Archive for February 2017

Experts Protest Plans to Grab Social Passwords at US Border

Nearly 150 rights groups and tech, security and law experts have signed an open letter condemning comments from the US Homeland Security secretary earlier this month that border control officers may require travellers’ social media log-ins as a condition of entry to the country.

John Kelly told a House Homeland Security Committee that his department is currently considering the plans, claiming that those who don’t co-operate won’t be allowed to come to the US.

Since late 2016, there has been an optional policy to disclose access to social media accounts at the border, but these plans would take that to a whole new level.

The groups, which include the American Civil Liberties Union, Human Rights Watch and the Electronic Frontier Foundation, argued in the letter that such a move would fail to increase national security and be a “direct assault on fundamental rights.”

It added:

“This proposal would enable border officials to invade people’s privacy by examining years of private emails, texts, and messages. It would expose travelers and everyone in their social networks, including potentially millions of U.S. citizens, to excessive, unjustified scrutiny. And it would discourage people from using online services or taking their devices with them while travelling, and would discourage travel for business, tourism, and journalism.”

The proposal would also set a precedent which could see foreign governments around the world follow suit, undermining the civil liberties of American travellers and compromising cybersecurity as well as goodwill with other nations.

“The first rule of online security is simple: Do not share your passwords. No government agency should undermine security, privacy, and other rights with a blanket policy of demanding passwords from individuals,” the group argued.

In the meantime, there have been reports that some travellers are being detained by border officials and pressured into providing access to their mobile devices.

Oregon senator Ron Wyden has written a letter to Kelly, claiming he will introduce legislation soon to guarantee that “the Fourth Amendment is respected at the border by requiring officers to obtain a warrant before searching devices.”

He argued that not only does the practice violate privacy and civil liberties, but it could also “needlessly divert agency resources away from those who truly threaten our nation.”

Source: Information Security Magazine

#TEISS: The Jigsaw Effect – How Hackers Groom Your Staff

Speaking at The European Information Security Summit in central London, Tim Wilson, CISO at Optum International, shone a light on how cyber-criminals piece together partial sources of information to construct an individual’s identity and form the basis of an attack, which he referred to as the ‘Jigsaw Effect’.

Wilson reflected on how this technique has been used in real life and just how damaging it can be, citing the example of a large breach on healthcare company Anthem in January 2015, in which some 78 million health and personal records were affected.

“In that breach, the FBI believed there was the use of the ‘Jigsaw Effect’ to identify a member of staff to carry out a spear phishing attack. What we do know is that it was a state sponsored attack to remove as many records as possible.”

Wilson explained that the whole planning for this attack started back in February 2014, and that one member of staff was targeted via their professional and social media presence on the internet – a random jigsaw of information spread out all over the place.

“The member of staff concerned,” he continued, “was on a professional networking site, but they were also on a dating site, and also on Facebook. They were sharing lots of information about themselves in lots of different places, and somebody, somewhere, found this information and made them a target.”

His point here was that our actions on the internet, mainly our social networking activity, can put both us as individuals and our organization at risk.

So how can you protect yourself? Wilson said it comes down to having a better understanding of your own privacy when posting personal information on the internet, and taking practical steps to protect it. In an ideal world this would be the responsibility of the networking service providers, but for now the onus is on us as individuals to vet how much information we are sharing and where.

“You need to treat your online security in the same way you treat your real, physical security,” he concluded.

Source: Information Security Magazine

FBI in the Dock Over iPhone Hack Details

Three media groups have gone to the courts to try and force the FBI into disclosing who helped it to hack the iPhone of San Bernardino shooter Syed Farook, and how much it cost the taxpayer.

Associated Press, Vice Media and USA Today parent company Gannett have filed with the US District Court in Washington, claiming there’s “no adequate justification” for the FBI withholding the information.

The agency released a small amount of information on the case last month, although key parts were redacted as it claimed divulging any more could allow black hats to develop “countermeasures” against its work. The news groups claim the FBI is using national security to weasel out of its Freedom of Information Act commitments.

“Release of this information goes to the very heart of the Freedom of Information Act's purpose, allowing the public to assess government activity – here, the decision to pay public funds to an outside entity in possession of a tool that can compromise the digital security of millions of Americans,” lawyers argued, according to the BBC.

The Feds sought outside help to crack the phone of the San Bernardino shooter after failing to get Apple to comply with a heavy-handed court order.

At the time, Apple rightly argued that if it engineered a backdoor to circumvent the phone’s built-in security – including an auto-erase after 10 incorrect guesses and a millisecond delay to neuter brute force attempts – it would set a dangerous precedent and could fall into the wrong hands.

It’s widely believed that the FBI paid in excess of $1 million to an outside group, possibly infamous Israeli firm Cellebrite, to help it crack the iPhone.

Ironically, Cellebrite itself was recently hacked, highlighting the danger of the authorities sanctioning the creation of technology backdoors, which can then quite easily fall into the wrong hands.

Source: Information Security Magazine

#TEISS: How to Make Cybersec Awareness Training Stick

Speaking at The European Information Security Summit in central London, Professor Angela Sasse, professor of human-centred technology and director, UK Research Institute in Science of Cyber Security at UCL, discussed the changes companies need to make to get cybersecurity awareness training to resonate better with their employees.

In her session ‘HOW TO: Design a training programme that works with the way people naturally behave’, Sasse said that there is “something that’s a bit rotten at the core” of security awareness, and it’s the assumption that “people are at fault” for security problems.

“The temptation is there that in the mind of a technology person making changes to technology is immediately expensive, and then say ‘surely doing a bit of training is cheap in comparison’ – but it’s not if you’re not really getting any changes or results,” Sasse explained.

There is a need to clean up security awareness training, she added, but it cannot be done in a haphazard way.

“In most organizations today, awareness training is just background noise. This stuff is being pushed at people but it’s going past them and they are not engaging with it and not changing as a result.”

A key part of Sasse’s message was that changing security behavior requires a big effort; there’s a process you need to guide users through until their behavior becomes natural to them, and the most important element of that is engagement.

“If you want to change people’s behavior the first thing we need to do is stop this one-way communication where we blast things at people and engage – and I mean really engage. You need to really work with your people and embark on having ongoing conversations with them about what the threats are out there.

“We will change people mostly by getting them to engage with one another. In discourse within organizations, security often doesn’t feature at all, and if it does it’s often in a negative way and people are complaining about it. That’s what we want to change – we want people to talk about security, discuss the risks, but help each other out. The more people talk about security to each other, the better things will become.”

To conclude, Sasse highlighted four important steps organizations need to take to make these changes and improve their security awareness training for the better:

1. Security hygiene: make it easy for people to do the right thing
2. Authoritative, trustworthy instructions: single source, unified terminology
3. Target: who needs to change what
4. Engagement: socialising security events, games, etc.

Source: Information Security Magazine

Yahoo and Verizon Agree $350m Price Reduction

Yahoo and Verizon have finally agreed new terms in a deal which will see $350 million (£281m) cut from the original asking price for the internet pioneer.

Verizon, which bought AOL in 2015 for $4.4 billion, will now pay a similar amount – $4.48 billion – for Yahoo.

It will also “share certain legal and regulatory liabilities” stemming from the two massive data breaches disclosed by Yahoo last year which compromised an estimated 1.5 billion accounts.

Specifically, Verizon will pay half of any liabilities related to “non-SEC government investigations and third-party litigation” but Yahoo will have to foot the entire bill for shareholder lawsuits and SEC investigations.

“We have always believed this acquisition makes strategic sense. We look forward to moving ahead expeditiously so that we can quickly welcome Yahoo’s tremendous talent and assets into our expanding portfolio in the digital advertising space,” said Marni Walden, Verizon president of product innovation and new businesses.

“The amended terms of the agreement provide a fair and favorable outcome for shareholders. It provides protections for both sides and delivers a clear path to close the transaction in the second quarter.”

The huge price cut should serve as a cautionary tale for businesses on the importance of maintaining a strong cybersecurity posture and good visibility into network activity.

Matt Middleton-Leal, CyberArk vice president for the UK, Ireland and Northern Europe, claimed the fallout from the deal should cement cybersecurity as a board-level issue.

“In discussions we’ve had among our customers’ senior leadership, it’s absolutely possible to put in place a proactive framework to prioritize risk mitigation around known vulnerabilities to stop attackers early in the process, protect valuable data and maintain brand integrity,” he added.

“We hope this business outcome will have a ripple effect among other global organizations – the more the industry shares and collaborates on effective cybersecurity strategies, the more effective we’ll be in combating a common enemy.”

Source: Information Security Magazine

Stealthy Cybercrime Group Targets Russian Businesses

A cybercrime group called RTM has been discovered relentlessly targeting businesses in Russia and neighboring countries using small campaigns aimed at funneling cash out.

This group, active since at least 2015, uses malware written in Delphi to spy on its victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system. It can then upload files from the compromised system to its command and control (C&C) server.

The group also alters accounting software files that contain bulk transfer details in order to execute fraudulent payment orders.

It also has a fingerprinting module to find systems on which specialized accounting software is installed. In particular, the group is looking for signs of popular accounting software called 1C: Enterprise 8, which is used by businesses to make bulk transfers via remote banking systems (RBSes).

“While inspecting RTM bot’s network communications, we saw that they were requesting one specific file created by 1C: Enterprise 8,” explained ESET, in a white paper. “This file…contains bulk transfer details and is used as an intermediary step in RBSes to execute payment orders. By altering this text file, the criminals can make monetary gains off it by, for example, modifying the recipient account details.”

This problem was severe enough to warrant an advisory from FinCERT, the Russian CERT responsible for fighting cybercrime targeting Russian financial institutions. It warned potential victims in late 2016 that criminals were going after 1c_to_kl.txt export files.

This specific attack vector was also used by at least one other group: Buhtrap.

“For a long time now, groups like Corkow and Buhtrap have been specifically targeting business RBS users,” ESET researchers noted. “These groups use complex backdoors and custom tools to steal from their corporate victims. RTM is another manifestation of this trend, where specialized criminals are mounting targeted attacks against financial institutions’ clients to maximize their financial gains.”

Lately, other groups have been using similar tactics targeting businesses in other parts of the world. In fact, last summer, MELANI, a Swiss reporting and analysis center for information assurance, issued a newsletter warning companies against hacker groups using the Dridex malware to target offline payment software.

“While we have not seen RTM activities outside of Russia and its neighbors, it would not come as a surprise to see them target other countries in the world,” the researchers noted.
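The fraud described above works because the exported bulk-transfer file sits unprotected on disk between the accounting software writing it and the remote banking client reading it. One defensive control is to seal the file at export time and refuse the upload if the seal no longer matches, which is what the following added example shows. It is illustrative code written for this page, not ESET’s or 1C’s; the key name, the key=value layout of the sample file and the account numbers are all constructed placeholders and do not reproduce the real 1c_to_kl.txt format.

```python
import hashlib
import hmac
import json
from typing import List, Tuple

# Hypothetical shared secret known to the export step and the upload gate.
# Constructed for this example; a real deployment would fetch it from a key
# store on a host the malware cannot reach, never embed it as a literal.
SEAL_KEY = b"constructed-demo-key-not-for-production"

# Constructed stand-in for an exported bulk-transfer file. The key=value lines
# are illustrative only and do not follow the real 1c_to_kl.txt layout.
EXPORT_AT_EXPORT_TIME = (
    "DocumentType=PaymentOrder\n"
    "Number=17\n"
    "Amount=125000.00\n"
    "RecipientAccount=40702810900000001111\n"
    "RecipientName=Supplier LLC\n"
)

# The same file after the recipient details were swapped, as the article
# describes, before the remote banking client picked it up (constructed).
EXPORT_AT_UPLOAD_TIME = EXPORT_AT_EXPORT_TIME.replace(
    "RecipientAccount=40702810900000001111",
    "RecipientAccount=40702810900000009999",
).replace("RecipientName=Supplier LLC", "RecipientName=Mule Trading")


def seal_export(content: str, key: bytes = SEAL_KEY) -> str:
    """Produce a seal (HMAC-SHA256 over the file text) at export time.

    Stored apart from the file, the seal cannot be recomputed by anything
    that can edit the text file but does not hold the key."""
    tag = hmac.new(key, content.encode("utf-8"), hashlib.sha256).hexdigest()
    return json.dumps({"alg": "HMAC-SHA256", "tag": tag})


def verify_export(content: str, seal: str, key: bytes = SEAL_KEY) -> bool:
    """Check the file presented for upload against the export-time seal."""
    expected = json.loads(seal)["tag"]
    actual = hmac.new(key, content.encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(expected, actual)


def changed_lines(original: str, current: str) -> List[Tuple[int, str, str]]:
    """Report (line number, old, new) for every line that differs, so the
    analyst triaging a failed seal check sees exactly what was altered."""
    diffs = []
    orig_lines = original.splitlines()
    cur_lines = current.splitlines()
    for i in range(max(len(orig_lines), len(cur_lines))):
        o = orig_lines[i] if i < len(orig_lines) else ""
        c = cur_lines[i] if i < len(cur_lines) else ""
        if o != c:
            diffs.append((i + 1, o, c))
    return diffs


def gate_upload(content: str, seal: str, snapshot: str) -> dict:
    """Decision point before the file is handed to the remote banking system.

    `snapshot` is a trusted copy kept only for reporting; the allow/deny
    decision rests on the seal, not on the snapshot."""
    if verify_export(content, seal):
        return {"allow": True, "changes": []}
    return {"allow": False, "changes": changed_lines(snapshot, content)}


if __name__ == "__main__":
    seal = seal_export(EXPORT_AT_EXPORT_TIME)
    print(gate_upload(EXPORT_AT_EXPORT_TIME, seal, EXPORT_AT_EXPORT_TIME))
    print(gate_upload(EXPORT_AT_UPLOAD_TIME, seal, EXPORT_AT_EXPORT_TIME))
```

The control only helps if the seal and key live somewhere the compromised workstation cannot rewrite them, for example on the host that performs the upload or on a separate signing service; if both file and seal sit in the same user profile, malware with upload capability can replace both together. A plain SHA-256 stored beside the file gives no protection for the same reason, which is why the seal is keyed.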

Source: Information Security Magazine

Ransomware Doubles Since July

The percentage of ransomware attacks doubled during the period July to December 2016, to account for 10.5% of all recognized malware attacks during that time.

According to Check Point’s H2 2016 Global Threat Intelligence Trends report, the Locky ransomware was the most common type, accounting for 41% of all ransomware attacks. The report also found that Locky was the No. 5 malware overall (accounting for 4.3% of attacks). Locky started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip file attachment, which then downloads and installs the malware that encrypts the user’s files.

Cryptowall was the No. 2 ransomware (27%). It started as a Cryptolocker doppelgänger but eventually surpassed it, and after the takedown of Cryptolocker it became one of the most prominent ransomware families to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymity network. It is widely distributed via exploit kits, malvertising and phishing campaigns.

Cerber was the third-most common ransomware (23%), and represents the world’s biggest ransomware-as-a-service scheme. Cerber is a franchise scheme, with its developer recruiting affiliates who spread the malware for a cut of the profits.

Beyond ransomware, the Conficker worm was the most common (14.5% of all malware attacks), continuing its reign at No. 1. It allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.

Sality was the next-most common (6.1%), a virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.

The Cutwail botnet came in at No. 3 (4.6%). Cutwail is mostly involved in sending spam emails, as well as some DDoS attacks. Once installed, the bots connect directly to the C&C server and receive instructions about the emails they should send. After they are done with their task, the bots report exact statistics about their operation back to the spammer.

Hummingbad was the leading mobile malware, representing 60% of all attacks between July and December.

Source: Information Security Magazine

Hacker That Tried to Frame Krebs for Heroin Goes to Jail

A Dark Web bigwig who tried to frame security researcher Brian Krebs for heroin trafficking back in 2013 is going to jail for 41 months.

The 31-year-old hacker, variously known as Sergey Vovnenko, Sergey Vovnencko, Tomas Rimkis, Flycracker, Flyck, Fly, Centurion, MUXACC1, Stranier and Darklife, most recently of Naples, Italy, was arrested on June 13, 2014, following an international investigation led by the US Secret Service in coordination with Italian law enforcement. He had been detained by the Italian authorities pending the resolution of extradition proceedings, which he contested for more than 15 months.

From September 2010 through August 2012, Vovnenko, the administrator of two criminal online hacking forums, operated with his conspirators an international criminal organization devoted to stealing user names and passwords for bank accounts and other online services, as well as debit- and credit-card numbers and related personal identifying information.

Vovnenko admitted that, in order to steal the data, he operated a botnet consisting of more than 13,000 computers. He also said that he used the widespread Zeus banking trojan to steal financial information and record the keystrokes of the users of infected computers, a number of which were located in New Jersey.

According to the indictment, Vovnenko was a high-level administrator of several online criminal forums and used his position to traffic in the data he stole as part of the conspiracy. These forums featured electronic bulletin boards for criminal activity, including the purchase, sale, and use of stolen log-in credentials and payment card data, as well as discussions related to cybercrime activity such as malicious computer hacking.

In the Krebs incident, Vovnenko purchased heroin, had it mailed to Krebs’ home, and then spoofed a phone call from one of Krebs’ neighbors alerting the local police. Krebs, though, had already infiltrated the forum, and was able to monitor the scam in real time and alert local police well in advance of the delivery.

The plot, under the heading “Krebs Fund,” involved creating a bitcoin wallet for the exclusive purpose of accepting donations from other members. The goal was to purchase heroin in Krebs’ name and address from a seller on the Silk Road criminal marketplace.

The hacker posted at the time: “Guys, it became known recently that Brian Krebs is a heroin addict and he desperately needs the smack, so we have started the ‘Helping Brian Fund,’ and shortly we will create a bitcoin wallet called ‘Drugs for Krebs’, which we will use to buy him the purest heroin on the Silk Road. My friends, his withdrawal is very bad, let’s join forces to help the guy! We will save Brian from the acute heroin withdrawal and the world will get slightly better!”

Such antics are now beyond Vovnenko’s purview. He has been sentenced to jail time, three years of supervised release and restitution in the amount of $83,368.

Source: Information Security Magazine

#TEISS17: Achieve Cyber Resilience With Your People

Cybercrime, regulation, the Internet of Things (IoT) and the people factor are the four most common problem areas for security professionals.

Speaking at The European Information Security Summit in central London, Steve Durbin, managing director of the Information Security Forum, highlighted these four well-covered areas and in particular the human factor. He said we are at a stage where users are accustomed to using their own devices to access corporate systems and do online shopping, having internet access wherever they go, and carrying smartphones or tablets into the workplace, taking them home and connecting them to the TV screen. “But we have not thought to change the password on the router,” he said.

“If we can get that right, we can switch from people being the weakest to strongest link in the chain.”

Referring to the attitude of the business to cybersecurity issues, Durbin said: “If you mention to a business leader a problem from the 1980s, they will ask ‘why haven’t you fixed it?’” However, he said that a breach has “a very long tail”, and post-breach investigation, forensics and business changes require time and energy, and this concerns boards.

Durbin also mentioned the concept of cyber fatigue, and that boards will ask why basic issues have not been fixed. To address this, he recommended regularly measuring investments so you understand the investments you are making in security, and come up with a cyber-risk model for your business.

He argued: “This is the real nub of where we are going from a security standpoint. Align risk with the direction the business is moving in, and put in place appropriate guides and engage broadly across the business. Establish something like the ISF Cyber Resilience Framework; you also need board-level sponsorship and to engage with business and people you do not usually associate with the cyber resilience team – PR, legal, HR – as [a breach] has implications on process and your security standpoint, as they are experts in their area.

“Assess the ability to respond and assess how to adjust from past, present and future not just for your business, but with other businesses. Cyber is still not perceived as being a competitive advantage; there is a willingness to share information across business, and once you have done that you can put together a cyber-response.”

Source: Information Security Magazine

#TEISS17: National Cyber Strategy and Centre Need Industry Embrace

Speaking at The European Information Security Summit in central London on the UK’s cybersecurity strategy, James Snook, deputy director of the Office for Cyber Security and Information Assurance, said that the launch of the five year strategy recognized that “cyber is a big deal for this government.”

Snook acknowledged that the “cyber landscape is too complex for government” but said its announcements around the strategy will allow companies to engage with government. “We cannot create technology experts overnight, so NCSC has been placed as a part of GCHQ to attract deep technical expertise and we opened it to be accessible for everyone who wants to work with it,” he added.

“The center is there to be the single authority of cybersecurity in the government and understand the threat level. It will manage risk and incident management capability as we worked on it with CERT UK, and also I hope organizations see this as an opportunity to put staff in there and work with it. This is the most significant part of strategy.”

The NCSC, which was opened last week by the Queen, will enable better DNS filtering, dealing with what Snook called the “nuisance attacks” that “can be avoided by following simple best practice”, working with industry to block malicious websites hosting malicious code and getting rid of the threat before it reaches the target.

“We will focus our resources on the APT and sophisticated attacks, and trial this internally in government to make sure it works, as the government is a massive target for attacks,” he said.

He concluded by saying that there is an incentive to increase the number of skilled professionals, as the UK “has masses of potential and more than we are exploiting”, but small-to-medium enterprises are struggling and the return on investment for venture capitalists is potentially greater in the UK than in the USA, so collaboration is needed.

Source: Information Security Magazine