals to make their campaigns more effective.

Worryingly, it appears the ransomware threat is as big as ever: Chong argued that it has now become more lucrative than even banking trojans.

In fact, Locky became the number one email-borne threat in the second quarter, overtaking Dridex, according to Proofpoint.

The vendor’s latest Threat Summary revealed that 69% of email attacks using malicious attachments featured the ransomware variant, versus 24% in the first quarter.

That same report claimed that CryptXXX was the major player in terms of exploit kits (EKs), although EK traffic dropped by 96% between April and mid-June.

New variants are appearing all the time. Just this week a version of Hidden Tear was found masquerading as a Pokemon Go app, designed to target Arabic speakers.

Source: Information Security Magazine

Sage Employee Arrested in Connection with Data Breach

As the fallout from the recent Sage breach continues to rumble on, City of London police have arrested a Sage Group employee on suspicion of fraud.

The 32-year-old female was cuffed at London’s Heathrow airport yesterday in connection with the incident earlier this week, which saw the Newcastle-based software maker suffer what it described as “unauthorized access” to a “small number” of its six million or so UK customers via an internal login. The woman has since been released on bail and investigations are ongoing, police have confirmed.

Sage added:

“Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security.”

This latest breach is just another reminder that the ‘insider threat’ is still a very real risk to companies.

Mark James, security specialist at ESET, explained that one of the weakest links in any organization is the users; you can have as many security features as you like but most of the time someone somewhere needs access to it in one way or another.

“If that user gets compromised or joins the dark side then that data could be at risk. Of course there are lots of things you can do to make it difficult: making sure only some of the network is accessible through segregated access, masking certain stored information to ensure it’s not viewable in its entirety, encrypting the data that’s stored in the databases and of course making sure that every single task or keystroke is audited. But typically your admins will need to access a large chunk of that data to keep it happy and accessible for all. Insider threats are on the up; it’s no longer sufficient to assume your biggest threats are from external attacks.”

Jonathan Sander, VP of product strategy at Lieberman Software, shares a similar view, arguing that the Sage breach just goes to show despite all the headlines about bad guys trying to break in there is an ever present danger from within, too.

“Often firms spend tons of money protecting against outsiders getting in, but fall into the ‘we trust our people’ trap when it comes to insider threat. The trouble with trusting staff is that they're likely worthy of that trust until the moment they become disgruntled – and there's no way to see that moment happen. Every organization must shift to a least trust model for inside security, and even make the goal zero trust. Every scrap of sensitive information should be under a least permission model in files, folders, email systems, and inside applications. Very rigorous process must be applied to IT administrators and the privileged access they have because it can bypass all your strong security if you're not careful.”

Source: Information Security Magazine

Cisco, Juniper and Fortinet Investigate Zero-Day Claims

Cisco, Fortinet and Juniper Networks have confirmed that they are investigating reports of zero-days in their products.

After the apparent NSA hack by the ‘group’ known as the Shadow Brokers, whose leaked archive Edward Snowden described as a “treasure trove of ‘cyber weapons’” that he said belong to the Equation Group, the three companies have confirmed that they are investigating reports of zero-days.

Cisco confirmed that two exploits in the leaked archive are legitimate. The first vulnerability listed in the archive directory is Cisco Adaptive Security Appliance SNMP Remote Code Execution, which Cisco rated high because it could allow remote code execution on affected devices and give an attacker full control. The second is Cisco ASA CLI Remote Code Execution, for which Cisco has issued a fresh security advisory.

Fortinet has also issued a security advisory for the Cookie Parser Buffer Overflow Vulnerability, which is rated high because it allows remote administrative access. It affects FortiGate firmware released before August 2012 and, “when exploited by a crafted HTTP request, can result in execution control being taken over”.

Juniper, according to Forbes, has also confirmed that it is looking into the leaks. A spokesperson said that it is reviewing all available information related to the disclosures allegedly from the Equation Group, and will analyze any new information that becomes available.

The Shadow Brokers group released a 256MB compressed archive containing around 4000 files that mainly appear to be installation scripts, configuration files, and exploits targeting a range of routers and firewall appliances.

According to Symantec, it will take some time to assess all of the released files. However, early indications are that at least some of the tools released are functioning exploits.

Source: Information Security Magazine

Pokémon Go ‘App’ Hides Nasty Ransomware Surprise

Security researchers have discovered new ransomware masquerading as a Pokémon Go app which also creates a backdoor in the victim’s machine as well as attempting to spread itself via removable media.

The malware itself is an updated version of the Hidden Tear open source initiative, according to Lawrence Abrams at Bleeping Computer.

Discovered by researcher Michael Gillespie, the ransomware impersonates a Windows Pokemon Go app; it scans a victim’s drive and encrypts any file with certain extensions, as ransomware usually does.

However, there are some features which demand further attention.

“Most ransomware infections encrypt your data, delete itself, and then display a ransom note. The malware developers are there to do one thing; encrypt your files so that you pay the ransom,” explained Abrams.

“With this said, most ransomware typically does not want to leave any traces behind other than the ransom notes. The Pokemon Go ransomware acts a little differently as it creates a backdoor account in Windows so that the developer can gain access to a victim's computer at a later date.”

It’s not clear at this stage why the backdoor has been created, nor why the ransomware also creates network shares on the victim’s computer.

It has also been designed to copy itself to all removable drives before creating an Autorun.inf file so that it runs every time removable media is inserted into the computer.
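The removable-media propagation described above leaves a concrete artefact to hunt for. This added example, not code from Bleeping Computer or the researchers named, parses an Autorun.inf from a removable drive and reports which entries would launch a program, while ignoring harmless label and icon entries. Both Autorun.inf texts are constructed samples and the "PokemonGo.exe" name is illustrative, not the real sample's file name; Windows versions since 7 (and older ones with the 2011 AutoRun update) no longer honour Autorun.inf on USB drives, so the file mostly serves as an indicator of the worm's presence.

```python
import configparser
import re

# [autorun] keys that launch a program directly, plus shell\<verb>\command
# entries that bind a program to a context-menu verb (including the default one).
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def first_token(value):
    """Return the program part of a command line, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun(text):
    """Parse Autorun.inf text; return the (key, value) pairs that launch something."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str.lower           # Windows treats keys case-insensitively
    try:
        cp.read_string(text)
    except configparser.Error:           # no section header, broken lines, etc.
        return {"parse_error": True, "targets": []}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {"parse_error": False, "targets": []}
    targets = [(k, v.strip()) for k, v in cp.items(section)
               if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]
    return {"parse_error": False, "targets": targets}


def assess_autorun(text):
    """Verdict for one Autorun.inf: 'suspicious' if it would run a program or
    cannot be parsed, 'benign' if it only sets a label or icon. Hypothetical name."""
    parsed = parse_autorun(text)
    reasons = []
    if parsed["parse_error"]:
        reasons.append("Autorun.inf could not be parsed")
    for key, value in parsed["targets"]:
        program = first_token(value)
        ext = ("." + program.rsplit(".", 1)[-1].lower()) if "." in program else ""
        # shellexecute hands its value to ShellExecute, so any target counts as a launch.
        if key == "shellexecute" or ext in RISKY_EXTENSIONS:
            reasons.append(f"{key} launches {program or value!r}")
    return {"verdict": "suspicious" if reasons else "benign",
            "reasons": reasons, "targets": parsed["targets"]}


# Constructed samples: the executable name is illustrative, not the real sample's.
SAMPLE_WORM = r"""[autorun]
open=PokemonGo.exe
icon=PokemonGo.exe,0
shell\open\command=PokemonGo.exe
action=Open folder to view files
"""
SAMPLE_BENIGN = r"""[AutoRun]
icon=drive.ico
label=Backup Drive
"""

if __name__ == "__main__":
    print(assess_autorun(SAMPLE_WORM))
    print(assess_autorun(SAMPLE_BENIGN))
```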

Although the sample discovered by Gillespie is targeted at Arabic speakers – and most likely developed by an Algerian national – it is still in development, so we could see it reappear in a more battle-ready form in time.

Mark James, security specialist at ESET, warned that the backdoor could allow a hacker to remotely connect to a victim’s computer at a later stage to perform other malicious tasks.

“It’s currently targeted at Arabic victims but could easily be adapted for global use and we could see it modified and spread in other countries,” he added.

“Malware is constantly changing and the need to have a good multi-layered regular updating internet security product is a must these days if you want to keep safe. Keep your operating system and applications updated and on the latest versions and make sure you have some kind of backup to protect any data you can’t afford to lose.”

Source: Information Security Magazine

Datasploit Tool Makes Social Engineering Child’s Play

A new tool designed for pen testers and investigators could also offer cyber-criminals an easy way to socially engineer their victims, highlighting the fine line between legitimate and black hat activity.

Datasploit, which was showcased at the Black Hat Arsenal event, utilizes Open Source Intelligence (OSINT) to uncover personal info about a target, correlates the raw data and presents it to the user.

The tool, which was built with Python, MongoDb and Django, only requires the user to know a single piece of information on a target such as their email address or phone number.

It will then go out and mine the rest, filter out the noise, correlate it and then repeat the process several times before storing it in a database.

The sources used by Datasploit’s developers – NotSoSecure’s Shubham Mittal, eBay’s Nutan Kumar Panda, and Sudhanshu Chauhan of Octogence – are all ‘hand-picked’ and are known to be reliable, they said.

A brief explanation of the tool continued:

“It allows you to collect relevant information about a target which can expand your attack/defense surface very quickly. Sometimes it might even pluck the low hanging fruits for you without even touching the target and give you quick wins. Of course, a user can pick a single small job (which do not correlate obviously [sic]), or can pick up the parent search which will launch a bunch of queries, call other required scripts recursively, correlate the data and give you all juicy information in one go.”

The product is marketed at “pen-testers, cyber investigators, product companies, defensive security professionals etc,” according to its developers.

However, Ronnie Tokazowski, senior researcher at PhishMe, warned that it could quite easily be abused by black hats to gain the credentials needed to breach systems.

“Datasploit takes data gathering a step further than similar tools such as recon-ng and SET by adding automation, providing another example of how hackers are evolving their techniques to gain access to specific assets within a network,” he added.

“Datasploit allows criminals to easily gather information that can be used to penetrate any network or database linked to that particular person in order to steal business assets.”

It’s yet another reason for IT security teams to be vigilant and to stay informed of the changing threat landscape, Tokazowski concluded.

Source: Information Security Magazine