Archive for January 2017

Imperva: 1 in 3 Web Visitors is an Attack Bot

Every third visitor to a website is likely to be an attack bot – a trend which has persisted for the past five years, according to Imperva Incapsula.

The security firm’s Bot Traffic Report 2016 analyzed a sample of over 16.7 billion bot and human visits collected from 9 August to 6 November 2016, from 100,000 randomly chosen domains on the Incapsula network.

It claimed that, while not as dangerous as targeted attacks, “indiscriminate” bot-driven campaigns have the potential to compromise large numbers of sites that are poorly protected.

Out of the 100,000 domains sampled, 94% experienced at least one bot attack over the survey period.

For the fifth year in a row, “impersonator bots” were the most common, comprising 24% of all traffic on the Incapsula network and 84% of all bad bot attacks.

Typically it requires little effort on the part of the black hats to mask their bots as legitimate visitors and in so doing bypass traditional security filters, Imperva Incapsula claimed.

As such, they’re used most frequently to launch DDoS attacks, with notable examples being Nitol, Cyclone and the infamous IoT-botnet Mirai, but they can also be used to compromise sites and carry out acts such as ticketing fraud, purchasing large numbers of online tickets which can then be resold by scalpers at a profit.

Igal Zeifman, security evangelist at Imperva Incapsula, argued that intelligent traffic filtering is essential to mitigating the bot threat, but only with solutions that can cross-reference multiple signals, including on-site behavior.

“Most DIY solutions, however, are based on indiscriminately blocking visitors based on the content of their user-agent headers. It's an outdated method that's prone to false positives and is ultimately ineffective against the majority of attackers,” he told Infosecurity.

“In our study we mention the Nitol DDoS bots, which we recorded using over 14,000 different user-agent variants and 17 identities. This is an extreme example, but it helps showcase just how inept the DIY option is when facing increasingly sophisticated malicious bots.”

Bots aren’t all bad, of course, and Imperva found the number of good bots had grown from 19.5% of all traffic in 2015 to 22.9% last year. They’re used for things like ferrying website content to mobile and web apps, collecting info for search engine algorithms and digital marketing.

Source: Information Security Magazine

OurMine Hacks New York Times to Tweet Fake News

OurMine has claimed responsibility for hijacking the New York Times Twitter video account (@nytvideo) on Sunday morning.

The video account, which has more than 250,000 followers, was used to post fake news involving a nonexistent missile attack from Russia against the United States, quoting a leaked statement from Russian President Vladimir Putin.

OurMine is a hacking group that has a history of compromising high-profile tweeters, including Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta, Spotify CEO and founder Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey and Google CEO Sundar Pichai.

OurMine used its control of the video account to take responsibility for the faux message, saying that all was done in the name of good: “Message from OurMine: We detected unusual activity on the account and we re-hacked it to make sure if the account is hacked or not.” The group has been attempting to spin itself as a “security firm.”

However, researchers pointed out the danger of such actions:

“Hackers are realizing the power of social media over influential news sources like the New York Times, and are breaching accounts to try and essentially control or sway the news,” Michael Raggo, chief research scientist at ZeroFOX, told Infosecurity. “Twitter has become intertwined with our society and culture—with individuals turning to the platform to communicate, collaborate and stay informed on a global-scale. With that, if a hacker can overtake a credible profile and blast out provocative or false messages, it could trigger a knee-jerk public reaction impacting stock markets, threatening national security or even possibly sparking military tension.”

OurMine also confirmed that it was behind the hijacking of Sony Music’s Twitter account last month, when it tweeted a hoax about Britney Spears’ death.

The fake news and other tweets were quickly deleted: “We deleted a series of tweets published from this account earlier today without our authorization,” the Times said. “We are investigating the situation.”

Raggo noted that the Times should take a lesson from the incident: “Everyone in today’s always-connected society must be maintaining a high-level of security awareness, especially media companies, as they serve as news mouthpieces of our nation. Furthermore, as accounts continue to be hijacked, organizations need to enforce the same password policies as they do for the rest of their enterprise, in particular two-factor or two-step verification.”

Source: Information Security Magazine

Hamas Compromises Israeli Soldiers with Pretty Woman Gambit

The Israel Defense Force (IDF) has detailed an espionage campaign by Hamas operatives, who used social engineering to trick IDF soldiers into installing eavesdropping apps on their phones.

The gambit used one of the more classic social engineering techniques: Pretty ladies. IDF soldiers were targeted by Facebook friend requests purporting to be from attractive women. To sweeten the pot, these “ladies” sent multiple messages expressing their interest, along with photos—though the photos were cribbed from other, legitimate Facebook profiles.

After chatting enough to convince the soldier that she’s real, the person on the other end asks the soldier to video chat.

