Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for November 2016

Android Vulnerability Affects 2.8 Million Devices

Android Vulnerability Affects 2.8 Million Devices

A new Android vulnerability, estimated to impact 2.8 million devices worldwide at its peak, has been uncovered by security ratings firm BitSight.

The vulnerability, which affects devices out of the box, involves Android devices (including BLU Studio G from Best Buy) and an over-the-air (OTA) update mechanism associated with the software company, Ragentek Group, in China. Certain mobile phones are this vulnerable to man-in-the-middle attacks, allowing adversaries to execute arbitrary commands as a privileged user—such as extracting information or remotely wiping the device—and making it possible to gain access to other systems on a corporate network and steal sensitive information.

Many of these devices sit unknowingly on enterprise corporate networks.

According to BitSight, transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands.

“This OTA binary was distributed with a set of domains preconfigured in the software,” the company said. “Only one of these domains was registered at the time of the discovery of this issue. If an adversary had noticed this, and registered these two domains, they would’ve instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a man-in-the-middle attack.”

BitSight’s AnubisNetworks now controls these two extraneous domains to prevent such an attack from occurring in the future, it said.

Still, the impact is significant. “We have observed over 2.8 million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains,” the company said. “In some cases, we have not been [able] to translate the provided device model into a reference to the real-world device. Thus, there could be additional device models affected.”

Photo © mountainpix

Source: Information Security Magazine

UK Retailers Facing One Million Fraud Attempts Per Day

UK Retailers Facing One Million Fraud Attempts Per Day

The UK’s retailers have been warned to brace themselves for a barrage of fraud attempts this busy festive shopping season, with estimates claiming they’ll be hit by one million attacks each day.

Fraud prevention firm ThreatMetrix made the call based on data collected by its Digital Identity Network – which checks over 20 billion annual transactions supporting 30,000 websites and 4000 customers globally.

It’s predicted that fraudsters will use the run up to Christmas – which now starts during the Black Friday shopping period following American Thanksgiving Day – to sneak through defenses.

Some 50 million global online fraud attacks are expected over the Black Friday and Cyber Monday shopping week.

“It’s not that fraudsters expect IT teams to take their eye off the ball, but they are opportunists, so are looking to take advantage of periods where their fraudulent transactions are less likely to be spotted,” ThreatMetrix product and data evangelist, Rebekah Moody, told Infosecurity.

This is the case because basket values are traditionally higher this time of year, meaning fraudsters will try to sneak through higher value transactions in the hope of not being spotted.

Transaction volumes are also set to peak, so retailers often lower their risk tolerance to let more through without the added friction of fraud checks, explained Moody.

One of the main ways cyber-criminals are circumventing traditional fraud filters is by using automated bots.

“These have evolved from being the traditional brute force attacks that were traditionally stopped by WAFs,” she added. “They’re now much cleverer, adopting low and slow attack rate patterns to masquerade as legitimate human traffic. They might even sneak in a good transaction to trick the system as they mass test and validate stolen identity credentials harvested from data breaches.”

Another tactic which retailers may find hard to combat is when the cyber-criminal socially engineers a victim into downloading remote access software on their machine. Because they take over the account after the customer has legitimately logged in there are no unusual patterns for the retailer to spot.

Fraud prevention systems conducting behavioral analysis of users can help to spot bots and sudden changes in behavior that could indicate an account takeover, Moody claimed.

Source: Information Security Magazine

US Government Releases New IoT Security Guidance

US Government Releases New IoT Security Guidance

The US Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST) both this week released new guidance documents designed to improve IoT security.

The moves were made partly in response to recent major DDoS attacks leveraging botnets of compromised smart devices, which in one case took out some of the biggest names on the internet.

The DHS release is aimed at manufacturers, services providers, developers and business-level consumers while NIST’s much more detailed document targets manufacturers/developers with guidance on how to engineer safer products.

The DHS offers six “strategic principles” including building security into products at the design phase; promoting transparency; building on recognized security practice; and being mindful of whether continuous connectivity is needed or not.

