
Archive for April 2019

Not Managing Open Source Opens Door for Hackers

Organizations continue to face challenges with managing open source risk, according to a new report published today by Black Duck by Synopsys.

The annual Open Source Security and Risk Analysis (OSSRA) report analyzed anonymized data from more than 1,200 commercial codebases audited in 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase, up from an average of 257 per codebase in 2017.

In addition, more open source vulnerabilities were disclosed in 2018 than in any previous year; in total, more than 16,500 vulnerabilities were reported to the National Vulnerability Database (NVD) that year.

While more than 40% of the codebases contained at least one high-risk open source vulnerability, the report stresses that using open source software is not the problem in itself. The risk comes from failing to identify and manage the security and license obligations attached to the open source components an organization uses, which can lead to significant business impact and brand damage.

“At the end of the day, all software is vulnerable to attack – without exception – and the nature of open source software is to shine a light on the issues it has, leading to increased visibility of bugs, not an increase in bugs,” said Cody Brocious, hacker and head of hacker education at HackerOne.

“The security risk is significantly diminished by increasing visibility. If you’re not using open source components, you’d be using closed source components – either commercially available or hand-rolled – that have just as high of a likelihood of being vulnerable. Except that you just don't know about the bugs, unlike with open source components.

“There are a multitude of tools which can be used to scan your codebase to determine which open source components (and versions) are in use, and check this against various vulnerability databases. Example tools include OWASP Dependency-Check, and commercial tools such as SourceClear and Snyk.”
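The two steps Brocious describes, inventorying components and versions and matching them against a vulnerability database, are shown below in a deliberately small form. This is an added example for this article, not code from Black Duck, HackerOne or any of the tools named; the requirements manifest, the vulnerability database and its EXAMPLE-nnnn identifiers are all constructed, and real tools use full PEP 440 version comparison and live advisory feeds rather than the simplified ordering here.

```python
"""Minimal software-composition-analysis (SCA) check, written as an
illustration for this article. It is not OWASP Dependency-Check, Snyk or
SourceClear; it only shows the two steps those tools automate: inventory
the components and versions a codebase uses, then match them against a
vulnerability database. The manifest and the database below are both
constructed sample data, and the advisory ids are placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed sample manifest (pip requirements format), not from any real project.
SAMPLE_REQUIREMENTS = """
# web stack
flask==0.12.2
requests==2.19.1
pyyaml==5.1
# background jobs, pinned with an extra
celery[redis]==4.1.0
"""

# Constructed vulnerability database. Each entry names a package and the
# affected version range [introduced, fixed). The ids are placeholders.
SAMPLE_VULN_DB = [
    {"id": "EXAMPLE-0001", "package": "flask", "introduced": "0.0", "fixed": "0.12.3", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "requests", "introduced": "2.1.0", "fixed": "2.20.0", "severity": "medium"},
    {"id": "EXAMPLE-0003", "package": "pyyaml", "introduced": "0.0", "fixed": "5.1", "severity": "high"},
    {"id": "EXAMPLE-0004", "package": "celery", "introduced": "4.0.0", "fixed": "4.2.0", "severity": "low"},
]

# name, optional [extras], '==', version
_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.19.1' into (2, 19, 1). Non-numeric suffixes (rc1, b2) are
    stripped so ordering stays numeric; good enough for the example,
    real tools implement PEP 440 comparison."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    # drop trailing zeros so that 5.1 == 5.1.0
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def inventory(requirements_text: str) -> Dict[str, str]:
    """Step 1: list pinned components and versions from a manifest.
    Comments, blank lines and extras ([redis]) are handled; unpinned
    lines are skipped because a range cannot be matched without lockfile data."""
    found = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]
        m = _PIN.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan(requirements_text: str, vuln_db: List[dict]) -> List[dict]:
    """Step 2: match the inventory against the database and report findings."""
    comps = inventory(requirements_text)
    findings = []
    for entry in vuln_db:
        ver = comps.get(entry["package"])
        if ver is not None and is_affected(ver, entry["introduced"], entry["fixed"]):
            findings.append({"package": entry["package"], "version": ver,
                             "id": entry["id"], "severity": entry["severity"],
                             "fixed_in": entry["fixed"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUIREMENTS, SAMPLE_VULN_DB):
        print(f"{f['severity']:6} {f['package']}=={f['version']}  {f['id']}  fixed in {f['fixed_in']}")
```

Run against the constructed manifest, the scan reports flask, requests and celery and leaves pyyaml alone, because 5.1 is the version in which the sample advisory says the issue was fixed; the half-open range is what makes that boundary case come out right.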

Source: Information Security Magazine

Data Dispersion Yields More Off-Prem Risk

The vast majority (84%) of global organizations host critical or sensitive assets with third-party vendors, according to a comprehensive study published by The Cyentia Institute and commissioned by RiskRecon.

The study analyzed the third- and fourth-party cyber risks of 18,000 organizations across 200 countries and found that the average firm has 22 internet-facing hosts, while some maintain more than 100,000 hosts. “That matters because protecting a large internet presence is a different ballgame than protecting a tiny one, regardless of any other factors,” the report said.

Additional findings revealed that 27% of companies host their assets with at least 10 external providers. Overall, 65% of internet-facing hosts sit on a netblock owned by an external entity, and 57% of firms use hosts in more than one country.

The growth of data dispersion has been enabled by the cloud, yet global companies are starting to see that putting sensitive enterprise and consumer data in the hands of external players creates exposure they do not directly control. High-value assets are three times as likely to have severe findings when hosted off-premises as when hosted on-premises, the report found.

“Since a huge portion of a modern organization’s value-generating activities relies on internet-enabled processes and 3rd party relationships, that surface is much more extensive than one might expect. In this section, we identify and measure key aspects of the internet risk surface through the data sample collected,” the report said.

“Your risk surface is anywhere your ability to operate, your reputation, your assets, your legal obligations or your regulatory compliance is at risk,” explained Kelly White, RiskRecon’s CEO and co-founder, in a press release.

“The digital transformation has moved the enterprise risk surface well beyond the internal enterprise network, with 65% of all enterprise internet-facing systems hosted with third-party providers. The data show that enterprises are not keeping up, with the security of internally hosted systems being much better managed than third-party hosted systems. This dilemma has now become critical because organizations are failing to understand how to manage their entire risk surface based on the volume of external digital exposure they face.”

Source: Information Security Magazine

Developer Reveals Phishing Exploit in Chrome

In a proof-of-concept (PoC) blog post published earlier this week, developer James Fisher described a phishing technique against Chrome for Android that exploits the browser hiding its URL bar once the user scrolls down a page.

After hiding the URL bar, the browser “passes the URL bar’s screen space to the web page. Because the user associates this screen space with 'trustworthy browser UI,' a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar,” Fisher wrote.

“In my proof-of-concept, I’ve just screenshotted Chrome’s URL bar on the HSBC website, then inserted that into this webpage. With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser. With yet more effort, the inception bar could be made interactive. Even if the user isn’t fooled by the current page, you can get another try after the user enters '' in the inception bar!”

Fisher’s post drew mixed responses on Twitter, with several users saying they could not reproduce the PoC in Chrome.

"Whilst the proof of concept by Mr. Fisher isn't perfect, Google and others should consider implementing mitigation techniques like the 'Line of Death' to make the demarcation between browser UI and web content more obvious," said Gavin Millard, VP of intelligence, Tenable.

"Users fall for fake websites constantly, hence the continued scourge of phishing sites, but this new approach could fool even the most cyber-savvy individual. Exploiting this could lead to confidential information disclosure and fraud.”

A Google spokesperson told Infosecurity, “Protecting users from phishing has always been important to us. We're constantly improving more holistic solutions to phishing like Safe Browsing, security keys, and Chrome’s password manager. Our team is aware of this issue and continues to explore solutions."

Source: Information Security Magazine

Credential Stuffing Costs Firms $4m Each Year

Credential stuffing attacks are costing EMEA businesses on average $4m each year, according to new research from Akamai.

The content delivery firm commissioned the Ponemon Institute to interview 544 IT security professionals in the region who are familiar with these attacks on their organization.

It found that companies experience an average of 11 credential stuffing attempts each month, with each attack targeting 1,041 user accounts.

Akamai arrived at the $4m figure by adding the cost of application downtime ($1.2m), lost customers ($1.6m) and additional IT security effort ($1.2m) attributable to these attacks, on top of the cost of any follow-on fraud.

Complexity appears to be hampering efforts to contain credential stuffing. Surveyed companies had an average of 26.5 operational customer-facing websites for cyber-criminals to target via automated bot attacks.

Multiple log-in paths (desktop browsers, mobile web browsers, mobile apps and third-party integrations) present further account takeover opportunities, the report claimed.

Only a third (35%) said that they have good visibility into such attacks, while around the same number (36%) claimed they are able to quickly detect and remediate.

An overwhelming number of respondents (88%) agreed it’s difficult to differentiate real employees from imposters.

“Modern websites are sprawling entities that can comprise hundreds or thousands of web pages and support many different types of clients and traffic. Companies understanding their website architecture and how clients flow from different pages to their login endpoints is essential to successfully mitigating credential stuffing attacks — and keeping costs under control,” argued Akamai senior director, Jay Coley.

“Companies need bot management tools to monitor their behaviors and distinguish bots from genuine log-in attempts. Instead of standard log-in systems which just check whether a username and password match, they need to look at key-press patterns, mouse movements and even the orientation of a mobile device.”
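The behavioural signals Coley describes need client-side instrumentation, but the most basic discriminator between a bot and a genuine user is already visible in server logs: a real person retries one username, while a stuffing bot cycles through many leaked username/password pairs with a near-total failure rate. The script below, an added example for this article and not Akamai's bot manager, runs that heuristic over constructed login records (RFC 5737 test addresses), including a shared-address guard and a site-wide check for distributed runs where each bot IP only makes a few attempts. Thresholds and the log format are assumptions.

```python
"""Credential-stuffing detection heuristics run over constructed login
logs. Added as an illustration for this article; it is not Akamai's bot
manager and does not model the behavioural signals (key-press timing,
mouse movement, device orientation) from the quote above. It shows the
account-enumeration pattern that separates stuffing from a user who
mistypes a password: one source trying many different usernames with a
near-total failure rate, or a distributed run where the site-wide
failure rate spikes even though each source makes only a few attempts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (RFC 5737 test addresses). Not from any real system.
SAMPLE_LOG = """\
2019-04-23T10:00:01Z src=198.51.100.20 user=alice result=FAIL
2019-04-23T10:00:09Z src=198.51.100.20 user=alice result=FAIL
2019-04-23T10:00:20Z src=198.51.100.20 user=alice result=OK
2019-04-23T10:01:00Z src=203.0.113.7 user=bob result=FAIL
2019-04-23T10:01:01Z src=203.0.113.7 user=carol result=FAIL
2019-04-23T10:01:01Z src=203.0.113.7 user=dave result=FAIL
2019-04-23T10:01:02Z src=203.0.113.7 user=erin result=FAIL
2019-04-23T10:01:02Z src=203.0.113.7 user=frank result=OK
2019-04-23T10:01:03Z src=203.0.113.7 user=grace result=FAIL
2019-04-23T10:01:03Z src=203.0.113.7 user=heidi result=FAIL
2019-04-23T10:01:04Z src=203.0.113.7 user=ivan result=FAIL
2019-04-23T10:01:04Z src=203.0.113.7 user=judy result=FAIL
2019-04-23T10:01:05Z src=203.0.113.7 user=mallory result=FAIL
2019-04-23T10:05:00Z src=192.0.2.1 user=oscar result=OK
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text: str) -> List[dict]:
    """Parse the constructed key=value format into events with datetime stamps."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # a real pipeline would count unparsable lines
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def flag_spraying_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8) -> Dict[str, dict]:
    """Per-source detector. The distinct-username count is the feature
    that separates a bot from a retrying human; the failure ratio guards
    against a shared NAT address behind which many real users log in.
    For each flagged source the largest qualifying window is reported."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(e["result"] == "FAIL" for e in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                if src not in flagged or len(span) > flagged[src]["attempts"]:
                    flagged[src] = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "fail_ratio": round(fails / len(span), 2),
                        # a success inside a spray run is an account the attacker now holds
                        "compromised": sorted(e["user"] for e in span if e["result"] == "OK"),
                    }
    return flagged


def site_failure_ratio(events, window=timedelta(seconds=30), min_attempts=10) -> float:
    """Site-wide detector for distributed stuffing: the worst failure ratio
    in any window holding at least min_attempts log-ins, regardless of
    source. Compare it against the baseline for normal traffic."""
    evs = sorted(events, key=lambda e: e["ts"])
    worst, start = 0.0, 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        span = evs[start:end + 1]
        if len(span) >= min_attempts:
            worst = max(worst, sum(e["result"] == "FAIL" for e in span) / len(span))
    return round(worst, 2)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, info in flag_spraying_sources(evs).items():
        print(f"stuffing suspected from {src}: {info}")
    print("worst 30-second site failure ratio:", site_failure_ratio(evs))
```

On the sample, alice's two failed attempts followed by a success from 198.51.100.20 are not flagged, while 203.0.113.7 is, with frank listed as the account whose leaked credentials still worked; that is the account to force a password reset on, not merely the IP to block.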

Source: Information Security Magazine

Police Warn Schools About Money Mule Recruiters

Scottish police have written to every secondary school in the country warning parents and guardians that pupils are increasingly being recruited by cybercrime gangs as money mules.

Young people are typically approached online via social media ads or even WhatsApp messages, according to reports.

“People are enticed in with the belief it’s quick, easy money and assured nothing will happen to them. If you do enter into this agreement, you are breaking the law. It is a criminal offence and the effect on your life can be huge,” warned detective inspector Graeme Everest of the Organised Crime and Counter Terrorism Unit (OCCTU).

“The fraudsters involved in orchestrating mule accounts are often from serious organized crime groups and any involvement with them can be dangerous. There are victims affected by fraud across Scotland and this can have a devastating effect on people financially and emotionally. It isn’t a victimless crime and by laundering money gained from these victims, you are playing a part in this."

Money mules could be handed a sentence of up to 14 years behind bars for laundering funds on behalf of criminal gangs.

Yet the number of young people being recruited into this burgeoning part of the cybercrime underground is increasing.

Anti-fraud non-profit Cifas reported a 26% rise in reports of money mules aged 21 and under between 2017 and October 2018. In the first 10 months of last year alone, 9,636 money mule perpetrators under the age of 21 were identified in the UK by Cifas members.

“Money laundering is an insidious crime which helps criminals prosper from their illegal conduct,” argued Andrew Laing, deputy procurator fiscal for specialist casework.

“Parliament has viewed money laundering as a serious offence and offences of money laundering can attract long custodial sentences. [We have] been working closely with the police, other law enforcement agencies and the banks and we will take robust action against any person involved in money laundering where there is sufficient evidence to do so.”

Source: Information Security Magazine

Google Bans Chinese Developer from Play Store

DO Global, a Chinese app developer partly owned by Baidu whose apps have more than half a billion installs, has been banned from Google Play after reports that its apps were part of an ad fraud scheme, according to BuzzFeed News.

As of April 26, 46 apps from DO Global had reportedly been removed from the Play store. In addition, the news outlet reported that ad inventory for purchase through Google’s AdMob networks is no longer available in DO Global apps, “suggesting the ban has also been extended to the internet giant's ad products.”

Google investigated after earlier reports that a batch of the developer's apps was being used for ad fraud. “When we find violations, we take action, including the removal of a developer’s ability to monetize their app with AdMob or publish on Play," a Google spokesperson told BuzzFeed News.

On April 27, DO Global issued the following statement:

In the past week, we have noticed a series of reports about our apps by the media. We fully understand the seriousness of the allegations. As such, we immediately conducted an internal investigation on this matter. We regret to find irregularities in some of our products’ use of AdMob advertisements. Given this, we fully understand and accept Google's decision. Moreover, we have actively cooperated with them by doing a thorough examination of every app involved.

We would like to thank the media, our partners, and the public for their support. Moving forward, we will strictly follow relevant regulations and continue conducting a comprehensive review of our products. Lastly, during this process, we have caused misunderstandings and great concern due to our being unable to communicate in a timely manner and provide complete information. We offer our sincere apologies.

The news comes only weeks after Check Point researchers reported a click-fraud campaign in which malware embedded in a series of Google Play apps simulated ad clicks to defraud ad agencies. Infosecurity has reached out to Google for comment, and this story will be updated if we receive a response.

Source: Information Security Magazine

Security Flaws in P2P Leave IoT Devices Vulnerable

Malicious actors could exploit critical security vulnerabilities in a peer-to-peer (P2P) communications technology used across millions of internet of things (IoT) devices, according to research first reported by KrebsonSecurity.

Security researcher Paul Marrapese first reported the vulnerabilities to the vendor on January 15, 2019, but received no response, nor did the vendor answer two further notices stating his intent to disclose. After three months, the critical flaws were publicly disclosed on April 24.

iLnkP2P, developed by Shenzhen Yunni Technology Company Inc., Ltd., is one of several P2P communications solutions that device manufacturers build into their products, according to Marrapese, who added that the vulnerabilities are specific to devices using iLnkP2P.

On April 26, Marrapese published a blog post listing the device UID prefixes known to be vulnerable. Warning users that attackers could abuse the P2P connection to reach IoT devices, including security cameras, without the owner’s knowledge, Marrapese wrote:

Over 2 million vulnerable devices have been identified on the Internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM. Affected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.

Marrapese also tweeted: “Millions of security cameras, baby monitors, and 'smart' doorbells have serious vulnerabilities that allow hackers to spy on their owners.”

Even if devices encrypt traffic, Marrapese said they are likely not free from the risk of being exploited. “Analysis of a wide range of devices has suggested that most devices do not employ encryption at all, or do so in an insecure fashion. Some vendors (notably VStarcam) have gone as far as outright lying about their use of encryption.”

Source: Information Security Magazine

FinServ Sees 60% Spike in Business Email Compromise

Financial services organizations are increasingly targeted by attackers using impostor emails attempting to commit fraud, according to the 2019 Email Fraud in Financial Services report published by Proofpoint.

The study analyzed more than 160 billion emails sent in 2017 and 2018 and found that business email compromise (BEC) attacks against the sector grew by an alarming 60% year over year. All of the attacks relied heavily on social engineering.

The attackers relied on domain spoofing: the messages appeared to come from trusted domains and most often requested payment under a fake identity. Most were sent on Mondays between 7 a.m. and 2 p.m., so that they blended in with legitimate business traffic and looked plausible to unsuspecting employees.

Of the financial services firms that were targeted, 56% reported that more than five employees were targeted by BEC attacks in the final quarter of 2018. “In other words, the identities of at least five of the companies’ employees were weaponized to target other employees within that organization. About 37% of companies were targeted using two to five spoofed employee identities,” the report said.

BEC attacks on financial services organizations most frequently use payment-related subject lines, but attackers also use shipment-related subjects in these impostor attacks, the report said.

“While email fraud is not unique to financial services organizations, this industry’s employees hold the keys to one of the most potentially lucrative paydays for cyber-criminals. One wrong click can expose an entire brand and its customers to substantial risk and even bigger losses,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, in an email.

“It is critical that organizations prioritize the implementation of solutions that defend against these attack methods, specifically against domain spoofing, display-name spoofing and lookalike domains and [that they] train employees to identify and report socially engineered attacks across email, social media and the web.”
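Kalember names three impostor techniques: domain spoofing, display-name spoofing and lookalike domains. The triage function below, an added example for this article rather than Proofpoint's product, classifies an inbound message into one of them. It assumes the receiving gateway stamps an Authentication-Results header (so that a message carrying the organization's own domain can be judged by its DMARC verdict) and that the organization maintains a directory of employee display names; the domain example.com, its lookalikes, the employees and the messages are all constructed.

```python
"""Impostor-email triage for the three BEC techniques named in the quote
above: exact domain spoofing, display-name spoofing and lookalike
domains. Added as an illustration for this article; it is not
Proofpoint's product, and the messages, the employee directory and the
domains (example.com and its lookalikes) are constructed. Domain spoofing
is judged from the gateway's Authentication-Results header, so this
assumes the gateway stamps one and that your domain publishes DMARC."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional

ORG_DOMAIN = "example.com"  # constructed
# Constructed directory of display names an attacker would impersonate.
EMPLOYEES = {"jane doe": "jane.doe@example.com", "raj patel": "raj.patel@example.com"}

# Substitutions commonly used to build lookalike domains; both domains
# are normalised before comparison so exarnple.com and examp1e.com collapse
# onto example.com.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("cl", "d")]


def normalise(domain: str) -> str:
    d = domain.lower()
    for bad, good in _CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg) -> Dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral)", hdr.lower()))


def classify(raw: str) -> Optional[str]:
    """Return the impostor technique this message matches, or None."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "malformed-from"
    if domain == ORG_DOMAIN:
        # Our own domain in From is legitimate only if DMARC passed. Treat a
        # missing or failed verdict as spoofing: without enforcement anyone
        # can put @example.com in the header.
        return None if auth_results(msg).get("dmarc") == "pass" else "domain-spoof"
    if normalise(domain) == normalise(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 2:
        return "lookalike-domain"
    if name.strip().lower() in EMPLOYEES:
        # A colleague's name on an external address: classic display-name spoof.
        return "display-name-spoof"
    return None


# Constructed messages, one per case plus a legitimate vendor mail.
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\n"
             "Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass\n"
             "Subject: Invoice 4471\n\nAttached as discussed.\n",
    "domain_spoof": "From: Jane Doe <jane.doe@example.com>\n"
                    "Authentication-Results: mx.example.com; spf=fail dkim=none dmarc=fail\n"
                    "Subject: Urgent wire transfer\n\nPlease process today.\n",
    "display_name": "From: \"Jane Doe\" <jane.doe.ceo@mail-example.net>\n"
                    "Subject: Quick favour\n\nAre you at your desk?\n",
    "lookalike": "From: Raj Patel <raj.patel@exarnple.com>\n"
                 "Subject: Updated payment details\n\nNew account below.\n",
    "digit_lookalike": "From: Raj Patel <raj.patel@examp1e.com>\n"
                       "Subject: Shipment hold\n\nSee attached.\n",
    "vendor": "From: Billing <billing@vendor.example.net>\n"
              "Subject: Statement\n\nYour statement is ready.\n",
}


def triage(samples: Dict[str, str]) -> Dict[str, Optional[str]]:
    return {label: classify(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(f"{label:16} -> {verdict}")
```

The ordering of the checks matters: a lookalike domain is classified before the display-name test so that a message matching both is reported by the stronger indicator, and a message using the organization's own domain is never trusted on the From header alone.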

Source: Information Security Magazine

Docker Hub Breach Exposes 190K Users

Docker Hub has suffered a major security breach exposing around 190,000 accounts, the firm revealed to its users over the weekend.

According to an email to customers shared online, the world's largest container image library discovered unauthorized access to its platform last Thursday. The database in question is said to have stored a “subset of non-financial user data.”

“During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users),” the notice from director of Docker Support, Kent Lamb, continued.

“Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.”

The firm is now requiring affected users to change their Docker Hub password, and to change it on any other account where the same password was reused.

It said users can review the security logs of their GitHub or Bitbucket accounts to check for suspicious activity.

“For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place,” Lamb added.

With access to users’ autobuilds, hackers could theoretically add malware to containers, which could then be deployed in live environments.

Microsoft was quick to point out that its images weren’t affected by the incident.

This isn’t the first time Docker Hub has come under scrutiny for its security practices.

Last June, security vendor Kromtech claimed to have found 17 malicious Docker images that had sat on Docker Hub for an entire year, accumulating more than five million downloads and earning their authors an estimated $90,000 from illicit cryptomining.

Source: Information Security Magazine

Magecart Skimming Code Found on GitHub

Security experts are warning e-commerce site webmasters to be prepared for more Magecart attacks after spotting skimming code uploaded to a GitHub page.

The skimmer, a piece of hex-encoded JavaScript, was uploaded on April 20 by a user named “momo33333” who had joined the software development platform that same day.

“Most often the skimming code — written in JavaScript and obfuscated — is hosted on infrastructure controlled by attackers. Over time, they have created thousands of domain names mimicking Magento, the CMS platform that is by far most targeted,” explained Malwarebytes head of threat intelligence, Jérôme Segura.

“However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year.”

He warned that over 200 e-commerce sites have already been injected with this particular skimming code.

According to Segura, the compromised sites load the script within their source code right after the CDATA script and/or immediately before the closing </body> tag.
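The injection pattern Segura describes (a script dropped near the closing body tag, loaded from a host the shop does not own, with its strings hex-encoded to defeat a simple grep) is something a site owner can check for in saved page source. The script below is an added example for this article, not Malwarebytes' tooling: it collects every script on a constructed checkout page, flags external script sources outside an allowlist, and decodes hex-escaped string runs in inline scripts so the analyst can see the form selectors and exfiltration URL they hide. The page HTML, hostnames and allowlist are constructed.

```python
"""Two checks a shop owner can run over their own rendered pages to spot a
skimmer injection of the kind described above: script sources outside an
allowlist, and inline scripts hiding strings behind hex escapes. Added as
an illustration for this article, not Malwarebytes' tooling; the page
HTML, hostnames and the allowlist are constructed. Standard library only,
so it runs against saved page source offline."""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Hosts this (constructed) shop is allowed to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example"}


def hex_escape(s: str) -> str:
    """Used only to build the sample: encode a string as \\xNN escapes."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


# Constructed checkout page. The last two scripts imitate the injection
# pattern: dropped just before </body>, one pointing at a third-party host,
# one inline with its selector and exfiltration URL hex-encoded.
SAMPLE_PAGE = f"""<html><head>
<script src="/js/mage/cookies.js"></script>
<script src="https://static.shop.example/checkout.js"></script>
</head><body>
<form id="checkout"><input name="cc_number"><input name="cc_cvv"></form>
<script type="text/javascript">//<![CDATA[
var config = {{"currency": "EUR"}};
//]]></script>
<script src="https://code-host.example/skim.js"></script>
<script>var f=document.querySelector("{hex_escape('input[name=cc_number]')}");
var u="{hex_escape('https://collect.example/gate')}";</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Gather external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def foreign_script_hosts(html: str, allowed=ALLOWED_SCRIPT_HOSTS) -> List[str]:
    """External script URLs whose host is not allowlisted. Relative paths
    are same-origin and trusted here; a skimmer written into a first-party
    file is what integrity checks on the files themselves are for."""
    p = ScriptCollector()
    p.feed(html)
    out = []
    for src in p.srcs:
        host = urlparse(src).hostname
        if host and host not in allowed:
            out.append(src)
    return out


# four or more consecutive \xNN escapes: short runs occur in benign code
_HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")


def decode_hex_strings(html: str) -> List[Tuple[str, str]]:
    """Find runs of \\xNN escapes in inline scripts and decode them."""
    p = ScriptCollector()
    p.feed(html)
    found = []
    for script in p.inline:
        for run in _HEX_RUN.findall(script):
            decoded = bytes.fromhex(run.replace("\\x", "")).decode("latin-1")
            found.append((run, decoded))
    return found


if __name__ == "__main__":
    for src in foreign_script_hosts(SAMPLE_PAGE):
        print("script from non-allowlisted host:", src)
    for run, decoded in decode_hex_strings(SAMPLE_PAGE):
        print(f"hex-encoded string: {run[:24]}... -> {decoded}")
```

On the sample page the first-party and allowlisted scripts pass, the third-party script is reported, and the two decoded strings show a selector for the card-number field and an outbound URL, which is the combination to look for when confirming a skimmer rather than a legitimate analytics tag.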

Although the skimmer was quickly taken down after Malwarebytes informed GitHub, compromised Magento sites are still at risk of malicious injection in the future, he warned.

“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods,” Segura concluded. “Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.”

Back in October, a researcher warned that hackers were exploiting multiple zero-day vulnerabilities in Magento extensions which had not been patched by the vendor.

Multiple groups are using the Magecart code to covertly harvest payment card details from e-commerce sites as they are entered by unwitting consumers.

The latest, Magecart Group 12, was identified in January targeting French advertising agency Adverline, compromising the scripts it serves through its content delivery network in a digital supply chain attack.

Source: Information Security Magazine