Category Archives: Cybersecurity

A Bug in Chrome Gives Bad Actors License to Play ‘20 Questions’ with Your Private Data

In a 2013 interview with The Telegraph, Eric Schmidt, then CEO of Google was quoted as saying: “You have to fight for your privacy or lose it.”

Five years later, with the ‘Cambridge Analytica’ data breach scandal fresh in our memory, Eric Schmidt’s statement rings as a self-evident truth. Similarly clear today is the nature of the “fight”: a grapple for transparency and corporate accountability that can only be won through individual vigilance.

With this in mind, in this post, we’ll share with you details of a new browser bug we uncovered, which has the potential to affect the majority of web users. With it, bad actors could play a ‘guessing game’ to uncover private data stored on Facebook, Google, and likely many other web platforms.

The bug in question affects all browsers running the Blink engine — used to power Google Chrome –, exposing users who aren’t running the latest version of Chrome. Currently, over 58 percent of the entire internet population uses Google Chrome.

Once the vulnerability was identified, Google patched it in the latest release of Chrome 68; and we strongly recommend that all Chrome users make sure that they’re running the latest version.

Mining Private Data

The bug in question makes use of the Audio/Video HTML tags to generate requests to a target resource.

By monitoring the progress events generated by these requests, it grants visibility into the requested resource’s actual size. As we found out, this information can then be used to “ask” a series of yes and no questions about the browser user, by abusing filtering functions available on social media platforms like Facebook.

For example, a bad actor can create sizeable Facebook posts for each possible age, using the Audience Restriction option, making Facebook reflect the user age through the response size.

The same method can be used to extract the user gender, likes, and many other user properties we were able to reflect through crafted posts or Facebook’s Graph Search endpoints.

Large response size would indicate that the restriction didn’t apply, while small ones would indicate that the content was restricted. Meaning, for instance, that the user is from a disallowed age or gender. With several scripts running at once — each testing a different and unique restriction –, the bad actor can relatively quickly mine a good amount of private data about the user.

In a more serious scenario, the attack script would be running on a site that requires some kind of email registration — an e-commerce or a SaaS site, for instance –. In this case, the above-mentioned practices would allow the bad actor to correlate the private data with the login email address for even more extensive and intrusive profiling.

Attack Flow

When a user visits the bad-actor site, the site injects multiple hidden video or audio tags that request a number Facebook posts the attacker previously published and restricted using different techniques. The attacker can then analyze each request to indicate, for example, the user’s exact age, as it’s saved on Facebook, regardless of their privacy settings.

Discovering the Bug

A few months ago I was researching the Cross-Origin Resource Sharing (CORS) mechanism by checking cross-origin communications of different HTML tags. During my research, I noticed an interesting behavior in the video and audio tags. It seems that setting the ‘preload’ attribute to ‘metadata’ changed the number of times the ‘onprogress’ event was being called in a way that seemed to be related to the requested resource size.

To check my hypothesis, I created a simple NodeJS HTTP server that generates a response in the size of a given parameter. I then used this server endpoint as the resource for the JavaScript shown above.

The script creates a hidden audio element that:

  • Requests a given resource
  • Track the number of times the `onprogress` event was triggered
  • Returns the value of the counter once the audio parsing fails

I started experimenting, requesting different response sizes while looking for a correlation between the size and the number of times the `onprogress` event was triggered by the browser.

As you can see in the graph below, when response size is zero only one `onprogress` event is called, for a response of around 100KB the event is called twice, and the number of events continues to increase, allowing me to estimate the size of most web pages.

From this, we see that the number of `onprogress` events correlates with the size of the response, hence we can indicate whether the restriction criteria was met.

Conclusion

Once we confirmed the vulnerability we reported it to Google with a proof of concept, and the Chrome team responded by patching the vulnerability in Chrome’s 68 release.

We’re delighted to have contributed to protecting the privacy of the entire user community, as we continuously do for our community.

Chaos and confusion reign with existing firewall infrastructure

Many organizations are still struggling to master basic firewall hygiene, promising increased complexity and risk associated with network security policy management for those planning to adopt hybrid cloud models and next-gen architectures, according to Firemon’s 2018 State of the Firewall report. The majority of respondents believe the firewall is still an important part of their overall security architecture, with 94% saying firewalls are as critical as always or more critical than ever. The same percentage … More

The post Chaos and confusion reign with existing firewall infrastructure appeared first on Help Net Security.

DDoS attackers increasingly strike outside of normal business hours

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors. While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks … More

The post DDoS attackers increasingly strike outside of normal business hours appeared first on Help Net Security.

Global Perspectives on Cyber Resilience From Marsh & McLennan’s 2018 Cyber Handbook

The demands of cybersecurity and cyber resilience are expanding at a clipping pace as attackers adapt to new defenses. To help navigate the shifting terrain, Marsh & McLennan released its “MMC Cyber Handbook 2018: Perspectives on the Next Wave of Cyber,” which presents a global perspective on cyberthreats.

According to the report, we have reached an inflection point regarding our global ability to address cybersecurity risks for three main reasons:

  1. Cyberattacks, malware and business disruptions are growing more and more sophisticated, which made 2017 a banner year for security incidents.

  2. We are increasingly dependent on technology and connected devices, which has raised the profile of cybersecurity and resilience in most organizations — not to mention security budgets.

  3. Governments, regulators, law enforcement and auditors are just beginning to effectively coordinate cyber risk strategies and share intelligence about the evolving and increasingly interconnected nature of the threat landscape.

Key Takeaways From the Report

The “MMC Cyber Handbook” is not your typical security report. It juxtaposes security statistics with short articles on topics such as the General Data Protection Regulation (GDPR), the many high-profile ransomware (such as WannaCry and NotPetya) and distributed denial-of-service (DDoS) attacks (such as the Mirai botnet) that befell organizations in 2017, and the need for improved cybersecurity across regions, sectors and even departments.

A few statistics stand out for their relevance to everyday internet users:

  • The average number of identities exposed per breach reached 927,000 in 2016, compared to 466,000 in 2015 and 805,000 in 2014. 2016 was also the first year to see 15 breaches with more than 10 million identities exposed — up from 13 in 2015 and 11 in 2014.

  • The number of ransomware families hit 101 in 2016, more than three times the number of families observed in each of 2014 and 2015. In 2016, the average ransomware amount was over $1,000, about three times as much as the previous year.

  • In 2016, the average number of cloud apps used per organization reached a staggering 928 apps, up from 841 the year before.

  • The energy, healthcare and retail sectors saw the highest numbers of cyberattacks in the past year, with reported attacks from 26, 25 and 25 percent of companies, respectively. Manufacturing came in fourth with 22 percent. Organizations in the power and utilities sector also found themselves in attackers’ sights, with 14 percent reporting cyberattacks.

  • In terms of managing, responding to and recovering from a cyber incident, only 19 percent of respondents said they were highly confident, 62 percent said they felt fairly confident and 14 percent said they were not at all confident. Meanwhile, 6 percent reported that they didn’t know.

Why Experts Are Forecasting a Cyber Hurricane

In case anyone still doubted the increasingly systemic nature of cyber risks, the report noted that conditions have evolved beyond data breach fatigue into what U.S. military officials dubbed “a potential ‘Cyber Pearl Harbor'” and one report author described as “early versions of cyber hurricanes.” This digital perfect storm is due to our increased dependence on technology, combined with the high number of vulnerabilities and continuing growth and specialization of the cybercrime market.

As the high-profile incidents of 2017 and 2018 have shown, a cyber incident can quickly spread beyond its initial vector of entry and wreak havoc with both IT and operational technology, seriously impacting an organization’s business activity. The report noted that this is especially concerning for manufacturing and logistics organizations, which are particularly susceptible to cyber risks due to the nature of their businesses — with little slack, lots of outsourced parts and dependence on just-in-time inventories.

How the Financial Sector Is Leading by Example

While the financial sector is often a leader in terms of improving cybersecurity, the report noted that the margin for error is getting smaller due to recent regulatory changes, including those from the New York Department of Financial Services (NYDFS) and the Office of the Comptroller of the Currency (OCC), as well as the 2017 updates to both the Federal Financial Institutions Examination Council (FFIEC)’s “Information Security Handbook” and its Cybersecurity Assessment Tool.

In its spring 2018 “Semiannual Risk Perspective” report, the OCC urged the banking sector to be aware of the evolving nature of cyberthreats and warned of bad actors that seek to exploit personnel, processes and technology.

“Failure to maintain proper cybersecurity controls can lead to material negative effects on banks, consumers, and national and economic security,” the report noted. The authors went on to advise banks to “have a well-established and tested response plan in case a cyber incident occurs.”

The OCC clearly stated its intention to pay close attention to cybersecurity and resilience in its “Fiscal Year 2018 Bank Supervision Operating Plan,” noting that examiners would “review banks’ programs to determine to what extent they assess the evolving cyber threat environment and banks’ cyber resilience.” Coupled with GDPR and similar regulatory guidelines, the Cyber Handbook’s advice regarding broader coordination will come in handy to help security professionals consolidate data protection policies across sectors.

How Can Companies Across All Sectors Improve Cyber Resilience?

In the handbook’s mini-article, “Limiting Cyberattacks With a System Wide Safe Mode,” author Claus Herbolzheimer advised organizations to consider moving toward decentralized cybersecurity architectures that can automatically disconnect from an infected system or network to prevent further attacks or disruptions. The goal of such a mechanism is to reduce harm without completely shutting down and maintain a minimum level of healthy activity that can be sustained without further damage or compromise.

All in all, the “MMC Cyber Handbook” covers a lot of new ground, especially in terms of its global perspective on the evolving threat landscape. The bottom line is that as attackers grow increasingly sophisticated and their tactics more advanced, defenders will need to innovate and share intelligence on a global scale and across industries to keep their systems, data and personnel safe.

Never miss a new episode of the SecurityIntelligence podcast! Subscribe now on Soundcloud

The post Global Perspectives on Cyber Resilience From Marsh & McLennan’s 2018 Cyber Handbook appeared first on Security Intelligence.

Watch: An Account Takeover Attack Using Credential Stuffing, and How to Protect Against It [Video]

As cryptocurrencies continue to grow in diversity, so too do the threats they face, specifically those targeting the cryptocurrency exchange. Now, more than ever, cryptocurrency exchanges are facing security threats in the form of volumetric and application layer DDoS and account takeover (ATO) attacks.

Although the success of cryptocurrency exchanges makes them especially attractive to cybercriminals, attacks of late are taking exchanges by surprise, and they are often not scaled or have not built a secure enough environment to fend off threats.

First things first, what is credential stuffing?

Glad you asked; credential stuffing or credential abuse is the deliberate theft and use of stolen usernames and passwords to access sensitive or high-value data for personal gain, espionage, or other malicious intent. When we say theft, these credentials could also have been ‘bought’ following a data breach, because, you know… cybercrime.

Anyway, in the following two – short – clips, Imperva Security Engineer Jonathan Gruber and Enterprise Security Expert Tal Stern demonstrate a successful account takeover attack using the Hydra credential stuffing tool:

And show us how Imperva users can create tailored Incaprules that specifically block future credential stuffing attacks:

If you’d like to see Jonathan and Tal’s full demo, check it out on BrightTALK here.

Hundreds of Instagram users report similarly hacked accounts

A number of people have reported having their Instagram accounts hacked this month, Mashable reports, and many of these hacks appear to have taken the same approach. Users suddenly find themselves logged out of their accounts and when they try to log back in, they discover that their handle, profile image, contact info and bios have all been changed. Often the profile image has been changed to a Disney or Pixar character and the email address connected to the account is changed to one with a .ru Russian domain, according to Mashable. Some even had their two-factor authentication turned off by hackers.

Via: CNET

Source: Mashable

How Microsoft 365 Security integrates with your broader IT ecosystem—part 3

Todays post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

Customer satisfaction is one of the most important goals for Microsoft 365 Security. In part 1 of this series, we discussed Microsofts overall security strategy for connecting with the broader security community, and in part 2, we looked at how Microsoft services help secure non-Microsoft services of an organizations IT environment.

In the final part of this blog series, we highlight how Microsoft 365 Security solutions work together to help customers secure their IT environments. The benefits of Microsoft 365 Security services are universal, as demonstrated by the fact that our customers are large and small, and focused on different industry verticals across the globe.

Helping enable a mobile workforce at a healthcare network

Sutter Health is a not-for-profit network of healthcare professionals and hospitals serving Northern California. CTO Wes Wrights main goal is to provide IT and software solutions that allow employees to maximize their time spent on patient and family care. Sutter Healths network employs nearly 52,000 people, supporting 24 acute care hospitals and care centers, serving more than 100 communities. Sutter has an ecosystem of 65,000 mobile devices and modernizing IT was not trivial for them. They deployed Microsoft Intune to help manage and support an internal app store called the Sutter Intune Store. Intune also helps ensure Sutters clinical and business partners can access and use Sutter Health authorized apps from anywhere, at any time. Their Intune-powered solution is designed to:

  • Manage and secure any mobile device used by the workforce to access company data.
  • Manage and secure the mobile apps used by their workforce.
  • Protect company information even after it is accessed.
  • Ensure devices and apps are compliant with company security policies.

With services like Intune (Figure 1), simplifying security management and reducing IT complexity, Sutter Health can support the latest devices, embrace modern apps, leverage a distributed workforce, and deliver the highest quality patient care.

Figure 1. The Intune architecture diagram.

Enhancing productivity through security at a power company

Wrtsil is a Finnish company manufacturing and servicing power sources and other equipment for the marine and energy markets. Joachim Kjellman, solutions manager at Wrtsil was looking for a solution with conditional access and multifactor authentication (MFA) capabilities. He selected Azure Active Directory (Azure AD), which enables single sign-on capability for all company resources anywhere with internet access, removing the need of unreliable VPN connections. Additionally, with Conditional Access, Wrtsil can provide remote access to apps that can be secured with MFA and managed when originating from unmanaged devices.Azure AD (Figure 2) is designed to help organizations:

  • Provide seamless access.
  • Facilitate collaboration.
  • Unlock IT efficiencies.
  • Enhance security and compliance.

Figure 2. Azure AD overview.

Azure AD also supports seamless collaboration (even on large-scale, complex projects) between Wrtsil and its contractors and partners. Azure AD B2B collaboration features ensure that access to shared resources is heavily protected. Azure AD has helped Wrtsil IT staffers save time and money, enabling Wrtsil to remain focused on serving their global customer base.

Securing an entire IT environment at a transportation firm

Throughout this series, we have discussed how Microsoft 365 Security services integrate well with the myriad IT solutions our customers utilize. However, some of our customers chose Microsoft 365 Security services to help secure their entire environment. HS1 Limited operates and maintains infrastructure for the high-speed railway connecting St. Pancras International Station in London and the Channel Tunnel, joining international high-speed routes between London, Paris, and Brussels, along with several domestic routes. The 50-person firm works with hundreds of counterparts and vendors, so security and collaboration are high priorities. Shawn Marcellin, IT and facilities manager at HS1 Limited needed a highly secure, collaborative solution without investing in a full datacenter and turned to Microsoft 365 E5. Marcellin adopted Microsoft 365 E5 for its advanced security features, including Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence. Identity management through Microsoft Azure Active Directory Premium P2 was another advantage of his choosing Microsoft 365 E5protecting data with Microsoft Cloud App Security and Office 365 Advanced Threat Protection. Marcellin is confident that the move to a total cloud-based, secure solution will continue to benefit HS1 Limited.

Figure 3. The entire Microsoft 365 Security reference architecture.

To learn more about how Microsoft security solutions fit together, read Cybersecurity Reference Architecture: Security for a Hybrid Enterprise.

Digging deeper

These are only a few examples of organizations using Microsoft 365 Security services to secure their extended or entire IT ecosystem. We encourage you to visit the Microsoft Secure site and learn more about the full scope of Microsoft 365 Security capabilities. Also, check out more customer stories to learn how organizations leverage Microsoft 365 Security.

To get started envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance Form.

Thanks for reading this series. We hope you will try the services discussed in this blog to start benefitting from their capabilities, which include:

Microsoft Secure: How Microsoft 365 Security integrates with your broader IT ecosystem—part 3

Todays post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

Customer satisfaction is one of the most important goals for Microsoft 365 Security. In part 1 of this series, we discussed Microsofts overall security strategy for connecting with the broader security community, and in part 2, we looked at how Microsoft services help secure non-Microsoft services of an organizations IT environment.

In the final part of this blog series, we highlight how Microsoft 365 Security solutions work together to help customers secure their IT environments. The benefits of Microsoft 365 Security services are universal, as demonstrated by the fact that our customers are large and small, and focused on different industry verticals across the globe.

Helping enable a mobile workforce at a healthcare network

Sutter Health is a not-for-profit network of healthcare professionals and hospitals serving Northern California. CTO Wes Wrights main goal is to provide IT and software solutions that allow employees to maximize their time spent on patient and family care. Sutter Healths network employs nearly 52,000 people, supporting 24 acute care hospitals and care centers, serving more than 100 communities. Sutter has an ecosystem of 65,000 mobile devices and modernizing IT was not trivial for them. They deployed Microsoft Intune to help manage and support an internal app store called the Sutter Intune Store. Intune also helps ensure Sutters clinical and business partners can access and use Sutter Health authorized apps from anywhere, at any time. Their Intune-powered solution is designed to:

  • Manage and secure any mobile device used by the workforce to access company data.
  • Manage and secure the mobile apps used by their workforce.
  • Protect company information even after it is accessed.
  • Ensure devices and apps are compliant with company security policies.

With services like Intune (Figure 1), simplifying security management and reducing IT complexity, Sutter Health can support the latest devices, embrace modern apps, leverage a distributed workforce, and deliver the highest quality patient care.

Figure 1. The Intune architecture diagram.

Enhancing productivity through security at a power company

Wrtsil is a Finnish company manufacturing and servicing power sources and other equipment for the marine and energy markets. Joachim Kjellman, solutions manager at Wrtsil was looking for a solution with conditional access and multifactor authentication (MFA) capabilities. He selected Azure Active Directory (Azure AD), which enables single sign-on capability for all company resources anywhere with internet access, removing the need of unreliable VPN connections. Additionally, with Conditional Access, Wrtsil can provide remote access to apps that can be secured with MFA and managed when originating from unmanaged devices.Azure AD (Figure 2) is designed to help organizations:

  • Provide seamless access.
  • Facilitate collaboration.
  • Unlock IT efficiencies.
  • Enhance security and compliance.

Figure 2. Azure AD overview.

Azure AD also supports seamless collaboration (even on large-scale, complex projects) between Wrtsil and its contractors and partners. Azure AD B2B collaboration features ensure that access to shared resources is heavily protected. Azure AD has helped Wrtsil IT staffers save time and money, enabling Wrtsil to remain focused on serving their global customer base.

Securing an entire IT environment at a transportation firm

Throughout this series, we have discussed how Microsoft 365 Security services integrate well with the myriad IT solutions our customers utilize. However, some of our customers chose Microsoft 365 Security services to help secure their entire environment. HS1 Limited operates and maintains infrastructure for the high-speed railway connecting St. Pancras International Station in London and the Channel Tunnel, joining international high-speed routes between London, Paris, and Brussels, along with several domestic routes. The 50-person firm works with hundreds of counterparts and vendors, so security and collaboration are high priorities. Shawn Marcellin, IT and facilities manager at HS1 Limited needed a highly secure, collaborative solution without investing in a full datacenter and turned to Microsoft 365 E5. Marcellin adopted Microsoft 365 E5 for its advanced security features, including Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence. Identity management through Microsoft Azure Active Directory Premium P2 was another advantage of his choosing Microsoft 365 E5protecting data with Microsoft Cloud App Security and Office 365 Advanced Threat Protection. Marcellin is confident that the move to a total cloud-based, secure solution will continue to benefit HS1 Limited.

Figure 3. The entire Microsoft 365 Security reference architecture.

To learn more about how Microsoft security solutions fit together, read Cybersecurity Reference Architecture: Security for a Hybrid Enterprise.

Digging deeper

These are only a few examples of organizations using Microsoft 365 Security services to secure their extended or entire IT ecosystem. We encourage you to visit the Microsoft Secure site and learn more about the full scope of Microsoft 365 Security capabilities. Also, check out more customer stories to learn how organizations leverage Microsoft 365 Security.

To get started envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance Form.

Thanks for reading this series. We hope you will try the services discussed in this blog to start benefitting from their capabilities, which include:



Microsoft Secure

Connecting the dots to North Korea as a threat adversary

Reports of malware campaigns invariably focus on two critical conclusions: attribution and who was the intended target of the attack. It is challenging to draw swift conclusions on the former, due to the use of false flags designed to divert attention from the true source of the attack. Those swift conclusions are modified as more information becomes available, and it is much later before we achieve transparency on the campaign. Whilst this is a challenge … More

The post Connecting the dots to North Korea as a threat adversary appeared first on Help Net Security.

Three A’s of SaaS adoption, and why every company goes through them

I’ve noticed that as more and more companies turn to SaaS applications to power their business, they all experience the same journey along the way, more or less. Everyone goes through what I call “the 3 A’s of SaaS adoption”: aggravation, acceptance, and adoption. Companies go through distinct stages of SaaS adoption. As your SaaS environment matures, needs shift and challenges evolve. But if you know what to expect at each stage and what’s coming … More

The post Three A’s of SaaS adoption, and why every company goes through them appeared first on Help Net Security.

10,644 vulnerabilities disclosed in the first half of 2018

There have been 10,644 vulnerabilities disclosed through June 30th, according to Risk Based Security’s 2018 Mid Year VulnDB QuickView report. This is the highest number of disclosed vulnerabilities at the mid-year point on record. The 10,644 vulnerabilities cataloged during the first half of 2018 by Risk Based Security’s research team eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by well over 3,000. The newly released 2018 mid-year report from Risk Based … More

The post 10,644 vulnerabilities disclosed in the first half of 2018 appeared first on Help Net Security.

How a Fascination With Machinery Led Irina Nicolae to AI Research

Machine learning researcher Irina Nicolae is here to dispel a common misconception: You don’t have to be a math whiz to end up working in technology.

Growing up in Bucharest, Romania, Irina had relatively little interest in numerics. She was, however, captivated by machinery and how different parts fit together to perform a task. It was this fascination that eventually led her to programming.

Today, Irina is turning her longtime passion into action in her role as a research scientist at IBM Security. She is studying one of today’s most pressing cybersecurity problems: What can be done to keep artificial intelligence (AI) safe from attacks? (And she still gets excited to see the models at work.)

Turning Theoretical Concepts Into Practical Applications

Although Irina only graduated five years ago, she has found herself at the forefront of IBM’s efforts to battle adversarial AI threats. After studying computer science and engineering in her native Bucharest and at the National School of Computer Science and Applied Mathematics in France, she joined the IBM Research team in Dublin to dive headfirst into the most cutting-edge security technology.

Her personal interests range from adversarial AI to Mahalanobis distance and Rademacher complexity (which she researched for her Ph.D.). So, it’s not surprising to hear her say she would have stayed in academia had she not brought her research skills to the corporate world.

At IBM, Irina gets to see her research applied to real-world technology — and she loves that her work is guided by practical applications instead of theoretics.

“To me, it’s the relevance to the modern world,” she said of her role. “On the one hand, it’s a very interesting research problem because we don’t have the full answer. The problem itself has some very interesting properties that make it challenging and fun to analyze.

“On the other hand, to me, it has huge practical impact because, so far, we haven’t seen so many AIs out there — but we’re seeing more and more of them today. As soon as more decision processes are based on these AIs, of course, people are going to try to attack them for profit.”

Irina Nicolae turned her fascination with machinery into a career in AI research.

AI Research: The Importance of Vulnerabilities

For Irina, researching the vulnerabilities in AI and machine learning is crucial. To demonstrate why, she raised the example of neural networks.

“We’ve known about neural networks for the last 30 years, but they were forgotten for a while by the community because they weren’t performing well enough, and have only regained traction in recent years,” Irina explained. “Now, imagine if we couldn’t use AI and deep learning in applications because of security vulnerabilities — if people said this technology has amazing performance, but it’s unreliable because it can always be attacked. To me, there’s this risk of AI, deep learning and machine learning being forgotten again by the community because they are unreliable or, even worse, being used in spite of the risks.”

That’s why Irina is in Dublin, working within a team of five to probe vulnerabilities in AI and machine learning so that we can all use it safely. The same security concerns that affect any other computer-based system also apply to AI, Irina said.

To protect against these threats, security teams need insights specific to the medium at hand. While Irina said this is a “very active research field,” she also noted that researchers have thus far been more successful in attacking AI to exploit vulnerabilities rather than defend them effectively.

Building Defenses Against the Unknown

The next step is building defenses.

“The problem currently is none of the existing defense methods actually solve the problem. All of them are partial answers. Most will only work in certain conditions, against certain attacks, only if the attack is not too strong, only if the attacker doesn’t have full access to the system, etc.” Irina explained. “What we’re looking into is to solve the problem of what would be a good defense for AI against all types of attacks. We want to remove the vulnerabilities that we’re aware of and build a defense against the still-unknown ones.”

Naturally, Irina wants to see AI and machine learning succeed so they can become a bigger part of our daily lives and free security teams to focus on more pressing tasks and big-picture strategies. It plays to her long-time interest in machinery and how it’s all put together.

As she continues her research, Irina gets to indulge her love of complex problems and take satisfaction in the fact that was once a childhood fascination is today helping make the modern world a safer place to live.

Meet IBM X-Force incident command leader Mike Barcomb

The post How a Fascination With Machinery Led Irina Nicolae to AI Research appeared first on Security Intelligence.

Is Captcha dying? What will protect us in future?

You may not know what CAPTCHA is, but you’ve certainly used it many times before. That distorted text that needs to be retyped before you can submit a form on a website? That is CAPTCHA in action.

CAPTCHA is actually a very important tool for protecting websites against bots and automated hacking tools. Malicious apps are very good at completing forms automatically, but not so good at decoding the text hidden in images. And it was this principle that led to the creation of CAPTCHA tests in the first place.

Are you a human?

Bots have been a major problem for website owners for many years. To help separate real people from bots, technologists invented the Completely Automated Public Turing Test to tell Computers and Humans Apart – CAPTCHA. Humans can read the text hidden in the pictures, computers cannot.

Recently the CAPTCHA test has changed somewhat. Now you are presented with nine small pictures and you must click all that match a specific instruction; all the pictures that contain a storefront for instance. The basic principle remains the same though – bots cannot accurately analyse the picture, so they cannot fool the system.

Computers can pass the test

The problem is that computers are getting smarter. Artificial Intelligence and machine learning technologies means that bots can teach themselves how to analyse images and identify the letters hidden in them. They can even accurately identify elements in images, allowing them to circumvent newer CAPTCHA systems.

What next?

Unfortunately, this means that CAPTCHA no longer offers protection against bots. It also means that websites still using CAPTCHA are at risk of hacking.

Web technology specialists are looking at other ways of detecting whether you are human or not. One solution proposed by Amazon is the use of a test that humans will fail – like counting how many times the letter ‘e’ appears in a long sentence. Bots will not fail these tests – but people often will.

Google have developed another alternative they call ‘Invisible reCaptcha’. The system uses AI to detect how you interact with the webpage, tracking mouse movements and click times for instance. Because a bot does not make these “human” motions, the system can identify and block them – without you even knowing that it is there.

We need a working replacement

By keeping bots away from their websites, site operators ensure that their mailing lists are accurate, competitions are not cheated, goods and tickets are not sold to illegal touts and re-sellers, and that your data is not stolen. So a working CAPTCHA system is actually benefits you too.

If a suitable CAPTCHA replacement cannot be identified, it may be that website owners are forced to use an alternative system that verifies identities. Social logins – like Facebook and Google – are a useful option, but they can also be exploited by bots.

It may be that the fight against bots becomes a race between Artificial Intelligence systems; the good guy site operators battling hackers with ever smarter computer systems that can train themselves to spot a human. Ironically, we can expect to see less human input into the decision making process in future.

Download Panda Mobile Security

The post Is Captcha dying? What will protect us in future? appeared first on Panda Security Mediacenter.

Cybersecurity threats: How to discover, remediate, and mitigate

Image of four hands collaborating over a drawing of a lightbulb.

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Protect your data in files, apps, and devices.

Constantly evolving threats to your company data can cause even the most conscientious employee to unknowingly open infected files or click on malicious web links. Security breaches are inevitable. You need to discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches.

Many common types of threats target attack vectors such as email, network endpoints, and user credentials. In this blog, we explain how Microsoft 365 threat protection solutions interoperate threat detection across these attack vectors (Figure 1).

Figure 1. Threat detection interoperates across Microsoft 365.

Protect identities: Azure Active Directory (Azure AD) and Azure Advanced Threat Protection (Azure ATP)

Azure ATP provides end-to-end network security by protecting user identities and credentials in stored in Azure Active Directory. To prevent identity credential attacks, Azure AD conditional access detects risk events, such as users with leaked credentials, sign-ins from anonymous IP addresses, impossible travel to atypical locations, infected devices, and IP addresses with suspicious activity or unfamiliar locations.

Azure ATP detects suspicious activities across the network attack surface, such as:

  • Reconnaissance work, during which attackers gather information on how the environment is built, what the different assets are, and which entities exist.
  • Lateral movement cycles, during which attackers invest time and effort in spreading their attack deeper inside your network.
  • Domain dominance (persistence), during which attackers capture the information, allowing them to resume their campaign using various sets of entry points, credentials, and techniques.

These services that protect specific parts of the attack surface can also share signals to alert services protecting other surfaces of the enterprise.

Azure ATP detects these suspicious activities and surfaces the information, including a clear view of who, what, when, and how, in the Azure ATP workspace portal, which can be accessed by signing in to your Azure AD user account.

Protect email: Microsoft Office 365 Advanced Threat Protection (Office 365 ATP)

Threat protection for Office 365 begins with Microsoft Exchange Online Protection, which provides protection against all known malicious links and malware. Office 365 ATP builds on this protection by offering holistic and ongoing protection across your Office 365 environment, including email and business apps, by securing user mailboxes, business-critical files, and online storage against malware campaigns in real-time.

Office 365 ATP Safe Links helps protect your environment by offering time-of-click protection from malicious links. If a link is unsafe, the user is warned not to visit the site or informed that the site has been blocked. Office 365 ATP and Exchange Online Protection can be configured in the Office 365 admin center.

Protect endpoints: Windows Defender Advanced Threat Protection (Windows Defender ATP)

For endpoint attacks, Windows Defender ATP provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristic solutions. These endpoint sensors collect and process behavioral signals from the operating system, which are then translated into insights, detections, and recommended responses to advanced threats. Windows Defender ATP offers dedicated protection updates based on machine learning, human and automated big-data analyses, and in-depth threat resistance research to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.

Microsoft Device Guard is a feature of Windows 10 that provides increased security against malware and zero-day attacks by blocking anything other than trusted apps. Device Guard is managed in Microsoft System Center Configuration Manager (ConfigMgr).

Deployment tips from the experts

Now that you know more about how Microsoft 365 security solutions can protect your data, here are several proven tips to put it all into action.

Consider the key attack vectors. Devices, email, network, and identity credentials are the most common areas for cybersecurity attacks. To help secure these vectors:

Plan for success with FastTrack. This valuable service comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches coming soon!

More blog posts from this series:

Enhanced Infrastructure DDoS Protection Analytics: Targeted Visibility for Greater Accuracy

We’ve rolled out enhanced infrastructure protection analytics which shows top traffic patterns for traffic flowing through our Incapsula Infrastructure DDoS Protection service.

Imperva clients can now view network statistics categorized by source or destination IPs and ports, or by packet size for protected network ranges. This new addition to our data analytics helps our clients get in-depth visibility into their network usage during peacetime and when under a DDoS attack. Ultimately it will simplify forensics and help us provide a more accurate DDoS attack mitigation service. Check out the demo video to see how it works.

The Previous Dashboard

The prior infrastructure protection dashboard provided general attack traffic information, displaying rates of bits/packets in a time series chart as well as graphs showing passed/blocked traffic. The data on blocked traffic was based on pre-defined attack vectors.

From engaging with our clients, we learned that they wanted to be able to dive even deeper and to understand the mechanics of each and every attack.

Enhanced Metrics

The new infrastructure protection analytics take a big leap forward in terms of visibility, adding additional capabilities to our already stellar real-time dashboard and 15-second bucket historical view increments.

You can view statistics for your monitored IP ranges, examine emerging attacks in near real-time, or analyze historical attack data from the previous 90 days. This way you can look at behavior over time and better understand traffic patterns affecting the network – broken down by traffic type and showing peaks over a period of time. You can also get insight into bandwidth volume, packet rates, and PoP utilization.

Infrastructure protection clients can access the new infrastructure protection analytics through the infrastructure dashboard.

Example Use Case in Action

Until now, statistics were provided at the range level. When mitigation for the range took place, there wasn’t the depth of visibility to determine the exact resource that was under attack.

For a given range, we were able to display the size of the attack and the different attack vectors:

But other than the fact that we mitigated a lot of UDP traffic, it was impossible to dig deeper into the attack.

Now, with enhanced analytics, top Destination IPs can provide details of the servers that were targeted. We can clearly see that the attack was targeting specific servers rather than spread out on the full /24 range:

The top Source IPs show that the attack is distributed and that the top 10 source IPs make up a small portion of the full bandwidth (shown on the dotted line); hence, many more hosts were involved in the attack:

The top Destination Ports show that the attack was targeting a specific service (UDP Port 80):

And the top Source Ports reveal the true face of the attack – this is the infamous memcached attack, which earlier this year took down GitHub in the biggest DDoS attack to date:

We know that memcached has a very large amplification ratio, which means lots of very large packets, as can be seen in the packet size histogram:

Therefore, from a simplistic vector view, you can see how it’s possible to complete a full profiling of an attack, and how if your ranges are hosting multiple services, you can pinpoint the exact targeted service.

But that’s not all.

All this wealth of data is available for your clean traffic as well, since all data passing through the Incapsula service receives the same treatment. Profiling your network has never been easier.

The Importance of More Visibility

Visibility is crucial for network admins and security teams. With enhanced visibility, our clients can easily identify false positives, e.g. if traffic is blocked because of DDoS – or, say perhaps a new digital service has been introduced and suddenly many of your end users start using it.

Specific characteristics of an attack unveil actionable details. As an additional example, in the case of highly distributed traffic, that will usually mean a spoofed attack. And if a specific host is responsible for an attack, our clients can choose to modify the Access Control List (ACL) for that specific host.

Consider the benefits for the following users:

Network Admin

If you’re a network admin, you can now view clean analytics for your traffic without setting up alternative Netflow-based tools which consume router resources.

SOC Manager

Say you’re in charge of a very large network with hundreds of prefixes. Enhanced analytics provide you with better attack visibility when any one of your networks is attacked. If you receive an alert, you can determine which asset is being attacked and which IPS and ports are involved.

Head of IT Security

You can get a historical view of targeted services by destination IP and port.

How it Works

Dedicated hardware is deployed in each of our PoPs to perform the stream processing required in order to collect statistics at network speed. Probabilistic data structures are used in conjunction with deterministic counting in order to provide reliable top statistics. Analytics data is based on a 1:40 sampling resolution for DDoS traffic and a 1:1 sampling ratio for clean traffic, and data is collected in 15-second buckets.

Data is then sent for aggregation in a new, near real-time data store we call Watermill, which supports an end-to-end latency of less than 2 minutes.

If technical implementation details are your thing, we will be publishing a more technical blog post to go into even more detail, so stay tuned!

Customization

The views are customizable into table or graph format. You can customize the layout and choose to view the highest peak or average values for the selected time period. See the documentation for more information.

View Customization:

  • Dense View: All panes are packed together.
  • Aligned View: Bandwidth and packets-per-second graphs are aligned in two columns.

Data Customization:

  • Table View: See the distribution of blocked traffic for the highest values during the selected time period. Values over 10% are displayed in bold, which puts an emphasis on what’s important. For example, there may be a long tail of IPs/ports which may not be significant.
    • Peak View: Provides an indication for momentary spikes, i.e. an IP spiked at a single data point but went silent for the rest of the time range.
    • Average View: May eliminate peaks but provides a better metric for behavior over time.
  • Graph View: Drills down into the network behavior over time; supports up to 15-second granularity.

Going Forward

Infrastructure DDoS Analytics is available at no additional cost for all existing Infrastructure Protection clients. This expanded capability is just another way we’re continuing to focus on our goal of providing more in-depth visibility to our clients, so they have an easier job securing their enterprises.

Check out the new dashboard and let us know what you think!

Back to School: Cybersecurity in the Classroom

It’s hard to believe that summer is coming to an end and that back-to-school time is around the corner. For some kids, that means cyberbullies are traded in for school bullies and social engagement will turn into in-person interactions. But for others — dubbed Extreme Internet Users — the screen stays. When it comes time to go back to the classroom, the six hours or more a day these kids spent online during summer may be curtailed in favor of educational screen time instead.

Every year around this time, I reflect on how much has changed for children, especially when it comes to mobile devices in the classroom. This trend has become increasingly popular and, on the rise, as technology has improved, education adapts to rapid changes, and our world becomes more interconnected. Either these devices are given to kids or their classrooms by their school, or parents are encouraged to purchase one for their child to help support internet research and to digitize note-taking and homework.

Regardless of whether you’re a technophile or technophobe when it comes to leveraging screens in education, one thing is for sure – their presence in learning environments is here to stay. And with this shift, security is of the utmost importance.

Since January 2016, there have been 353 cybersecurity incidents in the United States related to K-12 public schools and districts. These attacks range include phishing, ransomware, DoS attacks and breaches that have exposed personal data. However, the question – what motivates cybercriminals to target schools? – still persists. The answer is complex, because what cybercriminals could exploit depends on what they want to accomplish.  Extorting school faculty, hacking private student data, disrupting school operations, or disabling, compromising, or re-directing school technology assets are all regular tools of the trade when it comes to hacking schools.

You may not be able to control how your child’s school thinks about cybersecurity, but you can take matters into your own hands. There are steps you can take to make sure your child is ready to face the school year head-on, including protecting their devices and their data.

  • Start a cybersecurity conversation. Talk with school faculty about what is being done in terms of a comprehensive cybersecurity plan for your child’s school. It’s worth starting the conversation to understand where the gaps are and what is being done to patch them.
  • Install security software on all devices. Don’t stop at the laptop, all devices need to be protected with comprehensive security software, including mobile devices and tablets.
  • Make sure all device software is up-to-date. This is one of the easiest and best ways to secure your devices against threats.
  • Teach your child how to connect securely on public Wi-Fi networks. Public Wi-Fi networks are notoriously used as backdoors by hackers trying to gain access to personal information. If Wi-Fi is absolutely necessary, ensure the network is password protected. However, if you want a secure encrypted connection, consider using a virtual private network (VPN).
  • Designate a specific date and time for regular data back-ups. If ransomware hits, you won’t have to pay to get your child’s information back. You can back up that personal data to a physical external hard drive or use an online backup service, such as Dropbox or Google Drive. That way you can access your files even if your device gets compromised.
  • Understand your child’s school bring your own device (BYOD) policy. Each school is different when it comes to BYOD and understanding your child’s school policy will save you a headache down the road. Some schools buy devices for students to rent, with parents having to pay for any incidentals, and some ask parents to buy the devices outright. Take the time to understand your child’s school policy before accidents happen.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, and follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Back to School: Cybersecurity in the Classroom appeared first on McAfee Blogs.

Security’s bane: The false positive

Nothing makes security look worse than the false negative – when we miss an attack and damage is suffered. As security professionals, it’s something we all obsess a lot about. However, the number two thing that makes us look bad is the false positive. We experience this all the time in the physical world. A few months ago, I went to buy a new stove. My credit card was declined because of the large purchase … More

The post Security’s bane: The false positive appeared first on Help Net Security.

McAfee Blogs: 80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals

The author thanks Shaun Nordeck, MD, for his assistance with this report.

With the explosion of growth in technology and its influence on our lives, we have become increasingly dependent on it. The medical field is no exception: Medical professionals trust technology to provide them with accurate information and base life-changing decisions on this data. McAfee’s Advanced Threat Research team is exploring these devices to increase awareness about their security.

Some medical devices, such as pacemakers and insulin pumps, have already been examined for security concerns. To help select an appropriate target for our research, we spoke with a doctor. In our conversations we learned just how important the accuracy of a patient’s vital signs is to medical professionals. “Vital signs are integral to clinical decision making” explained Dr. Shaun Nordeck. Bedside patient monitors and related systems are key components that provide medical professionals with the vital signs they need to make decisions; these systems are now the focal point of this research.

Exploring the attack surface

Most patient monitoring systems comprise at minimum of two basic components: a bedside monitor and a central monitoring station. These devices are wired or wirelessly networked over TCP/IP. The central monitoring station collects vitals from multiple bedside monitors so that a single medical professional can observe multiple patients.

With the help of eBay, we purchased both a patient monitor and a compatible central monitoring station at a reasonable cost. The patient monitor monitored heartbeat, oxygen level, and blood pressure. It has both wired and wireless networking and appeared to store patient information. The central monitoring station ran Windows XP Embedded, with two Ethernet ports, and ran in a limited kiosk mode at start-up. Both units were produced around 2004; several local hospitals confirmed that these models are still in use.

The two devices offer a range of potential attack surfaces. The central monitoring station operates fundamentally like a desktop computer running Windows XP, which has been extensively researched by the security community. The application running on the central monitoring station is old; if we found a vulnerability, it would likely be tied to the legacy operating system. The patient monitor’s firmware could be evaluated for vulnerabilities; however, this would affect only one of the two devices in the system and is the hardest vector to exploit. This leaves the communication between the two devices as the most interesting attack vector since if the communication could be compromised, an attack could possibly be device independent, affecting both devices by a remote attack. Given this possibility, we chose networking as the first target for this research. Dr. Nordeck confirmed that if the information passing to the central monitoring system could be modified in real time, this would be a meaningful and valid concern to medical professionals. Thus the primary question of our research became “Is it possible in real time to modify a patient’s vitals being transmitted over the network?”

Setup

When performing a vulnerability assessment of any device, it is best to first operate the device as originally designed. Tracking vital signs is the essence of the patient monitor, so we looked for a way to accurately simulate those signs for testing. Many hardware simulators are on the market and vary drastically in cost. The cheapest and easiest vital sign to simulate turned out to be a heartbeat. For less than $100 we purchased an electrocardiogram (ECG) simulator on eBay. The following image illustrates our test network:

In our test bed, the patient monitor (left), central monitoring station (right), and a research computer (top) were attached to a standard switch. The research computer was configured on a monitor port of the switch to sniff the traffic between the central monitoring device and the patient monitor. The ECG simulator was attached to the patient monitor.

Reconnaissance

With the network configured, we turned to Wireshark to watch the devices in action. The first test was to boot only the central monitor station and observe any network traffic.