It says of the principles:

“It is a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services and systems.”

Meanwhile, the NIST Special Publication 800-160 covers a massive 242 pages of in-depth technical detail on how to build connected systems which are as resilient and trustworthy as possible.

Its opening abstract has the following:

“Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems.”

Government and industry is finally taking notice of IoT security after botnets built from devices compromised by Mirai malware struck DNS provider Dyn, taking down sites including Spotify, Reddit and Twitter, security site Krebs On Security, and even the entire African nation of Liberia.

In many cases the products themselves are rushed out to market without proper time taken to fortify them against attacks.

However, recent research from the non-profit prpl Foundation actually found that consumers are willing to pay more for more secure smart devices, and are holding off on purchases because they’re worried about vulnerabilities.

That same group has released guidance for IoT stakeholders on how to product more secure kit, based around several key principles: open source software; interoperable standards; a Root of Trust anchored in the chip itself to prevent firmware attacks; and silicon-level virtualization to halt lateral movement.

President of prpl, Art Swift, argued that the DHS guidelines will provide a “good baseline” for manufacturers and developers.

“It often takes governments a little while to catch up with what experts have been saying for years, so it is encouraging that it seems to be sinking in now,” he added.

Source: Information Security Magazine

Three Arrested After Suspected Insider Breach at Three

Three Arrested After Suspected Insider Breach at Three

Three men have been arrested in connection with a data breach at UK operator Three which resulted in the illegal interception of mobile devices heading for customers.

The National Crime Agency (NCA) claimed it had caught a 48-year-old man from Orpington, Kent, and a 39-year-old man from Ashton-under-Lyne, Greater Manchester, on Computer Misuse Act offences.

A third man, a 35-year-old from Moston, Greater Manchester, was arrested on suspicion of perverting the course of justice, according to the BBC.

The men are said to have used an authorized login to access a database of customers – including names and addresses – waiting for a phone upgrade.

They are then thought to have used that information to intercept the phones.

Three has claimed the database in question did not contain any financial details, although it’s still ascertaining exactly how many customers were affected.

“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices,” a spokesman said in a statement.

"We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity."

Chris Hudson, EMEA CISO at Zscaler, claimed the suspects probably had an inside contact.

“While its conceivable that user credentials were obtained through social engineering, swift arrests suggest a chain of associated events can likely be traced and compromise comes from insider intent.

“Three might say it’s okay that payment details weren’t accessed, but frankly – who cares? It doesn’t mean that other confidential data can’t be used to build a false customer profile or commit subsequent fraud at scale.”

He argued that the case should serve as a reminder that strong authentication and improved auditing is essential.

Michael Hack, senior vice-president of EMEA operations at Ipswitch added that the new EU GDPR will increase the scrutiny on firms suffering breaches of this sort.

"Organizations can’t take chances when it comes to IT security and must make sure critical information is kept safe,” he said.

“It’s no longer good enough just to have the right policies in place for secure data transfer, an organization must ensure it has the right file transfer technologies, security systems, processes, and most importantly, staff training."

Source: Information Security Magazine

IT Decentralization Has Deep Security Impact

IT Decentralization Has Deep Security Impact

The increasing decentralization of IT into the cloud has had major repercussions for security, as it has created a lack of clear ownership and responsibility for various mission-critical functions. And IT is struggling to keep up.

Business models are being disrupted and digital transformation is critical in enabling organizations to remain innovative, competitive and agile; cloud computing has been key to this transformation. A survey from VMware conducted by Vanson Bourne on IT management found that 69% of respondents agree that the management of IT has become increasingly decentralized in the past three years. But the findings also revealed that IT isn’t ready for this transition, and it may be causing more harm to businesses than good.

“These survey results reflect that cloud computing is continuing to move technology beyond IT, giving lines of business easy-to-use, flexible IT services to drive innovation within their domains,” said Raghu Raghuram, COO, Cloud Services and Products, VMware.

