
Archive for July 2019

Flaws Allow Hacker to Bypass Card Limits

New vulnerabilities give hackers the ability to bypass the payment limits on Visa contactless cards regardless of the card terminal, according to new research from Positive Technologies.

In a July 29 press release, Positive Technologies said that researchers tested the flaws several times with five major UK banks and with cards and terminals outside of the UK. They found that the limits could be bypassed 100% of the time and could allow an attacker to steal from accounts.

“The attack works by manipulating two data fields that are exchanged between the card and the terminal during a contactless payment. Predominantly in the UK, if a payment needs additional cardholder verification (which is required for payments over 30 pounds in the UK), cards will answer 'I can’t do that,' which prevents payments over this limit. Secondly, the terminal uses country-specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone,” the press release said.

Checks were bypassed by using a device acting as a proxy to intercept communication between the payment terminal and the card, an attack known as man-in-the-middle (MITM). These MITM attacks can also be carried out against mobile wallets, allowing a fraudster to charge up to £30 without unlocking the phone.

“The device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification,” according to the release.

“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,” said Tim Yunusov, head of banking security for Positive Technologies. “While it’s a relatively new type of fraud and might not be the number-one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”

Source: Information Security Magazine

Malware Cited As Exploit Most Seen By SOC Teams

Working in the security operations center (SOC) is becoming increasingly painful because of a growing workload and alert fatigue, according to new research, Improving the Effectiveness of the Security Operations Center, published by the Ponemon Institute and sponsored by Devo Security.

Respondents cited malware (98%), known vulnerabilities (80%), spear-phishing (69%) and insider threats (68%) as the exploits most frequently identified in the SOC.

“Most respondents rate their SOC’s effectiveness as low and almost half say it is not fully aligned with business needs. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats and workplace stress on the SOC team are diminishing its effectiveness,” the report said.

In fact, 65% of respondents said that these pain factors would cause them to consider changing careers or leaving their job, and those frustrations exist even in organizations that consider the SOC essential to their cybersecurity strategy, according to the report. SOCs are struggling: most participants ranked their SOC’s effectiveness as low, and nearly half reported that the SOC is not fully aligned with business needs.

As a result of these problems, 78% of respondents say the mean time to resolution (MTTR) can be weeks to months, or even years. “Only 22 percent of respondents say resolution can occur within hours or days. Forty-two percent of respondents say the average time to resolve is months or years,” according to the report. Alongside the lack of visibility, threat hunting was also ranked as a top challenge.

“Threat hunting teams have a difficult time identifying threats because they have too many IOCs [indicators of compromise] to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise and too many false positives. More than half of respondents (53 percent) rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. The primary reasons are limited visibility into the network traffic, lack of timely remediation, complexity and too many false positives,” the report said.

Source: Information Security Magazine

Fake Version of WhatsApp Giving 'Free Internet'

A new scam is impersonating WhatsApp and using the fraudulent claim that its victims will receive "free internet," according to ESET researchers.

“Researchers in Latin America received a message on WhatsApp stating that the app was giving away 1,000 GB of internet data to celebrate its anniversary. It shouldn’t come as much of a surprise when we say that it was a scam,” the report said, before examining the campaign in greater detail.

The URL seemed suspect to the researchers, who noted that it wasn't an official WhatsApp domain. “Even though businesses may sometimes run promotions through third parties, the rule of thumb here is to check on the company’s website to make sure any promotion is real and valid,” researchers added.

Indeed, clicking on the link delivers the user to a survey page with the WhatsApp logo at the top. Not surprisingly, those who fall for the scam and start answering questions are then invited to share the link with 30 friends in order to be entered in the drawing to win.

Credit: ESET

“Apparently their goal here is click fraud – a highly prevalent monetization scheme that relies on racking up bogus ad clicks that ultimately bring revenues for the operators of any given campaign,” the report said. Because it can be repurposed to perform a variety of other functions, click fraud presents many different threats.

“Even though in this case we found no evidence that clicking the link led to the installation of malicious software or that there was any intention to phish for personal information, it doesn’t mean that this cannot change at any time.”

Researchers added that the domain used in this scam is also hosting other fraudulent offers purporting to come from high-profile companies, including Adidas, Nestlé and Rolex.

