Archive for the News Category

Attackers Spoofing Known Tech, Security Brands

Researchers at GreatHorn have identified what they are calling a widespread attack in which attackers spoofed both the Microsoft brand in the display name and the Barracuda Networks brand in the return path and received headers, with the goal of stealing credentials.

The attack is notable in that the return path spoofs noreply.barracudanetworks.com. “The attackers crafted the received headers so that it appears to have gone through multiple “Barracuda” hops prior to sending the email via a server designed to look like a Barracuda server. Microsoft has then automatically appended legitimate received header details to the spoofed headers, making it appear that much more legitimate,” researchers wrote.

According to GreatHorn’s blog post, the attackers leveraged a known weakness in how Microsoft handles email authentication. Even when a sending domain’s DMARC (domain-based message authentication, reporting and conformance) policy dictates how failures and exceptions should be handled, “Microsoft Office 365 typically ignores those directives and, at best, treats them as spam or junk instead of quarantining or rejecting them, making it more likely for the user to interact with such spoofs.”
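The pattern above (a trusted brand in the display name, a different vendor's domain in the return path, and a chain of forged Received hops) is easy to spot mechanically once the headers are pulled apart. The following is an added example, not code from GreatHorn or from the article: it parses a constructed message modelled on the described attack, flags the brand/domain mismatch, and applies a DMARC record the way a receiver is supposed to, so the difference between the policy-requested disposition (reject) and the behaviour the article attributes to Office 365 (junk) is visible. The hostnames, addresses, the DMARC record and the brand-to-domain table are all assumptions; the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup a real receiver performs.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message modelled on the pattern GreatHorn described: a
# "Microsoft" display name, a barracudanetworks.com return path and forged
# Received hops. Hostnames, addresses and IPs are assumptions, not report data.
RAW_MESSAGE = b"""Return-Path: <noreply@noreply.barracudanetworks.com>
Received: from o365-edge.outlook.example (203.0.113.5)
 by mx.victim.test with ESMTPS; Thu, 11 Apr 2019 10:00:01 +0000
Received: from bcs-mta-01.barracudanetworks.com (198.51.100.9)
 by o365-edge.outlook.example; Thu, 11 Apr 2019 09:59:58 +0000
Received: from bcs-relay-02.barracudanetworks.com (127.0.0.1)
 by bcs-mta-01.barracudanetworks.com; Thu, 11 Apr 2019 09:59:57 +0000
From: "Microsoft Office 365" <noreply@noreply.barracudanetworks.com>
To: user@victim.test
Subject: Action required: your mailbox is almost full
Content-Type: text/plain

Sign in at https://login.example.invalid/ to keep receiving mail.
"""

# Assumed brand-to-domain map; a real deployment maintains its own list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "outlook.com", "office.com"},
    "barracuda": {"barracudanetworks.com"},
}


def org_domain(domain):
    """Approximate DMARC's organizational domain as the last two labels.
    Real receivers consult the Public Suffix List; this shortcut is wrong for
    names like example.co.uk and is a deliberate simplification."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_headers(raw):
    """Pull the fields a phishing triage cares about out of a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+(\S+)", str(hdr))
        hops.append(m.group(1) if m else "?")
    return {
        "display_name": display_name,
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "return_path_domain": return_path.rpartition("@")[2].lower(),
        # First entry was written by the MTA closest to us; the forged
        # "Barracuda" hops sit underneath it, exactly as the article describes.
        "received_hops": hops,
    }


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Apply a DMARC record as RFC 7489 intends: pass if SPF or DKIM passed
    *and* is aligned with the From domain, else return the owner's policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()

    def aligned(auth_domain, mode):
        if mode == "s":  # strict: exact match
            return auth_domain.lower() == from_domain.lower()
        return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

    if spf_pass and aligned(spf_domain, tags.get("aspf", "r")):
        return "pass"
    if dkim_pass and aligned(dkim_domain, tags.get("adkim", "r")):
        return "pass"
    return tags.get("p", "none")


def brand_mismatch(display_name, from_domain):
    """Return the brand named in the display name when the From domain is not
    one of that brand's domains (a 'Microsoft' name on a Barracuda sender)."""
    name = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and org_domain(from_domain) not in domains:
            return brand
    return None


def triage(raw, dmarc_record, spf_pass=False, dkim_pass=False):
    """Combine header parsing, brand check and DMARC evaluation for one message.
    SPF is evaluated against the Return-Path domain; for DKIM this example
    assumes the signing domain equals the From domain (an assumption)."""
    h = parse_headers(raw)
    return {
        **h,
        "brand_mismatch": brand_mismatch(h["display_name"], h["from_domain"]),
        "dmarc": dmarc_disposition(dmarc_record, h["from_domain"],
                                   spf_pass, h["return_path_domain"],
                                   dkim_pass, h["from_domain"]),
    }


if __name__ == "__main__":
    # Constructed policy for the spoofed domain; a real check fetches
    # _dmarc.<domain> TXT from DNS. Neither SPF nor DKIM passes for a forgery.
    for key, value in triage(RAW_MESSAGE, "v=DMARC1; p=reject; adkim=s; aspf=s").items():
        print(f"{key}: {value}")
```

With a p=reject record and no passing, aligned authentication the function returns "reject"; a receiver that downgrades that to the junk folder, as the article says Office 365 does, is where the attacker's margin comes from. The brand check is the cheap complementary signal: the display name claims one organisation while the organizational domain belongs to another.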

That a major tech company has not fully embraced DMARC is in line with the findings of a recent ValiMail report, Tech Companies Make Progress in Anti-Phishing Protection, which found that 90% of large tech companies are vulnerable to spoofing and that only 49% of global technology companies are enforcing DMARC.

“This is a good example of how attackers are adapting to user awareness and preventative technology,” said Terence Jackson, chief information security officer at Thycotic. “User education and email protection technology are needed, but we have to make sure that user training is continuous and the technology we put into place is not static but dynamic and utilizes a degree of machine learning to analyze these types of new attacks.

“Attackers are going to great lengths to obtain user credentials to access sensitive data. Hopefully GreatHorn’s customers had multifactor authentication enabled, which should have limited the scope of this attack. But as we’ve seen before, users tend to reuse passwords on multiple sites, which again highlights the need for the use of password managers and better personal cyber hygiene.”

Source: Information Security Magazine

Mailgun Web Issues from WordPress Plugin Hack

Email automation and delivery service Mailgun announced that it has resolved a security incident that resulted from a massive coordinated attack against WordPress sites.

“The mailgun.com webpage began issuing redirects to sites outside of our domain. We immediately launched an incident to determine the source of the redirects and determined that a plugin for WordPress was responsible for issuing the redirects. We've disabled the plugin responsible for this issue,” the security incident notice said.

“Our applications including the Mailgun Dashboard, APIs, and customer data stored on our platform were not impacted by this issue.”

In a massive attack on WordPress sites, bad actors exploited a cross-site scripting (XSS) vulnerability in the Yuzo Related Posts plugin to inject JavaScript that redirected visitors to tech support scams, spam ad pages, malicious software updates and more.
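An injected redirect of this kind leaves a recognisable trace in the rendered page: a script whose only job is to move the visitor to a host the site does not own. The following is an added example, not code from Mailgun, the plugin author or the article, showing one way to triage a site after such a report. It collects inline scripts, external script sources and meta-refresh targets from a page, expands the common `String.fromCharCode(...)` trick used to hide URLs, and reports any navigation target whose host differs from the site's own. The sample HTML and the off-site hosts are constructed; a real sweep would fetch the page as an unauthenticated visitor, since the redirects in this campaign targeted visitors rather than logged-in admins.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one legitimate same-site redirect, one external script
# from the site's own host, and two injected off-site redirects (one hidden
# with String.fromCharCode). None of this is real campaign content.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=https://example.test/home">
<script src="https://example.test/wp-includes/js/jquery.js"></script>
<script>
// legitimate: same-site navigation
if (!document.cookie.includes("seen")) { window.location.href = "https://example.test/welcome"; }
</script>
<script>
// injected redirect: plain string
window.location = "https://tech-support-scam.invalid/alert";
</script>
<script>
// injected redirect: URL hidden with String.fromCharCode
document.location.href = String.fromCharCode(104,116,116,112,115,58,47,47,117,112,100,97,116,101,46,105,110,118,97,108,105,100,47);
</script>
</head><body>Hello</body></html>"""

# Navigation sinks: location / location.href assignment, location.replace/assign
_SINK = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""",
    re.I,
)
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")


class _ScriptCollector(HTMLParser):
    """Collect inline script bodies, external script srcs and meta refresh URLs."""

    def __init__(self):
        super().__init__()
        self.inline, self.srcs, self.meta_refresh = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.srcs.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def deobfuscate(js):
    """Expand String.fromCharCode(n, n, ...) literals into quoted strings so the
    sink regex can see the URL. Other obfuscation layers are out of scope here."""
    def expand(m):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return _FROMCHARCODE.sub(expand, js)


def find_redirect_injections(html, site_host):
    """Return (kind, url) pairs for every navigation target or script source
    that points off-site. Off-site script srcs include legitimate CDNs, so
    that category is for review rather than an alert on its own."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for body in p.inline:
        for m in _SINK.finditer(deobfuscate(body)):
            url = m.group(1) or m.group(2)
            host = urlparse(url).hostname
            if host and host != site_host:
                findings.append(("inline-js", url))
    for src in p.srcs:
        host = urlparse(src).hostname
        if host and host != site_host:
            findings.append(("external-script", src))
    for url in p.meta_refresh:
        host = urlparse(url).hostname
        if host and host != site_host:
            findings.append(("meta-refresh", url))
    return findings


if __name__ == "__main__":
    for kind, url in find_redirect_injections(SAMPLE_HTML, "example.test"):
        print(f"{kind}: {url}")
```

Because the Yuzo injection lived in plugin settings stored in the WordPress database, removing the plugin (as Mailgun did) stops the script from being served; the page scan above is the check that confirms the redirect is gone from what visitors actually receive.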

“While unfortunate, this is not new and will be a problem that always persists,” said Chris Morales, head of security analytics at Vectra. “The best advice I can give at this time is that users need to pay careful attention to the sites they do visit at any given time and be careful what information they are providing.”

The Yuzo problem was reportedly worsened because the web developer who discovered the vulnerability published proof-of-concept code rather than reporting the issue to the plugin author, who has since posted that he will soon release an improved version of the plugin for all users.

“Vulnerabilities in WordPress plugins have been a long-standing problem. The plug-in directory is very much like the Google Play store, where vetting of apps is a major weakness,” said Chris Orr, systems engineer at Tripwire.

“Lack of notification by the plug-in developer is also an issue to contend with. It is recommended that WordPress users either automatically update the platform and their apps or pay close attention to the ones they use and how they behave and keep an eye out for vulnerabilities.”

Notification from the developer, though, was somewhat complicated by the lack of care taken to properly disclose the vulnerability, according to Oscar Tovar, application security specialist at WhiteHat Security.

“Proper, responsible vulnerability disclosures are something that should be carried with the utmost of care. The failure to do so can have widespread and serious repercussions. In this case, it was unfortunate that the zero-day was released to the public instead of the plugin author. If the author had been alerted with the vulnerability’s proof of concept, things would have played out completely differently.

“This incident can serve as a valuable example of how serious publishing a zero-day into the wild can be and hopefully prevent the same error from happening again in the future. The risks of deviating from a responsible disclosure are simply too great.”

Source: Information Security Magazine

Matrix Compromised Through Known Jenkins Flaws

Matrix users are encouraged to change their passwords after an unauthorized actor gained access to the servers hosting Matrix.org. Those using IRC bridging are also encouraged to change their NickServ passwords.

An open network for secure, interoperable, decentralized, real-time communication over IP, Matrix is used across instant messaging, VoIP/WebRTC signaling and internet of things (IoT) communication, according to the company’s website.

On April 9, 2019, security researcher Jaikey Sarraf alerted Matrix to existing vulnerabilities in Jenkins, which Matrix said it used for continuous integration. “The version of Jenkins we were using had a vulnerability (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002) which allowed an attacker to hijack credentials (forwarded ssh keys), giving access to our production infrastructure.”

When Matrix identified that machines had been compromised, the company removed Jenkins and reportedly denied the attacker access to the compromised machines.

Matrix updated the security incident notice today, stating: “At around 5am UTC on Apr 12, the attacker used a cloudflare API key to repoint DNS for matrix.org to a defacement website (https://github.com/matrixnotorg/matrixnotorg.github.io). The API key was known compromised in the original attack, and during the rebuild the key was theoretically replaced. However, unfortunately only personal keys were rotated, enabling the defacement. We are currently double checking that all compromised secrets have been rotated.

“The rebuilt infrastructure itself is secure, however, and the DNS issue has been solved without further abuse. If you have already changed your password, you do not need to do so again.”

Noting that no home servers besides Matrix.org have been affected, the company said, “The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. The hacker exploited a vulnerability in our production infrastructure (specifically a slightly outdated version of Jenkins).”

All users were logged out of Matrix.org, and “the matrix.org home server has been rebuilt and is running securely; bridges and other ancillary services (e.g. this blog) will follow as soon as possible. Modular.im home servers have not been affected by this outage,” the security incident notice stated.

The investigation remains ongoing, but thus far there has been no evidence that large quantities of data were downloaded, though “the attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised.”

Source: Information Security Magazine

Russia Plans to Cut Users Off From Global Internet

Russian lawmakers have approved a bill which could allow the government to cut access to foreign servers, in a move critics believe could see the nation attempt to ape China’s fearsome censorship apparatus.

Passed in its second reading by an overwhelming 320 votes to 15, the legislation could become law by November 1, according to reports.

The government has claimed it could help enhance national security by helping Russia preempt any online attack or disruption from foreign powers.

Its supporters cite a US report unveiled by Donald Trump last year that blamed Russia for being a top cyber threat, giving the superpower a motive to use its offensive capabilities.

However, others believe the “sovereign internet” bill smacks more of an attempt by the authorities to mimic the Great Firewall, China’s censorship infrastructure, which effectively cuts its 800 million netizens off from the global internet, allowing only highly filtered traffic through.

This would seem to fit with concerns in the Kremlin about Russia’s over-reliance on US tech companies, which could put it at a strategic disadvantage during any geopolitical crisis. Vladimir Putin has described the internet as a “CIA project.”

“This law creates a framework whereby ISPs will be required to funnel all internet traffic in and out of the country through well-known choke points (Internet Exchanges). This would make it easier for the authorities to expand internet censorship, and isolate the nation from the global internet [during] times of conflict,” explained Ameet Naik, technical marketing director at ThousandEyes.

“However, this would also force internet traffic through sub-optimal paths, and through performance-limiting filtering gateways. This would most likely degrade the user experience for Russian users browsing sites and apps outside the country, and provide an advantage to services hosted within the country, as we’ve seen happen in China.”

Russia and China have for years been seeking to impose their alternative view of internet governance at the UN and other forums. However, critics describe ‘internet sovereignty’ as little more than a byword for censorship and oppression of online freedoms.

Source: Information Security Magazine

England and Wales Police Get Dedicated Cybercrime Units

Every England and Wales police force now has a dedicated cybercrime unit, thanks to a multimillion-pound government investment, it was revealed yesterday.

The announcement was made by the National Police Chiefs’ Council (NPCC) National Cybercrime Programme, which said that forces were able to access £7m in funds to fill the units with specialist officers and equipment.

Further investment by the Home Office and the National Cyber Security Programme is expected to continue into 2019/20 and 20/21.

The new units will be coordinated by the country’s Regional Organised Crime Units (ROCUs) to prevent duplication and offer support via National Cybercrime Units (NCCUs). The idea is that the new local units will form the last piece in the policing puzzle, completing a “Team Cyber UK” network of local, regional, national and international cybercrime law enforcement.

“In the past six years we have introduced a robust national and regional network of dedicated cybercrime units at national and regional level but we were still lacking a local response as part of the Team Cyber UK network,” explained chief constable Peter Goodman, the NPCC lead for cybercrime.

“Every police force now has a cybercrime unit, which will investigate and pursue offenders, help businesses and victims protect themselves from attack and work with partners to prevent vulnerable individuals from being drawn into committing cybercrime. These units will improve our response to cybercrime working closely with national and regional units. This is a great start and lays down a solid foundation for each force to build on.”

Before the initiative, less than a third (31%) of forces apparently had a dedicated cybercrime unit.

However, there will still be concerns over skills gaps among officers, reflecting a wider trend across the cybersecurity industry.

Back in 2016, then-home secretary Theresa May announced plans to bring in volunteers to help regular officers on cybercrime cases. The following year a thinktank called for the creation of a digital academy to train specialist cyber-police officers. However, neither plan seems to have got beyond the ideas stage.

“Police forces around the UK have struggled when it comes to investigating the tidal wave of cyber offences reported to Action Fraud since it formed,” argued Eset cybersecurity specialist, Jake Moore.

“An injection of money couldn’t come at a better time, as cyber offences become harder to detect and deter. I imagine much of this money will be put into offering prevention advice around the country to people most at risk, as to small and medium businesses with livelihoods on the line, prevention is better than cure.”

Source: Information Security Magazine

#ISCWest2019: The Future of Stadium Security

Kicking off the second day of the ISC West 2019 conference in Las Vegas, keynote speaker Russ Butler, VP of security for the San Francisco 49ers and Levi’s Stadium, talked about the evolution of the ever-changing stadium security landscape in his talk, “Stadium Security: As It Was, Where It Is and Where It Is Going.”

Butler has been planning and executing notable events with the NFL for six years, including Super Bowl 50, but his career began with London's Metropolitan Police in the 1980s.

To give context to his role, Butler took a stroll down memory lane, citing three significant events at stadiums in Europe where accidents resulted in dozens of fatalities. During that same time, though, stadiums in the US remained a much more settled environment, Butler said.

“Clearly the NFL is the most valuable sports league in the US, but it is also a microcosm of American culture, which makes it vulnerable to the attention of nefarious actors,” he said.

Stadium security changed in the aftermath of September 11, 2001, which Butler called the defining moment when everything changed. “The NFL was very quick to respond, to implement innovations and begin to consolidate and drive security change,” Butler said.

The federal government also reacted, Butler said, defining what qualifies as anti-terrorism technology in the Best Practices Stadium Security (BPSS) guidance and under the Department of Homeland Security’s SAFETY Act of 2002.

Levi’s Stadium received a SAFETY Act designation in June 2016, backdated to 2014. “It’s a very broad program but an indication of where security is going,” Butler said. “We will continue to innovate and collaborate with government and seek various security solutions to provide an environment in which the highest levels of safety can be delivered.”

Stadiums alone cannot ensure that level of safety, however, particularly when it comes to drones, because legislation limits what operators may do. “The legislative situation we have makes it incredibly challenging from a mitigation standpoint to do anything other than track and monitor,” Butler said. “It’s unfortunate that right now the legislative issues that exist mean that we simply don’t have active mitigation measures.”

Without the ability to differentiate between friend or foe, stadiums can do little to strengthen defenses against malicious actors in the sky. While most drones are hobby fliers, the ability to respond to drone threats is something the industry needs to address.

Source: Information Security Magazine

#ISCWest2019: Challenges of AI in Physical Security

As more enterprise technologies and security solutions tout the use of artificial intelligence (AI) and machine learning, panelists at the 2019 ISC West conference in Las Vegas asked where the physical security industry is in its overall acceptance, trust in and implementation of AI solutions.

Industry experts discussed what the near-term future of AI looks like in the security industry while recognizing almost unanimously that the promises of AI have not yet been met. All agreed, though, that AI will be very useful in physical security in the future.

The four-person panel, led by Scott Dunn, senior director of business development, solutions and services at Axis Communications AB, addressed some misconceptions about AI and its application in video analytics.

“The way the algorithms and technology is deployed and leverages GPUs and accelerator technology is dramatically different than what it was,” said Ken Mills, general manager of IoT, surveillance and security at Dell EMC.

Included in the discussion were the results from an SIA MegaTrends survey, which asked approximately 1,000 security professionals about the ways in which they could benefit from using AI. More than half (51%) of respondents said that it would enhance the features, functions and performance of their products, while 36% believed AI would optimize internal business operations or free workers to be more creative by automating routine tasks. In addition, 35% of respondents felt the use of AI would help them make better decisions.

As for the panelists, Jeff Hanagriff, public safety liaison/technology coordinator for the City of Houston, said that in its infancy AI could not keep up with the demands of public safety. “I’m dealing with decision-makers that used to send a firefighter to respond, but now they want to see in the command center, they want to see the camera to see what is going on, so it is helping them to make better decisions.”

AI has also benefited the New York Police Department (NYPD), according to Michael Joy, senior offering manager, IDEMIA National Security Solutions. There are lots of things that generate alerts, and AI helps to compile all of the data collected from the 18,000 cameras across the city. “No one can look at that; it’s not feasible to even try.”

Though when it comes to relying solely on AI to make decisions, Joy said, “we are not there yet.”

Source: Information Security Magazine

#ISCWest2019: Biometrics Are Going Mainstream

As the physical security industry confronts the challenges of convergence, the use of biometrics will help to secure workstations, virtual desktops, turnstiles, front doors, mobile devices and more, according to a panel of industry experts at the 2019 ISC West conference in Las Vegas.

“They all need to be secured while keeping convenience and efficiency front and center,” said Peter O’Neill, president of FindBiometrics and Mobile ID World, divisions of Topickz Inc.

“To solve the united physical and information security puzzle – and it is a puzzle – we need strong, irrefutable identity technology. Key cards and tokens, passwords and USBs, they don’t cut it anymore. Not only do they present security vulnerabilities and administrative strain, keys are lost, stolen and shared."

It’s well known that compromised passwords have led to some of the largest data breaches on record, and with the prevalence of account takeover attacks (ATOs), weak and reused passwords continue to pose threats to physical and enterprise security.

“Face, finger, voice, iris, behavioral and other types of biometrics are versatile identity technologies that enhance security and privacy,” O’Neill said.

According to the panelists, passwords are increasingly ineffective, which has paved a path for biometrics to be used in enterprises and governments. According to panelist Robert Mungovan, vice president and general manager at Aware, Inc., “Biometrics is going mainstream, and it is going that way through mobile phones. The convergence of physical security and data security is going to happen through mobile phones.”

One question that often comes up when talking about biometrics, according to Rob Douglas, founder and CEO of BioConnect, is which biometric will win. “What we realized is that there is never going to be an answer to that question, but rather, how do you create a world where you can consume all of them? Where you can consume any type of biometric on any type of device, and plug it into a platform that your enterprise can consume.”

Source: Information Security Magazine

WikiLeaks Editor Julian Assange Arrested & Removed from Ecuadorian Embassy

Julian Assange, editor of whistleblowing website WikiLeaks, has been arrested by the Metropolitan Police for failing to surrender to a court.

According to a statement by the Metropolitan Police, Assange was arrested at the Embassy of Ecuador in Knightsbridge where he has been resident since June 19 2012. The warrant was issued on June 29 2012.

A statement from the Home Office confirmed that Assange was “arrested in relation to a provisional extradition request from the United States of America” where he is accused of computer-related offences.

He will remain in custody at a central London police station before being presented before Westminster Magistrates' Court as soon as it is possible. 

The Met Police said that it had a duty to execute the warrant, on behalf of Westminster Magistrates' Court, and was invited into the embassy by the Ambassador, following the Ecuadorian government's withdrawal of asylum.

Before 2012, WikiLeaks released diplomatic cables containing classified and confidential documents and conversations. It had also released footage from a 2007 Baghdad airstrike in which Iraqi journalists were killed, and later, in 2016, it released emails and other documents from the Democratic National Committee and from Hillary Clinton's campaign manager.

In 2017, it began releasing the “Vault7 and Vault 8” CIA tools and later released source code for the tools.

The indictment, issued in the US District Court for the Eastern District of Virginia in Alexandria, alleged that Assange knew that Chelsea Manning “was providing WikiLeaks with classified records containing national defense information of the United States” and was “knowingly receiving such classified records from Manning for the purpose of publicly disclosing them on the Wikileaks website.” Manning, whose remaining sentence was commuted by President Obama in 2017, used a US DoD computer to download the cables that were later released.

The indictment alleges that in March 2010, Assange engaged with Manning to assist in cracking a password stored on US Department of Defense computers connected to the Secret Internet Protocol Network (SIPRNet), a US government network used for classified documents and communications. Manning, who had access to the computers in connection with her duties as an intelligence analyst, was using the computers to download classified records to transmit to WikiLeaks.

Cracking the password would have allowed Manning to log on to the computers under a username that did not belong to her.

The charges read that Assange “knowingly access[ed] a computer without authorization and exceeding authorized access, to obtain information that has been determined by the United States Government pursuant to an Executive Order and statute to require protection against unauthorized disclosure for reasons of national defense classified up to the ‘secret’ level, with reason to believe that such information so obtained could be used to the injury of the United States and the advantage of any foreign nation.” 

The “purpose and object of the conspiracy” was to “facilitate Manning’s acquisition and transmission of classified information related to the national defense of the United States so that WikiLeaks could publicly disseminate the information on its website.”

Speaking on Twitter, WikiLeaks claimed that Ecuador has illegally “terminated Assange's political asylum in violation of international law” and that Assange was arrested inside the Ecuadorian embassy.

“Julian Assange did not 'walk out of the embassy'. The Ecuadorian ambassador invited British police into the embassy and he was immediately arrested.”

According to BBC News, Ecuador's president Lenin Moreno said it withdrew Mr Assange's asylum after his repeated violations to international conventions.

Home Secretary Sajid Javid, said: “Nearly seven years after entering the Ecuadorean Embassy, I can confirm Julian Assange is now in police custody and rightly facing justice in the UK. I would like to thank Ecuador for its cooperation and the Metropolitan Police for its professionalism. No one is above the law.”

Source: Information Security Magazine

Triton Group Found Inside Second CNI Facility

A sophisticated Russian hacking group linked to an attempt to blow up a Saudi oil plant has been discovered inside a second critical infrastructure (CNI) facility, security researchers have warned.

The Triton group has been active since 2014, and uses dozens of custom and commodity tools to gain access to and maintain persistence inside IT and OT networks of CNI firms, according to FireEye.

The security vendor didn’t elaborate on the location or even type of CNI firm targeted in this second attack, although it emphasized that campaigns can require months or even years of careful planning, to install malware like Triton, hide it and maintain persistence until the time is right to strike.

“This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security,” FireEye explained.

“After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”

Techniques the group used to stay hidden included: renaming files to look legitimate; using regular admin tools like RDP and PsExec/WinRM; using encrypted “SSH-based tunnels” to transfer tools and for remote execution; and routine deletion of attack tools, execution logs, files staged for exfiltration, and so on.
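Living-off-the-land lateral movement of this sort is hard to catch by file signature, since the tools are the administrator's own, but the pattern it leaves in Windows event logs is not subtle: one account logging on over the network to many hosts in a short window, a PsExec service appearing on a workstation, and the Security log being cleared afterwards. The following is an added example, not FireEye's detection content and not code from the report: a small hunt over constructed JSON event records that encodes those three patterns. The event IDs are the standard Windows ones (4624 logon, with type 3 for network and type 10 for RDP; 7045 service installed, in the System log; 1102 audit log cleared); the log line format, hostnames, account names and the fan-out threshold are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records, one JSON object per line. Not real telemetry:
# hostnames, accounts, IPs and timestamps are invented for the example.
SAMPLE_LOG = r"""
{"ts":"2019-03-02T02:00:10Z","host":"FILESRV-01","event_id":4624,"logon_type":3,"user":"CORP\\svc-backup","src_ip":"10.20.0.5"}
{"ts":"2019-03-02T02:03:30Z","host":"ENG-WS-07","event_id":4624,"logon_type":3,"user":"CORP\\svc-backup","src_ip":"10.20.0.5"}
{"ts":"2019-03-02T02:04:00Z","host":"ENG-WS-07","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\svc-backup"}
{"ts":"2019-03-02T02:07:15Z","host":"SIS-ENG-01","event_id":4624,"logon_type":10,"user":"CORP\\svc-backup","src_ip":"10.20.0.5"}
{"ts":"2019-03-02T02:09:00Z","host":"ENG-WS-07","event_id":1102,"user":"CORP\\svc-backup"}
{"ts":"2019-03-02T09:00:00Z","host":"HR-WS-02","event_id":4624,"logon_type":2,"user":"CORP\\jsmith","src_ip":"-"}
{"ts":"2019-03-02T09:01:00Z","host":"HR-WS-02","event_id":7045,"service_name":"Sysmon64","image_path":"C:\\Windows\\Sysmon64.exe","user":"SYSTEM"}
{"ts":"2019-03-02T09:05:00Z","host":"HR-WS-02","event_id":4624,"logon_type":3,"user":"CORP\\jsmith","src_ip":"10.20.0.44"}
"""

# Logon types that mean "came in over the network": 3 = network (SMB, WinRM,
# PsExec), 10 = RemoteInteractive (RDP). Interactive console logons (2) are ignored.
REMOTE_LOGON_TYPES = (3, 10)


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def hunt(events, fanout=3, window=timedelta(minutes=10)):
    """Return findings for three patterns from the article: PsExec-style
    service installs, cleared audit logs, and one account fanning out over
    the network to `fanout` or more hosts inside `window`."""
    findings = []
    for e in events:
        # PsExec registers a service named PSEXESVC by default even when the
        # binary on disk has been renamed, so key on the service name, not the path.
        if e["event_id"] == 7045 and e.get("service_name", "").upper() == "PSEXESVC":
            findings.append({"rule": "psexec_service_install",
                             "subject": e["host"], "detail": e.get("image_path")})
        elif e["event_id"] == 1102:
            findings.append({"rule": "security_log_cleared",
                             "subject": e["host"], "detail": e.get("user")})

    # Lateral-movement fan-out: group remote logons per account, then slide a
    # time window over them and count distinct destination hosts.
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") in REMOTE_LOGON_TYPES:
            by_user[e["user"]].append((_ts(e), e["host"]))
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= fanout:
                findings.append({"rule": "lateral_fanout",
                                 "subject": user, "detail": sorted(hosts)})
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f"{f['rule']}: {f['subject']} -> {f['detail']}")
```

Run against the sample, the hunt reports the service install on ENG-WS-07, the cleared log on the same host, and the svc-backup account reaching three hosts (including the SIS engineering workstation) within seven minutes; the daytime activity of jsmith and the Sysmon service install are not reported. The thresholds are deliberately conservative and would be tuned per environment; the point is that each of the article's listed behaviours has a corresponding log artefact worth hunting for, and that an actor who deletes tools and logs still cannot easily remove the 1102 event that records the deletion.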

The aim was to deliver the Triton malware on the SIS workstation, although it’s not clear if the ultimate goal was destruction or sabotage, as per the last major reported incident involving the group.

FireEye urged ICS managers to use the detection rules and other information in its report to hunt for presence of the group inside their facilities.

It’s claimed that the only thing preventing a major explosion at the Saudi petrochemical plant was a bug in the attackers’ code.

Source: Information Security Magazine