Archive for April 2018

USB in Locked PC Triggers Denial-of-Service Attack

The latest news from Bitdefender researcher Marius Tivadar – that a vulnerability in the way Windows handles NTFS file system image can trigger a blue screen of death – is not surprising. Fixes to blue screen errors in issues associated with NTFS.SYS have been released in the past.

Tivadar published his proof-of-concept (PoC) code on GitHub, in which he was able to execute the denial-of-service (DoS) attack by using a handcrafted NTFS image. The attack “can be driven from user mode, limited user account or Administrator,” wrote Tivadar. “It can even crash the system if it is in locked state.”

Stored on a USB thumb drive that was inserted in a Windows PC, the NTFS image crashed the system within seconds. It’s worth noting that the PoC is not malware but a malformed NTFS file. 

In July 2017, Tivadar reported the DoS attack to Microsoft and included the forged 10MB NTFS image that would crash Windows 7 and Windows 10 systems. He also included a PoC video.

Addressing the impact of the issue, Tivadar wrote, “Auto-play is activated by default, this leads to automatically crashing the system when usb is inserted. Even with auto-play disabled, system will crash when the file is accessed.” 

The researcher reported that he strongly believed the behavior should be changed in large part because of the alarming discovery that an attacker could insert the USB stick and cause the system to crash while the computer is locked. 

“Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine,” Tivadar wrote. 

Despite his plea, the final email response he received said, “Your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level (issuing a security patch).”

At the time the vulnerability was disclosed, Microsoft said it did not want to assign a CVE to it, according to Tivadar. It did, however, write, “Your attempt to responsibly disclose a potential security issue is appreciated and we hope you continue to do so.” And apparently Microsoft has come around and is reported to have issued a fix for the Windows 10 vulnerability. 

Source: Information Security Magazine

WebLogic Server Patch Needs a New Fix

Patching doesn’t always resolve security issues. Attackers have found a bypass around the newly released but faulty patch for an Oracle WebLogic flaw, and hackers are again able to exploit the vulnerability.

The April 2018 Critical Patch Update, which contained 254 new security fixes, included a patch for the Oracle WebLogic Server flaw (CVE-2018-2628), which affected versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (Fusion Middleware) Java EE application server. 

However, The Hacker News reported today that a Chinese security researcher, who claims to be part of the Alibaba security team, discovered a workaround so that the WebLogic vulnerability can again be exploited, allowing attackers to gain complete control of a vulnerable server.

“Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 can be bypassed easily,” the researcher tweeted.

Given that the proof-of-concept exploit was previously published on Github, bypassing the patch is rather easy for skilled hackers to figure out, particularly when they are sharing information on social media. 

Currently there is no evidence of servers being hacked with this vulnerability, but Oracle WebLogic Server has been known to be targeted by malicious actors. With a reported surge in activity with this disclosed vulnerability, users should block port 7001 to mitigate an attack. 

In January, SANS Technology Institute reported that attackers were leveraging a web application server flaw (CVE-2017-10271) that Oracle claimed to have patched. Chinese security researcher Lian Zhang published proof-of-concept (PoC) exploits in December 2017. 

When vulnerabilities are disclosed, companies often rush to release a fix before the flaw can be exploited in the wild. This newly discovered faulty patch suggests that rushing to release an update doesn’t do much to fix the problem. 

The news should not prevent users from installing the April patch update because attackers continue to scan the internet for vulnerable servers. Infosecurity Magazine attempted to reach Oracle but it declined comment.

Source: Information Security Magazine

Jordan Hamlett Jailed for Attempts to Access Trump Tax Returns

White hat hackers should exercise caution when deciding whose information they choose to tinker with while researching security flaws. While many Americans and security researchers alike do want to see the tax returns of President Trump, few would risk going to jail to get their hands on the documents.

But to jail private investigator Jordan Hamlett will go. Last week the Sunset, Louisiana, native was convicted for false representation of a social security number. In addition to being ordered to pay $14,794.96 in restitution to the U.S. Department of Education, Hamlett has been sentenced to 18 months in federal prison, with an additional two years of supervised release.

