Archive for October 2018

#ISC2Congress: NOLA a Model of Resiliency for Cyber

In his opening keynote to members attending this year’s (ISC)2 Security Congress in New Orleans, CEO David Shearer talked about the resilience of the city in the aftermath of several hard-hitting natural and human-created disasters, noting, “It’s hard not to be inspired by the resiliency of this region.”

Using New Orleans as a model for resilience, Shearer said, “In my experience resiliency to respond to complex challenges is directly linked to a thorough understanding or a holistic view of the challenges you are likely to face." Shearer also commended the first responders of the region for having a deep understanding of their missions – dealing with bad situations and responding appropriately to the unpredictable. 

Addressing the audience of cybersecurity professionals, Shearer said it is equally important that, like first responders, experts in the industry do not approach their work through fear, uncertainty and doubt. “They plan for it, they drill for it, they are ready for it. It’s ingrained in what they do and who they are. We need to have a similar mentality about the growing threats we face,” Shearer said minutes before introducing Louisiana congressman Cedric Richmond.

Rep. Richmond, who currently serves on the House Committee on Homeland Security and the House Committee on the Judiciary, validated the need for planning and preparation in noting, “This conference comes at a pivotal time in our nation’s history and future. The secretary of Homeland Security recently warned that the next attack the magnitude of 9/11 won’t involve airplanes. It will be a cyber-attack.” 

Systems at all levels are under attack at all times, Richmond said, which has provoked local, state and national conversations about what is needed to protect the economy and preserve the American way of life.  

“First, federal, state and local governments must be structured and funded to properly protect against, investigate and remove malware on their systems and to serve as effective cyber-defense partners with the private sector,” Richmond said. 

Advocating that the industry look to candidates with nontraditional backgrounds, the congressman also said, “We need a robust cybersecurity workforce to support both the private and public sectors.”

Educating the public on good cyber hygiene and building partnerships between the private and public sector will also help to advance the understanding of why cybersecurity matters. “Although we have made progress in these areas, progress has been too slow and too inconsistent. A game plan has to give everyone clear assignments and responsibilities. If people’s assignments aren’t clear, players and bad actors go uncovered. That’s how you lose a game,” Richmond said.

Source: Information Security Magazine

#ISC2Congress: Humans Are No. 1 Attack Target

Before launching into the content of her talk, Enterprise Security Awareness Programs That Work, at the 2018 (ISC)2 Security Congress, Theresa Frommel, acting deputy CISO for the state of Missouri, confronted the elephant in the room, asking the audience, “How many of you are nonbelievers?” 

When asked whether their programs were delivered only annually, many in the room mumbled yes. Frommel also received affirmation from the audience when she asked, “Most of you are not doing repetitive monthly trainings?” 

Many organizations still don’t understand why security awareness training programs matter when they don’t see significant improvements in end user behavior, but Frommel said behaviors can change. 

Missouri consists of 600 municipalities comprising 114 counties that are broken into 30 state agencies across all legislative and judicial branches. Of the 40,000 employees, the state boasts 950 IT staff, of which 20 are in the office of cybersecurity.

Why do companies need effective security awareness programs? Primarily because, Frommel said, 90% of breaches are the result of phishing attacks. 

"In the first quarter of 2018, phishing activity trends were up 46%. More than a third of phishing sites were hosted on sites with HTTPS and SSL certificates, and the number of sites hosting phishing pages rose from 60,000 at the beginning of 2018 to 113,000 in March,” Frommel said adding in a reminder that many of the high profile breaches in the past several years were the result of someone opening a phishing message.

That’s why an effective awareness program needs to understand human behavior, Frommel said. Phishing campaigns are successful because attackers hit the emotion of fear and uncertainty. 

“Sometimes it’s hard to blame the user because they are thinking and asking, ‘Am I expecting an attachment? Do I know this user?’ and the answer is yes,” Frommel said.

In advising the audience on how to mitigate the human risk, Frommel assured, “Human behavior can be changed. Make users another security control, not a security problem. Phishing is no different than any other swindle, but technology can only mitigate email risk to a point. Training should be frequent, brief, targeted and able to change people’s thought processes, which over time, changes the culture.”

Recognizing that technology is only going to go so far, it’s incumbent upon security practitioners to keep encouraging changes in behavior and thought processes. As for Missouri, it deploys 40,000 interactive lessons monthly, each 10-15 minutes in length and focused on a different topic. Additionally, agencies compete against each other through gamification.

Part of successful programs requires that you are able to track results and ensure employee participation, but it’s also critical that you are able to recognize when the content has become stale and be able to adapt to find more engaging material, said Frommel.

Source: Information Security Magazine

US and UK Governments Back Denial of Supermicro Story

The United States and UK authorities have joined Amazon and Apple in contesting a blockbuster story last week that Chinese spies implanted tiny chips onto supply chain components used in the tech giants’ products.

The Bloomberg story, which cites 17 unnamed sources including three at Apple and four US officials, claimed that the microchips were placed onto motherboards in Chinese factories subsequently assembled into servers by Supermicro.

These servers were apparently purchased by Apple, Amazon and around 30 other companies, and also used by the US and UK government — which could have given Beijing unprecedented access to corporate and state secrets.

Now the US Department of Homeland Security (DHS) and the GCHQ arm, the National Cyber Security Centre (NCSC), have both joined Amazon, Apple and Supermicro in denying the claims.

“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” an NCSC statement sent to Reuters explained.

“The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”

A very similar statement was posted by the DHS over the weekend.

“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story,” it noted.

“Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”

Bloomberg is standing by its story, but whether its claims are true or not, they’ve ratcheted up the tensions between the US and China over trade, security and the global supply chain.

Source: Information Security Magazine

Investigation Uncovers 300+ Possible GRU Officers

Russia’s prolific military intelligence service, the GRU, appears to be on the back foot once again after an investigative news site revealed it had managed to uncover the identities of over 300 possible agents.

Bellingcat teamed up with Russian partner site The Insider to dig deeper after the British and Dutch authorities revealed the identities of four alleged GRU officers last week. They claimed the men had traveled to the offices of the Organisation for the Prohibition of Chemical Weapons (OPCW) in April to hack the organization via its Wi-Fi network.

Crucially, the four traveled under their real names using diplomatic passports, with subsequent searches revealing one of the men registered as living at Ulitsa Narodnogo Opolcheniya 50, an address in Moscow where the Military Academy of the Ministry of Defence is apparently located.

Further searches on the names revealed links to a Russian car ownership database where one of the four alleged GRU officers, Alexey Morenets, was registered as owner of a Lada.

This seemingly innocuous detail proved to be a significant discovery.

“The address to which the car was registered, Komsomolsky Prospekt 20, coincides with the address of military unit 26165, described by Dutch and US law enforcement as GRU’s cyber warfare department. The database entry contained Morenets’s passport number,” the report noted.

“By searching for other vehicles registered to the same address, Bellingcat was able to produce a list of 305 individuals who operated cars registered to the same address. The individuals range in age from 27 to 53 years of age.”

Even worse for the Kremlin, the database entries apparently contain full names, passport entries and mobile phone numbers, as well as the street address and military unit number: 26165.

This is the infamous unit which the hackers indicted by the US last week are alleged to be stationed with.

The report claimed that if the 305 individuals are indeed GRU officers, the discovery could be “one of the largest mass breaches of personal data of an intelligence service in recent history.”

It comes after a series of missteps by the Kremlin’s fearsome intelligence apparatus, including the unmasking of two GRU officers who attempted to assassinate a double agent in the English city of Salisbury earlier this year, and the indictment of many more by the US authorities for a series of major cyber-attacks.

Source: Information Security Magazine

Credential-Phishing Attempts Highest on Tuesdays

Credential phishing campaigns, in which high-profile individuals are unwittingly falling victim to malicious actors who are looking to gain access into business systems, have proven to be a successful attack vector. According to a new Menlo Security report, Understanding a Growing Threat: Credential Phishing, credential phishing is a quickly growing cyber-attack and is increasingly becoming the preferred entry point for most attackers.

Bad actors try to steal user credentials by tricking them into using their login information on fraudulent sites. By either hijacking an existing login page or creating a highly sophisticated login website that closely resembles an authentic site, attackers easily gain access to the network.

The most common targets are public agencies and political organizations, and the attacks are often sponsored by nation-state groups, advanced persistent threat (APT) cyber-criminals or hacktivists, according to the report.

“Attackers know very well how to manipulate human nature and emotions to steal or infiltrate what they want. They use email messages that induce fear, a sense of urgency, curiosity, reward and validation, an emotionally charged response by their victims or simply something that is entertaining and a distraction to convince, cajole or concern even seasoned users into opening a phishing email,” the report said.

The research found that the most popular phishing lures across Menlo Security’s customer base were associated with OneDrive, LinkedIn and Office 365 logins. Attackers intentionally leverage these work productivity tools because people rely on them to conduct day to day business exchanges.

Apparently hackers enjoy long weekends, as Friday was reportedly the least popular day for attackers, with only 0.8% of phishing emails being sent out before the weekend. Campaigns start to pick up on Mondays, with 11.3% of URLs distributed. After easing into the week, email disbursements increased to 39.8% on Tuesday. Interestingly, the attack setup and the percentage of phishing URLs sent on different days of the week remained the same across every industry.

Gaining access to corporate networks is only the beginning of a much larger and more destructive attack, and the report found that credential phishing is so effective that threat actors are able to evade generic threat intelligence solutions.

"The difficulty of detecting credential phishing attacks shows that while the TTPs of a credential phishing attack may be simple, the technology needed to detect and protect enterprises and their users from these attacks – and to provide visibility into such attacks – must be intelligent, impenetrable and advanced," the report said.

Source: Information Security Magazine

Fake News Domains Spoof UK News Sites

A security vendor has discovered nearly 200 domains spoofing legitimate UK news sites in order to spread fake news.

DNS security firm DomainTools ran a search on five of the UK’s most popular sites: BBC News, Sky News, ITV News and the websites of the Guardian and the Daily Mail newspapers.

It discovered 197 domains with a high risk score of over 70. These included: bbcnew[.]info; theguarsian[.]com; synews[.]co; ifvnews[.]cn; dailymail[.]cm.

Known as typo-squatting, this tactic typically relies on users mistyping their favorite sites and, in so doing, ending up on the fake version. Also known as URL hijacking, it can be used to generate revenue from pop-up ads, harvest user information, or even to covertly download malware to the victim's machine.

In this case it appears that those behind the registrations are looking to spoof the news sites to peddle fake news.

DomainTools warned internet users to pay more attention to the URLs they’re visiting, by hovering over links to see where they’re being taken to. Sneaking extra letters into a well-known domain, such as Yahooo[.]com and using “rn” to appear like an “m” are common techniques, it claimed.
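A defender-side triage of the lookalike domains named above, as an added example and not DomainTools' own risk scoring: it defangs the bracketed notation, collapses the "rn"-for-"m" trick, and flags extra-letter, one-edit and TLD-swap variants of the five brands. The allowlist, brand labels and edit thresholds are assumptions chosen for illustration.

```python
"""Lookalike-domain triage for the UK news brands in the DomainTools story.

Added example; not DomainTools' scoring model. LEGIT, BRANDS and the
thresholds below are assumptions made for illustration.
"""

# Registered domains treated as legitimate (assumed allowlist).
LEGIT = {"bbc.co.uk", "bbc.com", "news.sky.com", "itv.com",
         "theguardian.com", "dailymail.co.uk", "yahoo.com"}

# Brand labels a squatter would imitate, longest first so "skynews"
# is tried before the bare "sky" (assumed list).
BRANDS = ["theguardian", "dailymail", "skynews", "itvnews",
          "yahoo", "bbc", "sky", "itv"]

# Character pairs that render like another letter in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def defang(domain):
    """Turn the article's bbcnew[.]info notation back into a hostname."""
    return domain.lower().strip().replace("[.]", ".")


def normalize(label):
    """Collapse homoglyph pairs so 'dailyrnail' compares equal to 'dailymail'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, brand) for one candidate domain."""
    host = defang(domain)
    if host in LEGIT:
        return ("legitimate", None)
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    norm = normalize(label)
    for brand in BRANDS:
        if norm == brand:
            # Exact brand label on a domain we do not own: either the
            # label was spelled with homoglyphs or the TLD was swapped.
            return ("homoglyph" if norm != label else "tld-swap", brand)
        # One edit for short brands, two for long ones (assumed thresholds).
        if levenshtein(norm, brand) <= (1 if len(brand) < 8 else 2):
            return ("typo", brand)
    for brand in BRANDS:
        if brand in norm:
            # Brand name padded with extra letters, e.g. bbcnew.
            return ("brand-affix", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # The five domains quoted in the article plus two constructed ones.
    for d in ["bbcnew[.]info", "theguarsian[.]com", "synews[.]co",
              "ifvnews[.]cn", "dailymail[.]cm", "dailyrnail.com", "Yahooo[.]com"]:
        print(d, classify(d))
```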

“These malicious domains are a kind-of double whammy, as they can be both engaged in the spread of fake news and in spreading malicious software,” argued DomainTools director of product management, Tim Helming.

“While malicious software can be damaging for the organization or the individual, fake news has a broader corrosive aspect, as it can damage the very institutions on which our democracies stand. These ideas can polarize and galvanize extreme forces in our country, ultimately ending as a threat to us all, especially where trusted news sources such as the ones above are concerned.”

Some 82% of cybersecurity professionals agree that fake news influenced the US election, according to a survey by the vendor at Black Hat last year. They argued that a combination of proper education (73%), social media filters (46%) and blacklisted websites (29%) could help prevent its spread.

Source: Information Security Magazine

Fin7 Hackers Breached US Chain Burgerville

A regional US fast food chain has become the latest victim of the notorious Fin7 hacking group after a breach of card data involving countless customers.

The FBI informed Pacific Northwest chain Burgerville on August 22 that it had been a target of the group, also known as Carbanak.

It was believed that the attack was a brief one, carried out a year previously, in September 2017. However, further investigation revealed it was still ongoing, with remediation finally completed by the firm on September 30.

Burgerville claimed it still doesn’t know how many customers were affected because the group was “adept at concealing their digital footprints.” However, it warned that anyone who visited a restaurant between September 2017 and 2018 may have had their card data compromised. With over 40 locations, this could amount to a sizeable breach.

Credit and debit card information, including names, card numbers, expiration dates, and the CVV numbers were taken — meaning the details would be relatively easy to monetize on the dark web.

Customers are advised to review card statements for any unusual activity, obtain an annual credit report and consider freezing their credit.

Three alleged members of the Fin7 group were arrested earlier this year and each charged with 26 counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

Experts guessed that the breach was the result of POS malware installed on the Burgerville network.

“What is somewhat surprising is the length of time it took to discover the attack — nearly a whole year,” said AlienVault security advocate Javvad Malik. “This reinforces the need for companies to implement robust monitoring and threat detection capabilities so that any attack or malware can be discovered in a timely manner to reduce the overall exposure.”

Source: Information Security Magazine

GRU Officers Allegedly Hacked Wi-Fi Networks Worldwide

Russian military intelligence officers allegedly travelled in person to the offices of targeted organizations in Switzerland, Brazil, Malaysia and the Netherlands to compromise Wi-Fi networks in a wide-ranging cyber-espionage campaign, it has emerged.

The allegations were made by the US Department of Justice (DoJ) as it indicted seven GRU officers yesterday for computer hacking, wire fraud, aggravated identity theft, and money laundering.

When the officers couldn’t obtain targeted users' log-ins or the hacked accounts didn’t give them the necessary privileged access, they allegedly travelled physically to hack them via Wi-Fi connections, including hotel Wi-Fi networks.

Anti-doping agency WADA, and the Organisation for the Prohibition of Chemical Weapons (OPCW) — which was investigating the Salisbury poisoning and use of chemical weapons in Syria — are said to have been among the targets.

Reports suggest four GRU officers set up hacking equipment in the boot of a car parked in the OPCW’s offices in The Hague.

They are said to have been disrupted by Dutch intelligence officers, who confirmed the equipment had also been used at the Swiss hotel used by the Canadian Centre for Ethics in Sport (CCES) and a hotel in Kuala Lumpur, where investigations were underway into the downing of Malaysia Airlines flight MH17 over Ukraine.

"State-sponsored hacking and disinformation campaigns pose serious threats to our security and to our open society, but the Department of Justice is defending against them," said attorney general Jeff Sessions in a statement.

"Today we are indicting seven GRU officers for multiple felonies each, including the use of hacking to spread the personal information of hundreds of anti-doping officials and athletes as part of an effort to distract from Russia’s state-sponsored doping program.”

Other victim organizations named in the indictment included US nuclear power provider Westinghouse Electric Company, which was targeted with spear phishing attacks.

The US indictments, which are more for PR purposes than anything else as Russia won’t extradite the officers, follow the UK government’s attribution to the GRU of major cyber-attacks against the DNC and WADA, as well as Bad Rabbit.

Source: Information Security Magazine

12.5m Business Email Accounts Accessible via Web

Cybercriminals have found new ways to infiltrate corporate emails, which has resulted in a $12bn cost to businesses over the last five years, according to Digital Shadows. Compromised corporate accounts are commonly traded on the dark web, where criminals stand to earn a pretty penny, particularly if the email accounts are those of employees in accounting or finance departments.

According to the report, researchers detected 33,568 email addresses of finance departments that had been exposed by third parties. Of those, 83% included passwords. On dot-com domains, the research found 18,163 credentials exposed. The report also includes images of exchanges on a special-access dark web forum where a criminal is looking for accounting emails from companies in the US and South Africa.

These financially motivated malicious actors have expanded their attack methods beyond the commonly used, and quite reliable, phishing attacks to include account takeover attacks or simply paying for access. In another forum, a hacker is asking for as little as $150 to break into corporate email accounts, suggesting that cyber-criminals are winning in the digital war on fraud.

With social engineering and email spoofing, they are using more targeted campaigns. All the while, companies are inadvertently making it easier for them to compromise email accounts. In fact, according to the report, entire company email inboxes have been left exposed on the internet, which translates to more than 12 million archived files exposed because of misconfigurations in rsync, FTP, SMB, S3 buckets and NAS drives.

Researchers also discovered sensitive, personal and financial information exposed on 27,000 invoices, 7,000 purchase orders and 21,000 payment records as a result of faulty backups.

“Phishing continues to be a very serious problem associated with business email compromise, but, unfortunately, we discovered that is far from the only risk, especially as barriers to entry for this type of fraud are coming down,” said Rick Holland, CISO at Digital Shadows.

“Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. With the right knowledge it is relatively easy for cyber-criminals to find whole email boxes and accounting credentials – indeed we found criminals actively looking for them.”

Source: Information Security Magazine

DevOps Producing More Insecure Apps Than Ever

Traditional applications continue to introduce risks into the enterprise, and the number of serious vulnerabilities has increased across most sectors, according to WhiteHat Security. The 2018 Application Security Statistics Report: The Evolution of the Secure Software Lifecycle found that in addition to traditional applications, the vulnerabilities in agile development frameworks, micro-services, application programming interfaces (APIs) and cloud architectures also pose security challenges.

While the financial, healthcare and retail sectors have seen some improvements, all major industries struggle with long windows of exposure. When combined with the length of time to fix vulnerabilities, these factors have elevated risk levels beyond those of last year’s report.

“Businesses are transitioning from traditional applications and legacy systems to web and mobile applications that are purpose-built to serve up superior customer experiences,” said Craig Hinkley, CEO of WhiteHat Security. “However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats.”

New applications have become the very foundation of an enterprise’s digital transformation and to add value to their offerings, companies have had to adopt new software development practices. Yet the report findings suggest that businesses are still not building security into the app development lifecycle.

According to the report, nearly 70% of every application is composed of reusable software components. In addition, the top four most likely vulnerabilities – information leakage (45%), content spoofing (40%), cross-site scripting (38%) and insufficient transport layer protection (23%) – have not changed in the past year.

“DevOps is now mainstream, but the adoption of security within the DevOps process is still lagging. Our work to track this trend for the past three years has shown that organizations continue to grapple with an increase in application releases, increased volume and complexity of attacks, and an ever-widening AppSec skills gap,” said Setu Kulkarni, vice president of corporate strategy at WhiteHat Security.

“However, we also find that organizations that successfully embed security into DevOps experience a 50% drop in their production vulnerabilities and that their time to fix improves by 25%.”

Source: Information Security Magazine