Archive for July 2019

Photo Shared via iPhone Leads to JetBlue Evacuation

Passengers heading to Tampa, Florida, experienced an unusual delay on Tuesday. Those on board a JetBlue flight out of Newark, New Jersey, were evacuated after a person used the AirDrop feature on an Apple iPhone to send an image of a suicide vest to multiple iOS devices on the plane, according to the Daily News.

Several passengers on the flight surprisingly received the image through Apple’s AirDrop feature, which allows users to share content with nearby devices through Bluetooth technology. Given that the person delivering the photo had to be within Bluetooth range, it was presumably a passenger as the plane had already left the gate and was on the runway waiting for takeoff, the report suggested. 

There’s no real way to trace a Bluetooth MAC address to an individual or their device unless all devices were confiscated from the passengers on the flight, according to Dr. Richard Gold, head of security engineering at Digital Shadows. “Even then, it’s unlikely you’d be able to figure out the originating MAC address without forensically examining the devices which received the pictures.”

The issue is just the latest concern with Bluetooth. There have been a number of reports of people abusing the AirDrop feature on iOS devices that uses Bluetooth technology to send unwanted photos of various natures to unsuspecting receivers since the feature was introduced in 2011, Gold said. 

In addition to being difficult to trace, people typically leave the Bluetooth function on, said Chris Morales, head of security analytics at Vectra. “I used to admittedly walk around with my laptop scanning for exposed Bluetooth listening devices and could send commands to the owner. It is very easy. The easiest way to not receive things over Bluetooth is to require a pin for connectivity or to just turn it off.”  

Source: Information Security Magazine

Businesses Shine a Light on Shadow IT

The issues surrounding shadow IT that have long plagued security because of unmonitored and unsupported cloud applications and devices are increasingly coming under proper control, according to the 2019 Duo Trusted Access Report.

The report found that threats from applications and devices that have traditionally been lurking in IT environments are being mitigated through the implementation of a zero-trust model. Enterprises appear to be catching up with cloud expansion and addressing concerns of shadow IT because the report found that the average number of organizations protecting cloud apps reportedly surged 189% year-over-year.

The report assessed the security of thousands of the world’s largest and fastest-growing organizations and examined 24 million devices used for work. Research showed that the use of out-of-date devices has dropped precipitously, which could be a function of the ever-growing remote workforce. According to today’s press release, a third of all work is done on a mobile device, a 10% increase year-over-year. In turn, organizations are hardening mobile defenses against malware. 

In addition, biometric verification has seen a double-digit jump to more than 77% of business devices, and organizations are outright rejecting authentication based on policies for location-rooted devices, device locks not enabled or a lack of disk encryption.

“Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities,” the press release said.

As organizations continue to experience shifts in digital transformation, they are enforcing security controls that establish user and device trust through a zero-trust security model. 

“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, head of advisory CISOs at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”

Source: Information Security Magazine

US Coast Guard Issued Cyber-Safety Alert

The US Coast Guard recommended that ships update their cybersecurity strategies after a malware attack “significantly” degraded the computer systems of a deep draft vessel in February, according to a press release.

In the marine safety alert, the Coast Guard wrote that the vessel involved in the February cyber incident was inbound to the Port of New York and New Jersey during an international trip when it reported that its onboard network was being impacted by a cyber incident.

The Coast Guard responded, and after an analysis conducted alongside an “interagency team of cyber experts” it concluded that while the functionality of the boat’s computer system was impacted, control systems were not. The computer system was used for managing cargo data and communicating with the Coast Guard and shore-side facilities.

“Prior to the incident, the security risk presented by the shipboard network was well known among the crew. Although most crew members didn’t use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business – to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard,” the alert said.

Targeting governmental and military assets will continue to be valuable for those seeking to disrupt our society, said Tim Mackey, principal security strategist for the Cybersecurity Research Center at Synopsys.

“This incident highlights lessons for everyone to take – whether you’re in government or in a corporate setting – vigilance starts with preparedness. All systems contain weaknesses, and software systems are no different. An up-to-date inventory of all software assets, including versions, origins and update procedures, is a bare minimum operational requirement for deployed software,” said Mackey. 

“This asset inventory should also include a detailed accounting for all known weaknesses, and procedures should be in place to ensure newly disclosed weaknesses or vulnerabilities are amended to the inventory. The goal of this process is to ensure that systems are both patched and that the potential attack surface for the asset can be quantified. Armed with this information, threat models can be created which then guide mitigation efforts.”
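The inventory process Mackey describes (versions, origins and update procedures per asset, a register of disclosed weaknesses that is amended as advisories arrive, and a quantified attack surface) can be made concrete in a few dozen lines. The following is an added example, not code from Synopsys, the Coast Guard or the vessel in the alert; the asset names, versions, origins and the `ADVISORY-PLACEHOLDER-*` ids are constructed placeholders. Exposure is derived from each asset's current version against the advisory's fixed version, so applying an update clears the finding without editing the advisory record.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    """One deployed software component and the facts the inventory must carry for it."""
    name: str
    product: str
    version: str
    origin: str            # where the software came from (vendor, OS package, contractor)
    update_procedure: str  # how it actually gets patched on board


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple ('4.1.3' -> (4, 1, 3))."""
    return tuple(int(part) for part in version.split("."))


class Inventory:
    """Software asset inventory with a register of disclosed weaknesses.

    Whether an asset is exposed to a weakness is computed from its current
    version against the advisory's first fixed version, so an update removes
    the exposure without touching the advisory register.
    """

    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        # weakness id -> (affected product, first fixed version)
        self.advisories: Dict[str, Tuple[str, str]] = {}

    def add(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def _is_exposed(self, asset: Asset, weakness_id: str) -> bool:
        product, fixed_in = self.advisories[weakness_id]
        return asset.product == product and parse_version(asset.version) < parse_version(fixed_in)

    def register_advisory(self, weakness_id: str, product: str, fixed_in: str) -> List[str]:
        """Amend the inventory with a newly disclosed weakness; return the exposed asset names."""
        self.advisories[weakness_id] = (product, fixed_in)
        return [name for name, asset in self.assets.items() if self._is_exposed(asset, weakness_id)]

    def open_weaknesses(self, name: str) -> List[str]:
        """Known weaknesses the named asset is still exposed to at its current version."""
        asset = self.assets[name]
        return sorted(w for w in self.advisories if self._is_exposed(asset, w))

    def apply_update(self, name: str, new_version: str) -> None:
        self.assets[name].version = new_version

    def attack_surface(self) -> Dict[str, int]:
        """Quantify exposure as the count of open weaknesses per asset."""
        return {name: len(self.open_weaknesses(name)) for name in self.assets}


def build_inventory() -> Inventory:
    """Constructed sample inventory for a hypothetical shipboard business network."""
    inv = Inventory()
    inv.add(Asset("cargo-mgmt", "cargo-mgmt", "4.1.3", "vendor A", "vendor installer, quarterly"))
    inv.add(Asset("chart-updater", "chart-updater", "2.0.0", "vendor B", "USB media from agent"))
    inv.add(Asset("crew-mail", "crew-mail", "11.4.0", "OS package", "package manager, weekly"))
    return inv


if __name__ == "__main__":
    inv = build_inventory()
    # Placeholder advisory ids, not real identifiers.
    print("exposed:", inv.register_advisory("ADVISORY-PLACEHOLDER-1", "cargo-mgmt", "4.2.0"))
    print("exposed:", inv.register_advisory("ADVISORY-PLACEHOLDER-2", "chart-updater", "2.0.0"))
    print("attack surface:", inv.attack_surface())
    inv.apply_update("cargo-mgmt", "4.2.0")
    print("after update:", inv.attack_surface())
```

The `attack_surface()` figure is the per-asset count a threat model can start from; the `origin` and `update_procedure` fields are what tells the crew how the fix actually reaches the ship (vendor installer, USB media from an agent, package manager).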

Source: Information Security Magazine

NCSC in DNS Warning as Hijackers Focus on Home Routers

The UK’s National Cyber Security Centre (NCSC) has issued a warning about DNS hijacking threats, as reports emerge of widespread attacks in Brazil affecting 180,000 users.

The NCSC posted the advisory on Friday as a follow-up to one issued in January. DNS hijacking attackers typically take control of an authoritative DNS server and change the records stored there, covertly redirecting users to servers under their control in a man-in-the-middle attack.

This is what happened in the DNSpionage campaign revealed earlier this year and the Sea Turtle attacks which Cisco Talos last week claimed are still ongoing.

However, DNS hijackers are also targeting consumers with a slightly different modus operandi, Avast revealed in a recent blog post.

These attacks look to modify the settings on home routers, potentially via cross-site request forgery (CSRF) web-based attacks, so that they use rogue DNS servers. Once again, the end goal is to secretly redirect the user to a phishing page or one capable of installing malware on their machine.

Avast claims to have blocked over 4.6m CSRF attacks during February and March alone in Brazil, adding that 180,000 users have had their DNS hijacked in the first half of 2019.

The initial CSRF attack often happens via malvertising when a user visits a compromised website.

“When visiting a compromised site, the victim is unknowingly redirected to a router exploit kit landing page, which is usually opened in a new window or tab, initiating the attack on the router automatically, without user interaction,” it said.

“In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. Once the hacker successfully logs into the router, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests.”

GhostDNS, Navidade and SonarDNS are the three exploit kits being used in these attacks. Once a rogue DNS server is installed, the attackers look to monetize their efforts via phishing to steal Netflix and banking credentials from consumers; replacing good ads with malicious ones to steal traffic for profit; and installing browser-based crypto-jacking scripts.

Avast urged consumers to stay on the latest router firmware version; use strong and unique log-ins for online banking and routers; and to check their banking sites have a valid certificate.
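A defender-side check for the router-level hijacking described above, added here as an example and not code from Avast or the NCSC advisory: it reads the resolvers a router handed out (resolv.conf-style text), flags any that are not on a trusted list, and compares the answers the configured resolver gave for a few sentinel names against answers from a trusted out-of-band resolver. The trusted-resolver list, LAN range, resolver dump and all answer data are constructed assumptions; the `203.0.113.53` address is a documentation-range stand-in for a rogue resolver, not a real indicator.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed assumptions for a hypothetical home network: the router's own
# LAN address and two public resolvers the owner has chosen to trust.
TRUSTED_RESOLVERS: Set[str] = {"192.168.0.1", "1.1.1.1", "8.8.8.8"}
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed resolv.conf-style dump as handed out by the router via DHCP.
# The second nameserver is a made-up address standing in for a rogue resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.example
nameserver 192.168.0.1
nameserver 203.0.113.53
"""

# Constructed A-record answers: what the configured resolver returned versus
# what a trusted out-of-band resolver returned for the same sentinel names.
LOCAL_ANSWERS = {"bank.example": ["198.51.100.7"], "news.example": ["192.0.2.20"]}
REFERENCE_ANSWERS = {"bank.example": ["192.0.2.10"], "news.example": ["192.0.2.20"]}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS, lan=LAN) -> List[Tuple[str, str]]:
    """Flag every configured resolver that is not on the trusted list.

    A rogue DNS server planted through the router is usually an address
    outside the LAN, so the finding says where the unexpected resolver sits.
    """
    findings = []
    for server in servers:
        if server in trusted:
            continue
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "not a valid IP address"))
            continue
        if ip in lan:
            findings.append((server, "LAN host other than the router is acting as resolver"))
        else:
            findings.append((server, "resolver outside the LAN and not on the trusted list"))
    return findings


def compare_answers(local, reference) -> Dict[str, Dict[str, List[str]]]:
    """Report sentinel names whose local-resolver answers differ from the reference.

    Disagreement on a banking or mail domain is the symptom of a hijacked resolver.
    """
    mismatches = {}
    for name, ref in reference.items():
        got = set(local.get(name, []))
        if got != set(ref):
            mismatches[name] = {"local": sorted(got), "reference": sorted(ref)}
    return mismatches


def run_audit() -> Dict[str, object]:
    """Run both checks over the constructed sample data and return a report."""
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "resolvers": servers,
        "resolver_findings": audit_resolvers(servers),
        "answer_mismatches": compare_answers(LOCAL_ANSWERS, REFERENCE_ANSWERS),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

In practice the reference answers would be fetched over a channel the router cannot tamper with (a resolver reached by IP over a VPN, or DNS over HTTPS), and the check runs on a schedule so that a changed resolver or a diverging answer for a banking domain is noticed before the phishing page is.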

Source: Information Security Magazine

NHS Still Running 2000+ XP Computers

The NHS still has over 2,000 machines running Windows XP, the government has revealed, despite official support for the operating system running out in 2014.

The figures came in response to a parliamentary written question tabled by Jo Platt, the shadow Cabinet Office minister.

Parliamentary under secretary of state at the Department of Health, Jackie Doyle-Price, replied that the health service was running around 2300 XP computers as of July this year.

Platt criticized the figures as an indictment of the government’s failure to prioritize cybersecurity.

“The government is seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure. How many more warnings will it take before they listen and take action?” she said.

“The next Labour government will provide not only the resourcing but also the vital leadership, organization and dedication needed to get our public sector fit and resilient to fight the cyber-threats of the 21st century.”

The NHS was famously caught out by the WannaCry ransomware worm of 2017, which affected around a third of trusts and led to the cancellation of an estimated 19,000 operations and appointments.

Despite repeated warnings, and patches being made available by Microsoft, even for XP, systems were not updated quickly enough, leading to the ensuing chaos which is said to have cost the NHS around £92m to clean up.

However, the government has been taking steps to address the problems, with a £150m cash injection announced last year said to be for Windows 10 upgrades, along with other measures.

Doyle-Price was also keen to put the 2300 figure in context: the NHS runs a total of around 1.4 million computers.

“This equates to 0.16% of the NHS estate,” she said. “We are supporting NHS organizations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber resilience.”

A report from Centrify last week revealed that the NHS has successfully repelled over 11.3 million email-based cyber-attacks over the past three years.

Source: Information Security Magazine

Oracle to Release Critical Patch Update

Oracle will release its Critical Patch Update on July 16, 2019, which will include seven new fixes for the Oracle database server, according to a pre-release announcement.   

“While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,” Oracle wrote.

The Critical Patch Update is a collection of patches for multiple security vulnerabilities, and the July 16 update contains 322 new fixes. Six of the security vulnerabilities were reportedly discovered by the Onapsis Research Labs team.

"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the announcement stated.

Two of the six different patches that were originally reported by the Onapsis Research Lab team addressed "critical vulnerabilities in the Oracle E-Business Suite (EBS), which has been deeply researched by Onapsis in the last few years,” researchers wrote. “Successfully exploiting these vulnerabilities may allow an attacker three critical scenarios compromising the integrity and availability of EBS: remote code execution in the server, remote code execution in the client and a Denial of Service.”

The two vulnerabilities reported by Onapsis are an unrestricted file upload, which was originally reported in November 2018 and leads to remote code execution (CVSS 9.1), and a reflected server-side request forgery, which was originally reported in April 2019 and can lead to a denial of service (DoS) and a client-side remote code execution (CVSS 9.6).

If left unpatched, these vulnerabilities could allow remote code execution and DoS; disrupting a critical service such as an ERP system makes this a critical attack, since it affects the availability, confidentiality and integrity of the data.

“Both vulnerabilities allow remote command execution, one in any EBS client and the other one directly on the server side. Even though all the announced CPUs should be applied, these critical vulnerabilities must be immediately addressed, and customers should prioritize implementation of the patches in order to avoid malicious exploitation,” the blog stated.

Source: Information Security Magazine

Monroe College Campuses Downed by Ransomware

Multiple campuses of Monroe College have had their systems downed after a ransomware attack reportedly struck the for-profit institution on July 11. 

The attack reportedly affected each of Monroe’s campuses in Manhattan and New Rochelle, New York, and St. Lucia, and emails have been compromised. Infosecurity contacted Monroe College via the email listed on its website, but the message was returned as undeliverable, indicating that systems are still downed.

The college took to Twitter to share the news with its online students.

In a statement, Marc Jerome, president of Monroe College, said, “Our team is working feverishly to bring everything back online, and we are working with the appropriate authorities to resolve the situation as quickly as possible,” according to Inside Higher Ed.

“In the meantime, Monroe continues to operate. We’re simply doing it the way colleges did before email and the internet, which results in more personal interactions. As we have done throughout our 86-year history, we are coming together to assure that our students, faculty and staff are well served."

An attacker demanded the college pay $2 million to have its files decrypted. Jackie Ruegger, executive director of public affairs at the college, reportedly told Inside Higher Ed that the college knows who conducted the attack. Infosecurity attempted to call the numbers listed on the Twitter message, but the recipient disconnected the calls. 

The attack follows a number of university cyber-attacks, including the recent OSU, Graceland University and Missouri Southern State University email-based breaches in the last few months. According to recent data from Mimecast’s State of Email Security report, 56% of organizations in the education sector saw an increase in phishing with malicious links or attachments in the last year. It took 31% two to three days to get back to a recovered state upon suffering an email-based attack. Nearly half (42%) of organizations say ransomware has impacted their business operations in the last 12 months and 73% have experienced two to five days of downtime as a result of the ransomware attack.

Source: Information Security Magazine

Nearly 20% of Organizations Still Run Windows 7

Despite the awareness that in six months Microsoft will officially end its support for its nearly 10-year-old operating system, Windows 7, 18% of large enterprises have not yet migrated to Windows 10, according to new research from Kollective.

At the start of 2019, researchers found that 43% of companies were still running Windows 7. Of those, 17% didn’t even know about the end of support. In its most recent analysis of 200 US and UK IT decision makers, the report revealed that organizations have a long way to go to prepare for the much anticipated end of Windows 7 support.

Six months later, 96% of IT departments have started their migration, and 77% have completed the move. However, given that the migration from Windows XP to Windows 7 reportedly took some firms more than three years to complete, companies that have not started migration are at risk of missing the final deadline.

In order to aid organizations in deploying a new OS to all endpoints, Microsoft has provided different options for companies still running Windows 7, one of which includes an extended support package at an annual cost of up to $500,000 for a company with 10,000-plus endpoints, the research said.

“The combined versions of Microsoft Windows operating systems equal more than 50 percent of global operating system usage. Windows 10 has the lion’s share of the market, which bodes well for security since Microsoft’s support for Windows 7 will end in January 2020,” wrote the Center for Internet Security (CIS), which released the CIS Controls Microsoft Windows 10 Cyber Hygiene Guide on July 11.

“Though many businesses are better prepared now than they were for the end of Windows XP, the move to Windows 10 comes with its own set of challenges,” said Dan Vetras, CEO of Kollective. “The migration itself is only the first step. IT managers moving to Windows 10 now have to prepare their networks for increasingly frequent ‘as a service’ updates to the OS. They will need to ensure their networks are ready for more testing, more roll outs and more network congestion to keep up to date.”

Source: Information Security Magazine

Chinese Software Engineer Accused of US IP Theft

A Chinese software engineer is still on the run after being accused of stealing intellectual property for his new employer.

Xudong (“William”) Yao, 57, worked at a Chicago-based manufacturer of equipment for train engines from August 2014, according to a December 2017 indictment unsealed last week.

Yet after just two weeks in his role, Yao had downloaded 3000 files containing proprietary and trade secret information relating to the system that operates the manufacturer’s locomotives, the Department of Justice (DoJ) claimed.

Other information, including technical documents and source code, was also downloaded by Yao over the next six months. At the same time, he apparently reached out to and accepted a place at a Chinese firm that provides automotive telematics service systems.

After Yao’s employment was terminated for unrelated reasons in February 2015, he made copies of all the stolen trade secret info and traveled home to China to start his employment at the company there.

Flying from Chicago O’Hare airport in November that year, he is alleged to have had in his possession the stolen trade secrets, including nine copies of control system source code and system specs explaining how the code worked, according to the indictment.

Yao faces a maximum of 10 years behind bars if found guilty of the nine counts of theft of trade secrets. But it’s unlikely he will be caught, unless he makes the mistake of setting foot back in the US or an allied country.

China has long been considered a prodigious stealer of intellectual property, whether it’s state-backed cyber-espionage designed to give domestic companies an advantage, or the behavior of individuals looking to abuse their insider positions at Western companies.

In June, a Chinese engineer was found guilty of conspiring to illegally export US semiconductors with military applications back home.

Source: Information Security Magazine

Japanese Exchange Bitpoint Hit By $32m Cyber-Attack

Japan-based cryptocurrency exchange Bitpoint has become the latest to lose tens of millions of dollars in a cyber-attack.

The firm said it was forced on Friday to stop all services — including withdrawals, deposits, payments, and new account openings — while it investigated the incident. It has also notified the relevant authorities in Japan.

Hackers managed to steal funds not only from the firm’s hot wallets, but also its offline cold wallets. After first detecting an error in Ripple remittances, Bitpoint said it realized it had been the victim of a cyber-attack. It then took another three hours before the firm realized the attack had also compromised funds stored in Bitcoin, Bitcoin Cash, Litecoin, and Ethereum.

A total of around 3.5 billion yen ($32 million) had been stolen, most ($23m) of which were customer-owned funds. The remainder belonged to Bitpoint, but it’s not clear at this stage whether the firm is planning to reimburse its customers.

The firm is the latest in a long line of cryptocurrency exchanges to come under the scrutiny of cyber-criminals. Last year, two Japanese exchanges were hit: Zaif lost 6.7bn yen ($60m) after hackers stole it from a hot wallet, while Coincheck lost 500m NEM tokens worth $530m at the time.

Just last month, Singaporean cryptocurrency exchange Bitrue was estimated to have lost around $4.5m in funds after hackers breached a hot wallet and moved the funds to other exchanges. A month previous, hackers stole in the region of $41m from Binance in a single hot wallet transaction.

In most incidents, at least the majority of stolen money is returned to customers.

Last month, Europol convened a meeting of cryptocurrency experts at its HQ in the Hague in a bid to share best practice and build partnerships to improve policing of digital crimes.

Source: Information Security Magazine