Source: Information Security Magazine

Russian Fake News Targeted Ukraine Elections

Russian state-sponsored trolls have been in action again, this time co-ordinating fake news efforts on social media designed to influence last week’s Ukraine elections.

The news was revealed by Facebook’s head of cybersecurity policy, Nathaniel Gleicher.

The campaign in Ukraine focused on two main areas: one originating in Russia which led to the removal of 18 Facebook accounts, nine pages, and three groups; and another originating from Russia and the Luhansk region of Ukraine which led to the removal of 83 Facebook accounts, two pages, 29 groups, and five Instagram accounts.

In the former, those behind the operation created fake accounts, impersonated dead Ukrainian journalists and hid their true location, as well as driving users to other websites. The activity involved frequent criticism of the Ukrainian government ahead of last week’s presidential elections.

The second operation involved users posing as members of the Ukrainian military and focused on the conflict in the east of the country, centered around Luhansk.

However, the activity stretched well beyond Ukraine to the other side of the world.

Gleicher explained that his team was also forced to remove 12 Facebook accounts and 10 Facebook pages after spotting a fake news effort in Thailand designed to influence public opinion. It appears to have links with the Russian state.

“The people behind this small network used fake accounts to create fictitious personas and run pages, increase engagement, disseminate content, and also to drive people to off-platform blogs posing as news outlets,” he said.

“They also frequently shared divisive narratives and comments on topics including Thai politics, geopolitical issues like US-China relations, protests in Hong Kong, and criticism of democracy activists in Thailand. Although the people behind this activity attempted to conceal their identities, our review found that some of this activity was linked to an individual based in Thailand associated with New Eastern Outlook, a Russian government-funded journal based in Moscow.”

Facebook also removed 181 accounts and 1488 pages involved in a coordinated inauthentic activity campaign in Honduras. It traced back these efforts to social media managers in the government there.

Source: Information Security Magazine

UK Abused Access to EU Database For Years: Report

The UK has been slammed for illegally copying and sharing a database of EU citizens, but is taking “practical steps” to address the issue, according to a new report.

European commissioner for security, Julian King, refused to cite the UK by name when challenged on the findings of a classified report revealed by EU Observer.

He told the site, “those are meant to be confidential discussions that we have with the individual member states.”

However, King did say that measures were being taken to address the failings outlined in the report.

It apparently details how the UK broke data protection laws by making multiple copies of the EU’s Schengen Information System (SIS) database, which contains the details of suspects, undocumented migrants and others wanted by the police.

Although the UK is not in the free-travel Schengen zone, it has been granted access to the SIS since 2015 for security purposes.

It’s claimed that the multiple copies exposed the data to an increased risk of loss or theft, as did the UK government’s sharing of the information with contractor IBM, which may have been obliged to hand it over to the US authorities under the terms of the Patriot Act.

The report also claims that as the database is continually updated, the UK’s versions, stored on laptops and PCs at airports and in government offices, are always out-of-date, meaning some individuals could be wrongly identified.

Together, these issues “constitute serious and immediate risks to the integrity and security of SIS data as well as for the data subjects,” the report is said to have stated.

However, King claimed it wasn’t just the UK which had fallen short on data protection best practice.

“It is not just one member state that has some challenges in this area, there are a number of member states that have challenges in this area,” he said.

The revelations come at a crucial juncture as the UK seeks to leave the EU following a change of Prime Minister and accession of a right-wing government. One of the key areas of discussion between negotiators on both sides is security, with the UK looking to maintain access to such databases and other information-sharing agreements.

Source: Information Security Magazine

E-Retailers Need to Prepare For Holiday Spikes

Web traffic during Amazon Prime Day, in which 250 e-commerce merchants participated, reflected a significant uptick in the US, according to Akamai.

The fifth annual event spanned 48 hours this year, resulting in a 14% spike in web traffic. “This increase in participation and strong revenue figures mean that traffic was up as shoppers researched and purchased items. We tabulated and analyzed aggregate statistics from global online retail traffic that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points. For our baseline, we used the month of June 2018 and did not adjust for the fact that 2018 Prime Day was 36 hours vs. 48 hours for Prime Day 2019,” according to a July 25 blog post.