In the preceding screenshot a few basic observations stand out. First, we can see that the central station is sending User Datagram Protocol (UDP) broadcast packets every 10 seconds with a source and destination port of 7000. We can also see clear-text ASCII in the payload, which provides the device name. After collecting and observing these packets for several minutes, we can assume this is standard behavior. Because the central station is running on a Window XP embedded machine, we can attempt to verify this information by doing some quick reverse engineering of the binaries used by the application. After putting several libraries into Interactive Disassembler Pro, it is apparent that the symbols and debugging information has been left behind. With a little cleanup and work from the decompilers, we see the following code:

This loop calls a function that broadcasts Rwhat, a protocol used by some medical devices. We also can see a function called to get the amount of time to wait between packets, with the result plugged into the Windows sleep function. This code block confirms what we saw with Wireshark and gives us confidence the communication is consistent.

Having gained basic knowledge of the central monitoring station, the next step was to perform the same test on the patient monitor. With the central station powered down, we booted the patient monitor and watched the network traffic using Wireshark.

We can make similar observations about the patient monitor’s broadcast packets, including the 10-second time delay and patient data in plaintext. In these packets we see that the source port is incrementing but the destination port, 7000, is the same as the central monitoring station’s.  After reviewing many of these packets, we find that offset 0x34 of the payload has a counter that increments by 0xA, or 10, with each packet. Without potentially damaging the patient monitor, there is no good way to extract the firmware to review its code. However, the central monitoring station must have code to receive these packets. With a bit of digging through the central station’s binaries, we found the section parsing the broadcast packets from the patient monitor.

The first line of code parses the payload of the packet plus 12 bytes. If we count in 12 bytes from the payload on the Wireshark capture, we can see the start of the patient data in clear text. The next function called is parse_logical_name, whose second parameter is an upper limit for the string being passed. This field has a maximum length of 0x20, or 32, bytes. The subsequent code handles whether this information is empty and stores the data in the format logical_name. This review again helps confirm what we see in real time with Wireshark.

Now that we understand the devices’ separate network traffic, we can look at how they interact. Using our network setup and starting the ECG simulator we can see the central monitor station and the patient monitor come to life.

With everything working, we again use Wireshark to examine the traffic. We find a new set of packets.

In the preceding screen capture we see the patient monitor at IP address 126.4.153.150 is sending the same-size data packets to the central monitoring station at address 126.1.1.1. The source port does not change.

Through these basic tests we learn a great deal:

  • The two devices are speaking over unencrypted UDP
  • The payload contains counters and patient information
  • The broadcast address does not require the devices to know each other’s address beforehand
  • When the data is sent distinct packets contain the waveform

Attacking the protocol

Our reconnaissance tells us we may have the right conditions for a replay attack. Such an attack would not satisfy our goal of modifying data in real time across the network; however, it would provide more insight about the requirements and may prove useful in reaching our goal.

After capturing the packets from the simulated heartbeat, we attempted to replay the captures using Python’s Scapy library. We did this with the patient monitor turned off and the central monitoring station listening for information. After several attempts, this test was unsuccessful. This failure shows the system expects more than just a device sending data packets to a specific IP address.

We examined more closely the packets that are sent before the data packets. We learned that even though the packets are sent with UDP, some sort of handshake is performed between the two devices. The next diagram describes this handshake. 

 

In this fanciful dialog, CMS is the central monitoring system; PM is the patient monitor.

To understand what is happening during the handshake, we can relate each phase of this handshake to that of a TCP three-way handshake. (This is only an analogy; the device is not actually performing a TCP three-way handshake.)

The central monitoring station first sends a packet to port 2000 to the patient monitor. This can be considered the “SYN” packet. The patient monitor responds to the central station; notice it responds to the source port of the initial request. This can be considered the “SYN,ACK.” The central station sends the final “ACK,” essentially completing a three-way (or three-step) handshake. Directly following this step, the patient monitor sends another packet to the initial port of the “SYN” packet. The central monitor responds to the patient monitor on port 2000 with a new source port. Immediately following, we see the data packets being sent to the new source port, 3627, named in the previous exchange.

This exam provides insight into why the replay attack did not work. The central station defines for each connection which ports will be open for the incoming data; we need to consider this when attempting a replay attack. Modifying our previous Scapy scripts to account for the handshake, we retested the replay attack. With the new handshake code in place, the test still failed. Taking another look at the “SYN,ACK” packets provides a potential reason for the failure.

At offset 0x3D is a counter that needs to be incremented each time one of these packets is sent. In this case the patient monitor’s source IP address is embedded in the payload at offsets 0x2A and 0x30. This embedded IP address is not as important for this attack because during the replay our scripts can become the patient monitor’s IP; however, this will become more important later. The newly discovered counter needs to be accounted for and incremented.

Emulating a patient monitor

By taking these new findings into account our replay attack becomes successful. If we can observe a certain ECG pattern, we can play it back to the central monitoring station without the patient monitor on the network. Thus we can emulate the function of the patient monitor with any device. The following video demonstrates this emulation using a Raspberry Pi. We set our Scapy scripts to load after booting the Pi, which mimics the idle function of the patient monitor. When the central monitor requests information about the patient’s vitals, the Pi provides the station with an 80-beats-per-minute wave form. This also works with the other vital signs.

Impact of emulation

Although we have not yet reached our goal of real-time modification, we must consider the implications of this type of attack. If someone were to unplug the monitor of a stable patient and replace it with a device that continued to report the same stable vitals, would that cause any harm? Probably not immediately. But what if the stable patient suddenly became unstable? The central station would normally sound an alarm to alert medical personal, who could take appropriate action. However, if the monitor had been replaced, would anyone know help was needed? The patient monitor also normally sounds alarms that might be heard in and outside of the patient’s room, yet if the monitor was replaced, those alarms would be absent.

In hospitals, nurses and other personal generally make periodic checks even of stable patients. So any deception might not last long, but it might not need to. What if someone were trying to kidnap a patient? A kidnapper would alert fewer people than would be expected.

Switching from a real patient monitor to an emulator would cause a short loss in communication from the patient’s room to the central monitoring station. Is this enough to make the scenario unrealistic or not a threat? We asked Dr. Nordeck if a short loss in connection could be part of a reasonable scenario. “A momentary disconnection of the ECG would likely go unnoticed as this happens often due to patient movement or changing clothes and, as long as it is reconnected, will be unlikely to cause an alert,” he said.

Modifying vitals in real time

Although emulating the patient monitor is interesting, it did not accomplish our goal of making real-time modifications. Using what we learned while testing emulation, could we perform real-time injection? To answer this question, we must first understand the difference between emulation and real-time injection.

Emulation requires a deeper understanding of how the initial connection, the handshake, between the two devices occurred. When considering real-time modification, this handshake has already taken place. But an attacker would not know which port the data packets are being sent too, nor any of the other ports used in the data stream. Plus, because the real patient monitor is still online, it will constantly send data to the central monitoring station.

One way to account for these factors is to use Address Resolution Protocol (ARP) spoofing. If the patient monitor is ARP spoofed, then the attacker, instead of the central monitoring station, would receive the data packets. This step would allow the attacker to determine which ports are in use and stop the patient monitor’s data from getting to the central monitoring station. Because we have already shown that emulation works, the attacker simply has to send replacement data to the central station while appearing as the patient monitor.

For example, consider the following original packet coming from the patient monitor:

The patient monitor sends a packet with the patient’s heartbeat stored at offset 0x71 in the payload. The patient monitor in this screen capture is at IP address 126.4.153.150. An attacker can ARP spoof the patient monitor with a Kali virtual machine.

The ARP packets indicate that the central station, IP address 126.1.1.1, is at MAC address 00:0c:29:a1:6e:bf, which is actually the Kali virtual machine. Wireshark recognizes two MACs with the same IP address assigned and highlights them, showing the ARP spoof.

Next the attacker from the virtual machine at address 126.4.153.153 sends false information to the central monitoring station, still at address 126.1.1.1. In this example, offset 0x71 has been changed to 0x78, or 120. (The attacker could choose any value; the following demo videos use the heartbeat value 180 because it is more alarming.) Also notice the IP address stored in the payload, which we discovered during the reconnaissance phase. It still indicates this data is coming from the original patient monitor address, which is different from the IP address on the packet’s IP header. Due to this implementation, there is no need for the attacker to spoof their IP address for the attack to be successful.

Two videos show this modification happening in real time:

 

Impact of real-time modification

Although the monitor in the patient’s room is not directly affected, real-time modification is impactful because medical professionals use these central stations to make critical decisions on a large number of patients—instead of visiting each room individually. As long as the changes are believable, they will not always be verified.

Dr. Nordeck explains the impact of this attack: “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots. The hospital could also suffer resource consumption.” Dr. Nordeck explained that short changes to a heartbeat would generally trigger the nurse or technician monitoring the central station to page a doctor. The doctor would typically ask for a printout from the central station to review the rhythm. The doctor might also order an additional test, such as an EKG, to verify the rhythm. An EKG, however, would not likely capture an abnormal rhythm if it is intermittent, but the test might reveal an underlying cause for intermittent arrythmia. Should the rhythm recur intermittently throughout the day, the doctor might make treatment decisions based on this erroneous printout.

The American Heart Association and American College of Cardiology publish guidelines that hospitals are to follow, including for “intermittent cardiac rhythms,” seen in this chart:

A decision tree for treating an intermittent heart rate. Source: American Heart Association.

The first decision point in this tree asks if the patient is hemodynamically stable (whether the blood pressure is normal). This attack does not affect the bedside monitor. A nurse might retake the patient’s blood pressure, which would be normal. The next decision point following the “Yes” path is a diagnosis of focal atrial tachycardia. Regardless of the medical terms and answers, the patient is issued medication. In the case of a network attack, this is medication the patient does not need and could cause harm.

Conclusion

This research from McAfee’s Advanced Threat Research team shows it is possible to emulate and modify a patient’s vital signs in real time on a medical network using a patient monitor and central monitoring station. For this attack to be viable, an attacker would need to be on the same network as the devices and have knowledge of the networking protocol. Any modifications made to patient data would need to be believable to medical professionals for there to be any impact.

During our research we did not modify the patient monitor, which always showed the true data; but we have proven the impact of an attack can be meaningful. Such an attack could result in patients receiving the wrong medications, additional testing, and extended hospital stays—any of which could incur unnecessary expenses.

Both product vendors and medical facilities can take measures to drastically reduce the threat of this type of attack. Vendors can encrypt network traffic between the devices and add authentication. These two steps would drastically increase the difficulty of this type of attack. Vendors also typically recommend that medical equipment is run on a completely isolated network with very strict network-access controls. If medical facilities follow these recommendations, attackers would require physical access to the network, greatly helping to reduce the attack surface.

One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Through responsible disclosure we aim to assist and encourage the industry toward a more comprehensive security posture. As part of our policy, we reported this research to the vendor whose products we tested and will continue to work with other vendors to help secure their products.

The post 80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals appeared first on McAfee Blogs.



McAfee Blogs

80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals

The author thanks Shaun Nordeck, MD, for his assistance with this report.

With the explosion of growth in technology and its influence on our lives, we have become increasingly dependent on it. The medical field is no exception: Medical professionals trust technology to provide them with accurate information and base life-changing decisions on this data. McAfee’s Advanced Threat Research team is exploring these devices to increase awareness about their security.

Some medical devices, such as pacemakers and insulin pumps, have already been examined for security concerns. To help select an appropriate target for our research, we spoke with a doctor. In our conversations we learned just how important the accuracy of a patient’s vital signs is to medical professionals. “Vital signs are integral to clinical decision making” explained Dr. Shaun Nordeck. Bedside patient monitors and related systems are key components that provide medical professionals with the vital signs they need to make decisions; these systems are now the focal point of this research.

Exploring the attack surface

Most patient monitoring systems comprise at minimum of two basic components: a bedside monitor and a central monitoring station. These devices are wired or wirelessly networked over TCP/IP. The central monitoring station collects vitals from multiple bedside monitors so that a single medical professional can observe multiple patients.

With the help of eBay, we purchased both a patient monitor and a compatible central monitoring station at a reasonable cost. The patient monitor monitored heartbeat, oxygen level, and blood pressure. It has both wired and wireless networking and appeared to store patient information. The central monitoring station ran Windows XP Embedded, with two Ethernet ports, and ran in a limited kiosk mode at start-up. Both units were produced around 2004; several local hospitals confirmed that these models are still in use.

The two devices offer a range of potential attack surfaces. The central monitoring station operates fundamentally like a desktop computer running Windows XP, which has been extensively researched by the security community. The application running on the central monitoring station is old; if we found a vulnerability, it would likely be tied to the legacy operating system. The patient monitor’s firmware could be evaluated for vulnerabilities; however, this would affect only one of the two devices in the system and is the hardest vector to exploit. This leaves the communication between the two devices as the most interesting attack vector since if the communication could be compromised, an attack could possibly be device independent, affecting both devices by a remote attack. Given this possibility, we chose networking as the first target for this research. Dr. Nordeck confirmed that if the information passing to the central monitoring system could be modified in real time, this would be a meaningful and valid concern to medical professionals. Thus the primary question of our research became “Is it possible in real time to modify a patient’s vitals being transmitted over the network?”

Setup

When performing a vulnerability assessment of any device, it is best to first operate the device as originally designed. Tracking vital signs is the essence of the patient monitor, so we looked for a way to accurately simulate those signs for testing. Many hardware simulators are on the market and vary drastically in cost. The cheapest and easiest vital sign to simulate turned out to be a heartbeat. For less than $100 we purchased an electrocardiogram (ECG) simulator on eBay. The following image illustrates our test network:

In our test bed, the patient monitor (left), central monitoring station (right), and a research computer (top) were attached to a standard switch. The research computer was configured on a monitor port of the switch to sniff the traffic between the central monitoring device and the patient monitor. The ECG simulator was attached to the patient monitor.

Reconnaissance

With the network configured, we turned to Wireshark to watch the devices in action. The first test was to boot only the central monitor station and observe any network traffic.

In the preceding screenshot a few basic observations stand out. First, we can see that the central station is sending User Datagram Protocol (UDP) broadcast packets every 10 seconds with a source and destination port of 7000. We can also see clear-text ASCII in the payload, which provides the device name. After collecting and observing these packets for several minutes, we can assume this is standard behavior. Because the central station is running on a Window XP embedded machine, we can attempt to verify this information by doing some quick reverse engineering of the binaries used by the application. After putting several libraries into Interactive Disassembler Pro, it is apparent that the symbols and debugging information has been left behind. With a little cleanup and work from the decompilers, we see the following code:

This loop calls a function that broadcasts Rwhat, a protocol used by some medical devices. We also can see a function called to get the amount of time to wait between packets, with the result plugged into the Windows sleep function. This code block confirms what we saw with Wireshark and gives us confidence the communication is consistent.

Having gained basic knowledge of the central monitoring station, the next step was to perform the same test on the patient monitor. With the central station powered down, we booted the patient monitor and watched the network traffic using Wireshark.

We can make similar observations about the patient monitor’s broadcast packets, including the 10-second time delay and patient data in plaintext. In these packets we see that the source port is incrementing but the destination port, 7000, is the same as the central monitoring station’s.  After reviewing many of these packets, we find that offset 0x34 of the payload has a counter that increments by 0xA, or 10, with each packet. Without potentially damaging the patient monitor, there is no good way to extract the firmware to review its code. However, the central monitoring station must have code to receive these packets. With a bit of digging through the central station’s binaries, we found the section parsing the broadcast packets from the patient monitor.

The first line of code parses the payload of the packet plus 12 bytes. If we count in 12 bytes from the payload on the Wireshark capture, we can see the start of the patient data in clear text. The next function called is parse_logical_name, whose second parameter is an upper limit for the string being passed. This field has a maximum length of 0x20, or 32, bytes. The subsequent code handles whether this information is empty and stores the data in the format logical_name. This review again helps confirm what we see in real time with Wireshark.

Now that we understand the devices’ separate network traffic, we can look at how they interact. Using our network setup and starting the ECG simulator we can see the central monitor station and the patient monitor come to life.

With everything working, we again use Wireshark to examine the traffic. We find a new set of packets.

In the preceding screen capture we see the patient monitor at IP address 126.4.153.150 is sending the same-size data packets to the central monitoring station at address 126.1.1.1. The source port does not change.

Through these basic tests we learn a great deal:

  • The two devices are speaking over unencrypted UDP
  • The payload contains counters and patient information
  • The broadcast address does not require the devices to know each other’s address beforehand
  • When the data is sent distinct packets contain the waveform

Attacking the protocol

Our reconnaissance tells us we may have the right conditions for a replay attack. Such an attack would not satisfy our goal of modifying data in real time across the network; however, it would provide more insight about the requirements and may prove useful in reaching our goal.

After capturing the packets from the simulated heartbeat, we attempted to replay the captures using Python’s Scapy library. We did this with the patient monitor turned off and the central monitoring station listening for information. After several attempts, this test was unsuccessful. This failure shows the system expects more than just a device sending data packets to a specific IP address.

We examined more closely the packets that are sent before the data packets. We learned that even though the packets are sent with UDP, some sort of handshake is performed between the two devices. The next diagram describes this handshake. 

 

In this fanciful dialog, CMS is the central monitoring system; PM is the patient monitor.

To understand what is happening during the handshake, we can relate each phase of this handshake to that of a TCP three-way handshake. (This is only an analogy; the device is not actually performing a TCP three-way handshake.)

The central monitoring station first sends a packet to port 2000 to the patient monitor. This can be considered the “SYN” packet. The patient monitor responds to the central station; notice it responds to the source port of the initial request. This can be considered the “SYN,ACK.” The central station sends the final “ACK,” essentially completing a three-way (or three-step) handshake. Directly following this step, the patient monitor sends another packet to the initial port of the “SYN” packet. The central monitor responds to the patient monitor on port 2000 with a new source port. Immediately following, we see the data packets being sent to the new source port, 3627, named in the previous exchange.

This exam provides insight into why the replay attack did not work. The central station defines for each connection which ports will be open for the incoming data; we need to consider this when attempting a replay attack. Modifying our previous Scapy scripts to account for the handshake, we retested the replay attack. With the new handshake code in place, the test still failed. Taking another look at the “SYN,ACK” packets provides a potential reason for the failure.

At offset 0x3D is a counter that needs to be incremented each time one of these packets is sent. In this case the patient monitor’s source IP address is embedded in the payload at offsets 0x2A and 0x30. This embedded IP address is not as important for this attack because during the replay our scripts can become the patient monitor’s IP; however, this will become more important later. The newly discovered counter needs to be accounted for and incremented.

Emulating a patient monitor

By taking these new findings into account our replay attack becomes successful. If we can observe a certain ECG pattern, we can play it back to the central monitoring station without the patient monitor on the network. Thus we can emulate the function of the patient monitor with any device. The following video demonstrates this emulation using a Raspberry Pi. We set our Scapy scripts to load after booting the Pi, which mimics the idle function of the patient monitor. When the central monitor requests information about the patient’s vitals, the Pi provides the station with an 80-beats-per-minute wave form. This also works with the other vital signs.

Impact of emulation

Although we have not yet reached our goal of real-time modification, we must consider the implications of this type of attack. If someone were to unplug the monitor of a stable patient and replace it with a device that continued to report the same stable vitals, would that cause any harm? Probably not immediately. But what if the stable patient suddenly became unstable? The central station would normally sound an alarm to alert medical personal, who could take appropriate action. However, if the monitor had been replaced, would anyone know help was needed? The patient monitor also normally sounds alarms that might be heard in and outside of the patient’s room, yet if the monitor was replaced, those alarms would be absent.

In hospitals, nurses and other personal generally make periodic checks even of stable patients. So any deception might not last long, but it might not need to. What if someone were trying to kidnap a patient? A kidnapper would alert fewer people than would be expected.

Switching from a real patient monitor to an emulator would cause a short loss in communication from the patient’s room to the central monitoring station. Is this enough to make the scenario unrealistic or not a threat? We asked Dr. Nordeck if a short loss in connection could be part of a reasonable scenario. “A momentary disconnection of the ECG would likely go unnoticed as this happens often due to patient movement or changing clothes and, as long as it is reconnected, will be unlikely to cause an alert,” he said.

Modifying vitals in real time

Although emulating the patient monitor is interesting, it did not accomplish our goal of making real-time modifications. Using what we learned while testing emulation, could we perform real-time injection? To answer this question, we must first understand the difference between emulation and real-time injection.

Emulation requires a deeper understanding of how the initial connection, the handshake, between the two devices occurred. When considering real-time modification, this handshake has already taken place. But an attacker would not know which port the data packets are being sent too, nor any of the other ports used in the data stream. Plus, because the real patient monitor is still online, it will constantly send data to the central monitoring station.

One way to account for these factors is to use Address Resolution Protocol (ARP) spoofing. If the patient monitor is ARP spoofed, then the attacker, instead of the central monitoring station, would receive the data packets. This step would allow the attacker to determine which ports are in use and stop the patient monitor’s data from getting to the central monitoring station. Because we have already shown that emulation works, the attacker simply has to send replacement data to the central station while appearing as the patient monitor.

For example, consider the following original packet coming from the patient monitor:

The patient monitor sends a packet with the patient’s heartbeat stored at offset 0x71 in the payload. The patient monitor in this screen capture is at IP address 126.4.153.150. An attacker can ARP spoof the patient monitor with a Kali virtual machine.

The ARP packets indicate that the central station, IP address 126.1.1.1, is at MAC address 00:0c:29:a1:6e:bf, which is actually the Kali virtual machine. Wireshark recognizes two MACs with the same IP address assigned and highlights them, showing the ARP spoof.

Next the attacker from the virtual machine at address 126.4.153.153 sends false information to the central monitoring station, still at address 126.1.1.1. In this example, offset 0x71 has been changed to 0x78, or 120. (The attacker could choose any value; the following demo videos use the heartbeat value 180 because it is more alarming.) Also notice the IP address stored in the payload, which we discovered during the reconnaissance phase. It still indicates this data is coming from the original patient monitor address, which is different from the IP address on the packet’s IP header. Due to this implementation, there is no need for the attacker to spoof their IP address for the attack to be successful.

Two videos show this modification happening in real time:

 

Impact of real-time modification

Although the monitor in the patient’s room is not directly affected, real-time modification is impactful because medical professionals use these central stations to make critical decisions on a large number of patients—instead of visiting each room individually. As long as the changes are believable, they will not always be verified.

Dr. Nordeck explains the impact of this attack: “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots. The hospital could also suffer resource consumption.” Dr. Nordeck explained that short changes to a heartbeat would generally trigger the nurse or technician monitoring the central station to page a doctor. The doctor would typically ask for a printout from the central station to review the rhythm. The doctor might also order an additional test, such as an EKG, to verify the rhythm. An EKG, however, would not likely capture an abnormal rhythm if it is intermittent, but the test might reveal an underlying cause for intermittent arrythmia. Should the rhythm recur intermittently throughout the day, the doctor might make treatment decisions based on this erroneous printout.

The American Heart Association and American College of Cardiology publish guidelines that hospitals are to follow, including for “intermittent cardiac rhythms,” seen in this chart:

A decision tree for treating an intermittent heart rate. Source: American Heart Association.

The first decision point in this tree asks if the patient is hemodynamically stable (whether the blood pressure is normal). This attack does not affect the bedside monitor. A nurse might retake the patient’s blood pressure, which would be normal. The next decision point following the “Yes” path is a diagnosis of focal atrial tachycardia. Regardless of the medical terms and answers, the patient is issued medication. In the case of a network attack, this is medication the patient does not need and could cause harm.

Conclusion

This research from McAfee’s Advanced Threat Research team shows it is possible to emulate and modify a patient’s vital signs in real time on a medical network using a patient monitor and central monitoring station. For this attack to be viable, an attacker would need to be on the same network as the devices and have knowledge of the networking protocol. Any modifications made to patient data would need to be believable to medical professionals for there to be any impact.

During our research we did not modify the patient monitor, which always showed the true data; but we have proven the impact of an attack can be meaningful. Such an attack could result in patients receiving the wrong medications, additional testing, and extended hospital stays—any of which could incur unnecessary expenses.

Both product vendors and medical facilities can take measures to drastically reduce the threat of this type of attack. Vendors can encrypt network traffic between the devices and add authentication. These two steps would drastically increase the difficulty of this type of attack. Vendors also typically recommend that medical equipment is run on a completely isolated network with very strict network-access controls. If medical facilities follow these recommendations, attackers would require physical access to the network, greatly helping to reduce the attack surface.

One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Through responsible disclosure we aim to assist and encourage the industry toward a more comprehensive security posture. As part of our policy, we reported this research to the vendor whose products we tested and will continue to work with other vendors to help secure their products.

The post 80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals appeared first on McAfee Blogs.

Identity Is the New Perimeter — But Where’s Its Firewall?

First, it was the firewall that shielded the perimeter of our networks from outside intrusion. Firewalls are still a necessary tool in any cybersecurity system, but as more data access came from beyond the internal network, the perimeter shifted to endpoints.

With cloud computing, mobile devices, the Internet of Things (IoT) and the like, much of our information is stored and accessed far away from the original network perimeter. Protecting that data became cybersecurity’s battle cry, and endpoints became the new perimeter.

Now, there is yet another shift. Thanks to digital transformation, identity is the new perimeter.

Identity Is the New Perimeter: Turning Focus

The idea of identity as the new perimeter (and how to secure it) was a primary talking point at Identiverse 2018 earlier this summer. The running theme was that the industry has reached an intersection of people, devices and applications that requires security based on identity.

The world’s digital ecosystem is in a constant state of evolution, said Andre Durand, CEO and founder of security company Ping Identity, in his keynote address. Security professionals rely on identity to meet the challenges of this environment. Durand said identity will be the catalyst of the digital transformation across all industry verticals.

It makes sense: The digital transformation is pushing security professionals to rethink their internal technologies and strategies. As more is accomplished through digital means, they have to develop new ways to identify and verify users — human or machine. Digital identity becomes the doorman, determining access to data and network infrastructure.

Hence, identity is the new perimeter — or, at least, the newest layer of the perimeter.

Accelerate digital growth by establishing digital identity trust

Network Access and Blurred Boundaries

The ability to authenticate identities was easier back when everyone in a single organization shared the same infrastructure. Now, of course, boundaries are more blurred and fluid than ever as devices with network access have multiplied and technologies intersect in the digital atmosphere, Durand said.

This perimeter fluidity is one of the forces shaping identity and identity security. Security professionals can’t put things into neat little piles and expect easy verification of each pile. Multifactor authentication (MFA) is necessary today for identity proofing — and forget passwords as one of those layers. Protecting the identity perimeter requires more sophisticated authentication tools and biometrics integration.

Strong authentication factors help build a circle of trusted identities, but the perimeter needs layers of trust. Think of it this way: Phone calls are one way people attempt to infiltrate personal perimeters. Calls that come from anonymous or unknown numbers are often filtered to voicemail to verify their legitimacy. Calls recognized to be high risk — like a repeated spam phone number — get blocked or reported. But the calls that come from a known identity, such as a number from your contact list, get a positive response.

Digital identity is similar. We must be able to verify trust in the identity before we allow it into our access perimeter.

Building Trust Is Harder Than It Seems

On the surface, the trust level seems obvious. Your IT team should be able to validate known identities and their levels of access. Your security team should be able to spot higher risk identities trying to penetrate.

The problem is threat actors are very good at tricking us into handing over our digital identities.

It’s become much cheaper for malicious actors to practice their trade than it was even a few years ago, which is one reason why security incidents are more frequent today. They are also much smarter about technology and human behavior. They don’t need to use sophisticated attacks to outmaneuver us. Instead, they know that each person is a port into the network and have figured out — often through social engineering and phishing emails — how to breach our identities. From there they can access endpoints and networks using verified authentications.

Your system trusts the identity because it is known — even if you’re not the one using it.

All successful exploits were facilitated by a failure in core identity controls, Richard Bird, client director at Optiv, told the audience at Identiverse 2018. It’s a people problem, but it’s treated like a tech problem.

“Identity-centric security is the only way to win in a world where every information security organization is already out-manned, out-gunned and outmaneuvered by the enemy,” Bird said. “Only re-establishing the core principle of identity as security in your organization will give you a fighting chance.”

If identity is the new perimeter, security must be built in. This could be through identity and access management (IAM) or with privileged account management (PAM) — approaches that give you a first layer of control. You can’t depend on a circle of trust if you don’t have that perimeter strongly guarded.

Everything in security eventually comes back to identity, according to Bird. Defending the identity perimeter must be the first layer in your security system because if you can protect identity, you have a better shot at protecting the endpoints and network.

The post Identity Is the New Perimeter — But Where’s Its Firewall? appeared first on Security Intelligence.

Enterprises as modern software factories: Infusing security throughout the app dev process

The DevOps methodology is ready to take the next step in its evolution. The first instance incorporated an operational approach to application development to create in-house, custom apps in a fast-paced, iterative environment. The next step must now insert security at each point of the model. It’s well known that using a modern software factory approach, like DevOps, can improve an enterprise’s overall speed and agility. The focus is on innovation and producing applications that … More

The post Enterprises as modern software factories: Infusing security throughout the app dev process appeared first on Help Net Security.

The future of OT security in critical infrastructure

Both the likelihood and consequences of cyberattacks to OT/ICS components continue to grow for modern industrial operations. While current advances in OT/ICS cyber security are impressive, new approaches are needed to gain defensive advantage over already-capable cyber adversaries, to keep up with new OT/ICS technologies, and to serve business risk management needs in increasingly-demanding, competitive environments. In all these cases, progress only comes when both IT and OT stakeholders can (1) correctly assess current and … More

The post The future of OT security in critical infrastructure appeared first on Help Net Security.

Protecting the protector: Hardening machine learning defenses against adversarial attacks

Harnessing the power of machine learning and artificial intelligence has enabled Windows Defender Advanced Threat Protection (Windows Defender ATP) next-generation protection to stop new malware attacks before they can get started often within milliseconds. These predictive technologies are central to scaling protection and delivering effective threat prevention in the face of unrelenting attacker activity.

Consider this: On a recent typical day, 2.6 million people encountered newly discovered malware in 232 different countries (Figure 1). These attacks were comprised of 1.7 million distinct, first-seen malware and 60% of these campaigns were finished within the hour.

Figure 1. A single day of malware attacks: 2.6M people from 232 countries encountering malware

While intelligent, cloud-based approaches represent a sea change in the fight against malware, attackers are not sitting idly by and letting advanced ML and AI systems eat their Bitcoin-funded lunch. If they can find a way to defeat machine learning models at the heart of next-gen AV solutions, even for a moment, theyll gain the breathing room to launch a successful campaign.

Today at Black Hat USA 2018, in our talk Protecting the Protector: Hardening Machine Learning Defenses Against Adversarial Attacks, we presented a series of lessons learned from our experience investigating attackers attempting to defeat our ML and AI protections. We share these lessons in this blog post; we use a case study to demonstrate how these same lessons have hardened Microsofts defensive solutions in the real world. We hope these lessons will help provide defensive strategies on deploying ML in the fight against emerging threats.

Lesson: Use a multi-layered approach

In our layered ML approach, defeating one layer does not mean evading detection, as there are still opportunities to detect the attack at the next layer, albeit with an increase in time to detect. To prevent detection of first-seen malware, an attacker would need to find a way to defeat each of the first three layers in our ML-based protection stack.

Figure 2. Layered ML protection

Even if the first three layers were circumvented, leading to patient zero being infected by the malware, the next layers can still uncover the threat and start protecting other users as soon as these layers reach a malware verdict.

Lesson: Leverage the power of the cloud

ML models trained on the backend and shipped to the client are the first (and fastest) layer in our ML-based stack. They come with some drawbacks, not least of which is that an attacker can take the model and apply pressure until it gives up its secrets. This is a very old trick in the malware authors playbook: iteratively tweak prospective threats and keep scanning it until its no longer detected, then unleash it.

Figure 3. Client vs. cloud models

With models hosted in the cloud, it becomes more challenging to brute-force the model. Because the only way to understand what the models may be doing is to keep sending requests to the cloud protection system, such attempts to game the system are out in the open and can be detected and mitigated in the cloud.

Lesson: Use a diverse set of models

In addition to having multiple layers of ML-based protection, within each layer we run numerous individual ML models trained to recognize new and emerging threats. Each model has its own focus, or area of expertise. Some may focus on a specific file type (for example, PE files, VBA macros, JavaScript, etc.) while others may focus on attributes of a potential threat (for example, behavioral signals, fuzzy hash/distance to known malware, etc.). Different models use different ML algorithms and train on their own unique set of features.

Figure 4. Diversity of machine learning models

Each stand-alone model gives its own independent verdict about the likelihood that a potential threat is malware. The diversity, in addition to providing a robust and multi-faceted look at potential threats, offers stronger protection against attackers finding some underlying weakness in any single algorithm or feature set.

Lesson: Use stacked ensemble models

Another effective approach weve found to add resilience against adversarial attacks is to use ensemble models. While individual models provide a prediction scoped to a particular area of expertise, we can treat those individual predictions as features to additional ensemble machine learning models, combining the results from our diverse set of base classifiers to create even stronger predictions that are more resilient to attacks.

In particular, weve found that logistic stacking, where we include the individual probability scores from each base classifier in the ensemble feature set provides increased effectiveness of malware prediction.

Figure 5. Ensemble machine learning model with individual model probabilities as feature inputs

As discussed in detail in our Black Hat talk, experimental verification and real-world performance shows this approach helps us resist adversarial attacks. In June, the ensemble models represented nearly 12% of our total malware blocks from cloud protection, which translates into tens of thousands of computers protected by these new models every day.

Figure 6. Blocks by ensemble models vs. other cloud blocks

Case study: Ensemble models vs. regional banking Trojan

“The idea of ensemble learning is to build a prediction model by combining the strengths of a collection of simpler base models.”
— Trevor Hastie, Robert Tibshirani, Jerome Friedman

One of the key advantages of ensemble models is the ability to make a high-fidelity prediction from a series of lower-fidelity inputs. This can sometimes seem a little spooky and counter-intuitive to researchers, but uses cases weve studied show this approach can catch malware that the singular models cannot. Thats what happened in early June when a new banking trojan (detected by Windows Defender ATP as TrojanDownloader:VBS/Bancos) targeting users in Brazil was unleashed.

The attack

The attack started with spam e-mail sent to users in Brazil, directing them to download an important document with a name like Doc062108.zip inside of which was a document that is really a highly obfuscated .vbs script.

Figure 7. Initial infection chain

Figure 8. Obfuscated malicious .vbs script

While the script contains several Base64-encoded Brazilian poems, its true purpose is to:

  • Check to make sure its running on a machine in Brazil
  • Check with its command-and-control server to see if the computer has already been infected
  • Download other malicious components, including a Google Chrome extension
  • Modify the shortcut to Google Chrome to run a different malicious .vbs file

Now whenever the user launches Chrome, this new .vbs malware instead runs.

Figure 9. Modified shortcut to Google Chrome

This new .vbs file runs a .bat file that:

  • Kills any running instances of Google Chrome
  • Copies the malicious Chrome extension into %UserProfile%\Chrome
  • Launches Google Chrome with the load-extension= parameter pointing to the malicious extension

Figure 10. Malicious .bat file that loads the malicious Chrome extension

With the .bat files work done, the users Chrome instance is now running the malicious extension.

Figure 11. The installed Chrome extension

The extension itself runs malicious JavaScript (.js) files on every web page visited.

Figure 12. Inside the malicious Chrome extension

The .js files are highly obfuscated to avoid detection:

Figure 13. Obfuscated .js file

Decoding the hex at the start of the script, we can start to see some clues that this is a banking trojan:

Figure 14. Clues in script show its true intention

The .js files detect whether the website visited is a Brazilian banking site. If it is, the POST to the site is intercepted and sent to the attackers C&C to gather the users login credentials, credit card info, and other info before being passed on to the actual banking site. This activity is happening behind the scenes; to the user, theyre just going about their normal routine with their bank.

Ensemble models and the malicious JavaScript

As the attack got under way, our cloud protection service received thousands of queries about the malicious .js files, triggered by a client-side ML model that considered these files suspicious. The files were highly polymorphic, with every potential victim receiving a unique, slightly altered version of the threat:
Figure 15. Polymorphic malware

The interesting part of the story are these malicious JavaScript files. How did our ML models perform detecting these highly obfuscated scripts as malware? Lets look at one of instances. At the time of the query, we received metadata about the file. Heres a snippet:

Report time 2018-06-14 01:16:03Z
SHA-256 1f47ec030da1b7943840661e32d0cb7a59d822e400063cd17dc5afa302ab6a52
Client file type model SUSPICIOUS
File name vNSAml.js
File size 28074
Extension .js
Is PE file FALSE
File age 0
File prevalence 0
Path C:\Users\<user>\Chrome\1.9.6\vNSAml.js
Process name xcopy.exe

Figure 16 File metadata sent during query to cloud protection service

Based on the process name, this query was sent when the .bat file copied the .js files into the %UserProfile%\Chrome directory.

Individual metadata-based classifiers evaluated the metadata and provided their probability scores. Ensemble models then used these probabilities, along with other features, to reach their own probability scores:

Model Probability that file is malware
Fuzzy hash 1 0.01
Fuzzy hash 2 0.06
ResearcherExpertise 0.64
Ensemble 1 0.85
Ensemble 2 0.91

Figure 17. Probability scores by individual classifiers

In this case, the second ensemble model had a strong enough score for the cloud to issue a blocking decision. Even though none of the individual classifiers in this case had a particularly strong score, the ensemble model had learned from training on millions of clean and malicious files that this combination of scores, in conjunction with a few other non-ML based features, indicated the file had a very strong likelihood of being malware.

Figure 18. Ensemble models issue a blocking decision

As the queries on the malicious .js files rolled in, the cloud issued blocking decisions within a few hundred milliseconds using the ensemble models strong probability score, enabling Windows Defender ATPs antivirus capabilities to prevent the malicious .js from running and remove it. Here is a map overlay of the actual ensemble-based blocks of the malicious JavaScript files at the time:

Figure 19. Blocks by ensemble model of malicious JavaScript used in the attack

Ensemble ML models enabled Windows Defender ATPs next-gen protection to defend thousands of customers in Brazil targeted by the unscrupulous attackers from having a potentially bad day, while ensuring the frustrated malware authors didnt hit the big pay day they were hoping for. Bom dia.

 

Further reading on machine learning and artificial intelligence in Windows Defender ATP

Indicators of compromise (IoCs)

  • Doc062018.zip (SHA-256: 93f488e4bb25977443ff34b593652bea06e7914564af5721727b1acdd453ced9)
  • Doc062018-2.vbs (SHA-256: 7b1b7b239f2d692d5f7f1bffa5626e8408f318b545cd2ae30f44483377a30f81)
  • zobXhz.js 1f47(SHA-256: ec030da1b7943840661e32d0cb7a59d822e400063cd17dc5afa302ab6a52)

 

 

 

Randy Treit, Holly Stewart, Jugal Parikh
Windows Defender Research
with special thanks to Allan Sepillo and Samuel Wakasugui

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families

This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story. 

Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to have come from North Korea. But how can we know with certainty? And what connection does a DDoS and disk-wiping attack from July 4, 2009, have with WannaCry, one of the largest cyberattacks in the history of the cyber sphere?  

From the Mydoom variant Brambul to the more recent Fallchill, WannaCry, and the targeting of cryptocurrency exchanges, we see a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor.

Bad actors have a tendency to unwittingly leave fingerprints on their attacks, allowing researchers to connect the dots between them. North Korean actors have left many of these clues in their wake and throughout the evolution of their malware arsenal.

This post reflects months of research; in it we will highlight our code analysis illustrating key similarities between samples attributed to the Democratic People’s Republic of Korea, a shared networking infrastructure, and other revealing data hidden within the binaries. Together these puzzle pieces show the connections between the many attacks attributed to North Korea and categorize different tools used by specific teams of their cyber army.

Valuable context 

This article is too short to dig deeply into the history, politics, and economic changes of recent years. Nonetheless, we must highlight some events to put past and present cyber events into perspective.

The DPRK, like any country, wants to be as self-sufficient and independent as possible. However, for products such as oil, food, and foreign currency for trading, the country lacks resources and has to find ways of acquiring them. What can a nation do when legal international economics are denied? To survive, it must gain foreign currency for trading. One of the oldest ways to do this is to join the worlds of gambling (casinos) and drugs. In 2005, the United States wanted to shut down North Korean enterprises involved in illegal operations. They investigated a couple of banks in Asia that seemed to have ties with North Korea and operated as money laundering sites. One bank in particular is controlled by a billionaire gambling mogul who started a casino in Pyongyang and has close ties to Pyongyang. That bank, based in Macau, came back into the picture during an attack on the SWIFT financial system of a bank in Vietnam in 2015. The Macau bank was listed twice in the malware’s code as a recipient of stolen funds:

Figure 1: SWIFT code in malware.

Code reuse

There are many reasons to reuse malware code, which is very common in the world of cybercrime. If we take an average ransomware campaign, for example, once the campaign becomes less successful, actors often change some of basics such as using a different packer to bypass defenses. With targeted campaigns, an adversary must keep its tools undetected for as long as possible. By identifying reused code, we gain valuable insights about the “ancestral relations” to known threat actors or other campaigns. Our research was heavily focused on this type of analysis.

In our years of investigating cyber threats, we have seen the DPRK conduct multiple cyber campaigns. In North Korea, hackers’ skills determine which cyber units they work for. We are aware two major focuses of DPRK campaigns: one to raise money, and one to pursue nationalist aims. The first workforce gathers money for the nation, even if that means committing cybercrime to hack into financial institutions, hijack gambling sessions, or sell pirated and cracked software. Unit 180 is responsible for illegally gaining foreign currency using hacking techniques. The second workforce operates larger campaigns motivated by nationalism, gathering intelligence from other nations, and in some cases disrupting rival states and military targets. Most of these actions are executed by Unit 121.

We focused in our research on the larger-scale nationalism-motivated campaigns, in which we discovered many overlaps in code reuse. We are highly confident that nation-state–sponsored groups were active in these efforts.

Timeline 

We created a timeline of most of the malware samples and noticeable campaigns that we examined. We used primarily open-source blogs and papers to build this timeline and used the malware artifacts as a starting point of our research.

 

Figure 2: Timeline of malware and campaigns.

Analysis and observations

Similarities

During our research, we found many malware family names that are believed to be associated with North Korea’s cyber operations. To better understand this threat actor and the similarities between the campaigns, we have used Intezer’s code similarity detection engine to plot the links between a vast number of these malware families.

The following graph presents a high-level overview of these relations. Each node represents a malware family or a hacking tool (“Brambul,” “Fallchill,” etc.) and each line presents a code similarity between two families. A thicker line correlates to a stronger similarity. In defining similarities, we take into account only unique code connections, and disregard common code or libraries. This definition holds both for this graph and our entire research.

 

Figure 3: Code similarities between North Korean–associated malware families.

We can easily see a significant amount of code similarities between almost every one of the attacks associated with North Korea. Our research included thousands of samples, mostly unclassified or uncategorized. This graph was plotted using a data set of only several hundred samples, so there might be more connections than displayed here. 

Deep technical analysis 

During our research, we came across many code similarities between North Korean binaries that had not been seen before. Some of these attacks and malware have not been linked to one another, at least publicly. We will showcase four examples of reused code that has been seen only in malware attributed to North Korea.

