
Archive for May 2017

Gmail Embraces Machine Learning

Google has rolled out new security features for Gmail customers, including early phishing detection using machine learning, click-time warnings for malicious links and unintended external reply warnings.

The new machine learning models in Gmail are based on a dedicated service that selectively delays messages (less than 0.05% of messages on average) to perform rigorous phishing analysis and further protect user data from compromise. This helps block spam and phishing messages from showing up in the inbox with over 99.9% accuracy, according to Andy Wen, senior product manager for Counter Abuse Technology at Gmail.

“This is huge, given that 50 to 70% of messages that Gmail receives are spam,” he said.

The detection models also integrate with Google Safe Browsing’s machine learning technologies for finding and flagging “phishy” and suspicious URLs, and then combine a variety of techniques (such as reputation and similarity analysis on URLs), allowing Gmail to generate new URL click-time warnings for phishing and malware links.

“As we find new patterns, our models adapt more quickly than manual systems ever could, and get better with time,” Wen said.

On the warnings front, Gmail for Work now displays unintended external reply warnings to users to help prevent data loss. For instance, if a user tries to respond to someone outside of her company domain, she will receive a quick warning to make sure she intended to send that email. It's a good first line of defense against impostor campaigns, like business email compromise/whaling attacks.

“Because Gmail has contextual intelligence, it knows if the recipient is an existing contact or someone you interact with regularly, to avoid displaying warnings unnecessarily,” Wen explained. “When employees are empowered to make the right decisions to protect data, it can improve an enterprise’s security posture.”
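The external-reply check described above, as an added example that is not Google's code: it takes the reply's recipient headers, the organisation's own domains and the set of addresses the sender already corresponds with (all three are assumed inputs supplied by the caller, not details from the article) and returns the recipients that should trigger the warning.

```python
"""External-reply warning check, modelled on the Gmail behaviour described above.

Added example, not Google's code.  Assumed inputs (not from the article): the
organisation's own domains and the set of addresses the sender already
corresponds with are supplied by the caller; recipients are read from the
reply's To, Cc and Bcc headers.
"""
from __future__ import annotations
from email.utils import getaddresses


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no local@domain."""
    local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and local and domain else ""


def is_internal(addr: str, org_domains: set[str]) -> bool:
    """True if the address is at an organisation domain or a subdomain of one.

    Matching is on whole labels, so example.com-billing.tk and
    example.com.evil.tk are both external even though they contain
    'example.com'.
    """
    d = _domain(addr)
    return any(d == org or d.endswith("." + org) for org in org_domains)


def external_recipients(headers: dict[str, str], org_domains: set[str],
                        known_contacts: set[str]) -> list[str]:
    """Recipients that should trigger the external-reply warning.

    A recipient is flagged when it is outside every organisation domain and is
    not an address the sender already corresponds with.  Display names are
    ignored on purpose: "Alice <alice@example.com-billing.tk>" is judged by
    the bracketed address, which is where the mail is actually delivered.
    """
    org = {d.lower() for d in org_domains}
    known = {a.lower() for a in known_contacts}
    raw = [headers.get(h, "") for h in ("To", "Cc", "Bcc")]
    flagged = []
    for _display_name, addr in getaddresses(raw):
        addr = addr.strip().lower()
        if not _domain(addr):
            continue  # empty header, or an address getaddresses could not parse
        if is_internal(addr, org) or addr in known:
            continue
        flagged.append(addr)
    return flagged
```

Matching is on whole domain labels so that lookalike domains containing the organisation's name are still treated as external; the known-contacts set is the stand-in for the contextual intelligence Wen describes.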

Gmail also now has built-in defenses against ransomware and polymorphic malware, combining thousands of spam, malware and ransomware signals with attachment heuristics (flagging emails whose attachments show the characteristics of a threat) and sender signatures (for malware that has already been identified).

Other new features include hosted S/MIME, which encrypts and signs the message content itself rather than only the connection it travels over (Google holds the private keys on the customer's behalf, which is what "hosted" means here); the Data Loss Prevention for Gmail service to protect sensitive information; and alerts when TLS encryption between mailboxes is not supported or when a message can't be authenticated.

Source: Information Security Magazine

Shadow Brokers Offer Monthly Service of SWIFT Info, Exploits and Nuke Data

The Shadow Brokers, they of the NSA hacking tools leak, have announced plans to institute a monthly subscription for new exploits.

The “exploits-as-a-service” offering will cost 100 Zcash (a cryptocurrency) per month, approximately $28,000 at the time of writing. The Shadow Brokers claim the raft of evil goodies (baddies?) will include: web browser exploits, router exploits, mobile handset exploits and tools, items from newer Ops Disks, exploits for Windows 10, compromised network data from more SWIFT providers and central banks, and compromised network data from Russian, Chinese, Iranian or North Korean nuclear and missile programs. The group had previously warned of a June data dump of yet more NSA hacking tools.

If that seems like an outsized claim, you’re not alone in thinking that. Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, questions why, if it possesses such tools, Shadow Brokers doesn’t simply use them itself, especially if it does indeed have compromised SWIFT network data.

“Zero-day exploits still do not account for the majority of successful breach attack vectors, and they are, relatively speaking, already quite populous in both the dark and open web; compromised SWIFT networks on the other hand are what led to the $80m digital heist last year that would have been $1bn if not for a mere typo. So why would a group of hackers need to peddle exploits and the like if they have, at their disposal, the means to steal untold amounts of money? I for one am very skeptical of the group and their motives.”

However, as the group demonstrated with its very real dump of NSA hacking tools, they have made good on threats in the past and some say it’s worth taking seriously.

“The whole situation is really scary,” said Csaba Krasznay, product evangelist at Balabit, in an email. “On one hand, if the exploits really exist and someone (or multiple parties) buys them, we may be faced with another WannaCry campaign, as we can be sure that the buyer(s) will monetize those exploits. On the other hand, if the whole story is not true, Shadow Brokers' questionable ‘reputation’ may suffer [further], and it may seek to prove trustworthiness in another destructive way. Whatever the truth is, it is clear now that the governments should handle their cyberweapons in ways similar to the handling of their weapons of mass destruction.”

He added, “Those codes shouldn't get to a Shadow Broker-like group, and this is a governmental responsibility."

This is the latest “business model” that the group has tried out. It has had varying success with auctions and direct sales in the past, where it asked for millions in both cases.

“None of the past models has generated any revenue for them, neither from government agencies interested in offensive security nor from security companies trying to build protections,” said Mounir Hahad, senior director at Cyphort Labs, via email. “I suspect this new model will have better success given the price tag is much lower. My concern would be with rogue entities like cybercrime groups which now would have a more affordable access to weapons of choice. Some not-so-well funded foreign governments may dip their toes in as well.”

It’s also possible that security firms themselves will subscribe to the service in order to analyze and patch the issues, though the ethics of doing so are murky at best.

STEALTHbits, incidentally, has issued a free Shadow Brokers Vulnerability Utility that helps organizations determine their exposure to the known Shadow Brokers exploits, such as EternalBlue, the SMB exploit that the WannaCry ransomware used to spread.

Source: Information Security Magazine

A Third of UK Firms Don't Have Cyber-Insurance

UK firms are increasingly protecting themselves with cybersecurity risk insurance, but there’s a long way to go: Nearly a third of them have not taken out insurance yet.

According to findings from research firm Ovum, even among those that have insurance, only 28% said they have cybersecurity insurance that covers all risks.

The UK fares better than the rest of the world on this measure: 31% of UK executives surveyed say their firm has no cybersecurity insurance, compared to 40% in the other countries surveyed (US, Canada and the Nordics).

“The UK will soon be subject to General Data Protection Regulation (GDPR), which introduces higher fines in cases of data breach,” said Steve Hadaway, general manager for Europe, the Middle East and Africa at FICO, which sponsored the research. “Even if attacks don’t increase in volume, firms could end up paying more, which makes having comprehensive insurance more important. At the same time, companies have a right to expect that they will pay less if their protection is better. The onus is on the cybersecurity insurance industry to make sure insurance rates are fairly set for each individual firm, based on a sound analysis of its risk.”

Even though the majority of firms surveyed have cybersecurity insurance, most say that the risk assessment process insurers use needs improvement. Just 31% of respondents think their premiums reflect an accurate assessment of their risk. Nearly as many, 29%, said they don’t believe the assessment accurately reflects their risk, and 11% said they don’t know how their insurance is priced. A full 69% of respondents say insurers should do more to explain how they price risk.

Cyber-insurance covers many things. According to stats from CFC Underwriting, privacy breaches (31%) accounted for the largest number of claims last year, followed by financial loss (22%) and ransomware (16%). Malware accounted for only 7% of claims, followed by DDoS attacks (5%), “unauthorised access to systems” (5%), and business interruption (4%).

Source: Information Security Magazine

IT and Biz Leaders: Boards Don’t Take Security Seriously

Nearly half of IT and business decision makers globally don’t think their boards are capable of effectively managing cybersecurity threats, despite the vast majority (77%) believing it is now the C-level’s responsibility, according to new research from Control Risks.

The global consultancy polled nearly 500 IT and business leaders from public and private sector organizations with over 2000 employees in 20 countries.

The results reveal that many are concerned their board simply doesn’t take online threats seriously enough, despite 43% claiming a cyber-attack has resulted in the misuse of sensitive or confidential information, and 41% stating it’s led to a loss of customer data.

In the UK, things were slightly less pronounced, with 38% claiming the board doesn’t take security seriously enough.

Control Risks' associate director for cybersecurity in Europe and Africa, Jayan Perera, claimed public-private partnerships and industry-wide threat intelligence sharing initiatives have helped to raise the awareness of cyber security risks to board level executives in the UK.

“In addition, the financial industry – a prominent part of the UK’s economy – has in recent years been very active in building a proactive and fully engaged governance structure around cyber-risks, which helps to understand why the UK is showing a high level of confidence in their board level executives”, he told Infosecurity.

However, there’s still plenty of work to do and IT teams need to assume much of the responsibility for communicating what cyber-risks the board should be worried about, he added.

“To answer these questions competently, the security and risk functions of any organization should articulate the specific cybersecurity threats and potential impacts that they have identified to the board in plain English. This is fundamental to getting them comfortable with cybersecurity as a topic and also empowers them to ask questions and make decisions more effectively,” Perera argued.

“When this is combined with clear risk reporting on ongoing vulnerabilities and areas of strength and weaknesses in security controls, it provides a solid foundation for boards to take a more active role in engaging in cybersecurity issues.”

The most mature organizations will not only communicate these threats to their boards frequently but also “exercise” them on the highest impact attack scenarios, he added.

“Through this kind of threat-led exercising, boards can grasp that responding to a cyber-attack and preventing its most impactful elements relies upon a cohesive, cross-organizational response that supports technical teams to remediate the direct technical problem as well as providing wider business teams with direction to reduce business impact,” Perera concluded.

Source: Information Security Magazine

Dark Web Hackers Are Attacking Each Other Relentlessly

Cybercriminals operating inside the Dark Web continuously launch attacks and surveillance attempts designed to disrupt their fellow black hats, new Trend Micro research has revealed.

The security vendor set up several honeypots in Tor, consisting of: a closed black market; a blog advertising services; a closed underground forum; and a private file server.

Each installation deliberately exposed one or more flaws that would allow an attacker to take control, according to senior threat researcher Marco Balduzzi.

Trend Micro recorded as many as 170 attacks daily on one of its honeypots in May 2016, although the volume can partly be explained by Tor proxies like Tor2web, which effectively exposed its hidden services to the public internet without requiring any additional configuration.

After filtering out Tor2web, however, the attacks continued – hitting around 44 per day in July.

These included disruptive defacements; attempts to hijack communications going to and from the honeypot; data theft from the FTP file server; monitoring of IRC conversations via logins to the simulated chat platform; and manual attacks against the custom app running the forum.

Interestingly, while attacks from the public internet tended to use automated tools, those emanating from the Dark Web were usually manual in nature and more cautious, Balduzzi explained.

“For example, once they gained access to a system via a web shell, they would gather information about the server first by listing directories, checking the contents of databases, and retrieving configuration/system files,” he revealed.

“These manual attackers often deleted any files they placed into our honeypot; some even went ahead and left messages for us … indicating that they had identified our honeypot. Interestingly, attackers seem to be aware that compromised hidden services in the Dark Web are gold mines as all originating attacks like DDoS or SPAM will be automatically anonymized by Tor.”
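A log-triage routine in the spirit of the analysis above, added here as an example rather than Trend Micro's tooling. It separates requests that arrived through a Tor2web gateway from native Tor requests, labels each session as automated or manual from the spacing of its requests, and pulls out the commands issued through a web shell. The log lines, their pipe-separated layout (timestamp, session id, Host header, request line), the session-id cookie and the gateway hostname suffixes are all assumptions of the example, not details from the research.

```python
"""Triage of honeypot request logs, in the spirit of the Trend Micro analysis above.

Added example; not Trend Micro's tooling.  The log lines below are constructed.
Assumed layout (pipe-separated): ISO timestamp, a session id issued by the
honeypot app as a cookie, the Host header, the request line.  Tor2web gateways
are assumed to present the service under a hostname of the form
<onion-address>.onion.<gateway-domain>, which is how requests proxied from the
clearnet are separated from native Tor requests here.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

TOR2WEB_SUFFIXES = (".onion.to", ".onion.link", ".onion.cab")  # assumption: gateway domains

SAMPLE_LOG = """\
2016-07-05T10:00:00|s1|abcdefghijklmnop.onion.to|GET /phpmyadmin/ HTTP/1.1
2016-07-05T10:00:00|s1|abcdefghijklmnop.onion.to|GET /wp-login.php HTTP/1.1
2016-07-05T10:00:01|s1|abcdefghijklmnop.onion.to|GET /admin/ HTTP/1.1
2016-07-05T11:00:00|s2|abcdefghijklmnop.onion|GET /uploads/sh.php?cmd=ls+-la HTTP/1.1
2016-07-05T11:00:14|s2|abcdefghijklmnop.onion|GET /uploads/sh.php?cmd=cat+config.php HTTP/1.1
2016-07-05T11:00:41|s2|abcdefghijklmnop.onion|GET /uploads/sh.php?cmd=id HTTP/1.1
2016-07-05T11:02:10|s2|abcdefghijklmnop.onion|GET /uploads/sh.php?cmd=rm+sh.php HTTP/1.1
"""


def origin(host: str) -> str:
    """'tor2web' when the Host header carries a gateway suffix, else 'tor'."""
    return "tor2web" if host.lower().endswith(TOR2WEB_SUFFIXES) else "tor"


def shell_command(request: str) -> str | None:
    """Return the cmd= argument of a web-shell request, if there is one."""
    parts = request.split()
    if len(parts) < 2:
        return None
    args = parse_qs(urlsplit(parts[1]).query)
    return args["cmd"][0] if "cmd" in args else None


def triage(lines, manual_gap_seconds: float = 1.0) -> dict[str, dict]:
    """Group requests by session and label each as automated or manual.

    Automated tools fire requests back to back; a person driving a web shell
    pauses to read output, so the median gap between requests is the
    discriminator.  A session with a single request cannot be judged.
    """
    sessions: dict[str, list] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, sid, host, request = line.split("|", 3)
        sessions[sid].append((datetime.fromisoformat(ts), host, request))

    report = {}
    for sid, events in sessions.items():
        events.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if not gaps:
            verdict = "insufficient"
        elif median(gaps) < manual_gap_seconds:
            verdict = "automated"
        else:
            verdict = "manual"
        report[sid] = {
            "origin": origin(events[0][1]),
            "requests": len(events),
            "verdict": verdict,
            "commands": [c for c in (shell_command(e[2]) for e in events) if c],
        }
    return report
```

The command list for a manual session reads like the reconnaissance Balduzzi describes (directory listing, configuration files, then cleanup), which is the pattern to alert on once the Tor2web noise has been set aside.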

Indexing and searching are more difficult on the Dark Web, which highlights the determination of the black hats to spy on and disable the operations of their competitors, Balduzzi concluded.

Source: Information Security Magazine

NATO Cyber-Defense Group Adds New Nations to Its Ranks

The NATO Cooperative Cyber Defence Centre of Excellence is expanding.

NATO CCD COE, which is based in Estonia, has added two new members, Belgium and Sweden, while Bulgaria and Portugal will soon follow.

“International cooperation of like-minded nations in cyber-defense is becoming inevitable. We are witnessing a growing interest towards our applied research, trainings and exercises, but the preparedness of nations to contribute themselves reflects more than just recognition to the work that has been done,” said Sven Sakkov, director of the multinational and interdisciplinary hub of cyber-defense expertise. “It proves that we offer needed support for member nations and the international community in building their cyber-defense.”

The accession of Belgium and Sweden was celebrated with a flag-raising ceremony at the headquarters, with a delegation of cyber-commands from 16 nations.

Founded in 2008, NATO CCD COE is a NATO-accredited international military organisation supporting its member nations and NATO with cyber-defense expertise in the fields of technology, strategy, operations and law. The heart of the Centre is a diverse group of experts: researchers, analysts, trainers, educators from military, government and industry backgrounds.

NATO CCD COE also is the home of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. The Centre also organizes the world’s largest and most complex international technical cyber-defense exercise, Locked Shields.

Source: Information Security Magazine

8,000 Vulnerabilities Found in Pacemakers

A staggering 8,000 vulnerabilities have been discovered in one of the most widespread medical advancements keeping people alive today: The pacemaker.

White Scope, which has reported all of the vulnerabilities to DHS ICS-CERT, examined seven different pacemaker programmers from four different manufacturers, with a focus on programmers that have RF capabilities. Thousands of flaws in third-party libraries came to light—a state of affairs that outlines the issues involved in software security updates for these devices.

All of the programmers that White Scope examined had outdated software with known vulnerabilities. Many of them run Windows XP.

“As seen in other medical device verticals, keeping devices fully patched and updated continues to be a challenge, despite efforts from the FDA to streamline routine cybersecurity updates,” the team said.

The firm also uncovered that pacemaker programmers do not authenticate to pacemaker devices, and don’t require that physicians do, either; programmers instead boot directly into the programming software on the device without first requiring any type of login or password. Any pacemaker programmer can reprogram any pacemaker from the same manufacturer. Also, all of the pacemaker systems the researchers examined had unencrypted filesystems on removable media.
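What authenticating the programmer to the implant could look like, as an added example and not any manufacturer's protocol: the implant issues a fresh nonce and applies a command only when it arrives with a MAC computed under that device's own key, so a programmer that lacks the key for this particular device, or that replays a captured exchange, is refused. The per-device key, the clinic key store and the device id are assumptions; HMAC stands in for the asymmetric signature a real design would use, because the standard library has no such primitive.

```python
"""Challenge-response authentication between a programmer and an implant.

Added example of the control the article says is absent (any programmer can
reprogram any pacemaker from the same manufacturer without authenticating).
It is not a real manufacturer's protocol.  Assumptions: each implant holds a
per-device secret provisioned at manufacture, and a programmer obtains the
secret for one patient's device from the clinic's key store.  HMAC is used
only because the standard library has no asymmetric primitives; a production
design would have the implant hold a public key and verify a signature, so a
stolen or second-hand programmer carries no device secrets.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets


def _tag(key: bytes, device_id: str, nonce: bytes, command: bytes) -> bytes:
    """HMAC over device id, fresh nonce and command, so a tag is bound to one
    device and one session and cannot be replayed or redirected."""
    return hmac.new(key, device_id.encode() + nonce + command, hashlib.sha256).digest()


class Implant:
    """Device side: applies a command only after its own fresh challenge is answered."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key
        self._pending: bytes | None = None   # outstanding nonce, single use
        self.settings = {"rate_ppm": 60}

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def program(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False                      # stale, replayed or never-issued nonce
        self._pending = None                  # consume before verifying: one attempt per challenge
        if not hmac.compare_digest(tag, _tag(self._key, self.device_id, nonce, command)):
            return False                      # wrong key: not an authorised programmer
        name, _, value = command.decode().partition("=")
        self.settings[name] = int(value)      # only authenticated commands reach the parser
        return True


class Programmer:
    """Clinic side: holds keys for the devices it is authorised to program."""

    def __init__(self, keystore: dict[str, bytes]):
        self._keys = keystore

    def send(self, implant: Implant, command: bytes) -> bool:
        key = self._keys.get(implant.device_id)
        if key is None:
            return False
        nonce = implant.challenge()
        return implant.program(nonce, command, _tag(key, implant.device_id, nonce, command))


def demo() -> dict:
    """Constructed scenario: the authorised programmer succeeds, a programmer
    holding the wrong key for this device fails, and replaying a captured
    (nonce, command, tag) triple fails."""
    device_key = secrets.token_bytes(32)
    implant = Implant("PM-0001", device_key)
    clinic = Programmer({"PM-0001": device_key})
    impostor = Programmer({"PM-0001": secrets.token_bytes(32)})  # same model, wrong key

    authorised = clinic.send(implant, b"rate_ppm=70")
    wrong_key = impostor.send(implant, b"rate_ppm=200")

    nonce = implant.challenge()
    tag = _tag(device_key, implant.device_id, nonce, b"rate_ppm=30")
    implant.program(nonce, b"rate_ppm=30", tag)            # genuine exchange, observed by an attacker
    replayed = implant.program(nonce, b"rate_ppm=30", tag)  # the same triple sent again
    return {"authorised": authorised, "wrong_key": wrong_key,
            "replayed": replayed, "rate_ppm": implant.settings["rate_ppm"]}
```

Consuming the nonce before the tag is checked means an attacker gets exactly one guess per challenge, and binding the device id into the MAC stops a tag minted for one implant from being redirected to another.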

White Scope also noticed a lack of cryptographically signed pacemaker firmware, adding another layer of security problems: It would be possible to update the pacemaker device with a custom firmware.

This is already a raft of potential issues, but that’s not where it ends. Worryingly, they were able to obtain pacemakers to test directly from eBay auctions. Some were used and contained patient data. Programmers can cost anywhere from $500-$3000, home monitoring equipment from $15-$300 and pacemaker devices $200-$3000.

“These devices are supposed to be controlled, as in they are supposed to be returned to the manufacturer after use by a hospital,” researchers said. “In two instances, we were able to confirm that patient data was stored unencrypted on the programmer. In one instance, we discovered actual unencrypted patient data (SSNs, names, phone numbers, medical data…etc.) on a pacemaker programmer. The patient data belonged to a well-known hospital on the east coast and has been reported to the appropriate agency. These types of issues highlight the need for strong device disposal policies from hospitals.”

To change this state of affairs, information-sharing is a real opportunity in this space, the firm said.

“Surprisingly, the architecture and even technical implementation of pacemaker systems across manufacturers is very similar,” White Scope said. “We suspect that some of this similarity is due to the technical restraints associated with implanted technologies. Other similarities, however, indicate that there is some cross-pollination between pacemaker manufacturers. Given the similarities between systems, we hope that pacemaker manufacturers work together to share innovative cyber security designs and compete on user experience and health benefits as opposed to competing on cybersecurity.”

Pacemakers are not a new source of concern. Back in 2012, Barnaby Jack of security vendor IOActive found that several vendors’ pacemakers can be remotely controlled and commanded to deliver an 830-volt shock via a laptop, thanks to software programming flaws on the part of medical device companies. That is, of course, enough to kill someone, and Jack noted that the vulnerabilities open the door to “mass murder.”

Source: Information Security Magazine

Fancy Bear US Election Hackers Doctored Leaked Documents

The Russian hackers behind the break-in at the Democratic National Committee last summer have been caught engaging in “tainted leaks”—i.e., inserting fake information into stolen documents and then releasing them in a disinformation effort.

The first victim of this treatment, according to an investigation by Citizen Lab, was journalist and noted Kremlin critic David Satter. From there came the discovery of 200+ unique targets spanning 39 countries (including members of 28 governments).

“The list includes a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers, CEOs of energy companies and members of civil society,” the firm said in a summary of the campaign. “After government targets, the second largest set (21%) are members of civil society including academics, activists, journalists and representatives of non-governmental organizations.”

Satter was a top target, having been banned from Russia in 2013 after carrying out investigative reporting on Russian autocracy. He has also published a book arguing that a series of bombings that prompted the second Chechen War were engineered to facilitate Vladimir Putin’s political rise. 

Last October, Satter’s emails were stolen and later published on the CyberBerkut hacking blog after he fell for a phishing lure. Citizen Lab said that unpublished reporting lifted from his emails about Radio Liberty’s Russian investigative reporting project also was leaked to the National Endowment for Democracy (NED), with carefully modified false information. For instance, the doctored version removed all references to Radio Liberty.

“This manipulation created the false appearance that prominent Russian anti-corruption figures, including Alexei Navalny, were receiving foreign funding for their activities. (Alexei Navalny is a well-known Russian anti-corruption activist and opposition figure),” Citizen Lab explained. “We also note how the document was used in an effort to discredit specific reports about corruption among close associates of Russian President Vladimir Putin.”

It added, “We believe that by removing specific references to Radio Liberty, the perpetrators are aiming to give the impression of a broader subversive campaign not limited to a single news organization. Doing so allows the perpetrators to falsely associate non-US funded organizations, such as independent NGOs, to appear to be linked as part of this larger, fictitious program.”

The leaked document also made reference to an article that had not yet been published at the time the document was released, which suggests ongoing surveillance operations.

As for Fancy Bear, aka APT28, numerous links suggest it has ties to these operations, including marked similarities to short codes used in the lures and to a collection of other phishing links now attributed to the meddlers in the 2016 US election. The campaign that targeted the DNC also used the same Google security-themed phishing ruse, and abused another URL shortening service, Bit.ly. Citizen Lab also found similarities in domain naming and subdomain structures between the tainted leaks campaign and operations linked to Fancy Bear. In fact, the link used to phish John Podesta shares distinct naming and subdomain similarities with domains linked to the phishing operation against Satter.

“The phishing URLs in this campaign were encoded with a distinct set of parameters using base64. When clicked, the links provided key information about the targets to the phishing website,” explained Citizen Lab. “An identical approach to parameters and encoding has been seen before: in the March 2016 phishing campaign that targeted Hillary Clinton’s presidential campaign and the Democratic National Committee.”

It added, “This domain/subdomain naming schema is also extremely close to one featured in Mandiant’s 2017 M-Trends report, in a phishing operation linked to APT28 which targeted OAuth tokens in an effort to obtain persistent access to a victim’s Google account, and to bypass the security of two-factor authentication.”

Despite the circumstantial evidence, Citizen Lab said that it wasn’t able to make a more conclusive technical link to Fancy Bear, which is widely believed to be a nation-state actor supported by the Kremlin. But Forbes carried out its own investigation using information uncovered by SecureWorks and found plenty of evidence:

“For instance, one web domain used in the attacks covered by Citizen Lab's report – myaccount.google.com-securitysettingpage[.]tk – was also spied by security firm SecureWorks in previous Fancy Bear attacks. SecureWorks, the first firm to find evidence that Google password phishing led to the DNC breach, said between March 18th and March 29th 2016 that domain was used by Fancy Bear to create 224 Bitly shortlinks to phish Gmail users. That was the same domain used in the spear phish on Podesta, as well as another prominent Clinton campaign staffer, according to SecureWorks' analysis. That made it pretty clear the hackers who hit Satter were the same as those behind the DNC breach, the firm added.”
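Two of the indicators described above, brand labels placed in front of an unrelated registered domain and base64-encoded target details in the query string, checked in an added example that is not Citizen Lab's or SecureWorks' tooling. The domain in the sample URL is the one quoted from the Forbes report; its path and parameter values are constructed, and the protected-host list and the two-label registered-domain rule are assumptions of the example.

```python
"""Indicators in the phishing URLs the article describes.

Added example; not Citizen Lab's or SecureWorks' tooling.  It checks the two
traits the article attributes to the campaign: a trusted hostname
(myaccount.google.com) used as the leading labels of an unrelated registered
domain, and target details carried in base64-encoded query parameters.  Only
the domain in the sample is from the article; its path and parameter values
are constructed.  Registered-domain extraction uses the naive 'last two
labels' rule (no Public Suffix List), which mis-handles suffixes such as
co.uk and is an assumption of this example.
"""
from __future__ import annotations
import base64
from urllib.parse import parse_qsl, urlsplit

PROTECTED_HOSTS = ("myaccount.google.com", "accounts.google.com", "google.com")


def refang(url: str) -> str:
    """Undo the [.] and hxxp defanging used when indicators are shared."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str) -> str | None:
    """Return the protected hostname that host impersonates, or None.

    login.google.com registers under google.com and is left alone;
    myaccount.google.com-securitysettingpage.tk begins with the brand's labels
    but registers under securitysettingpage.tk, so it is flagged.
    """
    host = host.lower()
    reg = registered_domain(host)
    if any(reg == registered_domain(b) for b in PROTECTED_HOSTS):
        return None
    for brand in sorted(PROTECTED_HOSTS, key=len, reverse=True):
        if host.startswith(brand + ".") or host.startswith(brand + "-"):
            return brand
    return None


def decode_b64_params(url: str) -> dict[str, str]:
    """Query parameters whose values decode as base64 to printable text."""
    found = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        padded = value + "=" * (-len(value) % 4)        # shorteners and lures often drop padding
        try:
            text = base64.b64decode(padded, altchars=b"-_", validate=True).decode("utf-8")
        except ValueError:   # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue
        if text and text.isprintable():
            found[key] = text
    return found


def analyze(url: str) -> dict:
    clean = refang(url)
    host = urlsplit(clean).hostname or ""
    return {"host": host, "impersonates": lookalike_brand(host),
            "decoded_params": decode_b64_params(clean)}
```

The decoded parameters are what made the lures personalised (the page pre-filled with the target's own address), and they are also what lets a defender pivot from one captured link to the rest of the target list.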

As to whether the information leaked from the DNC had been doctored, no analysis has been applied to it so far. But this kind of tampering is likely to become more and more widespread.

"Tainted leaks are the next frontier of disinformation: an attempt to really tamper with the integrity of large sets of information that people will believe to be genuine," John Scott-Railton, researcher at Citizen Lab, told Forbes.

Source: Information Security Magazine

Microsoft Issues Out-of-Band Security Update

Microsoft has quietly added to its May Patch Tuesday security updates by fixing eight critical vulnerabilities in its Malware Protection Engine.

Redmond said at the end of last week that it had released an updated version of the engine – 1.1.13804.0 – to fix five denial of service and three remote code execution vulnerabilities.

Once again it was Google researchers from the firm’s Project Zero team, including Tavis Ormandy and colleague Mateusz Jurczyk, that discovered the bugs.

Jurczyk wrote: “Through fuzzing, we have discovered a number of ways to crash the service (and specifically code in the mpengine.dll module), by feeding it with malformed input testcases to scan.”

He explained that the heap buffer overflow, heap corruption and unspecified memory corruption issues were the most important, as they could lead to arbitrary code execution.

“On the other hand, "null_1-4", "div_by_zero" and "recursion" are low severity bugs that can only be used to bring the service process down,” he added.
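A minimal mutation fuzzer of the kind Jurczyk describes, added as an example. The target is a small constructed file format with three planted bugs that mirror the article's crash classes (a division by zero, unbounded recursion, and an out-of-bounds read); it is not mpengine.dll, and the fuzzer is not Project Zero's. The seed file, the mutation strategies and the iteration count are assumptions of the example.

```python
"""Mutation fuzzing of a file parser, the technique Project Zero describes above.

Added example; the parser below is a deliberately small constructed format
with planted bugs, not mpengine.dll, and the fuzzer is a minimal one, not
Project Zero's.  The crash classes mirror the ones in the article: a division
by zero and unbounded recursion, which only take the process down, and an
out-of-bounds read, which in Python is a safe IndexError but in native code
would be the kind of memory error that merits the higher severity.
"""
from __future__ import annotations
import random

MAGIC = b"FZ"
# Constructed seed: magic, scale=2, value record [10,20,30], reference to offset 11, value record [5,5]
SEED = MAGIC + bytes([2, 1, 3, 10, 20, 30, 2, 1, 11, 1, 2, 5, 5])
INTERESTING = [0, 1, 2, 3, 0x7F, 0x80, 0xFF]   # boundary values fuzzers try first


def parse(data: bytes) -> list[int]:
    """Toy format: 'FZ', a scale byte, then records of (kind, length, payload)."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")          # clean rejection, not a crash
    scale = data[2]                            # planted: no length check before this read
    return _parse_records(data, 3, scale)


def _parse_records(data: bytes, pos: int, scale: int) -> list[int]:
    out = []
    while pos < len(data):
        kind, length = data[pos], data[pos + 1]      # planted: truncated header -> IndexError
        body = data[pos + 2: pos + 2 + length]
        if kind == 1:                                # value record: scaled mean of payload
            out.append(sum(body) // (scale * max(len(body), 1)))   # planted: scale 0 -> ZeroDivisionError
        elif kind == 2:                              # reference record: also parse from a named offset
            out.extend(_parse_records(data, body[0], scale))       # planted: backward offset -> unbounded recursion
        pos += 2 + length
    return out


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One mutation per test case: random byte, boundary value, or truncation."""
    buf = bytearray(data)
    if not buf:
        return data
    op = rng.randrange(3)
    if op == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    else:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def classify(exc: BaseException) -> str | None:
    """Bucket an exception the way a crash triager buckets signals."""
    if isinstance(exc, ZeroDivisionError):
        return "div_by_zero"
    if isinstance(exc, RecursionError):
        return "recursion"
    if isinstance(exc, IndexError):
        return "out_of_bounds"
    if isinstance(exc, ValueError):
        return None                            # input rejected on purpose
    return "other"


def fuzz(seed: bytes = SEED, iterations: int = 5000, rng_seed: int = 1) -> dict[str, bytes]:
    """Return the first crashing test case found for each crash class."""
    rng = random.Random(rng_seed)
    found: dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            parse(case)
        except Exception as exc:               # the fuzzer wants every failure, not just expected ones
            bucket = classify(exc)
            if bucket and bucket not in found:
                found[bucket] = case
    return found


if __name__ == "__main__":
    for bucket, case in fuzz().items():
        print(f"{bucket:14} {case.hex()}")
```

Keeping the first input per bucket is what turns thousands of crashes into the short list of distinct bugs that gets reported; the severity split Jurczyk draws (memory corruption versus mere service crash) is then a property of the bucket, not of the individual input.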

The full list of vulnerabilities is as follows: CVE-2017-8535; CVE-2017-8536; CVE-2017-8537; CVE-2017-8538; CVE-2017-8539; CVE-2017-8540; CVE-2017-8541; and CVE-2017-8542.

Attackers can apparently exploit the above flaws by getting the Microsoft Malware Protection Engine to scan a specially crafted file.

Microsoft continued:

“An attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”

The good news is that admins will typically not need to do anything this time around: the Malware Protection Engine updates itself automatically, alongside the regular definition updates. It is still worth confirming that deployed clients report engine version 1.1.13804.0 or later, since a machine that has been offline or has automatic updating disabled will not have picked up the fix.

Source: Information Security Magazine

Disney ‘Hackers’ Were Bluffing, Says CEO

Hackers that tried to extort money from Disney by threatening to make public an upcoming movie ahead of its release date appear to have been bluffing, the firm’s boss has revealed.

Chairman and CEO Bob Iger said the media giant had, to its knowledge, not been hacked.

“We had a threat of a hack of a movie being stolen. We decided to take it seriously but not react in the manner in which the person who was threatening us had required,” he told Yahoo Finance.

“We don’t believe that it was real and nothing has happened.”

The hackers apparently demanded a large payment in Bitcoin, and threatened to release five minutes of the stolen film followed by subsequent 20-minute instalments if their demands weren’t met.

Disney likely took the threat seriously given that a similar incident occurred last month when a hacker uploaded the upcoming series of Netflix prison drama Orange is the New Black to The Pirate Bay after the streaming giant refused to pay a ransom.

In that case, a third-party production vendor used by the studios was to blame, after its security was compromised by the hacker.

Iger acknowledged the elevation of cybersecurity to a “front burner issue.”

“Technology is an enabler to run our businesses more securely, whether that’s protecting our intellectual property or protecting our guests or employees around the world,” he argued.

Unfortunately, many boardrooms don’t share Iger’s enthusiasm for cybersecurity-related issues.

Just 5% of FTSE 100 companies claim to have a technology expert on the board, despite most of them (87%) identifying cybersecurity as a major risk to the firm, according to a recent Deloitte report.

Yet cybersecurity is something the C-level need to get urgently up to speed with, as increasing numbers are targeted by whalers.

Just this month, Barclays CEO Jes Staley was tricked into emailing someone pretending to be the bank’s chairman, John McFarlane.

Source: Information Security Magazine