Interestingly, the surge in US traffic was accompanied by a decline in global traffic, “with the exception of LATAM, where baseline traffic increased nearly three times as much as the US,” according to the research.

Consumers are increasingly using mobile for online shopping, which was reflected in the research as well. “Looking at just Prime Day 1, the year-over-year change shows a healthy increase (12.94%) for mobile, with a decrease for desktop and a very large drop (-21.42%) for tablets,” the report said.

The report warned that retailers need to be aware of these spikes in traffic in order to prepare for future online sales and the holiday season, according to Akamai’s Chris Wraight. “Also, the growing number of shoppers who use their mobile device to research means that it is vital to present images and videos quickly, regardless of device, browser or connection speed,” wrote Wraight.

With a spike in traffic comes the additional threat of cyber-attacks. The report also found that “nearly 10 billion total bot attacks during the 48 hours of Prime Day is equal to the number of retail-specific bot attacks we detected from May to December 2018. Prime Day was very attractive to threat actors due to the high visibility of Prime Day and the larger number of retailers offering their own promotions. Detecting, correctly interpreting and remediating credential stuffing attacks needs to be a top priority of retailers, especially going into the Q4 holiday peak traffic season.”

Source: Information Security Magazine

Uptick in Ransomware, Mobile Banking Malware

Ransomware dominated the first half of 2019, while mobile banking malware threats grew by more than 50% from 2018 to 2019, according to Check Point’s Mid-Year Trends Report.

“This year collaborations between threat actors allowed even more destructive attacks that paralyzed numerous organizations worldwide. What ends with a ransomware attack usually starts with a more silent sequence of bot infections,” the report said.

Though there was an 18% decrease in the number of global organizations impacted by crypto-miners from 2018 to 2019, the report found a sharp increase in supply chain attacks. “Software supply chain attacks attracted public and government attention,” the report said.

“In such attacks threat actors inject malicious code into components of legitimate applications, victimizing a large number of unsuspecting users. The accumulation of several cases since the beginning of the year led the American government to devote special attention to this evolving threat and will soon publish official recommendations on ways to minimize the impact of such attacks.”

In addition, the vast majority (90%) of attacks leveraged older vulnerabilities that were registered in 2017 or earlier, and more than 20% of attacks used vulnerabilities that are at least seven years old, according to the research.

2019 has also seen a surge in sextortion scams and business email compromise (BEC). “This year saw the sextortion scammers doing everything possible to make their victims worried enough to pay up and avoid the publication of the alleged sexual materials. This mainly includes providing the victim’s personal credentials as evidence, which were usually leaked in previous data breaches or purchased in underground forums,” the report said.

Also on the rise are attacks targeting resources and sensitive data in public cloud environments. According to the report, “So far this year, cloud cryptomining campaigns stepped up, upgraded their technique set and were capable of evading basic cloud security products, abusing hundreds of vulnerable exposed Docker hosts and even shutting down competitors’ cryptomining campaigns operating in the cloud.”

Source: Information Security Magazine

Silicon Valley Issues Election Security Report

A San Mateo, California, grand jury issued a report this week focusing on San Mateo County’s email and online communication platforms, which are vulnerable to hijacking and to propagating disinformation in the guise of election instructions or announcements.

“Imagine that a hacker hijacks one of the County’s official social media accounts and uses it to report false results on election night and that local news outlets then redistribute those fraudulent election results to the public. Such a scenario could cause great confusion and erode public confidence in our elections, even if the vote itself is actually secure,” the report said.

In San Mateo County, the Assessor–County Clerk–Recorder and Elections (ACRE) office uses email, social media and its website to collect voter information directly from local election offices. Attackers hijacked the election results webpage in 2010; six years later, the county suffered a breach resulting from a spear-phishing email.

After analysis, the grand jury determined that “the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure,” according to the report.

The report goes on to make specific recommendations that include the use of FIDO physical security keys, which Satya Gupta, CTO of Virsec, said is a bit unsettling. “Two-factor authentication should be the norm for any important business transaction and is used and offered by most online services. Intercepting SMS codes with a [man-in-the-middle] attack is actually quite difficult, and hardware authentication devices, while more secure, are less practical to distribute widely and securely. Stepping back, the real problem seems to be county agencies using social media platforms to communicate official business. Stronger authentication may help but will not stop the torrent of false social media information we should expect during this election cycle.”

