#BHUSA: Defending Against Morphing DDoS with SODA

In session at the Black Hat USA conference in Las Vegas, F5 Networks researchers outlined the challenges of morphing DDoS attacks and announced the release of a new open source tool called SODA in an effort to help test defenses for attack resilience.

SODA is an acronym for Simulation of DDoS Attacks, and it provides multiple traffic generation tools to simplify DDoS protection testing. The inspiration for SODA came from a July 2018 attack against encrypted email provider ProtonMail by an aggressive form of Distributed Denial of Service (DDoS) attack that was constantly morphing its tactics. The attack and its unusual approach to disruption led F5 Networks researchers to work out how to help organizations better defend themselves against this new type of DDoS.

Mudit Tyagi, Architect, Security Products, F5 Networks, explained that the attack vectors used in the ProtonMail morphing DDoS attack were common ones, including UDP and SYN floods.

"What made the attack so complex to defend against was that the attacker kept on changing the attack; they kept on morphing," he said.

Tyagi added that after the Protonmail attack, his team took it upon themselves to figure out how to catch morphing attacks. The first step was to build a tool that could simulate morphing attacks, so organizations could test their own defences to see what would happen and what might be lacking. The end result of that effort is SODA.

"SODA can be used to put down any part of your infrastructure," explained Mikhail Federov, Product Management Engineer, Security, F5 Networks.

The SODA tool combines a number of built-in DDoS attacks and then morphs the vector according to a predefined pattern and interval. On the defender or blue team side, Federov explained that the setup brings together multiple components to simulate an environment. Among the tools are DVWA (Damn Vulnerable Web Application), the pfSense firewall, Telegraf for sending metrics, InfluxDB for storing the data and finally Grafana for the dashboard. Users put the DDoS solution of their choice in front of the firewall and can then see how it responds to SODA's simulated attacks.

Tyagi said that what typically happens is organizations configure static vectors for DDoS response with set thresholds, for example limiting UDP traffic at a certain traffic volume. Given that morphing DDoS attacks can take aim at different resources, in his view, thresholds don't work. They also don't work because good traffic is also blocked and the potential for false positives is non-trivial.

Federov commented that simply doing anomaly detection at the network level is not accurate either and the lesson learned from testing with SODA is that there is also a need to use anomaly detection at the application level.

Tyagi added that organizations can use SODA to run bake-offs between DDoS products that test their resilience against morphing attacks.

"We don't care what you use for DDoS, ProtonMail got attacked and we got really charged and we wanted to help the community to defend against similar types of attacks," he said. "Whatever you use, focus on intelligent mitigation and test your posture, we understand it's hard and that's why we give you a kit with SODA."

Source: Information Security Magazine

Researchers Detect Spambot Recording Victims' Screens as They Watch Sexual Content

Researchers at ESET have discovered malware-distributing spam campaigns targeting people in France.

Dubbed Varenyky, the malicious payload comes with several dangerous functionalities. Not limited to the sending of spam, it can also steal passwords and even spy on victims’ screens while they watch sexual content online.

The first spike in ESET telemetry for this bot came in May 2019, and after further investigation, researchers were able to identify the specific malware used in the spam’s distribution.

“We believe the spambot is under intense development as it has changed considerably since the first time we saw it. As always, we recommend that users be careful when opening attachments from unknown sources and ensure system and security software are all up to date,” said Alexis Dorais-Joncas, leading researcher at the ESET R&D center in Montreal.

As explained in an ESET blog post, Varenyky first infects victims – exclusively French-speaking users in France – with a fake invoice that lures the target into providing “human verification” of the doc. From there, the spyware executes the malicious payload.

After infection, Varenyky executes Tor software, which enables anonymous communication with its command-and-control (C&C) server.

“It will start two threads: one that’s in charge of sending spam and another that can execute commands coming from its command-and-control server on the computer,” added Dorais-Joncas. “One of the most dangerous aspects is that it looks for specific keywords, such as bitcoin and porn-related words, in the applications running on the victim’s system. If any such words are found, Varenyky starts recording the computer’s screen and then uploads the recording to the C&C server,” he added.

ESET explained that, interestingly, the targets of all the spam runs observed were users of Orange S.A., a French internet service provider.

Source: Information Security Magazine

LokiBot Gets Sneakier With Steganography

The LokiBot malware continues to evolve and is now using steganography to cloak its malicious files, according to a report from Trend Micro this week.

Recently highlighted as one of the top three malware strains of 2018, LokiBot started out as a password- and cryptocurrency wallet–stealing malware on hacker forums as early as 2015, but it has evolved, according to Trend Micro. It has taken to abusing the Windows installer and updating the methods that it uses to stay on the victim's system.

Now, Trend Micro has identified a new variant of the malware that uses steganography to help hide its malicious intent. It installs itself as a .exe file along with a separate .jpg image file. The image opens normally, but it also contains data that LokiBot uses when unpacking itself.

This LokiBot variant drops the image and the .exe file into a directory that it creates, along with a Visual Basic script file that runs the LokiBot file. Its unpacking program uses a custom decryption algorithm to extract the encrypted binary from the image.

Trend Micro has seen LokiBot hiding inside image files before. In April, it reported a variant of the malware that hid a .zipx attachment inside a .png file.

Steganography has two benefits for malware authors, warned the researchers. First, it provides another layer of obfuscation, helping the malware to slip past some email security systems. Second, it provides the malware authors with more flexibility. This variant used the VBScript file interpreter to execute the malware rather than relying on the malware to execute itself. This means that the authors can change the script to alter the technique that LokiBot uses to install itself.
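The article does not describe exactly how this variant embeds its encrypted binary, so the following added example (not Trend Micro's or LokiBot's code) checks the most common layout a triage analyst looks for first: opaque data appended after the image's end marker, where an image viewer stops reading but an unpacker can still find it. The sample JPEG and PNG byte strings are constructed here for the demonstration.

```python
import struct

# Constructed sample files (not real malware samples): a minimal JPEG
# structure and a minimal PNG, each with and without a blob appended.
def _minimal_jpeg():
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"JF"   # APP0 segment, length 4
    sos = b"\xff\xda" + struct.pack(">H", 2)             # Start-Of-Scan, empty header
    scan = b"\x12\x34\xff\x00\x56"                       # scan data with FF 00 stuffing
    eoi = b"\xff\xd9"                                    # End-Of-Image
    return soi + app0 + sos + scan + eoi

CLEAN_JPEG = _minimal_jpeg()
STEGO_JPEG = CLEAN_JPEG + b"\x9c\x1f\x00\xaa" * 16       # 64 bytes of opaque payload
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CLEAN_PNG = PNG_SIG + struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82"
STEGO_PNG = CLEAN_PNG + b"payload-after-IEND"

def jpeg_trailing_bytes(data):
    """Walk the JPEG marker segments, locate EOI (FF D9) and return how many
    bytes follow it. Returns -1 if the data is not a well-formed JPEG."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return -1                                    # lost sync: malformed
        marker = data[pos + 1]
        if marker == 0xD9:                               # EOI before any scan
            return len(data) - (pos + 2)
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                                     # standalone markers
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                               # SOS: scan data follows
            break
    # Inside scan data every 0xFF is followed by 0x00 or an RSTn marker,
    # so the first FF D9 after SOS is the real End-Of-Image marker.
    eoi = data.find(b"\xff\xd9", pos)
    return -1 if eoi == -1 else len(data) - (eoi + 2)

def png_trailing_bytes(data):
    """Walk PNG chunks to IEND and return how many bytes follow its CRC."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4                            # header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    return -1                                            # no IEND: malformed

def trailing_bytes(data):
    """Dispatch on the file signature; -1 means unknown or malformed."""
    if data[:2] == b"\xff\xd8":
        return jpeg_trailing_bytes(data)
    if data.startswith(PNG_SIG):
        return png_trailing_bytes(data)
    return -1

def is_suspicious(data, threshold=16):
    """A few trailing bytes are often benign padding; a larger blob after the
    end marker is worth pulling into triage."""
    return trailing_bytes(data) > threshold
```

The check is a heuristic: it catches appended payloads but not data hidden in metadata segments or pixel values, which need a parser for those structures.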

Steganography is becoming an increasingly common form of obfuscation for malware authors. Other notable uses of the technique include the Stegoloader backdoor Trojan and the Vawtrak malware, which hid update files in favicons. The 2019 VeryMal campaign also used the technique to hide malware in advertising images.

Source: Information Security Magazine

IBM's Warshipping Attacks Wi-Fi Networks From Afar

You've heard about wardriving, but what about warshipping? Researchers at IBM X-Force Red have detailed a new tactic that they say can break into victims' Wi-Fi networks from afar.

The company calls the technique warshipping, and it is a more efficient evolution of wardriving, a popular technique among hackers seeking access to any wireless network they can find. Whereas wardrivers drive around a wide area with a directional antenna looking for wireless networks to crack, IBM's researchers took a more targeted approach.

Speaking at Black Hat USA, IBM researchers explained how they used off-the-shelf components costing under $100 to create a single-board computer with Wi-Fi and 3G capability. This enables it to connect to a Wi-Fi network to harvest data locally and then send it to a remote location using its cellular connection. The small device runs on a cell phone battery and easily fits into a small package.

Attackers can then send the device to a company via regular mail, where it will probably languish in a mail room for a while. During this time, it can connect to any Wi-Fi networks it finds in the building and harvest data – typically a hashed network access code. It sends this back to the attacker, who can then use their own resources (or a cloud-based cracking service) to extract the original access code. At this point, they have access to the company's Wi-Fi network.

The warship device could access the Wi-Fi network and mount a man-in-the-middle attack, impersonating a legitimate Wi-Fi access point and coaxing company employees to access it. It would then be able to harvest their credentials and other secrets, IBM explained.

The device could be programmed to wake up periodically and use its 3G network to check a command and control server for instructions on whether to begin its attack or go back to sleep. This would help preserve its battery, IBM said.

The concept works in practice, warned the company, which said: "In this warshipping project, we were, unfortunately, able to establish a persistent network connection and gain full access to the target’s systems."

Chris Henderson, global head of IBM X-Force Red, has written up the attack at SecurityIntelligence.

Source: Information Security Magazine

Children's Tablet Revealed Location, Researchers Found

Researchers at the Black Hat security conference this week have revealed vulnerabilities in a leading children's tablet.

The researchers, from security company Checkmarx, found several flaws in the LeapPad Ultimate, a rugged tablet device by LeapFrog, ThreatPost reported today.

The flaws revolved around Pet Chat, an app that lets children talk to each other in a virtual room using pet avatars and predefined phrases. The app creates a peer-to-peer Wi-Fi connection (also known as Ad Hoc mode) that broadcasts the tablet's presence to similar devices using the SSID Pet Chat.

Checkmarx researchers used WiGLE, a wireless network mapping website, to track the location of LeapPads using Pet Chat. The vulnerability would allow anyone online to find the location of a LeapPad using Pet Chat by seeking them out on public Wi-Fi or tracking the device's MAC address.

Because Pet Chat didn't require authentication between devices, anyone near a LeapPad running the app could send an unsolicited message to the child with it, potentially using the preset phrases to lure the child into danger.

The LeapPad's outgoing traffic was also unencrypted, using HTTP rather than the TLS/SSL-encrypted HTTPS, the researchers warned.

They disclosed the Pet Chat vulnerability to LeapFrog in December 2018, although the company didn't remove it until June 2019.

This isn't the first time that children have been exposed by technology that purports to help them. In February, security consulting firm Pen Test Partners discovered that cybersecurity in children's smart watches had failed to improve following a report from the Norwegian Consumer Council in early 2018. The European Commission issued a recall order for one smartwatch, called Safe-KID-One, from German company ENOX, which sent information including location history and phone numbers in the clear. Malicious users could send commands to any watch, making it call a number of their choosing.

LeapFrog didn't return our request for comment by press time.

Source: Information Security Magazine

#BHUSA Need For Technologists to Be Recognized and Empowered

In a panel at Black Hat USA, cryptographer Bruce Schneier; Camille Francois, research and analysis director at Graphika and fellow at Harvard Law School Berkman Center; and Eva Galperin, director of cybersecurity at the EFF, talked about the benefits of technologists to society.

In a panel titled “Hacking for the Greater Good: Empowering Technologists to Strengthen Digital Society,” Francois said that the concept of technologists is not new “and not tied to the nature of Black Hat and DEFCON.” Galperin said that the EFF began adding technologists in the 1990s as people “who explained things to lawyers or take on large challenges like securing endpoints,” but the role of the technologist requires a different set of skills and day-to-day work from what most companies were doing.

This is because the “notion of adversarial research is an act of public interest technology,” Schneier said, and that it is "not new to me, or new to the community.” 

Schneier said that the practice of finding systems that are sold and relied on, and testing them without the permission of the company or government, should be welcome as "they are evaluated and determine whether they should be used."

“When we do this as academics or in a threat lab, we are engaging in the public interest,” Schneier said.

Francois asked about when the Edward Snowden leaks were disclosed, saying that there was a reliance on technologists to help journalists with stories. “I was called by Glenn Greenwald to look at the documents, and journalists needed associate technologists to figure out what was going on,” Schneier said.

Francois said that there is a need to better prove the capabilities of technologists who serve the public interest. Schneier said: “We are seeing a lot more groups trying to bridge technology and policy and especially our area of tech security. Some is for fame and glory, some is for funding. Technologists want to do collaboration.”

Galperin said that the EFF’s niche of human rights in technology is “now touching everyone’s lives” and as technologists become more mainstream and important, “the opportunity for misunderstanding is higher.” She said that she is finding that battles that were thought to have been won, such as backdoors in end-to-end encryption, are being re-fought.

Source: Information Security Magazine

#BHUSA Jeff Moss Talks of Need to be Better Communicators

Opening Black Hat USA’s keynote, founder Jeff Moss talked of the need to focus on better communication, and look at “how we communicate and what we talk about.”

Moss said that a lot of the talks over the past 20+ years at Black Hat had been about wanting the attention of management, political leaders and the board. Now that they are listening, he asked what the industry is going to do with that attention.

“How we communicate really determines our outcomes, so for example now that the spotlight is on us, if we communicate well to the board you might get more budget, and if you communicate poorly to the board, you might get fired,” he said.

He asked how you communicate what “cyber” or “security” is, and said that the language we use causes us to think of problems in a certain way and “leads in a direction we may not want to go in.”

Moss used the example of cyber being seen as the fifth domain by the military, but said that does not mean it is equal “and we are using language in a way that doesn’t fit.”

Moss said that although we are still in the early days of the internet, several defining trends are emerging, including “centralized versus decentralized.” He said he believes in the latter, “but there are efficiency gains in centralized.”

Moss said that we’re in a “centralization phase” and that will enable law enforcement and regulation and if the trend continues, he speculated, none of us will be surprised that we are more regulated.

“I’m a big believer that most of our problems are communications problems,” he said, adding that in DEF CON post-mortems, 80% of the problems are communications related and “totally fixable communications problems.”

Moss concluded by saying: “This gives me a lot of hope because we can fix communications problems. We are not inventing a new kind of maths, but what we have to do is reorder the way we think about things and reorder the way in which we communicate things and once we do that, you’ll see we will get completely different outcomes. Whether it is outcomes from our boss, or politicians or regulation. It is a bit of a soft skill that leads to better outcomes.”

Source: Information Security Magazine

Microsoft, Apple Level Up Bounties

Microsoft and Apple have both leveled up their bug bounty programs with new incentives for security researchers.

Microsoft has doubled the top bounty reward for vulnerabilities in its Azure cloud software to $40,000. It also introduced a hacker environment called the Azure Security Lab, which is a cloud infrastructure dedicated to letting cybersecurity researchers test out their skills in an IaaS environment.

Hackers don't get to color outside the lines. Instead, the Lab includes a series of scenario-based challenges that they can follow to try and exploit the system. They can earn up to $300,000 if they succeed, according to Microsoft's blog post announcing the Lab.

Hackers wanting access to the Azure Security Lab must request a Windows or Linux VM.

Apple is also reportedly fleshing out its existing bounty program in two ways. Forbes reports that the company will announce plans to give security researchers developer versions of its iPhone, featuring access to the underlying software and hardware that normal users don't get. These phones, which will be available only to existing participants in Apple's invitation-only bug bounty program, will let them inspect system memory, for example.

Apple will also unveil a bug bounty program for its macOS operating system, according to the report. This could mean that researchers like Linus Henze, who discovered a bug in the Mac operating system's keychain password manager earlier this year, will finally get paid. The teenager had originally planned not to privately disclose the bug to Apple because it hadn't been paying for macOS bugs.

An announcement at Black Hat 2019 this week would mark the third anniversary of Apple's original bug bounty program, in which it promised to pay up to $200,000 for the best reported security flaws.

Source: Information Security Magazine

Cloud Security Alliance Releases New Threat List

The Cloud Security Alliance has unveiled its Top Threats to Cloud Computing: Egregious Eleven report, which lists the top 11 cybersecurity problems facing cloud computing users. It is the first major update to the list since 2016, when the Alliance released the Treacherous 12, although it has released reports taking a deep dive into the threats with case studies in the interim.

Data breaches still top the list, unmoved since 2016. Other perennial threats remaining on the list from last time are poor identity management, insecure APIs, account hijacking, insider threats and the abuse and nefarious use of cloud services.

That leaves room for five new threats.

Weak control plane

In this scenario, the user doesn't understand how data flows in the cloud and may lack processes for securing and verifying it.

Metastructure and applistructure failures

This risk revolves around the application programming interfaces that allow customers to extract information about security protections and operations in the cloud. Examples include logging and audit information. Cloud service providers (CSPs) must understand what to provide and customers must use this wisely, the report warns.

Misconfiguration and inadequate change control

It's no wonder that this threat appeared on the list. It concerns the misconfiguration of cloud resources that could then expose sensitive information. Every accidentally exposed S3 bucket or Elasticsearch database falls into this category.

Lack of cloud security architecture and strategy

The big problem here is a misunderstanding of the shared-responsibility model. Customers lift and shift their operations into the cloud assuming that the CSP will take care of all the security, without understanding their own responsibilities.

Limited cloud usage visibility

This is the culprit behind shadow IT, when users buy cloud applications without informing IT and then use them insecurely.

What's interesting about this release is its increasing focus on administrator mistakes rather than purely on external bad actors and more traditional security issues. In short, the security challenges are becoming more nuanced, according to the Alliance, which suggests a gradual maturing of the cloud security landscape.

Source: Information Security Magazine

Poor University Cybersecurity Opens UK Students Up to Phishing Attacks

As A-Level results day rolls around, UK universities are sorely lacking in cybersecurity protections, according to security company Proofpoint.

The company tested the UK's top universities, as ranked by the Complete University Guide, and found 65% of them were not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records.

DMARC is a protocol that organizations can use to decide whether email servers should accept an email, making it a useful weapon against phishers. Without it, you can't be sure that an email sent to you came from a legitimate sender rather than a phisher spoofing that domain.

Adenike Cosgrove, cybersecurity strategist at Proofpoint, said that the lack of a published DMARC record leaves universities open to impersonation attacks, which could be a problem next week when students start getting their A-Level results.

“In this particular example, cyber-criminals would spoof the university’s domain and send emails to would-be students’ consumer mailboxes (Gmail, Hotmail, etc.)," she explained. "Without DMARC, criminals can use the exact email address of the university in question. With DMARC, the university can block (with a ‘reject’ policy) any unauthorized use of its domain, communicating to receivers (i.e., the consumer ISPs in this case) that any unauthorized senders using its domains should be blocked. In essence, DMARC works to protect consumers (outbound), employees (inbound) and business partners from email fraud.”

Although 35% of the top 20 universities in the UK had published a DMARC record, only 5% of them were using the strictest settings, which are the ones that would block fake emails from reaching the students, Proofpoint warned.
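The distinction the article draws between "having a DMARC record" and "using the strictest settings" (p=reject, applied to all mail and to subdomains) can be checked mechanically. The following is an added example, not Proofpoint's survey code: it parses DMARC TXT records and grades each domain's spoofing protection. The records are constructed for the demonstration; a real survey would fetch each one from DNS at `_dmarc.<domain>`.

```python
# Constructed sample records (not the real universities' records).
# None stands in for a domain with no _dmarc TXT record at all.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
    "strict-weak-sub.example": "v=DMARC1; p=reject; sp=none",
    "malformed.example": "p=reject",   # missing the required v=DMARC1 tag
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value.

    Returns None when the record is absent or does not carry v=DMARC1,
    which receivers treat as 'no DMARC policy for this domain'."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def classify(record):
    """Grade the protection a domain's DMARC record gives against spoofing.

    'none'    - no usable record: spoofed mail is accepted as if legitimate
    'monitor' - p=none: reports only, nothing is blocked
    'partial' - quarantine, or reject applied to less than 100% of mail,
                or subdomains left weaker than the organizational domain
    'strict'  - p=reject on 100% of mail, subdomains included"""
    tags = parse_dmarc(record)
    if tags is None or "p" not in tags:
        return "none"                       # p is mandatory; treat absence as invalid
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor"
    if policy == "reject" and sub_policy == "reject" and pct >= 100:
        return "strict"
    return "partial"

def summarize(records):
    """Count domains per grade, the kind of tally the Proofpoint survey reports."""
    counts = {"none": 0, "monitor": 0, "partial": 0, "strict": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts
```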

Students should be extra diligent when receiving email from universities, the company warned, especially if they request log-in credentials or threaten to suspend an account if they don't click on a link. They should use strong passwords that are individual to each account, it concluded.

Source: Information Security Magazine