  1. Common SMB module

The first code example appeared in the server message block (SMB) module of WannaCry in 2017, Mydoom in 2009, Joanap, and DeltaAlfa. Further shared code across these families is an AES library from CodeProject. These attacks have been attributed to Lazarus; that means the group has reused code from at least 2009 to 2017.

Figure 4: Code overlap of a Mydoom sample.

In the next screenshots we highlight the exact code block that reflects the SMB module we found in campaigns other than WannaCry and Mydoom.

Figure 5: An SMB module common to several attacks.

A lot has been written about WannaCry. As we analyze the code against our databases, we can draw the following overview:

Figure 6: WannaCry code comparison overview.

For our research we compared the three major variants of WannaCry. An early release, called a beta, from February 2017, one from April, and the infamous one that hit the world in May.

  1. Common file mapping

The second example demonstrates code responsible for mapping a file and using the XOR key 0xDEADBEEF on the first four bytes of the file. This code has appeared in the malware families NavRAT and Gold Dragon, plus a certain DLL from the South Korean gambling hacking campaign. These three RATs are thought to be affiliated with North Korea’s Group 123. NavRAT and the gambling DLL share more code, making them closer variants.

Figure 7: Code overlap in a NavRAT sample.

Figure 8: File-mapping code 

  1. Unique net share

The third example, responsible for launching a cmd.exe with a net share, has been seen in 2009’s Brambul, also known as SierraBravo, as well as KorDllBot in 2011. These malware families are also attributed to the Lazarus group.

Figure 9: Code overlap of a SierraBravo (Brambul) sample.

Figure 10: A code block reused in the malware families Brambul/SierraBravo and KorDllBot.

  1. Operation Dark Hotel

In 2014, Kaspersky reported a more than seven-year campaign against Asian hotels, in which the adversaries used an arsenal of tools to break into the computers of hotel visitors. Zero days and control servers were used, along with the malware family Tapaoux, or DarkHotel, according to the report.

While we examined the DPRK samples, we noticed a hit with the Dark Hotel samples in our collections. By going through the code, we noticed several pieces of code overlap and reuse, for example, with samples from Operation Troy.

Figure 11: Code overlap in a Dark Hotel sample.

Identifying a group

By applying what we learned from our comparisons and code-block identifications, we uncovered possible new links between malware families and the groups using them.

With the different pieces of malware we have analyzed, we can illustrate the code reuse and sharing between the groups known to be affiliated with North Korea.

 

Figure 12: Groups and families linked by code reuse.

The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns.

The malware (NavRAT, gambling, and Gold Dragon) possibly created by Group 123 are connected to each other but are separate from those used by Lazarus. Although these are different units focusing on different areas, there seems to be a parallel structure in which they collaborate during certain campaigns.

MITRE ATT&CK

From our research of these malware samples, we can identify the following techniques used by the malware families:

When we zoom in on the Discovery category in the MITRE model, for example, we notice that the techniques are typical for first-stage dropper malware. The adversary drops these samples on victims’ machines and collects information on where they landed in the victims’ networks and which user/access rights they gained.

In 2018, we saw examples of campaigns in which attackers used PowerShell to download and execute these droppers. Once information has been sent to a control server, the adversary determines the next steps, which often include installing a remote access tool to enable lateral movement on the network and pursue the goals of the campaign.

Final words

Security vendors and researchers often use different names when speaking about the same malware, group, or attack. This habit makes it challenging to group all the malware and campaigns. By taking a scientific approach, such as looking for code reuse, we can categorize our findings. We believe our research will help the security community organize the current “mess” we face in relation to North Korean malware and campaigns.

We clearly saw a lot of code reuse over the many years of cyber campaigns we examined. This indicates the North Koreans have groups with different skills and tools that execute their focused parts of cyber operations while also working in parallel when large campaigns require a mix of skills and tools.

We found our months of research, data gathering, and analysis very satisfying. By combining our skills, data, and technology, we were able to draw connections and reveal links that we had not seen before. The cybersecurity industry would greatly benefit from more collaboration and sharing of information, and we hope that this effort between McAfee and Intezer will inspire the community to work together more often.

The authors thank Costin Raiu for providing them with samples they did not have in their collections.

Sources

Glenn Simpson, Gordon Fairclough, and Jay Solomon, “U.S. Probes Banks’ North Korea Ties.” Wall Street Journal, last updated September 8, 2005.

Christiaan Beek, “Attacks on SWIFT Banking system benefit from insider knowledge.” https://securingtomorrow.mcafee.com/mcafee-labs/attacks-swift-banking-system-benefit-insider-knowledge/

Atif Mushtaq, “DDOS Madness Continued…” https://www.fireeye.com/blog/threat-research/2009/07/ddos-madness-climax.html

Ryan Sherstobitoff and Jessica Saavedra-Morales, “Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems.” https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ 

Alex Drozhzhin, “Darkhotel: a spy campaign in luxury Asian hotels.” https://www.kaspersky.com/blog/darkhotel-apt/6613/ 

Warren Mercer, Paul Rascagneres, and Jungsoo An, “NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea.” https://blog.talosintelligence.com/2018/05/navrat.html 

Sergei Shevchenko and Adrian Nish, “Cyber Heist Attribution.https://baesystemsai.blogspot.com/2016/05/cyber-heist-attribution.html

Mydoom code reuse report. https://analyze.intezer.com/#/analyses/113ba80f-1680-43d7-b287-cc62f3740fad

NavRAT code reuse report. https://analyze.intezer.com/#/analyses/4f19fd5a-a898-4fdf-96c9-d3a4aad817cb

SierraBravo code reuse report. https://analyze.intezer.com/#/analyses/8da8104e-56e4-49fd-ba24-82978bc1610c

Dark Hotel code reuse report. https://analyze.intezer.com/#/analyses/c034e0fe-7825-4f6d-b092-7c5ee693aff4

Kang Jang-ho, “A foreign currency earned with a virtual currency … What is the life of a North Korean hacker?” http://m.mtn.co.kr/news/news_view.php?mmn_idx=2018062517065863930#_enliple

Awesome work by the team responsible for the “Operation Blockbuster” report. https://www.operationblockbuster.com/resources/

The post Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families appeared first on McAfee Blogs.

The security issues 3D printing should solve before going mainstream

It’s always fun when you can mix your personal hobbies and interests with your profession, and often the passion you carry for the things you love can lead to valuable and productive insights for your vocation as well. Let’s hope that theory proves true as this 20-year information security professional, and recent 3D printing enthusiast, considers the potential cybersecurity risks with additive manufacturing. If I threw you for a second there with my “fancy words,” … More

The post The security issues 3D printing should solve before going mainstream appeared first on Help Net Security.

Reviewing election cybersecurity in this week’s primary states

Since learning of Russia's attempts to hack into the elections systems of 21 states during the 2016 US presidential race, legislators have been on high alert. Cybersecurity experts have warned it's likely the Kremlin will attack again, and already it's been caught attempting to infiltrate legislators' computers and use phony social media accounts to influence the outcome of 2018 state primaries.

Four states are holding elections on Tuesday -- Kansas, Michigan, Missouri and Washington -- and some lawmakers are doing more than others to protect their systems against cyber attacks. Here's a breakdown of each state's approach to elections cybersecurity, as of August 2018:

Crypto Pump and Dumps Have Generated $825 Million in Activity This Year: WSJ

Price manipulation involving ‘pump and dump’ schemes are alive and well in the cryptocurrency market. According to new research by The Wall Street Journal, organized cryptocurrency groups have generated at least $825 million in trading activity over the past six months. Pump Groups Thrive in Nascent Crypto Market In a comprehensive review of trading data […]

The post Crypto Pump and Dumps Have Generated $825 Million in Activity This Year: WSJ appeared first on Hacked: Hacking Finance.

Protecting the modern workplace from a wide range of undesirable software

Security is a fundamental component of the trusted and productive Windows experience that we deliver to customers through modern platforms like Windows 10 and Windows 10 in S mode. As we build intelligent security technologies that protect the modern workplace, we aim to always ensure that customers have control over their devices and experiences.

To protect our customers from the latest threats, massive amounts of security signals and threat intelligence from the Microsoft Intelligent Security Graph are processed by security analysts and intelligent systems that identify malicious and other undesirable software. Our evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. This classification of threats is reflected in the protection delivered by the Windows Defender Advanced Threat Protection (Windows Defender ATP) unified endpoint security platform.

Malware: Malicious software and unwanted software

Among the big classifications of threats, customers may be most familiar with malicious software. Malicious software might steal personal information, lock devices until a ransom is paid, use devices to send spam, or download other malicious software. Examples of these types of threats are keyloggers and ransomware. Malware can get into devices through various infection vectors, including exploits, which completely undermine users choice and control of their devices. Windows Defender ATP’s next generation protections detect and block these malicious programs using local machine learning models, behavior-based detection, generics and heuristics, and cloud-based machine learning models and data analytics.

Some threats, on the other hand, are classified as unwanted software. These are applications that dont keep customers in control of devices through informed choices and accessible controls. Examples of unwanted behavior include modifying browsing experience without using supported browser extensibility models, using alarming and coercive messages to scare customers into buying premium versions of software, and not providing a clear and straightforward way to install, uninstall or disable applications. Like malicious software, unwanted software threats are malware.

Using a model that leverages predictive technologies, machine learning, applied science, and artificial intelligence powers Windows Defender ATP to detect and stop malware at first sight, as reflected in consistently high scores in independent antivirus tests.

Potentially unwanted applications

Some applications do not exhibit malicious behavior but can adversely impact the performance or use of devices. We classify these as potentially unwanted applications (PUA). For example, we noted the increased presence of legitimate cryptocurrency miners in enterprise environments. While some forms of cryptocurrency miners are not malicious, they may not be authorized in enterprise networks because they consume computing resources.

Unlike malicious software and unwanted software, potentially unwanted applications are not malware. Enterprise security administrators can use the PUA protection feature to block these potentially unwanted applications from downloading and installing on endpoints. PUA protection is enabled by default in Windows Defender ATP when managed through System Center Configuration Manager.

In March 2018, we started surfacing PUA protection definitions on VirusTotal. We have also updated our evaluation criteria page to describe the specific categories and descriptions of software that we classify as PUA. These are:

Browser advertising software: Software that displays advertisements or promotions or prompts the user to complete surveys for other products or services in software other than itself. This includes, for example, software that inserts advertisements in browser webpages.

Torrent software: Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.

Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.

Bundling software: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.

Marketing software: Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.

Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

Poor industry reputation: Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.

Customer protection is our top priority. Windows Defender Advanced Threat Protection (Windows Defender ATP) incorporates next-generation protection, attack surface reduction, endpoint detection and response, and automated investigation and remediation, and advanced hunting capabilities. We adjust, expand, and update our evaluation criteria based on customer feedback as well as new and emerging trends in the threat landscape. We encourage customers to help us identify new threats and other undesirable software by submitting programs that exhibit behaviors outlined in the evaluation criteria.

 

 

Michael Johnson

Windows Defender Research

 

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Cyber hygiene training is infrequent and inconsistent

Finn Partners Research released findings from its Cybersecurity at Work study that examined the level of cyber risk that employees pose to their organizations. The in-depth study, which surveyed 500 full-time office employees across the US, found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize. This security slip-up is significant due to the installation of malware on their devices and … More

The post Cyber hygiene training is infrequent and inconsistent appeared first on Help Net Security.

How to Manage App Security Amid Expanding Shadow IT

Information security is all about protecting data, so an effective cybersecurity policy has to include app security provisions that protect data generated on user endpoints. That’s easier said than done, however; after all, to secure applications, you have to know what applications your employees are using.

Employees rely on apps for almost every type of task, and they aren’t all using the same types of devices to access these apps. Thanks to the rise of bring-your-own-device (BYOD), the overall mobile workforce and, perhaps most significantly, the growing blur between professional and personal devices, it’s common to use apps and hardware that aren’t authorized by the IT department.

This unauthorized use is known as shadow IT, and it’s a nightmare for those in charge of security. You can’t protect what you don’t know — and endpoint users are unwittingly putting company data at risk every day.

Identifying App Security Perps

According to June 2018 research from Nintex, an intelligent process automation platform, almost two-thirds of employees find that they have broken IT processes within their company. As problems and concerns linger, employees have turned to shadow IT devices to address their own problems.

However, the most surprising finding in this survey may be that the worst culprit of shadow IT use is your own IT staff. That’s right: Sixty percent of the people who are charged to protect your company from rogue application use are those creating app security risks.

Resolving IT Issues

Perhaps because of its overall workload, IT departments are often slow respond to software and application problems. When issues remain unaddressed, employees take matters into their own hands: Forty percent of Nintex’s respondents said they have engaged in shadow IT as a “direct result” of outstanding IT problems.

The benefit of having a strong internal IT staff is that they are your front line for testing new technologies and apps. Unfortunately, technology proficiency doesn’t equal security proficiency, so as they introduce unauthorized devices and apps to the network, they may not immediately recognize the risks or vulnerabilities attached.

Nor is it always current employees that are a threat. One of the most commonly broken IT processes involves the information access of former employees, something that one in five survey respondents cited as an issue in their company. If those former employees engaged in shadow IT, they may still have corporate data stored on their devices or apps. Because they were using unsanctioned endpoints, neither IT nor leadership has any idea what might be out there, unprotected and at risk of becoming breached.

Why do network and application questions and concerns linger? Often, IT staff are the victims of a broken system. Their own bosses may be dropping the ball when it comes to accountability. We expect our IT staff to oversee any system problems because the “computer guys” are the company face of technology solutions.

However, these same computer guys may face obstacles the rest of the company doesn’t see — budget restraints, tasks unrelated to their formal job duties, understaffing and more. More accountability for unresolved IT issues needs to be directed by those in C-level positions, including more input from the chief information security officer (CISO) to better address app security and shadow IT threats. The CISO should be the voice of security reason within the company, including the dangers of using unauthorized software.

Protecting From Shadow IT

The use of unauthorized apps and devices opens an organization to any number of problems, from basic process efficiency to serious security threats. Unsanctioned devices and software can jam bandwidth, decreasing employee productivity. It can lead to data breaches or theft, which could cost millions of dollars in lost business or fines should an organization fail to satisfy the General Data Protection Regulation (GDPR) compliance from the European Union (EU) or other industry and government regulations. This can also result in the loss of certifications and licenses.

Addressing shadow IT and device security should start at the top. Leadership should take more responsibility for network security and provide IT the support it needs to respond more quickly to broken processes. The use of unsanctioned software and devices should be monitored by someone outside of IT — such as a C-level executive like the chief information officer (CIO) or CISO, security team or managed service provider — and IT should then be encouraged to set an example by endorsing and enforcing authorized device and app use. This way, the ownership of proprietary data security will trickle down and calcify into the entire organizational structure, rather than straining uphill toward success.

At the same time, IT deserves the leeway to introduce new technologies into the company through authorized policy. With that line between personal and business devices increasingly unclear, it is easy for shadow IT to sneak past the network checkpoints. But by not having a plan in place and not requiring quicker response times, shadow IT can end up causing a lot of damage.

The post How to Manage App Security Amid Expanding Shadow IT appeared first on Security Intelligence.

Cyberwarzone: An analysis on the Emotet Trojan and Mealybug [2018]

Mealybug, the group behind Emotet has changed their business model from maintaining the malware to distributer of the malware. This cybercrime as a service has obtained the interest of other threat actor groups. Mealybug is a threat actor group which surfaced in the year 2014. Characteristics Emotet Trojan The Emotet Trojan has the functionality to […]

Source



Cyberwarzone

Intensifying DDoS attacks: ​Choosing your defensive strategy

One of the biggest misconception regarding DDoS attacks is that they are a once-in-a-lifetime event for organizations, says Josh Shaul, VP of Web Security at Akamai. “Over the last six months, our State of the Internet Report found that companies suffered 41 DDoS attacks on average over the last six months,” he points out. The rise and rise of DDoS attacks As Arbor Networks CTO Darren Anstee recently pointed out, DDoS attacks have become a … More

The post Intensifying DDoS attacks: ​Choosing your defensive strategy appeared first on Help Net Security.

Employees who witness compliance violations twice as likely to leave company

Twenty-nine percent of employees observed at least one compliance violation at work in 2016 or 2017, according to a survey by Gartner. The survey, which sampled more than 5,000 employees at all levels, found that these workers are twice as likely to leave their organization. Fifty-nine percent of the sampled employees who observed a compliance violation were actively looking for a new job, compared with 29 percent who did not witness bad behavior. “While attrition … More

The post Employees who witness compliance violations twice as likely to leave company appeared first on Help Net Security.

Rise in email impersonation attacks makes companies re-assess their security efforts

Most companies believe they’ve experienced serious data breaches driven by email impersonation in the past 12 months – but are not doing nearly enough to prevent future impersonation attacks, according to a new study conducted by the Ponemon Institute. “With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO of Valimail. “While traditional approaches are good for filtering malicious … More

The post Rise in email impersonation attacks makes companies re-assess their security efforts appeared first on Help Net Security.

How the US Military Can Better Keep Hackers

Interesting commentary:

The military is an impossible place for hackers thanks to antiquated career management, forced time away from technical positions, lack of mission, non-technical mid- and senior-level leadership, and staggering pay gaps, among other issues.

It is possible the military needs a cyber corps in the future, but by accelerating promotions, offering graduate school to newly commissioned officers, easing limited lateral entry for exceptional private-sector talent, and shortening the private/public pay gap, the military can better accommodate its most technical members now.

The model the author uses is military doctors.

DNC-led Def Con event tests election websites against child hackers

At the Def Con hacker conference next week, the Democratic National Committee is co-sponsoring a contest that will pit child hackers against replicas of state government websites, Wired reports. Kids between the ages of eight and 16 will try to break into replicas of the websites secretaries of state use to post election results, and the one that devises the best defensive strategy will win $500 from the DNC. Another $2,000 will be awarded to whoever can penetrate a site's defenses. The University of Chicago and a non-profit called r00tz Asylum that offers cybersecurity lessons for children are also sponsoring the event.

Source: Wired

Attending Black Hat USA 2018? Here’s what to expect from Microsoft.

Black Hat USA 2018 brings together professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. This is an exciting time as our Microsoft researchers, partners, and security experts will showcase the latest collaborations in defense strategies for cybersecurity, highlight solutions for security vulnerabilities in applications, and bring together an ecosystem of intelligent security solutions. Our objective is to arm business, government, and consumers with deeply integrated intelligence and threat protection capabilities across platforms and products.

Security researchers play an essential role in Microsofts security strategy and are key to community-based defense. To show our appreciation for their hard work and partnership, each year at Black Hat USA, the Microsoft Security Response Center (MSRC) highlights the contributions of these researchers through the list of Top 100 security researchers reporting to Microsoft (either directly or through a third party) during the previous 12 months. While one criterion for the ranking is volume of fixed reports a researcher has made, the severity and impact of the reports is very important to the ranking also. Given the number of individuals reporting to Microsoft, anyone ranked among the Top 100 is among some of the top talent in the industry.

In addition to unveiling the Top 100 and showcasing Microsoft security solutions at Booth #652, there are a number of featured Microsoft speakers and sessions:

Join us at these sessions during the week of August 4-9, 2018 in Las Vegas and continue the discussion with us in Booth #652, where we will have product demonstrations, theatre presentations, and an opportunity to learn more about our Top 100 and meet with some of Microsofts security experts and partners.

Protect your data in files, apps, and devices

Image of four hands collaborating over a drawing of a lightbulb.

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Enable your users to work securely from anywhere, anytime, across all of their devices.

Most companies focus their security solutions around users, devices, and apps, but often overlook the data that they are trying to protect. In this blog, we dig into some of the most challenging data protection scenarios our customers encounter.

How can I make sure company data is safe when employees use their own devices for work?

To help ensure your organizations data is safe on employee-owned devices, Microsoft 365 security solutions give you control and protection throughout the data lifecycle. With interoperating solutions for identity and access management, endpoint protection, information protection, and mobile device management (MDM), Microsoft 365 helps you protect your data against the complicated risks of a mobile landscape.

To build a comprehensive strategy for information protection, start by managing employee identities with Azure Active Directory (Azure AD). Azure AD gives you visibility and control over user identities, allowing you to manage what users can access. It allows your users the ability to securely sign in to business apps and access appropriate company data on their own devices.

Your employees use mobile devices for both personal and work tasks throughout the day, moving quickly among apps and files and potentially mixing up work and personal data. You want to make sure users can be productive while you prevent data loss. You also want to have the ability to protect company data even when accessed from devices that arent managed by you.

You can use Microsoft Intune app protection policies (Figure 1) to help protect your companys data. Because Intune app protection policies can be used independent of any MDM solution, you can use it to protect your companys data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department. These policies enable you to provide parameters for how your users interact with or use data in their Intune-managed apps, for example by restricting copy-and-paste and save-as functions.

Figure 1. Intune App Protection policies allow you to restrict access to company resources.

Conditional access in Azure AD (Figure 2) lets you assign conditions that must be met in order for users to gain access. By setting conditional access policies, you can apply the right access controls under the required conditions. Configure conditional access policies to address risks based on user sign-in, network location, unmanaged devices, and client applications.

Figure 2. Conditional access lets you assign conditions that must be met in order for users to gain access.

Protect against accidental data leaks by using Windows Information Protection (WIP) to help secure business data when it leaves your employees’ devices. WIP can be configured through Intune and it allows you to restrict copy-and-paste functions, prevent unauthorized apps from accessing business data, and discriminate between corporate and personal data on the device so it can be wiped if necessary.

How can I make it easier for employees to meet my companys strict compliance requirements for data access and sharing?

Classify and protect documents and emails by applying labels with Azure Information Protection. Labels can be applied automatically by administrators who define rules and conditions manually by users, or by a combination where users are given recommendations. The classification is identifiable regardless of where the data is stored or with whom its shared. For example, you can configure a report document so that it can be accessed only by people in your organization, and control whether that document can be edited, or restricted to read-only, or prevent it from being printed. You can configure emails similarly, and also prevent them from being forwarded or prevent the use of the Reply All option.

How can I protect data when an employee loses their device?

If your employees use their own devices to access or store company information, you can remotely wipe data from managed business apps, like Word and SharePoint, with Intune. Company-owned devices can be managed through Intune MDM, giving you the flexibility to wipe an entire device (factory reset) or just wipe company data.

Deployment tips from our experts

Now that you know more about how Microsoft 365 security solutions can protect your data, here are three proven tips to put it all into action.

Keep your identities safe. Manage employee identities with Azure AD for visibility over user identities and control over what users can access. Configure conditional access policies to apply the right access controls to address access risks.

Manage the devices in your environment with Intune. Enable Intune to be your mobile management strategy to manage the apps that employees use to do business. You can control the apps employees can access, and you can wipe a device when someone leaves the company.

Keep your company data safe. Restrict access to company resources using Intune app protection policies to help protect your companys data. Deploy Azure Information Protection and set up your data classification, labels, and automatic policies to control access by labeling, classifying, and encrypting documents according to their level of security. Then use WIP to protect against accidental data leaks.

Plan for success with FastTrack. This valuable service comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Protect your data in files, apps, and devices, within and across organizations coming soon!

More blog posts from this series:

How to Maximize Your Cybersecurity Investment

One of the most interesting conversation starters for a consultant is when a client tells you, “We want to be as secure as a bank.” Assuming the organization isn’t in the business of providing financial services, a good consultant will always reply with, “Why?”

It sounds reasonable to aim for bank-level security, right? We know that banks secure a lot of personal and financial information, and they typically develop increasingly sophisticated ways to manage cybersecurity investment and risks.

But here’s the rub: Most organizations will struggle to justify the same level of security spending as a banking institution.

Develop Your Cybersecurity Road Map

Security practitioners use a variety of tools to assess the current and target states of an organization’s cybersecurity position. Often, we use risk as a starting point: What’s your current risk — and what residual risk is your organization prepared to accept? The difference between these two states will drive your cybersecurity road map.

Other times, we assess capability: How well-developed and consistent are your cybersecurity practices, and how well do they enable the security outcomes your organization expects? Look at the intersection of business goals, technical constraints and availability of resources.

Maturity assessments help you understand your company’s gaps in these areas. Sometimes, it can reveal cybersecurity investment in capacities that don’t support business goals — so it’s better to redirect these resources to initiatives that will have a more significant impact on risk mitigation.

Whichever method you use, one of the outcomes will be to develop a business case for your security road map. A major challenge for organizations is to think of cybersecurity in a strategic rather than reactive manner.

This adjustment can be tackled by asking the following questions:

  • How do you formulate a target cybersecurity state for your organization?
  • How can the case for change be developed cost-effectively?
  • Which business benefits justify the cost?

Once you know the answers to these questions, you’ll begin to understand where your organization’s priorities lie, which will help guide your investment decisions.

Use Industry Benchmarking Wisely

Industry benchmarks are reasonable starting points to define your cybersecurity target state, but you should always take them with a grain of salt. A business case for cybersecurity investment that amounts to “because everyone else does it” is not a valuable or actionable directive. That said, benchmarks can help identify potential security gaps in your organization. Use them to initiate security conversations with management, but always consider your organization’s unique business needs and objectives.

To understand the potential difficulties of benchmarking, consider two retail outlets: One that runs a standalone e-commerce shop, and a traditional brick-and-mortar shop with a cursory web presence for contact information. Even if these businesses are in the same industry, their cybersecurity needs are very different.

The e-commerce retailer has to meet electronic payment compliance requirements and poses a much more attractive target to hackers, requiring a more substantial investment in network security. Meanwhile, the brick-and-mortar shop should consider heavier investments in physical security — such as loss prevention associates — at each location. In that regard, an industry benchmark centered primarily around online businesses wouldn’t make sense for a traditional shop and vice versa.

Identify Risks With Heat Maps

If you can’t rely on benchmarks, how can your organization identify the security areas it needs to improve? Threat risk assessment offers a risk-based methodology that helps you understand the risk profile of your critical assets. By generating risk heat maps, you can model the level and types of security controls to meet your level of acceptable risk best.

A heat map will provide a picture of where your greatest cybersecurity risks are. With a standards-based threat- and risk-modeling approach, you can pinpoint the business assets that will benefit most from your cybersecurity investment — and those that won’t.

The advantages are twofold: You can show leadership the impact of not addressing cybersecurity risks, and you can provide a justification for cybersecurity investment.

In particular, there are several business objectives that cybersecurity controls should always support, depending on the organization:

  • Avoid fines for data breaches.
  • Don’t cause an essential service outage to the surrounding region.
  • Ensure life support systems are always available.
  • Protect product formulas or recipes.
  • Protect your organization’s brand.

Whether you start with a capability assessment or a threat-risk assessment, your organization will eventually have to address both risk and capability, since they’re different dimensions of your cybersecurity posture.

If you’re struggling to understand what your cybersecurity target state should be, go back to basics. Look at what you need to secure, and why. Talk to business owners and technology leads in your organization about what you need to protect, and the result will be much more meaningful.

For most organizations, trying to be as secure as a bank makes no sense. Instead, you’ll get more out of your cybersecurity investment and more support for change by aligning your road map to your organization’s business needs — and that means protecting your critical assets, monitoring your threats and keeping track of changes to your risk profile.

Listen to the podcast series: A CISO’s Guide to Obtaining Budget

The post How to Maximize Your Cybersecurity Investment appeared first on Security Intelligence.

Industrial cybersecurity: Protecting OT from IT

A powerful technique for protecting OT from IT, or to enforce whatever separation is required to ensure the integrity of industrial control infrastructure, involves controlling the direction of traffic into or out of an ICS enclave. At first glance, it might seem counterintuitive to restrict bidirectional traffic between OT devices and management systems, but closer inspection reveals that across IT/OT interfaces, almost all data flows are from OT to IT systems, and hardware unidirectional flow … More

The post Industrial cybersecurity: Protecting OT from IT appeared first on Help Net Security.

Do your users understand your cybersecurity policy?

ObserveIT surveyed more than 1,000 full-time employees ages 18-65+ at organizations with more than 500 employees on their understanding and awareness of cybersecurity programs. The results show the majority (65 percent) of respondents reported they understand the definition of an insider threat. Cause of insider threats The data indicates 64 percent of respondents agree careless employees or contractors are the most common cause of insider threats. This directly correlates with recent data from the Ponemon … More

The post Do your users understand your cybersecurity policy? appeared first on Help Net Security.

10m customers affected by Dixons Carphone hacking

When Dixons Carphone approached the UK Information Commissioner’s Office to report a suspected data breach in June, it was believed that around 1.2 million customers were affected. But with the assistance of the National Cyber Security Centre, investigations have revealed the incident to be ten times worse than thought.

Extensive forensic analysis has found that more than 10 million customer accounts have been compromised. Hackers appear to have accessed a vast amount of personal data including names, postal and delivery addresses and email addresses.

No sign of fraud. Yet.

When speaking to the press, Dixons Carphone management has been keen to stress that there is no sign of sensitive financial data like credit details being stolen. They also point out that there have not been any reports of fraud associated with the hacking as yet.

But with so many customer records having been exposed, there is always a risk that they will be used for fraudulent purposes at some point in the future. It is also important to note that although criminals would prefer to steal credit card details, they can still begin the process of identity theft using names and address data.

The actual hacking took place last year, so it seems unlikely that the criminals plan to use the data they accessed.

100,000 shoppers at risk

Dixons Carphone has also been keen to downplay another aspect of the ongoing data security investigation. A second, possibly unrelated, breach of the corporate payment processing system resulted in more than 5.9 million payment card details being stolen.

Analysis of the breach reveals that the vast majority (5.8m) of the exposed cards are protected by Chip and PIN technologies, making them virtually impossible to clone. A further 105,000 older cards are not as well protected and may still be used fraudulently.

There is also no sign that these card details were successfully exported from the Dixons Carphone systems – just that they have been accessed illegally by an unknown third party.

Will there be a massive GDPR fine?

The General Data Protection Regulation recently came into force, specifying potentially huge fines for any business that fails to properly protect personal information. If the breach is sufficiently extreme, these fines could reach €20m or more.

Because these incidents took place before GDPR came into force, Dixons Carphone are facing a maximum fine of £500,000. Still a significant penalty, but nowhere near as devastating.

I’m a Dixons Carphone customer – am I safe?

Dixons Carphone has made it quite clear that the security failings which led to the breach have now been addressed. They have also added new security measures to further strengthen their defences against future attack.

Will they fall victim to hackers again? It’s hard to know for sure. The embarrassment caused by this incident will help to ensure that Dixons Carphone treat customer data with greater care in future however.

Why not check your own PC security defences now? Download a free trial of Panda Dome to keep the hackers away from your personal data.

Download Panda Mobile Security

The post 10m customers affected by Dixons Carphone hacking appeared first on Panda Security Mediacenter.

Three men arrested for stealing over 15 million payment cards

US officials announced today that three alleged leaders of the cybercrime group known alternatively as Fin7, Carbanak and the Navigator Group have been arrested in Germany, Poland and Spain and charged with 26 felony counts. The charges include conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. The Department of Justice alleges that Fin7 members have targeted more than 100 US companies, hacked thousands of computer systems and stolen 15 million credit and debit card numbers. The group is said to have breached networks in 47 states and Washington, DC and hacked 6,500 point-of-sale terminals at over 3,600 business locations.

Source: Department of Justice

Top 10 list of dark web activities that indicate a breach

Research analysts at Terbium Labs released a list of the most common activities seen on the dark web that indicate a breach, or other unwanted incident, has taken place. Despite increased security budgets and better defenses, organizations are losing the battle against cyber attacks. According to the 2018 Cost of Data Breach Study: Global Overview by Ponemon Institute and IBM Security, data breaches continue to be costlier and result in more consumer records being lost … More

The post Top 10 list of dark web activities that indicate a breach appeared first on Help Net Security.

Three security trends to watch for at Black Hat USA 2018

Thus far in 2018, organizations and individuals worldwide have experienced a large number of high profile cyber attacks, with criminals stealing billions of dollars as well as personal information from hundreds of millions of people. Black Hat USA, an annual cybersecurity conference taking place in August, is a great opportunity for practitioners to get a glimpse into both emerging attack vectors and the latest technologies designed to protect against these attacks. As a cybersecurity investor … More

The post Three security trends to watch for at Black Hat USA 2018 appeared first on Help Net Security.

Digital trust: Security pros, business execs and consumers see it differently

An extensive global survey of consumers, cybersecurity professionals and business executives about their views on digital trust conducted by analyst firm Frost & Sullivan, highlights how consumers perceive and trust organizations to protect their digital data. It also includes data about how business leaders and cybersecurity professionals at organizations view their responsibilities of data stewardship, the licensing of consumer data to third parties and the technologies they are implementing to protect data and customer privacy. … More

The post Digital trust: Security pros, business execs and consumers see it differently appeared first on Help Net Security.

Insights into consumer attitudes to biometric payments

Biometric payments are poised for significant growth, but substantial consumer security concerns could put its future at risk according to a new report from Transaction Network Services (TNS). 18 to 24 year olds willing to make a biometric payment in the future using the different biometric identifiers given The report reveals that 15% of adults have made a biometric payment in the last year, including a quarter of 18 to 24 year olds. Mark Collins, … More

The post Insights into consumer attitudes to biometric payments appeared first on Help Net Security.

How Self-Assessment Can Help You Avoid a Data Breach

Each new data breach that makes headlines causes companies to grow more and more concerned about cybersecurity. In response, businesses are upping their investments in cybersecurity with the hopes of shielding their systems from cybercriminals, protecting their data and keeping their names out of the news.

The Challenge of Cybersecurity

For many organizations, this effort starts with security assessments that involve rationalizing current security investments and prioritizing new investments to secure their businesses. Companies today invest considerable resources in many different security solutions, but often struggle to have a clear idea of what would constitute their ideal security approach. Chief information security officers (CISOs) may be left wondering which areas to prioritize and how their cybersecurity measures compare to those of their peers.

And it’s hard to blame them. CISOs must secure modern enterprise networks and multi-cloud-based infrastructures, protect against targeted threats aimed toward mobile devices and endpoints, guard critical business data and more — all while ensuring employees and end users can access the applications and services they need to run their businesses securely and efficiently. With over 500 cybersecurity vendors out there, the landscape of solutions is complex and often noisy.

Stakes Are High for CISOs

What happens if CISOs don’t get it right? Wasted resources represent the best-case scenario: CISOs may overinvest in some areas of cybersecurity (often indicated by too many tools and insufficient skill) while leaving their blind spots vulnerable. At worst, the company’s name ends up in the next breach headline. Substantial financial penalties can follow: The global average cost of a data breach is a staggering $3.86 million.

So, the stakes are high. Not only will a breach compromise a company’s brand and reputation, but it can jeopardize its viability as well.

Accurate Self-Assessment Is Key

But there is some good news: There are resources available to help CISOs assess the maturity of their cybersecurity posture so they can get a better picture of where they stand and where to focus.

One such assessment tool, designed by IBM and underpinned by in-depth client engagements, helps companies assess their own readiness for a digital transformation. A user can complete the free assessment in about 15 minutes, and then use the findings to identify their strengths and weaknesses across 10 essential security dimensions, benchmark their results against industry peers and get helpful information tailored to the areas in which they have the highest need for improvement. The industry peer benchmark lets CISOs know exactly how they stack up against their peers.

With a clearer idea of how their overall security systems are performing relative to their industries, companies can avoid a data breach, allowing them to steer through the complexity and noise — and focus on making the headlines with good news. Try this self-assessment and take advantage of the available insights from the in-depth IBM Security client engagements worldwide.

Complete the self-assessment now

The post How Self-Assessment Can Help You Avoid a Data Breach appeared first on Security Intelligence.

Android and Apple users affected by a Bluetooth vulnerability

Few days ago The United States Computer Emergency Readiness Team (US-CERT) issued a statement informing the masses about a Bluetooth vulnerability. The fault has been seen on equipment using Qualcomm and Intel chipsets, and Broadcom devices, meaning that almost every Android and Apple user in the world could have become a victim of cybercrime. The vulnerability affects Bluetooth firmware and operating system software drivers, and it allows remote attackers to exploit it to obtain sensitive information.

Attackers within Bluetooth range of two connected devices have been able to utilize a man-in-the-middle network position allowing them to log all information exchanged between the connected devices. The vulnerability lets hackers decrypt, monitor, and even interfere with the traffic sent between the two devices. Millions of devices have been susceptible to being penetrated. A missing validation in the encryption method used in Bluetooth is named as the main reason for the vulnerability – hackers have been able to obtain the keys required to unmask information that is supposed to be encrypted.

Luckily, obtaining the keys is not possible 100% of the time, and even if the OS of one of the connected smart devices is fully up-to-date, hackers are not able to interfere with the connection. In a statement, Bluetooth SIG highlighted that for an attack to be effective, the hacker would not only need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure, but the hacker would also need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. Not a relatively easy task!

All affected vendors have issued patches to address the vulnerability. If you’ve been delaying the software update on your phone or a tablet, now is the perfect time to charge up your smart devices and leave them to perform the updates.

We remind you that Bluetooth exploits are not something unseen and such exploits could be used against you. The best way to avoid becoming a victim of cybercrime is to have quality antivirus software installed on all your smart devices, and to make sure all your devices are running the latest versions of their operations systems. Lastly, turn off your Bluetooth when you are not using it – you will decrease the chances of getting hacked, and you will increase your device battery life.

The post Android and Apple users affected by a Bluetooth vulnerability appeared first on Panda Security Mediacenter.

Achieving compliance: GDPR, CCPA and beyond

AB 375, or the California Consumer Privacy Act (CCPA) of 2018, was signed into law by California Governor, Jerry Brownon, on June 28, 2018 and is recognized as one of the toughest privacy laws in the U.S. The statute requires companies to disclose to California residents what information is being collected on them and how it will be used. Companies have 18-months to prepare for this new law to go into effect; it’s set to … More

The post Achieving compliance: GDPR, CCPA and beyond appeared first on Help Net Security.

How Microsoft 365 Security integrates with your broader IT ecosystem—part 2

Todays post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

In part 1 of our blog series, we shared the Microsoft 365 Security strategy for integrating with the broader security community. Today, we cover the services Microsoft 365 Security offers customers to protect assets beyond the Microsoft ecosystem. These are only some examples among a broad and rich set of capabilities helping customers leveraging tools beyond Microsofts services.

Securing the cloud application ecosystem

Microsoft Cloud App Security is Microsofts Cloud Access Security Broker (CASB), which has been fully integrated with Microsoft 365 Security services since Microsofts acquisition of Adallom. Cloud App Security gives visibility into cloud apps and services, provides sophisticated analytics to identify and mitigate cyberthreats, and enables control over how data travels. The service integrates with Azure Active Directory and Azure Information Protection to enrich insights, strengthen security, and automate security operations.

Cloud App Security is designed to:

  • Discover Shadow IT and assess associated risks.
  • Protect data assets when they travel outside of your organization.
  • Provide real-time monitoring and control of user sessions.
  • Detect threats and anomalies.
  • Provide configuration of remediation actions.

Cloud App Security is available for over 16,000 cloud apps and leverages more than 70 parametersincluding regulatory certifications, industry standards, and best practicesto assign a risk score to each app.

Figure 1. Cloud App Security dashboard.

Protecting the worlds endpoints

Windows Defender Advanced Threat Protection (ATP) is Microsofts unified endpoint security platform protecting endpoints from cyberthreats.

Windows Defender ATP is built-in and cloud-powered to:

  • Eliminate risky or unnecessary surface areas.
  • Restrict dangerous code from running.
  • Protect against file-based and file-less malware.
  • Detect and respond to advanced attacks.
  • Automatically investigate alerts and remediate complex threats in minutes.
  • Gain real-time visibility and identify ways to improve your security posture.
  • Empower SecOps to actively hunt for evasive breach activity.

Many customers want to benefit from the advanced security offered by Windows Defender ATP while having the flexibility to use various operating systems. In fact, many organizations today encourage employees to bring their own devicesproviding individuals freedom of choice, but also increasing complexity for IT. Through several partnerships and cross-platform integrations (Figure 2), Windows Defender ATP reduces the complexity of securing these endpoints, providing a single pane of glass for endpoint security visibility across the entire install base.

Figure 2. Windows Defender ATP industry partners.

These partnerships enable Windows Defender ATP to protect, detect, and respond to security threats on macOS, Linux, iOS, and Android devices.

Share encrypted email with anyone on any device

Data protection is fundamental for all organizations. Email encryption is one of the most basic, yet powerful capabilities employed to protect data.

Office 365 Message Encryption comes standard in Office 365 E3 and E5 licenses enabling organizations to:

  • Protect sensitive data.
  • Control data through automatic polices or ad-hoc end user controls in Outlook (desktop and web).
  • Help meet compliance obligations for sensitive data.

For organizations that collaborate on sensitive emails with customers using consumer email services such as Gmail (Figure 3) or Yahoo, users can sign in using their Gmail or Yahoo identities, and open and read messages (including email attachments) encrypted with Office 365 Message Encryption. Once signed in, recipients can use the Office 365 Message Encryption web portal to read and collaborate on encrypted emails.

Figure 3. Office 365 encrypted email opened by a Gmail user.

The experience is completely seamless for Office 365 users, who can view and collaborate on encrypted messages in their Outlook client on any endpoint including desktop, Mac, web, iOS, or Android (Figure 4). For users not using Outlook for mobile, admins can enable other Exchange ActiveSync (EAS) mobile email clients, like the native Mail app on iOS, to receive and respond to encrypted emails.

Figure 4. Office 365 Message Encryption experience in the Outlook mobile.

Digging deeper

These are only a few examples of Microsoft 365 Security services extending protection beyond the Microsoft ecosystem. You will be surprised to see the number of security offerings designed to help protect your organization, no matter which IT solutions you have in place. To get started with envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance form.

In part 3 of our series, we will highlight real-world examples of Microsoft 365 Security protecting an organizations extended IT environment. Meanwhile, learn more about the depth and breadth ofMicrosoft 365 Securityand start trials of our advanced solutions, which include:

Phishing, Part 1: On the Lookout

Cybersecurity has gone mainstream, thanks in part to the hacking of the 2016 Presidential election. But how many of us know how the attackers in this case actually achieved their ends? The truth is, that one of the oldest, but most effective weapons in the cybercriminal’s arsenal, undoubtedly used in those attacks, is a threat still facing all of us today: phishing.

Phishing can be the first stage in a sophisticated information-stealing attack on a large organization. But the same techniques are used by cybercriminals the world over to steal your personal information for ID theft and to spread dangerous malware. With this in mind, Trend Micro has put together a handy two-part guide giving you the lowdown on phishing attacks—what they’re designed to do, what they look like, and how you can avoid getting caught by the hoax.

Why do cybercriminals phish?

Phishing is fundamentally a confidence trick. It’s an attempt by hackers to get their hands on your online log-ins, your financial information, or other sensitive details they can use to impersonate you for monetary gain. They do this by persuading you they’re someone else—typically a familiar organization you work with. They might want to steal your bank log-ins, your Apple ID, even your Uber account credentials. ID theft is particularly dangerous, since it can open up a world of credit or purchases for them. Or they might try to trick you into downloading ransomware, crypto-mining software, banking Trojans, adware or even info-stealing malware, to help them generate profits. Phishing represents a potential cornucopia for them, of ill-gotten gain.