The fact that two-factor authentication isn’t already being used is very appalling to Pierluigi Stella, CTO of Network Box USA, who pointed out that “in 2019, a grand jury should not be the body that has to propose the adoption of what should be obvious security measures.”

“The people running the security policies of the institutions that are in charge of the election process are not forcing the issue and ensuring the adoption of the highest security standards already. We do not need a grand jury to state the obvious. These situations baffle me to no end. Two-factor authentication may not be the ultimate solution, yes, but it surely goes a long way towards making hackers' lives miserable, hence enhancing and augmenting the element of data safety,” Stella said.

Source: Information Security Magazine

Louisiana Governor Declares Emergency After Ransomware Blitz

The governor of Louisiana has declared a state of emergency after ransomware attacks knocked out IT systems in three school districts.

The outages occurred in Sabine, Morehouse, and Ouachita parishes in North Louisiana, with the declaration made to ensure that cybersecurity experts from the state’s National Guard, State Police, Office of Technology Services and others are on hand to help local governments respond.

“The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since,” said John Bel Edwards in a statement.

“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat.”

It’s not the first time such a declaration has been made; something similar happened in Colorado in 2018 after a SamSam attack crippled local services. The latest incident, however, highlights the continued threat posed by ransomware.

In South Africa, some Johannesburg residents have suffered power outages after local provider City Power was hit by ransomware on Thursday morning, local time. Customers are unable to access the firm’s website for information and suppliers are unable to log invoices, it said in a series of tweets over the past few hours.

“City Power will continue to work throughout the night to recover the systems and restore remaining applications. We are hoping that if everything goes according to plan, everything should be restored by Friday,” it said.

Ilia Kolochenko, founder of security firm ImmuniWeb, argued that this is just the beginning.

“Cities, and especially their infrastructure sites, are usually a low-hanging fruit for unscrupulous cyber-gangs. These victims will almost inevitably pay the ransom as all other avenues are either unreliable or too expensive. Cryptocurrencies make such crimes technically impossible to investigate in most cases, letting the wrongdoers enjoy impunity,” he added.

“Law enforcement agencies are already overburdened with an increasingly growing pipeline of sophisticated investigations, often aggravated by continuous lack of financing and unfriendly colleagues from foreign jurisdictions. Unless governments develop, finance and duly enforce security regulations purported to safeguard cities and municipalities, we will soon dive into a darkness, facing grave accidents involving airports and other objects of critical infrastructure.”

Source: Information Security Magazine

Russia Targeted Election Systems in All 50 US States

Voting infrastructure in all 50 US states was probably infiltrated by Russian intelligence over the past few years, according to a new Senate Intelligence Committee report.

Although there’s no evidence that any votes were changed or any voting machines were manipulated, the heavily redacted report does reveal that hacking activity began as far back as 2014 and continued into “at least 2017.”

Investigators from the FBI and Department of Homeland Security (DHS) analyzed the activity of suspect IP addresses discovered in 2016 and came to the conclusion that Russian activity was far more widespread than the 21 states previously assumed to have been targeted.

“DHS assessed that the searches, done alphabetically, probably included all 50 states, and consisted of research on general election-related web pages, voter ID information, election system software, and election service companies,” the report claimed.

“State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.”

Although there were opportunities to interfere with voting, the hackers, who displayed TTPs associated with Russian state-sponsored actors, appear to have chosen not to in 2016. However, this could change next time around, the report warned.

“If Russia’s preferred candidate does not prevail in the 2020 election, the Russians may seek to delegitimize the election,” it argued. “The absence of any successful cyber intrusions, exfiltrations or manipulations would greatly benefit the US public in resisting such a campaign.”

Piers Wilson, head of product management at Huntsman Security, warned that hackers have a good chance of being successful in future elections, and governments must focus on improving their response.

“The operation of voter registration systems; the design, build and operation of electronic voting systems; the management of polling booths – all depend on technology, and hence knowing how well defended these disparate systems are is no different,” he said.

“There will always be actors looking to disrupt the democratic process so governments must be able to react swiftly to any attacks, and have the right contingency plans in place to keep the faith of the electorate.”

Source: Information Security Magazine