Security ramifications are significant: 57% of respondents agreeing that decentralization has resulted in the purchasing of non-secure solutions. Another 60% agree decentralization results in applications being developed outside of corporate or government regulations, while 56% agree decentralization results in lack of regulatory compliance of data protection.

The survey also found that 65% of IT respondents want IT to be more centralized, and that 74% believe that the IT department should be responsible for enabling other lines of business to drive innovation.

In EMEA, six in 10 (60%) of IT decision maker (ITDM) respondents agreed that the IT department has had an active role in the decentralization of IT to other business users’ lines of business. The majority of all respondents agree impact of decentralization is making the IT department’s job more challenging (57%), while around half (51%) agree that it will increase the stress on IT personnel and resources.

In Asia-Pacific, 78% of IT decision makers and line-of-business leaders agree that cloud computing has made it easier for lines of business to purchase their own IT. This has led to an average of six additional cloud services being purchased outside of the IT department per organization, according to respondents.

Nearly 75% of ITDMs in Asia-Pacific agree that decentralization makes IT’s job more challenging. And, 60% say decentralization of IT creates a lack of clear ownership and responsibility for IT.

Source: Information Security Magazine

NatWest Implements Behavioral Biometrics for Online Banking

NatWest Implements Behavioral Biometrics for Online Banking

A top UK bank is rolling out behavioral biometrics to secure online transactions.

NatWest, which serves more than 14 million customers in the UK, has been trialing BioCatch technology within Coutts and with some business customers, and plans to pilot the technology with personal banking customers later in 2017.

The bank is using the technology to stop fraudulent attempts to transfer funds, identify remote access Trojans during an online session, and identify fraud attempts occurring across multiple channels (i.e., online and mobile).

BioCatch’s system captures more than 500 points of behavior such as hand-eye coordination, pressure, hand tremors, navigation, scrolling and other finger movements amongst other things to create a unique user profile. Via continuous authentication, it is also able to recognize anomalies in behaviors from the point of login and throughout the entire session. This allows BioCatch to distinguish the normal human behavior of an authorized user from that of an unauthorized user, as well as to recognize automated BOTs, RATS, malware and other malicious account takeover attacks, where the victim is typically unaware that their banking session has been hacked.

 “The technology that we’ve been able to deploy with the help of BioCatch has played a crucial role in strengthening our security systems,” said Simon McNamara, chief administrative officer of NatWest. “The breadth of behavioral biometrics that BioCatch technology can monitor is really impressive and we’ve already seen many examples of it alerting us to suspicious activity and protecting our customers from fraud.”

Eyal Goldwerger, BioCatch CEO, added, “With 48% of data security breaches across the financial services industry involving compromised web applications, the importance of validating a user not only at login but throughout a session as a way to prevent fraud, has taken on increasing urgency. At the same time, today’s leading banks, such as NatWest, are also extremely mindful that injecting additional security measures must be balanced with maintaining a seamless customer experience, whether online or mobile.”

NatWest follows other financial giants in piloting biometrics. Credit card giant Mastercard has begun the long-awaited roll-out of its Identity Check Mobile feature, better known as ‘pay-by-selfie’ across Europe, promising improved friction-free authentication for users.

The service, which will go live soon across 12 markets including the UK, Spain, Sweden, Germany and the Netherlands, uses facial biometrics to verify a user’s identity, meaning they don’t have to remember yet another password to complete a transaction.

Photo © Sergei Kardashev

Source: Information Security Magazine

FIFA Hackers Steal $16 Million from EA

FIFA Hackers Steal $16 Million from EA

A hacker has been convicted of embezzling $16 million from gaming bigwig Electronic Arts, using “FIFA coins,” an in-game virtual currency for a soccer-themed video game.

Anthony Clark, 24, of Whittier, Calif., was convicted of wire fraud by a jury sitting in Fort Worth, Texas. Clark and three co-conspirators gamed the game, as it were. You see, in the FIFA Football game, players can earn FIFA coins based on the time they spend playing. People like soccer, and due to the popularity of FIFA Football, a secondary market has developed whereby FIFA coins can be exchanged for US currency. 