How do they phish?

The bad guys have a wealth of techniques at their disposal, but they mostly boil down to one thing: social engineering. Fundamentally, this is the art of persuasion. As mentioned, it could mean spoofing an email to appear as if it came from your bank, asking you to update your details with them. Or perhaps it’s a ‘security alert’ that appears to have been sent by Apple or Microsoft. Or maybe it’s a required software update from Adobe, typically around Adobe Flash. Or it might even be a too-good-to-miss offer or piece of outrageous gossip to click on social media.

It’s all about getting you to click on that malicious link, open that malware-laden attachment, or submit your log-ins and personal details. Sometimes you’re taken to a separate website to submit those details, also spoofed to appear legitimate. The idea is to first target the user, rather than attack the machine directly. That being the case, if you improve your awareness of the characteristics of phishing, you can minimize the effectiveness of the phishers.

Phishing types

Here a few common generic phishing attacks:

  • Email: This is still the primary channel for phishing. More than 85 percent of the online threats Trend Micro blocked last year were emails such as those containing malicious content. But users must also beware of scammers using IM (instant messaging), or SMS (the short message service) on their mobile phones.
  • Social media: This is an increasingly popular channel for phishing, as users tend to be more trusting of posts and messages sent by their ‘friends’. Phishers know this and can hack your friends accounts to increase their chances of success. Malicious URLs can be found in Facebook Live comments, Twitter DMs and LinkedIn InMail. Fake promotions and competitions are also rife on social media, as are messages designed to trick you into clicking on some ‘unbelievable’ content.
  • Gaming: Attackers may look to send you a message spoofed to appear as if sent from an online gaming provider. They often contain extra inducement to click through or provide details, such as by offering a prize or bonus points. Stolen account details are then sold on the black market.
  • Tech support: These warning emails are spoofed to come from popular online providers like PayPal, Amazon, eBay, Microsoft, etc. They typically claim to have spotted ‘unusual activity’ on your account and want you to provide more details or to click on a link to sort it out. You might even get an unsolicited email or phone call claiming there’s something wrong with your computer and urging you to pay for tech support to resolve the issue. Sometimes these scammers end up installing remote access software and malware on your machine in the process of ‘cleaning it’.

The scammers are getting smarter

The bad news is that the phishers are refining their tactics all the time. Mobile phishing attacks are increasingly popular as users tend to be distracted and therefore more likely to click through in malicious SMS messages. Phishers are also increasingly likely to use popular events in the news to trick you into clicking, as with a major data breach like Yahoo or Uber, which you may have been caught up in.

Another tactic designed to increase the chances of phishing success is to use to spoof the domains of legitimate sites by using internationalized domain name text. Then too, you need to beware of new “angler” attacks, which typically involve the creation of fake social media profiles resembling brands’ support accounts. Criminals will search for users contacting those companies and hijack the conversation with phishing links.

So what can you do to protect yourself from phishing attacks?

Stay tuned for Phishing, Part 2: Staying Safe, where we’ll brief you on ways to stay safe from phishing attacks.

The post Phishing, Part 1: On the Lookout appeared first on .

CEO guidance: Handling dynamic change in the cybersecurity industry

In a little over 18 months since SonicWall split from Dell, the company has become operationally and financially independent. “In fact, while achieving independence, we are thriving, surpassing financial objectives for six straight quarters as of Q1 2018,” the company’s CEO Bill Conner proudly states. “Looking back, I’ve been fortunate to have seen the ‘ins’ and ‘outs’ of various departments within service providers, software and security companies. These experiences and opportunities have enabled me to … More

The post CEO guidance: Handling dynamic change in the cybersecurity industry appeared first on Help Net Security.

Six best practices to follow in access control

Finding the right access control for your organization is best done in stages. In this way, you’ll be able to foresee costs and activities that you must tackle both on short-term and long-term basis, and keep your staff and business assets consistently safe. Access control best practices include activities where you need to pay attention to how much you will spend upfront for which product, who will be your preferred vendor, how will you set … More

The post Six best practices to follow in access control appeared first on Help Net Security.

Building a sound security strategy for an energy sector company

As more and more attacks against companies working in the energy sector become public, it is becoming increasingly clear that those systems are far from impermeable. And it’s not just state-sponsored attackers that are looking for a way in: opportunistic cyber crooks wielding crypto-miners and ransomware don’t care where the target computer is located or what systems they will disrupt. It’s no wonder, then, that 70 percent of energy security professionals are concerned that a … More

The post Building a sound security strategy for an energy sector company appeared first on Help Net Security.

How rogue data puts organisations at risk of GDPR noncompliance

The GDPR compliance deadline came in by force on 25th May 2018 and applies to all organisations processing and holding the personal information of data subjects. This includes contacts such as customers, partners and patients. Much has been written about the immense efforts of organisations to improve their data privacy procedures in order to comply with GDPR, but there is a largely undiscussed oversight lurking just under the surface which, if left unaddressed, still leaves … More

The post How rogue data puts organisations at risk of GDPR noncompliance appeared first on Help Net Security.

Risks grow, yet security is still an afterthought in many IoT strategies

Trend Micro released survey findings that show businesses are most concerned about losing customer trust in the event of an Internet of Things related cyber attack, however they remain unprepared. The survey, which was issued to 1,150 IT and security decision makers across the globe, indicates major discrepancy between the investment in IoT systems and security to protect them. As the growing number of connected devices opens businesses up to additional cyber threats, close to … More

The post Risks grow, yet security is still an afterthought in many IoT strategies appeared first on Help Net Security.

A Quick-Start Introduction to Database Security: An Operational Approach

The recent SingHealth data breach incident exposed 1.5 million patients’ records. In the aftermath, the Cyber Security Agency of Singapore published a set of security measures aimed at improving the protection of Personally Identifiable Information (PII) data.

The recommended security measures covered several facets of IT security domains:

  • Data governance and data management lifecycle
  • Identity access management around user rights review
  • Tightened controls around least privileged access and execution rights
  • Up-to-date software patching practices
  • Encryption of key sensitive data
  • Monitoring of all data access and timely detection of “suspicious database queries”

Adherence to these best practices often requires a carefully thought out, long-term security strategy and operational risk management plan. This involves human process orchestration, multiple security controls and, most importantly, support from senior management members of the organization.

There’s no silver bullet process or single solution that solves all of the above points. The adoption of these best practices usually involves several security detection/correction/deterrent/prevention controls such as two-factor authentication, strict enforcement of access control lists, regular user rights review, DLP implementation, data encryption, privileged access management, centralized log monitoring and regular data access review.

In this article, we’ll focus on database security, which can be daunting for some security teams, mainly due to lack of technical familiarity and database system performance concerns. This topic is relevant for any industry vertical faced with operational risks around database servers.

We’ll briefly discuss an overview of the challenges and possible approaches we could adopt to better deal with the operational risks surrounding data security. Some of the opinions are collections of challenges gathered from clients that I have worked with across Southeast-Asia (ASEAN) over the last few years.

Data is often stored in data warehouses, database servers (RDBMS) and file servers. For simplicity sake, we refer to the above-mentioned storage mediums as “databases” in this article.

Haven’t security folks been implementing these best-practices and guidelines all along?

Over the years, in order to implement technical controls that satisfy the above guidelines and more, organizations spent significant resources in beefing up their next-gen firewalls/IPS, unified threat management systems, identity access management software, application access management software, data leakage prevention (DLP) technologies, SIEM, etc.

If we take a step back to look at these security investments, the end-game objective is crystal clear. The sole purpose is to protect the organization’s “crown jewel” – i.e. critical data. Data is deemed the organization’s crown jewel because it is a critical asset which the business requires to function properly and remain profitable.

Despite the straightforward end-game objective, the irony is that databases are often neglected, not adequately protected and data access activities are not thoroughly reviewed. The reason is not due to the lack of due diligence, negligence nor laziness. Rather, the underlying reasons are often due to manpower and skill set issues.

Below list is some of the common hurdles that I have come to understand from security teams across Southeast-Asia while working with them on the domain of database security:

  • How do we determine which SQL query is considered “suspicious”? There are a few thousand lines of SQL queries in our weekly CSV log report and they all look the same to me.
  • We have this user who directly accessed data on the database server which shouldn’t happen as his user ID doesn’t even exist on that server. I spent 3 days going in circles with this investigation and I was later told by the DBA that there is a database link established between the primary node and that secondary node. This explained the behavior that we saw. We wasted 3 days on this and we thought to ourselves, “If only my Oracle DB knowledge was better, this would have been accelerated.”
  • My database administrators do not allow us to enable native auditing on all our database servers due to performance impact concerning CPU, disk I/O and storage capacity. They only allow us to natively log all login/logout attempts and activities with SQL exceptions. Therefore, we do not have 100% visibility in the SQL transactions executed on my database servers. We have no answer to this question as well: “What if a suspicious query is run and did not trigger any SQL exception? How do we manage this inherent risk?”
  • We enabled native auditing and send all the database logs to a SIEM which parses them into readable meta-data. However, we still run into operational issues when we try to review some SQL statements. For example, a privileged user executed “select * from psx64;” which looks suspicious. Is psx64 a table, a view or a synonym? Are there sensitive app data inside this object? Our database/apps colleagues are not available today to run this through with me. We are not able to make a timely assessment on this query and we just gave up after some time.
  • There are easily a few thousand lines of SQL queries we need to review in the log report file for a database server. We just cannot make sense of the queries at all. We can’t cope, and our team members are mentally burnt out from doing audit review for just a single database server.
  • There are so many database service IDs used by our different applications. We do not know what the normal data access behavior for each of the IDs is. We simply have no way to review for suspicious activities if the service IDs are abused maliciously.
  • We have 5000 employees and the IT security team has only 10 staff. We have difficulties learning, profiling and documenting the “normal behavior” for every single one of our employees. It is impossible to answer the question, “Can we be alerted if someone accesses more data today than he/she did over the last 12 months?”
  • We understand network security very well, but database security is a big scary unknown variable to me. We do not dare to implement risk controls on the database servers, fearing that may negatively impact its operations. We chose to ignore the potential data risk simply because we cannot cope with the extra workload as well.
  • We operate the following data stores: CIFS file servers, MS SQL, Oracle, MySQL, DB/2 on Windows, DB/2 on z/OS, DB/2 on AS/400, Cloudera, SAP HANA. Recently some of our less-critical data were migrated to AWS RDS. Each of these data platforms speaks a different language and we have operational difficulties even maintaining a simple security policy, let’s say “track all database configuration changes”. We ended up focusing to protect only the platforms that we are more familiar with.

What can we do to overcome these database security hurdles?

The bright side of the situation is that many organizations have matured/are maturing in terms of security monitoring and knowing what they want to achieve realistically.

This section discusses some of the practical steps which some organizations are adopting or have adopted. While there will always be residual data risks which might arise from compromised, careless or malicious users or misconfiguration oversight; implementing the below concepts beats having no risk controls in place at all.

Step 1: Gain 100% visibility on data access

We cannot protect what we do not see. We will need to audit capture 100% of all database accesses for forensics, audit review and non-repudiation purposes.

We need to take note enabling native auditing feature on most database systems will cause degradation of database system performance.

To overcome this, consider adopting an independent database audit and protection solution which does not require native auditing to be enabled and still provide you with 100% data access visibility. More on this is discussed in Step 3 below.

Step 2: Prioritize your security monitoring focus

While database servers are our important crown jewels, bear in mind that they are just one of the many classes of asset in the organization’s asset inventory list which security teams need to review and protect during a typical business-as-usual day.

There is always a hard limit on how much a human analyst can process when it comes to reading raw audit data or meta-data – which often does not present the data context behind a SQL query.

Therefore, we need to prioritize our risk management effort.

Regardless of asset type, security monitoring and audit review process generally focus on getting answers to the below 3 basic questions:

  1. Exactly WHO is accessing my assets?
  2. Is the access OK?
  3. How do I respond QUICKLY if it’s not ok?

To deal with these 3 basic questions, one of the CIOs that I worked with shared this interesting analogy with me:

“Ants love to eat sweet stuff like cakes. In my organization, my data is the cake and there are many internal/external ants who’d love to eat my cake. I have set up perimeter defenses and other pesticide controls which kills off the malicious ants when they are spotted near the cake.

However, every now and then, the ants mutate and change in colors and structures and my defenses have to play the catch-up game to identify them when that happens. I thought to myself, why don’t I put a cover over my cake? This cake cover should understand how my cake looks like and how it’s usually being consumed.”

I should not have to worry about the mutation of these ants anymore. Now I just have to monitor the surface of this cake cover to spot for ants breaching it OR any previously-unknown ants crawling out of my cake from the cover.”

The question then becomes, “How do we build this intelligent cake cover that is data-aware and application-aware?”

I find the following operational approaches useful when dealing with this question. It might not be the most comprehensive set of approaches, but it serves as a good starting point.

Before we even begin talking about solutions and tools, the below approaches should be inculcated in the organization’s security review processes. Without these fundamental beliefs, even the best tools on this planet will not be able to help us in any way.

  1. Focus on top critical database assets based on the business impact analysis (BIA) – No one is able to cover all the risks affecting every single asset, not even for the biggest organizations which have abundant resources and tools deployed. Focus your already-limited amount of time and effort on assets which will have the biggest negative impact on the business if they get compromised. Impact can be categorized as operational, financial, reputation, etc. If you have not done a BIA, I highly encourage you to do so. Without a BIA, you will never be able to determine the right asset to place your focus on.
  2. Focus on access to sensitive data – Classify and maintain a data dictionary of all your sensitive data in the database. This habit also needs to be inculcated in the procedure runbook for the development of every new application. Given the short amount of daily working time, a key part of the data access review should focus on “Who is touching my sensitive data and what are they doing with it?” It would not make sense to spend an excessive amount of time reviewing access to data which has a relatively low business impact. With this in mind, craft out governance policies and controls that revolve around sensitive data access control and review. This makes the whole security audit process much more manageable and focused.
  3. Focus on what your privileged users are doing – Privileged users have the most powerful rights to the data. Focus on reviewing what they are doing. Are they using unauthorized tools to query the data? Are they touching any of our sensitive data directly without going through the application or jump host? If yes, what did they do to the data?
  4. Avoid generating only log reports with 60k lines of raw logs. Rely on chart-based reports as the first approach. – No human analyst is able to crunch through a report with 60k of raw logs in time and perform a proper database audit log review. Always generate high-level chart-driven reports which illustrate the situational awareness overview of key databases. These chart-based reports should be designed to empower a security analyst to quickly review the data access activities for any DB within 10 minutes. The chart-based reports should minimally describe the source database IDs, shared user accounts (if any), IPs and applications connecting to the database and breakdown of operation types on the database per user. The charts-driven report will enable an analyst to easily spot abnormal events such as “Hey, why is there a Microsoft Office 2010 source app connecting to my payroll database?” From here, the analyst will then finally open up the 60k lines of raw log report to look for the exact log entries which involve “Microsoft Office 2010” accessing the payroll database. More investigation and data pivoting can take place from there on, making the 60k lines of raw log report more useful than aimlessly crunching through it line by line. This approach helps to keep one’s sanity and be effective in review database access activities.

Step 3: Invest in an independent database audit and protection tool that supports the concepts in Step 2

By now, it is apparent that it is technically impossible to rely solely on human effort to focus on sensitive data access and privileged users’ activities on the database. Solutions and tools should be considered to accelerate and automate this journey as much as possible.

Independent database audit and protection solutions typically collect audit data from the database servers without having to enable native auditing on the database server. This improves and conserves database server performance and also reduce resistance from database administrators when it comes to database security monitoring.

These solutions collect database activities using a couple of methods which should have minimal impact on the database servers’ performances:

  • Sniffing off the SPAN/TAP port of a switch or network aggregation TAP for database traffic
  • Deployment of lightweight agents to collect either local access database activities OR all database activities

Ideally, the adopted tool should support the following key operational concepts:

  • Present low-level SQL language into a human-understandable language – Instead of having to understand the 1001 SQL commands across different types of database flavors, the tool should provide the capability to group related SQL commands into human-readable commands groups such as “Backup Operations”, “Database Code Changes Operations”, “Data Object Management”, “Privileges Manipulation”, “Users & Privileges Authorization”, “Object Creation”, etc. This removes the requirement for the security administrator to be a database expert before he/she can protect databases. Instead of having to list down the different exact types of backup commands and procedures for different databases flavors, this will now allow you to simply create a security audit policy to say, “Alert me whenever any of my DB2/MS SQL/Oracle databases have “Backup Operations” from an unauthorized source application.”
  • Support the “Define Once and Comply Many Times” approach for audit and compliance manageability – Compliance regulations and auditors generally do not care what flavors of databases are being run in our environments. They are more concerned with the process of how we systematically deal with the risks across all our data assets and the security controls in place to mitigate/reduce those risks. The manpower, time and money incurred to satisfy these audit requirements are also known as the cost of compliance. The audit and security tool should support the capability of defining a required security audit policy only once and applying it uniformly across the entire heterogeneous database environment. This is based on the governance, risk and compliance best practice of “Define Once and Comply Many Times” which aims to drive down the cost of compliance. With this approach, you do not have to worry about the relevance of your current security audit policies when you spin up a new database server or introduce a new database flavor in the future or migrate to a public cloud-based database two years from now.
  • Ability to automatically build a baseline of database service ID behaviors – applications typically access databases via a database service ID account. Service IDs are one class of resources which needs to be regularly reviewed as they hold access to sensitive data. Applications data access behaviors typically do not deviate often as they are programmed to access data in a certain fashion. As such, it is technically possible to “profile” the data access behavior of database service IDs and document it in an access matrix format. This behavior profile dictates the authorized characteristics of the database service ID from which it can originate. This includes the list of source IP addresses, list of machine names, list of source applications, list of permitted data manipulation language queries (select, insert, update, delete) against a specified set of tables, databases accessed, etc. In the event a service ID’s behavior is found to deviate from the norm, the solution can alert the administrator to it instead of having the administrator hunt for deviations/anomalies amidst the hundreds of database service IDs data access activities logs. This helps in identifying service ID account abuses arising from lateral movement exploits. Most security teams would not have an idea how every service ID in the environment behave and it is unfeasible to manually build a profile for every service ID. Good news is that some database audit and protection solutions in the market today have the ability to automatically build a profile of service IDs – reducing manpower effort in the process.

Step 4: Explore machine learning and analytics to deal with the insanity

Security audit data review is a tedious process even with the right auditing tools and processes in place. Human effort is always involved in the audit data review process.

It is also easier to review service ID accounts activities because their behaviors are deterministic (as explained in the preceding section Step 3). The behaviors of human account IDs are the hardest to review because it involves understanding the dynamic behaviors of each employee and their data access patterns. Their access patterns may change with their workload, their mood and job requirements as they move from one department to another. Unlike behavior profiling of DB service ID accounts, human behavior is not something which can easily be documented in an access matrix.

As such, there will always be gaps or suspicious access activity missed no matter how diligently we review the data access activities on a regular basis. We are still limited by our human processing ability and capacity after all.

As machine learning technology development picks up in pace in recent years, this could possibly help to plug some of these gaps left behind by human review effort.

Machine learning security detection technology should aid us in tackling the fuzzy-logic question of “suspicious data access activities”:

  • Are there critical data access violations which I have missed out during my security review process?
  • Is there any sensitive data which I have not identified in Step 2? Therefore, I am not monitoring it?
  • Are any of my human users accessing more data than they should be?
  • Are any of the above taking place outside of an employee’s normal working hours?

The key to a successful machine learning security detection technology relies on:

  1. The quality of the ingested data (garbage in, garbage out concept)
  2. A proper understanding of the data context (what do each of the data points mean in different scenarios?)
  3. The data models specifically built to solve certain use cases

The market is generally moving towards solutions that already have built-in data models. This reduces the need to hire specialty services to build data models whenever a new security use case is required.

Some of the supervised and unsupervised machine learning solutions in the market today provide these data models out-of-the-box for our considerations:

  • Lateral movement
  • Endpoint takeover
  • Service ID account abuse (humans using service IDs instead of applications)
  • Suspicious direct access to production data (bypassing the authorized source applications)
  • Excessive data access
  • Sensitive data objects prediction
  • Profiling and prediction of human user IDs and service IDs

Once again to recap, we are really just trying to answer the below 3 seemingly simple questions:

Database security is a big domain of knowledge that truly requires operational working knowledge of applications, service IDs, ACLs, database systems and the overarching governance, risk and compliance concepts around them. It is not a topic that could be easily comprehensively described and explained in an article like this. But rather, this article attempts to serve as a useful starting point for folks who are seriously considering database security.

Business leaders concerned about security, data backup is a key opportunity

New research from Kaseya shows how IT groups at SMBs are faring as IT management demands grow in both number and complexity. The survey, based on input from nearly 1,300 global respondents, revealed a number of emerging trends, indicating that change is afoot in the IT operations landscape. Security remains top concern for second year in a row This year’s data highlights that for most IT organizations the biggest concern continues to come from the … More

The post Business leaders concerned about security, data backup is a key opportunity appeared first on Help Net Security.

The primary email security challenge enterprises face is trust

Only 34 percent of users without email security responsibility recall seeing email-based attacks in their inboxes, compared to 85 percent of email security professionals, according to GreatHorn. Throughout June 2018, 295 business professionals from both technical and non-technical job roles were surveyed to gain a better understanding of the current state of enterprise email security, threat prevalence, remediation frequency, and importance within the wider security landscape. The data shows a perception gap around email security, … More

The post The primary email security challenge enterprises face is trust appeared first on Help Net Security.

Fortnite Scammers Approaching $1m in Annual Takings

When something seems too good to be true, it probably is. It’s a hard lesson to learn and, in this case, one that’s being taught by scammers. The perpetrators are abusing the fact that online players of  Battle Royale games may be very eager to get free in-game currency and items, and are willing to go to pretty risky lengths to get hold of them.

We found that campaigns specifically targeting Fortnite gamers are advanced in both their ‘marketing appeal’ and their user interface and are on the rise… in line with Fortnite’s growing popularity. Scammers are tempting gamers by promising in-game currency (Fortnite V-Bucks) ‘for free’ when, in reality, the gamers aren’t getting anything; while the scammers are making bank by misleading gamers into action-oriented advertisements like signing up for services or installing additional software.

Scammers are eager to get money from unsuspecting gamers. This is nothing new and has happened in the past with gaming hits like the popular MMORPG WoW (World Of Warcraft), where scammers were making money by selling accounts and artifacts; CS: GO (Counter-Strike: Global Offensive) where scammers were and still are selling skins, and many more. In the last few months, we’ve seen a lot of criminal activities aimed at Battle Royale gamers, who’ve spent more than $1 billion through in-game purchases, as these types of games continue to grow in popularity.

What are Battle Royale games?

In case you just woke up from a coma and have never heard of the Battle Royale genre; they’re incredibly popular online survival games (mostly first-person shooters), where you get dropped into an open-world map, and in order to survive you have to scavenge for weapons and ammo and kill everybody else. Well, that’s the short description anyway.

The longer version, according to Wikipedia is:

A Battle Royale game, also spelled battle royal, is a video game genre that blends the survival, exploration and scavenging elements of a survival game with last-man-standing gameplay. Battle Royale games challenge a large number of players, starting with minimal equipment, to search for weapons and armor and eliminate all other opponents while avoiding being trapped outside of a shrinking “safe area”, with the winner being the last competitor in the game. The name for the genre is taken from the 2000 Japanese film Battle Royale, which presents a similar theme of a last-man-standing competition in a shrinking play zone.

So, who’s at risk?

Ideal targets for these types of scams include players of ‘freemium’ games, where you can play for free, but some premium additions (such as virtual money or skins) can be bought with real-world currency. Everyone wants the premium kit, but no one wants to pay for it.

We focused our research on Fortnite scams, since this game is hugely popular in the freemium game category, especially among teenagers. This demographic makes for a soft target, given that young people are often constrained financially on account of being, well… young.

How does the campaign work?

The scam’s aim is to lead users to V-Bucks generators — a utility that supposedly creates free V-Bucks from thin air — and eventually trick them into clicking on ads. In order to hide their intentions and prevent site owners from deleting the spam they post, attackers use a variety of obfuscation methods. Many of the URLs linking to the scam contain URL redirections which make it look as if the URL leads to a legitimate well-known site, and the pages that advertise the generator are hosted on innocent online services.

The generator’s landing page is usually pretty well-designed, filled with images and animations making it look legit. After all, who’d take the time to build a beautiful generator that doesn’t work? The generator usually prompts for a username and then asks how many V-Bucks you would like to get for free. Then, a small terminal appears on screen, streaming commands that imitate hacking into the Fortnite Database and adding V-Bucks to your user.

After a handful of commands, all of which execute successfully, an error occurs, and human verification is needed to solve it.

Attempting to verify will lead you to a survey site with a survey pool. These surveys are basically ads — some of them lead to legitimate businesses and others lead to scam sites — but none of them can be completed in any way, and your Fortnite user won’t get any richer.

Show me the money!

Pay Per Click Advertising is an advertising model in which an advertiser pays a site owner for each ad click. The entire scam revolves around leading users to the survey pools, promising free V-Bucks to motivate them to click on all the ads, and with each click, the site owner receives a payment. Basing our calculations on a few hit sites, we estimate that one group of attackers has made over $93,000 in the last month from this scam alone, according to data taken from SimilarWeb.

Safety first

For gamers: if someone offers you in-game currency for free, chances are it’s a trap. Just don’t go there. In this case, the ‘damage’ varies between simply wasting your time clicking, to falling into a more serious trap that may harm your computer.

For site owners: make sure you’re protected against application attacks, including comment spams and other bot attacks.

SCADA vulnerabilities in ICS architectures

A major challenge in industrial control system architecture involves the dual nature of its underlying technologies. That is, a typical ICS component must have the capability to exchange information with both IT and OT systems across designated network or system interfaces. This is different from traditional industrial devices like heat pumps, actuators, and motors that were previously only accessed and controlled by OT systems, usually either analog or electro-mechanical. So, today the existence of two … More

The post SCADA vulnerabilities in ICS architectures appeared first on Help Net Security.

CactusTorch Fileless Threat Abuses .NET to Infect Victims

McAfee Labs has noticed a significant shift by some actors toward using trusted Windows executables, rather than external malware, to attack systems. One of the most popular techniques is a “fileless” attack. Because these attacks are launched through reputable executables, they are hard to detect. Both consumers and corporate users can fall victim to this threat. In corporate environments, attackers use this vector to move laterally through the network.

One fileless threat, CactusTorch, uses the DotNetToJScript technique, which loads and executes malicious .NET assemblies straight from memory. These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. As with other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly on a computer’s hard drive; hence traditional file scanners fail to detect these attacks.

In 2018 we have seen rapid growth in the use of CactusTorch, which can execute custom shellcode on Windows systems. The following chart shows the rise of CactusTorch variants in the wild.

Source: McAfee Labs.

The DotNetToJScript tool kit

Compiling the DotNetToJScript tool gives us the .NET executable DotNetToJScript.exe, which accepts the path of a .NET assembly and outputs a JavaScript file.

 

Figure 1: Using DotNetToJScript.exe to create a malicious JavaScript file.

The DotNetToJScript tool kit is never shipped with malware. The only component created is the output JavaScript file, which is executed on the target system by the script host (wscript.exe). For our analysis, we ran some basic deobfuscation and found CactusTorch, which had been hidden by some online tools:

Figure 2: CactusTorch code.

Before we dive into this code, we need to understand .NET and its COM exposure. When we install the .NET framework on any system, several .NET libraries are exposed via Microsoft’s Component Object Model (COM).

Figure 3: COM exposing the .NET library System.Security.Cryptography.FromBase64Transform.

If we look at the exposed interfaces, we can see IDispatch, which allows the COM object to be accessed from the script host or a browser.

Figure 4: Exposed interfaces in a .NET library.

To execute malicious code using the DotNetToJScript vector, an attack uses the following COM objects:

  • Text.ASCIIEncoding
  • Security.Cryptography.FromBase64Transform
  • IO.MemoryStream
  • Runtime.Serialization.Formatters.Binary.BinaryFormatter
  • Collections.ArrayList

Now, let’s return to the JavaScript code we saw in Figure 2. The function base64ToStream()converts the Base64-encoded serialized object to a stream. Before we can fully understand the logic behind the JavaScript code, we need to examine the functionality of the Base64-encoded serialized object. Thus our next step is to reverse engineer the embedded serialized object and recreate the class definition. Once that was done, the class definition looks like the following code, which is responsible for executing the malicious shellcode. (Special thanks to Casey Smith, @subTee, for important pointers regarding this step).

Figure 5: The class definition of the embedded serialized object.

Now we have the open-source component of CactusTorch, and the JavaScript code in Figure 2 makes sense. We can see how the malicious shellcode is executed on the targeted system. In Figure 2, line 29 the code invokes the flame(x,x) function with two arguments: the executable to launch and the shellcode.

The .NET assembly embedded in the CactusTorch script runs the following steps to execute the malicious shellcode:

  • Launches a new suspended process using CreateProcessA (to host the shellcode)
  • Allocates some memory with VirtualAllocEx() with an EXECUTE_READWRITE privilege
  • Writes the shellcode in the target’s process memory with WriteProcessMemory()
  • Creates a new thread to execute the shellcode using CreateRemoteThread()

Conclusion

Fileless malware takes advantage of the trust factor between security software and genuine, signed Windows applications. Because this type of attack is launched through reputable, trusted executables, these attacks are hard to detect. McAfee Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) customers are protected from this class of fileless attack through Signature ID 6118.

 

Acknowledgements

The author thanks the following colleagues for their help with this analysis:

  • Abhishek Karnik
  • Deepak Setty
  • Oliver Devane
  • Shruti Suman

References

MITRE ATT&CK techniques

  • Drive-by compromise
  • Scripting using Windows Script Host
  • Decode information
  • Command-line interface
  • Process injection

Hashes

  • 4CF9863C8D60F7A977E9DBE4DB270819
  • 5EEFBB10D0169D586640DA8C42DD54BE
  • 69A2B582ED453A90CC06345886F03833
  • 74172E8B1F9B7F9DB600C57E07368B8F
  • 86C47B9E0F43150FEFF5968CF4882EBB
  • 89F87F60137E9081F40E7D9AD5FA8DEF
  • 8A33BF71E8740BDDE23425BBC6259D8F
  • 8DCCC9539A499D375A069131F3E06610
  • 924B7FB00E930082CE5B96835FDE69A1
  • B60E085150D53FCE271CD481435C6E1E
  • BC7923B43D4C83D077153202D84EA603
  • C1A7315FB68043277EE57BDBD2950503
  • D2095F2C1D8C25AF2C2C7AF7F4DD4908
  • D5A07C27A8BBCCD0234C81D7B1843FD4
  • E0573E624953A403A2335EEC7FFB1D83
  • E1677A25A047097E679676A459C63A42
  • F0BC5DFD755B7765537B6A934CA6DBDC
  • F6526E6B943A6C17A2CC96DD122B211E
  • CDB73CC7D00A2ABB42A76F7DFABA94E1
  • D4EB24F9EB1244A5BEAA19CF69434127

 

The post CactusTorch Fileless Threat Abuses .NET to Infect Victims appeared first on McAfee Blogs.

Attack inception: Compromised supply chain within a supply chain poses new risks

A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the apps legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendors systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.

The attackers monetized the campaign using cryptocurrency miners going as far as using two variants, for good measure adding to an expanding list of malware attacks that install coin miners.

We estimate based on evidence from Windows Defender ATP that the compromise was active between January and March 2018 but was very limited in nature. Windows Defender ATP detected suspicious activity on a handful of targeted computers; Automated investigation automatically resolved the attack on these machines.

While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetizing malware campaigns.

This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources. This is evidence that software supply chains are becoming a risky territory and a point-of-entry preferred even by common cybercriminals.

Hunting down the software supply chain compromise

As with most software supply chain compromises, this new attack was carried out silently. It was one of numerous attacks detected and automatically remediated by Windows Defender ATP on a typical day.

While customers were immediately protected, our threat hunting team began an in-depth investigation when similar infection patterns started emerging across different sets of machines: Antivirus capabilities in Windows Defender ATP was detecting and blocking a coin mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP’s alert timeline showed that xbox-service.exe was installed by an installer package that was automatically downloaded from a suspicious remote server.

Figure 1. Windows Defender ATP alert for the coin miner used in this incident

A machine compromised with coin miner malware is relatively easy to remediate. However, investigating and finding the root cause of the coin miner infection without an advanced endpoint detection and response (EDR) solution like Windows Defender ATP is challenging; tracing the infection requires a rich timeline of events. In this case, Advanced hunting capabilities in Windows Defender ATP can answer three basic questions:

  • What created xbox-service.exe and pagefile.sys files on the host?
  • Why is xbox-service.exe being launched as a service with high privileges?
  • What network and process activities were seen just before xbox-service.exe was launched?

Answering these questions is painless with Windows Defender ATP. Looking at the timeline of multiple machines, our threat hunting team was able to confirm that an offending installer package (MSI) was downloaded and written onto devices through a certain PDF editor app (an alternative app to Adobe Acrobat Reader).

The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation. All the MSI files were clean and digitally signed by the same legitimate company except for the one malicious file. Clearly, something in the download and installation chain was subverted at the source, an indication of software supply chain attack.

Figure 2. Windows Defender ATP answers who, when, what (xbox-service.exe created right after MSI installation)

As observed in previous supply chain incidents, hiding malicious code inside an installer or updater program gives attackers the immediate benefit of having full elevated privileges (SYSTEM) on a machine. This gives malicious code the permissions to make system changes like copying files to the system folder, adding a service, and running coin mining code.

Confident with the results of our investigation, we reported findings to the vendor distributing the PDF editor app. They were unaware of the issue and immediately started investigating on their end.

Working with the app vendor, we discovered that the vendor itself was not compromised. Instead, the app vendor itself was the victim of a supply chain attack traceable to their dependency on a second software vendor that was responsible for creating and distributing the additional font packages used by the app. The app vendor promptly notified their partner vendor, who was able to identify and remediate the issue and quickly interrupted the attack.

Multi-tier software supply chain attack

The goal of the attackers was to install a cryptocurrency miner on victim machines. They used the PDF editor app to download and deliver the malicious payload. To compromise the software distribution chain, however, they targeted one of the app vendors software partners, which provided and hosted additional font packages downloaded during the apps installation.

Figure 3. Diagram of the software distribution infrastructure of the two vendors involved in this software supply chain attack

This software supply chain attack shows how cybercriminals are increasingly using methods typically associated with sophisticated cyberattacks. The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.

The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.

At a high level, heres an explanation of the multi-tier attack:

  1. Attackers recreated the software partners infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica sever.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers replica server instead of the software partners server.

While the attack was active, when the app reached out to the software partners server during installation, it was redirected to download the malicious MSI font package from the attackers replica server. Thus, users who downloaded and installed the app also eventually installed the coin miner malware. After, when the device restarts, the malicious MSI file is replaced with the original legitimate one, so victims may not immediately realize the compromise happened. Additionally, the update process was not compromised, so the app could properly update itself.

Windows Defender ATP customers were immediately alerted of the suspicious installation activity carried out by the malicious MSI installer and by the coin miner binary, and the threat was automatically remediated.

Figure 4. Windows Defender ATP alert process tree for download and installation of MSI font packages: all legitimate, except for one

Since the compromise involved a second-tier software partner vendor, the attack could potentially expand to customers of other app vendors that share the same software partner. Based on PDF application names hardcoded by the attackers in the poisoned MSI file, we have identified at least six additional app vendors that may be at risk of being redirected to download installation packages from the attackers server. While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind.

Another coin miner malware campaign

The poisoned MSI file contained malicious code in a single DLL file that added a service designed to run a coin mining process. The said malware, detected as Trojan:Win64/CoinMiner, hid behind the name xbox-service.exe. When run, this malware consumed affected machines computing resources to mine Monero coins.

Figure 5. Malicious DLL payload extracted from the MSI installer

Another interesting aspect of the DLL payload is that during the malware installation stage, it tries to modify the Windows hosts file so that the infected machine cant communicate with the update servers of certain PDF apps and security software. This is an attempt to prevent remote cleaning and remediation of affected machines.

Figure 6. Preventing further download of updates from certain PDF app vendors

Inside the DLL, we also found some traces of an alternative form of coin mining: browser scripts. Its unclear if this code was the attackers potential secondary plan or simply a work in progress to add one more way to maximize coin mining opportunities. The DLL contained strings and code that may be used to launch a browser to connect to the popular Coinhive library to mine Monero coins.

Figure 7. Browser-based coin mining script

Software supply chain attacks: A growing industry problem

In early 2017, we discovered operation WilySupply, an attack that compromised a text editors software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.

These are just some of many similar cases of supply chain attacks observed in 2017 and 2018. We predict, as many other security researchers do, that this worrisome upward trend will continue.

Figure 8. Software supply chain attacks trends (source: RSA Conference 2018 presentation “The Unexpected Attack Vector: Software Updaters“)

The growing prevalence of supply chain attacks may be partly attributed to hardened modern platforms like Windows 10 and the disappearance of traditional infection vectors like browser exploits. Attackers are constantly looking for the weakest link; with zero-day exploits becoming too expensive to buy or create (exploit kits are at their historically lowest point), attackers search for cheaper alternative entry points like software supply chains compromise. Benefiting from unsafe code practices, unsecure protocols, or unprotected server infrastructure of software vendors to facilitate these attacks.

The benefit for attackers is clear: Supply chains can offer a big base of potential victims and can result in big returns. Its been observed targeting a wide range of software and impacting organizations in different sectors. Its an industry-wide problem that requires attention from multiple stakeholders – software developers and vendors who write the code, system admins who manage software installations, and the information security community who find these attacks and create solutions to protect against them, among others.

For further reading, including a list of notable supply chain attacks, check out our RSA Conference 2018 presentation on the topic of software supply chain attack trends: The Unexpected Attack Vector: Software Updaters.

Recommendations for software vendors and developers

Software vendors and developers need to ensure they produce secure as well as useful software and services. To do that, we recommend:

  • Maintain a highly secure build and update infrastructure.
    • Immediately apply security patches for OS and software.
    • Implement mandatory integrity controls to ensure only trusted tools run.
    • Require multi-factor authentication for admins.
  • Build secure software updaters as part of the software development lifecycle.
    • Require SSL for update channels and implement certificate pinning.
    • Sign everything, including configuration files, scripts, XML files, and packages.
    • Check for digital signatures, and dont let the software updater accept generic input and commands.
  • Develop an incident response process for supply chain attacks.
    • Disclose supply chain incidents and notify customers with accurate and timely information.

Defending corporate networks against supply chain attacks

Software supply chain attacks raise new challenges in security given that they take advantage of common everyday tasks like software installation and update. Given the increasing prevalence of these types of attacks, organizations should investigate the following security solutions:

  • Adopt a walled garden ecosystem for devices, especially for critical systems.Windows 10 in S mode is designed to allow only apps installed from the Microsoft Store, ensuring Microsoft-verified security
  • Deploy strong code integrity policies.Application control can be used to restrict the applications that users are allowed to run. It also restricts the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code for customers who cant fully adopt Windows 10 in S mode.
  • Use endpoint detection and response (EDR) solutions.Endpoint detection and response capabilities in Windows Defender ATP can automatically detect and remediate suspicious activities and other post-breach actions, so even when entry vector is stealthy like for software supply chain, Windows Defender ATP can help to detect and contain such incidents sooner.

In supply chain attacks, the actual compromise happens outside the network, but organizations can detect and block malware that arrive through this method. The built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. For example, as demonstrated in this investigation, antivirus capabilities detected the coin mining payload. The detection was surfaced on Windows Defender ATP, where automated investigation resolved the attack, protecting customers. The rich alert timeline and advanced hunting capabilities in Windows Defender ATP showed the extent of the software supply chain attack. Through this unified platform, Windows Defender ATP delivers attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, and advanced hunting.

 

 

Elia Florio
with Lior Ben Porat
Windows Defender ATP Research team

 

 

Indicators of compromise (IOCs)

Malicious MSI font packages:
– a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
– ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
– 23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
– 69570c69086e335f4b4b013216aab7729a9bad42a6ce3baecf2a872d18d23038

Malicious DLLs embedded in MSI font packages:
– b306264d6fc9ee22f3027fa287b5186cf34e7fb590d678ee05d1d0cff337ccbf

Coin miner malware:
– fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (xbox-service.exe)
– 1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (pagefile.sys)

Software supply chain download server:
– hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi (IP: 91[.]235 [.]129 [.]133)

Command-and-control/coin mining:
– hxxp://data28[.]somee [.]com/data32[.]zip
– hxxp://carma666[.]byethost12 [.]com/32[.]html

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Securing healthcare organizations: The challenges CISOs face

Healthcare organizations are ideal targets for criminals looking to steal personal and other sensitive information, as the industry is lagging behind when it comes to cybersecurity. Healthcare breaches involving ransomware increase year-over-year, but this is just one of the problems information security professionals in the healthcare need to face, minimize or, better yet, head off. Challenges specific to the healthcare industry To be sure, healthcare CISOs’ work is not easy: one of the biggest challenges … More

The post Securing healthcare organizations: The challenges CISOs face appeared first on Help Net Security.

ERP applications under attack: How criminals target the crown jewels

Business-critical applications running the biggest organizations in the world are under attack, according to research from Digital Shadows and Onapsis. The report shows a rise in cyberattacks on widely-used enterprise resource planning (ERP) applications such as SAP and Oracle — which currently have a combined 9,000 known security vulnerabilities. The report also highlights an increase in attacks on these systems by nation-state actors, cybercriminals and hacktivists that include both hacking and DDoS attempts to compromise … More

The post ERP applications under attack: How criminals target the crown jewels appeared first on Help Net Security.

Do we trust privacy technology too much?

The Internet has become absolutely vital to maintaining relationships in the modern world. As well as our social network of friends from across the globe, we also rely on a collection of apps and online services to stay in touch with our loved ones who we see every day.

This has some interesting implications on what we say online. We are very careful to regulate what we say, depending on the potential audience. We are unlikely to share our deepest secrets publicly on our Facebook timeline where anyone can see them for instance. But we may use a private Facebook Messenger chat session to discuss deeply personal issues with a trusted friend.

The illusion of privacy

Some apps – like Facebook Messenger and Snapchat – claim to offer enhanced privacy protections. Snapchat promise that messages sent using the app are automatically deleted in 10 seconds.

As a result, users are tempted to share more sensitive information than they would using a standard messaging app. But there is a problem.

Take Snapchat for example. Photos and messages really are deleted after 10 seconds – from the recipient’s phone. But that doesn’t mean that the picture is gone forever. By taking a screenshot, or using another app, the recipient can keep a copy of the picture – and you have no control at all over what they do with it.

The app may feel private, and the app developer may promise that your data is secure, but nothing can completely protect your privacy. This is the “illusion of privacy” and it can cause serious problems when you take these promises at face value.