“But all the [existing video] apps he has won’t work for her—she needs him to download another one,” the IDF described in a blog. “She sends him a link to an app [in a third-party app] store called ‘apkpk.’ He downloads the app she requested. The app isn’t working, not for the soldier, at least. He tries to tell the pretty girl on the other end, but she won’t respond.”

The app is of course malware, which then sets about listening to phone conversations and more, sending them directly to Hamas.

“It can turn a mobile device into an open book—leaving contacts, location, apps, pictures, and files accessible to Hamas,” the IDF said. “What’s more, it can stream video from the camera and audio from the microphone.”

Hamas successfully infiltrated only a handful of phones before the attack was uncovered, but it’s worth noting that Facebook users—especially those that occupy sensitive positions or are in the armed forces—should be careful of what they allow to be shown publicly. Hamas found and targeted soldiers via public photos, tags and posts that revealed they were actively in IDF military service.

Other common sense protections work too:

“Turning off the GPS on your phone when it’s not in use can make yourself harder to track, and only clicking links from people you trust can help, too,” IDF said. “If anything looks fishy—like an email with an uncharacteristic subject line and an attachment you’re not expecting to receive—don’t download or click it. Don’t accept friend requests on social media from people you haven’t met, and don’t download any apps from sources you’re unfamiliar with.”

Source: Information Security Magazine

HummingWhale Breaches the Surface of Google Play

HummingWhale, a new variant of the HummingBad malware, has been found hiding in more than 20 apps on Google Play. It includes new, cutting-edge techniques that allow it to perform ad fraud better than ever before.

According to Check Point researchers, the infected apps were downloaded several million times by unsuspecting users before the Google Security team removed them from Google Play.

HummingWhale’s command and control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and runs as if it is a real device. This action generates the fake referrer ID, which the malware uses to generate revenues for the perpetrators.

HummingWhale also conducts further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users. HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it.

HummingBad was first discovered by Check Point last February, using a chain-attack tactic and a rootkit to gain full control over an infected device. China’s Yingmob was later identified as the group behind the campaign. Over the first half of 2016 it reached fourth place in ‘the most prevalent malware globally’ list, and dominated the mobile threat landscape with over 72% of attacks. In all, it affected over 10 million victims, rooting thousands of devices each day and generating at least $300,000 per month.

HummingWhale shares much DNA with the original HummingBad, including a 1.3MB, suspiciously large, encrypted file called ‘assets/group.png’ – a. The new samples of HummingWhale also match several other traits and identifiers seen in previous samples, such as registering to certain events and some identical strings in their code and certificates.

“It was probably only a matter of time before HummingBad evolved and made its way onto Google Play again,” said Check Point researchers, in a posting. “It allows the malware to install apps without gaining elevated permissions first, then disguises the malicious activity, which allows it to infiltrate Google Play. It also allows the malware to let go of its embedded rootkit since it can achieve the same effect even without it. It can install an infinite number of fraudulent apps without overloading the device.”

Source: Information Security Magazine

GCHQ Director Hannigan Announces Resignation

GCHQ director Robert Hannigan has resigned his position, citing personal reasons.

In a letter to the Foreign Secretary Boris Johnson, Hannigan mentioned that he was “proud of what we have achieved in those years, not least setting up the National Cyber Security Centre and building greater public understanding of our intelligence work”.

“After a good deal of thought I have decided that this is the right time to move on and to allow someone else to lead GCHQ through its next phase,” he said. “I am, like you, a great enthusiast for our history and I think it is right that a new Director should be firmly embedded by our centenary in 2019. I am very committed to GCHQ’s future and will of course be happy to stay in post until you have been able to appoint a successor.”

In particular, Hannigan said that the job had demanded “a great deal of my ever patient and understanding family”, and now was the right time for a change in direction. He took over in 2014 when GCHQ was in the wake of the Edward Snowden revelations on state-sponsored surveillance, where it was claimed that GCHQ was one of the Five Eyes collection of surveillance states.

His open letter thanked “the many Ministers I have served over the years, and to thank the Prime Minister and her three predecessors, for the opportunities I have been given”.

GCHQ said that there will be an internal competition within Government to identify candidates to succeed Mr Hannigan, for onward recommendation to the Foreign Secretary and the Prime Minister. In the meantime Hannigan and the board will continue to oversee all the department’s work.

In a letter back, Johnson thanked Hannigan for his service. “You have led the renewal of some of our most important national security capabilities, which we continue to depend on every day to save lives from terrorism and to protect our interests and values,” he said.

“You also set the groundwork for a major transformation of our cyber defenses, and put GCHQ on a path to meet the challenges of the future with your focus on technology and skills.”

Source: Information Security Magazine

Online Dating Fraud Hits Record High

The number of people defrauded in the UK by online dating scams reached a record high in 2016. 

As reported by the BBC, there were 3889 victims of so-called romance fraud last year, with those affected handing over a record £39 million, according to the National Fraud Intelligence Bureau.

