Archive for January 2019

Consumers Terrified After Hackers Worm into Nests

Multiple consumers have reported being terrified after hackers infiltrated the Nest cameras in their homes, with one malicious actor making claims of a North Korean missile threat, according to CBS News.

California resident Laura Lyons reported that malicious actors gained control of her Nest security camera, which belted out a terrifying emergency alert warning them to find shelter because three missiles from North Korea were headed to the US.

Another family in South King County, Washington, reported a hacker gained access to their Nest security camera and verbally assaulted the mother and children, according to K5 News.

What consumers might not understand, though, is that it’s not vulnerabilities that are causing this. “It is the reuse of existing passwords that have already been exposed in previous attacks,” said Laurence Pitt, security strategy director, Juniper Networks.

“If people want to keep these important devices safe, they need to use strong and unique passwords at a minimum, and make the investment in a password management tool (1Password, my favorite, or LastPass, for example). This can help to create strong passwords and then stores them in a safe place so that there’s no need to try and remember them all,” Pitt said.

In a prepared statement shared with Infosecurity, Nest confirmed that there indeed was no vulnerability or breach. “These recent reports are based on customers using compromised passwords [exposed through breaches on other websites]. In nearly all cases, two-factor verification eliminates this type of security risk.

“We take security in the home extremely seriously, and we’re actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”
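The mitigation Nest describes, rejecting passwords already exposed in other breaches, can be built into any account service. The following is an added illustration written for this article, not Nest’s or Google’s code. It uses the k-anonymity pattern popularised by breached-password lookup services: only the first five characters of the password’s SHA-1 hash leave the client, and the server returns every suffix it knows for that prefix. The breach corpus, its counts and the `range_lookup` endpoint are constructed stand-ins so the example runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus (hypothetical counts): passwords that appeared in
# earlier breaches at other sites. A real deployment would consult a breached-
# password feed; it is embedded here so the example runs without network access.
BREACHED_PASSWORDS = {
    "password": 3730471,
    "123456": 23174662,
    "qwerty": 3912816,
    "letmein": 236583,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form k-anonymity range lookups are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index the corpus the way a range endpoint serves it: 5-char prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix: str) -> dict:
    """Stand-in for the remote range endpoint (assumed API, not a real service).
    Only the 5-character prefix is ever sent, so the server never learns the password."""
    return RANGE_INDEX.get(prefix, {})


def breach_count(password: str) -> int:
    """How many times the password appeared in known breaches (0 if never)."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def check_password(password: str, min_len: int = 12):
    """Policy used at signup or password change: reject known-breached passwords first,
    then apply a length floor. Returns (accepted, reason)."""
    n = breach_count(password)
    if n:
        return False, f"seen in {n} prior breaches"
    if len(password) < min_len:
        return False, f"too short ({len(password)} < {min_len})"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

Rejecting reused credentials at enrolment addresses the failure mode in these incidents, since credential stuffing only works when the password in the stolen dump still opens the account; a second factor, as Nest notes, closes the remaining gap for passwords that leak after enrolment.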

News of the hacks has raised questions about who is responsible for the security of in-home connected devices. “Consumers will need to rethink how much of a security risk they’re willing to take in exchange for the convenience of a connected device, appliance, or car,” said Pat Ciavolella, digital security and operations director for The Media Trust.

“The problem with consumers, as I see it, is understanding the security vs. convenience trade-off. It’s a tough choice for companies to make: potentially frustrate a customer by forcing them to do a password reset or allowing the customer to have convenience at the expense of their privacy and/or security,” said Lisa Plaggemier, chief evangelist, InfoSec Institute.

“Consumers are very quick, it seems, to choose convenience. Even when consumers exhibit bad security habits that make them vulnerable (in this case, using the same password on multiple accounts), when something goes wrong, the consumer blames the device provider.

“Bottom line: If more companies would adopt the measures Google is putting in place (forcing password resets, and preventing breached credentials from being reused), I think consumers would start to accept it as 'normal' instead of an inconvenience.”

Source: Information Security Magazine

More Money, More Worries About Cyber Risk

Executives at financial services companies are increasingly concerned about risks, but as technology becomes more integrated in managing financials, more executives say that cybersecurity is increasingly becoming the most important type of risk, according to a new Deloitte survey, Global Risk Management Survey, 11th Edition.

When asked which risk types would grow in importance over the next two years, 67% of financial services executives named cybersecurity, according to the report, up from 41% in 2016.

Despite identifying the increased risk from cyber, approximately half of the respondents said their companies are extremely effective or very effective at managing this risk. Broken down by category, 58% of respondents rated their organizations as effective at managing disruptive attacks, 57% at managing financial losses or fraud, 54% at managing cybersecurity risks from customers and loss of sensitive data, and 53% at managing destructive attacks.

When asked about managing risks from nation-state attacks, though, only 37% of financial services executives felt their institutions were effective.

Still, the study reflected a continued growth in cybersecurity risk awareness, with only 31% of respondents saying it is a challenge to "get the businesses to understand their role in cybersecurity risk," down from 47%.

The concerns are not unwarranted, particularly given the news that more than 24 million banking and financial records were left exposed. Protecting the financial services sector from increasing cybersecurity risks is one reason banks, fintech companies, data aggregators and others have joined a nonprofit by FS-ISAC with the goal of creating and supporting a unified API standard that allows consumers and businesses to share data with greater confidence and control.

“Balancing financial innovation with the critical need for data security is one of the main reasons we created the Financial Data Exchange (FDX),” said Don Cardinal, managing director of FDX. “This is the first time the industry has come together to fund a single standard that secures financial data sharing.”

Source: Information Security Magazine

Targeted Attacks Abusing Google Cloud Platform

Google Cloud Platform (GCP) services have been targeted by a newly discovered malware campaign delivering malware via PDF file decoys, according to Netskope Threat Research Labs.

Attackers are reportedly using the Google Cloud App Engine platform to deliver malware with PDF decoys, identified as PDF_Phish.Gen, and GCP URLs that redirect victims to malicious payloads. The research conducted by the team verified evidence of these attacks targeting governments and financial firms worldwide, with multiple decoys possibly linked to the Cobalt Strike advanced persistent threat (APT) group.

The team reportedly detected several targeted attacks, predominantly in the banking and finance sector, all of which arrived as email message (.eml) files and triggered alerts under the same detection name.

“This targeted attack is more convincing than the traditional attacks because the decoy deceives the victim with a Google App Engine URL which is abused to redirect the victim to the malware. As the payload seems to be originating from a trusted source, the chance of falling victim to such attacks is very likely,” researchers wrote.

Though PDF readers typically warn users about the potential security risk of a document that connects to a website, researchers said, “Once 'remember this action for this site' is checked for a domain, this feature allows any URL within the domain without any prompt.” Leveraging this default option allows the attacker to successfully execute multiple attacks without triggering the security alert.

Each of the files used in the attack reportedly downloaded Microsoft Word documents with obfuscated macro code or PDF documents as the second-stage payload.

“The PDF decoy detected in our customer instances downloaded a word document named 'Doc102018.doc' containing obfuscated macro code…On execution, the victim is presented with a message to enable editing and content mode to view the document,” the report said.

The research suggests that continued adoption of the platform will create an increased cyber-attack surface where hackers can target the infrastructure.

Source: Information Security Magazine

Sneaky Malvertisers Target Apple Users with Hidden Malware

Security researchers have warned of a new malvertising campaign using steganography techniques to target Apple users.

The VeryMal group has run multiple campaigns since August 2018, attempting to redirect users to the veryield-malyst domain, according to Confiant security engineer, Eliya Stein.

As many as five million users may have been subject to the most recent campaign, which used steganography to hide the payload from security tools.

“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” explained Stein.

“The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

In this case the campaign is designed to drop a trojan known as Shlayer, an adware installer which uses “an atypical installation routine” in a bid to evade detection.

VeryMal campaigns are typically only active for a few days, in this case from January 11-13 on two top-tier exchanges representing around a quarter of the top 100 publisher sites, Stein added.

US-based Mac and iOS customers are the target for VeryMal.

The practice of steganography, in this case hiding JavaScript malware inside an image file, has become increasingly popular of late, according to Stein.

This could be costing the ad industry dearly. Confiant calculated the financial impact of just one day of this campaign at over $1.2m — factoring in publishers losing money from interrupted user sessions and increased use of ad blockers by disgruntled users in the future.

Ad exchanges also lose out from having inventory access cut off, and advertisers suffer ad fraud from infected devices, not to mention users with infected machines, explained Stein.

Confiant detected and blocked over 191,000 impressions across its publisher customers for this campaign, whilst a further two in December apparently yielded over 437,000 impressions.

Source: Information Security Magazine

Scamming the Scammers: How a Security Biz Tricked Social Media Phishers

A UK-based cybersecurity vendor has detailed how it turned the tables on an angler phishing operation posing as Virgin Media support on Twitter.

This particular type of phishing attack is a relatively new tactic. It involves the scammer registering fake Twitter accounts that masquerade as legitimate customer support and then monitoring the real support accounts for irate customer messages.

They then jump in quickly to exploit the customer’s frustration and the immediacy of Twitter to send messages back to those customers, typically loaded with malicious links.

This is what happened to a member of the team at pen-testing firm Fidus Information Security when they complained to Virgin Media via Twitter.

After receiving replies from the official account and a legitimate-looking fake they decided to have some fun.

First, they attempted to test how gullible the scammers were, providing a fake name (Wade Wilson, aka comic book character Deadpool) and address (Savile Row police station).

The scammers subsequently requested card details linked to the Virgin Media account, to which Fidus replied with a set of test credit card details.

After the card didn’t authorize for the scammers, they tried to persuade their ‘victim’ into handing over details for another card. At the same time, the security vendor was in turn trying to trick them into clicking on a link to a site hosted by the company, to expose their IP address.

In the end the firm faked a screenshot of an AmEx fraud alert SMS featuring its own phishing link requesting that the user click to verify their card details.

That appears to have been enough to phish the phishers.

“After sending a fake SMS message we received a click on our web server. At this point the game was up as the IP linked back to our website and we never received a reply back,” the vendor explained.

“We reported this all back to Twitter, who’ve since suspended the account, and Police in the UK in the hope some action can be taken against those responsible.”

Source: Information Security Magazine

HPE Targets Girl Scouts for Next-Gen White Hats

A new cybersecurity curriculum targeting junior Girl Scouts aged 9-11 aims to shift the image of the young girls in green from cookie distributors to cyber defenders, according to news from Hewlett Packard Enterprise (HPE).

HPE has teamed up with the Girl Scouts to launch a cybersecurity education program specifically for young girls to learn and test out their cyber savvy using a newly debuted interactive online game. The game is dubbed Cyber Squad, and the program is initially being rolled out with Girl Scouts of Nation’s Capital, in counties throughout Washington D.C., Maryland and Northern Virginia.

The narrative game was custom-designed specifically for the Girl Scouts pro bono by HPE’s women in cybersecurity group. Cyber Squad takes players through mock scenarios and simulates the consequences of both risky and safe online behaviors.

At a time when 86% of girls engage in online chats unbeknownst to their parents, this new educational tool is critical to keeping young women safe online. Given that 69% of teens regularly receive electronic exchanges from strangers and don’t share that information with their parents, they are becoming increasingly vulnerable to negative online behaviors and privacy risks. In fact, according to HPE’s press release, 27% of young people willingly agree to in-person meetings with someone they have only met online.

“Kids are becoming more mobile, networked and connected, but this also comes with alarming risks and dangers. Making basic cybersecurity awareness at a young age is imperative, and as fundamental as safety skills in the physical world, like learning how to cross the street,” said HPE chief information security officer Liz Joyce in a press release.

“As someone who tackles cyber risks and crime by day and goes home to a young daughter at night, I know just how critical this education is. Through this collaboration, we hope to arm Girl Scouts with the cybersecurity literacy and knowledge they need to be savvy, secure and safe online, and to empower them to be good digital citizens.”

To address the growing concerns of online behavior and communication, the curriculum will cover four crucial areas, including personal information and digital footprint, online safety, privacy and security, and cyber-bullying.

Those Girl Scouts who complete the game and a corresponding curriculum (taught via troops) will earn an embroidered patch for their uniforms certifying their newfound knowledge. The curriculum and game are intended to foster cyber and STEM smarts in fun and relatable way.

Source: Information Security Magazine

UK Public: Drones Are National Security Risk

The British public is dead-set against the use of drones, with the vast majority believing that they represent a national security risk and that cyber experts must do more to mitigate the threat from above.

Think tank Parliament Street polled 2000 members of the public to compile its latest report, Drones 4 U.

It appears as if recent incidents at two London airports have had a major impact on the public perception of unmanned aerial vehicles (UAVs).

Three-quarters (75%) believe them to be a national security threat, with only 2% disagreeing, according to the report.

Over a third (38%) said they want to see drones banned altogether, but a larger number (83%) backed a mandatory licensing system for owners similar to firearm regulations.

The vast majority (83%) of those surveyed also believe the UK is failing to keep up with the threat of developments in drone technology, and a similar number (84%) want cyber experts to do more to help during serious incidents.

Drones flying over Gatwick Airport caused chaos last month as both runways were forced to close, leading to an estimated 800 cancelled flights affecting 120,000 passengers over several days. The incident was a much worse repeat of a 2017 closure of the same airport due to UAVs when a runway was shut for 14 minutes.

A similar problem hit Heathrow Airport earlier this month.

Such incidents are becoming increasingly frequent. According to Parliament Street, drones have flown dangerously close to passenger aircraft in the airspace around Gatwick at least five times over the past four years.

There are also concerns over drones potentially being hijacked by hackers and used to cause incidents like the ones above.

PwC warned last year that GPS receivers are a major weakness in civilian drones as they’re dependent largely on unencrypted signals.

“Without secure authentication mechanisms, location spoofing is possible. The internal measurement units rely on data from other sensors on the drone and measure direction of travel — if they are fed incorrect information, the drone’s course or altitude could be altered,” it added in a blog post.

“Another potential vulnerability is the functionality to configure a drone to ignore communications from the ground during flight. This is meant to be a safety control, but it could be attractive to threat actors looking to cause harm … it is important that end-to-end security is employed to secure any drone-enabled service.”

Source: Information Security Magazine

Modular “Anatova” Ransomware Resists Analysis

Security researchers are warning of a newly discovered and highly sophisticated strain of modular ransomware featuring special capabilities to resist analysis.

Dubbed “Anatova” by McAfee, the malware has been detected across the globe, in the US, UK, Russia, Italy, Sweden and beyond. It was discovered in a private P2P network, using a game or application icon to trick users into downloading it.

Compiled on January 1 this year, Anatova is believed to have been created by “skilled malware authors.”

Each sample analyzed by McAfee had its own unique key, a rarity in the ransomware world, and featured strong protection against static analysis.

Most strings are encrypted, using different keys to decrypt them, and 90% of calls are dynamic and use only standard Windows APIs and C programming, the vendor claimed. The malware also initiates a memory cleaning procedure if it comes across one of a list of usernames commonly used by virtual machines/sandboxes.

Files are encrypted via Salsa20 and the malware will also hunt down any files on network shares, with 10 DASH coins ($700) demanded in return for decryption.

“Finally, when all steps are completed, the ransomware will follow the flow of cleaning code…mainly to prevent dumping memory code that could assist in creating a decryption tool,” McAfee explained.

The ransomware is modular in architecture, leading to speculation that its authors could package these capabilities up with information-stealing or other functionality to improve the chances of monetizing attacks.

The findings highlight the fact that ransomware remains a major threat to organizations, despite more publicity being focused on crypto-mining in 2018.

Earlier this month the Texan city of Del Rio warned that it had been hit by a major ransomware-related outage.

Europol last year warned that ransomware would be a top threat to businesses for years to come.

Source: Information Security Magazine

Google Under Investigation for Another Alleged GDPR Breach

Google is under investigation in Sweden over alleged breaches of the GDPR, just days after it was issued with a major €50m fine in France.

Swedish regulator Datainspektionen revealed earlier this week that it launched the investigation into collection of Android users’ location data, after receiving a complaint from the Sveriges Konsumenter (Swedish Consumer Association) linked to allegations in an earlier report by Forbrukerrådet (the Norwegian Consumer Council).

“In summary, the complainant holds that the way Google provides itself access to the location data of users of its mobile operative system Android by ways of its so called ‘Location History’ and ‘Web & App Activity’ is in breach of the GDPR,” the authority said.

“According to the complainant, the report by Forbrukerrådet states that Google use deceptive design, misleading information and repeated pushing to manipulate users into allowing constant tracking of their movements. In essence, the complainant holds that the processing of location data in this way is unlawful and that Google is in violation of Articles 5, 6, 7, 12, 13 and 25 of the GDPR.”

A supervisory letter sent to the web giant requests more information and answers to a series of questions by February 1.

Specifically, it wants to know the total number of Swedes who have had location data slurped through the services and how many data points are gathered on average per individual, broken down for every hour of the day.

It asks for privacy policies, data impact assessments and records of processing activities, and wants to know the legal basis for processing, why data is being collected, and when and how consumers are notified, among other details.

The investigation highlights the continued scrutiny of firms under the GDPR. Although we have yet to hear about a major investigation undertaken due to concerns over data security, one is surely not far away as the regulators begin to flex their muscles.

Source: Information Security Magazine

Another Bank Found in Elasticsearch Database Leaks

What was reported earlier this week as only two Elasticsearch database misconfigurations that left millions of bets and thousands of personal records exposed has evolved into a trove of disclosures involving more than 24 million banking and financial records at several organizations, including Bancolombia, according to security researcher Bob Diachenko.

As the week has progressed, Diachenko has revealed the names of different organizations that were part of his Elasticsearch discovery, including Citi and Ascension, a data and analytics company. Today, Diachenko has revealed his exchange with yet another company, Bancolombia, whose database misconfigurations left records exposed.

In an email to Infosecurity, Diachenko wrote:

To discover data breaches, leakages, and vulnerabilities on the Internet, we at SecurityDiscovery.com use public search engines only, such as Shodan, Censys etc. When we find a public database (data that’s fully accessible to anyone without any restrictions) we collect several digital samples for further analysis. If these samples contain any kind of private and sensitive data, we employ a Responsible Disclosure model to privately communicate the findings with data owners (the company or organization that left the information publicly accessible) and help them implement specific security safeguards to protect their private data.

On Nov 29th I identified an unprotected Elasticsearch cluster, available for public access, via the Shodan engine. It took me some time before I analyzed the data and noted that almost all payment information (credit card details) was related to Bancolombia, so I decided it would be the quickest possible solution to prevent this data from being stolen and report the incident directly to bank authorities.

Shortly after I contacted Bancolombia, the instance was secured (Nov. 30) and on the next day I was contacted by a representative of the company that managed the data, Waumovil, who thanked me for the heads up and said that “unfortunately we had some open ports that I was not aware of”.

In an attempt to get ahead of what has been dispersed on social media, Bancolombia responded to Diachenko, asserting that none of its systems had been compromised but that the information was “stolen at trade,” according to a translation of the statement.

"We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers. The public configuration allows the possibility of cyber-criminals to manage the entire system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains," Diachenko said.

"Although the company reacted fast to secure their data it is unclear how long it may have been publicly available or who else might have accessed the files. Data privacy and data protection laws like GDPR are a good first step but companies and charities need to be proactive when it comes to data protection." 
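The root cause in these disclosures is an Elasticsearch node bound to a public interface with no authentication on its REST API. The following is an added example, not code from Diachenko, Bancolombia or Elastic: a small audit that reads an `elasticsearch.yml`-style configuration and flags the two settings that together produce the exposed-cluster condition. `network.host` and `xpack.security.enabled` are real Elasticsearch settings; the two sample configurations are constructed for the example, and the parser handles only flat `key: value` lines (an assumption that holds for the common single-node config but not for every YAML construct).

```python
# Added example: audit an elasticsearch.yml for the exposed-cluster pattern.
# Constructed sample configurations; the weak one reproduces the condition the
# article describes (publicly reachable, no authentication).
WEAK_CONFIG = """
cluster.name: payments-analytics
network.host: 0.0.0.0          # bound to every interface
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: payments-analytics
network.host: 127.0.0.1        # loopback only; front it with a firewall or VPN if remote clients need it
http.port: 9200
xpack.security.enabled: true   # require credentials on the REST API
"""

# Values of network.host that keep the node off the public network.
LOOPBACK_HOSTS = {"", "127.0.0.1", "localhost", "_local_", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse flat 'key: value' lines, dropping comments and blank lines.
    Assumption: no nested mappings or lists, which is true of a typical minimal config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_config(text: str) -> list:
    """Return a list of findings; an empty list means neither exposure condition is present."""
    settings = parse_flat_yaml(text)
    findings = []

    # Elasticsearch defaults network.host to loopback, so a missing key is safe here.
    host = settings.get("network.host", "")
    if host not in LOOPBACK_HOSTS:
        findings.append(
            f"network.host={host!r}: node is reachable beyond loopback; "
            "restrict to an internal interface and firewall port 9200"
        )

    # Without X-Pack security every caller has full read, write and admin rights.
    # (Availability of the security module depends on version and licence.)
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(
            "xpack.security.enabled is not true: REST API accepts unauthenticated requests"
        )

    if len(findings) == 2:
        findings.append(
            "CRITICAL: externally reachable AND unauthenticated, the combination behind "
            "the public cluster exposures reported above"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_elasticsearch_config(cfg) or ["no findings"])
```

The check is deliberately conservative: enabling authentication alone still leaves port 9200 answering on the internet, and binding to loopback alone still lets anyone on the host or network segment act as an administrator, so the audit reports each condition separately and escalates only when both are present.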

Source: Information Security Magazine