Hiding and seeking online

Security experts call this desire for privacy online “hiding”. Many apps contain features specifically designed to help us hide – and all too often they overpromise on how protected we really are. Because for every “hiding” app, there is another designed for “seeking”, helping to circumvent those safeguards and uncover the information we want to keep hidden.

Often it is the human factor that is the greatest threat to our privacy. The hiding technology works in principle, but it does not take into account what other people do, or their actions to expose us.

This is a serious problem because our trust in privacy technology can be used against us. If the system is secure and we trust it, we are more likely to share extremely sensitive information using it. When this trust is broken by a seeking app used by an untrustworthy contact, the fall-out can be incredibly severe.

Taking a default position of mistrust

In order to better protect our privacy, we must each take greater responsibility for what we share online. Tech companies know that people are concerned about their privacy, and they make many bold statements about how they will protect us.

But the truth is none of these safeguards is foolproof. It may be that if you want to share an unpopular opinion or some personal photographs, social media apps and services are not the tools to use.

To learn more about protecting your privacy, download a free trial of Panda Dome today.

Download Panda FREE VPN

The post Do we trust privacy technology too much? appeared first on Panda Security Mediacenter.

How the Federal Government Is Working to Improve Its Cybersecurity Workforce

On the heels of last month’s White House reorganization plan, the state of cybersecurity careers within the government is changing. In part, this plan aims to address several pressing issues in the job category within the context of government employment and to attract top talent to otherwise staling roles. Over the past few years, government […]… Read More

The post How the Federal Government Is Working to Improve Its Cybersecurity Workforce appeared first on The State of Security.

10 Key Findings From the Ponemon Institute Value of Artificial Intelligence in Cybersecurity Study

A day seldom passes without any exposure to the term artificial intelligence (AI). But when our survey team conceptualized this topic, we were stunned to learn that there wasn’t much publicly available information that documented end users’ perspectives on the impact of AI on organizations’ cybersecurity efforts.

So, we’re pleased to share our comprehensive findings — and help answer the critical question: What value does AI bring to cybersecurity?

The Ponemon Institute 2018 Artificial Intelligence (AI) in Cyber-Security Study, sponsored by IBM Security, includes detailed and high-level cybersecurity discoveries, as well as a comprehensive look at the impact of AI technologies on application security testing. Here are our top 10 key findings from the study.

1. AI Could Help Cut Costs

For organizations across a wide variety of industries and geographies, the estimated average cost of addressing potential cyber exploits without AI is $3 million. Companies who are using AI, by contrast, spent an average of $814,873 on the same threats. Thus, a company can potentially save an average of $2.5 million in operating costs by utilizing AI technology.

2. AI May Minimize Data Breaches

When asked about the estimated likelihood of a data breach affecting more than 10,000 sensitive customer or consumer records at their organizations, 40 percent of respondents estimated that the probability was greater than 20 percent if they didn’t leverage AI technologies. However, a mere 2 percent of respondents estimated that the likelihood was greater than 20 percent when AI technologies were leveraged.

Download the complete study: Artificial Intelligence (AI) in Cyber-Security

3. Organizations Plan to Increase AI Investment

Organizations expect to increase their investment in AI. As AI technology matures, investments will grow, according to 61 percent of respondents.

4. AI May Improve Productivity

Sixty percent of respondents were positive about the ability of AI-based security technologies to improve the productivity of their IT security personnel.

5. AI-Based Technologies Provide Deeper Security

Sixty percent of respondents stated that AI-based technologies provided deeper security than what humans alone could offer. However, only 34 percent of respondents said that the use of AI would decrease the workload of their IT security personnel.

6. AI Supports Identification and Authentication Technologies

AI provided the most support for technologies that identified and authenticated users. Sixty-five percent of respondents stated that AI supported technologies that identified and authenticated their users, and 54 percent of respondents noted that AI was utilized with technologies that provided security intelligence about network traffic and entities.

7. Speed Is the Most Significant Benefit of AI

Sixty-nine percent of respondents stated that the most significant benefit of AI was the ability to increase their speed in analyzing threats. This was followed by 64 percent of respondents who said the most significant advantage was the acceleration in the containment of infected endpoints and devices and hosts.

8. Human Supervision Is Still Required

Human supervision is still required when dealing with alerts. Respondents estimated that an average of 45 percent of alerts could be handled by AI without human supervision. On average, 41 percent of previously “undetectable” zero-day exploits can be detected because of AI.

Download the complete study: Artificial Intelligence (AI) in Cyber-Security

9. AI Helps Identify Application Security Vulnerabilities

Sixty percent of respondents stated that AI identified their application security vulnerabilities — and a firm majority (59 percent) of respondents noted that AI increased the effectiveness of their organizations’ application security activities.

10. AI Saves Investigation and Detection Time

Respondents estimated that investigating and detecting application vulnerabilities took, on average, 195.88 labor hours per week when not facilitated by AI, but took, on average, 70.48 labor hours per week when facilitated by AI — saving organizations 125.40 labor hours per week on average.

If we further estimate that security analysts work an average of 40 hours per week, that’s an estimated saving of more than three full-time equivalents (FTEs) per week.

Download the Ponemon Institute Study to Learn More

Our study is chock-full of compelling results about the impact of AI on cybersecurity. Click here to download your complimentary copy now.

Finally, make plans to register and attend our webinar on this compelling topic on Aug. 2. After our live session, the webinar will be available on demand for your listening and sharing pleasure.

The post 10 Key Findings From the Ponemon Institute Value of Artificial Intelligence in Cybersecurity Study appeared first on Security Intelligence.

72% of CEOs admit they’ve taken intellectual property from a former employer

In a clear demonstration that top executives defy data security best practices and company policy, 72 percent of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer. 93 percent of CEOs say they keep a copy of their work on a personal device, outside the relative safety of company servers or cloud applications. Yet, 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset … More

The post 72% of CEOs admit they’ve taken intellectual property from a former employer appeared first on Help Net Security.

Adopting a Zero Trust approach is the best strategy to control access

A new study conducted by Forrester Consulting found that organizations powering Zero Trust Security with next-gen access solutions reported twice the confidence to accelerate new business models and customer experiences. The study of 311 IT decision-makers in North America and the UK finds that 67 percent of all enterprise resources are exposed to access-related risk, and that a Zero Trust Security approach is the best strategy to control access to enterprise resources. Organizations using next-gen … More

The post Adopting a Zero Trust approach is the best strategy to control access appeared first on Help Net Security.

Google Employees Successfully Using Security Keys To Protect Against Phishing

Ensuring adequate protection against phishing attacks is a pain in the neck even for the smartest security systems. However, Google

Google Employees Successfully Using Security Keys To Protect Against Phishing on Latest Hacking News.

The Data Breach ‘Kill Chain’: Early Detection is Key

Today, organizations rely heavily on data, with a big portion of that data made up of sensitive information. As organizations become the custodians of more and more sensitive information, the frequency of data breaches increases accordingly. In some cases, the origin of a data breach is outside of the organization, with hackers succeeding in evading organizations by compromising accounts; while in other cases, data breaches involve internal actors – malicious employees or contractors who intend to harm the organization and who may have legitimate credentials.

According to the 2018 Verizon Data Breach Investigations Report (DBIR), the top asset involved in data breaches is the database server (see figure 1). This is not surprising since large volumes of sensitive data are stored in databases, which is why database security is such a crucial factor.

The thing is, rather than trying to prevent a data breach, a more realistic goal would be to detect a breach at an early stage. The reason why early breach detection is more practical than breach prevention is that often times, malicious users are already inside the organization, abusing their legitimate permissions to access sensitive data. To quickly detect a potential data breach, we need to be able to identify “early signs” of a breach. The alternative is months or even years of trying to detect a data breach.

Figure 1: Top varieties assets within confirmed data breaches (n=2,023), 2018 DBIR, Verizon

 

The data breach kill chain

Back in 2011, Lockheed Martin defined The Cyber Kill Chain as a model for the identification and prevention of cyber intrusion attacks. It defines the steps taken by an attacker during a typical cyber-attack (Figure 2).

The seven steps of the cyber kill chain are as follow:

  1. Reconnaissance – Get as much information as possible about the target, choose your target.

    Figure 2: The Cyber Kill Chain, Lockheed Martin

  2. Weaponization – Choose the best tool for the task.
  3. Delivery – Launch an attack using weaponized bundle on the target.
  4. Exploitation – Exploiting the vulnerability to execute code in the victim’s system.
  5. Installation – Install weapon access point
  6. Command and Control (C&C) – Enable sending remote commands for persistent access to a target network.
  7. Actions on Objective – Take action. For example: data destruction, exfiltration or encryption.

We’ve adjusted the cyber kill chain to suit data breaches specifically, presenting an instance where the attacker is already inside the organization/already has access (figure 3).

Figure 3: The Data Breach Kill Chain

Having been recruited or accidentally infected — compromised by an external hacker –, the attacker continues to the reconnaissance stage; this stage is similar to the reconnaissance stage in the original cyber kill chain, and the goal is to gain as much information about the data or the assets that hold the data (think permissions, structure etc.) as possible. After choosing the target and getting enough information, the attacker will try to obtain access to the data – in the exploitation stage. This could be achieved by escalating its privileges. Once access is granted, an attacker will try to acquire sensitive data. This stage could be a large file download or specific access to sensitive data. The last step will be exfiltrating the data from the organization.

Protect data in your databases: Defense-in-depth

The principle of defense-in-depth is that layered security improves your overall security posture. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system.

To better protect data in your databases, you need to identify suspicious activity at every step of the potential attack chain. That way, if we fail to detect the attack at a specific step, we’ll still have the chance to catch it in the following steps. It’s always best to uncover an attack as early as possible, preferably before malicious or compromised individuals obtain access to the data.

Imperva CounterBreach looks for suspicious database activities in each step of the kill chain to detect a data breach and uncover risky security practices that are likely to be exploited by attackers. For example, we look at specific events happening at different stages of the attack chain, such as failed logins, broad access to databases, service account abuse, and accessing business-critical data.

In the latest version of Imperva CounterBreach – V2.3 – a new algorithm that detects reconnaissance attacks was added. The algorithm uncovers suspicious system table access before any data gets exfiltrated. 

Reconnaissance Stage: Suspicious system table scan

System tables store the metadata of the database. Those tables contain information about all the objects, data types, constraints, configuration options, available resources, information about valid users and their permissions and more. We expect attackers to access system tables as part of the reconnaissance stage of the attack in order to explore the databases in the organization, or even change database permissions. The challenge in detecting reconnaissance attacks using system tables access, with a minimum amount of false positive alerts, rests in the fact that legitimate users access system tables on a regular basis to perform their ad hoc tasks.

To perform this task successfully, Imperva CounterBreach combines machine learning logic with domain knowledge and correlates a host of sources and hints to form a holistic picture. Imperva CounterBreach distinguishes between access to sensitive system tables and access to non-sensitive system tables. This classification is taken from our database activity monitoring solution and is based on research conducted in the Imperva Defence Center.

Imperva CounterBreach utilizes a host of profiling cycles to study everyday access patterns to the different classes of system tables (as shown in figure 4). These cycles include:

Figure 4: Learning Cycles

  • User normal activity – Learn how users typically behave and access system tables
  • Database normal activity – Learn how users inside the organization access system tables in a certain database
  • Organization normal activity – Learn how sensitive system tables are accessed across the entire domain
  • Community normal activity – Use data of system tables access patterns from different customers, to have a knowledge of global normal system table activity

We also make use of other hints to identify legitimate access to sensitive tables, separating a legitimate user like DBA, from an attacker. Imperva Counterbreach identifies a malicious user by analyzing the number of databases they try to access system tables from, the number of failed logins to databases in the organization in the same time frame, and more.

Figure 5 shows a real example of 11 different interactive users from one of our customers. These 11 users comprise 10 DBAs and an attacker (‘E’ in the figure) who attacked the organization on the 16th and 17th. Different colors represent different users and the x-axes represent the different days. The top graph shows the number of databases each user accessed sensitive system tables in which are not normally used by his profiling circles. The bottom graph shows the number of databases that the user failed to log into in each day.

We can see that the attacker accessed new system tables in several databases on the days of the attack. Combining that information with the fact that they also failed to log into some databases on the days of the attack indicates a suspicious activity.

Figure 5: Distinguish between legitimate system table access done by DBAs and system table access done by an attacker

Summary

Attackers will continue to attempt to steal sensitive data from organizations, this is a given. Our goal is to detect potential breaches as early as possible before any actual harm is done or any sensitive data is exposed. Uncovering suspicious system table access is a critical step to catching attackers in the reconnaissance stage where they still try to find their way in. If an attack was not detected in the reconnaissance stage, Imperva CounterBreach can still identify anomalies along the data breach attack chain, using the defense-in-depth approach. With domain knowledge expertise and machine learning algorithms, this approach allows you to detect threats at all stages of a data breach.

Be like a Moomin: How to establish trust between competitors so we can fight cybercrime

Image of a Moomin keychain sitting on a hotel desk.Do you know the Moomins? They’re a tight-knit, happy, collaborative cartoon family. I’d never heard of them until I was lucky enough to spend a few days at the Microsoft offices in Helsinki, Finland.

The Moomin keychain in the photo was a gift from the Finnish CISO. As I did a little research into Moomin lore, I discovered a family of wonderful trolls who work with each other, their friends, and acquaintances to overcome adversity. In the first book, The Moomins and the Great Flood, the Moomins become separated. With the landscape flooded, they are unable to find their village, Moominpappa, until they befriend a stork who offers to help them with a winged ride, giving them an aerial vantage point.

The collaborative problem-solving approach of the Moomins fits right into the overall story of trust I frequently heard during my Finland trip. The country has one of the most trusted police and governments in the world. This may partly be due to the fact that trust in the government has been historically high inNordic countries. In 2015, Finland was the second least corrupt country according to theTransparency International organization.

In the online world, Finland has one of thefastest internet speeds in the worldrunningonsome of theleast malware infected pipes. How are they doing this? With tools, such as theCERT-FI Autoreporter system, which help admins find and respond to breaches faster and empowers admins to take actions to protect their networks. This level of engaged partnership in the overall health of the country’s network is valued. The cybersecurity professionals I spoke with are very focused on maintaining this trust and continue toidentifyand buildopportunities for collaboration between the public and private sectors.

Theres some great learning in there for the international cybersecurity community. Its no secret that cyber-adversaries are selectively collaborating to help make themselves more effective. Operating in dark web exchanges and via encrypted messenger, they share exploits, malcode, and successful attack techniques. But if, as the saying goes, theres no honor amongst thieves, how has an international collective of attackers figured out a model for collaboration that in some ways rivals the trust and collaboration between organizations and countries?

Arguably, their collaboration use case is substantively different from large multinational corporations and governments. The value of an exploit generally degrades the longer it is in the wild. This means that part of the cybercriminal financial model is highly dependent on the speed of dissemination. If they hold onto an exploit for too long, they risk having a valueless asset. Finding and monetizing a SQL injection vulnerability is a fairly straightforward and rapid activity. This is in high contrast to large organizations doing business around the globe that must spend a significant amount of time planning and executing their business strategies. Not to mention the fact that, by definition, criminals dont operate under any governmental laws, have any employee protection rules, or pay employee taxes.

On the legal side of cybersecurity, we need to plan for long-term success and adhere to a long list of mandates and regulations. And because were not in the business of selling exploits, sharing with others how one company defends against them could be seen as giving away part of a competitive edge. When it comes to governments, the hurdles to collaborative trust can be much higherespecially when some of those governments are in virtual trade wars with each other.

Despite the hurdles, we can move forward with cyber-collaborationwithout losing our collective competitive edgeby following these three steps:

  1. Agree on the rulesWho shares what and when? And whats the quid pro quo? Asymmetric sharing becomes lopsided and abandoned. Also, how will the information be protected and, as needed, anonymized?
  2. Leverage whats thereISACs are already up and running, with their own rules. There are also industry consortiums like Cloud Security Alliance (CSA) and vendor associations like the Microsoft Intelligent Security Association.
  3. Enforce the rulesIf members of an association dont play fair, it wont be long before members who are following the rules feel cheated. Voluntary trust is good, but there needs to be an enforcement mechanism to ensure fairness. Organizations that dont follow the rules risk getting cut out.

Much like the stork in the story helped the Moomins get an aerial vantage point of the landscape to help find their way to Moominpappa, so too can a collaborative and open sharing approachsubject to the rules, processes, and parameters defined in the steps abovegive you a different perspective of the landscape that your business needs to traverse from a security standpoint.

But keep in mind that, in the story, the stork doesnt do all the worktheres action required on the part of the Moomins too. They need to find the stork in the first place. In our world, this means a systematic effort to reach out to and engage with information-sharing partners and active cultivation of these relationships. Likewise, knowing how to employ that information is also critical. To this end, threat intelligence tools that enhance visibility and detective controls, such as SIM and IDS, help you understand the current state of your environment to better utilize information you receive from information-sharing partners.

Lastly, the Moomins need to know about their village (Moominpappa) to be able to recognize it from a distance. Even if the stork provides them with a better view, they still need to recognize the village from the air, which anybody whos been in an airplane can attest isnt always easy. By analogy, this means that the better security teams understand the normative state of their own networks and infrastructure, the better equipped they are to leverage data they learn through sharing and gathered from visibility-enhancing tools.

Were not living in a cartoon world of Moomins, but that doesnt mean we cant take a valuable lesson from them about trust and collaboration.

Quantum Leaps and Bounds: Why Quantum Computing Will Have a Positive Impact on Cybersecurity

Earlier this year, our chief technology officer (CTO) of data security, Walid Rjaibi, outlined his perspective on the risks that quantum computers might pose to cybersecurity, particularly concerning common algorithms used in encryption. He astutely observed, however, that the risks are only one part of the story.

Quantum computing also has the potential to revolutionize our cybersecurity capabilities.

How Will Quantum Computing Enhance Cybersecurity?

According to a new IBM Institute for Business Value (IBV) paper, the two most notable areas of cybersecurity that quantum computing promises to enhance are machine learning and quantum number generation.

Machine learning is already a widely used and understood term in the cybersecurity world. We use machine learning capabilities today in security information and event management (SIEM), data protection, incident response and other solutions to improve behavior anomaly detection, classification and prediction capabilities. Given their improved speed and power, quantum computers have the potential to enhance the efficacy of machine learning when used for cybersecurity pursuits.

Random number generation is a key component of cryptography (pun intended). Classical random number generation can be split into two categories: pseudo-random number generators (PRNGs) and true random number generators (TRNGs). TRNGs are more suitable for generating strong encryption keys (you can read more about why in the IBV paper). Quantum random number generators (QRNGs) would be a special subset of TRNGs, which exploit the inherent randomness of quantum physics to generate even more random sequences of numbers, thus stronger encryption keys.

Download the complete IBM IBV paper: Preparing Cybersecurity Now for a Quantum World

Cybersecurity: Why the Sky Isn’t Falling

As you may have learned at Think 2018, despite the risks quantum computing may pose to cybersecurity, the sky is not falling. There are many measures organizations can take to safeguard their critical data today and in the future.

For example, doubling the key size of existing symmetric encryption algorithms can help companies prepare for how the cybersecurity landscape may change when large-scale quantum computers become available. Beyond that, the improvements quantum computing could potentially bring to cybersecurity will also contribute to stronger protection capabilities.

To learn more about the cybersecurity implications of quantum computing and how you can prepare for the future, download our recent paper from the IBM IBV, “Wielding a Double-Edged Sword: Preparing Cybersecurity Now for a Quantum World.”

The post Quantum Leaps and Bounds: Why Quantum Computing Will Have a Positive Impact on Cybersecurity appeared first on Security Intelligence.

Security concerns around the rapidly growing use of the Industrial Internet of Things

Organisations hold disparate and unrealistic views on protecting the Industrial Internet of Things (IIoT), in which endpoints are considered to be the most vulnerable aspects, despite confusion over what actually constitutes an endpoint. These are the key findings of the 2018 SANS Industrial IoT Security Survey report, which examines the security concerns around the rapidly growing use of IIoT. IIoT is the subset of the Internet of Things that focuses specifically on the industrial application … More

The post Security concerns around the rapidly growing use of the Industrial Internet of Things appeared first on Help Net Security.

Are Fake Apps Taking Over Your Phone?

It seems some malicious app developers have taken the phrase “fake it ‘til you make it” to heart, as fake apps have become a rampant problem for Android and iPhone users alike. Even legitimate sources, such as Google Play and Apple’s App Store, have been infiltrated with illegitimate applications, despite their own due diligence in combating this phenomenon.

After downloading a fake app, cybercriminals leverage ransomware or malware through ads to run in the background of your device to do damage, making it difficult to notice something’s off. But while you’re minding your own business, your personal data –such as usernames, photos, passwords, and credit card information– can be compromised.

Malicious apps have become more challenging to detect, and even more difficult to delete from a device without causing further damage. The trend of fake apps shows no sign of slowing down either, as bad actors have become more brazen with the apps they work to imitate. From Nordstrom to Fortnite to WhatsApp, it seems no business or industry is off limits.

Luckily, cybercriminals have yet to figure out a sure-fire way to get their fake apps onto our devices. By paying extra attention to detail, you can learn to identify a fake app before downloading it. Here’s how:

  • Check for typos and poor grammar. Double check the app developer name, product title, and description for typos and grammatical errors. Malicious developers often spoof real developer IDs, even just by a single letter, to seem legitimate. If there are promises of discounts, or the description just feels off, those signals should be taken as red flags.
  • Look at the download statistics. If you’re attempting to download a popular app like WhatsApp, but it has an inexplicably low number of downloads, that’s a fairly good indicator that an app is most likely fraudulent.
  • Read what others are saying. When it comes to fake apps, user reviews are your ally. Breezing through a few can provide vital information as to whether an app is authentic or not, so don’t be afraid to crowdsource those insights when you can.

If you do find yourself having accidentally downloaded a fake app, there are steps you can take to rid your phone of it. Here’s what to do:

  • Delete the app immediately or as soon as you notice anything suspicious. If you can’t find it, but you’re still having issues, the app could still be on your device. That’s because, in the interest of self-preservation, fake apps can try and protect themselves from disposal by making their icon and title disappear. If that happens, go to your installed apps page(s) and look for blank spaces, as it may be hiding there.
  • Check the permissions. After installation, check the app’s permissions. Fake apps usually give long lists of frivolous requests in an effort to get access to more data.
  • Clear the app’s cache and data. If you do find the app you want to delete, this is the first step you must take in order to get the app completely off your phone.
  • Take it into your provider. If you’re still having issues after you’ve deleted an app, consider taking your device into your provider to run a diagnostic test.
  • Factory reset. As a last resort, if you can’t find the app because it has “disappeared,” or traces of the app and malware linger, the best way to ensure it is completely gone is to wipe the data, factory reset your device, and start over. This is why it is vital to have backups of your devices.

Even as this ever-growing trend of malicious developers spoofing legitimate applications to gain access to victims’ personal information continues, we can deter their advances simply by paying closer attention to detail. Remember to be vigilant about being aware of the signs to avoid fake apps at all costs.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Are Fake Apps Taking Over Your Phone? appeared first on McAfee Blogs.

The evolution of email fraud: Risks and protection tips

Marc Chouinard is Email Security Operations Lead at Vircom, an email security vendor based in Montreal, Canada. He has established a reputation as a no-nonsense leader in understanding and acting against threats on a daily basis, and in this interview he talks about email fraud, BEC scams, and the evolution of email threats. What should large organizations be aware of when it comes to email fraud? What are some of the most overlooked aspects of … More

The post The evolution of email fraud: Risks and protection tips appeared first on Help Net Security.

Securing the supply chain: Organizations need best practices in proactive security

CrowdStrike announced the results of its global supply chain survey, Securing the Supply Chain, produced by research firm Vanson Bourne. The study surveyed 1,300 senior IT decision-makers and IT security professionals in the US, Canada, UK, Mexico, Australia, Germany, Japan, and Singapore across major industry sectors. Thinking about your organization’s IT security over the next 12 months, which of the following types of cyberattack are causing concern in your organization? The survey concludes that although … More

The post Securing the supply chain: Organizations need best practices in proactive security appeared first on Help Net Security.

Privacy pros gaining control of technology decision-making over IT

TrustArc and IAPP announced the results of new research that examined how privacy technology is bought and deployed to address privacy and data protection challenges. Surveying privacy professionals worldwide, the findings of the survey show that privacy management technology usage is on the rise across all regions and that privacy teams have significant influence on purchasing decisions for eight of the ten technology categories surveyed. “This global survey is critical in our efforts to better … More

The post Privacy pros gaining control of technology decision-making over IT appeared first on Help Net Security.

Quantum computing revenue to hit $15 billion in 2028 due to AI, R&D, cybersecurity

Total revenue generated from quantum computing services will exceed $15 billion by 2028, forecasts ABI Research. The demand for quantum computing services will be driven by some process hungry research and development projects as well as by the emergence of several applications including advanced artificial intelligence algorithms, next-generation encryption, traffic routing and scheduling, protein synthesis, and/or the design of advanced chemicals and materials. These applications require a new processing paradigm that classical computers, bound by … More

The post Quantum computing revenue to hit $15 billion in 2028 due to AI, R&D, cybersecurity appeared first on Help Net Security.

Will you be able to buy a 5G smartphone for Christmas?

Santa Claus may not be the only one coming to town this year – last week one of the biggest wireless carriers in the US added a few more names to their list of cities named to get mobile 5G network by the end of 2018. AT&T confirmed in a statement that the new wireless technology would drastically increase the mobile wireless internet speeds and enhance their first-responders broadband platform. The list so far includes cities from all sizes such as Dallas, Atlanta, Waco, Charlotte, Raleigh, and Oklahoma.

AT&T wants to be the first major US carrier to introduce 5G to their customers and aims to bring its technology to at least a dozen cities by the end of 2018. AT&T hopes that the new 5G network will attract investors to those communities, have a positive impact on jobs creation and drive overall economic growth.

T-Mobile is in the game too; they announced plans to build 5G infrastructure in 30 US cities by the end of 2018. However, even though that the network might be ready for usage soon, they will likely start offering it to its customers at some point next year. Verizon wireless is also catching up on the 5G implementation game but not for their wireless service offering – they are planning on strengthening their position in the broadband market first, by introducing 5G broadband service. They have plans to launch the latest technology to at least four cities in the US, starting with Los Angeles.

How is this going to affect you?

Faster speeds

In an interview for Venture Beat published back in May 2018, Qualcomm spokesperson stated that the 5G speeds would go anywhere from 1 to 4.5Gbps. Having in mind 4G LTE is often referred as offering a 1 Gbps connection, it is safe to say so we can expect the new 5G speeds to make your internet about 2 to 4 times faster than what you have right now. Rapid internet speeds mean that live streaming of ultra-high definition 8k video may come sooner than later.

New phones

The users wanting to experience fasters speeds to their fullest will have to purchase 5G compatible cellphones. All major mobile device manufacturers are actively working on developing the first 5G phones for the US market. While some of them are expected to release brand new 5G compatible devices later this year, the majority of the cell phone manufacturers will leave it for 2019.

Different billing

US wireless carriers will most likely introduce different options for unlimited internet depending on your speed of choice. Verizon Wireless currently offers genuinely unlimited 3G internet speeds to people who cap their LTE data usage. As an example, if you are on an 8GB monthly data plan and you end up using all your data allowance, Verizon Wireless would automatically throttle your speed to unlimited 3G. Downgrading to 3G will make your internet access unlimited but essentially decrease your internet speeds nearly ten times.

Increased data consumption

Moving to a 5G network will undoubtedly increase the amounts of wireless data that you are using. Ultra high-res video will most likely become a standard, and your data consumption will start reaching new highs prompting you to upgrade to higher data plans. This would undoubtedly have an impact on your wireless bill.

Security

The fasters speeds of the advanced 5G technology will not only help wireless carriers meet the ever-growing data consumption demands of their user base but will increase the productivity of first responders and law enforcement. Companies in the cloud computing and AI industries will only benefit from the new technology as they will strengthen the stability of their offerings, and even increase their service portfolios.

What will happen to LTE/4G?

The rollout of 5G does not necessarily mean that your carrier would immediately terminate the existence of their 4G network. Wireless carriers will keep the network up and running as a backup for areas where 5G isn’t available, similar to the way 3G is being used nowadays in the US.

The new technology will inevitably have an impact on everyone in the US. Mixed reality will enter more industries, AI and cloud computing companies will use the technology to grow, and 5G will bring the detail in ultra-high definition video. AT&T’s readiness to deploy 5G by the end of the year is a sign that we may soon see 5G smartphones hit the retail network! However, with great power comes great responsibility, the faster speeds may give more power to cybercriminals too – stealing 1TB of data would not take as long as it does right now. When 5G hits the market protecting all your connected devices will be as important as it is right now!

Download Panda Mobile Security

The post Will you be able to buy a 5G smartphone for Christmas? appeared first on Panda Security Mediacenter.

Vulnerability research and responsible disclosure: Advice from an industry veteran

“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab. Any member … More

The post Vulnerability research and responsible disclosure: Advice from an industry veteran appeared first on Help Net Security.

How SOAR can increase the value of your security team

Over the past few years, the cybersecurity industry has rapidly transformed. The exploding number and growing complexity of cyberattacks has forced organizations to spend billions of dollars annually on cybersecurity measures in an effort to keep pace with increasingly sophisticated threats and rising threat levels. However, for many companies, recent research from ESG shows that cybersecurity represents the most significant area where organizations have a troublesome shortage of skills and tools as 51 percent claimed … More

The post How SOAR can increase the value of your security team appeared first on Help Net Security.

Exploring the dynamics of the attacker economy

Global software companies are increasingly turning to attackers for help identifying security vulnerabilities in their offerings – and they’re not the only ones. Conservative government agencies are even beginning to welcome bug bounty hunters. Just recently, the U.S. Department of Defense (DoD) announced its search for a commercial bug bounty company that conducts crowdsourced vulnerability discovery and disclosure. Despite the growing number of organizations and government agencies that are embracing bug bounty hunters, questions still … More

The post Exploring the dynamics of the attacker economy appeared first on Help Net Security.

Ecuador Will Imminently Withdraw Asylum for Julian Assange and Hand Him Over to the UK. What Comes Next?

Ecuador’s President Lenin Moreno traveled to London on Friday for the ostensible purpose of speaking at the 2018 Global Disabilities Summit (Moreno has been confined to a wheelchair since being shot in a 1998 robbery attempt). The concealed, actual purpose of the President’s trip is to meet with British officials to finalize an agreement under which Ecuador will withdraw its asylum protection of Julian Assange, in place since 2012, eject him from the Ecuadorian Embassy in London, and then hand over the WikiLeaks founder to British authorities.

Moreno’s itinerary also notably includes a trip to Madrid, where he will meet with Spanish officials still seething over Assange’s denunciation of human rights abuses perpetrated by Spain’s central government against protesters marching for Catalonia independence. Almost three months ago, Ecuador blocked Assange from accessing the internet, and Assange has not been able to communicate with the outside world ever since. The primary factor in Ecuador’s decision to silence him was Spanish anger over Assange’s tweets about Catalonia.

Presidential decree signed on July 17 by Ecuadorian President Lenin Moreno, outlining his trip to London and Madrid

A source close to the Ecuadorian Foreign Ministry and the President’s office, unauthorized to speak publicly, has confirmed to the Intercept that Moreno is close to finalizing, if he has not already finalized, an agreement to hand over Assange to the UK within the next several weeks. The withdrawal of asylum and physical ejection of Assange could come as early as this week. On Friday, RT reported that Ecuador was preparing to enter into such an agreement.

The consequences of such an agreement depend in part on the concessions Ecuador extracts in exchange for withdrawing Assange’s asylum. But as former Ecuadorian President Rafael Correa told the Intercept in an interview in May, Moreno’s government has returned Ecuador to a highly “subservient” and “submissive” posture toward western governments.

It is thus highly unlikely that Moreno – who has shown himself willing to submit to threats and coercion from the UK, Spain and the U.S. – will obtain a guarantee that the U.K. not extradite Assange to the U.S., where top Trump officials have vowed to prosecute Assange and destroy WikiLeaks.

The central oddity of Assange’s case – that he has been effectively imprisoned for eight years despite never having been charged with, let alone convicted of, any crime – is virtually certain to be prolonged once Ecuador hands him over to the U.K. Even under the best-case scenario, it appears highly likely that Assange will continue to be imprisoned by British authorities.

The only known criminal proceeding Assange currently faces is a pending 2012 arrest warrant for “failure to surrender” – basically a minor bail violation charge that arose when he obtained asylum from Ecuador rather than complying with bail conditions by returning to court for a hearing on his attempt to resist extradition to Sweden.

That charge carries a prison term of three months and a fine, though it is possible that the time Assange has already spent in prison in the UK could be counted against that sentence. In 2010, Assange was imprisoned in Wandsworth Prison, kept in isolation, for 10 days until he was released on bail; he was then under house arrest for 550 days at the home of a supporter.

Assange’s lawyer, Jen Robinson, told the Intercept that he would argue that all of that prison time already served should count toward (and thus completely fulfill) any prison term imposed on the “failure to surrender” charge, though British prosecutors would almost certainly contest that claim. Assange would also argue that he had a reasonable, valid basis for seeking asylum rather than submitting to UK authorities: namely, well-grounded fear that he would be extradited to the U.S. for prosecution for the act of publishing documents.

Beyond that minor charge, British prosecutors could argue that Assange’s evading of legal process in the UK was so protracted, intentional and malicious that it rose beyond mere “failure to surrender” to “contempt of court,” which carries a prison term of up to two years. Just on those charges alone, then, Assange faces a high risk of detention for another year or even longer in a British prison.

Currently, that is the only known criminal proceeding Assange faces. In May, 2017, Swedish prosecutors announced they were closing their investigation into the sexual assault allegations due to the futility of proceeding in light of Assange’s asylum and the time that has elapsed.

The far more important question that will determine Assange’s future is what the U.S. Government intends to do. The Obama administration was eager to prosecute Assange and WikiLeaks for publishing hundreds of thousands of classified documents, but ultimately concluded that there was no way to do so without either also prosecuting newspapers such as the New York Times and the Guardian which published the same documents, or create precedents that would enable the criminal prosecution of media outlets in the future.

Indeed, it is technically a crime under U.S. law for anyone – including a media outlet – to publish certain types of classified information. Under U.S. law, for instance, it was a felony for the Washington Post’s David Ignatius to report on the contents of telephone calls, intercepted by the NSA, between then National Security Adviser nominee Michael Flynn and Russian Ambassador Sergey Kislyak, even though such reporting was clearly in the public interest since it proved Flynn lied when he denied such contacts.

That the Washington Post and Ignatius – and not merely their sources – violated U.S. criminal law by revealing the contents of intercepted communications with a Russian official is made clear by the text of 18 § 798 of the U.S. Code, which provides (emphasis added):

Whoever knowingly and willfully communicates … or otherwise makes available to an unauthorized person, or publishes … any classified information … obtained by the processes of communication intelligence from the communications of any foreign government … shall be fined under this title or imprisoned not more than ten years, or both.”

But the U.S. Justice Department has never wanted to indict and prosecute anyone for the crime of publishing such material, contenting themselves instead to prosecuting the government sources who leak it. Their reluctance has been due to two reasons: first, media outlets would argue that any attempts to criminalize the mere publication of classified or stolen documents is barred by the press freedom guarantee of the First Amendment, a proposition the DOJ has never wanted to test; second, no DOJ has wanted as part of its legacy the creation of a precedent that allows the U.S. Government to criminally prosecute journalists and media outlets for reporting classified documents.

But the Trump administration has made clear that they have no such concerns. Quite the contrary: last April, Trump’s then-CIA Director Mike Pompeo, now his Secretary of State, delivered a deranged, rambling, highly threatening broadside against WikiLeaks. Without citing any evidence, Pompeo decreed that WikiLeaks is “a non-state hostile intelligence service often abetted by state actors like Russia,” and thus declared: “we have to recognize that we can no longer allow Assange and his colleagues the latitude to use free speech values against us.”

The long-time right-wing Congressman, now one of Trump’s most loyal and favored cabinet officials, also explicitly rejected any First Amendment concerns about prosecuting Assange, arguing that while WikiLeaks “pretended that America’s First Amendment freedoms shield them from justice . . . they may have believed that, but they are wrong.”

Pompeo then issued this bold threat: “To give them the space to crush us with misappropriated secrets is a perversion of what our great Constitution stands for. It ends now.”

Trump’s Attorney General Jeff Sessions has similarly vowed not only to continue and expand the Obama DOJ’s crackdown on sources, but also to consider the prosecution of media outlets that publish classified information. It would be incredibly shrewd for Sessions to lay the foundation for doing so by prosecuting Assange first, safe in the knowledge that journalists themselves – consumed with hatred for Assange due to personal reasons, professional jealousies, and anger over the role they believed he played in 2016 in helping Hillary Clinton lose – would unite behind the Trump DOJ and in support of its efforts to imprison Assange.

During the Obama years, it was a mainstream view among media outlets that prosecuting Assange would be a serious danger to press freedoms. Even the Washington Post Editorial Page, which vehemently condemned WikiLeaks, warned in 2010 that any such prosecution would “criminalize the exchange of information and put at risk” all media outlets. When Pompeo and Sessions last year issued their threats to prosecute Assange, former Obama DOJ spokesperson Matthew Miller insisted that no such prosecution could ever succeed:

For years, the Obama DOJ searched for evidence that Assange actively assisted Chelsea Manning or other sources in the hacking or stealing of documents – in order to prosecute them for more than merely publishing documents – and found no such evidence. But even that theory – that a publisher of classified documents can be prosecuted for assisting a source – would be a severe threat to press freedom, since journalists frequently work in some form of collaboration with sources who remove or disclose classified information. And nobody has ever presented evidence that WikiLeaks conspired with whomever hacked the DNC and Podesta email inboxes to effectuate that hacking.

But there seems little question that, as Sessions surely knows, large numbers of U.S. journalists – along with many, perhaps most, Democrats – would actually support the Trump DOJ in prosecuting Assange for publishing documents. After all, the DNC sued WikiLeaks in April for publishing documents – a serious, obvious threat to press freedom – and few objected.

And it was Democratic Senators such as Dianne Feinstein who, during the Obama years, were urging the prosecution of WikiLeaks, with the support of numerous GOP Senators. There is no doubt that, after 2016, support among both journalists and Democrats for imprisoning Assange for publishing documents would be higher than ever.

If the U.S. did indict Assange for alleged crimes relating to the publication of documents, or if they have already obtained a sealed indictment, and then uses that indictment to request that the U.K. extradite him to the U.S. to stand trial, that alone would ensure that Assange remains in prison in the U.K. for years to come.

Assange would, of course, resist any such extradition on the ground that publishing documents is not a cognizable crime and that the U.S is seeking his extradition for political charges that, by treaty, cannot serve as the basis for extradition. But it would take at least a year, and probably closer to three years, for U.K. courts to decide these extradition questions. And while all of that lingers, Assange would almost certainly be in prison, given that it is inconceivable that a British judge would release Assange on bail given what happened the last time he was released.

All of this means that it is highly likely that Assange – under his best-case scenario – faces at least another year in prison, and will end up having spent a decade in prison despite never having been charged with, let alone convicted of, any crime. He has essentially been punished – imprisoned – by process.

And while it is often argued that Assange has only himself to blame, it is beyond doubt, given the Grand Jury convened by the Obama DOJ and now the threats of Pompeo and Sessions, that the fear that led Assange to seek asylum in the first place – being extradited to the U.S. and politically persecuted for political crimes – was well-grounded.

Assange, his lawyers and his supporters always said that he would immediately board a plane to Stockholm if he were guaranteed that doing so would not be used to extradite him to the U.S., and for years offered to be questioned by Swedish investigators inside the embassy in London, something Swedish prosecutors only did years later. Citing those facts, a United Nations panel ruled in 2016 that the actions of the U.K. government constituted “arbitrary detention” and a violation of Assange’s fundamental human rights.

But if, as seems quite likely, the Trump administration finally announces that it intends to prosecute Assange for publishing classified U.S. Government documents, we will be faced with the bizarre spectacle of U.S. journalists – who have spent the last two years melodramatically expressing grave concern over press freedom due to insulting tweets from Donald Trump about Wolf Blitzer and Chuck Todd or his mean treatment of Jim Acosta – possibly cheering for a precedent that would be the gravest press freedom threat in decades.

That precedent would be one that could easily be used to put them in a prison cell alongside Assange for the new “crime” of publishing any documents that the U.S. Government has decreed should not be published. When it comes to press freedom threats, such an indictment would not be in the same universe as name-calling tweets by Trump directed at various TV personalities.

When it came to denouncing due process denials and the use of torture at Guantanamo, it was not difficult for journalists to set aside their personal dislike for Al Qaeda sympathizers to denounce the dangers of those human rights and legal abuses. When it comes to free speech assaults, journalists are able to set aside their personal contempt for a person’s opinions to oppose the precedent that the government can punish people for expressing noxious ideas.

It should not be this difficult for journalists to set aside their personal emotions about Assange to recognize the profound dangers – not just to press freedoms but to themselves – if the U.S. Government succeeds in keeping Assange imprisoned for years to come, all due to its attempts to prosecute him for publishing classified or stolen documents. That seems the highly likely scenario once Ecuador hands over Assange to the U.K.

The post Ecuador Will Imminently Withdraw Asylum for Julian Assange and Hand Him Over to the UK. What Comes Next? appeared first on The Intercept.

March-April 2018 test results: More insights into industry AV tests

In a previous post, in the spirit of our commitment to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions, we shared insights and context into the results of AV-TESTs January-February 2018 test cycle. We released a transparency report to help our customers and the broader security community to stay informed and understand independent test results better.

In the continued spirit of these principles, wed like to share Windows Defender AVs scores in the March-April 2018 test. In this new iteration of the transparency report, we continue to investigate the relationship of independent test results and the real-world protection of antivirus solutions. We hope that you find the report insightful.

Download the complete transparency report on March-April 2018 AV-TEST results

 

Below is a summary of the transparency report:

Protection: Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). With the latest results, Windows Defender AV has achieved 100% on 9 of the 12 most recent tests (combined “Real World” and “Prevalent malware”).
Usability (false positives):Windows Defender AV maintained its previous score of 5.5/6.0. Based on telemetry, most samples that Windows Defender AV incorrectly classified as malware (false positive) had very low prevalence and are not commonly used in business context. This means that it is unlikely for these false positives to affect enterprise customers.
Performance: Windows Defender AV maintained its previous score of 5.5/6.0 and continued to outperform the industry in most areas. These results reflect the investments we made in optimizing Windows Defender AV performance for high-frequency actions.

 

The report aims to help customers evaluate the extent to which test results are reflective of the quality of protection in the real world. At the same time, insights from the report continue to drive further improvements in the intelligent security services that Microsoft provides for customers.

Windows Defender AV and the rest of the built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. In real customer environments, this unified security platform provides intelligent protection, detection, investigation, and response capabilities that are not currently reflected in independent tests. We tested the two malware samples that Windows Defender AV missed in the March-April 2018 test and proved that for both missed samples, at least three other components of Windows Defender ATP would detect or block the malware in a true attack scenario. You can find these details and more in the transparency report.