These figures were up from 2824 reports of dating scams in 2013, with reported losses of £27,344,814; 3295 reports and losses of £32,259,381 in 2014 and 3363 with losses falling to £25,882,339 in 2015. However, both figures appear to have risen in 2016 to an all-time high.

Javvad Malik, security advocate at AlienVault, said that these findings aren’t surprising: alongside enticing people with money, employment or threats, love is a common vector cyber-criminals use to try to gain people’s trust and defraud them.

“The problem for many dating sites is that their model is built upon having as many active profiles as possible to attract new customers. So, it’s not in their business interest to be stringent in validating the authenticity of people signing up. In some cases, it has been reported that the dating site itself creates fake profiles in order to lure customers,” he added.

However, Malik said, legitimate sites need to add a layer of user validation, or some form of vetting that can deter fraudsters from setting up multiple fake profiles and spamming unsuspecting victims.

“Users should be wary at all times. Obviously, people go on dating sites in the hope of meeting someone. But don’t be fooled by a good-looking profile suddenly expressing an intense desire to become your soul mate. Look for signs such as them being abroad, vague with details, or always too busy to meet or speak on the phone.”

These were sentiments shared by Mark James, IT security specialist at ESET:

“Sadly the figures are not surprising at all, most criminals are not stupid, they often know just how to manipulate or pressure people into handing over their hard earned money. Generally we as humans want to trust others, when we are lonely and looking for love it can be easier to be fooled into thinking someone cares for us and are showing some honest affection.”

James argued that users need to understand that, when on the internet or dealing with others in a non-physical format, they should always at the very least question what they are doing and ask whether it sounds legitimate.

“If we do engage in sending money we have to treat it like gambling at the casino, decide on how much you can afford to lose and be prepared to do so, it may be the jackpot, and if it is then you can reap the rewards. Sadly in today’s world of scammers and deceivers it’s more than likely someone else trying to fleece you for all they can.”

Source: Information Security Magazine

GCHQ Launches New Cybersecurity Comp for Teen Girls

A new competition has been launched by GCHQ and the National Cyber Security Centre (NCSC) designed to encourage more teenage girls to consider a career in cybersecurity.

The CyberFirst Girls Competition will test the skills of 13 to 15-year-olds from across the UK, who’ll be asked to enter in teams of four, alongside a teacher to act as guardian and mentor.

The top 10 teams will be entered into a national final in London in March.

Prizes will be awarded to individual winners and their school will also be handed IT equipment to the value of £1000.

“I work alongside some truly brilliant women who help protect the UK from all manner of online threats,” said GCHQ director, Robert Hannigan, in a statement.

“The CyberFirst Girls Competition allows teams of young women a glimpse of this exciting world and provides a great opportunity to use new skills. My advice to all potential applicants would be enjoy the experience and I look forward to meeting some of you.”

CyberFirst is a relatively new initiative designed to equip secondary school-aged students with the tools and skills needed to stay safe online and open their eyes to a possible career in the industry.

Next month, it will launch a new program comprising free activity days and residential courses from Year 8 through to Year 13. There’ll also be the opportunity to apply for a CyberFirst Student Bursary of £4000 per year to study at university undergraduate level.

The UK certainly needs fresh blood.

This week, new data from global jobs site Indeed revealed that the UK has the second largest industry skills shortage in the world.

The number of cybersecurity job searches in the country amounted to just 31.6% of industry roles advertised. In comparison, the figure was 68.1% in Canada and 66.7% in the US.

Pre-registration for the CyberFirst Girls Competition has already opened and full registration will begin on 13 February.

Source: Information Security Magazine

Trump Security Advisers’ Passwords Publicly Available

Serious security concerns have been raised about the incoming Trump administration after it was revealed that 13 top staffers including the new cybersecurity advisor have had log-in credentials compromised in past data breaches.

Breaches at sites including Yahoo, LinkedIn, MySpace and others over the past four years have exposed the personal details of billions of global netizens.

According to Channel 4 News, the passwords used on such sites by the likes of cybersecurity advisor Rudy Giuliani, national security advisor Michael Flynn and others, including Trump’s head of social media, press secretary, chief trade negotiator, and secretaries of the interior and labor, are also publicly available.

If any of these staffers reuse their passwords across multiple accounts there’s a risk that highly sensitive government services could be accessed by determined hackers.

However, Channel 4 wasn’t able to verify if this was the case without breaking UK law by trying to access these accounts with the publicly available credentials.

Trump is apparently still boasting about how Republicans have better cybersecurity than their political opponents – well aware of the fact that the alleged Russian hackers that leaked damaging Democratic Party emails before the election also had information on senior GOP officials, but chose not to use it.

The irony, of course, is that Trump fought much of his campaign attacking his opponent Hillary Clinton’s use of private email for state department business, claiming she should be locked up for it.