In September 2016, Hamlett, who has a history of reporting security flaws, attempted to use the president’s social security number to file a Free Application for Federal Student Aid (FAFSA), a crime to which he pleaded guilty in December 2017. The charges had many in the security industry concerned about the limitations of what ethical hackers were permitted to do within the confines of the law. 

Federal law enforcement agencies argue that Hamlett committed a serious crime when he used a data retrieval tool of the IRS and made six unsuccessful attempts to access the president’s federal tax information, though the accused said he had no intention to deceive.

In a memo submitted to the U.S. District Court's Middle District of Louisiana on October 26, 2017, Hamlett's attorney wrote, "Hamlett attempted to call the IRS and provide notice of his belief that the FAFSA Data Retrieval Tool contained major vulnerabilities…[and] investigative resources of the federal Government have been unable to produce one shred of evidence that Hamlett was intending to do anything other than his stated intent."

Forbes Magazine reported that after Hamlett had pleaded guilty, “the DRT was made unavailable on student financial aid websites, fafsa.gov and StudentLoans.gov. At the time, the IRS noted that it was working to resolve a security issue but 'the online data tool will be unavailable for several weeks.'"

The case involved several federal agencies, from the FBI to the Department of Education, all of whom agree that Hamlett’s sentencing underscores the severity of the crime and that serious crimes beget hefty consequences. U.S. Attorney Brandon J. Fremin said the sentence “should send a strong signal to those who would misuse the identities of others.” 

“Attempts to obtain federal tax information of any American through fraudulent or deceptive practices by illegally using personal identifying information will not be tolerated," Fremin said. "Every American up to and including the President of the United States should enjoy a certain level of comfort knowing that his personal identifying information is not being used for illicit purposes." 

FBI Special-Agent-in-Charge Eric J. Rommal said, “The FBI will vigorously investigate criminals who exploit government information systems using others’ personally identifiable information, in full cooperation with our law enforcement stakeholders."

Source: Information Security Magazine

NHS Gets £150m Cyber-Spending Boost

The NHS is set to receive a £150m cash injection to fund improved cybersecurity, including a new deal to upgrade all health and care organizations to Windows 10.

The government announcement over the weekend claimed the three-year funding plan would help the health service respond more quickly to threats and allow local trusts to spot and isolate attacks before they have a chance to spread.

The NHS was famously decimated by the WannaCry ransomware campaign last May: an estimated 19,000 operations and appointments were cancelled, 34% of England trusts suffered disruption, and a further 603 primary care and other NHS organizations, including 595 GP practices, were infected.

The upgrade to Windows 10 will at least make systems more resilient to such threats, although it was a lack of prompt patching that is thought to have exposed many of the NHS endpoints that became infected last year; something an upgrade to a new OS wouldn't necessarily help. 

"The NHS is signalling that an inherently more secure operating system is less risk than a less secure O/S, running next generation endpoint security," said Lastline director of threat intelligence, Andy Norton. "Of course it does not address the problem of legacy apps that won't run on Windows 10. Nor does it solve the user case of WannaCry; Windows 10 was still vulnerable."

The government claimed it would be funding a new NHS Digital Security Operations Centre to improve incident detection, prevention and response.

Also included in the £150m plan are: £21 million to upgrade firewalls and network infrastructure at major trauma center hospitals and ambulance trusts, £39m to fix “infrastructure weaknesses” at NHS trusts and new powers assigned to the Care Quality Commission to inspect trusts on their cybersecurity capabilities.

Health and care organizations will be required to implement a new toolkit of 10 best practice security standards and the government will also fund a text messaging alert system to ensure trusts have access to accurate information in the event that internet and email services go down.

“We know cyber-attacks are a growing threat, so it is vital our health and care organizations have secure systems which patients trust,” said health secretary, Jeremy Hunt. “This new technology will ensure the NHS can use the latest and most resilient software available — something the public rightly expect.”