Download the complete transparency report on March-April 2018 AV-TEST results

 

The Windows Defender ATP security platform incorporates attack surface reduction, next-generation protection, endpoint detection and response, and advanced hunting capabilities. To see these capabilities for yourself, sign up for a 90-day trial of Windows Defender ATP, or enable Preview features on existing tenants.

 

 

 

Zaid Arafeh

Senior Program Manager, Windows Defender Research team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Six Tips for Recruiting and Retaining Women in Security Roles

There’s a shortage of women in security roles — and this is just one of the many challenges the cybersecurity industry is facing. There will also be 3.5 million unfilled cybersecurity positions by 2021, according to a 2017 report from Cybersecurity Ventures.

There’s a significant underrepresentation of women in the security field. Forrester published a study in February 2018, Best Practices: Recruiting And Retaining Women In Cybersecurity, which found that women represent just 11 percent of cybersecurity professionals worldwide.

So, how can industry leaders recruit and retain women to fill these crucial positions?

What Problems Do Women Face in Cybersecurity?

One reason organizations continue to struggle to fill roles with female candidates is an ongoing problem with sexism and discrimination, stressed Claire O’Malley, analyst and co-author of the 2018 Forrester study, in a Forrester blog post.

Other research from the field backs up this assertion. The Frost & Sullivan white paper, 2017 Global Information Security Workforce Study: Women in Cybersecurity, asked nearly 20,000 information security professionals around the world about discrimination and inclusion and found that 51 percent of women (and 15 percent of men) had experienced one or more forms of discrimination. These types of discrimination included unexplained denial of or delay in career advancement, exaggerated highlighting of mistakes or errors and tokenism.

How to Recruit and Retain Women in Security

Forrester Research offered suggestions for recruiting and retaining women in the security industry. The report provided actionable tips for organizations seeking to add more women to their ranks by creating an inclusive culture.

“The industry is making enormous strides, but with women occupying only 11 percent of cybersecurity positions, the playing field is still not close to level,” said O’Malley in her blog post. “The industry needs to change its recruiting and retainment efforts to better the workplace for women and all employees as it fills the millions of open jobs.”

As recruitment continues to lose pace with workforce demand, companies will have to deliberately change gears into taking more proactive steps to lift the roadblocks to equal representation.

With these hurdles in mind, Forrester recommends:

  1. Partnering with educational institutions: Partner with colleges and universities with high female enrollment. Seek candidates from schools with known partnerships with professional development programs, such as Women in Science and Engineering.
  2. Looking internally for change-seekers: Look internally to women who may be eager for a career change. You may not find what you’re looking for if you’re only looking externally to fill a role. Internal female employees who show the aptitude and attitude to take on new challenges may be worth considering when hiring.
  3. Seeing beyond STEM: Think beyond science, technology, engineering and mathematics (STEM) backgrounds when recruiting. With so many security roles to fill, it only makes sense to consider non-traditional candidates with other backgrounds that go beyond the usual computer science and engineering degrees.
  4. Making HR an ally: Work with human resources (HR) on your diversity efforts. Develop a plan with human resources to help them understand your diversity goals and ensure you’re on the same page.
  5. Establishing mentoring programs: Develop mentoring programs within your organization. Strong employees are more likely to stay if they feel they have the support and mentoring that deepens their connections to the organization.
  6. Prioritizing event recruitment: Make an effort to get to and recruit from industry events where there is significant female attendance.

To date, the pace of change has been too slow, according to Joyce Brocaglia, CEO of cyber executive search firm Alta Associates and founder of the Executive Women’s Forum.

“Diversity of thought isn’t something the cybersecurity industry can be successful without,” Brocaglia said to Slate. “Why would you eliminate the brilliance of 50 percent of the population?”

The post Six Tips for Recruiting and Retaining Women in Security Roles appeared first on Security Intelligence.

Dealing with a system launch: It requires more than just testing

Rolling out new IT systems or software can be a challenge and fraught with issues from day one – and the recent IT crisis with TSB has shown how damaging these can be if managed poorly. A lack of pre-launch tests has been raised as a potential cause of immediate failures, but it would be simplistic to suggest that this would completely eliminate the problems that companies encounter following a system launch. A successful launch … More

The post Dealing with a system launch: It requires more than just testing appeared first on Help Net Security.

Cybersecurity no longer top risk for telecom industry

Telecommunications executives have relegated disruption from new technologies to third place in their risk top 5: the number one risk identified by 60 telecom companies surveyed right now is exchange rate volatility, according to phone companies and internet providers. This latest edition of the BDO 2018 Telecommunications Risk Factor Survey ranks the 5 most significant risks facing telecoms companies as follows: Exchange rate/foreign currency changes Increased competition The fast arrival of new technologies Access to … More

The post Cybersecurity no longer top risk for telecom industry appeared first on Help Net Security.

‘IT system issue’ caused cancellation of British Airways cancelled flights at Heathrow

British Airways canceled flights at Heathrow due to an ‘IT system issue,’ the incident occurred on Wednesday and affected thousands of passengers.

The problem had severe repercussions on the air traffic, many passengers also had their flights delayed.

“On one of the busiest days of the summer, British Airways cancelled dozens of flights to and from Heathrow, affecting at least 7,000 passengers

Problems began for BA when the control tower was closed for around 35 minutes on Wednesday afternoon when a fire alarm was triggered. Landings and take-offs were stopped.” reported the British Independent,

“Then an IT issue emerged which caused further disruption for BA and other airlines. Hundreds of flights were delayed, and some evening outbound departures were canceled. Around 3,000 British Airways passengers were stranded overnight abroad.”

The IT problem affected 7,000 passengers and more than 3,000 were forced to spend the night abroad attempting to fly back to London.

Officially the problem was originated by the IT supplier Amadeus that caused disruption to the flights, below the official statement of British Airways on its Twitter account. Reportedly, the British Airways passengers stranded at the airport were advised to ‘look for overnight accommodation or seek alternative travel arrangements’.

It seems that the IT problems affected also online-check in service of the company.

British Airways

“We are aware that British Airways is currently experiencing an issue which is impacting their ability to provide boarding passes to some passengers. We will be working with the airline to support their efforts to resolve the issue as quickly as possible.” stated a spokesperson for Heathrow. 

The problems began a few hours after a fire alarm at Heathrow’s air traffic control tower was triggered causing delays for several airlines. According to the airport, this event is not related to the British Airways issue, while airline glitch has “impacted operation of the airfield for a short while”.

“The vast majority of customers affected by the supplier system issue and the temporary closure of Heathrow airport’s air traffic control tower are now on route to their destinations.”

“The supplier, Amadeus, resolved their system issue last night, and our schedule is now operating as normal.” said a spokesperson for British Airways.”

“We have apologised to our customers for disruption to their travel plans.”

British Airways experienced another technical problem at its IT systems in May 2017.

Pierluigi Paganini

(Security Affairs – British Airways, cybersecurity)

The post ‘IT system issue’ caused cancellation of British Airways cancelled flights at Heathrow appeared first on Security Affairs.

Imperva Cloud Security Now Available Through UK Government’s GCloud 10 Digital Marketplace

Building on the success of Imperva listing our market-leading, single stack Incapsula cloud platform for DDOS protection; CDN; load balancing and WAF on the GCloud 9 framework, Imperva has now added more products to the GCloud 10 portfolio.

As the UK pushes for even greater digital adoption on a national scale, it constantly adds to and updates GCloud 10; a hotlist of preferred products and services for companies that seek to do business with government… simply put, partnering with Imperva now ticks an important box on the UK government’s procurement checklist.

Imperva SecureSphere data protection solutions protect databases from attack, reduce risk and streamlines compliance by enabling organizations to leverage common infrastructure, both in AWS, Azure, hybrid and on-prem.

Imperva SecureSphere Web Application Firewall (WAF) for AWS & Azure provides the industry’s leading WAF technology to protect web apps. It combines multiple defenses to accurately pinpoint and block attacks without blocking your citizens and partners.

Check us out on the Digital Marketplace if you’d like to learn more.

How hackers exploit critical infrastructure

The traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value. It should come as no surprise, therefore, that as operational technology (OT) and industrial control system (ICS) infrastructure have become much more prominent components of national critical infrastructure, that malicious hacking activity would be increasingly targeted in this direction. It also stands to reason that the salient aspects of hacking – namely, remote access, … More

The post How hackers exploit critical infrastructure appeared first on Help Net Security.

Retail data breaches continue to reach new highs

Thales announced the results of its 2018 Thales Data Threat Report, Retail Edition. According to U.S. retail respondents, 75% of retailers have experienced a breach in the past compared to 52% last year, exceeding the global average. U.S retail is also more inclined to store sensitive data in the cloud as widespread digital transformation is underway, yet only 26% report implementing encryption – trailing the global average. Year-over-year breach rate takes a turn for the … More

The post Retail data breaches continue to reach new highs appeared first on Help Net Security.

Inside look at lifecycle of stolen credentials and extent of data breach damage

Shape Security released its Credential Spill Report, shedding light on the extent to which the consumer banking, retail, airline and hospitality industries are impacted by credential stuffing attacks and account takeover. The report analyzes attacks that took place in 2017 and reveals 2.3 billion account credentials were compromised as a result of 51 independent credential spill incidents. Credential stuffing collectively costs U.S. businesses over $5 billion a year. When usernames and passwords are exposed, or … More

The post Inside look at lifecycle of stolen credentials and extent of data breach damage appeared first on Help Net Security.

Attention all passengers: Airport networks are putting you at risk!

Coronet released a report identifying San Diego International Airport, John Wayne Airport-Orange County (CA) International Airport and Houston’s William P. Hobby International Airport as America’s most cyber insecure airports. The purpose of the report is to inform business travelers of how insecure airport Wi-Fi can inadvertently put the integrity and confidentiality of their essential cloud-based work apps (G-Suite, Dropbox, Office 365, etc.) at risk, and to educate all other flyers on the dangers of connecting … More

The post Attention all passengers: Airport networks are putting you at risk! appeared first on Help Net Security.

How Will Healthcare Cybersecurity Issues Impact Acquisitions?

We’ve all heard the stories about botnets and ransomware triggering nightmares for hospitals and healthcare facilities. From an operational standpoint, managing security risk couldn’t be more critical.

But healthcare is a hot industry — and many companies in the space are attracting purchasing interest from even larger organizations. These same healthcare cybersecurity vulnerabilities represent a massive stumbling block on the road to acquisition.

Healthcare Cybersecurity Surprises

A May 2018 study from consulting firm West Monroe Partners revealed that 58 percent of buyers discovered a cybersecurity problem at an acquired healthcare company after the deal was done. What’s more, 49 percent of buyers reported dissatisfaction with the cyber due diligence process during the deal.

The study uncovered several recurring themes, including a lack of robust cybersecurity infrastructure (30 percent), vulnerability to insider breaches (26 percent) and a lack of personnel with in-depth knowledge about cybersecurity issues (24 percent).

Cybersecurity clearly isn’t getting the resources it requires.

Inadequate cybersecurity resources are not a unique concern for the healthcare industry, however. Implementing best practices for internal security is a common challenge among growing and established industries. So, what gives?

Protecting Data: A Matter of Priority

Sean Curran, senior director of security and infrastructure at West Monroe Partners, said healthcare is not alone — all industries are struggling with resources.

“With healthcare, in particular, the challenges are more pervasive,” Curran said. “We like to think of it this way: If I have a budget, would I rather spend the money on keeping people alive and providing care or spend it on protecting data?”

For some small companies, Curran found that just keeping up with all the regulatory controls inherent within the industry is a monumental task.

“Perhaps they are assessing themselves with rose-colored glasses,” Curran said. “They think they are doing the right thing, but when you run a business as a small entity, every dime you make you want to put it into the business and don’t want to spend on security. They are only looking at how they run the business today and not five to seven years from now.”

Cyber Due Diligence

For healthcare companies going through mergers and acquisitions, the proper due diligence process can make or break a deal. Brad Haller, director of mergers and acquisitions at West Monroe Partners, compares due diligence to getting a home inspection: Before buying a house, an inspector must come in to ensure the foundation is stable, the windows are tight and everything is generally safe.

“Due diligence allows an investor to have the proper data with which to make an informed bid, and can determine how much they are willing to pay for the business,” Haller said.

The necessary due diligence for healthcare is also equally critical for other industries. According to Haller, the firm was surprised at the survey’s numbers — mainly that dissatisfaction with cybersecurity was the top issue. To the acquiring businesses, he noted, it’s challenging to assess the security of a company based on contracts and a few phone calls.

“To understand the security posture of a business, you need to do things like a threat hunt, have deep conversations with the privacy officer, the CISO [chief information security officer] … it’s part of diligence,” Haller said. “Companies may not want to show that they have vulnerabilities.”

Changes for Healthcare; Takeaways for the Enterprise

As big tech continues to establish its presence in the industry, many of these cybersecurity issues are sure to improve — but challenges remain. Curran stressed that perhaps the biggest problem in healthcare is something we hardly even think about: a doctor’s password.

Think about it: A doctor doesn’t want to change his or her password every 30 days with a complicated process. What’s more, a July 2017 study from Healthcare Informatics Research revealed that 74 percent of medical professionals admitted to sharing access credentials with others.

“That’s not going to change if you’re owned by big tech,” Curran said. “If that doctor doesn’t want to play by the security rules, they will win out, and security will take a back seat. To them, if security is in the way, they may not be able to access critical data or a critical situation.”

When faced with a challenge like this, big tech may be in a better position to get creative about solving these problems. However, until this changes in a cost-effective manner, Curran warned, we will not likely see significant change.

If companies who know they are being purchased still have security issues, what does that say about the enterprise in general? Perhaps it’s worse than we expected.

Sellers can take proactive steps in due diligence to ensure a smoother acquisition process, including:

  • Perform a thorough threat hunt.
  • Conduct security training and enforce best practices for employees at all levels.
  • Deploy cybersecurity technologies across your digital infrastructure.
  • Be open and honest with your buyers, and recognize that you won’t get the price you want if you’re not forthright.

What do you need to do? Look in the mirror. Be open and honest about where you stand and where you need to be. Perhaps that self-awareness is the catalyst to begin properly mitigating risk.

The post How Will Healthcare Cybersecurity Issues Impact Acquisitions? appeared first on Security Intelligence.

The Trickster Hackers – Backdoor Obfuscation and Evasion Techniques

A backdoor is a method for bypassing the normal authentication or encryption of a system. Sometimes developers construct backdoors to their own programs for various reasons. For example, to provide easy maintenance, developers introduce a backdoor that enables them to restore the manufacturer’s default password.

On the other side, very often attackers inject backdoors into vulnerable servers to take over the server, execute attacks and upload malicious payloads. A backdoor paves the way for hackers to launch further attacks. For example, attackers may inject backdoors that allow them to execute code on the infected server, or upload files. This code and files will contain the actual attack, which may contain different kinds of payloads like stealing data from an internal database or run cryptomining malware.

In this blog, we’ll discuss some of the attackers’ methods to inject backdoors while evading detection. We’ll show examples of real backdoors found in our data, and how they use different evasion and obfuscation techniques, some of them quite complex.

Types of Backdoors

There are several kinds of backdoors, written in different programming languages. For example, a backdoor written in PHP is designed to work on servers running on PHP, contrary to backdoors written in ASP that are designed to run on .net servers.

The purpose of the backdoor may vary, from a web shell which allows the attacker to run operating system commands on the infected machine to specially crafted backdoors which allow the attacker to upload and execute files.

There are many open source backdoors publicly available on sites like GitHub. Hackers can choose to inject a known backdoor, but then they risk being easily detected. More sophisticated hackers create their own backdoors or obfuscate the known backdoor they inject using different evasion techniques.

Common Security Controls

Security controls may try to block backdoors using a couple of different methods. One of them is to block the initial injection of the backdoor during an HTTP request, which is usually injected to a server using a known vulnerability. Another method is to analyze the content of the backdoor during the HTTP response, to find whether it contains code that is considered malicious.

This should come as no surprise, as attackers work hard to hide their real intentions when injecting these backdoors. Hackers usually make use of several evasion techniques, including obfuscating known functions and parameter names and using the encoding of the malicious code. In the next sections, we’ll show backdoors written in PHP where attackers used different techniques in order to avoid detection by security controls.

PHP evasion techniques

There are many methods that can be used in order for attackers to evade detection. The overall motivation, however, is to mask known functions or PHP keywords. Some of the known functions and keywords include:

Character reordering

In this example, the visual output of this page is the well-known “404 Not Found” message (line 2), which may suggest an error. However, there is an embedded backdoor code (lines 3-13) in this page. The keyword “_POST” is written in plain site; however, the attacker used a simple method to hide it:

Figure 1: Backdoor hiding the “_POST” keyword

In line 1, the backdoor code turns off all error reporting to avoid detection in case of an error. In line 3, the “default” parameter is defined as what seems to be like a random combination of characters. In line 4, the “about” parameter is defined when the code reorders these characters and turns them to upper case to build the keyword “_POST”.  This keyword is used in lines 5-12 to check if the HTTP request to this page was done via the POST method and whether it contained the “lequ” parameter.

If so, the backdoor uses the “eval” function to run the code that was sent in the parameter “lequ”. Thus, the backdoor reads the value from a parameter in a post request without ever using the keyword “$_POST”.

String concatenation

Another popular method used by attackers to obfuscate known keywords, is string concatenation, as in the following example:

Figure 2: Backdoor using string concatenation to hide known functions

Contrary to the previous backdoor, where known functions were written into backdoor itself without obfuscation, the only visible command in this code snippet is the “chr” function (line 1). This function takes a number between 0 and 255 and returns the correlated ascii character.

Adding a dot at the end of a character or a string is the PHP way to concatenate it to the next string. Using this functionality, attackers can concatenate several characters or strings to create a keyword that represents a known function, thus hiding it from detection.

Finally, this function is executed with the “@” sign at the beginning, that surpasses the printing of error notices. The purpose of this backdoor is to create a function that evaluates the code that is given in the first parameter of a post request. Using this backdoor, an attacker can trick detection systems and send the arbitrary code to the infected server using POST requests, where the code will be executed.

Deprecated functionality

Although some functions or functionality have been deprecated in previous versions of PHP, we still see attacks trying to abuse this functionality in current backdoors, as in this example:

Figure 3: Backdoor using the deprecated functionality of preg_replace

This one-line code snippet might seem simple, but it actually uses a couple of evasion techniques and can cause a lot of damage as a backdoor. First, the “str_rot13” function takes a string and shifts every letter 13 places in the alphabet. The output of this function on ‘riny’ is the well-known function ‘eval’. Next, the “preg_replace” function takes a regular expression, a replacement string, and subject string. It then searches for every occurrence of the regular expression in the subject and replaces it with the replacement string. The output string in the above example will be:

Meaning, evaluate the expression in the parameter ‘rose’ from the post request.

Notice the ‘/e’ tag inside the ‘preg_replace’. This is a deprecated tag that tells the program to execute output of the ‘preg_replace’ function. The PHP manual states the following warning about this modifier: “Caution Use of this modifier is discouraged, as it can easily introduce security vulnerabilities“. This modifier was deprecated in PHP 5.5.0 and removed as of PHP 7.0.0. So why worry about a deprecated functionality which was removed since the new version of PHP? Look at the following survey taken from W3Techs:

Figure 4: Percentages of websites using various versions of PHP (W3Techs.com, 3 July 2018)

According to this survey, more than 80% of the websites written in PHP use a version in which the deprecated ‘e’ modifier of the ‘preg_replace’ function is used. Thus the vast majority of websites written in PHP are vulnerable to attacks using this deprecated modifier.

As another mean to evade detection, the code will be evaluated with the ‘@’ sign as seen in the previous example, which surpasses error messages.

Multi-Step PHP evasion techniques

There are evasion methods where attackers obfuscated their code using a combination of multiple techniques.

Reverse string, concatenation, compression, and encoding

Figure 5: Backdoor using reverse string, base64 encoding and gzinflate compression to hide the code

In this example, the attacker used a combination of methods to hide the code. First, the attacker used the aforementioned “preg_replace” function with the “/e” modifier that evaluates the code. In the second argument, we can see the attack payload being split to several strings and concatenated with the “.” operator. We can also see the attacker used the “strrev” function to reverse the order of the concatenated string “lave”, which turns into “eval”. After concatenation, we get the following payload:

Here, the code isn’t only encoded with base64 encoding, it is also compressed with the “deflate” data format. After decoding and decompression we get the following payload:

Which means evaluate the code that is sent in the “error” parameter, either in GET or POST requests.

String replacement, concatenation, and encoding

Figure 6: Backdoor using string replacement to hide function names, and base64 encoding

In this example, the attackers hid function names inside variables and obfuscated the backdoor itself using base64 encoding. The only visible known keyword is “str_replace”, in line 2, and it is used only once.

Let’s go over the code to see how it works. First, in line 2, the parameter “tsdg” is given the value “str_replace”, by taking the string “bsbtbrb_rbebpblacbe” and removing all the letters ‘b’ using the str_replace function. Here the attacker obfuscated a known PHP function by creating a string that includes the designated function including additional letters.  Then, these letters are removed using the str_replace function.

Next, using this same method, in lines 6 and 7, the parameters “zjzy” is given the value “base64_decode” and the parameter “liiy” is given the value “create_function”. Notice how instead of using the str_replace function directly, the parameter “tsdg” is used in order to evade detection.

Next, there are four other parameters in lines 1, 3, 4, 5 that contain a base64 encoded text. In line 8, the values of these four parameters are concatenated in a specific order to form a long string encoded in base64. The parameter “iuwt” in line 8 will contain the following line of code:

This code will create a function that removes all the “hd” from the base64 encoded text and then decode it. In line 9, this function is executed and the base64 encoded text is decoded to:

Figure 7: The decoded base64 text. How the backdoor really look like

This is the backdoor itself. This backdoor will execute code sent to the compromised server through the cookie. In line 6, the value sent through the cookie is changed using the preg_replace function and two regular expressions. The altered text is then base64 decoded and is executed, running an arbitrary code that the attacker sent.

The evasion techniques in this backdoor are more complex than what we saw in the previous section. Here, on top of using parameters instead of PHP functions, the backdoor itself is decoded in base64. Additionally, to avoid a simple base64 decoding mechanism, the base64 text is split into four parts, and the characters “hd” are added at random places to prevent the text from being decoded as is.

The O and 0 Catch

In the next backdoor the evasion techniques are even more sophisticated, requiring more steps to be made in order to find the actual backdoor:

Figure 8: Backdoor using a couple of evasion techniques. All the parameter names are made of O’s and 0’s

Again, the only two visible known functions are “urldecode”, which is used in line 1 to decode a URL, and “eval” which is used in line 7. The decoded URL is just gibberish but used in later steps for character concatenation as seen in previous evasion methods.

All the parameter names are made of a combination of zeroes and capital O’s. Since these two characters are visually similar, it makes it extremely hard to read and understand the code. Each such parameter is assigned with a string using character concatenation from the previously decoded URL. The parameter values are:

Line 3‘strtr’

Line 4‘substr’

Line 5‘52’

Line 2+6 – concatenated together to form ‘base64_decode

Finally, in line 7, a long text encoded in base64 is being decoded and then executed using the previously defined ‘base64_decode’ parameter. The decoded text is:

Figure 9: The base64 decoded text. The code is still unreadable as there are parameters made of O’s and 0’s

This is not the backdoor itself but just another step of evasion. Here, the previously defined parameters of the O’s and 0’s are being used once more.

Line 1 contains another long text encoded in base64, but this time the decoding is more complex and cannot just be decoded as is. Replacing the parameters in line 2 with their values gives the following line of code:

Figure 10: The same code as before, replacing the parameters with their values

Where the remaining O’s and 0’s parameter is the encoded base64 text from line 1. This command takes the portion of the encoded text with the offset of 104, it then creates a map to the first 52 characters from the second 52 characters of the encoded text and replaces them character to character using the strtr function. Then, the manipulated text is being base64 decoded and executed using the eval function. It is impossible to decode the text without using the above-mentioned map. Finally, the text is decoded to the actual backdoor:

Figure 11: The backdoor itself after base64 decoding. The real intentions of the attacker are revealed

Now the attacker’s real intentions are revealed. The purpose of this backdoor is to create a new HTML form containing an “input” tag which enables the attacker to upload a file. Then, the attacker can upload a file of his choice and the backdoor moves it to a directory specified by the attacker inside the compromised server. The backdoor also indicated whether the file was move successfully to the desired folder by printing an appropriate message.

Summary of evasion techniques

As seen in the examples above, attackers are doing their best to hide their malicious code and evade detection. Some of the techniques we saw in our data that attackers are using are:

  • Hiding known PHP function using string manipulations (replacement, concatenation, reverse, shift and split)
  • Using obscure parameter names, like random characters or combinations of the characters O and 0 which are visually similar
  • Encoding the backdoor, or part of its code with base64 encoding
  • Using compression as a mean to hide the backdoor code
  • Obfuscating base64 encoded text by manipulating the text in order to avoid simple decoding
  • Obfuscating requests sent to the backdoor after it was uploaded by using the “preg_replace” function on the input

Suggestions for Mitigation

There are a couple of infection points where a backdoor attack can be mitigated.

First, at the upload point of the backdoor. This is the best spot to stop the backdoor as it happens before it is even uploaded to the compromised server. Usually, the upload of a backdoor is done using a known vulnerability, most of the times by exploiting a or an unauthorized file upload. Organizations using servers vulnerable to RCE vulnerabilities are advised to use the latest vendor patch. An alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.

Second, while uploading the backdoor, the uploaded code itself can be checked for malicious content. Checking the code can be complicated as attackers obfuscate their code so it could not be understood, and usually, there is not much clear code when looking at the code as is. Using static security rules and signatures may result in limited success. Instead, Other dynamic rules include profiling the normal behavior of the application and alerting any deviations from the profiled behavior.

Third, if the backdoor was already uploaded on an infected server, it is possible to block the communication between the attacker and the backdoor. This method stops the backdoor from working and alerts the server admin, so the backdoor can be removed.

Learn more about how to protect your web applications from vulnerabilities with Imperva WAF solutions, and about Imperva Incapsula backdoor shell protection.

 

Jumpstart your Microsoft Graph Security API integration with the new JavaScript sample app

The Microsoft Graph Security API, which launched this spring, is a unified REST API for integrating data and intelligence from Microsoft products, services, and partners. Using Microsoft Graph, developers can easily build applications that consolidate and correlate security alerts from multiple sources, unlock contextual data to inform investigations, and automate security operations for greater efficiency.

We just launched a new sample app that makes it easier than ever for developers to get started. Similar to the Python sample and C# sample, currently available, the new JavaScript sample app provides ready-to-run code to:

  • Display a list of all security alerts for a tenant. Filter by top alerts, category, provider, and severity, or alerts related to a particular user or device.
  • View rich alert details in JSON.
  • Show additional information from Microsoft Graph about a user or device.
  • Update the status of an alert, provide feedback, and add comments.
  • Subscribe to notifications of all new and updated alerts that meet your filters.

Get started with the JavaScript sample app today!

Drupal, Phishing and A New Cryptomining Botnet

It’s a well-known fact that security solutions must quickly adapt to new attack methods. There are several ways to achieve this goal, regularly applying security patches and updates, relying on threat intelligence and more.

At Imperva, we use pattern anomaly detection as one of the tools to identify emerging threats and build new defenses. Our security researchers analyze the detected patterns from time to time, and this is how we learned about the existence of the Ash botnet.

The pattern that arose from our anomaly detection engine was http://xxx.xxx.xxx.xxx/a.sh. The pattern indicates a resource name, from multiple remote servers, that is being used as a payload in numerous attacks including the now infamous Drupalgeddon2 exploit

It’s not so often that we get to see the full life-cycle of a botnet, from creation to demise. When we do get the opportunity, however, it gives us a unique perspective on how botnets operate and how to stop them.

Detecting the botnet

By common payload

While investigating attempts to attack our customers — close to 1000 Imperva-protected sites were attacked but successfully guarded by the Imperva Incapsula WAF. It turned out that the payload was being delivered from a group of several hundred IPs belonging to a large group of sites protected by Incapsula, over a period spanning more than 30 days. The specificity and distinctiveness of this payload, as well as the fact that it was being delivered by the same hacking tool, strongly suggests that all these IPs were part of a single botnet.

Payload description

The initial a.sh file bash script is a simple downloader bash script. It downloads a compressed archive, extracts and runs one executable file named “i”. The archive contains 21 different files – text, bash script, executable, static libraries, and Python. “i” is a 64 bit ELF executable file which surprisingly isn’t detected by any of the virus detection engines in Virus Total.

The purpose of “i” is twofold: propagation of the malware and crypto-mining. The propagation is done through a central C&C server using both known vulnerabilities (Drupalgedon) and phishing emails. A detailed analysis is available here. The crypto-mining part is achieved by running four (!) different types of crypto-mining software, xmrig, jce_cn_cpu_miner, xmr_stack, and luk-cpu.

Out of these miners, we were able to track two wallets that currently hold ~200 XMR which is the equivalent of 28K$:

  • 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD
  • 45Pw3bWFJXQiR1hN97huM6BbNPpnYdPytWnTUbkEm6KS9MExU7Gtr3nBsVoZA746qhCEwqVsFuPdwfXVtZwXxHQ6LDyfBaL

By other common behavioral patterns

Identifying behavioral correlations over time between different attackers is a powerful way to single out botnets. A similar payload used by multiple IPs, as found here, is an easily detectable common behavior pattern; however, when the payload is not known or is not consistent or distinctive enough, more subtle behavior correlations can be used.

One such pattern is the sites visited by source IPs as a function of time. By defining a measure that reflects whether or not two different IPs visited similar sets of sites at the same time, one can cluster attacking IPs into groups representing potential botnets.

It turns out that such behavioral correlations are present here too, allowing us to calibrate the similarity measure used in our clustering method. The combination of both methods allowed us to successfully identify additional botnets in our data.

Botnet structure and life-cycle

Attack distribution

Interestingly, the attack was led by a single “master” IP, which on peak days was responsible for the majority of attacks on hundreds of target sites while the remaining multitude of “minion” IPs each performed a much smaller portion of the attack, typically attacking about a dozen sites per day. Another noteworthy feature was that the master IP changed four times during the analyzed 60-day period such that there was always exactly one IP taking this role at any given time, as shown in the figure below, where each colored curve represents a different IP.

The master IPs are likely to have belonged to a machine or machines owned by the attacker while the remaining IPs probably belonged to infected application servers that joined the attack in turn, making up the minion botnet.

Amusingly, the master IP active between May 8- 22 (red curve), suddenly became idle between the dates May 15-18,  the onset of the FIFA World Cup, which may imply that the attacker is a football fan, and in keeping with the hypothesis that the activity of the master IP is not initiated by a bot but by a human, being the actual attacker’s machine.

Creation

As you can see from the above graph, the peak of the attack, starting around the 20th of May, was preceded by a period in which only one IP was attacking – using the same payloads. The same sites that would later be attacked by the other IPs in the network. The hacking tool used by this IP was different from that used during the peak days of the attack.

The period during which only this IP was active in the network can be seen as one of reconnaissance activity by the attacker, who was probably looking for vulnerable points in the sites which the botnet later targeted.

Duration

Apart from the master IPs, each of which attacked multiple sites daily over long durations, most IPs dropped out of the botnet after a few days, with 998 of 2034 (close to 50%) being observed for up to two days:

There is more than one possible factor that may explain the brief appearance of most of the IPs:

  • Fast detection and removal of the infection from many infected machines
  • Sparing usage of the infected IP by the attacker to avoid their being detected

Volatility

The participation of IPs in the botnet’s activity had an interesting dynamic. The IP turnover rate in the botnet was relatively high: as shown in the graph below. On average, approximately 25% of IPs that were active (marked in orange) in the botnet on a given day were not active (marked in blue) on the next day, being replaced by a similar number of new IPs.

We can see that the overall activity of the Ash botnet dramatically declined between June 15-18.  We couldn’t find a technical explanation for this phenomenon. However, it is important to note that those were the opening days of the FIFA World Cup event. It is not unlikely that the botnet operators took a break from their nefarious activity to enjoy a few soccer matches 🙂   

Taken as a whole, the total activity of the botnet peaked between May 20- 28 and started declining thenceforth.

In the figure below we can see each attacked site marked in a different color and the number of IPs attacking it.

The victim’s perspective

If a site happened to be compromised, it would have started mining cryptocurrencies for the attacker. This can potentially lead to denial of service if the attacker utilizes all of the CPU power for mining. Additionally, a compromised server would continue to spread malware to more victims, potentially gaining a bad reputation for the server and the possibility of it being blacklisted by security vendors.

The many-to-many relation between attacked sites and attacking IPs of the Ash botnet leads to a commonly encountered situation where, from the attacked site’s perspective, it’s difficult to recognize that a high-volume attack is taking place, since each IP delivers a handful of requests per day to each site and then moves on to the next site.

The figure below shows the number of requests sent by a single attacking IP to a single application in a single day. As can be seen, in the vast majority of cases (84%), a single attacking IP performed a single request to a single site in the same day.

Thus, by simply decorrelating the attacking IPs from their targets, the attacker can avoid detection by the site based on volumetric measures per source IP.

Such an asymmetry between the complexity of the attacker’s and defender’s respective tasks is typical of the cybersecurity domain.

Mitigation

As mentioned in the previous section, unless the payload is blocked by existing security rules – which is not the case in zero-day attacks – the victim has a hard time detecting such a distributed attack campaign. A wider perspective encompassing multiple target sites – like that of a cloud-based security provider – is required.

From such a viewpoint, behavioral correlations between IPs across different target sites become evident, and it can serve to identify synchronized attacks such as those performed by the Ash botnet. Moreover, in subsequent attacks by the botnet, mitigation can be achieved by blocking requests from IPs belonging to the botnet whenever synchronic and correlated activity is detected among the botnet’s IPs. Additionally, we recommend that you:

  1. Stay up to date with the latest security patches
  2. Deploy a security solution that has a global view to detect and block such malicious activities that are not visible from a single application point of view

Note that up-front blocking of all requests from the IPs that participated in the attack would jeopardize legitimate activity originating from machines belonging to legitimate users which have been unknowingly infected. Hence, additional indications for blocking, such as detection of an automated tool, should be used to separate legitimate from malicious activity originating from the same IPs.

Do you have what it takes to become a Chief Scientist in the infosec industry?

Igor Baikalov, Chief Scientist at security analytics firm Securonix, is a trained scientist: he spent over 16 year working on various aspects of Structural Biology, developing new methods for determining the structure of basic building blocks of life: proteins, DNA, and their interactions. “A lot of this work had to do with processing and interpreting massive amounts of data and writing tons of code to do that – something I realized I was pretty good … More

The post Do you have what it takes to become a Chief Scientist in the infosec industry? appeared first on Help Net Security.

How to use the cloud to improve your technology training

Anyone who has tried to hire an IT expert knows that the shortage of qualified people is real. We’re not just talking about IT security jobs, either. Almost every area of tech faces a skills shortage that threatens to sap productivity and presents challenges to IT departments of all sizes. Informal on-the-job training has been the norm for most IT teams. However, the rise of cyberthreats and the pace at which they arise leaves companies … More

The post How to use the cloud to improve your technology training appeared first on Help Net Security.

Only 65% of organizations have a cybersecurity expert

Despite 95 percent of CIOs expecting cyberthreats to increase over the next three years, only 65 percent of their organizations currently have a cybersecurity expert, according to a survey from Gartner. The survey also reveals that skills challenges continue to plague organizations that undergo digitalization, with digital security staffing shortages considered a top inhibitor to innovation. Gartner’s 2018 CIO Agenda Survey gathered data from 3,160 CIO respondents in 98 countries and across major industries, representing … More

The post Only 65% of organizations have a cybersecurity expert appeared first on Help Net Security.

Digital Strategy Isn’t Meeting Security Needs — Here’s What to Do

We are in the midst of a digital transformation. And yet, IT departments are struggling to develop a digital strategy that addresses data privacy and cybersecurity. In a world where the General Data Protection Regulation (GDPR) is now in effect, the lack of such a strategy could end up coming back to haunt your organization and its leadership.

The Greatest Challenge Facing Digital Strategy Leadership

According to a June 2018 Harvey Nash/KPMG CIO Survey, the greatest challenge facing security and information technology leadership is the ability to deliver dynamic data while simultaneously providing a high level of security and privacy.

Only 32 percent of organizations have a company-wide digital strategy, the same survey found, and of those, 78 percent admit that the strategy in place is moderately effective at best. These insights imply that all of the data transmitted through organizations, including the personal information of customers, isn’t getting the level of protection necessary or satisfying GDPR compliance.

Jumping Into the Digital Transformation Too Fast

Let’s face it, most companies are failing or falling behind when it comes to cybersecurity — and the ongoing digital transformation is only exacerbating the situation. The Harvey Nash/KPMG survey states IT departments are doing fine when it comes to traditional technologies, but it also recognizes the increasing complexity that digital technologies bring to organizations.

Understanding these technologies is part of the problem — not only how they work, but also how they’ll best improve the nature of the business. It might be tempting to apply the latest and greatest available technology, whether you need it or not.

IT staff are often risk-takers — they like new technology and want to use it right away. Where they run into trouble is bringing in the latest technology without a real strategy to implement it both wisely and securely. Just because IT wants to update its technology doesn’t mean the company is ready for it.

Too Much Data, Not Enough Security

Understanding how a technology’s abilities intersect (or don’t) with a business’s needs makes the difference between a successful transformation and digital nightmare. Whether the technology is a boon or bust for the company, there is one thing it is guaranteed to do: generate more data — which will require layers of security. Without an effective digital strategy, understanding and protecting that data becomes problematic.

If the data were stored in one location, it might be easier to manage. But with increasing diversity of technologies, from the Internet of Things (IoT) and cloud computing to blockchain and virtual reality (VR), databases for one company are stored in thousands of endpoints. This reality is leading to increased risk of data breaches.

“[W]ith the emergence of these transformative technologies the perimeter has become dynamic and ever-changing,” wrote Peter Galvin, chief strategy and marketing officer at Thales eSecurity. “[W]hile protecting the perimeter is still important, it simply is not enough to prevent sensitive data from being stolen.”

Getting Leadership on Board

A strong digital strategy will provide the layers of security and privacy needed in the digital transformation, but this requires cooperation from all levels of leadership. Just as IT departments have a responsibility to be more business-aware and recognize how new technologies fit (or don’t fit) into corporate strategies, boards of directors must be more realistic about creating digital strategies that will meet today’s and tomorrow’s privacy concerns.

In the past, the fallout from data breaches and other security incidents fell directly on C-suite employees: Chief executive officers (CEOs), chief information officers (CIOs) and chief information security officers (CISOs) have been held accountable by directors. However, the responsibility often falls on the board to approve budgets, support cybersecurity funding and efforts and create corporate strategies.

Thanks to GDPR — and rising security and privacy threats — boards may finally be getting the message. The Harvey Nash/KPMG survey found that boardrooms are increasingly prioritizing security. In fact, security has received the most significant increase in business priority over the past year.

And according to Board Effect, more boards are expanding to bring cybersecurity experts directly to the table as full members.

“Cybersecurity experts on the board have the proper expertise to advise the board about the best tools, processes and resources to keep hackers at bay,” the publication stated. “In addition, cybersecurity experts are the prime resource people for identifying new developments in IT as technology advances.”

This shift is promising for security professionals. With a digital perspective integrated directly into board decisions, IT departments should gain the leverage necessary to lobby for tools and support they need to meet the digital transformation with an adequate strategy to keep data secure.

Read the study from Ponemon Institute: Bridging the Digital Transformation Divide

The post Digital Strategy Isn’t Meeting Security Needs — Here’s What to Do appeared first on Security Intelligence.

How to Navigate Business Ethics in a Data-Hungry Digital World

In this data-hungry world, high-profile breaches continue to make headlines. As global corporations and technology giants continue to collect enormous amounts of personal information, legislators and consumers are starting to ask pointed questions about business ethics.

Even when companies aren’t directly profiting from sharing their users’ personal information, they often fail to protect what they have. Consumers have begun to realize that what they read, who they engage with, what they buy — and even the pictures they share online — are all data monetized.

The critical question: Do the businesses who profit from the use of this personal data have integrity? If not, what needs to change to achieve ethical business practices?

How to Define Business Ethics in a Digital World

In general, ethics is a gray area. As different entities emerge — and the players evolve — ideas about right and wrong shift. Therefore, the goal for businesses must be to find a starting point, explained Jason Tan, CEO and co-founder of machine learning company Sift Science, to SecurityIntelligence.

“Each business needs to define for itself a clear North Star of what is right and what is wrong,” Tan said. “That doesn’t have to get into the nitty-gritty of what is right and wrong — but establish a baseline of what they want for a cultural mindset so that everyone is guided by the principle of doing the right thing as much as possible.”

Unfortunately, the “right thing” is often unclear. Since the General Data Protection Regulation (GDPR) went into effect, consumers’ inboxes have been flooded with emails updating them about privacy policy changes.

There’s a greater issue, however: Even when it comes to privacy policy and terms of service agreements, “users enter into legal agreements that are often difficult or impossible for the everyday person to understand,” Tan said.

While that’s not unethical, per se, it does err on the side of what is not right for the users.

“We think of business ethics as the set of values that a company uses to make decisions with an eye to all of its different stakeholder groups — employees, customers, value chain partners, investors, the communities in which it operates — and the impact the decision might have upon them,” said Erica Salmon Byrne, executive vice president at the Ethisphere Institute, to SecurityIntelligence.

Navigate Changes in Technology With a Moral Compass

Rapid changes in technology have impacted the speed with which businesses need to react, especially since the effects of their decisions have an increasingly global reach. Ethical companies know who they are and what matters to them. Therefore, in times of crisis, they can rely on this moral compass to direct their responses.

To be an ethical company, organizations must recognize risks in the actions of their employees and the behaviors of the company itself. Examples include how they work with personal data, other company information or trade secrets.

Businesses can mandate ethics with a moral compass that won’t compromise the personal information used to make business-critical decisions by clearly conveying what their expectations are and why they matter.

“Provide context to show how those expectations pertain to the area the employee is working in, provide trustworthy avenues to raise concerns and monitor and follow-up where possible,” Bryne said. “… but at the end of the day, your controls are only as good as your people.”

Find True North

Another step toward moral practice: Draft a more ethical version of your user agreements that are clear, transparent and accessible. This strategy will help your users understand the rights they are transferring — which is a whole branch of communication that hasn’t been developed.

“The norm for users is to never even look at the terms of service,” Tan said. “As a society, we want instant gratification quickly and effectively — so it is on the businesses to be thinking about how to make all this legalese more accessible to the everyday person to help them clearly understand what is happening.”

All of these ideas are lofty — but mean little unless they are put to action. While some technology giants continue to seek redemption for their reported misuse of personal data, many companies pride themselves on their business ethics. As governments continue to respond to heightened concerns about protecting privacy, there will likely be more regulations that attempt to legislate the ethical behavior of businesses.