Clark and his buddies managed the ultimate hat trick: They circumvented multiple security mechanisms created by EA in order to fraudulently obtain FIFA coins worth over $16 million. Specifically, the group created software that fraudulently logged thousands of FIFA Football matches within a matter of seconds, and as a result, EA computers credited them with improperly earned FIFA coins.  They then subsequently exchanged their FIFA coins on the secondary market for over $16 million.  

Co-conspirators Nick Castellucci, 24, of N.J.; Ricky Miller, 24, of Arlington, Texas; and Eaton Zveare, 24, of Lancaster, Va., previously pleaded guilty and they await sentencing. 

Interesting, the issue with FIFA coins in not new. In 2014, a member of an international hacking ring responsible for stealing between $100 and $200 million in intellectual property and other proprietary data from Microsoft’s Xbox gaming platform developed a software exploit that did something similar to what Clark and crew accomplished. The exploit generated millions in in-game, virtual currency for Electronic Arts’ FIFA line of soccer games, which he then sold in bulk quantities on the black market.

That same ring was also accused of stealing a pre-release version of Epic’s video game, Gears of War 3; and a pre-release version of Activision’s uber-popular video game, Call of Duty: Modern Warfare 3. Gaming is a high-profile target given the billions that the industry rakes in every year.

Photo © Baron Firenze/ 

Source: Information Security Magazine

SHA-1 Time Bomb: One Third of Websites Have Yet to Upgrade

SHA-1 Time Bomb: One Third of Websites Have Yet to Upgrade

Over a third (35%) of the world’s websites are still using insecure SHA-1 certificates despite the major browser vendors saying they’ll no longer trust such sites from early next year, according to Venafi.

The cybersecurity company analyzed data on over 11 million publicly visible IPv4 websites to find that many have failed to switch over to the more secure SHA-2 algorithm, despite the January deadline.

With Microsoft, Mozilla and Google all claiming they won’t support SHA-1 sites, those still using the insecure certificates from the start of 2017 will find customers presented with browser warnings that the site is not to be trusted, which will force many elsewhere.

In addition, browsers will not display the tell-tale green padlock on the address line for HTTPS transactions, while some might experience performance issues. There’s also a chance some sites will be completely blocked, said Venafi.

SHA-2 was created in response to weaknesses in the first iteration – specifically collision attacks which allow cyber-criminals to forge certificates and perform man-in-the-middle attacks on TLS connections.

However, migration to the new algorithm isn’t as simple as applying a patch, and with thousands of SHA-1 certificates in use across websites, servers, applications and databases, visibility is a challenge, warned Venafi vice-president of security strategy and threat intelligence, Kevin Bocek.

“The deadline is long overdue: National Institute of Standards and Technology (NIST) has called for eliminating the use of SHA-1 because of known vulnerabilities since 2006,” he told Infosecurity.

“Most organizations do not know exactly how many certificates they have or where they are being used, and even if they do, it is a time-consuming and disruptive process to update them all manually.”

Bocek recommended organizations first work out where their SHA-1 certificates are and how they’re being used, before building a migration plan.

“Here, you will need to work out where your priorities are, so that you can protect your crown jewels first – i.e. the sites and servers that hold sensitive data or process payments. This way the team can focus on migrating critical systems first to ensure they are better protected,” he explained.

“The best way to do this is through automation. By automating discovery of digital certificates into a central repository companies can upgrade all certificates to SHA-2 at the click of a button, where possible. And importantly you can track and report on progress to your board, executive leadership, and auditors. This allows businesses to migrate without interrupting business services or upsetting customers.”

Source: Information Security Magazine

Snoopers’ Charter Passes Lords Test

Snoopers’ Charter Passes Lords Test

The House of Lords has passed the controversial Investigatory Powers Bill or Snoopers’ Charter and very soon the legislation will enshrine in law for the first time the mass surveillance of the populace by the security services.

