Archive for the News Category

Akamai Bot Manager Takes Aim at Bot Traffic


The scourge of the bots shows no sign of waning: A fresh study shows that upward of 60 percent of an organization’s Web traffic may be generated by programs that operate as an agent for a user or another program or simulate human activity.

The finding has prompted Akamai Technologies to debut the Akamai Bot Manager, aimed at helping users better identify and understand what types of bot traffic are hitting their sites.

Nearly all online businesses can be impacted by various types of bot traffic. This traffic may include scrapers that grab content or price information, automated “clicks” that fraudulently increase ad revenues and transactional bots that can be used to purchase limited availability goods and services, making them unavailable to legitimate customers.

Further, there are situations where the impact of bot activity on the business may be beneficial, while the impact on site performance is not. As such, organizations require a way not only to identify the type of bot activity they are experiencing, but also to provide a variety of techniques to most effectively respond to different types of bot traffic beyond simple blocking. In the case of malicious bots, simply blocking them alerts the bot operator that protections are in place and triggers the bot to evolve in order to better evade detection.

Instead, Akamai Bot Manager uses a variety of management techniques—slowing or delaying bot traffic, serving alternate content, redirecting to an alternate origin, or identifying bot traffic and allowing customers to take independent action.

“Bot activity is in many ways a ‘cost of doing business’ when you sell online, and up until now, there has not been a good way to achieve the visibility into bot traffic necessary to make truly informed decisions,” said William Avellan, IT director at internet retailer U.S Auto Parts Network. “With Bot Manager, we have the information we need to solve all of the bot problems we’ve been facing including content theft, price scrapers, and even identifying the IP transit providers hosting these bots.”

Bot Manager also ships with a directory of more than 1,300 pre-defined bot signatures in 15 categories of legitimate web and business services, making it easier to rapidly identify commonly seen bot traffic. Companies can also create custom bot signatures and categories that reflect the impact new or unique bots have on their business and IT infrastructure.

Detection features include the automatic identification of clients that have engaged in web scraping behavior against other Akamai customers; customers can then apply a unique management policy to each custom or pre-defined category.

“The web is full of bots and until now, companies had two choices, block them or suffer in silence. Unfortunately, neither choice was ideal,” said Stuart Scholly, senior vice president and general manager, Cloud Security Solutions, Akamai. “With Bot Manager, we’re changing the game when it comes to bots. We’re giving our customers the power and flexibility to put a true bot management strategy in place that best fits their business goals and objectives.”

Photo © Ken Wolter/

Source: Information Security Magazine

Dangerous RCE Flaws Found in Popular E-Com Software


Security experts have gone public with two Remote Code Execution vulnerabilities branded high-risk, after the e-commerce software vendors responsible failed to patch the issues despite being told about them at the end of December.

High-Tech Bridge Security Research Lab revealed the flaws in popular software providers osCommerce and osCmax in separate advisories yesterday, having notified the firms privately on 21 December.

Both are remote code execution flaws that sit behind the administrative panel and become reachable by an unauthenticated attacker because the panel lacks Cross Site Request Forgery (CSRF) protection; each has been given a CVSSv3 base score of 5.3, which is only “medium” on paper. However, the security vendor claimed both are easily exploitable by social-engineering a logged-in administrator into visiting a page, so in reality they are a much bigger threat to customers.

The osCommerce flaw has a particularly wide blast radius, as the project claims to serve over 280,000 e-commerce store owners worldwide.

“The vulnerability can be exploited to execute arbitrary PHP code on the remote system, compromise the vulnerable web application, its database and even the web server and related environment,” the advisory noted.

“Successful exploitation of the vulnerability requires the attacker to have access to the administrative panel; however, it can also be successfully exploited by a remote non-authenticated attacker via a CSRF vector, to which the application is also vulnerable.”

High-Tech Bridge found two RCE via CSRF flaws in popular e-commerce and shopping cart application provider osCmax.

They’re characterized as PHP Local File Inclusion vulnerabilities and can be exploited to execute arbitrary PHP code on the target system.
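As an added example (written for this page, not code from High-Tech Bridge’s advisories or from osCommerce/osCmax), the Python sketch below models the two defects the advisories describe and how to close them: an admin action that includes a file named by a request parameter, and the absence of any CSRF check, which lets an unauthenticated attacker drive a logged-in administrator’s browser into that action. The function names, the page allow-list, the site origin and the server key are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret for deriving CSRF tokens (assumption: loaded from config in practice).
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://shop.example"  # constructed example origin

# Allow-list mapping a page parameter to a file; anything else is refused (assumption).
ADMIN_PAGES = {
    "orders": "admin/orders.php",
    "customers": "admin/customers.php",
}


def csrf_token(session_id):
    """Per-session synchronizer token: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted):
    """Constant-time comparison; a missing token is always invalid."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def resolve_page_vulnerable(page):
    """Mirrors include($_GET['page']): the caller controls the path, so a
    traversal string reaches any readable file, e.g. an uploaded image that
    holds PHP code (the local-file-inclusion primitive the advisory describes)."""
    return page


def resolve_page_hardened(page):
    """Only allow-listed keys resolve; no user-supplied path ever reaches include."""
    if page not in ADMIN_PAGES:
        raise ValueError("unknown admin page")
    return ADMIN_PAGES[page]


def handle_admin_action(session, form, headers, hardened=True):
    """Simulated admin endpoint. `session` is what the cookie identifies; the browser
    attaches that cookie to cross-site requests too, which is what CSRF abuses.
    Returns (status, detail)."""
    if not session.get("admin"):
        return 401, "login required"
    if hardened:
        # Reject cross-site submissions: Origin (when present) must match the site,
        # and the synchronizer token must match the one tied to this session.
        origin = headers.get("Origin")
        if origin is not None and origin != SITE_ORIGIN:
            return 403, "cross-origin request refused"
        if not csrf_valid(session["sid"], form.get("csrf")):
            return 403, "missing or invalid CSRF token"
        try:
            return 200, resolve_page_hardened(form.get("page", ""))
        except ValueError as exc:
            return 400, str(exc)
    # Vulnerable path: no origin or token check, attacker-controlled include path.
    return 200, resolve_page_vulnerable(form.get("page", ""))
```

The forged request carries the administrator’s valid session cookie but no token and a foreign Origin, so the hardened handler refuses it; the vulnerable handler happily includes whatever path the attacker’s page submitted.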

High-Tech Bridge CEO, Ilia Kolochenko, warned osCommerce admins to be careful not to open any suspicious links in emails, on social networks, or comms platforms like WhatsApp.

“However, modern spear-phishing campaigns can be very efficient; for example, many web-shop owners will immediately open a link coming from a client who has already spent $100 in the shop. Attackers can buy one product for $100 and get your whole customer database right after, to sell it for $100,000,” he told Infosecurity.

“Moreover, we saw cases when a CSRF exploit was hosted on a trusted website that victims regularly visit every day, minimizing any interaction with the victim.”

Source: Information Security Magazine

Instagram Set to Switch On Two Factor Authentication


Photo sharing platform Instagram is set to switch on two-factor authentication capabilities to improve account security for its users in a long overdue move.

The Facebook-owned company has over 400 million users to date, many of them corporate account holders or others who use the platform as a marketing channel and a means to interact with customers.

Now the firm has finally confirmed to TechCrunch that it is joining countless other web companies in rolling out added authentication security for users.

This will mean that soon, on log-in, users will be asked to link their account to a phone number.

If a hacker then tries to log in using a victim’s email address and password – which they’ve stolen or phished – they will not be able to complete the log-in process as they won’t have the one-time passcode sent to the account holder’s mobile. SMS codes are a weaker second factor than an authenticator app or hardware token, since a real-time phishing proxy or a SIM swap can capture them, but they still defeat the plain credential-stuffing and password-reuse attacks behind most account takeovers.
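Server-side handling of such a code, as an added example written for this page (not Instagram’s implementation): the service issues a random six-digit code, stores only a keyed hash of it, and enforces expiry, a guess limit and single use, so a stolen password plus a guessed or replayed code does not complete the login. The injectable `now` clock, the pepper and the limits are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: five-minute validity
MAX_ATTEMPTS = 5         # assumption: guesses allowed per issued code


@dataclass
class PendingCode:
    digest: bytes      # keyed hash of the code; the clear code is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issue and verify SMS-style one-time codes used as a second login factor."""

    def __init__(self, pepper, now=time.time):
        self._pepper = pepper   # server-side secret (assumption: from config)
        self._now = now         # injectable clock so expiry can be tested
        self._pending = {}      # user id -> PendingCode

    def _digest(self, user, code):
        return hmac.new(self._pepper, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for `user`, replacing any outstanding one.
        The returned value goes to the SMS gateway and must not be logged."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = PendingCode(self._digest(user, code),
                                          self._now() + CODE_TTL_SECONDS)
        return code

    def verify(self, user, code):
        """True exactly once for the right code, and only while it is valid."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self._pending[user]           # expired codes are discarded, not retried
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user]           # too many guesses: force a re-issue
            return False
        if hmac.compare_digest(pending.digest, self._digest(user, code)):
            del self._pending[user]           # single use: a replayed code fails
            return True
        return False


def login(service, user, password_ok, code):
    """The second factor is checked only after the first; both must pass."""
    return password_ok and service.verify(user, code)
```

Hashing the stored code with a server-side pepper means a leaked pending-codes table does not hand an attacker live codes, and the attempt cap keeps a million-code space from being brute forced within the five-minute window.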

The move comes over four years after parent company Facebook offered users the option of switching on two-factor authentication. Other big names providing the service include Google, Yahoo, Apple and Twitter.

In fact, it’s fast becoming the industry norm, so Instagram is somewhat late to the game here.

With phishing attacks becoming increasingly realistic and voluminous, and password-cracking tools readily available on the darknet, all web-facing firms really need to move to two-factor authentication to improve account security.

The infamous iCloud hack in particular showed the potentially damaging repercussions of not doing so.

While hacked Instagram accounts are unlikely to cause the same kind of embarrassment for the user, they still have the potential to send out irritating spam to followers, and could even damage account holders financially.

The report cited the case of artist Rachel Ryle, who uses the platform to share hand drawn stop-motion animations.

After someone hacked her account and began spreading spam, some 35,000 followers apparently unfollowed her, scuppering a hefty sponsorship deal she had lined up.

Image credit: tulpahn /

Source: Information Security Magazine

Hollywood Hospital Paid $17,000 Ransom to Decrypt Files


A Californian hospital struck by a ransomware infection which resulted in it being forced to cancel patient appointments has admitted it paid a $17,000 ransom to have key files decrypted.

The Hollywood Presbyterian Medical Center made headlines this week when it emerged that unnamed ransomware had effectively forced a lock down of IT systems.

Staff are said to have declared an internal emergency when it hit on 5 February and were forced to use pen and paper and fax machines as email and online patient records were inaccessible.

Reports at the time suggested lab work, X-rays and CT scans were affected, with outpatients forced to miss treatment and some patients even sent to other hospitals.

However, in a lengthy statement on the matter yesterday, hospital president and CEO Allen Stefanek argued that patient care had “not been compromised in any way.”

Original reports of a 9000 BTC ($3.8m) ransom being demanded were wide of the mark – the actual amount was a more modest 40 BTC ($16,880).

The hospital ended up paying that to the cyber-criminals behind the attack.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” said Stefanek.

“HPMC has restored its electronic medical record system (‘EMR’) on Monday, February 15th. All clinical operations are utilizing the EMR system. All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event.”

Given that law enforcers from the FBI and LAPD were said to have been drafted in to investigate the attack, it seems that their advice was to pay the ransom – hinting that the variant used was one which couldn’t be cracked, like Cryptowall.

In fact, it was reported last year that an FBI cyber specialist and assistant special agent told attendees at a conference that some ransomware is so good at encrypting files that “we often advise people just to pay the ransom.”

Source: Information Security Magazine

Dridex Gang Gets ‘Locky’ with New Ransomware Campaign


Security experts are warning that the same infrastructure used to deliver the infamous Dridex banking trojan is now behind a major new email-based ransomware campaign.

The “Locky” ransomware variant is distributed via email attachments, specifically Word documents disguised as invoices. The docs contain macros which download and install the ransomware, security firm Proofpoint explained in a blog post.
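A mail-gateway check for the lure described above, added here as an example (not Proofpoint’s detection logic): it inspects an attachment’s bytes rather than trusting its name, looks for the VBA project part in which OOXML Word files carry macros, applies a lighter heuristic to the legacy binary format, and flags the invoice-themed filename. The sample documents are constructed inside the block, and the OLE heuristic is an assumption that stands in for a full OLE directory parser.

```python
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
LURE_RE = re.compile(r"invoice|receipt|payment|remittance", re.I)


def build_word_doc(with_macro):
    """Construct a minimal OOXML Word container (test data for the example, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Override PartName="/word/document.xml" ContentType="application/vnd.'
                 'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
            z.writestr("word/vbaProject.bin", b"\x00" * 64)  # stand-in for the VBA storage
        z.writestr("[Content_Types].xml", types + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def has_macro(data):
    """Decide from content, not extension, whether a document carries VBA."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
                if names & MACRO_PARTS:
                    return True
                ct = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
                return b"vbaProject" in ct
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): OLE directory entry names are UTF-16LE, and a VBA
        # project storage carries this name. A real gateway should walk the directory.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def triage_attachment(filename, data):
    """Return a verdict plus the findings that led to it."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    macro = has_macro(data)
    if macro:
        findings.append("vba macro present")
    if ext in ("docx", "xlsx", "pptx") and macro:
        findings.append("macro inside an extension that should not carry one")
    if ext in ("doc", "xls") and data.startswith(ZIP_MAGIC):
        findings.append("legacy extension but OOXML container")
    if macro and LURE_RE.search(filename):
        findings.append("financial lure filename with macro")
    return {"verdict": "quarantine" if macro else "deliver", "findings": findings}
```

Blocking on the presence of a macro at all is blunt; a gateway that must let legitimate macro documents through can instead use the findings to route invoice-themed macro attachments from external senders to a sandbox.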

What particularly piqued the interest of the researchers who discovered it was the fact that the botnet behind the spam mail is the same as that which delivers the majority of emails containing the infamous Dridex trojan.

It’s apparently also responsible for some non-Dridex malware including Ursnif, Shifu and ransomware variants Nymaim and TeslaCrypt.

The firm added that, just like Dridex, the actors behind Locky are “pushing the limits” of campaign size, with spam volumes rivaling the biggest Dridex campaigns ever seen.

“Coincidentally, the same day we tracked the large spam campaign, we also spotted Locky being distributed in a Neutrino thread usually spreading Necurs,” Proofpoint continued.

“When run on the same virtual machine, the document from both the Neutrino drop and the spam emails generate the same individual ID, point to the same Bitcoin wallet, and appear to use the same infrastructure. This can be explained either by a common actor or, more likely, by a distribution in affiliate mode.”

As for the ransomware itself, Locky is said to encrypt files based on their extension, and replaces the desktop background with the ransom message. Victims are told to visit one of a choice of .onion or tor2web links to buy Bitcoin, send them to a specific address, and wait for their decryptor download.

It’s not confirmed yet whether this will actually decrypt the victim’s files, however.

Interestingly, over the past few weeks, while the Dyre trojan has fallen silent, those behind Dridex have been experimenting with new attack vectors, according to security researchers.

Source: Information Security Magazine

Greenwich University Exposes Student Info Online


The University of Greenwich is under fire after it accidentally posted sensitive information on postgraduate students including details on health issues to its public-facing website.

The incident appears to have breached the Data Protection Act and watchdog the Information Commissioner’s Office (ICO) is said to be investigating.

The matter was brought to the attention of the BBC by a student at the university who came across the information through a simple Google search.

Details included students' names, addresses, dates of birth, mobile phone numbers and signatures, alongside minutes from a university committee governing research students.

These notes apparently included information on mental health and other medical problems as well as details of one student whose brother was fighting in a Middle Eastern army – with references made to an asylum application, the BBC claimed.

Emails between staff and students were also said to have been exposed online.

The university has contacted Google to remove cached copies of the data from the web, and apologized for the error.

"This was a serious error, in breach of our own policies and procedures. The material has now been removed. This was an unprecedented data breach for the university and we took action as quickly as possible, once the issue came to light,” said secretary Louise Nadal.

"At the same time, I am also conducting an investigation into what went wrong. This will form part of a robust review, to make sure that this cannot happen again. The findings and recommendations of the review will be published.”

Experts were quick to highlight the case as a failure of policy and procedure.

Michael Hack, senior vice president of EMEA operations at Ipswitch, argued that forthcoming European data protection regulations will levy severe financial penalties on this kind of thing in the future if it’s found to stem from negligence.

“Whether private or public sector, when it comes to securing, storing and sharing confidential data, organizations must make sure they have the right policies and process in place,” he added.

“This includes using secure data management and transfer technologies, security systems and most importantly, providing essential staff training across the board.”

Greg Hanson, VP business operations EMEA at Informatica, argued that a data-centric security strategy is a must in today’s climate.

“In order to protect data, wherever it may be, organizations need to be able to identify where it originates in order to secure it, whether it is in transit or at its destination. For many organizations, a complete reassessment of security procedures is required,” he added.

Source: Information Security Magazine

Glibc Flaw Affects Linux Machines and IoT


A major vulnerability in the GNU C Library (CVE-2015-7547) could result in remote code execution, and may affect most Linux machines.

The vulnerability affects all versions of the GNU C Library, commonly known as glibc, since version 2.9. Google’s Staff Security Engineer Fermin J. Serna and Technical Program Manager Kevin Stadmeyer reported that they had developed a full working exploit and that a patch is now available.

Serna and Stadmeyer said in a statement: “You should definitely update if you are on an older version though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack.

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”

The vulnerability is triggered by an oversized (2048+ bytes) UDP or TCP DNS response, followed by a second response that overwrites the stack. Remote code execution is possible, but requires bypassing the security mitigations present on the system, such as ASLR.

The bug was reported to glibc maintainers in July 2015, but has been present since glibc 2.9, released in May 2008. Carlos O’Donnell, Principal Software Engineer at Red Hat, said in an advisory that the vulnerability has likely not been publicly attacked, but that execution control can be gained without much more effort.

Tod Beardsley, Security Research Manager at Rapid7, said that like the GHOST vulnerability from 2015, this will affect lots of Linux client and server applications, and like GHOST, it's pretty difficult to "scan the internet" for it, since it's a bug in shared library code.

“There are certainly loads and loads of IoT devices out in the world that aren't likely to see a patch any time soon,” he says. “So, for all those devices you can't reasonably patch, your network administrator could take a look at the mitigations published by RedHat, and consider the impact of limiting the actual on-the-wire size of DNS replies in your environment. While it's may be a heavy-handed strategy, it will buy you time to ferret out all those IoT devices that people have squirrelled away on your network.”
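The network-side stopgap Beardsley describes, as an added example (not Red Hat’s published mitigation and not glibc code): a forwarding resolver placed in front of devices you cannot patch parses each upstream reply’s header and question, passes replies under a size limit, and otherwise answers the client with a SERVFAIL carrying the same transaction ID, so an oversized payload never reaches the vulnerable getaddrinfo() buffer. The 1024-byte default is a conservative assumption well below the 2048-byte buffer; the sample replies are constructed inside the block.

```python
import struct

RR_TYPE_A, RR_CLASS_IN = 1, 1
FLAGS_RESPONSE = 0x8180          # QR=1, RD=1, RA=1, RCODE=0
FLAGS_SERVFAIL = 0x8182          # QR=1, RD=1, RA=1, RCODE=2
SIZE_LIMIT = 1024                # assumption: well under glibc's 2048-byte stack buffer


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_response(txid, qname, answers):
    """Construct a reply with `answers` A records (test data for the example)."""
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE, 1, answers, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", RR_TYPE_A, RR_CLASS_IN)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, RR_TYPE_A, RR_CLASS_IN, 300, 4)
                   + bytes([10, 0, (i >> 8) & 0xFF, i & 0xFF]) for i in range(answers))
    return header + question + rrs


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_end(msg):
    """Offset just past the first question (name, type, class); handles compression pointers."""
    i = 12
    while True:
        if i >= len(msg):
            raise ValueError("truncated question")
        length = msg[i]
        if length == 0:
            i += 1
            break
        if length & 0xC0 == 0xC0:   # a compression pointer ends the name
            i += 2
            break
        i += 1 + length
    end = i + 4
    if end > len(msg):
        raise ValueError("truncated question")
    return end


def servfail_for(msg):
    """Minimal SERVFAIL echoing the client's transaction ID and, if parsable, its question."""
    hdr = parse_header(msg)
    try:
        question, qdcount = msg[12:question_end(msg)], 1
    except ValueError:
        question, qdcount = b"", 0
    return struct.pack("!HHHHHH", hdr["id"], FLAGS_SERVFAIL, qdcount, 0, 0, 0) + question


def gate_response(msg, limit=SIZE_LIMIT):
    """Decision for one upstream reply: ("pass", msg) or ("drop", substitute)."""
    hdr = parse_header(msg)
    if not hdr["qr"] or hdr["qdcount"] != 1:
        return "drop", servfail_for(msg)   # not a well-formed single-question reply
    if len(msg) > limit:
        return "drop", servfail_for(msg)   # would overrun the client's resolver buffer
    return "pass", msg
```

Returning SERVFAIL rather than silently dropping keeps clients from hanging on the retry timer, and because the gate keys on total message size it covers both the UDP and the TCP path the advisory mentions. Legitimate large answers (DNSSEC-heavy zones, long TXT records) will fail behind such a gate, which is why it is a bridge to patching rather than a permanent control.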

Dave Palmer, Director of Technology at Darktrace, said: “It seems that this bug primarily affects the servers that run company applications and internet services, but probably also much of the IoT. However, it is still unclear how easy it is to exploit.

“Uncertainty surrounds not only this bug, but all future threats. It is simply impossible to guess where next vulnerabilities will be discovered. So as companies run around trying to work out if and how this will affect them, they should also fundamentally re-think how they are protecting the entirety of their systems. Without an immune system, which automatically monitors for abnormality, it is extremely difficult to keep up with today’s threat landscape.”

David Flower, MD EMEA at Carbon Black said: “Linux users have long since held the belief that their systems are secure by design and are invulnerable to attack. However, the string of high-profile Linux malware; from last year’s Mumblehard, which had gone undetected for five years, to 2012’s Snakso, which gave hackers remote access to servers, has proven this belief to be false. Google’s discovery of Glibc has delivered another significant blow to this misconception, highlighting that a basic flaw has been present within the code itself.

“Whilst it has yet to be exploited by hackers, those that fail to patch the vulnerability will face a significant threat now that the bad guys have been alerted to its presence.”


Source: Information Security Magazine

Apple: We Won’t Build ‘Backdoor’ to Unlock Gunman's Phone


Apple has point blank refused to bypass its own security mechanisms with new software which the FBI can use to unlock and read information on the iPhone of one of the San Bernardino gunmen.

A court order issued by a California magistrate yesterday effectively asks Apple to create a new custom iOS version to install on the device – an iPhone 5C running iOS 9 – which will allow the FBI to brute force the passcode.

The order noted that Apple’s “reasonable technical assistance” should accomplish three important functions:

“It will bypass or disable the auto-erase function whether or not it has been enabled; it will enable the FBI to submit passcodes to the subject device for testing electronically via the physical device port, Bluetooth, Wi-Fi or other protocol available on the subject device; and it will ensure that when the FBI submits passcodes to the subject device, software running on the device will not purposefully introduce any additional delay between the passcode attempts beyond what is incurred by Apple hardware.”

The auto-erase function wipes the device’s data after 10 incorrect passcode guesses, while the escalating delays between failed attempts, on top of the per-attempt cost imposed by the hardware-bound key derivation, were introduced by Apple to neuter brute force attacks by making them take years to carry out.

The magistrate, Sheri Pym, asked Apple to respond if it was not possible to create a workaround as described above.

Tim Cook took the opportunity to do so in a long letter decrying the government’s attempts to undermine the security of Apple devices, although he notably didn’t reveal whether it was technically possible to do so or not.

While claiming no sympathy for the terrorists and pointing out that Apple has assisted the investigators to do “everything that is both within our power and within the law to help them,” he would not sanction the creation of software with the potential to unlock anyone’s iPhone.

He added:

“The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control …

For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”

Cook also took issue with the FBI’s apparent attempts to use the All Writs Act of 1789 as a legal justification for this expansion of its authority.

He argued:

“The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”

The news comes in the same week EU security agency Enisa came out in favor of strong encryption and against any attempts by law enforcers to undermine this by demanding backdoors.

Image credit: endermasali /

Source: Information Security Magazine

Spear Phishing Incident Average Cost is $1.6M


Spear phishing has become an endemic scourge: 95% of US and 83% of UK respondents in a recent Cloudmark survey said that they have experienced spear phishing attacks (91% combined).

Spear phishing is effective: despite deploying traditional security solutions, 84% of respondents experienced spear phishing attacks that penetrated their security solutions. It’s also costly: Of those experiencing attacks over the last 12 months, 81% suffered some negative impact as a result, with an average financial cost of $1.6 million—and some losses in the tens of millions of dollars.

Unfortunately, human awareness of the issue appears to be lagging the risk. A full 79% of respondents test their employees’ responses to spear phishing attacks, and 78% of those had failure rates of up to a quarter of their employees.

Only 3% had no failures.

Also, a good percentage of companies appear to be in a state of denial when it comes to the targets on their backs. Only 73% of respondents feel that spear phishing currently poses a threat to their organization. About three-quarters (77%) feel that it will pose a threat within the next 12 months. And this gap is reflected in respondents’ actions, as only 71% have implemented a specific solution to prevent spear phishing, leaving a large number of respondents poorly protected. Those 71% are depending on traditional anti-spam (84%) and anti-virus (81%) software to protect their users, along with staff training (79%) and educational campaigns (64%).

“The high financial losses—$1.6 million on average—are only part of the story; other respondents experienced loss of reputation or even customers, drop in stock price or other negative effects,” the report noted. “In some sectors, more than half of respondents (55%) suffered a loss of customers; in others, almost half (47%) suffered a financial loss.”

Anti-spam and anti-virus technology can be effective in blocking some kinds of generic phishing. About 45% of respondents have deployed secure web gateways or URL filtering solutions, which might be effective in protecting users from threats such as fake bank or webmail login pages hosted on hacked domains. And secure email gateways and file sandboxing (deployed by 58% and 28% of respondents, respectively) can be effective against malware deployment, an attack which 30% of respondents have experienced.

But ultimately, the human is the weakest link.

“For example, in so-called CEO fraud or Business Email Compromise (BEC) attacks, the spear phisher masquerades as the company’s CEO or another executive and instructs an employee in the finance department to send money via wire transfer to a bank account controlled by the phisher,” the report explained. “These messages almost never contain an attachment or a call-to-action URL, so they will bypass traditional security technology easily.”

BEC attacks are widespread. Sixty-three percent of respondents received spear phishing involving the spoofing of a CEO for financial gain in the last 12 months; in one sector, 48% received more than 30 such attacks over that period. Almost half of respondents said that the financial staff or department were specifically targeted in cyber-attacks.

Photo © igor.stevanovic

Source: Information Security Magazine

Mazar BOT Can Erase Android Phones


A fresh campaign bent on information exfiltration and erasing unsuspecting victims’ phones is spreading via unsolicited text messages.

Heimdal Security uncovered the Mazar BOT Android malware, which, aside from being new on the scene, is notable in that it gains administrative rights that give it the ability to do almost anything with the victim's phone.

The malware also can read SMS messages, which means it can also read authentication codes sent as part of two-factor authentication mechanisms, used also by online banking apps and ecommerce websites.

The attack chain begins with a message: “You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message.”

If the APK (an Android application package) is installed and run, it obtains device-administrator rights on the victim’s phone. The malicious APK also retrieves Tor and installs it on the phone, then uses the Tor anonymity network to reach its command and control server.
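A triage routine for the lure message, as an added example (not Heimdal’s analysis tooling): it refangs defanged URLs, parses them, and flags a direct .apk download from anywhere other than an app store as high risk, with the MMS/voicemail-style wording as a secondary signal. The allow-listed store host, the lure vocabulary and the sample messages are assumptions constructed for the example; the domain in the first sample is the one quoted in the article.

```python
import re
from urllib.parse import urlsplit

STORE_HOSTS = {"play.google.com"}   # assumption: the only place an app install should come from
LURE_RE = re.compile(r"multimedia message|\bmms\b|voicemail|missed delivery|parcel", re.I)
URL_RE = re.compile(r"h[xt]{2}ps?://\S+", re.I)


def refang(url):
    """Undo the defanging used in reports so the URL can be parsed."""
    url = re.sub(r"^h[x]{2}p", "http", url, flags=re.I)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def triage_sms(text):
    """Classify one SMS body; returns a risk level and the reasons behind it."""
    reasons = []
    links = [urlsplit(refang(m.group(0).rstrip(".,;)"))) for m in URL_RE.finditer(text)]
    lure = bool(LURE_RE.search(text))
    for link in links:
        host = (link.hostname or "").lower()
        if link.path.lower().endswith(".apk") and host not in STORE_HOSTS:
            reasons.append(f"direct APK download from {host}")   # sideload outside the store
        elif lure:
            reasons.append(f"lure wording with link to {host}")
    if any(r.startswith("direct APK") for r in reasons):
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "reasons": reasons}
```

On a managed fleet the same decision belongs in policy rather than in a classifier: keeping “install from unknown sources” disabled means the mms.apk link fails at the point of installation even when the user taps it.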

From there, the attackers can do any number of things, including harvesting data, tracking locations, monitoring messages and calls, and even erasing the phone altogether. Attackers also can do things like send SMS messages to premium channel numbers, seriously increasing the victim’s phone bill.

But wait, there’s more. 

Heimdal noted that the attackers behind Mazar BOT also implemented the Polipo proxy, which is used to cache web pages for offline access, amongst other things. Through this proxy, cyber-criminals can change the traffic flow and interpose themselves between the victim’s phone and a web-based service, for a man-in-the-middle attack.

Interestingly, the code contains protections for Russians.

“Our team was not surprised to observe that the malware cannot be installed on smartphones running Android with the Russian language option,” said Andra Zaharia, security specialist at Heimdal Security, in a blog. “Mazar BOT will check the phone to identify the victim’s country and this will stop the malicious APK if the targeted phone turns out to be owned by a Russian user.”

Until now, Mazar BOT had been advertised for sale on several Dark Web sites, but this is the first time the code has been seen abused in active attacks, she added.

“Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money (as always),” Zaharia said. “We can expect this malware to expand its reach, also because of its ability to remain covert by using TOR to hide its communication.”

Photo © evgdemidova

Source: Information Security Magazine