Archive for August 2017

White House Advisers Warn of CNI Cyber-9/11

President Trump’s advisers have warned of an impending 9/11-style attack on the nation’s critical infrastructure and called for “direction and leadership to dramatically reduce cyber risks.”

The National Infrastructure Advisory Council (NIAC) was commissioned by the National Security Council (NSC) to review over 140 federal “capabilities and authorities” in order to evaluate what needs to be done to secure infrastructure against targeted attacks.

The resulting report out this week claimed that although both government and private sector have “tremendous” resources to defend critical systems from attack, they’re not properly organized, harnessed or focused.

It added:

“The challenges the NIAC identified are well-known and reflected in study after study. There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber-attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions.”

Specifically, these recommendations include establishing separate, secure networks for critical infrastructure (CNI), including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.

Information sharing is also high on the wish list: the report calls for a pilot of M2M info-sharing technologies, and the rapid declassification and proactive sharing of threat intelligence with CNI operators.

That’s not all. The report recommends best-in-class scanning tools and assessment practices; a public-private expert exchange program to strengthen IT professionals’ skill sets and a streamlining of the security clearance process for CNI owners.

The NIAC also wants “limited time, outcome-based market incentives” to encourage CNI owners to invest in state-of-the-art technologies.

An operational task force is required comprising experts in government alongside electricity, finance and communications sectors to take decisive action, it added.

The White House National Security Adviser should review these recommendations and chart a path forward, it concluded.

Although there have been precious few attacks on US CNI over the years – aside from an alleged Iranian attack on a New York dam – the warning signs are that hostile states increasingly have the capabilities to launch one.

Most experts point to the sophisticated Kremlin-linked attacks on Ukrainian power stations in December 2015 and 2016, which led to widespread outages in the country.

Source: Information Security Magazine

Attackers Scam $500K in Ethereum from Enigma Users

Hackers have compromised the social media accounts of crypto-currency platform Enigma, managing to make off with $500,000 in fraudulent scam gains before the company took back control.

Enigma is prepping for a crypto-token sale on Sept. 11. Scenting an opportunity, enterprising hackers managed to alter the company’s website and sent out targeted spam emails asking interested parties to send funds now for the sale. However, instead of buying tokens, the money (in the virtual currency known as Ethereum) went into the criminals’ own wallets.

According to TechCrunch, the spam targeted 9,000 users that were part of an Enigma mailing list. The gambit managed to take in enough of them to net around $500,000, the outlet reported—even though Enigma had previously said it wouldn’t collect funding until next month.

“Cryptocurrencies are one of the more lucrative targets for account hijackers,” Phil Tully, principal data scientist at ZeroFOX, told Infosecurity. “They’re decentralized, making it hard to recover any losses; they’re pseudonymous, making real-world attribution difficult; and they’re irreversible, rendering it impossible to recover losses after attacks like scams and ransomware delivery. For these reasons, among others, cryptocurrencies have blossomed into hackers’ and scammers’ preferred method of payment, especially in the realms of DDoS and ransomware.”

In the case of the Enigma breach, social channels like Slack provided access to a key demographic of digitally-connected people who are most interested in getting into the booming crypto game, but who also lack the specialized expertise necessary to tell a legitimate from an illegitimate offer.

As for how the attackers gained access to Enigma’s accounts in the first place, “attackers compromised accounts through ‘credential stuffing,’ which relies on victims using weak or overlapping passwords among multiple digital accounts,” said Tully. “When attackers discover a password that was dumped as part of a previous third-party breach, they can pivot and try to use the same password or slight variations of it to log into a victim’s other associated digital accounts.”

To mitigate credential stuffing attacks, Tully advised that users should always enable multi-factor authentication on all social and digital accounts, check to see if accounts have ever been compromised in a large-scale data breach by using a service like https://haveibeenpwned.com, be wary of too-good-to-be-true offers, especially when they involve sending cryptocurrency payments, and be vigilant when engaging with the social media accounts of legitimate cryptocurrency brokers or trading platforms, as they are frequently victims of convincing impersonations.

Source: Information Security Magazine

Ropemaker Allows Attackers to Change the Content of an Email—After It's Delivered

A new email exploit, dubbed Ropemaker, allows a malicious actor to edit the content in an email—after it’s been delivered to the recipient and made it through the necessary filters.

For instance, an attacker could swap a benign URL with a malicious one in an email already delivered to an inbox, or edit any text in the body of an email whenever they want—all without direct access to that inbox.

First uncovered by Mimecast’s research team, a successful exploit could even undermine those that use S/MIME or PGP for signing.

“The origin of Ropemaker lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML,” explained Matthew Gardiner, a spokesperson at Mimecast, in a blog. “While the use of these web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.”

He added, “Ropemaker could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.”

Brian Robison, senior director of security technology at Cylance, said that there are aspects of the threat that are not necessarily new, but should nonetheless be on the radar for any organization.

“This advisory simply highlights the fact that if you receive an email with a URL embedded into that HTML email, an attacker COULD change the actual destination of that URL to be something not intended,” he explained via email. “Modern email applications render HTML as if it were a webpage using CSS to make the email ‘look’ nice. This is currently standard practice within every legitimate marketing organization in the world.”

He added, “Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank’s website; then the button is actually linked to a different site entirely—like badbank dot com, or something where you are tricked into clicking on that link and exposing your credentials on the fake banking site.”

The technique will work on most popular email clients and online email services. Fortunately, Mimecast has yet to see Ropemaker exploited in the wild.

Source: Information Security Magazine
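
A gateway-side check for the condition the Ropemaker article above describes, as an added example (not code from Mimecast or from the article): it assumes, following Mimecast's public description of the technique, that the stylesheet is fetched from a remote server when the message is rendered, and it flags HTML parts that reference one. The message, addresses and hostnames below are constructed.

```python
"""Flag HTML e-mail parts that load CSS from a remote server (added example)."""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Absolute or protocol-relative URL, i.e. fetched from a server at render time.
REMOTE = re.compile(r"^(?:https?:)?//", re.I)
# Matches: @import "x";   @import url(x);   @import url("x");
CSS_IMPORT = re.compile(r"@import\s+(?:url\(\s*)?[\"']?([^\"')\s;]+)", re.I)


class _CssRefs(HTMLParser):
    """Collect stylesheet references from <link> tags and <style> blocks."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []            # list of (kind, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self.refs.append(("link", a.get("href", "").strip()))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.refs += [("import", u) for u in CSS_IMPORT.findall(data)]


def remote_css_refs(raw: bytes):
    """Return [(part_index, kind, url)] for each remotely hosted stylesheet."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for i, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        parser = _CssRefs()
        parser.feed(part.get_content())   # decoded per the part's charset
        parser.close()                    # flush any buffered <style> data
        findings += [(i, k, u) for k, u in parser.refs if REMOTE.match(u)]
    return findings


# Constructed sample: one remote <link>, one remote @import, one local <style>.
SAMPLE = b"""\
From: billing@example.com
To: user@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See the HTML part.
--b1
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://css.example.net/mail.css">
<style>@import url("//css.example.net/extra.css"); p { color: #333 }</style>
<style>.local { display: none }</style>
</head><body><p>Your invoice is ready.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for part_index, kind, url in remote_css_refs(SAMPLE):
        print(f"part {part_index}: remote stylesheet via {kind}: {url}")
```

A hit is not proof of abuse; it marks mail whose rendered content can still change after delivery, which is the property a filter that scans only at delivery time cannot see.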

Records Leaked for 25 Footballers Using Banned Substances in 2010 World Cup

A hacking team calling themselves the Fancy Bears (and which may or may not be affiliated with a similarly named APT group) has continued the tradition of leaking private documents that detail athletes’ use of potentially performance-enhancing drugs.

In this case, the group has published the records of 25 football players—including ex-Premier League players Carlos Tevez, Dirk Kuyt and Gabriel Heinze—that were awarded therapeutic use exemptions (TUEs) during the 2010 FIFA World Cup in South Africa.

Fancy Bears also said that it has proof that 160 players failed drug testing in 2015, including for cocaine and ecstasy.

To be clear—the 25 players who have been compromised have done nothing wrong. TUEs are exemptions given to athletes to use banned substances in very limited situations: The athlete has to show that he or she would suffer significant health problems without taking it; and that there is no reasonable therapeutic alternative.

As the US Anti-Doping Agency explained, “The TUE application process is thorough and designed to balance the need to provide athletes access to critical medication while protecting the rights of clean athletes to compete on a level playing field.”

Tevez and Heinze, for example, used betamethasone – a corticosteroid used to treat everything from joint inflammation and arthritis to asthma and Crohn’s disease; while Kuyt used dexamethasone to combat tooth pain.

The leak echoes previous releases of stolen documents by the Russian APT group known as Fancy Bear (aka APT28). While it’s unclear if Fancy Bears has any relationship with the singular Fancy Bear, the strategies are similar.

In 2016 Fancy Bear released documents from the World Anti-Doping Agency (WADA), with confidential medical information for US Olympic gymnastics star Simone Biles as well as Serena Williams, among others. The docs suggest Biles has ADHD and takes medication for that, and that Williams was treated with corticosteroids for injuries.

The group—well known for APT activities around the world including the US election-season hacking last year—claimed responsibility for the hack of a WADA database. WADA at the time said the hack was likely in revenge for its decision to recommend that the International Olympic Committee ban all Russian athletes at the Rio Games.

Recorded Future’s research arm Insikt Group had the below to say on the attack:

“Previous Fancy Bear dumps were almost always retaliatory and in response to sanctions from various international sports organizations,” said Recorded Future’s research arm Insikt Group, in a statement. “When the Russian athletic team was banned from participating in World Athletics Championships in London, embarrassing IAAF doping reports about major Western athletes were made public. As international pressure on Russia intensifies, with open calls to strip Russia of the World Cup in 2018 and the recent FIFA investigation into suspected prohibited substance abuse of the national soccer team, today's release was almost guaranteed to surface.”

While it’s safe to assume the release of this information has been done for politically motivated reasons, such data being released means they could have had access to players' medical records, added Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, via email: “It is therefore not such a gigantic leap to assume that other private information about these individuals could also be accessed, compromised, and leveraged for more financially sensitive information. Additionally, this attack could be chained with something like spear phishing attacks to further target individuals.”

Source: Information Security Magazine

90% of Orgs Record Exploits for Vulnerabilities More than Three Years Old

A new report from Fortinet has revealed that, in Q2 2017, 90% of organizations recorded exploits for vulnerabilities that were three or more years old. Even after 10 or more years following a flaw’s release, 60% of companies still experienced related attacks, the firm discovered.

“This is highly concerning,” Richard Absalom, senior analyst at Information Security Forum, told Infosecurity. “Organizations are still not getting to grips with well-known vulnerabilities and taking basic steps (e.g. patching) to reduce them. A number of factors might cause such slow reactions: from infosec departments being under-resourced, to organizations running old systems that would need to be temporarily shut down in order to be patched.”

Fortinet also claimed that poor security hygiene and risky application usage are enabling cyber-criminals to carry out destructive worm-like attacks that take advantage of exploits at record speed, with adversaries spending less time developing ways to break in. Instead they are focusing on leveraging automated and intent-based tools to infiltrate with more impact to business continuity.

In fact, almost 44% of all exploit attempts occurred on either Saturday or Sunday, showing that automated threats do not take weekends or nights off.

“Newer worm-like capabilities spread infections at a rapid pace and can scale more easily across platforms or vectors,” said Phil Quade, chief information security officer, Fortinet. “Intent-based security approaches that leverage the power of automation and integration are critical to combat this new ‘normal’.”

“You don’t need to look very far into the past to see the impact of a worm attack,” added Absalom. “NotPetya caused severe disruption to operations in many organizations, bringing some to almost a complete halt. For a lot of organizations, it took weeks to recover – some are still dealing with the impact, close to two months since the malware was released.”

Source: Information Security Magazine

DDoS Attacks on the Rise Again: Akamai

DDoS attacks rose again in Q2 for the first time in almost a year as the black hats returned to tried-and-tested tools and techniques including PBot, Mirai and Domain Generation Algorithms (DGA), according to Akamai.

The cloud delivery provider crunched data collected from over 230,000 servers in more than 1600 networks to compile its State of the Internet/Security Report for Q2 2017.

It revealed a 28% increase in the volume of DDoS attacks since Q1, following three straight quarters of decline.

Attackers appear to be more determined than ever, with victim organizations being hit on average 32 times over the period. One gaming firm was hit a whopping 558 times in Q2, the report revealed.

To launch such attacks, DDoS-ers are returning to some old favorites, including PBot malware which allowed them to build a mini-botnet capable of launching a 75Gbps attack, the largest recorded in the quarter.

Domain Generation Algorithms were first introduced back in 2008 with Conficker, but are still being commonly used in C&C infrastructure by DDoS-ers today, according to Akamai. This is because the technique allows them to generate an endless number of random domain names, confounding white hat efforts to capture them.

Finally, the report revealed that Mirai is now being used frequently in “pay for play” attacks, as a DDoS service-for-hire.

“Attackers are constantly probing for weaknesses in the defenses of enterprises, and the more common, the more effective a vulnerability is, the more energy and resources hackers will devote to it,” said Martin McKeay, Akamai senior security advocate.

“Events like the Mirai botnet, the exploitation used by WannaCry and Petya, the continued rise of SQLi attacks and the re-emergence of PBot all illustrate how attackers will not only migrate to new tools but also return to old tools that have previously proven highly effective.”

Egypt came out of nowhere to become the biggest source of DDoS attack traffic (32%), with the UK dropping from second place in the past two quarters to a position out of the top five.

However, UK firms were on the receiving end of a huge number of web application attacks during the period: 32.6 million. This is still some way behind the number one target: US firms were hit by over 122 million attacks.

In total, web app attacks increased 5% quarter-on-quarter and 28% year-on-year, with SQLi attacks accounting for more than half (51%).

Source: Information Security Magazine

Experts: Bots Could Herald Third Revolution in Warfare

A group of world-renowned AI and robotics specialists has urged the UN to prevent these technologies being repurposed into autonomous weapons, as new research from IOActive claims current industrial and commercial robots could already be considered a major insider threat.

The open letter includes signatories such as Tesla founder Elon Musk and cautions that “lethal autonomous weapons threaten to become the third revolution in warfare.”

It continues:

“Once developed, they will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend. These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways. We do not have long to act. Once this Pandora’s box is opened, it will be hard to close. We therefore implore the High Contracting Parties to find a way to protect us all from these dangers.”

IOActive principal security consultant, Lucas Apa, told Infosecurity that it’s not just robots in the defense industry that people should be worried about, but the ones in homes and factories.

That’s because the research firm has just released an update to research released earlier this year which discovered around 50 vulnerabilities in six of the biggest robotics manufacturers, including SoftBank Robotics, UBTech and Universal Robots.

These could be exploited to steal sensitive corporate information, spy on users or even launch physical attacks.

Some of the vulnerabilities discovered included data sent unencrypted; no, or easy-to-bypass, authentication; insufficient authorization to protect key functionality; weak cryptography; weak default configurations and weak open source frameworks and libraries.

So-called “cobots” built by Universal Robots could be hacked remotely to bypass in-built safety features, causing potentially fatal harm to their human colleagues on the factory floor.

Those used in the home or in commercial environments like SoftBank’s popular Pepper robot, could be hacked to do the same, said IOActive.

In fact, Pepper, of which tens of thousands of units have been sold worldwide, could also be hacked to capture and leak audio and video. This is what IOActive means when it describes robots as the next potential 'insider threat'.

“Companies, IT teams and end-users should be aware of the possible risks and threats robots can introduce if they are insecure. On top of this knowledge, education on security comes second for everyone in their organization, with training not only for engineers and developers, but also for executives and all others involved in product decisions,” explained Apa.

“Developers, engineers and product managers should learn at least the foundations of security best practices, and adapt them to their development life-cycle. Furthermore, vendors should have a clear communication channel for reporting security issues and handling reports. We expect more security research to be done in the future in this field, so they should get ready.”

Source: Information Security Magazine

Attacks on the Cloud Increase by 300%

The number of attacks on cloud-based accounts has increased by 300%, according to Microsoft’s Security and Intelligence report.

It claimed that consumer and enterprise Microsoft accounts are a tempting target for attackers, and the frequency and sophistication of attacks on cloud-based accounts are accelerating. “The Identity Security and Protection team has seen a 300% increase in user accounts attacked over the past year,” it said, claiming that a large majority of these compromises are the result of weak, guessable passwords and poor password management, followed by targeted phishing attacks and breaches of third-party services.

Elsewhere, the number of Microsoft account sign-ins attempted from malicious IP addresses increased by 44% in Q1 of 2017 compared with Q1 of 2016. “Security policy based on risk-based conditional access, including comparing the requesting device’s IP address to a set of known ‘trusted IP addresses’ or ‘trusted devices’, may help reduce risk of credential abuse and misuse,” the report advised.

Oliver Pinson-Roxburgh, EMEA director at Alert Logic said: “There are a number of sophisticated attacks that rely on new detection capabilities most organizations do not have today and they are increasing as organizations get better at security best practices.”

In the recent Alert Logic Cloud Security report for 2017, it claimed that it saw close to 37% more incidents in on-premise data centers, leaving each public cloud deployment to withstand just over (on average) around 400 incidents in the 18-month period covered by this report. “Even lower incident rates do not necessarily translate to lower risk—especially when, as is increasingly more common, businesses rely on the public cloud to handle their highest-value assets,” he said.

James Clegg, VP EMEA at FireMon, said: “Attacks on cloud providers are the easy way into hybrid cloud enterprises who are struggling with the complexity of controlling security across all domains and security vendors. Just relying on the encryption from your SD-WAN vendor does not assure the journey.”

Source: Information Security Magazine

UK Charities Exposed to Cyber-Attack, Says Government

Many of the UK’s charities lack awareness of and resources to address cyber-threats, despite being as vulnerable to attack as private sector businesses, according to a new government report.

The Cyber security among charities report is based on qualitative research into the UK’s third sector.

Unsurprisingly it revealed that awareness of cyber-threats can be lacking and often left to the outsourced IT provider to deal with.

There’s a perception in the sector that businesses are actually more at risk from attack, despite many charities holding sensitive information on donors.

Part of the issue here is that many such organizations don’t have the resources to fund a permanent IT security expert in-house, with responsibility in some cases handed to CEOs and even finance staff.

Cybersecurity training is rarely given to staff and volunteers as the perception is it’s too expensive and difficult to arrange given the large number of remote workers. Cyber-insurance is also largely eschewed in the industry because of financial pressures, the report claimed.

Although many charities are concerned with the loss of sensitive information associated with donors or service users, the loss of non-personal data apparently causes fewer sleepless nights.

This is despite the fact that the research uncovered several examples of non-personal data loss where the charities involved “incurred a sizeable financial cost” from the breach, although the experience of such an incident is more likely to spur them on to taking action, it claimed.

It concluded:

“There is a need for basic awareness raising among staff and trustees, and upskilling of those responsible for cyber security – so they know the basic technical controls they can put in place. It may also help to disseminate government information and support via the organizations with which charities already have established relationships, such as the Charity Commission. Finally, making use of private sector expertise among trustees may also help individuals within charities to champion the issue.”

The government backed its Cyber Essentials scheme and the National Cyber Security Centre’s 10 Steps to Cyber Security guide as good places to start in helping organizations get a baseline of best practice security in place.

Helen Stephenson, CEO of the Charity Commission for England and Wales, also promoted the organization’s Charities Against Fraud website.

“Charities have lots of competing priorities but the potential damage of a cyber-attack is too serious to ignore,” she added. “It can result in the loss of funds or sensitive data, affect a charity’s ability to help those in need, and damage its precious reputation. Charities need to do more to educate their staff about this threat and ensure they dedicate enough time and resources to improving cybersecurity.”

Source: Information Security Magazine

UK Boards Untrained and Unprepared for Cyber-Threats

UK boardrooms are woefully unprepared to cope with cyber-threats, with only 2% of the UK’s largest firms offering comprehensive training to their executives, according to a new government report.

The Cyber Governance Health Check analyzes the state of security in FTSE 350 firms.

It found that although cyber-risk has been elevated to the top of the list in over half (54%) of organizations, much higher than the 2014 figure of 29%, training remained a challenge.

Over two-thirds (68%) of boardrooms polled claimed that they’ve not received any training to deal with a cyber incident, while 10% don’t even have an incident response plan in place.

What’s more, 46% of boards still don’t review or challenge any reports on the security of customer data. Although that figure has fallen by 15% from the previous study, it’s still a worryingly high proportion, given the coming GDPR.

In fact, only 6% of firms said they’re completely prepared for the sweeping new privacy legislation from Brussels, which will come into force in May 2018.

The right to erasure (right to be forgotten) is causing the biggest compliance headaches (45%).

In addition, less than a third (31%) of boards receive comprehensive management information related to cyber-risk, and just over half (57%) said they have a clear understanding of the potential impact of loss of, or disruption to, key info and data assets.

Rob Wilkinson, corporate security specialist at Smoothwall, argued that boardroom education on cyber-risk is vital given that most incidents occur through human error on the part of employees.

“Security is an issue that must be taken seriously by each and every company; whether you’re an SME as part of a wider supply chain, a large telecoms company or even an electricity firm, no company is immune to a hack or breach,” he added.

“In this vein, ensuring a strong security culture is instilled throughout the workforce is crucial to making sure staff are constantly vigilant and aware of the threats. If the top brass don’t pay attention to these threats, it’s not going to set a good example for the rest of the business’ employees.”

Source: Information Security Magazine