Archive for the News Category

TeslaCrypt Posing as USPS in Ransomware Campaign

AppRiver has issued a warning about a current TeslaCrypt ransomware campaign that mimics the United States Postal Service (USPS).

According to the company, the TeslaCrypt operators are targeting users with emails that carry USPS colors and graphics and include an attachment purporting to be an invoice receipt for a failed delivery attempt. Inside the zipped archive is a short, lightly obfuscated JavaScript file that acts as the downloader.

The archive is named USPS_delivery_invoice[.]zip, and the JavaScript files inside it follow one of three naming conventions: invoice_[random string].js, invoice_copy_[random string].js, or invoice_scan_[random string].js.

Once executed, the JavaScript downloader reaches out to one of several websites, including mafiawantsyouqq[.]com, lenovowantsyouff[.]com, whereareyoumyfriendff[.]com, lenovomaybenotqq[.]com and ikstrade.co[.]kr, to pull down files such as 93[.]exe, 45[.]exe and 26[.]exe, among others using the same naming convention. Some versions also make an HTTP POST request to salaeigroup[.]com.
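A mail-gateway style triage check built on the naming conventions described above (an added example, not code from AppRiver or the original article). It flags the lure's archive and member names and, generalizing slightly beyond the report, any script file carried inside an attached archive; the sample attachment and its placeholder content are constructed here.

```python
"""Triage ZIP e-mail attachments against the USPS-themed TeslaCrypt lure.

Constructed example: the archive/member name patterns come from the
AppRiver description; the script-extension rule is a defender's
generalisation of "a JavaScript downloader inside a receipt archive".
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Naming conventions from the report (matched case-insensitively).
ARCHIVE_NAME_RE = re.compile(r"^usps_delivery_invoice\.zip$", re.IGNORECASE)
MEMBER_NAME_RE = re.compile(r"^invoice(?:_copy|_scan)?_[a-z0-9]+\.js$", re.IGNORECASE)

# Generalisation: script types that never belong inside a "delivery receipt".
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")


@dataclass
class Verdict:
    suspicious: bool = False
    findings: list = field(default_factory=list)


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Inspect one attachment (name + raw bytes) and explain any suspicion."""
    verdict = Verdict()
    if ARCHIVE_NAME_RE.match(filename):
        verdict.findings.append(f"archive name matches lure: {filename}")

    # A non-ZIP payload can still be flagged on its name alone.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        verdict.suspicious = bool(verdict.findings)
        return verdict

    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            member = info.filename.rsplit("/", 1)[-1]  # basename only
            lowered = member.lower()
            if MEMBER_NAME_RE.match(member):
                verdict.findings.append(f"member name matches lure: {member}")
            elif lowered.endswith(SCRIPT_EXTENSIONS):
                verdict.findings.append(f"script file inside archive: {member}")
            # The lure's downloader is a short script; record the size too.
            if lowered.endswith(SCRIPT_EXTENSIONS) and info.file_size < 4096:
                verdict.findings.append(f"small script ({info.file_size} bytes): {member}")

    verdict.suspicious = bool(verdict.findings)
    return verdict


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Build a constructed attachment in memory (content is a harmless placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip("invoice_scan_a1b2c3.js", b"// placeholder, not a real downloader\n")
    print(triage_attachment("USPS_delivery_invoice.zip", lure))
    benign = build_sample_zip("receipt.pdf", b"%PDF-1.4 placeholder")
    print(triage_attachment("receipt.zip", benign))
```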

Fred Touchette, Manager of Security Research at AppRiver, advised users to “remain aware and vigilant as these ransomware attacks show no real sign of slowing down; in fact they seem to be highly effective.”

PandaLabs Technical Director Luis Corrons told Infosecurity that campaigns such as this can be extremely damaging, especially for small- to medium-sized companies, which can find themselves forced either to pay the attackers’ demands or to face the closure of their business.

However, he explained there are several things organizations can do to be as protected and prepared as possible.

These include ensuring antivirus protection is integrated with “proactive technologies that can block ransomware”, educating users by “showing them examples of these types of fraudulent emails” and making sure “software is updated in all endpoints and servers to stop infections via exploit kits.”

Source: Information Security Magazine

CIOs: Hackers Hiding in Encrypted Traffic is Major Threat

Some 90% of CIOs have either been attacked or are expecting to be because cyber-criminals have managed to use encrypted traffic to hide their activity, according to a new study by Venafi.

The security vendor commissioned Vanson Bourne to poll 500 CIOs from large enterprises in France, Germany, the US and the UK to compile its new report, 2016 CIO Study Results – The Threat to Our Cybersecurity Foundation.

The study paints the picture of a security industry undermined and weakened by the misuse of keys and certificates.

An alarmingly high proportion of respondents (85%) said they expect incidents of misuse to get worse because current systems blindly trust keys and certificates and the vast majority of organizations have little visibility into their current environment.

A further 87% of CIOs claimed that security controls are failing because they can’t inspect malicious activity or data exfiltration inside encrypted traffic.

This could amount to millions wasted on traditional security tools, Venafi argued.

The problem is only going to get worse, with Gartner predicting 50% of network attacks will come over encrypted traffic by 2017. It’s no surprise that a vast majority of respondents (87%) said they thought the black market in keys and certs is set to rocket.

Compounding the problem are initiatives to increase the number of keys and certificates within organizations.

So-called ‘Fast IT’ efforts designed to deliver quick results will increase the amount of software within organizations and therefore the number of keys and certs, the report claimed. Nearly eight in 10 (79%) CIOs expect the speed of DevOps to make it more difficult to know what is trusted and what is not.

'Encryption Everywhere' initiatives driven by fears of NSA snooping in the wake of the Edward Snowden revelations have also got CIOs worried – 95% claimed they are concerned about how to securely manage and protect all encryption keys and certificates in light of such plans.

That’s not to mention the advent of free encryption services like Let’s Encrypt and AWS Key Management Service.

Venafi chief security strategist, Kevin Bocek, argued that the increasing use of these would create a “security lite” version of certificates hosted in the cloud “which gives hackers an easier time.”

“As developers begin to use these free services, it’s even harder for organizations to know which certs can actually be trusted. Worse still, this is an issue affecting at least eight out of 10 CIOs,” he told Infosecurity by email.

“This can lead to an outright crisis of trust; developers will live fast and security teams will be scrambling to keep up. As time goes on and we see more business turn to the convenience and cost-effectiveness of free certs, the whole foundations of our digital world could begin to crack; the economic impact of which could be huge.”

Source: Information Security Magazine

FBI Served Apple 12 Other iPhone Access Requests

Apple has been served with at least 12 additional requests by the US government in recent months to break into iPhone devices, it has been revealed, undermining the FBI’s argument that it isn’t trying to set a precedent with the San Bernardino case.

Unsealed court documents filed by Apple attorney Marc Zwillinger, in response to a magistrate’s order from a Brooklyn court, show that the requests were made in various US jurisdictions since last October, all under the controversial All Writs Act.

Apple objected in 10 cases, has requested but not received a copy of the underlying motion in another and is waiting to receive a new warrant in the final case.

Not all of these cases are like the one involving San Bernardino shooter Syed Rizwan Farook: some relate to older iPhone models from which Apple can extract data more easily, even when they are locked.

However, some involve newer iOS versions (iOS 8 or later) with the same kind of strong passcode-based data encryption that Apple claims it is being ordered to effectively backdoor in order to allow the FBI to ‘brute force’ Farook’s device.

This would seem to at least undermine FBI director James Comey’s argument in an open letter over the weekend that “the San Bernardino litigation isn’t about trying to set a precedent or send any kind of message.”

In fact, it goes to the heart of the argument between Apple and the FBI.

The tech giant is claiming that if it accedes to this request now it could not only set a legal precedent for the Feds to follow but also potentially lead to the backdoor falling into the hands of cybercriminals, undermining security for millions of its customers.

The FBI claims what it is seeking is “limited and its value increasingly obsolete because the technology continues to evolve.”

Apple’s position has been backed by several Silicon Valley rivals including Google and Facebook, but Bill Gates is more skeptical – despite denying he is siding with the FBI as reported in the Financial Times.

Source: Information Security Magazine

Check Point Announces Breach Detection and Operation Technology Partnerships

Check Point has announced partnerships with SCADAfence and GuardiCore to secure smart manufacturing networks and protect critical assets in the modern data center.

The collaboration between SCADAfence and Check Point mitigates the risks that come with connecting operational technology networks to traditional information technology networks in the pharmaceutical, chemical, automotive and food and beverage industries, including operational downtime, process manipulation and theft of intellectual property.

“Check Point’s ICS/SCADA cyber security solutions provide advanced threat prevention paired with ruggedized appliance options and comprehensive protocol support with full visibility and granular control of SCADA traffic in order to ensure vital industrial assets are never compromised,” said Alon Kantor, vice president of business development, Check Point.

“We are pleased to have SCADAfence join us in offering an augmented solution to help keep customers one step ahead in securing these critical infrastructure and industrial control organizations.”

Also, GuardiCore’s breach detection technology, a core component of its Data Center Security Suite, has been integrated with Check Point to help organizations better protect their data centers from targeted attacks. GuardiCore now works with Check Point vSEC Virtual Gateways to provide real-time data center breach intelligence, allowing administrators to block ongoing and future attacks inside the data center and at the perimeter.

Once GuardiCore detects a breach inside the data center, it provides Indicators of Compromise to Check Point Security Gateways using the STIX API, allowing security administrators to block future attacks in the data center and at the perimeter.

Kantor said: “Integrating Check Point vSEC Virtual Gateways with IOCs generated by GuardiCore enhances our comprehensive security platform. Now, our customers can quickly detect breaches and block future attacks by securing virtual machines (VMs) and applications with the full range of protections of the Check Point Software Blade architecture.”

Source: Information Security Magazine

MouseJack Flaw Affects Billions of Devices

A massive security risk in wireless mice and keyboard dongles is leaving billions of PCs, Macs and millions of enterprise networks at risk.

Using an attack that Bastille researchers have named “MouseJack,” attackers can remotely compromise the mice from up to 100 meters away. Once paired, the MouseJack operator can inject keystrokes or malicious code with the full privileges of the PC owner and infiltrate networks to access sensitive data. The attack operates at the keyboard level; therefore PCs, Macs and Linux machines using wireless dongles can all be victims.

Affected vendors include Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte and AmazonBasics, but most non-Bluetooth wireless dongles are vulnerable.

“MouseJack poses a huge threat, to individuals and enterprises, as virtually any employee using one of these devices can be compromised by a hacker and used as a portal to gain access into an organization’s network,” said Chris Rouland, founder, CTO, Bastille. “The MouseJack discovery validates our thesis that wireless internet of things (IoT) technology is already being rolled out in enterprises that don’t realize they are using these protocols.”

As protocols are being developed so quickly, they have not been through sufficient security vetting, he added: “The top 10 wearables on the market have already been hacked and we expect millions more commercial and industrial devices are vulnerable to attack as well. MouseJack underscores the need for security across the entire RF spectrum as exploitation of IoT devices via radio frequencies is becoming increasingly popular among the hacker community.”

The MouseJack vulnerability affects a large proportion of wireless mice and keyboards, and these devices are ubiquitous and often found in sensitive environments. While some vendors will be able to patch the MouseJack flaw with a firmware update, many dongles were designed not to be updatable. Consumers will need to check with their vendor to determine whether a fix is available, or consider replacing their existing mouse with a secure one.

“Wireless mice and keyboards are the most common accessories for PCs today, and we have found a way to take over billions of them,” said Marc Newlin, Bastille’s engineer responsible for the MouseJack discovery. “MouseJack is essentially a door to the host computer. Once infiltrated, which can be done with $15 worth of hardware and a few lines of code, a hacker has the ability to insert malware that could potentially lead to devastating breaches. What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise.”

Source: Information Security Magazine

(ISC)2 Opens Noms for US Government Security Awards

(ISC)2 has opened the nominations process for its 2016 U.S. Government Information Security Leadership Awards (GISLA).

The GISLA program, which is sponsored by the (ISC)2 U.S. Government Advisory Council (USGAC), was established in 2004 as part of (ISC)2’s effort to recognize government information security leaders whose commitment to excellence is helping to improve government information security and to advance an in-demand workforce.

Awards are given in several categories to recognize individuals whose initiatives in the areas of technology improvement, process/policy improvement, workforce improvement and as an up-and-comer have led to significant improvements in the security posture of a department, agency or the entire US government. Awards are also given for outstanding team projects in the areas of community awareness and industry partnership.

“Each year, GISLA nominees demonstrate that people can be their organization’s greatest cybersecurity asset,” said Dan Waddell, (ISC)2 managing director, North America Region, and director, U.S. Government Affairs. “Through the GISLA program, (ISC)2 is in the unique position to set the bar for the future workforce and to validate to organizations that investing in the human element of security will yield a high return.”

A nominations committee composed of senior information security experts from government and industry will review and select winners from the six categories of finalists based on the selection criteria and eligibility requirements. The submission deadline for nominations is March 11, 2016.

(ISC)2 officials, sponsors and others will honor the 2016 GISLA recipients at a gala dinner and awards ceremony being held on May 19, 2016, in conjunction with (ISC)2’s CyberSecureGov training event in Washington D.C.

Source: Information Security Magazine

Most SSL VPNs are Wildly Insecure

VPNs are a time-worn fixture of the enterprise landscape, allowing users to securely access a private network and share data remotely through public networks. Unfortunately, they’re also often full of security issues, like the fact that 77% of tested SSL VPNs still use the insecure SSLv3 protocol.

High-Tech Bridge conducted large-scale Internet research on live, publicly accessible SSL VPN servers and found that, in addition, only about a hundred of the tested servers still support SSLv2.

“SSLv3 protocol was created in early 1996,” explained the firm in its report. “Today, its failings are recognized and it’s not recommended, with the majority of international and national security standards and compliance norms, such as PCI DSS or NIST SP 800-52, prohibiting its usage due to numerous vulnerabilities and weaknesses discovered in it over the years.”

About three-quarters (76%) of tested SSL VPNs also use an untrusted SSL certificate. An untrusted certificate allows a remote attacker to impersonate the VPN server, perform man-in-the-middle attacks, and intercept all the data, including files, emails and passwords, that the user passes over the allegedly “secure” VPN connection. The largest risk observed was the use of default pre-installed certificates from the vendors.

The bad news doesn’t end there: 74% of certificates have an insecure SHA-1 signature, despite the fact that the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, as the algorithm’s weaknesses can potentially allow an SSL certificate to be forged, impersonating a server and intercepting critical data.

About 41% of SSL VPNs use an insecure 1024-bit key length for their RSA certificates, which are used for authentication and encryption key exchange. An RSA key length below 2048 bits is considered insecure and allows various attacks.

10% of SSL VPN servers that rely on OpenSSL are still vulnerable to Heartbleed. Only 3% are compliant with PCI DSS requirements, and none is compliant with NIST guidelines, which are considered the minimum required level of security.

Overall, less than 3% of tested SSL VPNs got the highest “A” grade for security, while almost 86% got the lowest failing “F” grade.

“Today many people still associate SSL/TLS encryption mainly with HTTPS protocol and web browsers, and seriously underestimate its usage in other protocols and Internet technologies,” said Ilia Kolochenko, CEO of High-Tech Bridge. “A lot of things can be done to improve reliability and security of SSL VPNs.”

Source: Information Security Magazine

Last Year 700 Million Records Were Compromised

Over 700 million data records were compromised last year thanks to 1,673 data breaches, according to digital security firm Gemalto.

The vendor tracks publicly available global breach data and ranks incidents according to their impact to compile its Breach Level Index.

In 2015, 22 records were lost every second, yet in only 4% of cases was strong encryption used to render the stolen data useless to the attacker.

The majority of incidents (53%) were related to identity theft rather than financial access (22%) or account access (11%).

This is a shift away from a pattern of previous years, when credit card and other financial data was the main target for cybercriminals, according to Gemalto data protection CTO, Jason Hart.

He argued that it’s hard to remediate attacks compromising personal data.

“As companies and devices collect ever-increasing amounts of customer information and as consumers’ online digital activities become more diverse and prolific, more data about what they do, who they are and what they like is at risk to be stolen from the companies that store their data,” Hart added.

“If consumers’ entire personal data and identities are being co-opted again and again by cyber thieves, trust will increasingly become the centerpiece in the calculus of which companies they do business with.”

Malicious outsiders accounted for the majority of breach incidents (58%), with accidental loss (24%) and then malicious insiders (14%) coming next.

However, some argue that the damage and costs associated with insider threats can often outweigh those that stem from external attackers.

Over three-quarters of breaches (77%) happened in North America – although the high number could be down to mandatory notification laws there. Europe (12%) and APAC (8%) came next.

Government was by far the most targeted sector, accounting for 43% of records lost, followed by healthcare (19%). That makes sense considering the major attacks on the US OPM, and health companies Anthem and Premera.

More than 3.6 billion data records have been exposed since 2013, when Gemalto began the index.

Source: Information Security Magazine

TEISS – Brexit Will be Damaging for Information Sharing Initiatives

The potential British exit from the European Union could disrupt the major engine for economic growth that is the internet.

Speaking in a panel session at The European Information Security Summit in London, Adrian Davis, Managing Director of (ISC)2, said the potential “Brexit” will affect the political side of sharing, but not the professional side.

“The thing to remember, it is a political decision that will affect the political side of sharing, but not professionals as they have social networks across industries and I’d argue that if we do leave, more people to leave to rebuild those links,” he said.

“It comes down to one simple thing: if we don’t share the bad guys will win and destroy trust, and ruin one of the best engines for economic growth of the last 15-20 years. We have to build trust in the internet and maintain trust regardless of politics.”

Also on the panel was Mike McLellan, head of incident handling at CERT UK. He said that from the perspective of the response team, the exit could affect the EU stance on mandatory reporting and the requirement to report breaches. “That could be something we lose out on, but it is important depending on focus,” he said.

The panel focused on building trust and sharing information. Davis claimed that we have to share information, be it process, technology or product. “If you don’t share you cannot deliver, and anyone can copy it and you cannot recoup the cost,” he said.

“What you don’t know will hurt you – Target will attest to that. If suppliers don’t look after information and if you are connected over internet or personally, your risks have changed to a level that you cannot express.”

McLellan agreed, saying that you need trust as the attacker is good at that and works at scale, and we need to work to build more trust more quickly across organizations.

However he called for better sharing of information in formats that are useable, as current reports in PDF format are time consuming and do not scale well. He said: “We work closely with the OASIS group so we share in a structured format, but it doesn’t matter what format it is in as long as it is known.”

Scott Algeier, executive director of IT-ISAC, said that information is not the goal, but instead should be treated as a tool. He said: “The goal is to implement risk management practices and too often we see information sharing as the goal, but we need to do it better. There are advanced companies who can consume STIX and some who cannot, but you still have small companies for whom this is not that useful.

“In ISAC there are members who can consume it and others who cannot, so it is important to understand what best practice is for you, and target specific campaigns and identify subsets of member companies of like-minded companies in addition to sharing new threat reports and information exchange.”

Source: Information Security Magazine

MasterCard Set for Global ‘Pay-by-Selfie’ Launch

Credit card giant MasterCard is set to extend its ‘pay-by-selfie’ facial recognition technology to 14 countries including the UK this summer as part of its ongoing attempt to crack down on identity fraud.

The firm told the FT that the decision was made after trials of the system in the US and the Netherlands went well.

It means that UK customers will soon be able to complete their online purchases simply by taking a photo of themselves via their smartphone.

The idea is that, like other biometric authentication systems, it will reduce the risk of identity fraud because it doesn’t rely on the user inputting passwords or other credentials which can be phished and reused by scammers.

The card giant is also said to be trialing iris and voice recognition technology, as well as a system which authenticates by measuring the user’s heartbeat via a connected bracelet device.

Paco Garcia, CTO at UK start-up Yoti, welcomed the news from MasterCard.

“By offering an alternative to the hassle of remembering passwords and usernames, they are making their customers’ lives easier and more secure,” he argued.

“The key challenge for any of the selfie authentication solutions we are seeing emerge at the moment is ensuring the right live person is in front of their phone.”

Intel Security CTO, Raj Samani, also welcomed the news.

“In today’s technology driven world, it’s about time passwords caught up and evolved with it, because the reality is there have been many developments in the security industry that don’t rely on consumer memory to keep information secure anymore – one being biometric security,” he argued.

It’s thought the new service will appeal particularly to younger customers, who are used to taking selfies with their phones.

According to Get Safe Online, the top 10 internet fraud campaigns between September 2014 and August 2015 cost the UK over £268 million.

The average sum stolen was £738 per person, it claimed.

Meanwhile, the Office for National Statistics estimated 5.1 million cases of fraud in the UK over the past year, although this figure also includes offline incidents.

Source: Information Security Magazine