Archive for the News Category

UK’s NCA Shares Threat Data with 50 Web Hosters

The UK’s National Crime Agency is claiming a new threat information sharing initiative has already helped web hosters reduce the threat to their servers by 12%, potentially saving them millions.

The NCA said last week that it shared details related to over 30,000 separate threats with internet hosting companies as part of a joint program with CERT-UK.

Around 50 organizations took part in the nearly three-month-long program, using information on malware infections, phishing attacks, DDoS and command and control (C&C) systems to take remedial action.

The crime agency’s initial analysis claimed the 12% reduction in the volume of malicious domains over a whole year could reduce cybercrime losses by “tens of millions of pounds.”

Specially trained officers from police Regional Organised Crime Units (ROCUs) are now being sent out to support those organizations that benefited from the threat intelligence.

“Working with industry to jointly combat cybercrime is a priority for the NCA, and sharing timely, customized intelligence with hosting companies can contribute to the protection of the UK internet infrastructure,” said NCA industry partnerships boss Paul Hoare.

“Many alert recipients have taken timely action against the threats identified, and this is likely to have prevented losses to individuals and businesses further down the line.”

The threat alerts are also available to firms who sign up to the government’s Cyber-security Information Sharing Partnership (CISP) initiative, designed to improve situational awareness for members by facilitating the sharing of threat and vulnerability information.

Governments and their law enforcement and intelligence agencies are increasingly being put under pressure to share the wealth of threat information they collect with the private sector, in order to bolster the resilience and economic well-being of UK PLC.

BH Consulting founder and Europol advisory group member, Brian Honan, welcomed the news.

"Many though have criticized these initiatives as being primarily one way, whereby information from the private sector is going into the public sector but very little is coming back in return. This type of sharing from the NCA is a welcome change to that status quo and the quality of the information they share will be of major benefit to the ISPs," he told Infosecurity.

"One can only hope that now the ISPs have real actionable information they will work on it to make the internet a safer place for all."

In the US, efforts to legislate on such matters have backfired, after rights groups and technology giants came out against the Cybersecurity Information Sharing Act, which was nevertheless passed by the Senate last month.

Its opponents argue that the law could introduce major privacy issues and even make it harder for international firms to do business with their US counterparts.

Source: Information Security Magazine

New POS Malware Lands Ahead of Busy Festive Shopping Season

Security researchers are warning of a new POS malware strain which has the potential to cause yet more pain for retailers and their customers in the run up to the busy festive season.

AbaddonPOS was initially discovered by Proofpoint analysts as it was being downloaded as part of a Vawtrak infection, they wrote in a blog post.

Specifically, it was delivered via either weaponized Office documents downloading Pony malware or an Angler EK Bedep infection. The downloader TinyLoader was then loaded by Vawtrak to fetch more shellcode, finally triggering AbaddonPOS.

AbaddonPOS is only around 5KB in size but has been fitted with anti-analysis and obfuscation techniques to prevent manual and automatic analysis.

For example, it uses a CALL instruction to hinder static analysis.

Most of the malware’s code is not obfuscated, however, except for the code used to encode and transmit stolen credit card data.

It then relies on a custom binary protocol to exfiltrate the stolen data, rather than HTTP.  

The firm concluded:

The practice of threat actors to increase their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice. While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cyber-criminals ample reason to maximize the return on their campaigns by distributing a new, powerful PoS malware that can capture the credit and debit card transactions of holiday shoppers.

AbaddonPOS isn’t the only piece of malware set to cause problems for retailers as they prepare for the busy Christmas shopping period.

Cherry Picker has been active since 2011 but remained under the radar thanks to its highly covert nature, according to Trustwave.

The POS malware apparently cleans itself from an infected system once it has found what it was looking for, using the remote-access software TeamViewer to remove and overwrite files and logs.

Source: Information Security Magazine

Google Preps New Service after Global Email Encryption Warning

Email encryption is getting better but certain countries are deliberately preventing SSL requests from initiating, undermining industry efforts, according to a new report from Google.

The study, in partnership with the University of Michigan and the University of Illinois, reveals that overall email security is better than it was two years ago.

For example, the proportion of encrypted emails received by Gmail from non-Gmail senders during the period increased from 33% to 61%.

In addition, the percentage of messages encrypted with TLS sent from Gmail to non-Gmail addresses increased from 60% to 80%.

And over 94% of inbound messages to Gmail were said to have carried some form of authentication.

But there were also causes for concern, as Google wrote in a supporting blog.

“First, we found regions of the internet actively preventing message encryption by tampering with requests to initiate SSL connections. To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen ‘opportunistic TLS’ using technologies that we pioneered with Chrome to protect websites against interception.

Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name. While this type of attack is rare, it’s very concerning as it could allow attackers to censor or alter messages before they are relayed to the email recipient.”

In Tunisia, Iraq, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho, over 20% of emails are delivered without encryption because systems on the path force the communication into plain text. In Tunisia the figure is above 96%.

This so-called “STARTTLS stripping” happens on over 60% of the 700,000 SMTP servers Google found in the world that are still failing on encryption.
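As an added illustration (not code from Google or the article), the following Python simulates the sending side of the SMTP EHLO exchange that STARTTLS stripping tampers with: it parses constructed EHLO replies, treats a missing STARTTLS keyword as the plaintext fallback that stripping relies on, and applies an HSTS-style memory of servers that previously offered STARTTLS so that a sudden loss of the keyword is refused instead of silently downgraded. The server names, the reply texts and the memory policy are assumptions of this example, not Google's actual mechanism.

```python
"""STARTTLS stripping: parsing EHLO replies and deciding whether to fall back.

Added example, not code from Google or the article. The EHLO replies are
constructed; the "remembered capability" policy is an HSTS-like idea in the
spirit of the strengthened opportunistic TLS the article mentions, but it is
this example's own design, not Google's mechanism.
"""
from typing import Dict, Set

# Constructed EHLO replies. The second mimics a middlebox that overwrote the
# STARTTLS keyword in place; the third mimics one that removed the line.
EHLO_CLEAN = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_OVERWRITTEN = EHLO_CLEAN.replace("250-STARTTLS", "250-XXXXXXXX")
EHLO_REMOVED = EHLO_CLEAN.replace("250-STARTTLS\r\n", "")


def parse_ehlo(reply: str) -> Set[str]:
    """Return the extension keywords advertised in a multi-line EHLO reply.

    Per RFC 5321 each line is "250-<keyword ...>" except the last, which is
    "250 <keyword ...>"; the first line is the greeting and carries no keyword.
    """
    lines = [ln for ln in reply.split("\r\n") if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted")
    keywords = set()
    for ln in lines[1:]:
        if ln[:3] != "250" or ln[3:4] not in ("-", " "):
            raise ValueError(f"malformed EHLO line: {ln!r}")
        keywords.add(ln[4:].split(" ", 1)[0].upper())
    return keywords


def decide(server: str, reply: str, remembered: Dict[str, bool]) -> str:
    """Decide how to proceed after EHLO.

    Returns "starttls" when the server advertises STARTTLS (and records that
    fact), "plaintext" for a server never seen offering STARTTLS (the
    opportunistic-TLS fallback that stripping exploits), and "refuse" when a
    server that previously advertised STARTTLS no longer does, which is the
    stripping signature a sender can detect with memory alone.
    """
    offered = "STARTTLS" in parse_ehlo(reply)
    if offered:
        remembered[server] = True
        return "starttls"
    if remembered.get(server):
        return "refuse"
    return "plaintext"


def demo():
    """Walk one server through a clean delivery and two stripped ones."""
    memory: Dict[str, bool] = {}
    srv = "mail.example.test"
    return [
        decide(srv, EHLO_CLEAN, memory),        # starttls
        decide(srv, EHLO_OVERWRITTEN, memory),  # refuse
        decide(srv, EHLO_REMOVED, memory),      # refuse
        decide("other.example.test", EHLO_REMOVED, memory),  # plaintext
    ]


if __name__ == "__main__":
    print(demo())
```

The last call shows the weakness the article describes: a server the sender has never seen with STARTTLS is delivered to in plaintext, so memory only helps once a clean exchange has been observed.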

The Mountain View giant said that to help notify users of possible dangers, it is looking to roll out new functionality which will alert them when they receive an email over a non-encrypted connection.

Source: Information Security Magazine

Key Positive Enterprise Trends Emerge in Cybersecurity

Although cybersecurity incidents are daily news, with reports of escalating impacts and costs that are sometimes measured in the billions, at least one survey has identified new reasons for optimism.

According to the Global State of Information Security Survey 2016 from PricewaterhouseCoopers (PwC), the vast majority of organizations—91%—have adopted a security framework or, more often, an amalgam of frameworks.

The most frequently followed guidelines are ISO 27001, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and the SANS Critical Controls. Respondents say adoption of these types of guidelines enables them to identify and prioritize threats, quickly detect and mitigate risks and understand security gaps.

A risk-based framework allows companies to better communicate and collaborate on cybersecurity efforts, internally and externally. These frameworks also can help businesses design, monitor and measure goals toward an improved cybersecurity program. And many say that risk-based standards have helped ensure that sensitive data is more secure.

In another extremely positive trend, PwC noted that technology advances can dim the focus on the cybersecurity competencies and training of people. So it is encouraging to find that top security executives and Boards of Directors are playing increasingly prominent roles.

This year, 54% of respondents reported they have a CISO in charge of their security program, and 49% have a CSO. Today’s CISO is a business manager who should have expertise not only in security but also risk management, corporate governance and overall business objectives.

Also, 46% of survey respondents said their Board participates in information security budgets, which may have contributed to this year’s significant boost in security spending. Other notable outcomes include identification of key risks, helping foster an organizational culture of security and better alignment of information security with overall risk management and business goals.

Also, the report noted that 59% of respondents leverage Big Data analytics to model and monitor for cybersecurity threats, respond to incidents, and audit and review data to understand how it is used, by whom and when.

This is important, considering that a data-driven approach can shift cybersecurity away from perimeter-based defenses and enable organizations to put real-time information to use in ways that can help predict cybersecurity incidents. Data-driven cybersecurity allows companies to better understand anomalous network activity and more quickly identify and respond to cybersecurity incidents.

Some businesses are combining Big Data with existing security information and event management (SIEM) technologies to generate a more extensive view of network activity. Others are exploring the use of data analytics for identity and access management to monitor employee usage patterns, flag outliers and identify improper access.

And finally, speaking of data sets, another positive trend is partnering up to sharpen security intelligence. Over the past three years, the number of organizations that embrace external collaboration has steadily increased, the report found. This year, 65% of respondents said they collaborate to improve cybersecurity and reduce cyber-risks, up from 50% in 2013.

And those that do work with others cite clear benefits. Most organizations say external collaboration allows them to share and receive more actionable information from industry peers, as well as Information Sharing and Analysis Centers (ISACs), government agencies and law enforcement. Many also say information sharing has improved their threat awareness.

Source: Information Security Magazine

InstaAgent Pulled After Stealing User Names and Passwords

A popular mobile app has been pulled from Google Play and the App Store after a researcher warned that it lifted users' names and passwords without their knowledge.

Users of InstaAgent have been urged to change their Instagram passwords immediately after the news came to light.

The app, which was popular in the UK and downloaded by hundreds of thousands of users, promised to show users who was viewing their profile.

But German developer David Layer-Reiss took to Twitter on Tuesday to warn users that the app was stealing their log-in credentials in order to do so. It was also found to be posting ads into users’ accounts.

The developer allegedly behind the controversial app, Turker Bayram, has issued an apology in broken English.

“Please be relax. Nobody account is not stolen,” he said. “Your password never saved unauthorized servers. There is nothing wrong. But again and again we apologize from our precious users.”

Not content, Layer-Reiss has raised question marks over the man behind the app and his company, “Zunamedia.”

“Another strange fact is that it is nearly impossible (for me) to identify the developer of InstaAgent (his AppStore dev name was Turker Bayram). And why didn't the #InstaAgent developer sign his statement?” he wrote in a blog post.

“And if you are making an WHOIS to the server you cannot get any informations because of domains proxy. Why is he hiding his identity? Who is Zunamedia ?”

Rapid7 security research manager, Tod Beardsley, claimed it was unusual that both Google and Apple approved such a dubious looking app.

"While the direct motive for the malicious app developer was to spread spam links via hijacked Instagram accounts, he now has a library of about a half a million username and password combinations,” he explained.

“Since people routinely reuse passwords for various social media sites, we recommend that anyone who mistakenly installed the InstaAgent app immediately change not only their Instagram password, but also the password for any other site where they use the same password, as well as any password that is similar enough that it could be easily guessed.”

Source: Information Security Magazine

Former Council Worker Aces SANS Cyber Academy Exams

A civil servant who worked for Newcastle City Council for 15 years has come top of the class at the new SANS Cyber Academy with one of the highest ever scores in the GIAC information security exams.

Ross Bradley, who spent the past decade and a half processing parking fines for the local authority, has a bright future ahead of him in the cybersecurity industry after acing the internationally recognized qualifications.

The results are a coup for SANS but also highlight the possibility of finally reducing chronic skills shortages in the industry.

The training institute launched what it claimed to be the world’s first ‘cyber boot camp’ back in April with the aim of getting recent graduates up to speed with real world infosecurity skills so they can more easily walk into a paid job.

With this in mind, the Cyber Academy compresses two years’ worth of training into just eight weeks, with only 31 “high potential” students chosen from over 25,000 candidates after completing an aptitude test.

Bradley and his fellow students completed the GIAC exams with scores which put them in the top 10% worldwide, SANS said.

"I was wary of quitting my job and starting the Academy, especially when I saw that people working in forensics and with degrees were going. I thought to myself, ‘I don’t have a degree, I just work for the council’, but I’m glad I went,” said Bradley.

“I wasn’t expecting to do so well but I knew I had to work extremely hard. I put a lot of work in and I’m glad it paid off.”

Fellow student, Kate Booth, a former university lecturer, praised the academy for offering an alternative way for women to enter what is still a very male-dominated industry.

“I was always interested in maths and science when I was at school and my parents gave me a lot of encouragement to do what I was interested in, but we need to do more as a country to support women into cybersecurity,” she explained.

“There is still a way to go, but initiatives like this can really help women to break through.”

Source: Information Security Magazine

Microsoft Patch Fail as Update Crashes Outlook

Microsoft has been forced to reissue a critical patch first released on Tuesday after users took to the web in numbers to complain it crashed their version of Outlook.

MS15-115, which was released in Microsoft’s monthly security update round on 10 November, was designed to fix several vulnerabilities in Windows.

The most severe of these could allow remote code execution “if an attacker convinces a user to open a specially crafted document or to go to an untrusted webpage that contains embedded fonts.”

However, soon after the updates were released by Microsoft, angry customers took to online forums to complain that it had crashed Outlook.

One had the following to say on the TechNet site on Wednesday:

“Today I've deployed the latest Outlook patch to all of my clients, and now Outlook is crashing every 10 minutes and then restarting itself. I tried on fresh Win10, no AV with latest patches applied and here we go, Outlook crashing there too.

Come on guys, do you EVER do proper QA before releasing anything office 2013 related? This is the worst version of Outlook ever. Sorry for negative attitude but this is how things are.”

IT staff took to Reddit’s Sysadmin page to vent further. One user complained: “Vice Prez of our Company was pissed at me all day. This was somehow my fault.”

In its favor, Microsoft appears to have acted quickly to resolve the issue, reissuing KB 3097877 by Thursday. It noted the following in a revision message:

“Bulletin revised to inform customers that the 3097877 update for Windows 7 and Windows Server 2008 R2 has been rereleased to correct a problem with the original update that could cause some applications to quit unexpectedly. Customers who have already successfully installed the update on Windows 7 or Windows Server 2008 R2 systems should reinstall the update.”

This is by no means the first time this year Microsoft has got into trouble with users by releasing patches which have subsequently caused problems.

And last December it was forced to pull not one but two fixes for similar reasons.

Source: Information Security Magazine

NIST Awards $1.86Mn IoT Privacy Grant

Amid growing concerns that internet of things (IoT) devices are inherently vulnerable to attacks that could compromise users’ information privacy and security, the NIST National Strategy for Trusted Identities in Cyberspace (NSTIC) has awarded a $1.86 million grant to build a secure data storage system.

NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies and other organizations to improve the privacy, security and convenience of online transactions. The pilot program team includes Tozny, which has built a password-free cryptographic authentication system, its parent company Galois, which builds open and secure technologies for government and commercial organizations; IOTAS, which provides smart-home technology for apartment buildings; GlobeSherpa, a mobile transit ticketing company; SRI International, the non-profit research institute and leader in biometric authentication; and 6 Degrees Consulting, which specializes in privacy policy.

Tozny will serve as the technical lead for the NSTIC pilot program.

The team will build a data storage and sharing platform that guarantees security and enables new use cases for collaborative connected devices—with an initial focus on allowing consumers to securely store and share private information across IoT-enabled smart homes and transportation systems. The system will protect the users’ data from being involuntarily shared, while at the same time enabling multiple IoT services and devices to easily collaborate in better serving smart home and connected device users.

The pilot program will initially focus on two NSTIC pilot program applications:

Smart Home IoT Authentication – Due to lack of standards and security expertise, many commodity IoT devices and cloud services have not been designed to be secure, easy to use and interoperable. Furthermore, elements of the system that are authenticated typically use weak passwords for login. IOTAS is already operating a smart-home pilot in apartment units in Portland, Oregon and San Francisco, CA. NSTIC support will allow IOTAS and Tozny to collaborate to add transparent but privacy-preserving authentication and encryption to this pilot.

Transit IoT Authentication – Many municipalities are deploying mobile ticketing in their public transit platforms, which allows riders to buy transit tickets on their mobile phone and use the phone itself as the ticket. Password authentication is a barrier for users suffering from password fatigue—particularly acute for mobile devices where inputting sufficiently complex passwords is challenging. NSTIC support will fund collaboration between Tozny and GlobeSherpa to pilot secure, password-free authentication.

“In the rush to build IoT products and services, security and privacy is often ignored until it’s too late,” said Isaac Potoczny-Jones, founder of Tozny and Galois’ principal investigator for the project. “The collective vision of this team is to enable data sharing between everyday connected devices, while putting security and privacy first. By the end of the pilot, users will be able to create accounts and authenticate to their home without passwords; prove that they’ve purchased transit tickets just by walking to their bus; and have their home and transit systems securely communicate and collaborate—all while preserving the user’s privacy.”

Source: Information Security Magazine

Top 50 UK Websites Offer Up Big Risk

It turns out that visiting any of the top 50 Web domains in the UK exposes visitors to an immense amount of risk, thanks to the outsized number of scripts and code that those sites are employing.

Menlo Security researchers examined the inner workings of the top 50 UK sites, and found, on average, that a browser will execute 19 scripts for each.

The top UK website executed 125 unique scripts when requested. But even taking out this outlier, 8% of the top 50 sites executed more than 50 scripts, and 72% of the top 50 sites executed fewer than 20 scripts.

“Knowing that visiting a top 10 site means that I’m allowing my browser to execute more than 25 scripts according to our data (that’s 25 scripts that may or may not be well written and/or secure), is a concern,” researcher Jason Steer said in a blog. “What’s more is that going to a top 25 UK website exposes my browser to more than 100 scripts without any knowledge of how good or bad they may be, and from over 50 unique websites in the background.”

Further, when looking at just how much “stuff” a browser downloads when visiting a top 50 UK website, the firm found that on average, the visitor’s browser will download 1.2MB of code. Media sites held the top two places for amount of downloaded code (No. 1 was a media site downloading 4.9MB of code), followed by social media, to make up the top 5 UK websites.

One site outside the top 50 took the cake: It downloaded 6.1MB of code.

Menlo researchers also looked at the backend of the top 50 UK websites to see which web-server software versions they reported. When Steer cross-referenced that information with the MITRE CVE database to look up known vulnerabilities for the versions reported, he found that 15 of the top 50 sites (30%) were running vulnerable server versions.

Microsoft IIS version 7.5 was the most prominent vulnerable version, reported with known vulnerabilities going back more than five years.

“There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but similarly, attackers can use scripting capabilities for iframe redirects and malvertising links to compromise browsers,” said Steer. “The main takeaways show that going to any popular website is now associated with some risk, as we see play out in numerous media stories every week.”

It should be noted that the sites in question are quite varied. At number 17 is a sinkholed malware domain that would indicate there are clearly a large number of infected computers still to clean up in the UK, Steer noted. News sites and social media dominated the top 20, with Google and Facebook taking over the top five spots. Banking and retail were also well represented throughout the top 50 list. There were also two adult content sites in the top 50, and a house/property search site made it at number 20.

Regardless, users don’t really have a way to protect themselves. “For many non-technical users, it’s not really an option to deploy, meaning the vast majority of users cannot make an educated choice on script permissions,” Steer said. Security professionals have been using browser plugins like NoScript for years; however, such plugins make the web-surfing experience worse.

Source: Information Security Magazine

Third of Global Organizations Lack Confidence in Ability to Detect Sophisticated Cyber Attacks

The 2015 edition of EY’s annual Global Information Security Survey, Creating trust in the digital world, has revealed a corporate world still worried about the latest generation of cyber-attacks.

The survey of 1,755 organizations from 67 countries found that 88% do not believe their information security structure fully meets their organization’s needs. When it comes to IT security budgets, just over two-thirds want their budgets increased by up to 50% to align their organization’s need for protection with its management's tolerance for risk.

There were a variety of sources of concern for respondents. Criminal syndicates (59%), hacktivists (54%) and state-sponsored groups (35%) retained their top rankings as the most likely sources of cyber-attacks. Compared with last year’s survey, respondents rated these sources as more likely: up from 53%, 46% and 27%, respectively, in 2014.

Encouragingly, the survey also found that companies currently feel less vulnerable to attacks arising from unaware employees (44%) and outdated systems (34%), down from 57% and 52%, respectively, a year earlier. However, they feel more threatened today by phishing and malware. Almost half (44%) of respondents ranked phishing as their top threat (up from 39% in 2014), while 43% consider malware their biggest threat. The latter figure was 34% in 2014.

“Organizations are embracing the digital world with enthusiasm, but there must be a corresponding uptick in addressing the increasingly sophisticated cyber threats,” commented EY Global Cybersecurity Leader Ken Allan. “Businesses should not overlook or underestimate the potential risks of cyber breaches. Instead, they should develop a laser-like focus on cybersecurity and make the required investments. The only way to make the digital world fully operational and sustainable is to enable organizations to protect themselves and their clients and to create trust in their brand.”

But such protection was not being felt in general by respondents who felt that organizations were falling short in thwarting a cyber-attack. Just over half (54%) indicated that their firm lacked a dedicated function that focuses on emerging technology and its impact while 47% did not have a security operations center.

Slightly more than a third (36%) did not have a threat intelligence program, while 18% did not have an identity and access management program. More than half (57%) said that the contribution and value that the information security function provides to their organization is compromised by the lack of skilled talent available, compared with 53% of respondents in the 2014 survey, indicating that the situation is deteriorating, rather than improving.

Offering advice on how firms needed to react, EY global risk leader Paul van Kessel said: “Cybersecurity is inherently a defensive capability, but organizations should not wait to become victims. Instead, they should take an ‘active defense’ stance, with advanced security operations centers that identify potential attackers and analyze, assess and neutralize threats before damage can occur. It is imperative that organizations consider cybersecurity as an enabler to build and keep customers’ trust.”

Source: Information Security Magazine