
Archive for September 2016

Password Reuse Remains Rampant


Despite high-profile, large-scale data breaches dominating the news cycle, and repeated recommendations from experts to use strong passwords, global consumers have yet to adjust their own behavior when it comes to password reuse.

Released on the eve of National Cyber Security Awareness Month, a survey from LastPass found that 95% of respondents recognize the characteristics of a strong password. Even so, 47% are still using their initials or the names of friends or family as their passwords. About 42% use significant dates and numbers, and 26% use pet names. All of this information is easily obtainable through social media sites or from a casual acquaintance.

Then there’s password reuse, most recently in the headlines related to the Yahoo breach. The survey shows that 91% of us know there is a risk when reusing passwords, but 61% continue to do so. If passwords are being reused across accounts, cyber-criminals who hack a lower-prioritized account can easily gain access to something that is more critical, like a savings or credit card account. And indeed, this vector looks alive and well: 69% of respondents prioritized password strength for financial accounts over retail (43%), social media (31%) and entertainment (20%). More than a third (39%) of respondents said they create more secure passwords for personal accounts over work accounts.

Changing passwords every month or so is another best practice, but only 29% of consumers change their passwords for security reasons, according to the survey. The No. 1 reason people change passwords is because they forgot what they were (46%).

“Developing poor password habits is a universal problem affecting users of any age, gender or personality type,” says Joe Siegrist, VP and GM of LastPass. “Most users admit to understanding the risks but continue to repeat the behavior despite knowing they’re leaving sensitive information vulnerable to potential hackers. In order to establish more effective defenses, we need to better understand why individuals act a certain way online and a system that makes it easier for the average user to better manage their password behavior.”


Source: Information Security Magazine

Popular Boxing Site Punches Visitors with Banking Malware


A popular Russian boxing site (allboxing.ru) boasting 3 million visitors per month has been infected by highly evasive code that attempts to silently redirect users to a third-party website containing an exploit and a Russian banking trojan—but only if the user is active on the site.

According to Forcepoint Security Labs, the injected code employs several evasion tactics. For one, “the attacker has made significant effort to blend in with the legitimate content by using the same formatting and comment style,” said Forcepoint Security’s Nicholas Griffin, in an analysis.

The attacker also attempts to insert a malicious script from his or her own website—but it’s not inserted if the user's browser is either Chrome or Opera, presumably because the attacker is not able to exploit these browsers.

The domain name and URL path used for the third-party site are also clever: they use the term "canvas," which is a well-known boxing term, and the URL contains the word "sport."

“This makes the URL appear a lot less suspicious considering that allboxing.ru is a boxing news site,” Griffin said.

And perhaps most notably on the stealth front, the script ensures that sufficient user interaction has occurred from either clicking, scrolling or moving the mouse. The attacker has given different weighting scores to the different types of user interaction and will only insert the iFrame once the threshold score is above 30. This is a stealth tactic used to prevent automated analysis systems from being redirected to the exploit, Griffin explained.

If all the boxes are ticked, the script downloads a variant of the Buhtrap Russian banking trojan. Buhtrap is a criminal cyber-hacking group that targets financial institutions. As reported by Group-IB, Buhtrap has been active since 2014. From August 2015 to February 2016, it managed to conduct 13 successful attacks against Russian banks and defrauded them of a total of $25.7 million.

“Attackers are getting better at disguising the code they inject into compromised websites,” said Griffin. “Websites with high volumes of traffic are a popular choice for attackers, and this is especially true if the bulk of the traffic is from a specific region of the world of interest to the attacker. With the recent arrests of actors using the Lurk banking trojan, Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software.”


Source: Information Security Magazine

Half of US State Election Boards Attacked, 4 Breached by Russia


Russian hackers are ramping up their offensive on US voting databases ahead of the presidential election, with nearly half of all states reporting attacks.

More than 20 state election boards have reported incidents, according to NBC News sources. Four of those systems have successfully been breached, sources told ABC News. Multiple sources in law enforcement have confirmed the situation to other media outlets as well.

The FBI has verified attempted hacks of voter registration sites in more than a dozen states, according to two law enforcement officials speaking to CNN. CNN also reported that Homeland Security Secretary Jeh Johnson said 18 states have requested cyber-assistance from his department for voting systems.

“There have been a variety of scanning activities which is a preamble for potential intrusion activities as well as some attempted intrusions at voter database registrations beyond those we knew about in July and August,” FBI Director James Comey said at a House Judiciary Committee hearing this week. “We are urging the states just to make sure that their deadbolts are thrown and their locks are on and to get the best information they can from DHS just to make sure their systems are secure. Because there's no doubt that some bad actors have been poking around.”

The FBI sent a warning to states in June, following two successful intrusions into voter registration databases in Illinois and Arizona.

The hacks have been aimed at voter registration databases, which contain potentially lucrative personal information on citizens that could be sold on the Dark Web. US officials have downplayed the hacks’ potential to sway an election, reiterating that the actual voting systems that will be used to cast ballots in November are not connected to the internet and are decentralized, meaning that a coordinated hacking effort would be nearly impossible. But the relentless attacks could be aimed at sowing the seeds of distrust in the system ahead of the election.

California Sen. Dianne Feinstein and California Rep. Adam Schiff, the ranking members on the Senate and House Intelligence Committees, respectively, released a joint statement blaming Russian President Vladimir Putin and the Russian government for attempting to influence the process.

"Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the US election," they wrote.

Asked this summer why Russia might be trying to undermine the US political process, Director of National Intelligence James Clapper said Russian President Vladimir Putin is "paranoid" about the potential for revolutions in Russia, "and of course they see a US conspiracy behind every bush, and ascribe far more impact than we’re actually guilty of."

The news comes just days after the FBI asked to examine the cell phones of a small number of Democratic Party staffers for evidence of hacking. Sources told CNN that law enforcement is looking for malware, and is assessing whether targeting staffers is part of the original breach of Democratic National Committee emails or something new.

"Our struggle with the Russian hackers that we announced in June is ongoing—as we knew it would be—and we are choosing not to provide general updates unless personal data or other sensitive information has been accessed or stolen," interim DNC Chairwoman Donna Brazile told CNN.

For months, the FBI has been investigating what appear to be coordinated cyberattacks on Democratic organizations—the most damaging so far being the hack of the Democratic National Committee, which presidential hopeful Hillary Clinton argued was carried out in order to provide leverage to the campaign of GOP rival Donald Trump.


Source: Information Security Magazine

Bug Brokerage Ups iOS Exploit Bounty to $1.5 Million


Notorious exploit broker Zerodium has tripled the reward for zero-day exploits in iOS 10 to an astonishing $1.5 million in a move that will keep Apple security teams busy.

The firm, which describes itself as “the premium acquisition program for zero-day exploits and advanced cybersecurity research,” also doubled the reward for Android 7 exploits to $200,000.

Flash RCE exploits now pay up to $100,000 – up from $80,000 – and Microsoft Edge and IE as well as Safari on Mac exploits will pay out $80,000, up from $50,000.

Zerodium boasts that all submitted research will be evaluated in under a week and payment is wired to the developer in a week or less.

The firm also claimed it may go even higher than the new prices for “exceptional exploits or research.”

Its business is a controversial one, given that the firm is effectively peddling exploits to governments so they can spy on people.

It’s up to the respective governments whether they use the tools responsibly to monitor terrorist suspects and catch criminals or, as in a recent case, to spy on human rights activists.

Last month Apple was forced to patch ‘Trident’ – a chain of three zero-day exploits designed to deliver the Pegasus spyware.

It is thought the UAE government had paid an exploit broker for the code, mainly because it was flagged by internationally renowned campaigner Ahmed Mansoor, who spotted a suspicious looking text message sent to his iPhone containing what turned out to be a malicious link.

The sums Zerodium and other similar companies are willing to pay out are in stark contrast to the rather more moderate bug bounty programs run by the tech companies themselves.

Apple, for example, will only pay up to $250,000. However, the brokers like Zerodium want only high quality exploits that work seamlessly and are “fully functional,” so the bar is set higher for the vulnerability researchers vying for a pot of cash.

Source: Information Security Magazine

UK Gov Boost Security with HTTPS and DMARC


The UK government is mandating the use of the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol as well as HSTS and HTTPS as of Saturday in a major boost to its cybersecurity credentials.

The Cabinet Office’s Government Digital Service (GDS) will require that the strongest DMARC policy (“p=reject”) be the default for email services from 1 October.

It is hoped that this will fortify systems against phishing and similar spoofing scams. The HMRC, one of the most ‘phished’ government departments, has apparently been using DMARC and other technologies including SPF and DKIM for a number of years.

The use of HSTS and HTTPS, meanwhile, will encrypt information to and from government websites to help protect against Man in the Middle and other attacks.
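A check for the two controls described above, as an added example that is not part of the original article or of any GDS tooling: it audits a DMARC TXT record for full `p=reject` enforcement and a `Strict-Transport-Security` header for a usable `max-age`. The function names and the sample records are constructed for illustration.

```python
# Added example: all records and headers below are constructed samples.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def audit_dmarc(record):
    """Return findings; an empty list means p=reject applies to all mail."""
    try:
        pairs = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    # The version tag must come first, otherwise receivers ignore the record.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    tags = dict(pairs)
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or '(missing)'}: failing mail is not rejected")
    # sp overrides p for subdomains; when absent, subdomains inherit p.
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains get a weaker policy")
    # pct defaults to 100; anything lower applies the policy to a sample only.
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        findings.append(f"pct={pct}: not a number from 0 to 100")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


def audit_hsts(header):
    """Return findings for a Strict-Transport-Security value (None = header absent)."""
    if header is None:
        return ["no Strict-Transport-Security header: first visits can still use HTTP"]
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return ["max-age missing or not a number: the header is invalid"]
    if int(max_age) == 0:
        return ["max-age=0 tells the browser to forget its HSTS entry"]
    return []


if __name__ == "__main__":
    samples = [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",  # full enforcement
        "v=DMARC1; p=none",                                   # monitoring only
        "v=DMARC1; p=reject; sp=none; pct=50",                # weakened by sp and pct
        "p=reject; v=DMARC1",                                 # version tag not first
    ]
    for rec in samples:
        print(rec, "->", audit_dmarc(rec) or "OK")
    for hdr in ["max-age=31536000; includeSubDomains", "max-age=0", None]:
        print(hdr, "->", audit_hsts(hdr) or "OK")
```

A record can carry `p=reject` and still fall short of it in practice, which is why `sp` and `pct` are checked alongside `p`.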

Patrick Peterson, founding member of DMARC and executive chairman at email security firm Agari, welcomed the move.

“Email is the number one entry point for data breaches, and the use of DMARC email authentication protocol for all .gov email domains will greatly reduce the risk of breaches and cyber-attacks,” he argued.

“This includes targeted email attacks such as Business Email Compromise (BEC) and spear phishing, which target governmental staff by impersonating senior officials, and phishing attacks that target members of the public by spoofing the .gov brand.”

The move will certainly go some way to improving the government’s cybersecurity posture, but it will have to do more about accidental data loss if it wants to really prevent breaches.

The NHS topped the list of security incidents reported to the Information Commissioner’s Office (ICO) in the period 1 January – 31 March 2016 alone, according to an FoI request by Egress revealed in June.

In total, human error (62%) accounted for the vast majority of incidents, far more than insecure webpages and hacking (9%).

Within human error, data posted or faxed to the wrong recipient (17%), loss and theft of paperwork (17%) and data emailed to the wrong recipient (9%) were the main causes of data loss.

Source: Information Security Magazine

Yahoo! Mobile Mail Wide Open Even After Password Reset


In the aftermath of Yahoo! announcing the breach of 500 million user accounts, Trend Micro Zero Day Initiative (ZDI) researchers are warning that a password reset still leaves mobile mail wide open to criminals.

As the half billion consumers impacted by this breach know, Yahoo! is recommending users update their password to rectify the situation. But ZDI noted that users who access their accounts from a mobile device are not being prompted to update their passwords. This allows anyone with the account credentials to continue accessing the email account, potentially gaining additional personal data to further attack the individual.

ZDI’s Simon Zuckerbraun said that he received a notification that his account was included in the breach. Like many others, he logged in to his account and changed his password. He then opened his iPhone Mail application since he had configured the app to use his Yahoo account. He expected to be prompted for his new password and was more than a little surprised when he found it was not necessary. Even though he had changed the password associated with his Yahoo account, the phone was still connected.

“Upon investigating, it became clear that Yahoo had issued a permanent credential to the device,” ZDI noted, in an analysis. “This credential does not expire and is not revoked when the password changes. In other words, if someone already obtained access to your account and configured the iOS Mail app to use it, they would still have access to the account even after the password changes. What’s worse is that you would likely not even realize someone still has access to your email.”

Obviously, this could lead to a situation where millions believe they are protected even though they aren’t. And ZDI noted that, even for the security conscious, it’s hard to be diligent; associated devices aren’t listed under the “Account Security” tab in the web interface—rather, they’re non-intuitively listed under the “Recent Activity” tab. And in the phone settings, there’s no option via the app to change the password.

“Here you are able to see which applications are connected to your account with an option to remove them,” ZDI noted. “It’s also interesting to see the apps and devices are just listed by product name—in this case iOS—and the date authorized. It’s up to the user to figure out what is legitimate and what’s not.”

To stay safe, users should change their Yahoo! password on the web and anywhere they may have reused the compromised Yahoo password with other online services. Then, set up two-factor authentication (2FA) or use Yahoo’s Account Key. Then go through the website to remove any associated devices.
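The gap ZDI describes is a device credential that outlives the password it was issued under. The sketch below is an added example, not Yahoo's implementation: it assumes a hypothetical `TokenService` whose device tokens are bound to a per-account credential epoch, so a password change invalidates every token issued before it. The `check_epoch=False` path models the behaviour reported in the article.

```python
import hashlib
import hmac
import secrets


class Account:
    def __init__(self):
        self.epoch = 0        # incremented on every password change
        self.revoked = set()  # device ids the user removed by hand


class TokenService:
    """Hypothetical issuer of long-lived device tokens (constructed for illustration)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side signing key
        self.accounts = {}

    def _mac(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, device_id):
        """Issue a token that records the account's current credential epoch."""
        acct = self.accounts.setdefault(user, Account())
        payload = f"{user}|{device_id}|{acct.epoch}"
        return f"{payload}|{self._mac(payload)}"

    def change_password(self, user):
        """Bump the epoch so tokens issued under the old password go stale."""
        self.accounts[user].epoch += 1

    def revoke_device(self, user, device_id):
        """Per-device removal, like the list under 'Recent Activity'."""
        self.accounts[user].revoked.add(device_id)

    def verify(self, token, check_epoch=True):
        """Accept a token only if it is authentic, not revoked and, by default, current."""
        try:
            user, device_id, epoch, mac = token.split("|")
        except ValueError:
            return False
        payload = f"{user}|{device_id}|{epoch}"
        if not hmac.compare_digest(mac.encode(), self._mac(payload).encode()):
            return False
        acct = self.accounts.get(user)
        if acct is None or device_id in acct.revoked:
            return False
        # Without this check the token is a permanent credential.
        if check_epoch and int(epoch) != acct.epoch:
            return False
        return True


def demo():
    """Walk through the scenario from the article with constructed names."""
    svc = TokenService()
    token = svc.issue("alice", "ios-mail")
    svc.change_password("alice")
    return {
        "permanent_credential_still_valid": svc.verify(token, check_epoch=False),
        "epoch_bound_token_still_valid": svc.verify(token),
    }


if __name__ == "__main__":
    print(demo())
```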

Yahoo! did not immediately respond to a request for comment. We will update the story with any statements from the online giant.


Source: Information Security Magazine

Tofsee Botnet Gets Aggressive with Russian Dating


A marked increase in the volume and velocity of spam email campaigns containing malicious attachments is spreading the Tofsee malware and botnet at unprecedented aggression levels.

According to Talos, Tofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

In the latest wave, the initial infection for this variant of Tofsee is accomplished by convincing users to open malicious attachments that are delivered via phishing emails. The phishing emails purport to be from women in Eastern Europe (namely Russia and Ukraine) and the theme of the emails is (what else?) adult dating. The messages purport to contain an attached zip archive with pictures of the sender as well as links to a Russian adult dating website.

“Threats are constantly evolving as attackers change the way in which they attempt to distribute malware and attack systems,” said Talos researcher Edmund Brumaghin, in a blog. “Threat actors also constantly strive to expand their presence by taking advantage of the ever increasing number of Internet users and devices.”

Earlier this year, Talos found that the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Now, it appears that the botnet operator has ditched passive techniques.

“The RIG exploit kit moved from distributing Tofsee to other payloads, possibly because distributing them was more attractive to cybercriminals from a monetization standpoint or simply because different actors began using this exploit kit as a distribution mechanism for their malware,” said Brumaghin. “When RIG stopped distributing Tofsee payloads, those responsible for Tofsee switched to alternative distribution methods.”

The nature of the spam has changed as well, he added.

“While the Tofsee botnet has been known for sending spam messages, the messages have historically contained links to adult dating and pharmaceutical websites,” he said. “The Tofsee spam botnet has begun utilizing malicious attachments that function as malware downloaders. This activity has increased in velocity and volume.”


Source: Information Security Magazine

83% of Companies Have Released Applications They Know Are Unsafe


Bug bounties have been on the rise and are widely regarded as a smart way to scale the testing of your security code. But a new survey shows that businesses may be over-reliant on them.

The survey, from Veracode and Wakefield, found that businesses are dis-incentivized to invest in secure coding internally. A full 59% believe it’s more expensive to fix code flaws found in bug bounty programs than to secure code during development. No wonder that 83% of respondents said that they have released code before testing or resolving security issues for bugs.

The result is that although the majority of respondents feel as though their software and applications are secure, many lack the proactive, layered security programs necessary to combat today’s vulnerabilities, the report concluded.

In fact, the evidence points to insecurities: About half (44%) have spent more than a million dollars on bug bounty programs to catch vulnerabilities—even though 79% agree that an effective application security program results in spending less on bounties.

The survey shows that one in three (36%) have turned to bug-bounty programs.

“These types of programs have even caught the eye of notable technology giants such as Apple, Google and Yelp, all of whom have jumped on the widely-publicized bandwagon, and announced their own programs,” the report noted. “Proactive, automated vulnerability detection and remediation is now more important than ever. Further proven in that today’s threat landscape web application attacks continue to be the number one source of data breaches, end-user organizations are on the hunt to alleviate these potentially catastrophic challenges.”

But, although bug bounty programs can be effective, relying on a reactive approach to vulnerability detection is simply not enough. Since bug bounty programs focus on applications in use, they merely expose risks that the users of that application have been exposed to for months or even years, the report pointed out.

And indeed, Veracode’s survey data shows that 77% of professionals admit to relying too heavily on programs intended to catch mistakes in code that should have been proactively identified. Furthermore, 93% believe most flaws uncovered in a bug bounty program could have been prevented by developer training or testing in the development phase.

“In today’s technology environment, application security testing for vulnerabilities and flaws in software code should be a security best practice, regardless of an organization’s size or industry,” said Chris Wysopal, co-founder and CTO, Veracode. “While bug bounty programs catch flaws that inadvertently slipped through the software layer cracks, this reactive approach will not solve the bigger issue at stake which is helping eliminate security-related defects before the software is put into use. Our survey data is a signal to the security and researcher community that businesses need help in their software security strategy; it’s our responsibility as experts to assist in better securing software before it’s too late.”


Source: Information Security Magazine

Web Host Hit by DDoS of Over 1Tbps


A French web hoster is claiming his firm has been hit by the biggest DDoS attack ever seen, powered by an IoT botnet with an estimated capacity of 1.5Tbps.

Octave Klaba, the founder and CTO of OVH, took to Twitter late last week to reveal his firm was under attack from a stream of DDoS blitzes creeping towards and eventually past the 1Tbps mark.

He claimed the botnet in question was initially comprised of around 145,000 internet-connected cameras and digital video recorders with an estimated 1-30Mbps capacity each – that’s a potential 1.5Tbps in total.

In further updates this week Klaba said the botnet had increased by first another 6857 devices and then 15,654 more.

The news follows reports last week that Akamai was forced to withdraw its pro bono DDoS protection of the KrebsOnSecurity site after it was allegedly hit by an attack measuring 665Gbps, then the largest on record.

Dave Larson, CTO and COO at Corero Network Security, claimed the recent attacks are beginning to change the way IT security professionals view DDoS.

“The internet is a powerful tool, and must be viewed with security and protection first and foremost,” he added. “Motivations for attacks, and the tools and devices used to execute the attacks, are readily available to just about anyone; combining this with almost complete anonymity creates a recipe to break the Internet.”

Roland Dobbins, principal engineer at Arbor Networks, argued that IoT botnets are increasingly favored by hackers because the devices frequently ship with insecure defaults, are often connected to high speed internet and are rarely patched to fix bugs.

“Embedded IoT devices are often low-interaction – end-users don’t spend much time directly interfacing with them, and so aren’t given any clues that they’re being exploited by threat actors to launch attacks,” he told Infosecurity.

“Organizations can defend against DDoS attacks by implementing best current practices for DDoS defense, including hardening their network infrastructure; ensuring they’ve complete visibility into all traffic from their networks; having sufficient DDoS mitigation capacity and capabilities either on premise or via cloud-based DDoS mitigation services or both; and by having a DDoS defense plan which is kept updated and is rehearsed on a regular basis.”

Source: Information Security Magazine

FBI Probes Possible Democrat Mobile Phone Hack


The FBI is looking into the possible hacking of Democratic Party officials’ mobile phones as an investigation into a string of cyber-attacks on the party widens.

Sources told Reuters that the Feds have asked to image the devices of a small number of officials, although it’s not clear whether any are members of Congress.

It’s possible that the attacks are linked to a long-running cyber espionage campaign against the party’s Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC), which many believe to have been orchestrated by the Kremlin.

There would certainly be geo-political mileage to be gained from disrupting the November presidential elections, or even releasing data which could undermine the eventual winner once in power.

Presidential hopeful Hillary Clinton was pretty unequivocal during Monday’s debate about the cause of the cyber-attacks.

“Putin is playing a really tough, long game here, and one of the things he's done is to let loose cyber attackers to hack into government files, to hack into personal files, hack into the Democratic National Committee,” she told attendees.

Her rival Donald Trump, who has been accused of being a Putin supporter, fired back that there’s no firm evidence for that yet.

Democrat officials and Clinton campaign spokespeople have either refused to comment or claimed they’re unaware of the FBI’s latest investigation.

In related news, it emerged that attempts to hack election registration data have intensified.

Homeland security secretary, Jeh Johnson, told the Senate Homeland Security Committee that 18 states have now asked for help in defending against cyber-attacks on their electronic voting systems.

The news follows an FBI alert sent out in August to election officials nationwide after two state-level voter databases were breached by foreign hackers.

Senator Dianne Feinstein, vice chairman of the Senate Intelligence Committee, and Congressman Adam Schiff laid the blame for recent incidents firmly at Russia’s door.

“At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes of the election – we can see no other rationale for the behavior of the Russians,” a joint statement read.

“We believe that orders for the Russian intelligence agencies to conduct such actions could come only from very senior levels of the Russian government.”

Tim Erlin, senior director of product management at Tripwire, argued that in nearly every compromise, the extent of the attack is bigger than that originally disclosed.

“We shouldn’t be surprised to learn that’s true here as well,” he added.

“It’s difficult to guess at the end game of an attacker that’s as well-resourced and expansive as Russia. A nation-state adversary doesn’t generally plan one move, but looks at multiple, multi-step options to achieve a set of goals. This isn’t credit card theft. It’s modern espionage.”

Source: Information Security Magazine