Archive for March 2017

Poor Passwords, Cloud and Network Complexity Plague Orgs

An array of organizations remain vulnerable to brute force attacks, as attackers target default or easily guessed usernames and passwords to breach enterprise defenses.

That’s according to Ixia’s first annual security report, an overview of 2016’s biggest security events based on research from the company’s global Application and Threat Intelligence (ATI) Research Center. It shows that increasing complexity and attack surface expansion are being compounded by cloud and internet of things (IoT) growth, and that network segmentation is also a problem.

While increases in malware are clearly a major threat to both enterprises and service providers, network complexity is creating its own vulnerability, the report found. The average enterprise is using six different cloud services, and network segmentation is increasing, yet 54% of enterprises are monitoring less than half of those network segments, and less than 19% of companies believe that their IT teams are adequately trained on the wide array of network appliances they are managing.

“Organizations need to constantly monitor, test and shift security tactics to keep ahead of attackers in the fast-paced threat landscape we all deal with today. This is especially important as new cloud services and increased IoT devices are routinely being introduced,” said Marie Hattar, CMO at Ixia. “To do this effectively, organizations must start by studying their evolving attack surface and ensure they have the proper security expansion measures in place. Simple but effective testing and operational visibility can go a long way to improving security.”

Gaining access to accounts is often done the old-fashioned way—brute force guesses, starting with the most obvious. The top five username guesses were root, admin, ubnt, support and user; while the top five password guesses were null, ubnt, admin, 123456 and support (ubnt is the default username for AWS and other cloud service offerings that use Ubuntu). IoT was also a notable target, with “pi” for Raspberry Pi.
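Defenders can turn the report’s list of most-guessed usernames into a simple detection. The following Python script is an added example, not part of the article or of Ixia’s report: it parses OpenSSH “Failed password” syslog lines (the line format is real OpenSSH output; the sample lines, hostnames and IP addresses are constructed), counts failures per source address, and flags sources that either reach a failure threshold or try any of the usernames named above. The threshold value and the choice to flag even a single attempt against a default username are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Usernames the Ixia report lists as the most frequently guessed (plus "pi").
DEFAULT_USERNAMES = {"root", "admin", "ubnt", "support", "user", "pi"}

# OpenSSH "Failed password" syslog line. The optional "invalid user" prefix
# appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines):
    """Yield (source_ip, username) for every failed-login line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def find_bruteforce(lines, threshold=5):
    """Return {ip: {"attempts": n, "default_users": [...]}} for sources that
    reached `threshold` failures or tried any default username.
    `threshold` is an assumed value; tune it to your environment."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for ip, user in parse_failures(lines):
        attempts[ip] += 1
        users[ip].add(user)

    flagged = {}
    for ip, n in attempts.items():
        default_hits = sorted(users[ip] & DEFAULT_USERNAMES)
        if n >= threshold or default_hits:
            flagged[ip] = {"attempts": n, "default_users": default_hits}
    return flagged


# Constructed sample log (hostname, PIDs and addresses are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar 21 10:00:01 gw sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 21 10:00:02 gw sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 21 10:00:03 gw sshd[4121]: Failed password for invalid user ubnt from 203.0.113.7 port 51024 ssh2
Mar 21 10:00:04 gw sshd[4121]: Failed password for invalid user support from 203.0.113.7 port 51025 ssh2
Mar 21 10:00:05 gw sshd[4121]: Failed password for invalid user pi from 203.0.113.7 port 51026 ssh2
Mar 21 10:00:06 gw sshd[4121]: Failed password for invalid user user from 203.0.113.7 port 51027 ssh2
Mar 21 10:05:00 gw sshd[4130]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Mar 21 10:05:30 gw sshd[4131]: Accepted password for alice from 198.51.100.9 port 40011 ssh2
""".splitlines()


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins, "
              f"default usernames tried: {info['default_users']}")
```

Run against the sample, only 203.0.113.7 is reported (six failures, all against default usernames); alice’s single typo from 198.51.100.9 is not. In production, feed the function a tailed auth log and pair the hits with the obvious mitigations the report implies: no default accounts, no password authentication on exposed services, and rate limiting or lockout on the login path.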

Malware continued to dominate over 2016 but there were a few months—namely June, July, and August 2016—during which ransomware phishing appeared to have outpaced conventional malware phishing. The top five phishing target websites globally were Google, Paypal, Facebook, Microsoft, and Alibaba; while Adobe updates were found to be the most prevalent drive-by updates for delivering malware or phishing attacks.

Meanwhile, the report also found that the top exploited uniform resource identifier (URI) paths and content management systems included WordPress. WordPress URI paths were the two most exploited in 2016, showing how attackers are targeting sites built on the popular platform; WordPress was by far the most exploited content management system, with Joomla a distant second.

Source: Information Security Magazine

Necurs Botnet Returns with Get-Rich-Quick Spam

The Necurs botnet has seen a recent spike in activity, shifting its intent from malware distribution to penny stock pump-and-dump spamming.

According to Cisco Talos, over the past year Necurs has been used primarily for the distribution of Locky ransomware and Dridex. But after it mysteriously went offline earlier this year, Locky distribution declined significantly.

Now, “rather than distributing malware in the form of malicious attachments, it appears to have shifted back to messages,” said Cisco researchers Sean Baird, Edmund Brumaghin, Earl Carter and Jaeson Schultz, in an analysis. “This is not the first time that Necurs has been used to send high-volume pump-and-dump emails….This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet.”

Email campaigns associated with Locky and Dridex generally pose as transaction notifications, purporting to contain shipping notifications and ACH transaction notifications. Necurs’ new round of emails does not contain any malicious hyperlinks or attachments. Instead, they claim to be hot stock tips.

“It…claims that InCapta Inc ($INCT) is going to be bought out at $1.37 per share by DJI (a drone company) based on information purportedly obtained from colleagues at an M&A firm in Manhattan. The email explains that DJI is moving forward with the buyout,” Cisco explained. And it appears to be effective: the firm said that shares of InCapta, a mobile application development company, have seen a significant increase in trading volume.

This is a classic get-rich-quick scheme, with the messages going so far as to guarantee “massive returns.” The messages were sent in relatively high volumes, with tens of thousands seen just over the course of the morning on 20 March. The addresses being blocked spiked to over 150,000 during the course of two waves of the new campaign.

The takeaway? The attackers appear to be changing their methodologies as well as the strategies they use to monetize systems under their control. Interestingly, Cisco analysis also found that the same email addresses seem to be used in both Necurs’ malware distribution efforts and the spam campaign, “hinting at the fact that Necurs operators may use a shared database of email addresses even when clients request different services.”

This is not the first time this year that Necurs has been observed changing its spots. In February, Anubis Networks observed it taking a page from Mirai, and setting itself up to act as infrastructure for DDoS attacks. It was also seen loading a new module—indicating that it can add new capabilities at any time.

Source: Information Security Magazine

FBI Boss Dismisses Trump Wiretap Claims

FBI director James Comey has slapped down allegations from Donald Trump that former President Barack Obama wiretapped his 2016 campaign HQ, while confirming the Feds are investigating potential links between the Trump campaign and Moscow.

Appearing with NSA director, Mike Rogers in front of the House of Representatives Intelligence Committee yesterday, Comey was unequivocal.

“With respect to the president's tweets about alleged wiretapping directed at him by the prior administration, I have no information that supports those tweets,” he said.

The controversial FBI boss also confirmed for the first time that the authorities have been investigating links between the Trump campaign and the Kremlin since last July.

National security advisor Mike Flynn has already been forced to resign after lying about meetings with the Russian ambassador, and attorney general Jeff Sessions has also recently come under the spotlight for similar reasons.

Considering Comey has already publicly stated that he believes Russian President Putin wanted Trump to win the race for the White House last year, many will question why he didn’t disclose the investigation to the US public ahead of the election.

On the other hand, the former Republican party member was quick to intervene in the run-up to the election by announcing the bureau was to reopen its investigation into Hillary Clinton’s use of a private email server – before closing it again just two days before polling day.

Comey also warned at the committee hearing yesterday that Russian agents would attempt to influence the 2020 US presidential election and possibly the congressional elections next year.

John Bambenek, threat systems manager at Fidelis Cybersecurity, argued that while there’s little evidence to suggest Russian interference impacted the final vote count, “the real impact is the harm and destabilization we continue to bring upon ourselves.”

“A US that is consumed with bitter infighting and openly questions the legitimacy of its own institutions is dramatically less able to curtail Russia's geopolitical ambitions. That is exactly what they want,” he added.

Hank Thomas, COO at Strategic Cyber Ventures, argued that the recent election interference by the Kremlin – primarily by hacking and releasing damaging Democratic Party emails to aid Trump – is straight out of the Russian military information operations handbook.

“The level of access and the speed of maneuver that weak cybersecurity provides them is ripe for exploit. They want to move out as fast as they can while the hunting is easy and the potential to influence as many critical events as possible exists," he added. "They will in parallel attempt to gain and maintain persistent access on western networks of interest. Russian military doctrine has for years emphasized reinforcing success, even on the traditional kinetic battlefield. This is no different.”

Source: Information Security Magazine

Saks Fifth Avenue Privacy Snafu Exposed Customer Data Online

Luxury US department store Saks Fifth Avenue accidentally made public the personal details of tens of thousands of its online customers, exposing them to the risk of follow-on fraud and cyber-attacks.

Email addresses, names and some phone numbers were discovered in plain text on the store’s website, relating to customers who had signed up to waiting lists to buy products, according to BuzzFeed News.

It’s unclear how long they were publicly accessible for, but the store’s owner – Canada-based Hudson’s Bay Company – apparently took them offline when contacted.

A statement from the firm sought to play down the seriousness of the privacy snafu:

“We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”

Some of the exposed email accounts belonged to government employees, according to the report.

Javvad Malik, security advocate at AlienVault, argued that firms are primarily focused on protecting payment card and password data – although these credentials are relatively easy to replace.

“Personal, and personally identifiable information on the other hand isn’t so easy to change or replace once it is out in the wild. Therefore, it merits just as much, if not more protection than payment data or passwords,” he added.

“Criminals know the value of this and will go after companies, regardless of size or vertical. Therefore, all companies need to take the threats into consideration when dealing with sensitive information.”

Follow-on phishing, vishing and other fraud attempts are a common way to monetize such information.

As if that wasn’t enough, the report also revealed that the Saks website is not 100% HTTPS, meaning that man-in-the-middle snoopers could grab customer log-in-related information.

Source: Information Security Magazine

Cisco Issues Critical Advisory After Vault7 Disclosure

Cisco has issued a critical security advisory detailing a vulnerability affecting over 300 of its switch models, which it found after analyzing the “Vault7” release of CIA exploits.

The network giant explained on Friday that the flaw could allow a remote attacker to take control of an affected device.

The bug affects Cisco IOS and IOS XE software and exists in the Cluster Management Protocol (CMP), which typically uses Telnet for inter-cluster communications and commands.

Cisco explained it as follows:

“The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options.”

A remote attacker could therefore exploit the two-fold bug to execute arbitrary code, gaining full control over a device or causing it to reload.

The list of affected products is huge, covering 264 Catalyst switches, 51 industrial Ethernet switches, the Cisco RF Gateway 10, SM-X Layer 2/3 EtherSwitch Service Module and more.

There are no current workarounds for the flaw and Cisco is recommending affected users disable Telnet for incoming connections and instead use SSH.

“Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs),” it added.

The firm also recommended customers use its IOS Software Checker tool in order to determine their exposure to any IOS vulnerabilities.
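A quick way to measure exposure to the first of those mitigations is to audit the vty configuration in a running-config export. The following Python script is an added example, not Cisco’s IOS Software Checker or anything from the advisory: it parses the `line vty` blocks of an IOS configuration text, reports which blocks still accept Telnet via `transport input all` or `transport input telnet`, and records any inbound `access-class`. Both configuration samples are constructed. The `access-class` check is a per-line ACL that I added as a complementary control; it is not the interface-level infrastructure ACL (iACL) the advisory refers to, and a block with no `transport input` at all is reported as undetermined because the platform default should be verified by hand.

```python
import re


def parse_vty_blocks(config_text):
    """Split an IOS running-config into ('line vty X Y', [sub-commands]) tuples.
    Sub-commands are the indented lines that follow a 'line vty' header until
    the next top-level command, '!' or 'end'."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return blocks


def audit_vty(config_text):
    """Return one finding per vty block:
       telnet        True  -> Telnet accepted ('all' or 'telnet' listed)
                     False -> only non-Telnet transports (e.g. 'ssh', 'none')
                     None  -> no 'transport input' configured; platform default
                              applies and must be checked manually
       access_class  name of the inbound access-class, or None"""
    findings = []
    for name, cmds in parse_vty_blocks(config_text):
        telnet, access_class = None, None
        for cmd in cmds:
            if cmd.startswith("transport input"):
                protocols = set(cmd.split()[2:])
                telnet = bool(protocols & {"all", "telnet"})
            m = re.match(r"access-class (\S+) in$", cmd)
            if m:
                access_class = m.group(1)
        findings.append({"line": name, "telnet": telnet, "access_class": access_class})
    return findings


def telnet_closed(config_text):
    """True only when every vty block explicitly refuses Telnet."""
    findings = audit_vty(config_text)
    return bool(findings) and all(f["telnet"] is False for f in findings)


# Constructed "before" configuration: Telnet reachable on every vty line.
WEAK_CONFIG = """\
hostname core-sw1
!
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""

# Constructed "after" configuration: SSH only, and a standard ACL limiting
# which source network may open a management session at all.
HARDENED_CONFIG = """\
hostname core-sw1
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 login local
 access-class MGMT-ONLY in
 transport input ssh
line vty 5 15
 login local
 access-class MGMT-ONLY in
 transport input ssh
!
end
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: telnet closed = {telnet_closed(cfg)}")
        for f in audit_vty(cfg):
            print(f"  {f['line']}: telnet={f['telnet']} access-class={f['access_class']}")
```

The script reads the configuration as text, so it can be pointed at archived `show running-config` output from a configuration management system rather than at live devices. Note that it only assesses the vty-level mitigation; it says nothing about whether the affected IOS build has been patched, which is what Cisco’s IOS Software Checker is for.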

It will be releasing security updates to fix the issue but there’s no further information on when.

The bug was discovered after Cisco analyzed info released by WikiLeaks relating to a trove of CIA-developed zero-day exploits, dubbed “Vault7”.

If true, it means the agency might have been actively exploiting the vulnerability to attack and/or monitor targets.

WikiLeaks founder Julian Assange claimed last weekend that certain tech firms affected by the leak are dragging their heels over co-operation with the non-profit because of a conflict of interest with their government clients.

Source: Information Security Magazine

WikiLeaks Says Tech Firms Slow to Co-operate on Patching

WikiLeaks founder Julian Assange has claimed that some US tech giants affected by the recent “Vault7” leak of CIA exploits have been slow to co-operate because of a conflict of interest with their government work.

The whistleblower site made public a treasure trove of info on vulnerabilities developed by the agency to hack products and services from the likes of Microsoft, Google, Apple, WhatsApp and Cisco, as well as many non-US firms.

Although they shone a light on shady intelligence practices, the leaks have also given black hat hackers a gold mine of info which could help them craft their own cyber-attacks against innocent users.

WikiLeaks’ editor-in-chief noted in an update over the weekend that Mozilla and others had “exchanged letters” with the non-profit and received technical details on some of the vulnerabilities – which were not made public in the initial release.

However, he claimed: “Google and some other companies have yet to respond other than to confirm receipt of our initial approach.”

Assange added that most of these “lagging companies” have a conflict of interest because they carry out sensitive work with US government agencies.

He added:

“In practice such associations limit industry staff with US security clearances from fixing holes based on leaked information from the CIA. Should such companies choose to not secure their users against CIA or NSA attacks users may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts.”

Assange signed off by warning that if such firms continue to “drag their feet”, WikiLeaks will compile and publish a league table ranking their responsiveness and “government entanglements” for users.

The organization is thought to be keen on holding the affected companies to a 90-day disclosure deadline, in the manner of Google’s own Project Zero initiative.

One organization affected by the leaks, Cisco, has already released an advisory on Friday for a bug affecting over 300 switch models.

Source: Information Security Magazine

Star Trek Ransomware Demands Monero Payments

Security researchers have discovered a new Star Trek-themed ransomware variant requesting the use of crypto-currency platform Monero for payment.

Flagged on Twitter by Avast reverse engineer, Jakub Kroustek, the Python-based ransomware has no reported victims thus far, according to Bleeping Computer.

However, given that there’s apparently no known way to decrypt it at present, it probably won’t be long before this changes.

It masquerades as the popular stress testing app Low Orbit Ion Cannon, targeting over 600 file types with RSA 4096-bit encryption.

Affected files will be renamed with the “.kirked” suffix.

“No crafty detection evasion is employed. It generates a single AES key for use in encrypting all files, which is encrypted with the public key and written to disk,” explained Webroot reverse engineer, Eric Klonowski.

“Files are encrypted with AES in CBC mode, are prepended with the file size and IV in plaintext, and are padded out to 16 bytes with spaces. The malware relies on the common PyCrypto libraries for all encryption.”

Interestingly it’s one of the first documented ransomware types to demand payment in Monero – of around $1000 – rather than the more popular Bitcoin.

On payment, the ransomware authors promise to send an appropriately named “Spock” decryptor.

“The Kirk malware demonstrates that ransomware crypto can be effectively implemented in a few lines of code with relatively few weaknesses,” explained Klonowski.

The discovery is yet another sign of the growing diversity of ransomware variants and proof that the malware is still popular among the black hat community as a way to make a quick buck.

However, according to a recent 2017 predictions report from Trend Micro, this year will likely see more cyber-criminals turn to Business Email Compromise and other techniques in a bid to generate greater profits from their endeavors.

Source: Information Security Magazine

Pwn2Own 2017 Sets Record on Day 2

Pwn2Own, the annual hacking contest sponsored by the Zero Day Initiative (ZDI) and Trend Micro, has set a record for successful exploits, logging 17 entries with 11 successful attempts.

The record came on the second day of the event, which is celebrating its 10-year anniversary. In total, contestants were awarded $340,000 and 97 Master of Pwn points for the day’s unique research.

According to Trend Micro’s results blog post, Track A focused on Adobe and Microsoft products and resulted in the successful exploits of Adobe Flash, Microsoft Edge and Microsoft Windows. ZDI awarded $220,000 and 60 Master of Pwn points to Track A contestants.

Additionally, contestants on Track B looked at Mozilla and Apple products. The teams competing were able to successfully exploit Apple Safari and Mozilla Firefox, resulting in $120,000 and 37 Master of Pwn Points.

On Day 1, contestants were awarded $233,000 and 45 points for Master of Pwn, with five successful attempts (and 20 different bugs in the successful exploits), one partial success, two failures and two entries withdrawn.

This year’s contest features the largest ever amount of prize money up for grabs, with more than $1 million up for the taking. This year's event features 11 teams of contestants targeting products across five categories—30 different attempts in total. Each contestant has three attempts within their allotted timeslot to demonstrate the exploit. The categories are: Virtual Machine Escape (Guest-to-Host); Local Escalation of Privilege; Web Browser and Plugins; Enterprise Applications and Server Side.

Source: Information Security Magazine

PoS Breach Hits High-End Eateries Across the US

The latest victim of a credit card/point-of-sale technology breach is Select Restaurants, the owner of several special-occasion eateries across the US.

According to its website (on which Google has placed a “this site may be hacked” warning label), Select’s stable of food joints includes Boston’s Top of the Hub; Parker’s Lighthouse in Long Beach, Calif.; the Rusty Scupper in Baltimore, Md.; Parkers Blue Ash Tavern in Cincinnati; Parkers’ Restaurant & Bar in Downers Grove, Ill.; Winberie’s Restaurant & Bar with locations in Oak Park, Ill. and Princeton and Summit, New Jersey; and Black Powder Tavern in Valley Forge, Pa.

According to Brian Krebs, the likely vector for the hack is Select’s PoS vendor, which is called 24×7 Hospitality Technology. Having obtained a copy of a letter that 24×7 Hospitality CEO Todd Baker sent to Select, Krebs reported that the company said that hackers had access to all of Select’s PoS systems from late October 2016 to mid-January 2017.

Indeed, the letter confirms that hackers had access to all of 24×7 customers’ payment systems—which would include those at 200 Buffalo Wild Wings locations across the country.

The systems, the letter said, were hacked by a “sophisticated network intrusion through a remote access application.”

“PoS malware can strike in a number of ways,” said John Christly, Global CISO, Netsurion, a provider of managed security services for multi-location businesses, via email. “Simple phishing emails can prompt internal personnel to accidentally open malicious links and attachments, resulting in malware on the network and connected devices. It can also involve hackers spreading malicious code by breaching the remote-access services designed to maintain the payment processing systems. These remote-access services can be poorly configured with guessable passwords, enabling the hackers to break in and distribute the malware to hundreds or thousands of PoS machines.”

24×7 said the attackers subsequently executed the PoSeidon malware variant, “which is designed to siphon card data when cashiers swipe credit cards at an infected cash register,” Krebs noted. He added, “Given how much risk and responsibility for protecting against these types of hacking incidents is spread so thinly across the entire industry, it’s little wonder that organized crime gangs have been picking off POS providers for Tier 3 and Tier 4 merchants with PoSeidon en masse in recent years.”

Select has yet to comment on the situation, and so far, nothing is known about the potential effect on restaurant patrons, including the number of compromised cards.

Christly noted that in today’s threat landscape, a typical firewall can no longer be set up once and left to run without consistent monitoring, tweaking and ensuring that the data coming from it is correlated with other systems.

“Some of these breaches may look like normal web traffic coming out of the firewall, and other attacks can even seem like legitimate DNS traffic, which may pass right by the typical unmanaged firewall,” he explained. “It takes a different approach to stop some of these advanced attacks, and many products and service providers simply do not have the ability to stop them before they do real damage.”

Restaurants looking to protect themselves at the highest level should implement the following, he added: File integrity monitoring (to tell you when files have changed that weren’t supposed to change); unified threat management appliances (used to integrate security features such as firewall, gateway antivirus and intrusion detection); security information and event management (used to centrally collect, store and analyze log data and other data from various systems to provide a single point of view from which to be alerted to potential issues); and next-generation endpoint security solutions (used to stop attacks on the endpoint computers and servers before they can wreak havoc on other systems).

Source: Information Security Magazine

63% of Orgs Use Cloud, IoT Without Proper Security

A full 63% of enterprises are using cloud, big data, internet of things (IoT) and container environments without securing sensitive data.

According to the 2017 Thales Data Threat Report, 93% of respondents will use sensitive data in an advanced technology environment (defined as cloud, software as a service or SaaS, big data, IoT and containers) this year—and a majority of those respondents (63%) believe their organizations are deploying these technologies ahead of having appropriate data security solutions in place.

Interestingly though, while concerns about data security in cloud environments remain high, they’ve dropped off since last year. In 2016, 70% of respondents voiced worries about security breaches from attacks targeting cloud service providers (CSPs); in 2017, 59% expressed fears about this. That makes it still the No 1 concern, but by a far smaller margin than just a year ago.

The second biggest concern, cited by 57% of respondents, is "shared infrastructure vulnerabilities", followed by "lack of control over the location of data" (55%). On the SaaS side, 57% of respondents report they are leveraging sensitive data in SaaS environments – up from 53% in 2016. When it comes to SaaS insecurities, respondents are most fearful about online storage (60%), online backup (56%), and online accounting (54%).

“Most major cloud providers have larger staffs of highly trained security professionals than any enterprise, and their scalability and redundancy can provide protection from the kinds of DDoS attacks that can plague on-premises workloads,” said Garrett Bekker, principal analyst for information security at 451 Research. “Perhaps as a result of the recognition of these public cloud security realities, security concerns overall for public cloud are waning.”

Big data is a big topic of conversation—so it might be unsurprising to learn that 47% of respondents are using sensitive data in big data environments. When it comes to security here, respondents cite their top fear as "sensitive data everywhere" (46%), followed by "security of reports" (44%) and "privileged user access" (36%).

IoT adoption is even higher, with 85% of respondents taking advantage of IoT technology and 31% using sensitive data within IoT environments. Despite IoT’s popularity, and despite the personal or critical nature of many IoT tools (medical and fitness devices; video cameras and security systems; power meters), only 32% of respondents report being ‘very concerned’ about their data. When pressed about their top fears, 36% of respondents cited "protecting the sensitive data IoT generates", followed by "identifying sensitive data" (30%) and "privacy concerns" (25%).

Meanwhile, although less than five years old, container environments have proven exceptionally popular. Eighty-seven percent of respondents have plans to use containers this year, with 40% already in production deployment. But similar to the emerging IoT environment (and owing to their relative immaturity), there remains a lack of enterprise-grade security controls in most container environments. Security is cited as the number one barrier to container adoption by 47%, followed by ‘unauthorized container access’ (43%), "malware spread between containers" (39%), and "privacy violations resulting from shared resources" (36%).

The report also found that while advanced technologies show great promise and business benefits, they are relatively young and in some cases, untested. Understanding this risk, respondents are gravitating towards a proven security control—encryption. According to the report, 60% of respondents would increase their cloud deployments if CSPs offered data encryption in the cloud with enterprise key control. Data encryption (56%) and digital birth certificates with encryption technology (55%) are also listed as the two most popular security options for IoT deployments. Rounding out the list is containers, with 54% of respondents citing encryption as the number one security control necessary for increasing container adoption.

Organizations interested in both taking advantage of advanced technologies and keeping data secure should strongly consider deploying security tool sets that offer services-based deployments, platforms and automation; discovering and classifying the location of sensitive data within cloud, SaaS, big data, IoT and container environments; and leveraging encryption and bring your own key (BYOK) technologies for all advanced technologies, the report recommended.

“The digital world we live in, which encompasses everything from cloud to big data and the IoT, demands an evolution of IT security measures,” said Peter Galvin, VP of strategy, Thales e-Security. “The traditional methods aren’t robust enough to combat today’s complicated threat landscape. Fortunately, adopters of advanced technologies are getting the message—as evidenced by the number of respondents expressing an interest in or embracing encryption. Putting an ‘encrypt everything’ strategy into practice will go a very long way towards protecting these powerful, yet vulnerable, environments.”

Source: Information Security Magazine