NHS Digital CEO Sarah Wilkinson welcomed the extra cash.

“The new Windows Operating System has a range of advanced security and identity protection features that will help us to keep NHS systems and data safe from attack,” she added. “This is one of a suite of measures we are deploying to protect the service from cyber-attack.”

The move comes a fortnight after MPs demanded the government move faster to agree on its spending plans for cybersecurity in the health service.

The Public Accounts Committee gave it a June deadline to come up with an estimate on costs.

Source: Information Security Magazine

NATO Triumphs in Locked Shields Cyber Defense Exercise

A team from NATO has won the annual Locked Shields cyber-defense exercise, the largest of its kind in the world comprising experts from 30 nations.

The international “live fire” exercise invited over 1000 technical experts and decision makers from NATO and EU countries to practice the defense of complex IT networks in the face of simulated cyber-attacks.

“The exercise serves as a valuable platform for senior decision-makers to practice the co-ordination required to address complex cyber-incidents, both internally and internationally. In the strategic game of Locked Shields, Blue Teams had to determine at what level the information should be shared, who has the authority to make a decision and give guidelines, what are the potential legal implications,” explained Michael Widmann, chief of NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) Strategy Branch.

“Overall the exercise was a success. Teams coordinated in a complex and dynamic environment and addressed key issues necessary to endure intense cyber-attack.”

This is the first time NATO entered a team comprising members of different agencies, so if nothing else the exercise illustrated the strength of the military alliance.

This year’s scenario dealt with attacks on critical infrastructure, with a focus on the need to improve collaboration between technical experts, civil and military participants and decision-makers, according to NATO.

“The exercise involved around 4000 virtualized systems and more than 2500 attacks altogether. In addition to keeping up more than 150 complex IT systems per team, the Blue Teams had to be efficient in reporting incidents, executing strategic decisions and solving forensic, legal and media challenges,” explained Aare Reintam, project manager of technical exercises at CCDCOE.

“Protection of critical infrastructure is essential for ensuring the efficient operation of both military and civilian organizations, it is the foundation of our modern digital lifestyle.”

The focus on CNI is particularly timely given increased activity from Russian state hackers, which both the National Cyber Security Centre (NCSC) and US authorities have issued alerts on.

Source: Information Security Magazine

PyRo Mine Malware Uses NSA Tool to Collect Monero

Attackers are known to leverage any means available to go after cryptocurrencies, and Fortinet researchers reported this week that hackers are using a new crypto-mining malware they are calling PyRo Mine to quietly collect Monero.

The Python-based malware uses an NSA exploit to spread to Windows machines while also disabling security software and allowing the exfiltration of unencrypted data. It also configures the Windows Remote Management Service, which leaves the machine vulnerable to future attacks.

"Researchers have discovered malware authors using the ETERNALBLUE exploit in cryptocurrency mining malware, such as Adylkuzz, Smominru, and WannaMine. PyRo Mine uses the ETERNALROMANCE exploit," wrote Fortinet security researcher Jasper Manuel in his blog.

The malicious URL serves a downloadable zip file compiled with PyInstaller, which is dangerous because PyInstaller packages Python programs into a stand-alone executable, so the attacker does not need Python installed on the victim machine to run the program.

“Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven’t patched or don’t pay attention to when we are downloading/clicking,” said chief security architect at ACALVIO, Chris Roberts.

The combined attack techniques Manuel discovered in analyzing the scripts and packages let the malicious actor stay hidden while deploying additional attack vectors. Because they don’t make a lot of noise, they can go unnoticed for longer periods of time.

“Looking at the script, I realized that the code was copied from the ETERNALROMANCE implementation found on the exploit database website, with a few modifications to fit its need. This malware gets the local IP addresses to find the local subnet(s), then iterates through all the IPs of these subnets to execute the payload,” said Manuel.

After the attacker successfully accesses the system, they can start mining for Monero, most likely chosen “because it is designed to mine common CPUs present in every laptop and desktop where most crypto-mining relies on expensive GPUs,” said Chris Morales, head of security analytics at Vectra.

