Archive for the News Category

MWR Opens HackFu for Entry

MWR InfoSecurity has announced the launch of the ninth annual HackFu Challenge, designed to test contenders’ hacking, scripting, tinkering, lock-picking, crypto and problem-solving skills to the extreme.

Initially conceived as a way to improve the skills of MWR’s own team, HackFu has grown over the years to become an unconventional, yet highly-effective approach to personal development for security professionals. The two-day event will take place at an as-yet undisclosed UK location in June, and contenders are invited from today to compete for a place at the event.

Martyn Ruks, Technical Director at MWR InfoSecurity, told Infosecurity that HackFu provides an environment where people can learn, develop and test out a range of skills that are unlikely to be found at typical training events or capture the flag events.

He said: “In the past we’ve taught skills in Windows, Linux, networking, reverse engineering, malware investigation, wireless, physical security, Smart Tech, SCADA and many more areas. But these skills are taught at many events already – so to be satisfied with that would mean missing the bigger picture. The difference with HackFu is that we also provide challenges in leadership, collaboration, problem solving, project management and negotiation with a specific cyber security focus.

“The reason for doing this is because we know that skills in these areas are just as important for improving the security industry, yet there are fewer opportunities to learn or practice them in safe environments where the consequences of making mistakes are reduced. So everyone’s HackFu experience will be different but equally important in teaching and developing the skills that they need in their current and future roles.”

In advance of June, MWR is inviting potential participants to compete in its pre-event challenges. Contenders who show superior skill will be invited to participate in this year’s HackFu, either onsite at the secret venue or remotely, in a new feature being introduced for this year’s event.

Ruks said that the primary purpose of MWR’s HackFu is to set a standard in developing cyber security skills in the UK and beyond, and to use any interest generated in the event to draw attention to the cyber skills gap.

“There is a vast array of roles that exist in this exciting and dynamic sector beyond pen testing and this event is designed to illustrate the techniques and capabilities needed to excel in cyber security,” he said.

“By capturing the public’s imagination, MWR believes the industry can not only raise awareness of the skills gap it faces, but also emphasise the opportunities the sector offers to those with the right aptitude.”

He went on to explain that HackFu was originally conceived to test and improve current cyber security and team-work skills, in a way that allows exploration into technical areas outside an individual’s comfort zone, inspiring participant teams to come up with creative solutions to difficult problems.

“After all, this is what’s needed to combat the complex threats organisations face on a daily basis. We purposefully design some elements of the competition to encourage users to think laterally, as it’s not just about technical ability – but also the mental capacity, to challenge what’s perceived as normal to discover what’s actually possible.”

Over the coming months, MWR will be releasing additional information about its HackFu blueprint to help other organisations plan and execute similar events. To find out more about HackFu 2016, see footage of last year’s event or download the challenges, visit the website.

In the opening session of the Infosecurity Magazine Virtual Conference, Cyber Security Challenge and the National Crime Agency will present on "Securing the Next Generation of White Hats" at 9:15am GMT.

Source: Information Security Magazine

Cyber Crooks Steal $80 Million from Bangladesh Bank

Hackers made off with $80 million from Bangladesh’s central bank last month and nearly swiped $20m more but the alarm was raised just in time, according to reports.

It’s still unclear exactly how cyber-criminals breached the Bangladesh Bank’s systems, but according to two senior officials there, once inside they stole credentials allowing them to make payment transfers.

With those in hand they then made a series of transfer requests with the New York Federal Reserve Bank over the course of a weekend in early February.

The New York Fed processed four of the three dozen requests, transferring a whopping $81m into accounts in the Philippines, according to Reuters.

The heist would have hit $1bn but a spelling mistake in the routing instructions raised the alarm and a fifth transfer of $20m was apparently stopped.

The New York Fed claimed its systems were not breached. The US authorities are understood to have offered to help the Bangladesh Bank find out what went wrong and recover the stolen funds.

FireEye’s Mandiant division is said to have been recruited to help with computer forensics in the case.

The hackers should have been stopped much sooner than they were, according to James Romer, EMEA chief security architect at SecureAuth.

“Organizations should strengthen their capabilities against cyber adversaries by layering adaptive authentication methods such as device recognition or analysis of the physical location of the user, which continually verify the true identity of the end user,” he argued.

“Not only will it maintain a simple user experience but it also makes any credentials, which have been stolen through a vulnerability such as this, ineffective when sold on or when used to access other sites by anyone other than the individual customer.”
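The quote above argues for layering device recognition and location analysis on top of a password so that a stolen credential alone is not enough. The following is an added example of what such an adaptive check looks like in practice; it is not SecureAuth's code nor anything used by the banks named in the article. The device fingerprint, the geolocation of the source address, the speed threshold and the sample login events are all constructed assumptions.

```python
"""
Added example (not SecureAuth's or any bank's code): a minimal adaptive
authentication check that layers device recognition and location analysis on
top of a password. All names, thresholds and sample events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
from typing import Optional, Set, Dict, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner speed
MIN_TRAVEL_DISTANCE_KM = 100.0    # ignore small moves (geo-IP jitter)

@dataclass
class LoginEvent:
    user: str
    device_id: str      # stable fingerprint/cookie the client presents (assumed)
    lat: float          # geolocation of the source address (assumed)
    lon: float
    when: datetime

@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def assess_login(profile: UserProfile, attempt: LoginEvent) -> Dict[str, object]:
    """Return the risk factors seen on this attempt and a decision:
    'allow', 'step_up' (demand a second factor) or 'deny'.
    A correct password is assumed to have been verified already."""
    factors = []
    if attempt.device_id not in profile.known_devices:
        factors.append("unknown_device")
    prev = profile.last_login
    if prev is not None:
        dist = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        hours = (attempt.when - prev.when).total_seconds() / 3600.0
        # Two logins far apart in space but too close in time cannot both be the user
        if dist > MIN_TRAVEL_DISTANCE_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            factors.append("impossible_travel")
    if len(factors) >= 2:
        decision = "deny"
    elif factors:
        decision = "step_up"
    else:
        decision = "allow"
    return {"decision": decision, "factors": factors, "user": attempt.user}

def record_login(profile: UserProfile, event: LoginEvent) -> None:
    """Update the profile after an attempt that completed authentication."""
    profile.known_devices.add(event.device_id)
    profile.last_login = event

# Constructed sample: an operator logs in from a known device, then the same
# credential is replayed from a new device on another continent 30 minutes later.
DHAKA = (23.81, 90.41)
MANILA = (14.60, 120.98)
T0 = datetime(2016, 2, 5, 9, 0)

def demo_replay() -> Dict[str, object]:
    profile = UserProfile()
    record_login(profile, LoginEvent("ops1", "dev-A", *DHAKA, T0))
    replay = LoginEvent("ops1", "dev-B", *MANILA, T0 + timedelta(minutes=30))
    return assess_login(profile, replay)

def demo_local() -> Tuple[str, str]:
    """Same user an hour later from the same city: known device vs. new device."""
    profile = UserProfile()
    record_login(profile, LoginEvent("ops1", "dev-A", *DHAKA, T0))
    later = T0 + timedelta(hours=1)
    same = assess_login(profile, LoginEvent("ops1", "dev-A", *DHAKA, later))
    new = assess_login(profile, LoginEvent("ops1", "dev-C", *DHAKA, later))
    return same["decision"], new["decision"]

if __name__ == "__main__":
    print(demo_replay())   # denied: unknown device plus impossible travel
    print(demo_local())    # ('allow', 'step_up')
```

The point of the design is that each signal is weak on its own (a user does buy new laptops, and geo-IP is noisy), so the policy escalates rather than blocks on a single factor, and a second factor is demanded before a new device is trusted and recorded.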

Fidelis Cybersecurity CSO, Justin Harvey, claimed the case shows how important it is to protect powerful access credentials like the ones stolen.

“The financial services industry is one of the most regulated in the world, but that doesn’t mean it can’t be attacked by cyber-criminals. This latest hack is a clear reminder that compliance and adhering to banking regulations isn’t enough,” he added.

“Multi-layered security needs to be implemented, regularly updated and sophisticated monitoring solutions need to be in place to flag and – if necessary – quarantine suspicious behavior. At least the Federal Reserve Bank of New York’s provisions seemed to have saved the full £1bn from being stolen.”

Source: Information Security Magazine

Adobe Issues Patch for 23 Flash Flaws

As predicted earlier this week, Adobe has been forced to issue yet another patch for its much-targeted Flash Player, this time fixing 23 vulnerabilities.

APSB16-08 was issued yesterday and covers Windows, Macintosh and Linux platforms.

It’s a critical update that fixes heap overflow, use-after-free, integer overflow and memory corruption vulnerabilities.

One in particular, CVE-2016-1010, is already being used in limited, targeted attacks in the wild, according to Adobe.

In fact, it was that bug that prevented the update from being released on Tuesday on Adobe’s regular security update cycle, according to Qualys CTO, Wolfgang Kandek.

“A successful exploit of this vulnerability gives the attacker Remote Code Execution on the target machine,” he explained in a blog post. 

“Attack vector includes malicious websites set up for the purpose of attack using Search Engine Poisoning, ‘normal’ websites that have been hacked and are under the control of the attacker, and e-mailed documents (Word, PDF) that include a malicious Flash component.”

Microsoft has also released a delayed update to take account of the Adobe fix: MS16-036.

“With that, we are changing our ranking for the security bulletins for this month – MS16-036 now takes the highest priority followed by MS16-023 for Internet Explorer,” said Kandek.

Flash is fast becoming marginalized on the web, in part because of its poor track record on security.

It’s not supported by iOS, Android or Windows Phone and will be switched off for display ads by Amazon and Chrome soon.

One positive from that may be the end of exploit kits, which currently rely heavily on exploiting vulnerabilities in the buggy Adobe software, according to F-Secure security adviser, Sean Sullivan.

He wrote in the vendor’s annual threat report out this week that notorious EKs like Angler could become a thing of the past if Chrome and the other major browsers de facto scrap support for Flash.

Source: Information Security Magazine

Rosen Hotels Becomes Latest Chain to Suffer Data Breach

US chain Rosen Hotels & Resorts looks like the latest hotel firm to suffer a major data breach after failing to spot an unauthorized cyber intrusion for over 17 months.

In a lengthy statement on the matter the firm claimed it began receiving reports in early February from guests who saw unauthorized charges on their cards after staying in one of the chain’s hotels.

A cybersecurity firm hired to investigate found evidence of foul play.

The statement continued:

“Findings from the investigation show that an unauthorized person installed malware in RH&R’s payment card network that searched for data read from the magnetic stripe of payment cards as it was routed through the affected systems. In some instances the malware identified payment card data that included cardholder name, card number, expiration date, and internal verification code. In other instances the malware only found payment card data that did not include cardholder name. No other customer information was involved. Cards used at RH&R between September 2, 2014 and February 18, 2016 may have been affected.”
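The statement above describes malware that searched for data read from the magnetic stripe as it passed through the payment systems. The following is an added example, not code from Rosen Hotels or its investigators, of the detection side of that picture: a scanner that looks through an arbitrary byte buffer (a process memory dump, a packet payload, a quarantined file) for Track 1 and Track 2 layouts, applies the Luhn check to discard digit runs that merely resemble a card number, and reports only masked numbers. The sample buffer is constructed around the well-known industry test number 4111 1111 1111 1111; the field names and the decoy are assumptions.

```python
"""
Added example (not Rosen Hotels' or its investigator's code): detect
magnetic-stripe track data in a byte buffer, as a hunting/forensics check for
memory-scraping POS malware output. Sample data is constructed.
"""
import re
from typing import List, Dict

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})[^?]*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: true for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (PCI-style truncation)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_for_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Return one record per Luhn-valid track layout found in buf."""
    hits = []
    for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue   # a digit run that merely looks like a track
            hits.append({
                "kind": kind,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry_yymm": m.group("exp").decode("ascii"),
            })
    return hits

# Constructed sample buffer: two genuine-looking tracks for the industry test
# number 4111 1111 1111 1111, plus a decoy whose check digit is wrong.
SAMPLE_BUFFER = (
    b"\x00\x00POS-TERMINAL-7\x00"
    b"%B4111111111111111^DOE/JANE^25121011234567890?"
    b"\x00\x00\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00junk;4111111111111112=25121011234567890?\x00"
)

def demo() -> List[Dict[str, object]]:
    return scan_for_track_data(SAMPLE_BUFFER)

if __name__ == "__main__":
    for hit in demo():
        print(hit)   # two hits; the decoy fails the Luhn check and is dropped
```

Run over a memory image or capture instead of the sample buffer, any hit outside the expected terminal or payment process is a strong indicator that card data is present in clear text where it should not be. Reporting the masked number keeps the scanner's own output from becoming another copy of the data it is looking for.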

Rosen Hotels & Resorts said it would be emailing or sending a letter to affected guests for whom it has a name and contact details, but it warned everyone who has stayed at one of the firm’s hotels over the affected period to be vigilant.

“You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner,” it said.

There’s a dedicated helpline for customers who think they may have suffered identity theft as a result of the breach, and the hotel chain claimed they can order a free annual credit report from three nationwide specialist companies: Experian, Equifax and TransUnion.

Rosen is by no means the first hotel chain to be hit by a data breach of this kind.

Others whose security has been found wanting recently include Hyatt, Trump Hotels, Hilton Hotels and Starwood Hotels.

Kane Hardy, VP of EMEA at Hexis Cyber Solutions, argued that hotels are an obvious target given the wealth of personal information they hold on guests.

“In addition, the very nature of hotels means that there are a variety of different devices connecting to internet services and networks. As history has shown us, as the number of endpoints increases, so does the risk of attack,” he added.

“In the hotel industry, reliance on traditional perimeter security is not enough. It is becoming critical for organizations to be able to persistently correlate threat intelligence from within networks to actively respond and eliminate these security issues.”

“By taking a next generation approach to integrated network and endpoint threat verification with automated persistent response, hotel groups can better mitigate threats before data loss occurs. This approach can be effective in protecting data, even if the network is compromised.”

Source: Information Security Magazine

March Madness Opens the Door for March Badness…and Sadness

It’s March, and in the US that means St. Patrick’s Day, last-minute tax scrambling and, of course, March Madness. Security experts are warning that the annual college basketball tournament could turn into March Badness, if cyber-criminals have their way.

The tournament, which starts on Thursday, March 17, is one of the most watched, and anticipated, sporting events every year, up there with the Super Bowl and the World Series when it comes to enthusiasm and viewership in the States. But, games also traditionally fall during business hours, and as a result, plenty of office workers will be tuning in via their mobile devices and online to watch the action.

According to Dan Lohrmann, chief strategist and chief security officer (CSO) at Security Mentor, a Pacific Grove, Calif. security awareness training provider, security professionals at organizations of all sizes are preparing for a surge of potential March Madness related cyber-attacks through the beginning of April. This is because nearly every aspect of any employee’s involvement with March Madness could open up the employee, as well as the organization, to a number of cyber-risks.

“Cyber-criminals are well aware of the popularity of March Madness and are already preparing spear phishing emails to millions of college basketball fans, as well as non-basketball fans who are merely participating in the ever-popular office pools,” he said via email. “Organizations and their employees should all beware of spear phishing links related to college basketball games. They should also be careful of people loading unauthorized apps on their devices. For example, are these apps malware free?”

Mark Parker, senior product manager at enterprise cloud security provider iSheriff, also pointed out the potential for watering-hole attacks; employees should be careful what they Google.

“As with anything popular, criminals are drawn to an easy to exploit opportunity,” he said. “Just as thieves target frequently visited locations that provide a target rich environment, so do the online crooks behind malware. Pillagers hang out near the watering holes that draw the prey, because it is easier than hunting the prey outright.”

A few things to watch out for:

  • Rogue March Madness apps, across many device types, that promise score and bracket updates but also deliver advertising and malware
  • Thousands of drive-by download-and-install malware infections from March Madness-related sites, both legitimate and spoofed
  • Phishing attacks targeting users following their March Madness brackets on popular sites such as ESPN, CBS Sports and Yahoo
  • Malware masquerading as video players that will allow the user to stream the games
  • Links posted in forums, comments and social media that promise March Madness info or streams, but only direct the user to an infected site
  • A large influx of fake betting sites used to grift the credit card info of unsuspecting users

Lohrmann also pointed out that time and bandwidth issues with streaming games on work equipment are important, because the bandwidth usage alone during the day can slow down operational systems, almost like a denial of service attack. The organization should also take the time to re-emphasize policies and procedures.

“We can certainly still have fun at work if a local team is playing,” Lohrmann said, advising, “It can be beneficial to all involved to find the time to watch the game together on a television in the breakroom and have a team-building party, etc.”

Photo © Aspen Photo/Shutterstock.com

Source: Information Security Magazine

Boardroom-CISO Communications Breakdown is Endemic

CISOs and the board of directors are missing the mark when it comes to cybersecurity reporting.

According to Osterman Research, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cybersecurity threats.

Despite a general consensus that more automation can help address the security personnel staffing shortages, the report found that cybersecurity reporting still is dominated by manual methods: 81% of IT and security executives employ manually compiled spreadsheets to report data to the board. This process can lead to incorrect reporting and oversight of important data, whether it is due to intentional manipulation or human error.

One of those areas of oversight is security spending, interestingly enough. The most common type of information reported about cybersecurity issues is about known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data-loss incidents. Information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

The research also uncovered that IT and security executives say they frequently report breaches, but admit they don’t know about all of them: Four out of five respondents say they report major data breaches to the board, yet more than a third report they do not know all of the data breaches that occurred during 2015.

Interestingly, this lack of accuracy and completeness appears to worry a minority of businesses. Only two in five IT and security executives said that they are pressured by the board to provide an accurate report about data breaches and attack attempts; in fact, even fewer say there are repercussions if they do not provide an accurate report to the board.

“Overall, the report shows the board isn't doing its job when it comes to holding their CISOs accountable for providing actionable and accurate information about their cyber-risk—and IT and security executives are not doing their jobs and making sure the information they report is understandable, actionable and accurate,” said a spokesperson for Bay Dynamics, which sponsored the report.

Overall, only one-third of IT and security executives in the survey said that they believe that the board understands the information about cybersecurity threats that is provided to them. And fewer than two in five IT and security executives believe that risk is reduced as a result of their conversations and reports to the board.

“Arguably, the most important statistic noted in the figure below is that only 37% of IT and security executives agree or strongly agree that organizational risk is reduced as a result of their conversations with and reports to the board—in fact, 5% of those we surveyed either disagree or strongly disagree that risk is reduced,” the report concluded. “The point of IT and security executives presenting information to a board of directors should be informing the board about cybersecurity threats and what is being done to address them—at many organizations that clearly is not happening, and so boards are not helping to reduce risk.”

Photo © Scott Maxwell/LuMaxArt

Source: Information Security Magazine

Siloed Network Security Leads to 5+ Incidents Per Year

Faced with a lack of security personnel and far too many network “blind spots,” almost three-quarters of Global 2000 companies experienced five or more network-based security incidents in the past 12 months.

Frost & Sullivan's Network Visibility Survey found that 72% of respondents saw that number—mostly driven by attacks on managed devices.

Perhaps expectedly, managed end user computers were the most-targeted, with nearly one-third of companies in the US, 19% of companies in the UK and 50% of German companies reporting five or more incidents mounted on PCs and Macs. Managed servers also served as gateways for attack in 27% of companies in the US, 19% of companies in the UK and 36% of German companies.

This sustained offensive against managed devices is leading to low customer confidence in security agents being deployed, the survey added. In fact, 37% of respondents reported they have low confidence in their patch management agents, followed closely by a lack of faith in mobile device management agents (35%), encryption agents (28%) and antivirus agents (27%).

In reality, the problem lies in a persistently siloed approach to network security—and a lack of personnel/automation within the security apparatus. Too many organizations deploy network security technologies in silos, with little or no communication between products and teams, leading to blind spots—and then they don’t have the headcount to adequately deal with the situation manually.

Most companies surveyed said that they have areas within their networks that can't be properly analyzed by their security gear—opening the door for unknown applications, traffic, devices and users to rummage through the corporate network undetected.

“The majority of traditional security tools typically operate as independent silos not designed to interoperate with each other,” the report noted. “Traditional security tools like VA and intrusion detection/intrusion prevention systems (IDS/IPS) have very specific use cases. VA scans end points for configuration errors and exploitability from known vulnerabilities. IDS/IPS sound alarms when a suspected perimeter breach is detected. Perimeter network defenses do each individual element well. However, many of these network defenses do not share contextual information with other peer security tools and don’t provide any native controls for threat mitigation.”

Firewall, vulnerability assessment and ATD products suffered the most from blind spots, followed closely by network intrusion prevention systems, security information and event management, enterprise mobility management and antivirus technologies.

"In today's distributed enterprise, creating a truly secure network, whether managed or unmanaged, requires instant visibility into the devices that are connecting to it, paired with an ability to automate threat responses," said Rob Greer, CMO and SVP of products at ForeScout, which commissioned the survey. "Vulnerable entry points are widespread, and the rise of the Internet of Things (IoT) devices and mobile computing is only increasing the security attack surface. Automation can help security teams orchestrate their technologies to help eliminate network blind spots—giving them true visibility and actionability into their connected devices."

Meanwhile, IT professionals unanimously responded that they would welcome a set of pre-determined security controls within each network security technology to facilitate automation and save critical resources. That's especially true for firewalls (67%), IPS (65%) and antivirus (63%).

"We've confirmed what most people already expect—that no company is truly secure without its security technologies working together. A siloed security approach can create network blind spots that have costly, long-term impacts on business continuity and brand reputation," said Chris Kissel, industry analyst for Network Security Research, at Frost & Sullivan. "Without full network visibility, these attack surfaces will only increase, given the fast-growing number of bring-your-own device (BYOD) and Internet of Things (IoT) devices being connected to corporate networks."

Photo © Photographee.eu

Source: Information Security Magazine

ISIS Data Breach Leaks Recruits’ Details

The Islamic State (IS) has suffered an apparent insider data breach which could provide Western intelligence agencies with vital information on how to disrupt and dismantle the jihadist movement.

Sky News claimed to have received a USB stick containing information on 22,000 IS recruits, including names, addresses, telephone numbers, places of birth and sponsors into the organization.

The data was apparently collected via detailed questionnaire forms by IS as would-be recruits passed into Syria.

It’s said to have been stolen from the head of IS internal security by a disillusioned former Free Syrian Army convert to the cause, who now claims that the movement has been taken over by former soldiers of Saddam Hussein’s Iraqi Baath party.

As such, this could technically be described as an insider breach – although with the stakes far higher than those facing breached organizations closer to home.

IS recruits from 51 countries including the US, UK and Canada were identified on the list, and while many were known to the West, crucially there are many names on there that weren’t, Sky News claimed.

One of the files is said to be labelled ‘Martyrs’ and apparently contains a list of names of recruits prepared to carry out atrocities on Western targets.

Germany’s federal police force, the BKA, is also in possession of the documents, which have been certified as authentic.

The names may have been collected as far back as 2013, according to the Guardian.

German interior minister, Thomas de Maizière, claimed the documents would help to shine a light on “the underlying structures of this terrorist organisation.”

While the theft of tens of thousands of paper documents by the whistleblower would have been virtually impossible, as has been demonstrated in the past, increasingly powerful thumb drives provide a quick, easy and discreet alternative.

Source: Information Security Magazine

F-Secure: Exploit Kits Could Become Marginalised by 2017

Cybercriminals may be forced to look beyond exploit kits to alternative infection channels in the near future as Flash becomes increasingly marginalized, according to F-Secure’s new Threat Report for 2015.

F-Secure Labs security adviser, Sean Sullivan, wrote in the report that most major exploit kits like Angler and Nuclear rely on taking advantage of vulnerabilities in the ‘lowest hanging fruit’ currently around – Adobe Flash.

By December 2015, Angler EK was listed as the fourth most prevalent threat seen by the Finnish security firm behind the Gamarue trojan, Dorkbot worm and Njw0rm worm.

In the UK in particular, Angler EK, along with Trojan:W97M/MaliciousMacro and Trojan:JS/Redirector, was among the most highly reported threats in 2015.

“Adobe’s Flash is the last ‘best’ plugin still standing for exploit kits to target,” Sullivan argued. “But for how long?”

He predicted that with Amazon and Google switching off Flash ads and the lack of support on iOS and other platforms, it’s only a matter of time before the major browsers force users to whitelist any sites requiring Flash.

But while this will “decapitate” exploit kits as we know them, cybercriminals will likely focus their attention on other channels such as malicious email attachments like macro malware, he claimed.

Another option is .zip files with malicious JavaScript attachments, Sullivan told Infosecurity by email.

“Whatever technique works, it won't need to be as persistent as today if extortion [via ransomware] continues to trend. Get in fast, determine valuable files, and encrypt,” he argued.

“Perhaps it will return to being a race to reverse patches in an attempt to target those who have yet to patch. A smaller window of opportunity, but what does that matter if malware manages to encrypt your files before that? Prevention is critical and it will become more so.”

In the meantime, the same advice should be applied to mitigate the threat of exploit kits: update software as soon as a patch becomes available.

Source: Information Security Magazine

Most CIOs Fear Fines Under New Euro Data Protection Laws

Nearly 90% of CIOs are concerned that their current security policies and procedures are putting them at risk of serious fines under new European data protection laws, according to a new study from Egress Software Technologies.

The encryption services provider claimed that 87% of the IT leaders it spoke to from companies with more than 1,000 employees were worried their firm was at risk of fines of up to 4% of annual turnover, according to strict new penalties levied by the European General Data Protection Regulation (GDPR).

In addition, over three-quarters (77%) of respondents said they were frustrated that staff failed to use technology like encryption made available to them to ensure they work more securely.

Egress CEO, Tony Pepper, claimed users often find ways to bypass security measures and “take the risk” if they think these tools will slow down business processes.

“Another problem is that IT is often as resistant as users. As the research shows, ease of deployment is a big driver for selecting what technology gets prioritized and dealing with users is often a bit of a headache,” he told Infosecurity.

“This is creating a real barrier to deployment. When asked to describe discussions they had had around deploying encryption-based secure communication solutions – such as email encryption – almost half of the respondents said they thought users would find it too complicated and it’d create a help desk nightmare.”

The study also appeared to reveal that the series of high profile attacks publicized in the media over the past year are having an effect on security policy.

Some 49% of respondents said they prioritize external threats, while just 20% focus mainly on accidental breaches from within – despite the latter accounting for the vast majority of incidents.

Pepper argued that IT leaders must make security “invisible to the user” so that it’s seamlessly integrated into the everyday tools they’re used to using – but added that “technology is really just half the battle.”

“If you want people to adopt security you need to make them understand why – the education piece is vital. This could be someone sending an email, but equally it could be making them understand why they should not click on a phishing email,” he argued.

“This also includes having clear policies and procedures around data, so that everyone knows exactly what level of information assurance should be applied in each situation. There should be no ambiguity.”

Source: Information Security Magazine