
Archive for October 2017

Apple FaceID Confidence Runs High

Apple’s latest biometrics push, facial recognition for iPhone, is seen by most to be a trustworthy authentication mechanism, despite it not yet being released into the market.

The results of a survey conducted by Secret Double Octopus found that, among 522 employees of medium and large enterprises, 81% of respondents perceive FaceID as trustworthy, and 91% think it will be easy to use.

The survey, which focused on preferred authentication methods and password usage, found that 73% of employees surveyed said they prefer FaceID to passwords if given the choice, with 70% categorizing FaceID as ‘extremely or very trustworthy’—results from a technology they have never actually used.

Apple’s TouchID, deployed on iPhone 6 and iPhone 7, is the leading alternative to passwords, with respondents ranking it first in all three survey parameters: ease of use, trust and preference.

“We initiated this survey because we wanted to look past the hype to really understand what people think about the authentication methods they are required to navigate daily—anything from passwords, tokens and SMS to TouchID,” said Raz Rafaeli, CEO of Secret Double Octopus. “We also wanted to know what people are expecting from new authentication alternatives, specifically FaceID. The results demonstrate the need for organizations to seriously consider the impact FaceID will have on their security environment and explore how they can leverage the technology both as a second-factor authentication measure, as well as a way to replace passwords altogether, because that is where we are headed.”

The survey also revealed ongoing concerns around password use. Even though 91% of companies have a policy for password strength (longer passwords and frequent replacements, for example), the survey found that many employees are not adhering to even the most basic protections, exposing themselves and their organizations to an increased chance of malicious activity. About a quarter (23%) of employees surveyed say they rely on paper notes to remember their passwords. Further, 14% have shared their work passwords with colleagues or other people; 21% of employees use work-related passwords for non-work related online services; and 5% of employees admit they have entered their work-related passwords into fraudulent forms or web pages.

These findings are notable given the results of a survey of the hacking community, which found that facial recognition was rated the worst tool for authentication by a fifth of respondents, six times more often than fingerprint authentication.

Source: Information Security Magazine

Only a Third of US Office Workers Know What Ransomware Is

The threat of ransomware is growing exponentially, yet only a third of US office workers know what it is.

Intermedia’s latest 2017 Data Vulnerability Report, which surveyed 1,000 US knowledge workers, found that even with the increased publicity and impact of global ransomware attacks like WannaCry and Petya, and emerging strains such as BadRabbit, awareness still lags behind. This is not for lack of effort among companies though, with 70% of office workers saying their organization regularly communicates about cyber threats and nearly one-third (30%) saying their organization specifically highlighted the WannaCry ransomware attack as an example.

The stakes are significant: The study shows that the average amount paid in ransom among office workers now stands at approximately $1,400.

Interestingly, the report found that employees shoulder costs of ransomware payments more often than employers: Of the office workers that have fallen victim to a ransomware attack at work, the majority (59%) paid the ransom personally, and 37% said their employers paid. About 68% of impacted owners and executive management said they personally paid a work-related ransom.

Also, more than 73% of impacted Millennial workers, often viewed as the most computer-savvy group of employees, report paying.

“Our latest report shows that, even in the face of increasing attacks, there are large gaps in overall awareness of how to handle a ransomware strike,” said Jonathan Levine, CTO at Intermedia. “Employees are willing to go to great lengths to try to get data back, including paying ransoms out of their own pockets, even though 19% of the time the data isn’t released even after the ransom is paid.”

SMBs are particularly vulnerable to ransomware attacks, the study uncovered.

“As ransomware continues to evolve and become more advanced, organizations of all sizes and types must acknowledge it as a very real threat,” Levine continued. “This is especially true for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect themselves from such attacks. Ransomware can infiltrate and shut down an entire business through just one infected computer. More often than not, SMBs feel they are forced to pay a ransom they can’t, but must, afford. And hackers realize this.”

Source: Information Security Magazine

CryptoShuffler Trojan Sucks Cash from Wide Range of Crypto-Wallets

The CryptoShuffler Trojan is siphoning funds from cryptocurrency wallets, targeting a wide range of the most popular cryptocurrencies, including Bitcoin, Ethereum, Zcash, Dash, Monero and others.

Uncovered by Kaspersky Lab, the bad code steals cryptocurrencies from a wallet by replacing the user’s legitimate address with its own in the device’s clipboard. To date, criminals have already succeeded in lucratively attacking Bitcoin wallets, stealing equivalent to almost $140,000. The total amounts stolen from other wallets range from a few dollars to several thousands.

“Clipboard hijacking attacks like this have been previously seen in the wild, targeting online payment systems; however, experts believe cases involving a cryptocurrency host address are currently rare,” researchers said.

CryptoShuffler’s mechanism is simple yet effective, capitalizing on the common transaction process used by most cryptocurrency users: They copy a recipient’s wallet ID and paste it into the “destination address” line in the software they are using to make their transaction. The trojan simply monitors the infected device’s clipboard and replaces the copied wallet address with one owned by the malware creator. When the user pastes the wallet ID into the destination address line, it is therefore no longer the address they originally intended to send money to, and as a result the victim transfers their money directly to criminals.

“CryptoShuffler’s ability to replace a destination literally takes milliseconds because it’s so simple to search for wallet addresses—the majority of cryptocurrency wallet addresses have the same beginning and certain number of characters,” Kaspersky said. “Therefore, intruders can easily create regular codes to replace them.”

To keep crypto savings safe, users should pay close attention during transactions, and always check the wallet number listed in the destination address line against the one they are intending to send coins to. Users should also be aware that there is a difference between an invalid address and an incorrect address: In the first case, the error will be detected and the transaction won't be completed; in the latter, there’s no alert.
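The distinction drawn above between an invalid address and an incorrect one is worth seeing in code. The following is an added example, not code from Kaspersky Lab or from the article: it implements Base58Check decoding as used by Bitcoin-style addresses (the page names Bitcoin among the targeted wallets; the other currencies use different encodings) and classifies a pasted address as valid-and-expected, well-formed-but-different, or malformed. The sample addresses are constructed from made-up payloads for illustration and are not real wallets; the function names are this example's own.

```python
import hashlib

# Base58 alphabet used by Bitcoin-style addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58decode(text: str) -> bytes:
    """Decode Base58 text back to bytes; raises ValueError on a bad character."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not valid Base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    """Build a Base58Check string from a version byte and a 20-byte hash."""
    data = bytes([version]) + payload
    return b58encode(data + checksum(data))


def is_valid_address(addr: str) -> bool:
    """True when addr decodes to version + 20-byte hash + matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return checksum(raw[:21]) == raw[21:]


def classify_paste(intended: str, pasted: str) -> str:
    """
    'invalid'   -> malformed: wallet software rejects it and the transaction fails
    'incorrect' -> well-formed but not the intended address: only a comparison catches it
    'ok'        -> matches the address the user meant to send to
    """
    if not is_valid_address(pasted):
        return "invalid"
    if pasted != intended:
        return "incorrect"
    return "ok"


# Constructed sample data: derived from made-up hash payloads purely for
# illustration; these are not real wallets.
INTENDED_ADDRESS = base58check_encode(0x00, bytes(range(20)))
HIJACKED_ADDRESS = base58check_encode(0x00, bytes([0xAB] * 20))
# A single wrong character breaks the checksum, so this one is 'invalid'.
MISTYPED_ADDRESS = INTENDED_ADDRESS[:-1] + ("2" if INTENDED_ADDRESS[-1] != "2" else "3")

if __name__ == "__main__":
    for label, pasted in [("unchanged", INTENDED_ADDRESS),
                          ("clipboard swapped", HIJACKED_ADDRESS),
                          ("typo", MISTYPED_ADDRESS)]:
        print(f"{label:18s} {pasted}  -> {classify_paste(INTENDED_ADDRESS, pasted)}")
```

The checksum only ever catches corruption: a swapped address written by malware is itself well-formed, so it passes `is_valid_address` and the wallet raises no alert. The only check that detects the swap is comparing the pasted value against the address the user intended, which is exactly the manual verification the paragraph above recommends.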

“Cryptocurrency is not tomorrow's technology anymore. It is becoming part of our daily lives, actively spreading around the world, becoming more available for users, and a more appealing target for criminals,” said Sergey Yunakovsky, malware analyst at Kaspersky Lab. “Lately, we’ve observed an increase in malware attacks targeted at different types of cryptocurrencies, and we expect this trend to continue. So, users considering cryptocurrency investments should think about protecting their investments carefully.”

Source: Information Security Magazine

Code Signing Certs Traded for $1000+ on Darknet

Digital code signing certificates are being traded on the dark web for over $1000, undermining trust in the entire authentication system on which the internet is based, according to new Venafi research.

The cybersecurity vendor teamed up with the Cyber Security Research Institute in a six-month project to peel back the curtain on the shadowy underground markets used to buy and sell illegal goods and services.  

It found code signing certificates available for purchase for up to $1200, making them more expensive than some counterfeit passports, handguns and stolen credit cards.

Attackers can use these certificates to hide the malware used for attacks in encrypted channels, making them highly sought-after.

Venafi chief security strategist, Kevin Bocek, explained that the certs could be sold many times over before losing their value, ensuring they are a major money-maker for cyber-criminals.

He described the research as a “rude awakening” for the system which essentially defines trust on the web.

“With no knowledge of which certificates should really be trusted, IT teams will have to either assume they can’t trust their applications and software, or risk criminals using their certificates to slip past defenses undetected to distribute malware. Neither option is acceptable,” he told Infosecurity.

“The only way organizations can effectively protect themselves is by having complete intelligence and control over every single certificate in use and trusted. But since firms have an average of more than 16,000 certificates they’re unaware of, this is no small feat. This is why it’s so important to automate the discovery, inventory and reputation scoring of every digital certificate, and for every code signing certificate in use, its key must be protected and every use controlled and audited.”

The researchers claim they only scratched the surface of the illegal darknet trade in code signing certificates, explaining they believe TLS, VPN and SSH key and certificate trading is also rife.

Source: Information Security Magazine

EU to Declare Cyber-Attacks “Act of War”

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

The document, said to have been developed as a deterrent to provocations by the likes of Russia and North Korea, will state that member states may respond to online attacks with conventional weapons “in the gravest circumstances.”

The framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.

Security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.

The suspected state-sponsored group known as Dragonfly has also been active of late probing US energy facilities.

That said, definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.

It brings the EU in line with Nato moves in the past establishing cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defense.

That states that an attack on one member is an attack on all 29 allies.

McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.

“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.

Source: Information Security Magazine

Virtual Reality Could Help Close Workforce Gap

About three-quarters of respondents in a recent survey said that virtual reality (VR) tools could be a critical next-gen approach to addressing the cybersecurity workforce gap.

By 2020, a projected 1.8 million cybersecurity jobs will be unfilled, leaving organizations scrambling to think outside of the box when it comes to attracting talent. In a survey from ESG and ProtectWise based on the opinions of 1,000 US-based millennials/post-millennials (the workforce’s newest generation and the next one poised to enter it), 74% said that the presence of VR tools increases their likelihood of pursuing a career in cybersecurity.

Meanwhile, 65% admitted that they haven’t been exposed to cybersecurity in school, and only 9% of 16-24-year-olds said they are interested in pursuing the cybersecurity field at some point in their career. The top reason for this is a general lack of awareness—39% cited a general lack of knowledge about cybersecurity as a career path—both pointing to a massive opportunity for education on cybersecurity as a viable profession.

“Employers are seeking candidates for tier-one analyst roles who have prior security experience, when in reality 87% of cybersecurity workers don’t start in the field,” the report noted. “Employers also want cybersecurity candidates with highly technical skills to which the average student is not exposed, including intrusion detection, attack mitigation and secure software development. Advanced certifications are required for roles that aren’t necessarily advanced, which deters workers who can earn an attractive salary and develop innovative technology in other fields without the burden of earning more credentials.”

The survey also revealed that this younger group is very aware of next-gen technology, and that gamification of the enterprise is something they would welcome. The survey found that 76% play games regularly and have a high affinity for VR tech. About 58% have used/regularly use VR technologies and expect to do so in the future—and are attracted to jobs that incorporate them. Meanwhile, 72% agreed that access to VR/AR in cybersecurity would make them more effective.

“One solution [to the workforce gap] may be to use technologies that capitalize on humans’ natural ability to reason visually and spatially in order to solve critical problems,” the report said. “Immersive technologies incorporating virtual reality (VR), augmented reality (AR) and collaborative gaming principles accomplish this and are being used to problem-solve in other industries—in healthcare to combat obesity, in automobile manufacturing to reduce waste and inefficiency and in the US Army to train recruits. The cybersecurity industry could similarly build solutions that enable fast, effective anomaly detection and remediation based on technologies that do not require highly specialized certifications and education. Doing so could open up the cybersecurity talent pool, particularly among millennials and post-millennials who are avid gamers and have a strong affinity for VR.”

Source: Information Security Magazine

T-Mobile USA Calls Customers to Warn on SIM Hijacking

T-Mobile USA is warning some customers that they could be targeted by hackers looking to hijack their SIM cards.

According to reports, the company has contacted “a few hundred” customers in the last two weeks, in the wake of a website flaw that was initially reported by Vice’s Motherboard. The bug, which was patched October 10, allowed hackers to access customers' email addresses, account numbers and phone IMSIs. Armed with this information, bad actors could impersonate the user to gain access to an account and duplicate the SIM card, gaining control over the phone number. In turn, with control of the phone number, they could intercept SMS codes for two-factor authentication and gain access to bank accounts and the like.

One of the affected T-Mobile customers, Lorenzo Franceschi-Bicchierai, wrote that he got a call from customer service to warn him "of a detected alert" about his personal information.

The bug was reported in early October by Karan Saini, founder of startup Secure7. But it had been exploited since at least August 6, when a black-hat uploaded an exploitation tutorial on YouTube.

Initially, T-Mobile said that there was no indication that customer accounts were affected in any broad way—though clearly that is not the case. However, the carrier now has said the number of affected users is quite low, representing a tiny fraction of its 70 million customers.

“We found that there were a few hundred customers targeted,” a spokesperson told Franceschi-Bicchierai. “We take our customers' privacy very seriously and called all of those customers to inform them that some of their personal data appeared to have been accessed by an unknown third party. We also offered to work with them to ensure their account remains secure.”

Source: Information Security Magazine

'unCAPTCHA' Defeats Google CAPTCHA with 85% Accuracy

unCAPTCHA, an artificial intelligence-based automated system designed at the University of Maryland, can break Google's audio-based reCAPTCHA challenges with an accuracy of 85%.

Google has been working on refining and strengthening reCAPTCHA for years, a Turing test-based methodology for proving that website users aren’t robots, and recently extended it to mobile websites for Android users.

unCAPTCHA, to be fair, doesn’t address what most of us are familiar with: Challenges asking us to read distorted text and type it into a box. Instead, the AI is trained to crack audio challenges, which are offered as an option for people with disabilities.

unCAPTCHA combines free, public, online speech-to-text engines with a phonetic mapping technique. The system downloads the audio challenge, breaks it into several digital audio clips, then runs them through several speech-to-text systems to determine exact and near-homophones, weights the aggregated results by confidence level, and then sends the most probable answer back to Google.

The results of the trial showed that the AI could solve 450 reCAPTCHA challenges with an 85.15% accuracy in 5.42 seconds: That’s less time than it takes to listen to the challenge in the first place.

The research work shows that bad actors don’t need significant resources to mount a successful large-scale attack on the reCAPTCHA system.

“Prior work has generally assumed that attackers against CAPTCHA systems are well-resourced,” the researchers said in a paper. “In particular, the standard threat model involves an attacker who can attack the CAPTCHA tens or hundreds of thousands of times for a relatively small number of successes, and can scale this attack to abuse services.”

They added, “An attacker with many resources can afford a lower success rate, and thus some have argued that even a success rate of 1/10,000 is sufficient to threaten the integrity of services. In our work, we will assume an attacker with limited resources; unlike previous works attacking captchas, our threat model limits the attacker to one computer, one IP address, a small amount of RAM and limited training data (less than 100MB). Therefore, we aim for accuracy benchmarks above 50%, as a low-resource attacker cannot afford a lower percentage of success.”

Source: Information Security Magazine

McAfee Says "No" to Foreign Govt Code Reviews

Security giant McAfee has decided to discontinue a policy of allowing foreign governments to analyze its source code for hidden backdoors.

The policy is seen as an essential step for US and other Western tech firms looking to sell into Russia and other regions, ostensibly intended to allay any security concerns foreign governments may have.

However, it’s increasingly seen as a risk which could actually expose the provider’s software, despite the possibility for such tests to be conducted so that no code is allowed to leave the premises.

McAfee is said to have made the decision after it was spun-off from Intel.

“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” a spokeswoman told Reuters. “This decision is a result of this transition effort.”

McAfee now joins Symantec, which adopted the policy in 2016 amid security fears.

It’s not just the Russian government involved here; a recent Cybersecurity Law passed in China could lead to Beijing demanding code reviews from any “critical information infrastructure” provider wanting to operate in the country.

Again, the government claims such measures are necessary to protect national security, but critics have suggested it could also give agents an opportunity to research their own backdoors.

The value of AV tools as a means for intelligence operatives to monitor targets has been brought to light by the recent showdown between the US government and Russian security firm Kaspersky Lab.

It is claimed Russian intelligence may have used backdoors in its products to spy on and steal info from an NSA contractor.

Kaspersky Lab, by contrast, is moving in the opposite direction from McAfee and Symantec: it has been forced to open up its source code to the US government in a bid to regain trust after Washington banned its products for federal use.

Cesare Garlati, chief security strategist at the non-profit prpl Foundation, argued that all software should be open source, available for scrutiny by all.

“There is consensus in the security community that the so called ‘security through obscurity’ never worked: just look at Windows Microsoft or Adobe Flash if you need proof,” he added.

“Closed source software does not make any software more secure. In fact, it is the exact opposite. All recent high-profile incidents involve reverse engineering of closed source software, identification of vulnerabilities and their systematic exploit.”

Source: Information Security Magazine

UK Government Blames WannaCry on North Korea

The British government has joined the likes of Microsoft and others in blaming North Korea for the devastating WannaCry ransomware attack that hit hundreds of thousands of victims in May, including over a third of NHS trusts in England.

Security minister, Ben Wallace, told BBC Radio 4’s Today program on Friday that the hermit nation “was the state that we believe was involved in this worldwide attack on our systems.

“We can be as sure as possible. I can’t obviously go into the detailed intelligence but it is widely believed in the community and across a number of countries that North Korea had taken this role,” he claimed.

Wallace also claimed North Korea had launched other attacks aimed at stealing foreign currency; potentially a reference to its attacks on Bitcoin exchanges in recent months.

Earlier this month, Microsoft president, Brad Smith, made similar remarks.

“I think at this point that all observers in the know have concluded that WannaCry was caused by North Korea using cyber tools or weapons that were stolen from the National Security Agency in the United States," he told ITV News.

WannaCry caused chaos around the globe when it landed in mid-May. It could have affected many more victims than the 300,000 it hit if it hadn’t been for a “kill switch” discovered by researcher Marcus Hutchins.

In the end, the ransomware managed to compromise many organizations that had failed to patch a known SMB vulnerability for which Microsoft had issued a fix in March.

Scores of them were NHS trusts: 81 to be precise.

WannaCry caused the cancellation of an estimated 19,000 operations and appointments and infected hundreds of primary care and GP practices.

A National Audit Office (NAO) report released last week revealed that systemic failures in the NHS and Department of Health left the health service woefully exposed to the threat.

Source: Information Security Magazine