Though not widely spread as of yet, those who have not patched these known vulnerabilities remain potential targets as experts expect to see more of these types of attacks in the future.

Source: Information Security Magazine

Security Pros Support Data Collection Regulations

While most security professionals believe that government officials lack a real understanding of the threats to digital privacy, they overwhelmingly agree that governments should regulate the way social media companies collect user data.

At last week’s RSA Conference, more than 500 security professionals participated in a Venafi survey that asked myriad questions about what governments should and shouldn’t be able to regulate. The survey revealed surprising results about how industry professionals view the role of government in cybersecurity and privacy. Despite Mark Zuckerberg’s statement when he testified before the US Senate that Facebook was a force for good, not everyone agrees with the social media giant’s CEO.

Dr. Andrea C. Simmons, owner and director of i3GRC, wrote in a recent blog post, “To imagine that the big tech companies have 'got it right,' that they are adequately securing our data and responsibly managing them, would be, frankly, foolhardy. They are all driven by profit and the requirement to meet the needs of their shareholders."

Survey participants must share that sentiment, as 70% agreed that it is the role of the government to protect user privacy through regulating the collection of personal data by social media companies.

However, 72% don’t believe that their government officials have a sound conception of the actual threats that impact user privacy. Additionally, 74% said that their government lacked an understanding of the wider cyber-threat landscape.

“These results are disturbing,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “While security professionals agree that government officials do not understand the nuances of social media and digital privacy, they’re still looking to them to regulate the technology that permeates our daily lives.”

When it comes to regulating backdoors and encryption, the numbers dropped, though the results remain significant. Nearly half (45%) of the respondents believe governments should be able to impose encryption backdoors on private companies.

Bocek expressed concern over the number of security professionals that believe encryption backdoors are a viable security solution. “There is no question that they will undermine our global economy and make digital communication much more vulnerable. Any backdoor will be extremely lucrative, so cybercriminals will spend an enormous amount of effort to steal one. And once a backdoor is leaked, it’s certain to be available to the highest bidders on the dark web.”

Source: Information Security Magazine

UK SMBs Urged to Test Cyber-Resilience

The National Cyber Security Centre (NCSC) is backing a new campaign designed to help SMBs measure their resilience to cyber-attack.

The Would You Be Ready? campaign is being managed by Prince of Wales charity Business in the Community and launched to coincide with Responsible Business Week 2018.

It poses a series of online questions to SMB owners designed to test their response to a fictional cyber-attack, flood or large scale civil unrest.

SMBs comprise over 99% of all businesses in the UK, employing 16 million people, or 60% of the private sector.

However, nearly half (43%) claim they have no business continuity, disaster recovery or crisis management plans in place, despite more than two-fifths (43%) suffering at least one cyber security breach or attack over the past 12 months, according to the latest government figures out this week.

“We know that cybersecurity can feel daunting for SMEs, but the good news is that by following some simple, quick and low-cost steps you can shield your business from most online attacks. Having strong passwords, backing up data and taking steps to avoid phishing attacks should be as second nature to a small firm as cashing up or locking the doors at night,” explained NCSC director for engagement, Alison Whitney.

“Whether you own a bakery, a building firm or you sell products online, by taking the Would You Be Ready? resilience test and following our advice you can avoid the common cyber-attacks that can cost your time, money and reputation.”

That advice comes in the form of the NCSC’s Small Business Guide on cybersecurity, which includes tips on backing-up, protecting against malware and phishing, keeping mobile devices safe and password management best practices.

“SMEs are the backbone of the UK economy, and the impact that an issue or crisis could have on a small or medium business is significant, with potentially life-changing consequences for owners and employees, as well as having a negative effect on the economy,” argued BITC resilience director, Joey Tabone.

“We are urging SME owners across the UK to take the test and use BITC’s free advice to scrutinize their own business practices to ensure they’re protected against future incidents that could put their business, and their livelihoods, in jeopardy.”

