
Archive for June 2017

Qualcomm Announces New Fingerprint Biometrics for Mobile

Today, Qualcomm announced their next generation of fingerprint biometric technology for mobile devices. Their announcement was made during the Mobile World Congress Shanghai 2017 event. Qualcomm Fingerprint Sensors are a significant update to their previous Qualcomm Snapdragon Sense ID fingerprint technology.

The sensors will be available in multiple forms of hardware, including display, glass, and metal varieties. The display sensor version actually goes directly underneath a smartphone or tablet's touchscreen. The first devices to use their technology are expected to launch in the first half of 2018.

Notably, Qualcomm's new ultrasonic scanning system will be able to detect a user's heartbeat and blood flow. This liveness check mitigates fingerprint spoofing attacks that use methods such as imprinting a target's fingerprint onto a gummy bear.

Qualcomm Fingerprint Sensors can be activated even when a device's screen is turned off. The new technology even works underwater. The new biometric system will work with the currently available Qualcomm Snapdragon 630 and 660 platforms, and will also work with future Snapdragon 200, 400, 600, and 800 platforms. The company even plans to expand their new fingerprint technology to non-Snapdragon CPUs.

“We are excited to announce Qualcomm Fingerprint Sensors because they can be designed to support sleeker, cutting-edge form factors, unique mobile authentication experiences, and enhanced security authentication. This provides OEMs and operators with the ability to offer truly distinct, differentiated devices with added value on truly groundbreaking new devices,” said Seshu Madhavapeddy of Qualcomm Technologies, Inc.

The display version of their new fingerprint sensors will be the first commercially announced multifunctional ultrasonic solution for mobile devices that can scan through OLED display stacks of up to 1200 µm. The glass sensors can scan through up to 800 µm of cover glass, and the metal sensors can scan through up to 650 µm of aluminum.

Qualcomm is set to release their new sensors to OEMs starting this month, to facilitate the debut of devices with Qualcomm Fingerprint Sensors in 2018.

Source: Information Security Magazine

Microsoft Developing AI-Driven Antimalware for Windows 10

Microsoft is working on significant changes for Windows 10 in its upcoming Fall Creators Update. The update doesn't have a known release date yet, but we now know about an important new feature that it'll debut, sometime between September and October.

It is now well understood that antimalware software can no longer rely solely on local signatures if it is to be effective against malware attacks.

Microsoft announced that its Windows Defender Advanced Threat Protection (ATP) system will soon be augmented with AI-driven malware analysis. When Microsoft's cloud antimalware service discovers a new file and determines it to be malicious, a signature for it will be created. The AI system will then look for similar malware on other network-connected Windows machines. The new system removes the need for users and system administrators to configure clients and servers to pull down local signature updates. In theory, local zero-day attacks should become less frequent.

According to Windows enterprise director Rob Lefferts, 96% of cyber-attacks involve new and zero-day malware. It currently takes Microsoft researchers hours to develop a signature. The new AI system should significantly speed up that process, potentially protecting millions of Windows machines sooner than ever.

The new cybersecurity features that will debut in the Fall Creators Update for Windows Defender ATP will initially only be available to enterprise customers. Microsoft plans to eventually make the features available to all Windows 10 users. They've even mentioned that they're working on making ATP available for operating system platforms other than Windows.

The upcoming Fall Creators Update also includes Windows Defender Exploit Guard, which enables companies to restrict how code is executed on their machines. Exploit Guard uses Attack Surface Reduction smart rules for intrusion prevention, and helps users take advantage of vulnerability mitigation capabilities like those formerly offered in the Enhanced Mitigation Experience Toolkit.

Source: Information Security Magazine

Ransomware Vaccine Now Available

Yesterday, new Petya ransomware hit Windows client machines and servers, spreading worldwide after initial infections in Ukraine. The attacks consist of the NotPetya, SortaPetya, and Petna variants of the original Petya malware that was discovered in 2016. This time, the malware family has been targeting the same Windows SMB vulnerability that was exploited by WannaCry.

According to analysis by CyberArk Labs, the new Petya variants appear not to affect Windows endpoints that are configured to use a US English-only keyboard. That leads researchers to believe that the new malware may have been developed by a nation state whose target is a specific country or set of countries. Still, Windows users and enterprises around the world should take the new threat seriously.

Thanks to Cybereason researcher Amit Serper, there is now a “vaccine” that can be applied to Windows machines that have not yet been infected. Serper's findings have been confirmed by TrustedSec, Emsisoft, and PT Security. Unlike the kill switch for WannaCry that was discovered by Marcus Hutchins, Serper's “vaccine” must be applied manually on each machine. He warns that it is merely a temporary fix.

When the new Petya variants gain access to a victim's Windows partition, they look for a file named “perfc.dll.” Only if no file with that name is found does the malware proceed with its encryption routine. Lawrence Abrams has developed a batch file for applying Serper's fix, which should make it easier for remote administrators who must apply it to multiple Windows clients. It can be downloaded here.
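One way to roll the file-based vaccine out to several Windows clients from an administrator's workstation, as an added PowerShell example that is neither Abrams's batch file nor anything from the article. It assumes the check happens in the Windows directory ($env:SystemRoot), that PowerShell remoting (WinRM) is enabled on the target hosts, and it uses the file name the article gives (perfc.dll) as its default.

```powershell
# Added example (not the article's batch file). Creates an empty, read-only
# "vaccine" file on each host so the variants described above find it and
# skip encryption. Assumption: the file is looked up in $env:SystemRoot.
param(
    [string[]]$ComputerName = @('localhost'),
    [string[]]$FileNames    = @('perfc.dll')   # name reported in the article
)

$vaccinate = {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Contents are irrelevant; only the file name matters
            New-Item -ItemType File -Path $path | Out-Null
        }
        # Read-only reduces the chance of accidental deletion or overwrite
        # (an administrator can still remove it, hence a temporary fix)
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            Path     = $path
            Exists   = Test-Path -LiteralPath $path
            ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

# Run the script block on every host and report what was verified
Invoke-Command -ComputerName $ComputerName -ScriptBlock $vaccinate -ArgumentList (,$FileNames) |
    Select-Object Host, Path, Exists, ReadOnly |
    Format-Table -AutoSize
```

Any row reporting Exists or ReadOnly as False indicates a host where the mitigation did not apply and which should be patched and checked by hand.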

Upon Serper's discovery, he received multiple job offers. “I'm very happy with working for Cybereason, please stop emailing me. Also, appreciate the praises but let's not go crazy. I'm not that good,” he said. In a later tweet, he added, “Thanks for all the kind words. This is a temporary fix, let's focus on patching, less on thanking me. Thanks again, I'm humbled.”

Source: Information Security Magazine

Phishing and Social Engineering Cause Over Half of Cyber Incidents

The Business Continuity Institute (BCI) has called for improved user education and cyber resilience after revealing that nearly two-thirds (64%) of global firms have experienced at least one cyber “disruption” in the past year.

The BCI’s latest Cyber Resilience Report comprises interviews with 734 respondents from 69 countries, and found one in six (15%) had experienced at least 10 disruptions in the 12-month period.

A BCI spokesman confirmed to Infosecurity that “disruption” refers in this case to “any cyber event that has a negative impact on the organization.”

Phishing and social engineering were the primary cause of more than half (57%) of disruptions, highlighting the urgent need for improved user education.

Those figures echo findings from this year’s Verizon Data Breach Investigations Report (DBIR), which revealed phishing was a part of 21% of attacks in 2016, up from only 8% the previous year.

With time of the essence when it comes to dealing with a threat, it’s disappointing that 67% claimed it takes their organization over one hour to respond to an incident, while 16% said it can take over four hours.

A third (33%) said that the ensuing disruption following an attack cost the firm more than €50,000 (£44K, $57K) while 13% experienced losses in excess of €250,000 (£222K, $284K).

One in five SME respondents (18%) reported cumulative losses of more than €50,000, a big deal for smaller firms.

On the plus side, 87% of organizations polled reported having business continuity arrangements in place to respond to cyber incidents.

The WannaCry epidemic and this week’s ‘NotPetya’ attacks have shown just how fragile major organizations’ IT infrastructure is.

Big name firms including DLA Piper, Maersk, Merck, WPP and others have all been struck by the latest ransomware ‘worm’ to use NSA exploits and a host of other propagation and infection techniques.

David Thorp, executive director at the BCI, argued that IT silos need to be broken down if firms want to improve their resilience to such threats.

“Co-operation is key to building cyber and organizational resilience,” he added. “Different disciplines such as business continuity, information security and risk management need to come together, share intelligence and start speaking the same language if they want to build a safer future for their organizations and communities.”

Source: Information Security Magazine

UK Firm Gets £60K Fine After Pen Test Failure

Privacy watchdog the Information Commissioner’s Office (ICO) has sent a warning shot across the bows of the UK’s SMEs, fining one company £60,000 after a cyber-attack took advantage of poorly protected web infrastructure.

Video game rental business Boomerang Video failed to follow best practice security steps and subsequently suffered an attack which exposed the personal details of over 26,000 customers, the ICO revealed.

It is said to have failed to carry out regular pen testing which would have uncovered the SQL injection flaw the attacker exploited.

Boomerang also failed to ensure its password for the WordPress section of its site was complex enough to foil attackers.

If that wasn’t enough, the ICO found some information stored unencrypted, and the data that was protected could also be accessed by virtue of the decryption key being accessible.

Finally, encrypted cardholder details and CVV numbers were stored on the firm’s web server for longer than was necessary, running counter to best practices around data minimization.

ICO enforcement manager, Sally Anne Poole, argued that businesses of all sizes that handle personal info have to comply with data protection laws.

“Boomerang Video failed to take basic steps to protect its customers’ information from cyber-attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers,” she added.

“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening. I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

Poole also warned that fines could be a lot higher under the EU General Data Protection Regulation (GDPR), which is set to come into force on May 25 2018.

Source: Information Security Magazine

Global Companies Hit as Ransomware Attack Continues

Companies in the UK, USA and across Europe are reported to have been infected with the widely-reported ransomware.

Research by Kaspersky Lab has claimed that this is not the Petya variant reported earlier but a brand new variant. Regardless, companies including US pharmaceutical firm Merck, law firm DLA Piper, a hospital in Pittsburgh and UK digital advertising firm WPP are among those who have been affected.

Becky Pinkard, vice president of service delivery and intelligence at Digital Shadows, said: “There is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilizes the EternalBlue SMBv1 worm functionality. More work is needed to investigate the way the virus propagates; in the meantime businesses are urged to ensure their software is up-to-date and all files backed up.”

At the time of writing, the Bitcoin wallet associated with this attack showed 27 payments had been made; all of which were made today.

Brian Hussey, VP of cyber threat detection and response at Trustwave, said: “This version is a much more advanced approach that requires a sophisticated skillset in programming and truly renders everything on the victim’s computer fully inaccessible. It does not just encrypt user files on the existing Operating System, rather it launches a custom bootloader that encrypts the Master File Table and the Master Boot Record, as well as system files. It restarts the computer and launches directly into the Petya bootloader, thereby cutting any access to the Operating System (or any files) at all, until the ransom is paid and the computer can go back to booting normally.

“Original versions of Petya released in 2016 showed programming errors that allowed a security analyst to decode the ransomed files. This issue was fixed in recent versions of the malware and I wouldn’t expect this to be present in current versions.”

However, Kaspersky Lab researchers said that their preliminary findings suggested that it is not Petya. The company said: “This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.”

In terms of how it infected businesses, early analysis suggested that it uses a combination of the EternalBlue exploit that was used by the WannaCry ransomware in May, as well as Windows Management Instrumentation Command-line (WMIC) and the PsExec tool for lateral movement.

Also, it was reported that Posteo administrators have disconnected the email address associated with paying the ransomware. Pinkard said: “This means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so.”

Source: Information Security Magazine

#Petya Ransomware Spreading Beyond Ukraine, Expert Claims

Mass reports have surfaced of a new ransomware attack, believed to be a variant of Petya, affecting various computers in Ukraine. So far, the country’s central bank, local metro and Kiev’s Boryspil Airport have been hit, with various other companies also claiming they have suffered the same fate.

However, the attack does not appear to be limited to Ukraine; in a blog post security expert Graham Cluley wrote:

“There have been additional reports that the Spanish offices of multinational companies such as law firm DLA Piper have been hit by a malware attack that is encrypting files on their computers and demanding a ransom of US $300 in Bitcoin be paid to the extortionists.”

There have also been reports of infections in Russia, India and the UK, and “it seems unlikely that that will be the end of it,” Cluley added.

“I really hope you learnt a lesson from the WannaCry ransomware outbreak and put some secure backup systems in place,” he wrote.

It is not currently known for certain how the infection is spreading, but some researchers have taken to Twitter to claim it is using the same technique as WannaCry: exploiting SMBv1 with EternalBlue to take advantage of unpatched Windows machines.

Affected systems are displaying this message:

“Ooops, your important files are encrypted.

“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service.

“We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.”

Source: Information Security Magazine

Deloitte: Oil and Gas Companies Poorly Prepared for Cyber-Attack

According to a report released yesterday by Deloitte LLP, the oil and gas industry is especially at risk for cyber-attack. The report, Protecting the Connected Barrels—Cybersecurity for Upstream Oil and Gas, authored by Anshu Mittal, Andrew Slaughter and Paul Zonneveld has the industry concerned.

Ponemon Institute research publicized in February says that the energy sector was the second most prone industry to cyber-attacks, with almost 75% of companies hit by at least one significant cyber-incident in 2016.

There are many reasons for the industry to worry. When the authors of the Deloitte report visited oil fields in the United States, Zonneveld observed some lax security practices. “(It) was like walking into the 1980s, with shared passwords and passwords written down on paper,” he told Bloomberg. Only 14% of oil drilling operations have fully operational security monitoring. In a 2015 report from the Industrial Control Systems Cyber Emergency Response Team, more than 30% of cyber-attacks on critical infrastructure had an unknown infection vector or were untraceable.

The differing priorities of the stakeholders and entities involved in oil and gas systems add a layer of complexity which poses a cybersecurity challenge. IT prioritizes confidentiality and integrity over availability. Drilling and well site operations, which rely on programmable logic controllers and sensors, prioritize availability over confidentiality and integrity. In addition, older technological components, which are often more difficult to secure, must work alongside much newer components.

The oil and gas industry has a large cyber-attack surface comprising many vectors. A single company stores petabytes of sensitive data, uses half a million processors for oil and gas reservoir simulation alone, and shares thousands of production and drilling control systems with vendors and partners around the world. One attack can cost millions of dollars and put the environment and human lives at risk.

Report author Andrew Slaughter emphasizes the industry significance of Deloitte's findings. “The culture needs to change, and that’s happening but it takes time,” he said. “This report serves as a call to arms.”

Figure: Graph published by Deloitte Industry Press illustrating the cyber-attack vulnerability of different aspects of oil and gas operations.

Source: Information Security Magazine

Ukraine Businesses Hit by Petya Ransomware

Multiple businesses in Ukraine have been hit by a new ransomware variant, said to be related to the Petya family.

According to early reports, freight company Maersk is among those who have confirmed that its IT systems are down “across multiple sites and business units”. Also affected are reportedly the banks, power grid companies including the state-owned Ukrenergo and Kyivenergo, postal service, government, media, airport and cell providers.

A Ukrenergo spokesperson told Forbes that power systems were unaffected, saying: "On June 27, a part of Ukrenergo's computer network was cyber-attacked. Similarly, as it is already known with the media, networks and other companies, including the energy sector, were attacked. Our specialists take all the necessary measures for the complete restoration of the computer system, including the official [website]."

A picture of an infected PC was posted by Kiev Metro Alerts, which tells the victim that “your files are no longer accessible, because they have been encrypted” and that ‘nobody can recover your files without our decryption service’ which comes at a cost of $300 worth of Bitcoin.

According to early research by BitDefender, the variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents the victim’s computers from being booted up in a live OS environment and retrieving stored information or samples.

Research by Kaspersky Lab has revealed this to be a variant of the Petya ransomware, which returned with a rebranded version named GoldenEye in 2016.

According to F-Secure, instead of encrypting files on disk, Petya will lock the entire disk, rendering it pretty much useless. “Specifically, it will encrypt the file system’s master file table (MFT), which means the operating system is not able to locate files,” researchers claimed.

“It installs itself to the disk’s master boot record (MBR) like a bootkit. But instead of covert actions, it displays a red screen with instructions on how to restore the system. Going after the MFT is a fast attack that takes far less time than encrypting data files, but the overall effect is the same – the data becomes inaccessible.”

Allan Liska, intelligence architect at Recorded Future, said: “This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine. The payload of the phishing attack is twofold: an updated version of the Petya ransomware (older versions of Petya are well-known for their viciousness, rather than encrypt select files Petya overwrote the master boot record on the victim machine, making it completely inoperable).

“There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine). Our threat intelligence also indicated that we are now starting to see US victims of this attack.

“There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking Trojan, it steals usernames and passwords as well as other personal data from the victim machine and sends it to a command and control host. Which means this attack not only could make the victim's machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion.”

Source: Information Security Magazine

Michigan Healthcare Company Hit by Non-WannaCry Ransomware

Airway Oxygen, a Michigan-based healthcare supplier, has announced that it was hit by a ransomware attack in April. About 550,000 people were directly affected.

The company said: “An investigation revealed that the intruders had access to patient health information for approximately 550,000 current and past customers of Airway Oxygen. Additionally, the personal information of approximately 1,160 current and former employees of Airway and its sister company were also compromised."

Airway Oxygen is a private company that makes medical equipment such as lift chairs, wheelchairs, CPAP supplies, oxygen machines and mobility scooters.

The company has been informing their clients that their personal data has been breached in a letter dated June 2017. In the letter, the company explains “On the evening of 18 April 2017, we learned that unidentified criminals have gained access to our technical infrastructure and installed ransomware in order to deny Airway Oxygen Inc. access to its own data.” According to the company, home addresses, telephone numbers, health insurance policy numbers and diagnoses may have been leaked. Social Security numbers, credit card numbers, debit card numbers, and bank account numbers were not affected.

The firm did not specify which ransomware family was used in the attack, but the incident predates WannaCry. It is also unclear what amount the attacker demanded, and whether or not Airway Oxygen paid the ransom.

The company added: “We have reported the incident to the FBI and will cooperate with their efforts. We have hired a cybersecurity firm to assist in conducting an investigation to assess the cause and impact of the breach. In addition, we are identifying further actions to reduce the risk of this situation recurring."

Healthcare information is one of the most sensitive types of data that can be compromised in a cyber-attack. The most important set of federal American regulations which govern how medical data is handled is the Health Insurance Portability and Accountability Act.

Source: Information Security Magazine