Bryne warned that in the midst of trying to comply with regulations, it’s often easy to forget what those regulations are trying to achieve.

“If the company has clear values, ties their policies and procedures to those values, takes the time to engage employees on the values and expectations and offers avenues to ask questions that employees feel secure in using, it will go a very long way towards mitigating the risk of improperly using or protecting data and lots of other risks too,” Bryne said.

Download the 2018 Cost of a Data Breach Study from Ponemon Institute

The post How to Navigate Business Ethics in a Data-Hungry Digital World appeared first on Security Intelligence.

Taking the First Steps Down the Security Posture Path with AWWA

What does a human need to survive? Typically, the first two items are food and water followed by a place live. Most of us take for granted that our water supply is always safe and drinkable. As such a vital resource, one would think that the critical infrastructure that purifies and monitors water must be […]… Read More

The post Taking the First Steps Down the Security Posture Path with AWWA appeared first on The State of Security.

The State of Security: Taking the First Steps Down the Security Posture Path with AWWA

What does a human need to survive? Typically, the first two items are food and water followed by a place live. Most of us take for granted that our water supply is always safe and drinkable. As such a vital resource, one would think that the critical infrastructure that purifies and monitors water must be […]… Read More

The post Taking the First Steps Down the Security Posture Path with AWWA appeared first on The State of Security.



The State of Security

Many infosec professionals reuse passwords across multiple accounts

Lastline announced the results of a survey conducted at Infosecurity Europe 2018, which suggests that 45 percent of infosec professionals reuse passwords across multiple user accounts – a basic piece of online hygiene that the infosec community has been attempting to educate the general public about for the best part of a decade. The research also suggested that 20 percent of security professionals surveyed had used unprotected public WiFi in the past, and 47 percent … More

The post Many infosec professionals reuse passwords across multiple accounts appeared first on Help Net Security.

How Microsoft 365 Security integrates with the broader security ecosystem—part 1

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protection, threat protection, identity and access management, and security managementproviding in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsofts strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, well address these topics, beginning with Microsofts strategy for integrating into the broader security ecosystem. Our integration strategy begins with partnerships spanning globally with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate and our customers must respond more quickly and aggressively to help ensure safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective through seamless information sharing and working jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sourcesand enhanced from shared threat intelligencehelping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Securitystrengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines, best practices, and creating a standardization of security requirements. For example, the Fast Identity Online (FIDO) Alliance, helps ensure organizations can provide protection on-premises and in web properties for secure authentication and mobile user credentials. Microsoft is a FIDO board member. Securing identities is a critical part of todays security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDOs board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online Chile exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, well showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

China Publishes the Draft Regulations on the Classified Protection of Cybersecurity

On June 27, 2018, the Ministry of Public Security of the People’s Republic of China published the Draft Regulations on the Classified Protection of Cybersecurity (网络安全等级保护条例(征求意见稿)) (“Draft Regulation”) and is seeking comments from the public by July 27, 2018.

Pursuant to Article 21 of the Cybersecurity Law, the Draft Regulation establishes the classified protection of cybersecurity. The classified protection of information security scheme was previously implemented under the Administrative Measures for the Classified Protection of Information Security. The Draft Regulation extends targets of security protection from just computer systems to anything related to construction, operation, maintenance and use of networks, such as cloud computing, big data, artificial intelligence, Internet of Things, project control systems and mobile Internet, except those set up by individuals and families for personal use.

The obligations of network operators include, but are not limited to, (1) grade confirmation and filing; (2) security construction and ratification; (3) grade assessment; (4) self-inspection; (5) protection of network infrastructure, network operation, and data and information; (6) effective handling of network safety accidents; and (7) guarding against network crimes, all of which vary across the classified levels where the network operators are graded.

Network Operator Compliance

  • Classified Levels. The network operator must ascertain its security level in the planning and design phase. The network is classified by five levels for the degree of security protection as shown below.

Explanation of terms such as “object” and “degree of injury” can be found in Draft Information Security Technology-Guidelines for Grading of Classified Cybersecurity Protection, which closed for public comment on March 5, 2018.

  • Grading Review. The considerations for classified level grading include network functions, scope of services, types of service recipients and types of data being processed. For networks graded at Level 2 or above, the operator is required to conduct an expert review and then obtain approval from any relevant industry regulator. Cross provincial or national uniform connected networks must be graded and organized for review by the industry regulator.
  • Grading Filing. After grading review, any networks graded at Level 2 or above must file with a public security authority at or above county level, after confirmation of the classified level. The filing certificate should be issued after satisfactory review by the relevant public security authority. The timeline for the relevant public security authority to review such applications is not defined in the Draft Regulation, and is within the authority’s discretion.
  • General Obligations of Cybersecurity Protection. Most of the general cybersecurity obligations are stated in the Cybersecurity Law, and the Draft Regulation stipulates additional obligations, such as:
    • In the event of detection, blocking or elimination of illegal activity, network operators must prevent illegal activity from spreading and preventthe destruction or loss of evidence of crimes.
    • File network records.
    • Report online events to the local public security authority with jurisdiction within 24 hours. To prevent divulging state secrets, reports should be made to the local secrecy administration with jurisdiction at the same time.
  • Special Obligations of Security Protection. The networks graded at Level 3 or above require a higher standard for their network operators, which will bear general liability and special liability, including:
    • designating the department of cybersecurity and forming a level-by-level examination system for any change of network, access, operation and maintenance provider;
    • reviewing the plan or strategy developed by professional technical personnel;
    • conducting a background check on key cybersecurity personnel, and confirming those personnel have relevant professional certificates;
    • managing the security of of service providers;
    • dynamically monitoring the network and establishing a connection with the public security authority at the same level;
    • implementing redundancy, back-up and recovery measures for important network equipment, communications links and systems; and
    • establishing a classified assessment scheme, conducting such assessments, rectifying the results, and reporting the information to relevant authorities.
  • Online Testing Before Operation. Network operators at Level 2 or above must test the security of new networks before operation. Assessments must be performed at least once a year. For new networks at Level 3 or above, the classified assessment must be conducted by a cybersecurity classified assessment entity before operation and annually thereafter. Based on the results, the network operators must rectify the risks and report to the public security authority with its filing records.
  • Procurement. The network products used for the “important part” of the network must be evaluated by a professional assessment entity. If a product has an impact on national security, it must be checked by state cyberspace authorities and relevant departments of State Counsel. The Draft Regulation does not clearly define what the “important part” of a network means.
  • Maintenance. Maintenance of networks graded at Level 3 or above must be conducted in China. If business needs require cross-border maintenance, cybersecurity evaluations and risk control measures must take place before performance of such cross-border maintenance. Maintenance records must be kept for public security’s inspection.
  • Protection of Data and Information Security. Network operators must protect the security of their data and information in the process of collection, storage, transmission, use, supply and destruction, and keep recovery and backup files in a different place. Personal information protection requirements in the Draft Regulation are similar to those found under the Cybersecurity Law.
  • Protection of Encrypted Networks. The networks relating to state secrets are governed by encryption protection. Networks graded at Level 3 or above must be password protected and operators must entrust relevant entities to test the security of the password application. Upon passing evaluation, the networks can run online and must be evaluated once a year. The results of the evaluation must be filed with (1) the public security authority with its filing record and (2) the cryptography management authority where the operator is located.

Powers of the Competent Authorities

In addition to regular supervision and inspection, the Draft Regulation gives the competent authorities more powerful measures to handle investigations and emergencies. During an investigation, when necessary, the competent authorities may order the operator to block information transmission, shut down the network temporarily and backup relevant data. In case of an emergency, the competent authorities may order the operator to disconnect the network and shut down servers.

Penalties for Violations

The Cybersecurity Law includes liability provisions for violations of security protection, technical maintenance, and data security and personal information protection, as well as enforcement of the Draft Regulation. The penalties include rectification orders, fines, relevant business suspension, business closing or website shut-down pending rectification, and revocation of relevant business permits and/or licenses.

Telefonica Data Breach Exposed Millions Of Consumer Records Online

While some hackers have their work cut out for them looking for their possible victims, some companies provide them with

Telefonica Data Breach Exposed Millions Of Consumer Records Online on Latest Hacking News.

Rain Capital: Venture fund seeks to back cybersecurity companies led by women and minorities

A new venture fund that will focus on providing capital, strategy, critical resources and unique insights to early-stage cybersecurity companies in Silicon Valley has been officially launched last month. Headed by security technologist Dr. Chenxi Wang and with Amena Zhang, a VC with a strong track record of funding successful startups in Asia, as operating partner, Rain Capital has one other goal in mind: to boost funding to companies led by women and minorities. “Two … More

The post Rain Capital: Venture fund seeks to back cybersecurity companies led by women and minorities appeared first on Help Net Security.

Zero login: Fixing the flaws in authentication

Passwords, birth certificates, national insurance numbers and passports – as well as the various other means of authentication, that we have relied upon for the past century or more to prove who we are to others – can no longer be trusted in today’s digital age. That’s because the mishandling of these types of personally identifiable information (PII) documents from birth, along with a string of major digital data breaches that have taken place in … More

The post Zero login: Fixing the flaws in authentication appeared first on Help Net Security.

Family Tech Check: 5 Ways to Help Kids Balance Tech Over Summer Break

It’s mind-blowing to think that when you become a parent, you have just 18 summers with your child before he or she steps out of the mini-van and into adulthood. So at the mid-summer point, it’s a great time to ask: How balanced is your child’s screen time?

Don’t panic, it’s normal for screen time to spike over the summer months, which is why kids not only know how to balance their screen time but why it’s important.

Besides impacting family time and relationships, there are other potential risks that can result from excessive screen time such as obesity, depression, technology addiction, and anxiety. Too, there are risks such as privacy, cyberbullying, inappropriate content, and predators. So, while summer brings fun, it also requires parents to be even more diligent — and creative — when it comes to helping kids achieve some degree of balance with their tech.

A Small, Powerful Step

Kids are connected. Forever. There’s no going backward. Not all changes take a huge effort. Small changes matter.

Try this one small but powerful change. Turn your phone over whenever anyone in your family enters a room or begins talking to you. The simple act of turning our screens face down and looking at the person speaking strengthened our family dynamic. Try it — you might experience some of the same results we did. The kids may stick around and talk longer. Your spouse may feel more respected. And, most importantly, you won’t miss the priceless smiles, expressions, laughter, and body language that comes with eye contact and being fully present with the people who mean the most.

Another small step is agreeing to screen free zones (this includes TV) such as the dinner table, restaurants, and during family outings. Again, this one small step might open up a fresh, fun family dynamic.

If you feel your summer slip sliding away and need to seriously pull in the tech reigns, these five tips may help.

5 Ways to Help Curb Summer Tech

  1. Create summer ground rules. Include your kids in this process and come up with a challenge rather than a list of rules. Ground rules for summer might look different from the rest of the year, depending on your family’s schedule. Establishing a plan for chores, exercise, reading and waking up, puts expectations in place. To keep the tech in check, consider a tech exchange. For every hour of screen time, require your child to do something else productive. Keep it fun: Set up a reward system for completed chores.
  2. Get intentional with time. Carving out time to be together in our tech-driven world requires intentionality. Try sitting down together and making a summer bucket list for the remainder of the summer. Try your hand at fishing, canoeing, or hiking some new trails together. Board games, crafts, puzzles, a family project are also ways to make great memories.
  3. Keep up with monitoring.  Just because it’s summer doesn’t mean you can ease up on monitoring online activity goes by the wayside. Keep up with your child’s favorite apps and understand how he or she is using them. During summer especially, know the friends your kids connect with online. Review privacy and location settings. Note: Kids — especially teens — want their friends to know what they are doing and where they are at all times in hopes of finding something to do over the summer. This practice isn’t always a good idea since location-based apps can open your family up to risks.
  4. Consider a tech curfew. Establish a “devices off” rule starting an hour before lights out. This won’t be a favorite move, but then again, parenting well isn’t always fun. More and more studies show the physical toll excessive technology use can take on teens. Just because your child is in bed at night does not mean he or she is asleep. The ability to face time, text, watch movies, or YouTube videos can zap kids of valuable sleep.
  5. Maintain a balanced perspective. Kids and tech are intertwined today, which makes it nearly impossible to separate the two. Sure the risks exist, but there’s the upside of tech that brings values that echo throughout every generation: Friendship, connection, and affirmation. Checking social media and sharing one’s thoughts and life online is a regular part of growing up today. Keep this in mind as you work together to find the balance that works best for your family.

toni page birdsong

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Family Tech Check: 5 Ways to Help Kids Balance Tech Over Summer Break appeared first on McAfee Blogs.

Review: The Absolute Platform with Persistence Technology

Absolute is a long-time player in the endpoint security arena, specializing in endpoint visibility and control. Regarded as an industry leader in IT asset management for more than two decades, Absolute recently revamped its solution to leverage its patented Persistence technology. The Software-as-a-Service platform is made possible through innovative endpoint technology and go-to-market partnerships with more than 25 original equipment manufacturers (OEMs) and top PC vendors. Absolute’s patented technology is built into the firmware of … More

The post Review: The Absolute Platform with Persistence Technology appeared first on Help Net Security.

As Seen on TV: Important Lessons for Winning the Fight Against Cybercrime

In recent years, we’ve seen ample evidence of our collective cybersecurity failures. But we still haven’t learned the most important lessons.

To start, there is no silver bullet — no single technological fix. What’s more, while cybercriminals have been coordinating in organized groups, we have been trying to fight cybercrime in silos. If we are going to beat back the advances of cybercrime, we need better collaboration within the cybersecurity industry, with shared intelligence across public and private sectors.

We must focus more on responding to the inevitable “boom moments” after a breach occurs, not just what comes “left of the boom,” the prevention and detection of threats. Furthermore, we need a drastic elevation of cybersecurity skills and awareness.

On that last point, we need to raise the level of cybersecurity awareness — not just to protect our businesses, but among the general population. Our families and friends must understand what we’re up against and become knowledgeable of security hygiene to deny cybercrime organizations the victims they need to finance their operations.

That’s why I’m so proud that IBM Security teamed up with Atomic Entertainment and Science Channel to create a documentary special that explains, in provocative detail, what we’re up against.

Go Behind the Scenes of the Fight Against Cybercrime

Dark Web: Fighting Cybercrime” — airing on Science Channel at 5 p.m. EST on Thursday, July 19 and available afterward on-demand — brings to a mass audience a close encounter with the dark corners of the internet and offers insights into the history of cybercrime and where it’s headed. Better yet, the film goes behind the scenes of the fight against cybercrime, bringing you right inside a security operations center (SOC) to witness a simulation of a cyberattack and the challenges of responding in the moment to stop the “bleeding” and mitigate further damage.

Take a peek inside the dark world of cybercrime

I’ve been a part of hundreds of these simulations in our IBM Security X-Force Command Centers, and I have seen many accomplished and smart executives grappling with a kind of pressure few have experienced before.

When you watch the Science Channel special, you’ll see why practice runs are essential for security teams and business leaders to understand how to respond to an attack. While first responders and military service members train rigorously to deal with threats, the same can’t be said about organizations under threat of cyberattacks.

Just think about the training and preparation a military pilot goes through — hundreds of hours in simulators and in classroom training. But business leaders today are taught to be deliberate in their decisions, to pause and collect all the data before acting. That’s about the worst thing you can do when there’s a breach. After the boom, you need to act right away to prevent a bad situation from becoming worse.

Learn How to Keep Calm in the Face of a Cyberattack

Many of the people who go through the simulations in our command centers can become flustered and discouraged, despite being highly capable leaders. When the CEO who normally acts with confidence when making business decisions is suddenly thrust into the unknown of a cyberattack, the fight-or-flight adrenaline makes decision-making extremely difficult, and he or she starts to make mistakes.

It’s like trying to learn a new sport: You are bound to fail at first, but it’s by failing that you learn. And it’s far better to strike out or miss a tackle in practice than in a real game.

For many of our clients, it’s very apparent that rehearsing these situations is essential to honing their crisis leadership. By experiencing a simulated cyberattack, teams build muscle memory of what to do and with whom to communicate. By incorporating what they’ve learned, leaders can go back to their organizations and script their responses to automate as much of the decision-making process as possible. You can act faster and more effectively when the rules are written down, processes are established and everyone understands their job.

As the Science Channel special demonstrates, there’s a common thread among successful teams in our cyber ranges, and that’s the calm and collected leadership of people with backgrounds in the military or first responder jobs.

We need more of these disciplined and quick-acting men and women in cybersecurity. But the traditional way of recruiting cybersecurity staff — finding experienced professionals with a background in cybersecurity, college degrees and information security certifications — can overlook nontraditional candidates who can nonetheless do the job. At IBM Security, we’ve advocated and put into practice a “new collar” approach to recruiting professionals. It means looking beyond credentials to find individuals with the skills, aptitude and attributes to adapt to new cybersecurity roles.

Why I’m Optimistic About the Future of Cybersecurity

Unfortunately, there’s a lot of pessimism right now about the acceleration of threats, mounting breaches and exploding costs of incorporating a wide array of disparate and disconnected security technologies into IT environments. Yet, I am optimistic, because we do not have to fight alone.

By collaborating across organizations and within the security industry, we can limit the spread of threats through shared insights and intelligence. Together, the cybersecurity industry and our partners can simplify security by integrating our solutions, because complexity is the enemy of security.

We also have a new partner that can help turn the tide in the fight against cybercrime: artificial intelligence (AI). By advancing the security applications of AI, we create a force multiplier, because automating tasks and limiting false positives frees up human analysts to make critical decisions faster.

Finally, it bears repeating that we must create more allies in this fight by educating our employees and the general public about threats to their online privacy and security. I think “Dark Web: Fighting Cybercrime” does a standout job of doing just that.

Whether you’re a security professional, business executive or concerned citizen of our digital world, you’ll gain valuable perspective from this fascinating documentary. Check out the trailer below to get a taste of the action, and watch “Dark Web: Fighting Cybercrime” on Science Channel at 5 p.m. EST on Thursday, July 19, and later on-demand. Get your friends and family members to watch too — after all, we’re all in this fight together.

Take a peek inside the dark world of cybercrime

The post As Seen on TV: Important Lessons for Winning the Fight Against Cybercrime appeared first on Security Intelligence.

George Gerchow, CSO at Sumo Logic: Our DevSecOps strategy

Sumo Logic was founded in 2010 by experts in log management, scalable systems, big data, and security. Today, their purpose-built, cloud-native service analyzes more than 100 petabytes of data, more than 16 million searches, and delivers 10s of millions of insights daily – positioning Sumo among the most powerful machine data analytics services in the world. In this podcast, George Gerchow, CSO with Sumo Logic, talks about their DevSecOps strategy. Here’s a transcript of the … More

The post George Gerchow, CSO at Sumo Logic: Our DevSecOps strategy appeared first on Help Net Security.

Magecart presents an unprecedented threat: Here’s what you can do

Recently we learned that the previously disclosed Ticketmaster UK breach from a few weeks ago was not a one-off event but instead part of a widespread website digital credit card skimming operation that impacted over 800 ecommerce sites around the world. On the surface, even an attack of this size isn’t necessarily out of the norm in today’s threat landscape of highly sophisticated actors. However, if we consider the true impact of this event it … More

The post Magecart presents an unprecedented threat: Here’s what you can do appeared first on Help Net Security.

Only 20% of companies have fully completed their GDPR implementations

Key findings from a survey conducted by Dimensional Research highlight that only 20% of companies surveyed believe they are GDPR compliant, while 53% are in the implementation phase and 27% have not yet started their implementation. EU (excluding UK) companies are further along, with 27% reporting they are compliant, versus 12% in the U.S. and 21% in the UK. While many companies have significant work to do, 74% expect to be compliant by the end … More

The post Only 20% of companies have fully completed their GDPR implementations appeared first on Help Net Security.

How Can an ISAC Improve Cybersecurity and Resilience?

Sharing computer security threat information is now an established practice in IT. Whether automatically or manually, the primary motivator to pool resources is to improve your own capabilities and those of your peers for responding to security threats and incidents.

Another factor that can significantly improve your ability is sharing knowledge and experiences. As it happens, there are organizations designed explicitly for that: information sharing and analysis centers (ISACs).

What is an ISAC?

The first ISACs were formed in the U.S. in the late 1990s, and many more have been established to build and strengthen cooperation between organizations since then. It’s a central resource for gathering and facilitating exchanges of information on computer security threats, best practices and common approaches between the private and the public sectors.

Additionally, some ISACs will share common analysis capabilities. They can be seen as trusted entities that connect peers in their sectors and inform them of critical information for dealing with computer security incidents. An extension of ISACs are information sharing and analysis organizations (ISAOs), which focus primarily on protecting shared personal and proprietary information from disclosure.

There are three common types of ISACs:

  • Sector-based: These ISACs focus on organizations within the same sector — usually critical or vital sectors — and are mostly facilitated by the sector itself or by the government.
  • Country-based: These ISACs focus on cooperation and collaboration within a specific country and are most often governed by a computer security incident response team (CSIRT).
  • International: These ISACs connect key persons for computer security from organizations across national borders.

It’s important to note that ISACs can focus on one specific sector and also be internationally oriented. An excellent example of this setup is the European FI-ISAC for financial institutes.

The National Council of ISACs provides an overview of the different sector-based ISACs in the U.S., including the financial services sector (FS-ISAC), information technology sector (IT-ISAC), water and wastewater utility management sector (WaterISAC) and oil and natural gas sector (ONG-ISAC). The European Union Agency for Network and Information Security (ENISA) provides ISACs across sectors in the E.U., including the energy sector (EE-ISAC), financial institutes sector (FI-ISAC) and aviation sector (ECCSA).

Who Creates ISACs?

The initiative to create ISACs can come from the government or as an initiative from private partners within the same sector. For the latter, the government can sometimes play the role of a facilitator.

You don’t have to wait for others to establish ISACs. If you feel there’s a strong need for more collaboration with your sector peers, then you should reach out to them. You can ask your national CSIRT or cyber-competence center for support or rely on existing resources from ENISA.

Why Would You Join an ISAC?

Joining an ISAC comes at a cost: It requires either financial or human resources from your organization. This means there must be a strong motivation to join an existing group or to potentially lead the establishment of a new one.

There are a few fundamental driving forces to join or establish one:

  • Share knowledge about incidents and threats: Information sharing helps you to raise awareness among your constituency, fine-tune your detection techniques and improve your capabilities for responding to incidents.
  • Increase your maturity level: By having access to shared experiences from your peers and understanding which approaches work or fail, you can improve your own security maturity level more quickly. Being part of a group enables you to validate your ideas and experiences with other organizations within the same sector.
  • Network and develop contacts: Especially in the case of larger incidents, it is essential to exchange information. Your CSIRT can coordinate this, but some incidents require that you reach out directly to a security counterpart in another organization in the same sector. These meetings would allow you to get to know these people in person.
  • Join forces: Not every organization can keep a fully staffed forensic- or threat-intelligence team. If the ISACs provide shared analysis capabilities, members can benefit without having to deploy these capabilities on their own.

An essential factor for successful ISACs is equal participation from all members. This means that you cannot (or shouldn’t) join if you aren’t willing (or allowed) to actively contribute. This also requires that you have some form of support (or mandate) from your organizational management to discuss the security incidents your organization has experienced.

Note that the shared information is almost always subject to the Traffic Light Protocol (TLP). This is a set of designations, indicated by four colors, that are used to ensure that sensitive information is only shared with the appropriate audience.

What Drives ISACs?

There are some key elements that you need to start one or ensure that it remains fully operational.

Trust

The core element of successful ISACs is trust. If the members of the group don’t trust each other, then it will be challenging to exchange sensitive information on security incidents.

Besides the more formal aspects of development within ISACs, it’s important that participants get to know each other. This bonding can happen during meetings — but don’t underestimate the power of organizing social events or joint workshops. Building trust is sometimes more easily accomplished in a less formal environment.

Attendance and Committed Resources

Success will be a challenge if the composition of the group is imbalanced between technical, management and non-IT people. You can only participate and interact with other members if the discussed topics are of interest to you.

Before joining, make sure you know the foreseen level of attendance. Some groups also provide individual tracks for different target audiences.

Governance and Collaboration Models

Bringing together a group of people and providing the right services requires some form of governance. The exact model will be dependent on the size of the group, the focus of its members and its objectives.

One way to govern is making use of a secretariat. The secretariat is ideally a permanent body and can be an external or a government organization. Having a secretariat ensures that members can focus on the content — and not on the administrative part of running the group. The secretariat will often play the role of the facilitator by arranging meetings and preparing the agenda.

A volunteer-run ISAC can, in some cases, be more flexible, but special care must be taken to ensure that the tasks are performed equally by all participants and not by a limited number of participants.

Terms of Reference

Regardless of the collaboration model’s structure or flexibility, it’s necessary that all members have a solid understanding of the common rules for participation and working procedures of the group.

A document formally approved by the group members, such as a terms of reference, can describe these rules and provide guidance on the collaboration. This document should also outline how new members can be introduced or vetted and explain how the group can review the membership of existing participants.

Funding

Joining comes at a cost for your organization, but further funding will be needed to organize meetings and workshops and provide documentation. Similarly, as with the governance model, the funding will depend on the type of group.

The funding may come from voluntary contributions or mandatory fees, but you can also request support from governments. Private sponsoring or imbalanced mandatory fee models (i.e., gold, silver and bronze members) should be avoided.

Tooling

The tooling that will probably be used the most by ISACs are email and teleconference infrastructure. Once it’s more established, the group can also make use of additional programs for collaboration and threat sharing, such as a Threat Information Platform (TIP) like MISP. Due to the nature of information being exchanged, it’s important that the participants honor the TLP codes and apply email encryption, such as Pretty Good Privacy (PGP), when necessary.

Joint Research and Analysis

Besides the sharing of knowledge and experiences, ISACs can also provide joint research and analysis services. A joint research project where the individual participants solve a problem together would greatly improve the level of trust between the different members.

Here are some common areas for such projects:

  • Sector-targeted malware analysis
  • Tuning of intrusion detection rules
  • Analysis of malicious campaigns and threat actors
  • Organizational approaches for dealing with the Internet of Things (IoT)

Results and Regular Review

It’s important the group publishes its results — preferably on a regular basis. These publications allow participants to demonstrate value to their management and justify further investments in participation.

These publications can cover the incidents discussed (stripped of confidential information), as well as the results of joint research and analysis.

The post How Can an ISAC Improve Cybersecurity and Resilience? appeared first on Security Intelligence.

Security Fundamentals for Federal Agencies

Cybersecurity experts are urging government agencies to protect their data with up-to-date, foundational security controls, and agencies are listening. But how can they determine where exactly to focus their efforts to maximize efficiency and ensure a strong security stance? A new whitepaper from Tripwire details the four key components federal agencies need in order to […]… Read More

The post Security Fundamentals for Federal Agencies appeared first on The State of Security.

An overview of the OT/ICS landscape for cyber professionals

Most cyber security professionals take for granted the information technology or IT nature of their work. That is, when designing cyber protections for some target infrastructure, it is generally presumed that protections are required for software running on computers and networks. The question of whether some system is digital or even computerized would seem to have been last relevant to ask in 1970. We all presume that everything is software on CPUs. The problem is … More

The post An overview of the OT/ICS landscape for cyber professionals appeared first on Help Net Security.

Want to avoid GDPR fines? Adjust your IT procurement methods

Gartner said many organizations are still not compliant with GDPR legislation even though it has been in force since May 2018. This is because they have not properly audited data handling within their supplier relationships. Sourcing and vendor management (SVM) leaders should, therefore, review all IT contracts to minimise potential financial and reputation risks. “SVM leaders are the first line of defense for organizations whose partners and suppliers process the data of EU residents on … More

The post Want to avoid GDPR fines? Adjust your IT procurement methods appeared first on Help Net Security.

IoT security spend to reach $6 billion by 2023

A new study from Juniper Research found that spending on IoT cybersecurity solutions is set to reach over $6 billion globally by 2023. It highlighted rapid growth, with spending by product and service providers (in consumer markets) and end-customers (in industrial and public services markets) to rise nearly 300% over the forecast period. Marked differences across markets Juniper claimed that there are major differences in the way in which IoT business risk is perceived and … More

The post IoT security spend to reach $6 billion by 2023 appeared first on Help Net Security.

Building an Effective API Security Strategy: Easy If You Have the Right Tools

In their approach to application programming interface (API) security, organizations exposing web APIs must balance ease of access with control. Like the bank robber attacking banks because “that’s where the money is,” the use of APIs to provide access to applications and to business-critical data has naturally led to API security incidents. These have occurred particularly in the form of data breaches.

Some of the key challenges organizations currently face include:

  • An increase in attacks and data breaches involving poorly protected application programming interfaces (APIs)
  • Ineffectiveness of protecting web APIs with traditional application security solutions alone
  • New APIs are being added and consumed by organizations on an ongoing basis, meaning that API security is not a one-time exercise.
  • Modern application architecture trends — including mobile devices, microservice design patterns, and hybrid on-premises/cloud usage — complicate API security since there is rarely a single “gateway” at which protection can be enforced.

API gateways, combined with web application firewalls and other application security infrastructure where necessary, are used to implement API security. However, a purely edge-based web application security defense strategy is not fully ready for the new challenges posed by APIs. The widespread use of internal APIs, combined with mobile access and increased reliance on cloud APIs, mean that defending from the edge is insufficient. New hybrid approaches highlight the fact that organizations should take a holistic view of API security.

The best practices described in this research explain how an organization should use API security to enable its integration and digital business initiatives.

Interested? Get access to the Gartner API Security Strategy here.

Handling Social Media Stress – Pointers to Share with Your Teens

The lion’s share of modern day communication happens online and for that, thanks to the hundreds of apps available. Whether it is news or videos, blogging or education, social media or gaming, entertainment or social movements – a lot is happening online, all the time.

In fact, social media apps have become the new ‘hangout’ zones for virtual citizens. After all, we live in a connected world and enjoy being online. But that may not be always good for tweens and teens as they are still too young to process all the information download happening. This may lead to stress.

Stress is not uncommon in our physical lives. We get stressed by our education, career, relationships and the environment. The same happens in the digital world. In the physical world, our responses to stress are primarily venting, having face-to-face spats or ignoring the issue. Not so in the digital world. In the virtual space, stress may arise from different causes and the repercussions may take on a viral form.

Why do children get stressed by social media? The common causes are:

  • Peer pressure: THE most important reason for children being online is to connect with their friends. And to keep this friendship alive and kicking, they often blindly copy the group leaders, even if they are not comfortable with what they are doing
  • FOMO (Fear of Missing Out): Teens, especially girls, have a competitive spirit when it comes to online presence and don’t want to be ‘the last to know’ so, they end up spending a lot of time online
  • Keeping up with the Jones’: The same competitive spirit leads kids to spend hours posing and selecting the perfect pics to share online or seek approval from strangers. This is risky, as negative comments online can harm self-confidence
  • Excessive sharing: When kids share a lot of their private information on social media, they leave themselves vulnerable to hacking, as well as opening themselves up to contact from inappropriate individuals online
  • Cyberbullying: Most kids have witnessed or experienced some forms of cyberbullying and often end up as either perpetrators or victims or mute spectators. In all cases, this is a disturbing occurrence
  • Lack of screen time limits: Lack of digital balance can have psychological effects and so digital usage rules are a must
  • Lack of empathy: When children are not taught to respect others and their traditions, they do not develop empathy and may end up bullying those with differing views and lifestyles
  • Exposure to inappropriate content or people: The wrong connections and information are a big source of stress
  • Online spats: Differences crop up, leading to squabbles and heated exchanges. It gets complex when this is done in a public forum and strangers join in
  • Disturbing global news: The slew of violent news often creates negative tension in the minds of youngsters, leaving them feeling confused and belligerent

Parenting plays a major role in helping children learn how to tackle social media stress.  As parents, you know your children the best. Yes, even teens.

Observe them and if you note any change in their social media habits or general behaviour, talk to them. The earlier you start having frank one-to-one conversations, the easier will it be for you later. But before that, you may need to modify your own response to stress and learn to control your reactions. That way you will teach them a very important lesson without having to use a single word.

Help your kids fight social media stress:

  • Accept differences: People are different and will have different opinions. Accept the differences and respect their values
  • Be discerning: Life isn’t a bed of roses for anyone, so don’t let profiles fool you. Don’t judge someone by their bio and pictures
  • Practice tact: When things get bitter, the decent thing to do is to agree to disagree and walk away. If you don’t react, it doesn’t mean you are the weak one; it means you are smart enough not to get provoked. However, if the meanness gets out of hand, be the strong one and report and block account
  • Practice digital balance: Limit screen time and have good friends in the real world who will always stand by you
  • Be aware: The world will have both good and bad and growing up means learning to understand and accept this. Maturity is being able to stay true to values. Wisdom is knowing which is bad and avoiding it

Say goodbye to stress and lead a healthier and happier life online. Apply your values from your physical life in the digital one and practice STOP.THINK. CONNECT. And don’t forget! Use McAfee Total Protection on all connected devices to protect what you value the most.

The post Handling Social Media Stress – Pointers to Share with Your Teens appeared first on McAfee Blogs.

Nozomi Networks and IBM Team Up to Answer Demand for Integrated IT/OT Cybersecurity

Across the manufacturing, oil/gas, chemical and utilities industries, operational technology (OT) attacks are on the rise. Governments, as well as energy and utility organizations, around the world are sharpening their focus on cybersecurity — and with good reason.

Attacks on critical infrastructures, such as fuel, electricity and drinking water supply, could potentially cause damage far beyond the obvious economic impact.

Incidents like the notorious shutdown of several nuclear centrifuges by Stuxnet malware in 2010; the Shamoon attacks against Gulf state organizations in November 2016 and January 2017; and multiple attacks against Ukrainian energy facilities in 2015 and 2016 are proof that the stakes are higher than ever for companies operating industrial control systems (ICSs).

Growing Threat; Stagnant Response

Despite the high-profile risks, a new IBM Institute of Business Value (IBV) report noted that many companies are still vulnerable today. The study, commissioned by Oxford Economics to understand how organizations protect themselves from OT risks, found that companies spend an average of 7 percent of their IT budgets on deployment and maintenance and only 1 percent on securing infrastructure. This is why governments are mandating more control over these environments through new regulations.

To improve cyber resiliency, security leaders need real-time visibility into their OT environments and assets, as well as cyberthreats, risks and process anomalies.

IBM, in partnership with Nozomi Networks, automates the hard work of taking inventory and visualizing and monitoring ICS tools while delivering the real-time visibility and threat detection organizations need to ensure high cyber resiliency and reliability.

Nozomi Networks QRadar Solution Now Available on IBM X-Force App Exchange

The new Nozomi Networks QRadar solution is now available for download on the IBM X-Force App Exchange. It provides deep visibility into OT networks and assets and real-time monitoring of security threats and risks.

The live streaming app displays events detected by Nozomi Networks SCADAguardian. The dashboard header provides important details at a glance, highlighting the number of events with a magnitude of 7-plus, the most-used protocol and the most-seen event name.

Graphical charts provide details on event source and destination IP, while the most recent events are displayed in a live-streaming list. The dashboard also supports drill-down for deeper event investigation.

Nozomi Networks QRadar Solution

Nozomi Networks QRadar app

The Nozomi Networks QRadar app shows important event details captured by SCADAguardian, including the number of OT events with a magnitude of 7-plus, the most-used protocol, event source and destination IP.

Nozomi Networks QRadar app supports drill-down on events by source and destination for fast and easy investigation into what’s going on inside the OT network.

Integrated Cybersecurity Solution on Display at RSA 2018 Asia Pacific & Japan

Nozomi Networks is also collaborating with IBM at the RSA Conference in Singapore in July 2018. Through a pre-conference workshop and an integrated IBM/Nozomi Networks IT/OT cybersecurity demo, RSA attendees will be able to see the solution’s deep industrial network visibility, nonintrusive monitoring, continuous threat detection and intelligent threat hunting capabilities firsthand.

These features include:

  • Live demos of IBM QRadar’s integration with Nozomi Networks SCADAguardian: The IBM-certified integration supports utilities, oil/gas, manufacturing and other industrial environments with advanced IT and OT security monitoring capabilities, including easy access to deep network visibility, nonintrusive monitoring, continuous threat detection and intelligent ICS threat hunting.
  • Enhanced security services for IT/OT convergence: Attendees will learn how Nozomi Networks and IBM Security services are joining forces to provide best-in-class, value-added IT and OT security solutions.
  • Nozomi Networks on the IBM X-Force App Exchange: Nozomi Networks SCADAguardian is now certified by IBM and available via the IBM X-Force App Exchange. The app makes it easy to seamlessly incorporate real-time operational visibility and industrial network monitoring in a comprehensive IT/OT cybersecurity program.
  • A one-stop solution adding OT visibility and cybersecurity: QRadar combines Nozomi Networks solutions and IBM’s IT/OT risk-management portfolio for robust automated security assistance.

The post Nozomi Networks and IBM Team Up to Answer Demand for Integrated IT/OT Cybersecurity appeared first on Security Intelligence.

A WordPress SPAMbot Wants You to Bet on the 2018 FIFA World Cup

Our researchers recently picked up on a spike in SPAM activity directed at sites powered by WordPress, which, naturally, led them to take a closer look.

Turns out the attack was launched by a botnet and implemented in the form of comment SPAM – meaningless, generic text generated from a template and posted in the comment sections of blogs, news articles etc; linking to pay-per-click commercial or suspicious sites looking to scam you or phish for your passwords.

Sifting through the comments we began to see a pattern – the linked sites offered betting services on 2018 FIFA World Cup matches.

How did they do it?

The SPAMbots mainly targeted WordPress sites using the “Spray and Pray” technique – attempting to post a comment to the same URI across different sites, regardless of whether the site is vulnerable or if it even has a comment section.

The payload used by the SPAMbot is a simple list of parameters whose values vary between each request. The following payload, for example:

Under the right circumstances, the text above can be resolved to produce the following comment:

Of course, this comment didn’t appear on any Imperva protected website, we blocked them all; we found it in an online search.

The comments used by the botnet have been around for more than half a decade, tracing back to 2013 when a gist was published with the comment SPAM template. Searching any part of the non-varying text in the template yields tens of thousands of results, showing how widespread it is.

Our analysis found that the top 10 links advertised by the botnet lead to World Cup betting sites. Interestingly, eight of the top advertised sites contained links to the same betting site, hinting that they might be connected in a way.

We found that the botnet advertised over 1000 unique URLs, most of them appear multiple times. In many cases, the botnet used different techniques such as URL redirection and URL-shortening services to mask the true destination of the advertised link.

SPAMbot activity

We tracked down the botnet consisting of more than 1200 unique IPs, with up to 700 daily unique IPs, and monitored their behavior:

In the weeks before the World Cup, the botnet has emphasized other, non-SPAM attacks, including unsuccessful attempts to invoke Remote Code Execution (RCE) via PHP and to abuse Unrestricted File Upload to WordPress sites.
Once the matches began, the botnets rapidly decreased their violent behavior and increased their comment SPAM activity, peaking at the quarter-finals and semi-finals, possibly indicating that the botnet owner shifted his activity towards, what might be, a more valuable channel at the moment – World Cup betting sites.

A possible explanation is that the botnet is for hire. The malicious activity we’ve seen at first was either paid for or simply the botnet’s attempt to grow itself. Then, it was hired by these betting sites to advertise them and increase their SEO.

Stop SPAM and carry on

Although comment SPAM has been with us for more than a decade — and doesn’t seem like it’s going away anytime soon — there are numerous solutions ranging from dedicated plugins that block comments that look SPAMmy, to WAF services.

Imperva utilizes multiple SPAM protection tools, including:

  • Identification of SPAMming IPs
  • Classification of SPAM tools and botnets
  • Detection of URLs advertised in comment SPAM

Defending against cyber threats requires an in-depth understanding of the cybersecurity landscape coupled with experience dealing with known threats and the dexterity to identify and defend against new ones. So, find a solution that fits your needs and protects your website; make sure not to miss the next World Cup match, and try not to bet on it through a suspicious site you sourced from a blog post comment…

Why It’s Time to Cross Out the Checklist Approach to Vendor Security

It’s such a great feeling to check a box on your vendor security checklist. You establish a relationship with a third party — check! You meet another regulatory requirement — check! Once you’ve marked down every item and an audit turns up a clean report, the sales deal is done.

All parties involved can then go merrily on their way… until a malicious actor uncovers a security flaw that was overlooked amid all the handshakes and paperwork that went into the deal.

This security approach is especially prevalent in vendor management: One side says all is well — and the other takes this claim at face value without vetting it. This approach is not good for security, and it’s certainly not good for business.

Navigate Common Vendor Security Roadblocks

The most common (and dangerous) approach to vendor security happens when a company asks a third party for a copy of its latest vulnerability assessment or security operations center (SOC) audit report. Many people go through the motions to obtain these reports and check the box without considering how both documented and undocumented issues truly impact security.

In some cases, people are willing to look the other way or make dangerous assumptions — they’ve got to keep the business going, after all. Then, there’s the reality beyond the report. Clean reports, especially around SOC audits, are common. If there are any findings, it’s often an administrative issue related to user account management or data backups, but nothing of real substance that’s going to facilitate an incident or breach.

It’s also common for vendors to provide more in-depth vulnerability and penetration testing reports that are clean (or, at least, have minimal areas of concern). These reports are often based on network vulnerability scans that do not look at the entire IT environment — not an in-depth web application analysis.

When presented with these reports, it’s easy to overlook things like missing patches on workstations, SQL injections on web applications and misconfigured guest wireless networks. Instead of acknowledging these patch-management and security-awareness gaps, many business leaders just move on to the next big thing and sweep security under the rug.

When Talking Security, Don’t Beat Around the Bush

When it comes to security, there’s often a lack of ongoing involvement and oversight. It’s obviously important to keep the business running, but too many decision-makers assume security controls are sufficient to counter cyberattacks simply because someone else told them so.

It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity.

It’s similar to a doctor giving a patient a clean bill of health even though he or she is masking symptoms with medication. Although the bloodwork may look good, the patient is bound to have long-term health problems unless he or she makes better lifestyle choices. Many security programs follow the same path — especially when it comes to vendor management — and it’s a recipe for an unsustainable outlay of data breaches.

Part of the challenge is that people are sometimes afraid to ask questions. They want to appear professional and nice, and this often causes them to gloss over uncomfortable subjects — namely, security. It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity. This seems simple on the surface, but when organizational politics and high-value business deals are involved, everything gets more complicated.

Adopt a Trust-But-Verify Approach to Vendor Management

Vendor management is a hot topic today — and one that many enterprises struggle with. It doesn’t have to be terribly complicated, but it does have to be near the top of your information security program priorities. While it’s important to do right by your vendors, it’s more crucial to do what’s best for your business. That means looking beyond the paperwork, basic vulnerability checks and blind faith that the company is secure simply because someone else said so.

The best way to handle vendor security is through the old-school approach of trust but verify. Talk is cheap — and people are expedient, especially when big business deals are on the line. Try to step back and see through all the talk to truly understand what your vendors are doing.