Source: Information Security Magazine

#BSidesScot: Understand the Move from Consultant to Client

Doing security is easy, but there can be some specific challenges in a large corporate company.

Delivering the opening keynote at BSides Scotland in Glasgow, CISO Paul Midian said that doing security can be easy generally, but for it to “be a thing in a large corporate is different”. He claimed that the “blindingly obvious is overlooked” and in his previous positions as a penetration tester and a consultant he overlooked them.

These included getting budget and knowing what to do with it. Midian said that when you figure out what you want to do and what it costs, you need money to do it.

“When I started, a large part of the security budget sat in IT so I had to take money away from them and this creates the wrong type of friction as their budget is compressed anyway.”

Having got the budget, you then need to procure, and Midian claimed that this is “particularly difficult” when dealing with procurement, who will need to compare against other available products for the best price. It is particularly hard when you want to buy a piece of technology from a small start-up with no competitors.

In terms of people, Midian said that this was one of the biggest changes from consulting to client work: on the consultant side it is relatively easy, as the review is about keeping the client happy, while on the client side there is not a common set of drivers, and security risk is just one more thing the board is managing.

He also said that articulating what you want to do is pretty critical, and as he does not work for a security company, “99% of people forget about security within 24 hours and that is why I reiterate why culture is critical.”

“I am a believer in humans being the cause of every security problem and humans attack us and security is fundamental,” he said. “I learnt that getting stuff done is hard, as the business does do dumb things.”

Pointing at some common questions he gets asked about cybersecurity, he detailed these as the key reasons people state for not doing security, but that things were getting better:

  • We have to keep the business running
  • This will make us a bunch of incremental revenue
  • The CEO has asked for this personally
  • We’ve done it that way before

He concluded by looking at other issues, such as how fast vulnerabilities are fixed, and how he was looking to start an agile approach to inject pace into the process and not have issues “caught in queues”.

He also encouraged understanding of how pen tests happen on the client side, and to know your client and understand when their busy cycles are.

Midian concluded by saying: “The role of the CISO is to represent security to the business and the business to security.”

Source: Information Security Magazine

Introducing the New, Refined NIST Version 1.1

Lauded as a successful and flexible Cybersecurity Framework, the National Institute of Standards and Technology (NIST) framework has been widely adopted by industries across both the private and public sector. Today, NIST will host a public webcast explaining the updates released by the US Commerce Department, NIST Version 1.1.

Since its inception, countless organizations have used the tool to manage their cyber risk, many of whom have shared their perspective on how NIST has enabled them to bring stakeholders together to manage risk. “According to Gartner, the framework is now used by 30% of US organizations and is projected to reach 50% by 2020,” said Nozomi Networks president and CEO Edgard Capdevielle.

Infrastructure giants from Bank of America, U.S. Bank and Pacific Gas and Electric, as well as Intel, Apple, AIG, QVC, Walgreens and Kaiser Permanente, are among those who have applied the existing framework. Countries across the globe from Italy to Israel and Uruguay have either adopted NIST or established their own version of the frameworks.

According to Capdevielle, “The updates to authentication and identity, self-assessing cybersecurity risk and management and vulnerability disclosure will help encourage broader adoption of the Cybersecurity Framework and cultivate a culture of innovation through transparency that the industrial and cybersecurity community could definitely use more of.”

The evolution of the threat landscape and of the technologies that put today’s digital enterprise at risk demanded that the framework be revisited. This update refines, clarifies and enhances Version 1.0, said Matt Barrett, program manager for the Cybersecurity Framework.

“It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things,” Barrett said.

As an example of the positive impact NIST has across industries, the Transportation Security Administration (TSA) has released an update to its Pipeline Security Guidelines that was directly influenced by NIST’s framework.

Additional events on the NIST calendar this year include a Cybersecurity Risk Management Conference in Baltimore, Maryland, this fall. Those looking for additional guidance on the new framework can find helpful information on the Cybersecurity Framework website.

Source: Information Security Magazine