“Breaches like these – and the associated list of simple passwords – underscore the need for two-factor authentication on sensitive accounts, such as the email accounts of public figures,” argued Tripwire CTO, Dwayne Melancon.

“Two-factor authentication, along with periodic password changes, greatly reduces the likelihood of a successful compromise even if someone gains access to your password. Two-factor authentication also mitigates much of the risk if someone re-uses a password.”

It’s still not clear how many federal systems use 2FA. There was a major implementation initiative following the massive OPM breach, which was made possible in part because contractors’ passwords were obtained by alleged Chinese hackers.

Source: Information Security Magazine

Four in Five Britons Fearful Trump Will Abuse their Data

More than three-quarters of Britons believe incoming US President Donald Trump will use his surveillance powers for personal gain, and a similar number want reassurances from the government that data collected by GCHQ will be safeguarded against such misuse.

These are the headline findings from a new Privacy International poll of over 1600 Brits on the day Trump is inaugurated as the 45th President of the most powerful nation on earth.

With that role comes sweeping surveillance powers – the extent of which was only revealed after NSA whistleblower Edward Snowden went public in 2013.

There are many now concerned that Trump, an eccentric reality TV star and gregarious property mogul, could abuse such powers for personal gain.

That’s what 78% of UK adults polled by Privacy International believe, and 54% said they had no trust that Trump would use surveillance for legitimate purposes.

Perhaps more important for those living in the United Kingdom is the extent of the information sharing partnership between the US and the UK.

Some 73% of respondents said they wanted the government to explain what safeguards exist to ensure any data swept up by their domestic secret services doesn’t end up being abused by the new US administration.

That fear has become even more marked since the passage of the Investigatory Powers Act or 'Snoopers’ Charter', which granted the British authorities unprecedented mass surveillance and hacking powers, as well as forcing ISPs to retain all web records for up to 12 months.

Privacy International claimed that although it has privately been presented with documents detailing the info sharing partnership between the two nations, Downing Street has so far refused to make the information public.

The rights group and nine others are currently appealing to the European Court of Human Rights to overturn a decision by the Investigatory Powers Tribunal (IPT) not to release information about the rules governing the US-UK agreement.

“UK and the US spies have enjoyed a cosy secret relationship for a long time, sharing sensitive intelligence data with each other, without parliament knowing anything about it, and without any public consent. Slowly, we’re learning more about the staggering scale of this cooperation and a dangerous lack of sufficient oversight,” argued Privacy International research officer, Edin Omanovic.

“Today, a new President will take charge of US intelligence agencies – a President whose appetite for surveillance powers and how they’re used put him at odds with British values, security, and its people… Given that our intelligence agencies are giving him unfettered access to massive troves of personal data, including potentially about British people, it is essential that the details behind all this are taken out of the shadows.”

Source: Information Security Magazine

Code Development Still not Seeing Security Involvement

Code development should have security built in from the start to avoid headaches further along the line, and tools and processes exist to make this possible.

Speaking at the Checkmarx “Shift Left” conference in central London, security researcher Troy Hunt said that it is hard to put numbers on security of code, and it is hard to look at code once it is written and determine if it is good or bad, but if it is bad, it “will cost so much to manage in future.”

Speaking on 'Software Security and Early Prevention of Vulnerable Code', Hunt said that it is educational to go through people’s software at a late stage, as you can “find entertaining vulnerabilities at this stage”.

He said: “It is insightful as often it is the expectation that no one does bad stuff to your software, and ‘no matter what, people screw it up for us’. If we think we use software used in the way it is designed and intended to be used, we are going to have a problem.”
 

Hunt created the character ‘Vlad’ who delivers the bad news about code flaws, and said that often bad news is delivered at the end of the process during testing, and often “security folks are sick of folks screwing it up.

“We have got to be better with the ‘standoffishness’ between developers and security people; we are all trying to achieve the same thing, and it is a bit of a problem,” he said.

“Businesses don’t understand the nuances of security and want the website to be live, but we know there are vulnerabilities and things may be exploited, so somewhere there has to be compromise, as we know there are risks and can fix them.”

Hunt acknowledged that it is easy to write bad code, and the end of the process is a “bad time to do security”, so he argued we need to move it to the start as that is where we should think about it and this should be an embedded concept.

“If we fix bugs earlier it will cost significantly less,” he said. Asked how that can be achieved, Hunt stressed the need for training, static code analysis and continuous integration. He also said that dynamic analysis is important, as nothing in isolation is better than another and all facets can work together.

“Dynamic analysis after release will find other interesting things; penetration testing is also very valuable and I am amazed at what good pentesters can do, as smart people do great things with complex software and you don’t want the Vlads of this world to do static analysis to find SQL flaws.”

Source: Information Security Magazine