Despite opposition from the Liberal Democrats, Labour’s refusal to fight the bill in the end allowed its pretty smooth ascent into law with few apparent changes.

That will dismay rights campaigners who argue that even if these powers are used with restraint today, they give a terrifying amount of power to the state which will be very hard to reclaim in the future.

The powers themselves legitimize what the security services were recently found to have been doing illegally for years – mass surveillance of the populace and the ability to hack citizens’ devices.

That puts the UK somewhere on a par with Russia and China.

It also mandates that ISPs retain their customers web and phone data for a year – providing attackers with a potential treasure trove of eminently hackable information which could be used for follow-up fraud attacks or even worse, blackmail.

CensorNet CEO, Ed Macnair, expressed his disappointment at the passing of the Snoopers’ Charter by the Lords.

“It’s hardly a secret that agencies like GCHQ and MI5 already have access to our communications, should they need it,” he argued. “Given that, I can’t see how this law will increase our ability to stop terrorism and other crime enough to make it worth it. In fact, I worry it could do more harm than good.”

In fact, former NSA technical director, William Binney, made exactly that point at a committee reviewing the Investigatory Powers Bill in January.

He argued that bulk collection of data doesn’t work, because there’s simply too much for analysts to process. The communications from 9/11 terrorists weren’t spotted because of this approach, he added.

“Who wants to know everyone who has ever looked at Google or the BBC? We have known for decades that that swamps analysts,” he said at the time.

“The net effect of the current approach is that people die first, even if historic records sometimes can provide additional information about the killers.”

Macnair also pointed to the huge security risk that could come from forcing ISPs to retain customer records.

“Can you imagine the damage that could be done to individuals if their private browsing history was made public?” he said.

“That’s not people on ‘dodgy’ sites but individuals with highly personal concerns from sexuality and HIV, to addictions and depression. The Ashley Madison hack if nothing else showed us the devastation that occurs when incredibly personal information is leaked.”

Source: Information Security Magazine

$5 PoisonTap Device Cracks Open Locked Computers

$5 PoisonTap Device Cracks Open Locked Computers

A $5 tool called PoisonTap can allow malicious actors to easily hack into a locked computer.

Discovered by well-known independent white-hat hacker and developer, Samy Kamkar, PoisonTap siphons cookies, exposes internal routers and installs web backdoors on locked computers.

A physical device, PoisonTap simply needs to be plugged into a locked or password-protected computer to work its black magic. It emulates an Ethernet device over USB, and hijacks all internet traffic from the machine (despite being a low priority/unknown network interface).

In all, it allows the attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain. It exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding, and installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning. On the cookie front, it stores HTTP cookies and sessions from the web browser for the Alexa top million websites.

“PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable and microSD card, but can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle,” Kamkar explained in an analysis. “PoisonTap produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors.

A video demonstration of just how easy it is to use can be found here.

While the initial compromise of the device requires physical access, consequent access to the machine can be pulled off remotely. The backdoors and remote access persist even after device is removed and attacker “sashays away,” Kamkar noted.

The discovery represents a new threat vector. “There have been attacks that look similar to the PoisonTap; however, this one is exploiting a completely different system weakness,” said Craig Smith, research director of transportation security at Rapid7, via email. “A key difference with PoisonTap is that it emulates a network device and attacks all outbound communications from the target system. This attack works on both Windows and Mac operating systems, and can hijack a large number of connections, even if the machine is locked. If a user gets up to use the restroom—or even if it's a kiosk that has disabled the keyboard, but the interface is a web backend—this device will still work.”

He added, “The brilliance of the attack is actually in its simplicity: the most complex code in PoisonTap is the beautiful HTML5 canvas animation by Ara. On a $5 Raspberry Pi, Samy pulled together several clever attacks that add up to something really masterful.”

Photo © vixenkristy

Source: Information Security Magazine