
Archive for January 2017

Severe Flaw in Samsung SmartCam Allows Remote Hijack


Security researchers have found a severe vulnerability that could allow hackers to hijack a Samsung SmartCam, according to a report.

According to researchers calling themselves the "Exploiteers," the PHP files that provide firmware updates via the camera's "iWatch" webcam monitoring service contain a command injection bug. It can be triggered remotely by an unprivileged user, meaning that anyone who can reach the camera's IP address can exploit the device.

Samsung's SmartCam was first compromised through a series of vulnerabilities by the Exploiteers at the DEF CON 22 security conference in August 2014, in a way that allowed remote code execution on the camera and let them change the administrator's password. Samsung addressed this by removing the camera's accessible web interface and shifting access to Samsung's SmartCloud website instead.

However, the fact that the web server itself remained in place opened the door to this second exploit, which the group demonstrates in a YouTube video.

“In the case of the Samsung SmartCam, the vendor attempted to resolve past security issues within the product's web server by removing the web page content, instead of the web server,” said Deral Heiland, research lead at Rapid7. “The best practice solution is, if a service is not being used, it should be disabled.”

Heiland added, “This is yet another interesting example of commonly identified web vulnerabilities being found on embedded IoT devices. Historically, we are accustomed to seeing such web vulnerabilities in e-commerce websites, and we are getting better at preventing them. Yet we quickly forget about the growing number of embedded IoT appliances that contain web servers for the purpose of management and configuration.”

The exploit comes as more and more IoT devices are enslaved to botnets like Mirai.

“As consumers, we should avoid exposing any IoT products we own directly to the internet,” Heiland said. “This will help avoid being compromised and potentially being part of the next Mirai botnet. Also, we must remember to keep our products patched with the latest firmware.”

Photo © wwwebmaster 

Source: Information Security Magazine

Data Breaches Increase 40% in 2016


There has been a 40% increase in data breaches compared to one year ago—even though from a headline perspective, 2015 seemed to be a bigger year for mega-breaches.

A report from CyberScout and the Identity Theft Resource Center on publicly reported breaches found a total of 1,093 incidents in 2016, up from 780 in 2015 and a new record for reported numbers. That said, changes in state breach notification laws made more incidents public than ever before.

The report shows that 52% of data breaches exposed Social Security numbers, an increase of 8.2% over 2015 figures; but only 13% of data breaches exposed credit card or debit card information—a decrease of 7.4% from 2015.

The spike in SSN exposures is in clear alignment with the surge of CEO spear phishing attacks, which target this type of information. These efforts, also known as business email compromise schemes, led to the exposure of highly sensitive data, typically information required for state and federal tax filings. As early as February, the IRS had already seen a 400% surge in this type of activity, prompting both consumer and industry alerts addressing the issue.

Overall, hacking/skimming/phishing attacks were the leading cause of data breach incidents for the eighth year in a row, accounting for 55.5% of the overall number of breaches. That’s an increase of 17.7% over 2015 figures.

The business sector again topped the list in the number of data breach incidents, with 494 reported, representing 45.2% of the overall number of breaches. The medical industry overall reported 377 incidents, accounting for 34.5% of them. The education sector had 98, representing 9%, the government/military (72) came in at 6.6% and the banking/credit/financial sector (52) at 4.8%.

Breaches involving accidental email/internet exposure of information were the second most common type of breach incident at 9.2% of the overall number of breaches, followed by employee error at 8.7%. With the exception of hacking, all other categories reflected decreases from 2015 figures.

“For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks,” said Matt Cullina, CEO of CyberScout and vice chair of ITRC’s Board of Directors. “With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data. In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution.”

Photo © cherezoff

Source: Information Security Magazine

A Third of Consumers Watch Pirated Content


Consumers are showing little aversion to watching pirated content: While 69% of US consumers said that streaming or downloading pirated video content is illegal, 32% of them said they watch it anyway.

A new survey by Irdeto, conducted online by YouGov, also found that a slightly higher percentage—74%—of respondents think that producing or sharing content is illegal (as opposed to simply watching it).

When consumers watch pirated video content such as movies, TV series or live sports, it results in content creators losing money that would be dedicated toward future video content, while also typically benefiting criminal organizations. Yet many consumers are nonetheless eager to pirate content to seek out the programming they desire.

When told that pirated video content can result in studios losing money, meaning they cannot invest in creating content, 39% of consumers said that this knowledge has no effect on the amount of pirated video content they want to watch.

And, only 19% of respondents said that the financial damage caused by piracy would stop them from watching pirated content altogether. However, many consumers do fully understand the negative impact piracy has on the content creation business.

“The negative impact that piracy has on the content creation industry extends much further than lost revenue,” said Lawrence Low, vice president of business development and sales, Irdeto. “Piracy deters content creators from investing in new content, impacting the creative process and providing consumers with less choice. It is becoming increasingly important for operators and movie studios to educate consumers on the tactics employed by pirates and to further promote innovative offerings that allow consumers to legally acquire content.”

In regards to the most popular pirated content, the survey found an even split between consumers who prefer to pirate movies and TV shows. About a quarter (24%) of consumers who watch pirated content are most interested in watching TV series. An additional 24% of respondents are most interested in pirated movies that are currently showing in theaters. The survey also found that consumers are interested in pirating DVD and Blu-ray movies (18%), live sports (10%) and OTT original content from Netflix, Hulu, iTunes and others (9%).

“Education on the impact of piracy to consumers is an important element of an anti-piracy strategy,” said Rory O’Connor, vice president of services, Irdeto. “It is important for content owners to educate themselves on the three elements of consumer choice when selecting a service: content, value and convenience. To avoid pirates stealing market share, content owners and operators need to make sure they are implementing a comprehensive, 360-degree anti-piracy strategy that includes watermarking, detection and enforcement.”

Photo © Scanrail 1

Source: Information Security Magazine

UK Orgs: Less Than Half 'Fully Aware' of GDPR, Malware Top Security Concern


Security and traffic visibility solution companies LogRhythm, ForeScout and Gigamon have joined forces to carry out jointly-commissioned research assessing the current state of play regarding UK cyber-readiness, the biggest threats to business security and C-level concerns.

Of the 2,000 IT professionals the firms quizzed in the survey, fewer than half (47%) said their UK business was fully aware of the EU General Data Protection Regulation (GDPR), despite the pending regulation being widely publicized. Furthermore, only 40% were fully aware of the NIS Directive, which, like the GDPR, comes into effect in 2018, and only a third of businesses felt they were currently prepared to meet both regulations.

Speaking at a press roundtable in London this week, Ross Brewer, vice-president and managing director EMEA at LogRhythm, said that the GDPR represents a “massive shift” in the security regulation landscape, arguing that “boards really need to get a handle on this topic because it’s going to catch them out.”

“With fines of up to 4% of their global turnover at stake, businesses simply cannot afford to take the ‘wait and see’ approach,” he added.

In terms of the biggest security concerns looming over companies, 42% said that malware was the number one worry; more than a third noted stolen credentials as the main threat whilst 27% opted for web vulnerabilities. What’s more, 80% of respondents said their confidential data may be vulnerable to attack with 44% admitting to suffering a breach, three-quarters of those losing sensitive data as a result.

“There’s been a fundamental shift in the industry in the last decade,” explained Brewer, “which is the fact that we’ve built these environments on a prevention-centric security strategy on the basis that we can build a perimeter, protect our assets and these people [cyber-criminals] aren’t going to get into our infrastructure and they won’t have access to our assets, so we’re going to be okay. Clearly, that’s been proven the world over to be a fallible strategy. It’s no longer ‘if’ we’ll get hacked, it’s when we’ll get hacked and how quickly can we identify and recover from it.”

When it comes to visibility across the entire network, a resounding 96% of those polled believed this to be an important part of defending company data. However, almost three-quarters also admitted that they need to improve their detection, prevention and response capabilities.

ForeScout’s VP of sales Myles Bary, also speaking at the roundtable, said that now is the time that businesses need to reduce their security risks by having better visibility of devices when they connect to the network.

“In every organization that we see, there are more devices attached to the network than they thought they had,” he warned. “We’re able to give them the actual data points that they have 30% more devices [for example] attached to the network than they thought they had; we’ve even had organizations with up to 60% more devices, which is pretty horrific if you consider that they are there to know exactly what is on their network, and they just don’t know.”

Finally, the research revealed that there is a growing demand from businesses for better collaboration amongst security vendors. Just over half of the organizations polled use more than five security suppliers, with 82% wanting security vendors to offer more complementary – as opposed to competing – products and work together more effectively to fight hackers.

“Too many businesses are struggling to fight today’s ever-determined hackers, which means security vendors need to make sure they are fighting smarter, together,” argued Trevor Dearing, marketing director EMEA at Gigamon. “The problem for many businesses is that they don’t know where to start, subsequently picking ad-hoc solutions that fail to integrate. But that integration is critical to detecting, isolating and eliminating threats before any damage has been done.

“It’s our responsibility, as leaders in our field, to join forces so that they can maximize their data and investments as much as possible. After all, the cyber-criminals are increasingly pooling resources and working collaboratively – so why shouldn’t we?”

Source: Information Security Magazine

ONS: Nearly Two Million Annual Cybercrime Incidents


There were nearly two million cybercrime incidents in the UK in the year ending September 2016, and a similar number related to online fraud, according to the latest official Office for National Statistics (ONS) report.

The ONS cautioned that its Crime Survey for England and Wales included only “Experimental Statistics” for fraud and cybercrime, with questions specific to these elements included in the report for the past 12 months.

This means the stats are still in the “testing phase”; however, they represent a decent snapshot of the current level of these crimes in the UK.

Specifically, the ONS survey revealed 1.97 million cybercrime incidents, the vast majority of which were related to the category of "computer virus" (1.3m), with the remainder featuring "unauthorized access to personal info" (667,000).

As a result, there were almost 1.6 million victims of these crimes – aged 16 or over – in the report period.

As for fraud, there were 3.6 million incidents and 2.9 million victims in total, with the majority (53%) coming via online channels.

However, the extent of cyber fraud varied by offence, with 75% of “non-investment frauds” indicated by victims to have involved the use of the internet, versus less than half (45%) of bank and credit account fraud.

Sundeep Tengur, financial crimes specialist at analytics firm SAS, argued that fraud affects businesses of all sizes.

“In light of recent and ongoing regulatory focus around securing electronic payments, mitigating cyber threats and improving data governance, businesses are being urged by policy-makers to do more to protect their customers from the scourge of fraud,” he added.

“Regardless of how Brexit shapes the UK legal and regulatory framework going forward, the fight against fraud and financial crime is bound to grow at an unrelenting pace.”

An ONS report in October 2015 claimed to have recorded 2.5 million cybercrime incidents over the previous 12 months, although that figure was estimated on a “large scale field trial” between May and August, so is not suitable for comparison with the latest stats.

Source: Information Security Magazine

Obama Commutes Chelsea Manning's Sentence


President Obama has commuted the sentence of Chelsea Manning, the transgender former US Army intelligence analyst who was serving 35 years in prison for leaking state secrets.

On the eve of the inauguration of the deeply polarizing President-elect Donald Trump, Obama overrode his secretary of defense and issued an order that will allow Manning to walk free. The move does not pardon her however, and she remains convicted of her crimes, which include stealing and disseminating 750,000 pages of documents and videos to WikiLeaks.

Manning was handed a 35-year sentence in 2013 on a host of charges, including communicating national defense information to an unauthorized source, following a courtroom confession made when she was still Pfc. Bradley Manning.

Manning admitted that in 2009 and 2010 she (then he) smuggled out several SD cards holding reams of classified information, including the contents of Significant Actions files, or SigActs, which detail military actions on the ground in both Iraq and Afghanistan. Manning said in the confession that her motivations for leaking US secrets involved human rights and opposition to the way the wars were carried out.

The documents she leaked included more than 250,000 diplomatic cables, in addition to hundreds of thousands of other confidential documents. These however were not classified as “top secret,” and Manning is seen as a whistleblower by her supporters.

Many have expressed deep dismay at the commutation, including those high up in the Pentagon, according to reports. Outgoing Defense Secretary Ash Carter, as well as top US Army leaders, recommended against President Obama commuting the bulk of Chelsea Manning’s sentence, a senior defense official told Fox News.

And, Sen. Tom Cotton, Republican of Arkansas and a member of the Senate Armed Services Committee—said that "we ought not treat a traitor like a martyr."

"I am very surprised," the Arkansas Republican, an Army veteran who served in both Iraq and Afghanistan, told Jake Tapper on CNN. "Chelsea Manning pleaded guilty to very serious crimes leaking highly classified information that put at risk the lives of our troops and our diplomats, our intelligence officers—allies who helped us around the world.”

As to the charge of being a traitor, it should be noted that Manning was never convicted on the most serious charge that she faced: aiding the enemy, which would qualify as treason and would have carried a life sentence.

Supporters, which include the ACLU, Amnesty International and digital rights group Fight for the Future, said that the commutation is an act of human mercy, as Manning has faced what they characterize as cruel and unusual punishment in prison.

In 2015 for instance, a military court found her guilty of four charges, which included possession of LGBTQ reading material like the Caitlyn Jenner issue of Vanity Fair, and having a tube of expired toothpaste in her cell. For that, she received 21 days of recreational restrictions, excluding her from time in the gym, library and outdoors.

Manning said at the time that she had done nothing to warrant the hearing other than speak out on the treatment of prisoners and her struggle as a trans woman behind bars. She also said that the whole thing started when she complained that military correctional staff denied her access to the prison legal library. During the closed disciplinary hearing, Manning was required to present her own defense; the ACLU said that she had been denied an attorney as punishment for unruly behavior.

In June 2016, Manning attempted to take her own life. A prison disciplinary board subsequently found her guilty of “conduct which threatens” because of it, along with a charge of prohibited property for possessing an unmarked copy of Hacker, Hoaxer, Whistleblower, Spy, by Gabriella Coleman. She received seven days of solitary confinement.

The punishment and treatment of Manning also has been held up in juxtaposition with that of General David Petraeus, who leaked secrets that were in fact classified as top secret to his ghostwriter and mistress, and, the FBI alleged, to outside reporters. For that, he received only probation and a fine of $100,000.

As a result of what many see as inhumane, unfair and outsized treatment, the drumbeat for clemency has gotten louder and louder. Over the course of her imprisonment, more than 100,000 people signed an official Whitehouse.gov petition, meeting the threshold to require a response from the President. Hundreds of thousands also have signed previous petitions organized by Fight for the Future and other groups decrying her treatment while in prison. The ACLU and more than a dozen prominent LGBT organizations sent a letter to President Obama calling for her commutation, Amnesty International sent a letter to President Obama, and supporters sent over 25,000 emails to the White House. Human Rights Watch also sent a letter to President Obama supporting clemency.

“Chelsea’s release is [a] massive victory for free speech, human rights and democracy,” said Evan Greer, campaign director of Fight for the Future. “As someone who has become friends with Chelsea over the last year, but has never had a chance to see her face or give her a hug, I'm overjoyed that she will be able to share her beautiful self with the world. She has so much to offer, and her freedom will be a testament to the power of grassroots organizing. I’m so excited for the world to get to know her as the compassionate, intelligent and kind person who she is.”

Photo © LEE SNIDER PHOTO IMAGES 

Source: Information Security Magazine

New Mac Malware Uses Ancient Code to Spy on Biotech Firms


A Mac-based espionage malware that Apple calls “Fruitfly” is making the rounds, targeting biomedical research facilities.

Malwarebytes, which recently spotted the bug, said that the malware specializes in screen captures and webcam access, and can also determine screen size and mouse cursor position, change the mouse position, and simulate mouse clicks and key presses in a kind of rudimentary remote control functionality.

Malwarebytes also observed the malware downloading a Perl script that can be used to build a map of all the other devices on the local network, recording for each device its IPv6 and IPv4 addresses, its name on the network and the port in use. The malware also appears to attempt connections to those devices.
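The network-mapping behaviour above is the kind of traffic an administrator can spot in flow records: one host touching many internal neighbours, IPv4 and IPv6, in a short window. The following is an added example, not Malwarebytes' tooling, that scores constructed flow records for exactly that pattern; the record shape, the internal address ranges, the window length and the peer-count threshold are all assumptions.

```python
"""Spot a host sweeping the local network, the behaviour of the downloaded mapping script.

Added example over constructed flow records (timestamp, src, dst, dst_port); the
record shape, the internal ranges and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; the mapper enumerates both IPv4 and IPv6 neighbours.
INTERNAL_NETS = [ip_network("192.168.10.0/24"), ip_network("fd00::/8")]
WINDOW_S = 60          # assumed: sliding window length in seconds
DISTINCT_PEERS = 8     # assumed: distinct internal peers in one window that count as a sweep

BASE = datetime(2017, 1, 18, 14, 30, 0)
SWEEPER = "192.168.10.44"   # the constructed "infected Mac"

# Constructed flows. A normal workstation talks to a file server, DNS and the internet.
FLOWS = [
    (BASE, "192.168.10.12", "192.168.10.5", 445),
    (BASE + timedelta(seconds=4), "192.168.10.12", "192.168.10.7", 53),
    (BASE + timedelta(seconds=9), "192.168.10.12", "93.184.216.34", 443),
    (BASE + timedelta(seconds=40), "192.168.10.12", "192.168.10.5", 445),
]
# The sweeper probes every neighbour in the /24, then an IPv6 host, inside a minute.
FLOWS += [(BASE + timedelta(seconds=2 * i), SWEEPER, f"192.168.10.{i}", 22) for i in range(1, 25)]
FLOWS.append((BASE + timedelta(seconds=50), SWEEPER, "fd00::10", 22))


def is_internal(addr):
    """True if addr falls in one of the assumed internal ranges (either IP version)."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_sweeps(flows, window_s=WINDOW_S, threshold=DISTINCT_PEERS):
    """Return {src: peak distinct internal peers in any window} for sources over threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, _dport in flows:
        if is_internal(dst) and dst != src:
            by_src[src].append((ts, dst))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        peak = 0
        for i, (t0, _) in enumerate(hits):
            # distinct peers contacted within window_s of this record
            peers = {dst for ts, dst in hits[i:] if (ts - t0).total_seconds() <= window_s}
            peak = max(peak, len(peers))
        if peak >= threshold:
            findings[src] = peak
    return findings


if __name__ == "__main__":
    print(find_sweeps(FLOWS))   # only the sweeper is reported
```

The workstation peaks at two distinct internal peers and is never reported; the sweeper reaches 25 within one window. Vulnerability scanners, monitoring hosts and backup servers legitimately behave this way, so in practice the source list is baselined before alerts are raised.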

“Although [there is] no evidence at this point linking this malware to a specific group, the fact that it's been seen specifically at biomedical research institutions seems like it could be the result of exactly that kind of espionage…at the heart of stories about Chinese and Russian hackers targeting and stealing US and European scientific research,” the firm noted in an analysis.

This is the first new Mac malware of 2017, discovered after an IT administrator spotted some strange outgoing network traffic from a particular Mac. Malwarebytes noted that the code is unlike anything its researchers have seen before.

Thomas Reed, director of Mac Offerings at Malwarebytes, told Infosecurity that the code uses an odd mixture of perl, Java and native Mac binaries all in one file. This, plus the extreme age of some of the code, is “very unique,” he said.

The research team found that the malware was extremely simplistic on the surface, consisting of only two files and some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. The binary also includes the open source libjpeg code, which was last updated in 1998.

“We shouldn't take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don't know the Mac very well and were relying on old documentation. It could also be that they're using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”

Accordingly, Malwarebytes is calling the malware “Quimitchin” instead of Fruitfly, after the Aztec spies who would infiltrate other tribes.

“Given the 'ancient' code, we thought the name fitting,” the analysis noted.

And while the malware could go back years, it had not been discovered until now. That’s likely because it’s being used in very tightly targeted attacks, limiting its exposure.

“This appears to be a tightly targeted attack on a specific group. This reinforces my belief that future Mac threats will not be widespread,” Reed told us. “Apple tends to crush any widespread malware very quickly, as in the case of the KeRanger ransomware. In order for malware to be successful on the Mac, it must be stealthy and avoid attracting attention. The only way to do that is to tightly control who gets infected, by choosing to infect only selected victims. Such malware can be very hard to spot.”

Apple said it would release updates soon to protect against future infections. Researchers are still not sure exactly how this malware gets onto the system, but the usual advice almost certainly applies: beware of phishing attacks, and avoid downloading anything from unknown sites. Once infected though, Reed said it’s easy to remove with standard AV software.

Photo © science photo

Source: Information Security Magazine

(ISC)² Names New Board Members


(ISC)² has announced the newly elected officers for its board of directors.

The 13-member board provides governance and oversight for the organization, grants certifications to qualifying candidates, and enforces adherence to the (ISC)² Code of Ethics.

Effective January 14, the following individuals assumed board officer positions:

  • Chairperson:  Wim Remes, CISSP (Belgium)
  • Vice Chairperson:  Jennifer Minella, CISSP (USA)
  • Treasurer:  Allison Miller, CISSP (USA)
  • Secretary:  Dr. Kevin Charest, CISSP, HCISPP (USA)

“I would like to express my sincere gratitude to the outgoing board officers for all of their efforts to strengthen (ISC)² and for their ongoing commitment to advancing the profession,” said (ISC)² CEO David Shearer. “I also thank Greg Mazzone, Richard Nealon, Howard Schmidt and Freddy Tan, whose board terms ended in December, for their many contributions. I look forward to working with the new officers over the next year as they help us advance the organization.”

Members of the (ISC)² Board of Directors are elected each year from among the organization’s global membership. The board is comprised of (ISC)²-certified volunteers who are industry leaders from around the globe representing business, government and academia. 

Source: Information Security Magazine

Carbanak Uses Google for C&C Comms


The infamous Russian Carbanak cybercrime gang has begun using various Google services for its command and control (C&C) communications, enabling it to hide in plain sight, according to Forcepoint.

The cybersecurity firm recently investigated a weaponized RTF document which, when opened, uses social engineering to trick the recipient into clicking on an envelope image to “unlock the contents.”

However, doing so brings up a dialog box asking if the user then wants to open the file unprotected.vbe.

If they do that, then VBScript malware typical of the Carbanak group will execute.

However, Forcepoint also discovered a new 'ggldr' script module encoded inside the main VBScript file, capable of utilizing Google services for its C&C comms.

“The ‘ggldr’ script will send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services. For each infected user, a unique Google Sheets spreadsheet is dynamically created in order to manage each victim,” explained senior security researcher, Nick Griffin.

“The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.”

As such, the ploy represents a much better chance of success than registering random new domains, or domains with no reputation, he argued.
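Because the traffic goes to domains nobody blocks, the detection opportunity is the timing rather than the destination: a script polling Apps Script, Sheets or Forms endpoints does so on a schedule, while a person editing a spreadsheet does not. The following is an added example over constructed proxy log lines, not Forcepoint's detection logic; the log format, host names, script IDs and thresholds are assumptions.

```python
"""Flag hosts that beacon to Google Apps Script, Sheets or Forms at regular intervals.

Added example over constructed proxy log lines; the log format, field names and
thresholds are assumptions, not Forcepoint's detection logic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<timestamp> <src_host> <method> <dest_host> <path>".
# ws-17 polls an Apps Script endpoint about once a minute; ws-03 is a person
# editing a spreadsheet; ws-22 touches a script once.
PROXY_LOG = """\
2017-01-17T09:00:00 ws-17 GET script.google.com /macros/s/AKfy_example/exec
2017-01-17T09:00:01 ws-03 GET docs.google.com /spreadsheets/d/1abc_example/edit
2017-01-17T09:00:09 ws-03 POST docs.google.com /spreadsheets/d/1abc_example/edit
2017-01-17T09:00:30 ws-03 GET www.google.com /search
2017-01-17T09:01:01 ws-17 GET script.google.com /macros/s/AKfy_example/exec
2017-01-17T09:01:59 ws-17 POST docs.google.com /forms/d/e/1FAI_example/formResponse
2017-01-17T09:02:40 ws-03 GET docs.google.com /spreadsheets/d/1abc_example/edit
2017-01-17T09:03:00 ws-17 GET script.google.com /macros/s/AKfy_example/exec
2017-01-17T09:04:02 ws-17 GET script.google.com /macros/s/AKfy_example/exec
2017-01-17T09:04:59 ws-17 GET script.google.com /macros/s/AKfy_example/exec
2017-01-17T09:05:30 ws-22 GET script.google.com /macros/s/AKfy_other/exec
2017-01-17T09:06:00 ws-17 GET script.google.com /macros/s/AKfy_example/exec
2017-01-17T09:13:15 ws-03 GET docs.google.com /spreadsheets/d/1abc_example/edit
2017-01-17T09:13:20 ws-03 GET docs.google.com /spreadsheets/d/1abc_example/edit
"""

# The Google surfaces the 'ggldr' module is reported to use, keyed by host.
GOOGLE_APP_SURFACES = {
    "script.google.com": ("/macros/",),
    "docs.google.com": ("/spreadsheets/", "/forms/"),
}
MIN_HITS = 5        # assumed: fewer requests than this is not a pattern
MAX_JITTER = 0.15   # assumed: pstdev/mean of inter-request gaps; scripted polling is regular


def parse_log(text):
    """Parse constructed log lines into (timestamp, src_host, dest_host, path)."""
    events = []
    for line in text.splitlines():
        ts, host, _method, dest, path = line.split()
        events.append((datetime.fromisoformat(ts), host, dest, path))
    return events


def is_google_app_surface(dest, path):
    """True if the request targets one of the Apps Script / Sheets / Forms paths."""
    prefixes = GOOGLE_APP_SURFACES.get(dest, ())
    return path.startswith(prefixes) if prefixes else False


def find_beacons(events, min_hits=MIN_HITS, max_jitter=MAX_JITTER):
    """Return {src_host: summary} for hosts whose Google app traffic looks machine-timed."""
    times_by_host = defaultdict(list)
    for ts, host, dest, path in events:
        if is_google_app_surface(dest, path):
            times_by_host[host].append(ts)
    findings = {}
    for host, times in times_by_host.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter:
            findings[host] = {"hits": len(times), "period_s": round(period), "jitter": round(jitter, 3)}
    return findings


if __name__ == "__main__":
    for host, summary in find_beacons(parse_log(PROXY_LOG)).items():
        print(host, summary)
```

Only ws-17 is reported, with a 60-second period and about 3% jitter; ws-03 has enough requests but its gaps are human-shaped, and ws-22 never reaches the minimum count. Legitimate automation built on Apps Script will trip this too, so the flagged hosts are checked against a list of known integrations before anyone is paged.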

Forcepoint has notified Google and is working with the web giant on this particular abuse of its services.

But the trend of using legitimate web services to hide C&C communications is increasingly widespread.

Just last year, researchers discovered an Android botnet that uses Twitter instead of traditional C&C servers.

Carbanak has been around since at least 2013, when it was found using advanced APT techniques to steal up to $1 billion from 100 banks worldwide over a two-year period.

In March last year it reappeared with an apparent focus on the Middle East, Europe and the US.

Source: Information Security Magazine

Amnesty: Snoopers’ Charter Violates Basic Human Rights


Amnesty International has launched another broadside on the UK government, claiming that when it comes into force the Investigatory Powers Act (IPA) could have “devastating consequences” for human rights.

The colloquially titled ‘Snoopers’ Charter’ was criticized during its passage through parliament by rights groups, technology and legal experts, three separate committees and even former NSA technical director, William Binney – all of whom the government and most opposition parties ignored.

Binney argued that the mass surveillance powers it enshrines are actually self-defeating for the security services, as there is simply too much information to sift through – meaning some terror suspects slip through the net.

Even the UN’s privacy tsar warned that the bill violated the basic human right to privacy and EU law.

His claims were partially substantiated after the European Court of Justice (CJEU) ruled in December that the forerunner of the IPA, known as DRIPA, was effectively illegal.

Amnesty argued that the law’s highly intrusive bulk surveillance and hacking powers are “lacking any requirement for individualized, reasonable suspicion” and as such violate basic human rights.

In its new report, Dangerously Disproportionate: The Ever-Expanding National Security State in Europe, it argued:

“All powers under the new law – both targeted and mass – will generally be authorized by a government minister after review by a quasi-judicial body composed of members appointed by the Prime Minister. This raises serious concern that the Act lacks provision for an independent authorization and oversight mechanism. Warrants would generally be issued by the Secretary of State (i.e. the Minister responsible for the security services), on a range of vague grounds such as the ‘interests of national security’ or the ‘economic well-being of the United Kingdom’.”

What’s more, judicial commissioners will not be able to fully assess the merits of applications for warrants, and in some cases will not be required to do so at all if the authorities decide the matter is urgent.

The security services can also add the names of people, places and organizations to warrants without the need for further review, Amnesty explained.

It’s also been argued that forcing ISPs to collect and store the web browsing records of the entire populace is a cybersecurity disaster waiting to happen if hackers get their hands on the data – which could prove to be a goldmine for extortionists.

Rafael Laguna, CEO of Open-Xchange, welcomed the report.

“The Snoopers’ Charter grants excessive powers to a government which has not consulted the tech community or considered the ramifications of bulk data collection,” he argued. “Without independent judicial oversight and warrants, these bulk data collection powers are the tools of a dictatorship.”

Source: Information Security Magazine