When the going gets rough and the lawyers get involved, that’s the only defensible strategy.

Listen to the complete podcast series: Take Back Control of Your Cybersecurity now

The post Why It’s Time to Cross Out the Checklist Approach to Vendor Security appeared first on Security Intelligence.

Finding Connections in the Global Village

To commemorate F-Secure’s 30th year of innovation, we’re profiling 30 of our fellows from our more than 25 offices around the globe.

The global village can be a pretty great place to live. But it can still be a challenge working across distances or boundaries – whether they be cultural, logistical, linguistic, or whatever else. But it’s a challenge that F-Secure’s Jani Kallio has taken since he joined the company with F-Secure’s acquisition of cyber security firm nSense in 2015.

“At nSense I started building our Security & Risk Management consulting practice as the Global Practice Leader. But during the 2 years since we joined F-Secure, I left that responsibility and my great team of 15 consultants, and transitioned to a business development role,” explains Jani. “Now, one of my key tasks is to prepare expansion opportunities for our consulting business through M&A.”

And Jani’s favorite part of this is finding common ground between different people – what he calls “a common language”. It’s something he’s been doing while based in London, since F-Secure acquired Digital Assurance Consulting – a small but reputable penetration testing company . Part of that process was his relocation to the city with his wife and daughter in summer 2017.

It’s a skill Jani uses to help F-Secure consulting expand further. “The best part of my job is when I’m able to identify similarities in cultures and untapped potentials which we could address together for mutual benefit,” said Jani. “When trying to motivate entrepreneurs into selling their company, it’s all about people. I need to sell the idea of F-Secure as a new home. It’s actually kind a match making process and it doesn’t work if you are not able to sell a joint vision.”

The cyber security business is still all about security, and you have to know what it means to customers, but Jani thinks it might surprise some people how differently that is seen across industries.

“In a single day, I can be in talks about the technical details of a security vulnerability with a consultant, discounted cash flow variables with a M&A advisor, business strategies with a senior entrepreneur, and coverage of cyber insurance with a broker or underwriter. It is a privilege, really, to be involved in so many different fields with different people.”

In terms of career advice, Jani has a few suggestions on how people could progress in the cyber security business.

“Choose a team who you can learn from, preferably strong in other areas than your own background. Choose a boss who believes in you. Share what you know with the people around you. And never stop learning, because this world will never slow down to wait for you to catch up.“

And if you’re looking for a career that will take you to different countries, remember to find things you have in common with the people around you, because there are bound to be differences. Some of them are really small, an example Jani discovered from working in London.

“Londoners have lunch over their keyboards and eat a good 2 hours later than I’m used to. Most restaurants do not even serve proper lunch before 12:00 in Soho, which is one thing I’m still getting used to.”

After Jani’s interview, F-Secure announced the acquisition of MWR InfoSecurity, a privately held cyber security company with close to 400 employees and operating globally from its HQ in London and other offices in the UK, the US, South Africa and Singapore.

And check out our open positions if you want to join Jani and the hundreds of other great fellows fighting to keep internet users safe from online threats.

Brazil’s Senate Passes General Data Protection Law

This post has been updated. 

As reported by Mundie e Advogados, on July 10, 2018, Brazil’s Federal Senate approved a Data Protection Bill of Law (the “Bill”). The Bill, which is inspired by the EU General Data Protection Regulation (“GDPR”), is expected to be sent to the Brazilian President in the coming days.

As reported by Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados, the Bill establishes a comprehensive data protection regime in Brazil and imposes detailed rules for the collection, use, processing and storage of personal data, both electronic and physical.

Key requirements of the Bill include:

  • National Data Protection Authority. The Bill calls for the establishment of a national data protection authority which will be responsible for regulating data protection, supervising compliance with the Bill and enforcing sanctions.
  • Data Protection Officer. The Bill requires businesses to appoint a data protection officer.
  • Legal Basis for Data Processing. Similar to the GDPR, the Bill provides that the processing of personal data may only be carried out where there is a legal basis for the processing, which may include, among other bases, where the processing is (1) done with the consent of the data subject, (2) necessary for compliance with a legal or regulatory obligation, (3) necessary for the fulfillment of an agreement, or (4) necessary to meet the legitimate interest of the data controller or third parties. The legal basis for data processing must be registered and documented. Processing of sensitive data (including, among other data elements, health information, biometric information and genetic data) is subject to additional restrictions.
  • Consent Requirements. Where consent of the data subject is relied upon for processing personal data, consent must be provided in advance and must be free, informed and unequivocal, and provided for a specific purpose. Data subjects may revoke consent at any time.
  • Data Breach Notification. The Bill requires notification of data breaches to the data protection authority and, in some circumstances, to affected data subjects.
  • Privacy by Design and Privacy Impact Assessments. The Bill requires organizations to adopt data protection measures as part of the creation of new products or technologies. The data protection authority will be empowered to require a privacy impact assessment in certain circumstances.
  • Data Transfer Restrictions. The Bill places restrictions on cross-border transfers of personal data. Such transfers are allowed (1) to countries deemed by the data protection authority to provide an adequate level of data protection, and (2) where effectuated using standard contractual clauses or other mechanisms approved by the data protection authority.

Noncompliance with the Bill can result in fines of up to two percent of gross sales, limited to 50 million reias (approximately USD 12.9 million) per violation. The Bill will take effect 18 months after it is published in Brazil’s Federal Gazette.

Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis

Much of cybercrime today is fueled by underground markets where malware and cybercriminal services are available for purchase. These markets in the deep web commoditize malware operations. Even novice cybercriminals can buy malware toolkits and other services they might need for malware campaigns: encryption, hosting, antimalware evasion, spamming, and many others.

Hawkeye Keylogger is an info-stealing malware thats being sold as malware-as-a-service. Over the years, the malware authors behind Hawkeye have improved the malware service, adding new capabilities and techniques. It was last used in a high-volume campaign in 2016.

This year marked the resurgence of Hawkeye. In April, malware authors started peddling a new version of the malware that they called Hawkeye Keylogger – Reborn v8. Not long after, on April 30, Office 365 Advanced Threat Protection (Office 365 ATP) detected a high-volume campaign that distributed the latest variants of this keylogger.

At the onset, Office 365 ATP blocked the email campaign and protected customers, 52% of whom are in the software and tech sector. Companies in the banking (11%), energy (8%), chemical (5%), and automotive (5%) industries are also among the top targets

Figure 1. Top industries targeted by the April 2018 Hawkeye campaign

Office 365 ATP uses intelligent systems that inspect attachments and links for malicious content to protect customers against threats like Hawkeye in real time. These automated systems include a robust detonation platform, heuristics, and machine learning models. Office 365 ATP uses intelligence from various sensors, including multiple capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP).

Windows Defender AV (a component of Windows Defender ATP) detected and blocked the malicious attachments used in the campaign in at least 40 countries. United Arab Emirates accounted for 19% of these file encounters, while the Netherlands (15%), the US (11%), South Africa (6%) and the UK (5%) make the rest of the top 5 countries that saw the lure documents used in the campaign. A combination of generic and heuristic protections in Windows Defender AV (TrojanDownloader:O97M/Donoff, Trojan:Win32/Tiggre!rfn, Trojan:Win32/Bluteal!rfn, VirTool:MSIL/NetInject.A) ensured these threats are blocked in customer environments.

Figure 2. Top countries that encountered malicious documents used in the Hawkeye campaign

As part of our job to protect customers from malware attacks, Office 365 ATP researchers monitor malware campaigns like Hawkeye and other developments in the cybercriminal landscape. Our in-depth investigation into malware campaigns like Hawkeye and many others adds to the vast threat intelligence we get from the Microsoft Intelligent Security Graph, which enables us to continuously raise the bar in security. Through the Intelligent Security Graph, security technologies in Microsoft 365 share signals and detections, allowing these technologies to automatically update protection and detection mechanisms, as well as orchestrate remediation across Microsoft 365.

Figure 3. Microsoft 365 threat protection against Hawkeye

Campaign overview

Despite its name, Hawkeye Keylogger – Reborn v8 is more than a common keylogger. Over time, its authors have integrated various modules that provide advanced functionalities like stealth and detection evasion, as well as credential theft and more.

Malware services like Hawkeye are advertised and sold in the deep web, which requires anonymity networks like Tor to access, etc. Interestingly, the Hawkeye authors advertised their malware and even published tutorial videos on a website on the surface web (that has since been taken down). Even more interesting, based on underground forums, it appears the malware authors have employed intermediary resellers, an example of how cybercriminal underground business models expand and evolve.

Our investigation into the April 2018 Hawkeye campaign shows that the cybercriminals have been preparing for the operation since February, when they registered the domains they later used in the campaign.

Typical of malware campaigns, the cybercriminals undertook the following steps:

  • Built malware samples and malware configuration files using a malware builder they acquired from the underground
  • Built weaponized documents to be used a social engineering lure (possibly by using another tool bought in the underground)
  • Packed or obfuscated the samples (using a customized open-source packer)
  • Registered domains for delivery of malware
  • Launched a spam campaign (possibly using a paid spam service) to distribute the malware

Like other malware toolkits, Hawkeye comes with an admin panel that cybercriminals use to monitor and control the attack.

Figure 4: Hawkeyes admin panel

Interestingly, some of the methods used in this Hawkeye campaign are consistent with previous attacks. This suggests that the cybercriminals behind this campaign may be the same group responsible for malware operations that delivered the remote access tool (RAT) Remcos and the info-stealing bot malware Loki. The following methods were used in these campaigns:

  • Multiple documents that create a complicated, multi-stage delivery chain
  • Redirections using shortened bit.ly links
  • Use of malicious macro, VBScript, and PowerShell scripts to run the malware; the Remcos campaign employed an exploit for CVE-2017-0199 but used the same domains
  • Consistent obfuscation technique across multiple samples

Point of entry

In late April, Office 365 ATP analysts spotted a new spam campaign with the subject line RFQ-GHFD456 ADCO 5647 deadline 7th May carrying a Word document attachment named Scan Copy 001.doc. While the attachments file name extension was .doc, it was in fact a malicious Office Open XML format document, which usually uses a .docx file name extension.

In total, the campaign used four different subject lines and five attachments.

Figure 5: Sample emails used in the Hawkeye campaign

Because the attachment contains malicious code, Microsoft Word opens with a security warning. The document uses a common social engineering lure: it displays a fake message and an instruction to Enable editing and Enable content.

Figure 6: The malicious document with social engineering lure

The document contains an embedded frame that connects to a remote location using a shortened URL.

Figure 7: frame in settings.rels.xml on the document

The frame loads an .rtf file from hxxp://bit[.]ly/Loadingwaitplez, which redirects to hxxp://stevemike-fireforce[.]info/work/doc/10.doc.

Figure 8: RTF loaded as a frame inside malicious document

The RTF has an embedded malicious .xlsx file with macro as an OLE object, which in turn contains a stream named PACKAGE that contains the .xlsx contents.

The macro script is mostly obfuscated, but the URL to the malware payload is notably in plaintext.

Figure 9: Obfuscated macro entry point

De-obfuscating the entire script makes its intention clear. The first section uses PowerShell and the System.Net.WebClient object to download the malware to the path C:\Users\Public\svchost32.exe and execute it.

The macro script then terminates both winword.exe and excel.exe. In specific scenarios where Microsoft Word overrides default settings and is running with administrator privileges, the macro can delete Windows Defender AVs malware definitions. It then changes the registry to disable Microsoft Offices security warnings and safety features.

In summary, the campaigns delivery comprises of multiple layers of components that aim to evade detection and possibly complicate analysis by researchers.

Figure 10: The campaigns delivery stages

The downloaded payload, svchost32.exe, is a .NET assembly named Millionare that is obfuscated using a custom version of ConfuserEx, a well-known open-source .NET obfuscator.

Figure 11: Obfuscated .NET assembly Millionare showing some of the scrambled names

The obfuscation modifies the .NET assemblys metadata such that all the class and variable names are non-meaningful and scrambled names in Unicode. This obfuscation causes some analysis tools like .NET Reflector to show some namespaces or classes names as blank, or in some cases, display parts of the code backwards.

Figure 12: .NET Reflector presenting the code backwards due to obfuscation

Finally, the .NET binary loads an unpacked .NET assembly, which includes DLL files embedded as resources in the portable executable (PE).

Figure 13: Loading the unpacked .NET assembly during run-time

Malware loader

The DLL that initiates the malicious behavior is embedded as a resource in the unpacked .NET assembly. It is loaded in memory using process hollowing, a code injection technique that involves spawning a new instance of a legitimate process and then hollowing it out, i.e., replacing the legitimate code with malware.

Figure 14: In-memory unpacking of the malware using process hollowing.

Unlike previous Hawkeye variants (v7), which loaded the main payload into its own process, the new Hawkeye malware injects its code into MSBuild.exe, RegAsm.exe, and VBC.exe, which are signed executables that ship with .NET framework. This is an attempt to masquerade as a legitimate process.

Figure 15: Obfuscated calls using .NET reflection to perform process hollowing injection routine that injects the malwares main payload into RegAsm.exe

Additionally, in the previous version, the process hollowing routine was written in C. In the new version, this routine is completely rewritten as a managed .NET that calls the native Windows API.

Figure 16: Process hollowing routine implemented in .NET using native API function calls

Malware functionalities

The new Hawkeye variants created by the latest version of the malware toolkit have multiple sophisticated functions for information theft and evading detection and analysis.

Information theft

The main keylogger functionality is implemented using hooks that monitor key presses, as well as mouse clicks and window context, along with clipboard hooks and screenshot capability.

It has specific modules for extracting and stealing credentials from the following applications:

  • Beyluxe Messenger
  • Core FTP
  • FileZilla
  • Minecraft (replaced the RuneScape module in previous version)

Like many other malware campaigns, it uses the legitimate BrowserPassView and MailPassView tools to dump credentials from the browser and email client. It also has modules for taking screenshots of the desktop, as well as the webcam, if it exists.

Notably, the malware has a mechanism to visit certain URLs for click-based monetization.

Stealth and anti-analysis

On top of the processes hollowing technique, this malware uses other methods for stealth, including alternate data streams that remove mark of the web (MOTW) from the malwares downloaded files.

This malware can be configured to delay execution by any number of seconds, a technique used mainly to avoid detection by various sandboxes.
It prevents antivirus software from running using an interesting technique. It adds keys to the registry location HKLM\Software\Windows NT\Current Version\Image File Execution Options and sets the Debugger value for certain processes to rundll32.exe, which prevents execution. It targets the following processes related to antivirus and other security software:

  • AvastSvc.exe
  • AvastUI.exe
  • avcenter.exe
  • avconfig.exe
  • avgcsrvx.exe
  • avgidsagent.exe
  • avgnt.exe
  • avgrsx.exe
  • avguard.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • avscan.exe
  • bdagent.exe
  • ccuac.exe
  • ComboFix.exe
  • egui.exe
  • hijackthis.exe
  • instup.exe
  • keyscrambler.exe
  • mbam.exe
  • mbamgui.exe
  • mbampt.exe
  • mbamscheduler.exe
  • mbamservice.exe
  • MpCmdRun.exe
  • MSASCui.exe
  • MsMpEng.exe
  • msseces.exe
  • rstrui.exe
  • spybotsd.exe
  • wireshark.exe
  • zlclient.exe

Further, it blocks access to certain domains that are usually associated with antivirus or security updates. It does this by modifying the HOSTS file. The list of domains to be blocked is determined by the attacker using a config file.

This malware protects its own processes. It blocks the command prompt, registry editor, and task manager. It does this by modifying registry keys for local group policy administrative templates. It also constantly checks active windows and renders action buttons unusable if the window title matches ProcessHacker, Process Explorer, or Taskmgr.

Meanwhile, it prevents other malware from infecting the machine. It repeatedly scans and removes any new values to certain registry keys, stops associated processes, and deletes related files.

Hawkeye attempts to avoid automated analysis. The delay in execution is designed to defeat automated sandbox analysis that allots only a certain time for malware execution and analysis. It likewise attempts to evade manual analysis by monitoring windows and exiting when it finds the following analysis tools:

  • Sandboxie
  • Winsock Packet Editor Pro
  • Wireshark

Defending mailboxes, endpoints, and networks against persistent malware campaigns

Hawkeye illustrates the continuous evolution of malware in a threat landscape fueled by the cybercriminal underground. Malware services make malware accessible to even unsophisticated operators, while simultaneously making malware more durable with advanced techniques like in-memory unpacking and abuse of .NETs CLR engine for stealth. In this blog we covered the capabilities of its latest version, Hawkeye Keylogger – Reborn v8, highlighting some of the enhancements from the previous version. Given its history, Hawkeye is likely to release a new version in the future.

Organizations should continue educating their employees about spotting and preventing social engineering attacks. After all, Hawkeyes complicated infection chain begins with a social engineering email and lure document. A security-aware workforce will go a long way in securing networks against attacks.

More importantly, securing mailboxes, endpoints, and networks using advanced threat protection technologies can prevent attacks like Hawkeye, other malware operations, and sophisticated cyberattacks.

Our in-depth analysis of the latest version and our insight into the cybercriminal operation that drives this development allow us to proactively build robust protections against both known and unknown threats.

Office 365 Advanced Threat Protection (Office 365 ATP) protects mailboxes as well as files, online storage, and applications from malware campaigns like Hawkeye. It uses a robust detonation platform, heuristics, and machine learning to inspect attachments and links for malicious content in real-time, ensuring that emails that carry Hawkeye and other threats dont reach mailboxes and devices. Learn how to add Office 365 ATP to existing Exchange or Office 365 plans.

Windows Defender Antivirus (Windows Defender AV) provides an additional layer of protection by detecting malware delivered through email, as well as other infection vectors. Using local and cloud-based machine learning, Windows Defender AVs next-gen protection can block even new and unknown threats on Windows 10 and Windows 10 in S mode.

Additionally, endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) expose sophisticated and evasive malicious behavior, such as those used by Hawkeye. Sign up for free Windows Defender ATP trial.

Windows Defender ATPs rich detection libraries are powered by machine learning and allows security operations teams to detect and respond to anomalous attacks in the network. For example, machine learning detection algorithms surface the following alert when Hawkeye uses a malicious PowerShell to download the payload:

Figure 16: Windows Defender ATP alert for Hawkeyes malicious PowerShell component

Windows Defender ATP also has behavior-based machine learning algorithms that detect the payload itself:

Figure 17: Windows Defender ATP alert for Hawkeyes payload

These security technologies are part of the advanced threat protection solutions in Microsoft 365. Enhanced signal sharing across services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph enables the automatic update of protections and orchestration of remediation across Microsoft 365.

 

 

Office 365 ATP Research

 

 

Indicators of Compromise (Ioc)

Email subject lines

  • {EXT} NEW ORDER ENQUIRY #65563879884210#
  • B/L COPY FOR SHIPMENT
  • Betreff: URGENT ENQ FOR Equipment
  • RFQ-GHFD456 ADCO 5647 deadline 7th May

Attachment file names

  • Betreff URGENT ENQ FOR Equipment.doc
  • BILL OF LADING.doc
  • NEW ORDER ENQUIRY #65563879884210#.doc
  • Scan Copy 001.doc
  • Swift Copy.doc

Domains

  • lokipanelhostingpanel[.]gq
  • stellarball[.]com
  • stemtopx[.]com
  • stevemike-fireforce[.]info

Shortened redirector links

  • hxxp://bit[.]ly/ASD8239ASdmkWi38AS (was also used in a Remcos campaign)
  • hxxp://bit[.l]y/loadingpleaswaitrr
  • hxxp://bit[.l]y/Loadingwaitplez

Files (SHA-256)

  • d97f1248061353b15d460eb1a4740d0d61d3f2fcb41aa86ca6b1d0ff6990210a – .eml
  • 23475b23275e1722f545c4403e4aeddf528426fd242e1e5e17726adb67a494e6 – .eml
  • 02070ca81e0415a8df4b468a6f96298460e8b1ab157a8560dcc120b984ba723b – .eml
  • 79712cc97a19ae7e7e2a4b259e1a098a8dd4bb066d409631fb453b5203c1e9fe – .eml
  • 452cc04c8fc7197d50b2333ecc6111b07827051be75eb4380d9f1811fa94cbc2 – .eml
  • 95511672dce0bd95e882d7c851447f16a3488fd19c380c82a30927bac875672a – .eml
  • 1b778e81ee303688c32117c6663494616cec4db13d0dee7694031d77f0487f39 – .eml
  • 12e9b955d76fd0e769335da2487db2e273e9af55203af5421fc6220f3b1f695e – .eml
  • 12f138e5e511f9c75e14b76e0ee1f3c748e842dfb200ac1bfa43d81058a25a28 – .eml
  • 9dfbd57361c36d5e4bda9d442371fbaa6c32ae0e746ebaf59d4ec34d0c429221 – .docx (stage 1)
  • f1b58fd2bc8695effcabe8df9389eaa8c1f51cf4ec38737e4fbc777874b6e752 – .rtf (stage 2)
  • 5ad6cf87dd42622115f33b53523d0a659308abbbe3b48c7400cc51fd081bf4dd – .doc
  • 7db8d0ff64709d864102c7d29a3803a1099851642374a473e492a3bc2f2a7bae – .rtf
  • 01538c304e4ed77239fc4e31fb14c47604a768a7f9a2a0e7368693255b408420 – .rtf
  • d7ea3b7497f00eec39f8950a7f7cf7c340cf9bf0f8c404e9e677e7bf31ffe7be – .vbs
  • ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8 – .exe (packed)
  • c73c58933a027725d42a38e92ad9fd3c9bbb1f8a23b3f97a0dd91e49c38a2a43 – .exe (unpacked)

*Updated 07/12/18 (Removed statement that Hawkeye Keylogger is also known as iSpy Keylogger

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

P = NP: Cloud data protection in vulnerable non-production environments

Data is the holy grail of your cloud workloads for attackers. Data breaches are the kind of breaches that make the news. With the recent European Union General Data Protection Regulations (GDPR), they will make even bigger headlines. From an enterprise point of view, the most challenging aspect of protecting data is knowing what it is and where it resides. Only when these two questions are answered can you drive data protection via organizational policies.

Most of your sensitive data is collected in production environmentsthe environments you know that you need to protect, and you usually do. But this is only part of the story. Even though best practices mandate that sensitive information be scrubbed before it transits in the organization, this cannot be ensured. It stands in contradiction to the growing adoption and improvements of the shift-left testing concept, as well as other business needs.

Shift-left testing is the movement of testing to earlier stages in the development lifecycle. Mature testing in early stages is appreciated as it helps developers find problems earlier and in a more cost-effective manner. It also helps quality assurance teams to reproduce bugs in the system and accelerates the debugging processes.

There are other business needs for pulling data to non-production environments. In the research and analytics space, data scientists and analysts prefer to use real data to do their research effectively, whether to offer models that improve the production systems, to perform forensic and log analysis, or to bring insight to product, strategy, and marketing teams, to name a few. In the customer service space, helpdesk personnel may need to pull sensitive records to allow them to perform their jobs efficiently.

For these purposes and others, production data is being pulled not only to the staging environment, but also to development and test environments, as well as research and analytics environments. Data may even reach personal or team playgrounds. Oftentimes, the reality is that organizations disperse data across various environments, making it hard to keep track of what and where.

The following schematic depicts the flow of code from development environments to staging and production environments, along with the flow of production data back to staging, development, and research environments to allow for mature testing and business improvement at earlier stages. The latter flow may even continue to leak outside the organizations IT.

From a security point of view, the data pull should be protected, and sensitive data should not be present in a non-production environment. Synthetic fake data generation should be applied when possible, and format-preserving masking should be applied when data needs to be more realistic. However, not using real data will always impose some loss of data properties and, in turn, the data will always lack some characteristics that may be crucial for testing, and certainly for research. Therefore, to enable advanced testing at earlier stages and allow for better analytics, real data will keep being pulled out of production environments, and the associated risk will be spread throughout the organizations data stores.

To address this risk, applying perimeter solutions is a good start. But if this is your answer to the risk, then you should think again! Are you sure that once an attacker gets a hold of your sensitive data, he cannot evade detection? Are you sure that you have no malicious insiders? What is a perimeter in the cloud?

Lets take a step back and rethink the basics of what is needed from a data protection solution: beyond basic security requirements, such as role-based access control, multifactor authentication, setting up firewalls, and encrypting data at rest and data in transit, advanced threat protection should be deployed. This comprises of:

  1. Visibility on where your sensitive data resides, what type of sensitive data it is, and who is accessing this data and how.
  2. Understanding the vulnerabilities of your data stores and being able to fix them.
  3. Detecting the threats and attempts made to infiltrate your data stores.

Any subset of these capabilities is going to leave weak spots in your organizations posture. For instance, if you have visibility regarding the whereabouts of sensitive data, but no knowledge of the vulnerabilities of your databases, can you be sure that any attempt to infiltrate/exfiltrate your database is detected? Test environments are commonly targeted for data breaches where real data is used for testing and development purposes, like the recent example of Shutterfly.

In addition, if you have a vulnerability in a non-production resource, most likely it exists in similar production resources as well. Finding this out gives a great deal of leverage in reconnaissance terms to attackers. They can probe and investigate non-production environments to find weak spots, then apply them to production environments, minimizing their contact with your production environments, and minimizing the probability of being caught by your threat detection solutionsin case the latter is only deployed on your production environments.

This establishes the following imperative: data protection must be an organization-wide solution, not only a production environment deployment! Hence, P = NP.

From a cloud workload protection perspective, you should build a vision of how to protect your data resources that considers your IT, DevOps, and research methodologies, as well as your data stewardship practices. Deriving a roadmap for this vision requires a solution that allows you to discover your organizations data resources, including any resources in your shadow IT infrastructure. The outcome of this methodic processwhether its manual, semi-automated, or fully automatedshould be a mapping of your data estate across all sorts of environments and an associated risk statement with each resource. This evaluation gives you a metric and can be used as a compass to secure your organization. The resources that were deemed eligible for advanced security should then be continuously monitored with advanced threat prevention solutions that keep you alerted with the vulnerabilities of your resources, the sensitivity of your data, and a real-time threat detection capability. Therefore, when we are asked by customers whether they should protect their non-production environments, our answer is: P = NP!

Azure Security Center is a great built-in tool with Azure that can help you protect all your environments. It helps you assess the security state of your cloud resources, both production and non-production environments and provides advanced threat protection against evolving threats. You can start a free trial for Azure and the Security Center, or if youre already using Azure, just open the Security Center blade to start using it today.

Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks

Thanks to my colleague Christiaan Beek for his advice and contributions.

While researching underground hacker marketplaces, the McAfee Advanced Threat Research team has discovered that access linked to security and building automation systems of a major international airport could be bought for only US$10.

The dark web contains RDP shops, online platforms selling remote desktop protocol (RDP) access to hacked machines, from which one can buy logins to computer systems to potentially cripple cities and bring down major companies.

RDP, a proprietary protocol developed by Microsoft that allows a user to access another computer through a graphical interface, is a powerful tool for systems administrators. In the wrong hands, RDP can be used to devastating effect. The recent SamSam ransomware attacks on several American institutions demonstrate how RDP access serves as an entry point. Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase. Cybercriminals like the SamSam group only have to spend an initial $10 dollars to get access and are charging $40K ransom for decryption, not a bad return on investment.

A screenshot of Blackpass.bz, one of the most popular RDP-shops, largely due to the variety of services offered.

Shops explained

Security maven Brian Krebs wrote the article “Really Dumb Passwords” in 2013. That short phrase encapsulates the vulnerability of RDP systems. Attackers simply scan the Internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as, Hydra, NLBrute or RDP Forcer to gain access. These tools combine password dictionaries with the vast number of credentials stolen in recent large data breaches. Five years later, RDP shops are even larger and easier to access.

The McAfee Advanced Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale at Ultimate Anonymity Service (UAS), a Russian business and the largest active shop we researched. We also looked at smaller shops found through forum searches and chats. During the course of our research we noticed that the size of the bigger shops varies from day to day with about 10%. The goal of our research was not to create a definitive list of RDP shops; rather, we sought a better understanding of the general modus operandi, products offered, and potential victims.

The number of compromised systems claimed to be available for sale by several RDP shops. A single compromised system can appear on more than one shop’s list.

RDP access by cybercriminals

How do cybercriminals (mis)use RDP access? RDP was designed to be an efficient way to access a network. By leveraging RDP, an attacker need not create a sophisticated phishing campaign, invest in malware obfuscation, use an exploit kit, or worry about antimalware defenses. Once attackers gain access, they are in the system. Scouring the criminal underground, we found the top uses of hacked RDP machines promoted by RDP shops.

False flags: Using RDP access to create misdirection is one of the most common applications. While preserving anonymity, an attacker can make it appear as if his illegal activity originates from the victim’s machine, effectively planting a false flag for investigators and security researchers. Attackers can plant this flag by compiling malicious code on the victim’s machine, purposely creating false debugging paths and changing compiler environment traces.

Spam: Just as spammers use giant botnets such as Necrus and Kelihos, RDP access is popular among a subset of spammers. Some of the systems we found for sale are actively promoted for mass-mailing campaigns, and almost all the shops offer a free blacklist check, to see if the systems were flagged by SpamHaus and other antispam organizations.

Account abuse, credential harvesting, and extortion: By accessing a system via RDP, attackers can obtain almost all data stored on a system. This information can be used for identity theft, account takeovers, credit card fraud, and extortion, etc.

Cryptomining: In the latest McAfee Labs Threats Report, we wrote about the increase in illegal cryptocurrency mining due to the rising market value of digital currencies. We found several criminal forums actively advertising Monero mining as a use for compromised RDP machines.

Monero mining via RDP advertised on a cybercriminal forum.

Ransomware: The large majority of ransomware is still spread by phishing emails and exploit kits. However, specialized criminal groups such as SamSam are known to use RDP to easily enter their victims’ networks almost undetected.

RDP shop overview

Systems for sale: The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.

Third-party resellers: When comparing “stock” among several RDP shops, we found that the same RDP machines were sold at different shops, indicating that these shops act as resellers.

Windows Embedded Standard: Windows Embedded Standard, now called Windows IOT, is used in a wide variety of systems that require a small footprint. These systems can range from thin clients to hotel kiosk systems, announcement boards, point-of-sale (POS) systems, and even parking meters among others.

Among the thousands of RDP-access systems offered, some configurations stood out. We found hundreds of identically configured Windows Embedded Standard machines for sale at UAS Shop and BlackPass; all these machines were in the Netherlands. This configuration was equipped with a 1-GHz VIA Eden processor. An open-source search of this configuration revealed that it is most commonly used in thin clients and some POS systems. The configurations are associated with several municipalities, housing associations, and health care institutions in the Netherlands.

Thin client and POS systems are often overlooked and not commonly updated, making them an ideal backdoor target for an attacker. Although these systems have a small physical footprint, the business impact of having such a system compromised should not be underestimated. As we’ve observed from previous breaching of retailers leveraging unpatched or vulnerable POS systems, the damage extends far beyond financial only, including customer perception and long-term brand reputation.  In regard to the current affected systems we discovered, McAfee has notified the identified victims and is working to learn further detail on why and how these identical Windows systems were compromised.

Government and health care institutions: We also came across multiple government systems being sold worldwide, including those linked to the United States, and dozens of connections linked to health care institutions, from hospitals and nursing homes to suppliers of medical equipment. In a March blog post, the Advanced Threat Research team showed the possible consequences of ill-secured medical data and what can happen when an attacker gains access to medical systems. It is very troublesome to see that RDP shops offer an easy way in.

Additional products for sale

Services offered by our researched RDP shops.

In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. The second-largest RDP shop we researched, BlackPass, offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts.

For legal and ethical reasons, we did not purchase any of the products offered. Therefore, we cannot determine the quality of the services.

RDP ransomware attack scenario

Is it possible to find a high-value victim using an RDP shop? The Advanced Threat Research team put this theory to the test. By leveraging the vast amounts of connections offered by the RDP shops, we were able to quickly identify a victim that fits the profile of a high-value target in the United States.

We found a newly posted (on April 16) Windows Server 2008 R2 Standard machine on the UAS Shop. According to the shop details, it belonged to a city in the United States and for a mere $10 we could get administrator rights to this system.

RDP access offered for sale.

UAS Shop hides the last two octets the of the IP addresses of the systems it offers for sale and charges a small fee for the complete address. (We did not pay for any services offered by UAS or any other shop.) To locate the system being sold, we used shodan.io to search for any open RDP ports at that specific organization using this query:

org:”City  XXX” port:”3389”

The results were far more alarming than we anticipated. The Shodan search narrowed 65,536 possible IPs to just three that matched our query. By obtaining a complete IP address we could now look up the WHOIS information, which revealed that all the addresses belonged to a major International airport. This is definitely not something you want to discover on a Russian underground RDP shop, but the story gets worse.

From bad to worse

Two of the IP addresses presented a screenshot of the accessible login screens.

A login screen that matches the configuration offered in the RDP shop.

A closer look at the screenshots shows that the Windows configuration (preceding screen) is identical to the system offered in the RDP shop. There are three user accounts available on this system, one of which is the administrator account. The names of the other accounts seemed unimportant at first but after performing several open-source searches we found that the accounts were associated with two companies specializing in airport security; one in security and building automation, the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz.

The login screen of a second system on the same network.

Looking at the other login account (preceding screen), we saw it is part of the domain with a very specific abbreviation. We performed the same kind of search on the other login account and found the domain is most likely associated with the airport’s automated transit system, the passenger transport system that connects terminals. It is troublesome that a system with such significant public impact might be openly accessible from the Internet.

Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10—with no zero-day exploit, elaborate phishing campaign, or watering hole attack.

Anonymization

To publish our findings, we have anonymized the data to prevent any disclosure of sensitive security information.

Basic forensic and security advice

Playing hide and seek

Besides selling countless connections, RDP shops offer tips on how to remain undetected when an attacker wants to use the freshly bought RDP access.

This screen from the UAS Shop’s FAQ section explains how to add several registry keys to hide user accounts.

The UAS Shop offers a zip file with a patch to allow multiuser RDP access, although it is not possible by default on some Windows versions. The zip file contains two .reg files that alter the Windows registry and a patch file that alters termsvrl.dll to allow concurrent remote desktop connections.

These alterations to the registry and files leave obvious traces on a system. Those indicators can be helpful when investigating misuse of RDP access.

In addition to checking for these signs, it is good practice to check the Windows event and security logs for unusual logon types and RDP use. The following screen, from the well-known SANS Digital Forensics and Incident Response poster, explains where the logs can be found.


Source: SANS DFIR Poster 2015.

Basic RDP security measures

Outside access to a network can be necessary, but it always comes with risk. We have summarized some basic RDP security measures:

  • Using complex passwords and two-factor authentication will make brute-force RDP attacks harder to succeed
  • Do not allow RDP connections over the open Internet
  • Lock out users and block or timeout IPs that have too many failed login attempts
  • Regularly check event logs for unusual login attempts
  • Consider using an account-naming convention that does not reveal organizational information
  • Enumerate all systems on the network and list how they are connected and through which protocols. This also applies for Internet of Things and POS systems.

Conclusion

Remotely accessing systems is essential for system administrators to perform their duties. Yet they must take the time to set up remote access in a way that is secure and not easily exploitable. RPD shops are stockpiling addresses of vulnerable machines and have reduced the effort of selecting victims by hackers to a simple online purchase.

Governments and organizations spend billions of dollars every year to secure the computer systems we trust. But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock. Just as we check the doors and windows when we leave our homes, organizations must regularly check which services are accessible from the outside and how they are secured. Protecting systems requires an integrated approach of defense in depth and proactive attitudes from every employee.

The post Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks appeared first on McAfee Blogs.

Time to Take a Good, Hard Look at Your Cybersecurity Health

What happens when your livelihood is at stake, thanks to someone stealing your identity or draining your account? The real-life possibilities are nerve-wracking, to say the least. The constant barrage of cyberthreats we face as consumers today is exhausting. Just this month, two major situations were revealed.  A Florida marketing firm, Exactis, had their database on a publicly accessible server. The information exposed ranged from phone numbers, home, and email addresses to the number, age, and gender of a customer’s children. As of now, social security numbers and credit card data have not been leaked. However, what makes this breach particularly anxiety-inducing is that now cybercriminals have the ability to improve the success rate of socially engineered attacks. For example, phishing attacks could become rampant through social media and email.

To add insult to injury, last week, researchers found a way to discover everything you type and read on your phone simply by studying the differing power levels of a smart battery. By implanting a micro-controller into a phone’s battery, they could record the power flowing in and out of the device. Then, with the use of AI, power flows were matched with specific keystrokes. Using this technique, the researchers proved that cybercriminals could record passwords, monitor website activity, access call records, and know the last time the camera was used. Smart batteries are attractive targets because they are not as secure as your phone. In fact, they expose all personal data. While the possibilities are stressful, the good news is that this attack remains theoretical.

The seemingly endless string of security events and the stress they cause can take a serious toll on our well-being. While we can’t prevent breaches from occurring, it’s important to remember that we can be prepared to take the right steps to minimize any damage when one hits. Whether we’re dealing with the repercussions of a data breach, or adapting to new vulnerabilities, developing positive security habits can help improve and maintain your digital health. Taking care of your mobile devices to ensure they remain secure – and therefore optimally functional – is like taking care of your own well-being; to maintain cybersecurity health, you have to perform basic upkeep.

To help you prepare in advance for the next data breach and ensure your device remains in good cybersecurity health, here are some habits you should consider picking up, stat:

  • Be aware of your surroundings. Mindfulness is a habit that can be developed, provides almost instant results, can support longevity, general awareness and well-being. We can learn a lot from mindfulness when it comes to cybersecurity. By taking a little bit of time to be aware of our surroundings, we can prevent vulnerabilities and potential threats simply by paying attention.
  • Set up alerts. Just like going to a doctor regularly for check-ups, you should “check-up” on your accounts. Not all data breaches expose financial data, but personal data that is leaked can still be used to access your financial accounts. Talk with your bank or financial planner about setting up a fraud alert on your cards to maintain control of your accounts.
  • Stay away from untrustworthy emails or messages. The mantra “no bad vibes” is surprisingly full of wisdom. Ridding your life of energy suckers and toxic people supports health – and the same goes for malicious messages. If you see a suspect item from an unknown source in your inbox or via a direct message or comment on social media, do not click on the message. If you do open it, be sure not to click on any links. To be safe, delete the email or message altogether.
  • Avoid public Wi-Fi when possible. Just as sleep is a panacea of sorts that helps to fight off bugs, giving your phone a break from public Wi-Fi is one of the best things you can do to ensure your cybersafety. The use of public Wi-Fi can offer cybercriminals a backdoor into your phone. By spoofing a legitimate website, they can gain access to your sensitive information. Give your device a much-needed break until you can use Wi-Fi you trust, you’ll save yourself a serious headache.
  • Switch up your passwords. It’s been said that variety is the spice of life, the secret to a happy relationship, and a way to stay engaged and aware in old age. The same is true when it comes to your passwords. When you mix it up, you keep cybercriminals guessing. Passwords are your data’s first defense against cybercriminals. Be sure to change them every so often and never use “1234” or “password.” If remembering a difficult password or remembering a multitude of them is hard, consider using a password manager.
  • Consider investing in identity theft protection. Vitamins are excellent supplements to a healthy diet, adding in additional nutrition when and where you need it — but not meant to be taken as the sole way to maintain health. Identity theft protection can be a supplement of sorts to your already positive security habits. With McAfee Identity Theft Protection, users can take proactive steps toward protecting their identities with personal and financial monitoring and recovery tools.

The power of habit actually dictates 40% of our day. As with your body and mind, the more you create healthy, positive habits, the easier it is to maintain health. The same is true for your security “health.” The more you express safe habits, the easier it will become and the safer you will be – both in the short and long term.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, and follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Time to Take a Good, Hard Look at Your Cybersecurity Health appeared first on McAfee Blogs.

WordPress Arbitrary File Deletion Vulnerability Plugged With Patch 4.9.7

On Jun 26 an arbitrary file deletion vulnerability in the WordPress core was publicly disclosed, the vulnerability could allow an authenticated attacker to delete any file and in some cases execute arbitrary code.

WordPress is a free, popular, and open-source content management system currently powering over 30% of the known web. WordPress’s massive popularity makes it a desirable target for cybercriminals.

Who were affected

The vulnerability was fixed in version 4.9.7 of WordPress, released on July 5. In order to successfully exploit this issue, the attacker would have needed to gain access to edit and delete media files which can be achieved by taking over an Author account or by targeting sites that expose the media functionality through various plugins.

Vulnerability impact

Attackers can leverage the way the WordPress installation mechanism works, to gain arbitrary code execution on the hosting server by deleting the wp-config.php file, triggering the installation process and allowing the attacker to reconfigure the site and take over the admin account.

The vulnerability can also be used to disable some security restrictions through the deletion of .htaccess files that could be enforcing some kind of restrictions, or index.php files that prevent directory listing.

The attacker can also take down the site by deleting one of the WordPress core files, causing an internal error on every request.

Breakdown

wp-admin/post.php

The code above is used to modify the media posts metadata.

As seen in the code the “thumb” property is set to $_POST[‘thumb’] that can contain any value the attacker wants, next, the wp_update_attachment_metadata function takes the $newmeta object and store it as a serialized object.

The reason the vulnerability requires the attacker to have authenticated user privileges is due to the cross-site request forgery (CSRF) protection enforced through the check_admin_referer function.

wp-includes/post.php

The purpose of the code above is to delete the media file thumbnail when the attachment is deleted, the function failed to sanitize the previously set thumb value, resulting in a second-order arbitrary file deletion vulnerability.

Imperva customers protected

Imperva SecureSphere and Incapsula WAF customers are protected from this attack due to our zero-day and path traversal rules. We also published a new dedicated security rule to provide maximum protection against possible mutations of this attack.

Report: Gaming Addiction is a Real Thing. So What Can Parents Do Next?

It’s one of my biggest parenting regrets to date: About a decade ago, I failed to put limits around my teen’s passion for playing video games. He loved them, and I let him.

I convinced myself that my son’s video gaming provided him with an instant community where he daily climbed to the top of the scoreboard. A personal, consistent win for my first-born, more quiet child, right?

Looking back, I lied to myself at crucial moments along the way. I minimized his growing obsession by calling it a hobby. As he grew more engaged with gaming, he became more distant from our family. I ignored the fact that he was acquiring friends I didn’t know and forfeiting time outdoors for his preferred virtual landscape.

When our relationship hit several rough patches in later years, I failed to connect that friction back to his topheavy gaming habits. All the while, as a mom, I knew deep down (in my mom “knower”) I could have — should have — done more to limit his gaming.

New Findings

Not surprising, the World Health Organization (WHO) just recently classified a new form of addiction called “gaming disorder.” That designation means health professionals can now treat dangerous levels of video gaming as a legitimate addiction.

Thankfully, my son’s one-time excessive gaming didn’t reach the addiction level even though it was serious enough to negatively impact our family dynamic.

I can’t go back. However, if there’s a parent who can learn from my heartache in this area, I hope this post might help.

The Upside

We know gaming isn’t the enemy. In fact, gaming has been credited with hel