Infosec Island Latest Articles
https://v2.infosecisland.com

#NCSAM: Third-Party Risk Management is Everyone’s Business
https://www.infosecisland.com/blogview/24992-NCSAM-Third-Party-Risk-Management-is-Everyones-Business.html
Tue, 17 Oct 2017 07:20:00 -0500

One of the weekly themes for National Cyber Security Awareness Month is “Cybersecurity in the Workplace is Everyone’s Business.”

And we couldn’t agree more. Cybersecurity is a shared responsibility that extends not just to a company’s employees, but even to the vendors, partners and suppliers that make up a company’s ecosystem. The average Fortune 500 company works with as many as 20,000 different vendors, most of whom have access to critical data and systems. As these digital ecosystems become larger and increasingly interdependent, the exposure to third-party cyber risk has emerged as one of the biggest threats resulting from these close relationships.

Third-party risk is only going to get more difficult, but collaboration – the pooling of information, resources and knowledge – represents the industry’s best chance to effectively mitigate this growing threat. The PwC Global State of Information Security Survey 2016 found that 65 percent of organizations are formally collaborating with partners to improve security and reduce risks.

Overall, organizations need to put more emphasis on understanding the cyber risks their third parties pose. What risks does each third party bring to your company? Do they have access to your network? What would the impact be if they were to be breached? One of the key ways to do this is by engaging with your third parties, assessing them based on the appropriate level of risk they pose, and collaborating with them on a prioritized mitigation strategy.

It’s unlikely that the pressure facing businesses to become more efficient will lessen, which means larger digital ecosystems and more cyber risks to businesses. The only way to protect your organization from suffering a data breach as a result of a third party is to put more emphasis on understanding the cyber risks your third parties pose and working together to mitigate them.

Learn more about NCSAM at: https://www.dhs.gov/national-cyber-security-awareness-month.

Help spread the word by joining in the online conversation using the #NCSAM hashtag!

About the author: As Head of Business Development, Scott is responsible for implementing CyberGRX’s go-to-market and growth strategy. Previous to CyberGRX, he led sales & marketing at SecurityScorecard, Lookingglass, iSIGHT Partners and iDefense, now a unit of VeriSign.

Copyright 2010 Respective Author at Infosec Island
Oracle CPU Preview: What to Expect in the October 2017 Critical Patch Update
https://www.infosecisland.com/blogview/24991-Oracle-CPU-Preview-What-to-Expect-in-the-October-2017-Critical-Patch-Update.html
Tue, 17 Oct 2017 05:12:00 -0500

The recent media attention focused on patching software could get a shot of rocket fuel on Tuesday with the release of the next Oracle Critical Patch Update (CPU). In a pre-release statement, Oracle has revealed that the October CPU is likely to see nearly two dozen fixes to Java SE, the most common language used for web applications. New security fixes for the widely used Oracle Database Server are also expected along with patches related to hundreds of other Oracle products.

Most of the Java-related flaws can be exploited without needing user credentials, with the highest vulnerability score expected to be 9.6 on a 10.0 scale. The CPU could also include the first patches related to the latest version of Java - Java 9 - which was released in September.

Oracle is also expected to make the advanced encryption capabilities included in Java 9 (JCE Unlimited Strength Policy Files) available for previous Java versions 8 – 6.

The October CPU comes on the heels of a September out-of-cycle Security Alert from Oracle addressing flaws exploited in the Equifax attack. The Alert followed the announcement of vulnerabilities in the Struts 2 framework by Apache that were deemed too critical to wait for distribution in the quarterly patch update.

IBM also issued an out-of-cycle patch to address flaws in IBM’s Java-related products in the wake of the Equifax breach.

The Equifax attack has put a spotlight on the vital importance of rapidly applying security patches as well as the continuing struggle of security teams to keep up with the increasing pace and size of patches. So far in 2017, NIST’s National Vulnerability Database has catalogued 11,525 new software flaws and has tracked more than 95,000 known vulnerabilities.

Oracle will release the final version of the CPU mid-afternoon Pacific Daylight Time on Tuesday, 17 October.   

About the author: James E. Lee is the Executive Vice President and Chief Marketing Officer at Waratek Inc., a pioneer in the next generation of application security solutions.

Surviving Fileless Malware: What You Need to Know about Understanding Threat Diversification
https://www.infosecisland.com/blogview/24989-Surviving-Fileless-Malware-What-You-Need-to-Know-about-Understanding-Threat-Diversification.html
Fri, 13 Oct 2017 11:50:00 -0500

Businesses and organizations that have adopted digitalization have not only become more agile, but they’ve also significantly optimized budgets while boosting competitiveness. Despite these advances in performance, the adoption of these new technologies has also increased the attack surface that cybercriminals can leverage to deploy threats and compromise the overall security posture of organizations.

The traditional threat landscape used to involve threats designed to either covertly run as independent applications on the victim’s machine, or compromise the integrity of existing applications and alter their behavior. These threats are commonly referred to as file-based malware, and traditional endpoint protection solutions have incorporated technologies designed to scan files written to disk before execution.

File-based vs. Fileless

Some of the most common attack techniques involve victims either downloading a malicious application whose purpose is to silently run in the background and track the user’s behavior or to exploit a vulnerability in a commonly installed piece of software so that it can covertly download additional components and execute them without the victim’s knowledge.

Traditional threats must make it onto the victim’s disk before executing the malicious code. Signature-based detection exists specifically for this reason, as it can uniquely identify a file that’s known to be malicious and prevent it from being written or executed on the machine. However, new mechanisms such as encryption, obfuscation, and polymorphism have rendered traditional detection technologies obsolete, as cybercriminals can not only manipulate the way the file looks for each individual victim, but also make it difficult for security scanning engines to analyze the code within them.

Traditional file-based malware is usually designed to gain unauthorized access to the operating system and its binaries, normally creating or unpacking additional files and dependencies, such as .dll, .sys or .exe files, that have different functions. They could also install themselves as drivers or rootkits to take full control of the operating system if they could obtain the use of a valid digital certificate to avoid triggering any traditional file-based endpoint security technologies. One such piece of file-based malware was the highly advanced Stuxnet, designed to infiltrate a specific target while remaining persistent. It was digitally signed and had various modules that enabled it to covertly spread from one victim to another until it reached its intended target.

Fileless malware is completely different than file-based malware in terms of how the malicious code is executed and how it dodges traditional file-scanning technologies. As the term implies, fileless malware does not involve any file written on-disk for it to be executed. The malicious code may be executed directly within the memory of the victim’s computer, meaning that it will not be persistent after a system reboot. However, various techniques have been adopted by cybercriminals that combine fileless abilities with persistence. For example, malicious code placed within registry entries and executed each time Windows reboots allows for both stealth and persistency.

The use of scripts, shellcode and even encoded binaries is not uncommon for fileless malware leveraging registry entries, as traditional endpoint security mechanisms usually lack the ability to scrutinize scripts. Because traditional endpoint security scanning tools and technologies mostly focus on static file analysis between known and unknown malware samples, fileless attacks can go unnoticed for a very long time.
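A detection-side sketch of the point above, added here as an example and not taken from the article or any vendor product: it triages registry value data for script hosts, PowerShell encoded commands and large encoded blobs, and decodes the command for the analyst. The registry entries are constructed samples, and the indicator names and the 200-character blob threshold are assumptions.

```python
import base64
import re

# Script hosts that can run code supplied entirely on a command line.
SCRIPT_HOSTS = re.compile(r"(?i)\b(powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b")
# A "-flag <base64-looking argument>" pair; the flag name is validated separately.
FLAG_AND_BLOB = re.compile(r"(?i)\s-([a-z]+)\s+([A-Za-z0-9+/]{16,}={0,2})")
# A long base64-looking run anywhere in the value (threshold is an assumption).
LONG_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def decode_encoded_command(data):
    """Return the script behind PowerShell's -EncodedCommand, or None if absent."""
    for flag, blob in FLAG_AND_BLOB.findall(data):
        flag = flag.lower()
        # PowerShell accepts abbreviations such as -e, -ec and -enc.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            # -EncodedCommand carries base64 of a UTF-16LE string.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:
            return "<not valid base64/UTF-16LE>"
    return None


def triage_value(data):
    """Return (indicators, decoded_script) for one registry value's data."""
    indicators = []
    if SCRIPT_HOSTS.search(data):
        indicators.append("script-host")
    decoded = decode_encoded_command(data)
    if decoded is not None:
        indicators.append("encoded-command")
    if LONG_BLOB.search(data):
        indicators.append("embedded-blob")
    return indicators, decoded


def scan(entries):
    """Keep only the (key, value name) pairs that raised at least one indicator."""
    report = {}
    for key, name, data in entries:
        indicators, decoded = triage_value(data)
        if indicators:
            report[(key, name)] = {"indicators": indicators, "decoded": decoded}
    return report


# Constructed sample data: three registry values as (key, value name, data).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_ENTRIES = [
    (RUN_KEY, "Updater", r'"C:\Program Files\ExampleVendor\updater.exe" /background'),
    (RUN_KEY, "Sync", f"powershell.exe -NoProfile -WindowStyle Hidden -enc {SAMPLE_B64}"),
    # 300 constructed filler bytes stored as one base64 string.
    (r"HKCU\Software\ConstructedSample", "cfg", base64.b64encode(bytes(300)).decode("ascii")),
]

if __name__ == "__main__":
    for (key, name), hit in scan(SAMPLE_ENTRIES).items():
        print(f"{key}\\{name}: {', '.join(hit['indicators'])}")
        if hit["decoded"]:
            print(f"  decoded: {hit['decoded']}")
```

An indicator here is a reason to look closer, not a verdict: legitimate software also registers script hosts in autorun keys, which is why the behavior-monitoring layer discussed later in the article matters.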

The main difference between file-based and fileless malware is where and how its components are stored and executed. The latter is becoming increasingly popular as cybercriminals have managed to dodge file scanning technologies while maintaining persistency and stealth.

Delivery mechanisms

While both types of attacks rely on the same delivery mechanisms, such as infected email attachments or drive-by downloads exploiting vulnerabilities in browsers or commonly used software, fileless malware is usually script-based and can leverage existing legitimate applications to execute commands. For example, PowerShell scripts that are attached to booby-trapped Word documents can automatically be executed by PowerShell – a native Windows tool. The resulting commands could either send detailed information about the victim’s system to the attacker or download an obfuscated payload that the local traditional security solution can’t detect.

Other possible examples involve a malicious URL that, once clicked, redirects the user to websites that exploit a Java vulnerability to execute a PowerShell Script. Because the script itself is just a series of legitimate commands that may download and run a binary directly within memory, traditional file-scanning endpoint security mechanisms will not detect the threat.

These elusive threats are usually targeted at specific organizations and companies with the purpose of covert infiltration and data exfiltration.

Next-gen endpoint protection platforms

These next-gen endpoint protection platforms are usually the type of security solutions that combine layered security – which is to say file-based scanning and behavior monitoring – with machine learning technologies and threat detection sandboxing. Some technologies rely on machine learning algorithms alone as a single layer of defense, whereas other endpoint protection platforms use detection technologies that involve several security layers augmented by machine learning. In these cases, the algorithms are focused on detecting advanced and sophisticated threats at pre-execution, during execution, and post-execution.

A common mistake today is to treat machine learning as a standalone security layer capable of detecting any type of threat. Relying on an endpoint protection platform that uses only machine learning will not harden the overall security posture of an organization.

Machine learning algorithms are designed to augment security layers, not replace them. For example, spam filtering can be augmented through the use of machine learning models, and detection of file-based malware can also use machine learning to assess whether unknown files could be malicious.

Signature-less security layers are designed to offer protection, visibility, and control when it comes to preventing, detecting, and blocking any type of threat. Considering these new attack methods, it’s highly recommended that next-gen endpoint security platforms protect against attack tools and techniques that exploit unpatched known vulnerabilities – and of course, unknown vulnerabilities – in applications. 

It’s important to note that traditional signature-based technologies are not dead and should not be discarded. They’re an important security layer, as they’re accurate and quick to validate whether a file is known to be malicious or not. The merging of signature-based, behavior-based, and machine learning security layers creates a security solution that’s not only able to deal with known malware, but also tackle unknown threats, which boosts the overall security posture of an organization. This comprehensive mix of security technologies is designed to not only increase the overall cost of attack for cybercriminals, but also offer security teams deep insight into what types of threats are usually targeting their organization and how to accurately mitigate them.

About the author: Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild Trojan horses.

Why Cloud Security Is a Shared Responsibility
https://www.infosecisland.com/blogview/24988-Why-Cloud-Security-Is-a-Shared-Responsibility.html
Fri, 13 Oct 2017 10:57:53 -0500

Security professionals protect on-premises data centers with wisdom gained through years of hard-fought experience. They deploy firewalls, configure networks and enlist infrastructure solutions to protect racks of physical servers and disks.

With all this knowledge, transitioning to the cloud should be easy. Right?

Wrong. Two common misconceptions will derail your move to the cloud:

  1. The cloud provider will take care of security
  2. On-premises security tools work just fine in the cloud

So, if you’re about to join the cloud revolution, start by answering these questions: how are security responsibilities shared between clients and cloud vendors? And why do on-premises security solutions fail in the cloud?

Cloud Models and Shared Security

A cloud model defines the services provided by the provider. It also defines how the provider splits security responsibilities with customers. Sometimes the split is obvious: cloud providers are, of course, tasked with physical security for their facilities. Cloud customers, obviously, control which users can access their apps and services. After that the picture can get a little murky.

The following three cloud models don’t comprehensively account for every cloud variation, but they help clarify who is responsible for what:

Software-as-a-Service (SaaS): SaaS providers are responsible for the hardware, servers, databases, data, and the application itself. Customers subscribe to the service and end users interact directly with the application(s) provided by the SaaS vendor. Salesforce and Office365 are two well-known SaaS offerings.

Platform as a Service (PaaS): PaaS vendors offer a turnkey environment for higher-level programming. The vendor manages the hardware, servers, and databases while the PaaS customer writes the code needed to deliver custom applications. Engine Yard and Google App Engine are examples of PaaS solutions.

Infrastructure as a Service (IaaS): An IaaS environment lets customers create and operate an end-to-end virtualized infrastructure. The IaaS vendor manages all physical aspects of the service as well as the virtualization services needed to build solutions. Customers are responsible for everything else - the applications, workloads, or containers deployed in the cloud. Amazon Web Services (AWS) and Microsoft Azure are popular IaaS solutions.

The key to understanding shared security lies in understanding who makes the decisions about a specific aspect of the cloud solution. For example, Microsoft calls the shots on Excel development for their Office 365 SaaS solution. Vulnerabilities in Excel are, therefore, Microsoft’s responsibility. In the same spirit, security vulnerabilities in an app you create on a PaaS service are your responsibility - but operating system vulnerabilities are not.

This all seems like common sense - but it means you’ll need to understand your cloud model to understand your security responsibilities. If you’re securing an IaaS solution you’ll need to take a broad perspective. Everything from server configurations to container provenance can impact your security posture - and they are your responsibility.

Security “Lift and Shift”

An IaaS solution can virtually replicate on-premises infrastructure in the cloud. So lifting and shifting your on-premises security to the cloud may seem like the best way to get up and running. But that approach has led many cloud transitions to ruin. Why? The cloud needs different security approaches for three important reasons:

Change Velocity

Hardware limits how fast a traditional data center can change. The cloud eliminates physical constraints and changes how we think about servers and storage. Cloud solutions, for example, scale by instantly and automatically bringing new servers online. But for traditional security tools, this cloud velocity is chaos. Metered usage costs rapidly spin out of control. Configuration and policy management becomes an overwhelming task. Interdependent security processes become brittle and unreliable.

Network Limitations

On-premises data centers take advantage of stable networks to establish boundaries. In the cloud, networks are temporary resources. Virtual entities join and leave instantaneously and across geographical boundaries. Network identifiers (like IP addresses) no longer provide the same stable control points as they once did and encryption makes it harder to observe application behavior from the network. Network-centric security tools leave cloud solutions vulnerable to lateral movement by attackers.

Cloud Complexity

When the cloud removes barriers to velocity, the number of machines, servers, containers, and networks explodes. As complex as on-premises data centers can be, cloud solutions are far worse: the number of cloud entities, configuration files, event logs, locations, networks, and connections is too much for even expert human analysis. Analyzing security incidents, assessing the impact of a breach, or even simply tracing an administrator’s activities isn’t possible with traditional data center security tools.

Cloud Security Needs New Solutions

Moving to the cloud is more than a simple lift-and-shift of existing servers and apps to a different set of servers. Granted, offloading infrastructure responsibilities to your provider is a huge win. Without capital expenses and the inertia of hardware, IT organizations do more with less, faster.

Fortunately, new cloud-centric security solutions make your move to the cloud easier. Three key capabilities can keep you out of trouble as you transition: automation, an expanded focus on apps and operations (in addition to networks), and behavioral baselining.

Automation makes it possible to keep up with cloud changes (and DevOps teams) during deployment, operations, and incident investigations. Moving the security focus up the stack reduces the impact of network impermanence in the cloud and delivers better visibility into high-level application and service operations. And behavioral baselining makes short work of otherwise tedious rule and policy development.

With the right technologies, and an understanding of differences, security pros can easily make the move to the cloud.

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.

Put Your S3 Buckets to the Test to Ensure Cloud Fitness
https://www.infosecisland.com/blogview/24987-Put-Your-S3-Buckets-to-the-Test-to-Ensure-Cloud-Fitness.html
Fri, 13 Oct 2017 09:33:00 -0500

A poignant aspect of many of the headline-grabbing data breaches is the relative ease with which hackers were able to get to sensitive data. We think of hackers running wildly complex algorithms and plotting with sophisticated schemes, but when you encounter a data repository named "Access Keys", and it doesn't require a password, it turns out your job is pretty easy.

AWS S3 buckets are getting the lion's share of the blame for many of these breaches. But like any asset, S3 buckets simply operate according to how they're configured and managed. And therein is a problem that's representative of so many of the vulnerabilities faced by cloud users. Misconfigurations, poorly constructed access policies, lack of controls: these are just some of the issues that can open a cloud environment to bad actors, and all of this work is directed by humans, with the S3 buckets just doing what they're told. In an environment that's as dynamic as a typical enterprise cloud, humans aren't necessarily going to be able to keep track of every aspect of every asset. For these assets to function optimally and securely, organizations have to apply active management along with continuous scrutiny to ensure they operate optimally and with effective security controls.

Within a cloud environment, there are so many factors all repeatedly and simultaneously occurring. IT teams have to think both about being active and reactive in order to effectively deal with vulnerabilities and attacks. To support those efforts, they have processes and tools that prevent, monitor, and remediate, all in an effort to constantly thwart risk. While the potential for incoming issues is massive, the work required to mitigate that risk can be fairly simple, but like exercise and regular check-ups, they have to be done regularly and with purpose.

We know that default settings from AWS tend to be fairly permissive; some of the problem in so many breaches relates to this permissive nature. But no customer should operate something so important to their environment without customizing it to their own needs. And no matter what their infrastructure needs are, the privacy of their data and that of their customers requires that they put their S3 buckets through fitness tests to ensure they are aware and in control of how those buckets are functioning. Enterprises that want to effectively secure S3 buckets must recognize the liability involved if these get breached. There are some key aspects to how S3 objects and buckets operate, and security teams should be familiar with AWS settings and functionality before they move forward with implementing a security plan. These include access to buckets, user rights within buckets, and versioning and logging capabilities.

Access to your stored data is the logical place to start. There are settings in AWS that allow you to determine who can view lists of your S3 buckets, and who can see and edit your Access Control Lists (ACLs). If your buckets have those settings set to give “All AWS Users” access, you are setting yourself up to be compromised. With global ACL permissions on, you allow anyone to grant wide permissions to your content; at best, you give them a detailed treasure map of which buckets may contain interesting data.

At the same time, while the breaches that make the news are all about hackers getting access to remove data, hackers putting data into your S3 buckets can be equally dangerous to your organization. If the Global PUT permission is enabled on any of your S3 buckets it means that anyone can place information into your S3 buckets. This may seem harmless, but someone with malicious intent could place content that would be harmful or embarrassing to your business into your buckets. It is best to only allow authorized users and systems to PUT to your S3 buckets. With the right permissions, a bad actor can also apply "global delete" to your repository which would wipe all the data contained therein. Requiring multi-factor authentication (MFA) in order to use that capability can ensure that CloudTrail logs and other sensitive data cannot be removed by an unauthorized user.

AWS customers should also be aware that the default settings do not enable versioning of S3 objects. Versioning is incredibly important; in the event of an object being overwritten or deleted, versioning keeps an instance of the object available to “roll back” to as a method of recovery. Additionally, with audit logging of your S3 buckets enabled, you will be able to get the details of all bucket activity. The logs are an important tool when troubleshooting issues, or investigating an incident. Logging cannot be enabled retroactively, so it is important to collect your audit logs as you set up your S3 buckets if you wish to keep tabs on bucket/object activity.
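The checks from the last three paragraphs (global ACL grants, global PUT, MFA on delete, versioning and logging) expressed as one audit function. This is an added example, not code from the article or from AWS; it runs offline against constructed dictionaries shaped like the GetBucketAcl, GetBucketVersioning and GetBucketLogging responses, and the bucket names and finding codes are assumptions.

```python
# The two predefined S3 grantee groups that make an ACL grant effectively public.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# What each bucket-level ACL permission allows the grantee to do.
PERMISSION_EFFECT = {
    "READ": "list the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list and write objects and read and rewrite the ACL",
}


def audit_bucket(acl, versioning, logging):
    """Return a sorted list of (code, detail) findings for one bucket.

    The arguments are dicts shaped like the GetBucketAcl, GetBucketVersioning
    and GetBucketLogging responses (in boto3: get_bucket_acl,
    get_bucket_versioning, get_bucket_logging).
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = GLOBAL_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            perm = grant.get("Permission", "UNKNOWN")
            effect = PERMISSION_EFFECT.get(perm, "use an unrecognised permission")
            findings.append((f"global-acl:{perm}", f"{who} can {effect}"))
    # Status and MFADelete are absent from the response until configured.
    if versioning.get("Status") != "Enabled":
        findings.append(("versioning-off", "overwritten or deleted objects cannot be rolled back"))
    if versioning.get("MFADelete") != "Enabled":
        findings.append(("mfa-delete-off", "permanently deleting object versions does not require MFA"))
    # LoggingEnabled is only present when access logging is switched on.
    if "LoggingEnabled" not in logging:
        findings.append(("logging-off", "no access log is being collected for this bucket"))
    return sorted(findings)


def audit_all(buckets):
    """Audit every bucket in a {name: {"acl", "versioning", "logging"}} mapping."""
    return {name: audit_bucket(**cfg) for name, cfg in buckets.items()}


# Constructed sample configurations (not real buckets or account ids).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
               "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = {
    "constructed-open-bucket": {
        "acl": {"Grants": [
            OWNER_GRANT,
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
             "Permission": "READ"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "WRITE"},
        ]},
        "versioning": {},
        "logging": {},
    },
    "constructed-hardened-bucket": {
        "acl": {"Grants": [OWNER_GRANT]},
        "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
        "logging": {"LoggingEnabled": {"TargetBucket": "constructed-log-bucket",
                                       "TargetPrefix": "s3/"}},
    },
}

if __name__ == "__main__":
    for bucket, findings in audit_all(SAMPLE_BUCKETS).items():
        print(bucket, "OK" if not findings else "")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```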

Advice must be followed by action in order to become, and remain, fit in the cloud. While these measures are critical to attain the basic level of security for your S3 buckets, they are always going to be a target because they store sensitive data. So, continuous awareness through automated monitoring will provide the necessary control needed to identify and fix vulnerabilities, and provide the right layer of control to maintain safe and effective business operations.

Is Your “Father’s IAM” Putting You at Risk?
https://www.infosecisland.com/blogview/24986-Is-Your-Fathers-IAM-Putting-You-at-Risk.html
Fri, 13 Oct 2017 07:29:00 -0500

Identity and access management (IAM) is all about ensuring that the right people have the right access to the right resources, and that you can prove that all the access is right. But as any of us who are heavily involved in IAM know, that is much easier said than done. There’s a lot that goes into getting all those things “right.”

First you must set up the accounts that enable a user to get to the right stuff – that is often called provisioning (and its dangerous sister, de-provisioning). Second, in order for that account to grant the appropriate access, there has to be a concept of authorization which provides a definition for what is allowed and not allowed with that access. And third, there should be some way to make sure that provisioning and de-provisioning are done securely (and ideally efficiently), and that the associated authorization is accurate – i.e. everyone has exactly the access they need, nothing more and nothing less.

Everyone has been provisioning and de-provisioning since we first started networking PCs. And as soon as larger numbers of users began using those computers, this has forced the need to implement some concept of authorization. The problem is that the practices that worked so well in these relatively closed networks with relatively few users simply don’t cut it in today’s open (close to boundary-less), fluid, and modern networks. The result is loads of inefficiency, elevated risk, and the potential for catastrophic breaches.

In recent research sponsored by One Identity, the dangers of old-fashioned practices for provisioning and de-provisioning and authorization were stripped bare before the world. Stated plainly, the practices and technologies that served you so well in the past, simply are inadequate in today’s digitally transformed world.

Here are some of the key findings gleaned from responses from more than 900 IT-security professionals worldwide, with a little exposition on each:

  • 87% reported that they have dormant accounts and 71% were concerned about them – that means that more than three-quarters of those interviewed have not de-provisioned accounts that are no longer needed, either because the user is no longer with the organization or has switched roles, and most of those are worried about it.
  • Only 1/3 expressed that they were “very confident” that they even knew which dormant user accounts exist. So not only do they have dangerous entry points into their networks, most people couldn’t even tell you what accounts they were.
  • 97% have a process for identifying dormant accounts but only 19% have tools to help find them. In addition 92% report that they regularly check for dormant accounts. This is where there is a disconnect. If the majority have dormant accounts and most have a process to find them, obviously the process is not working. In spite of best efforts (or as I would say old-fashioned de-provisioning practices) the risk is still there.

The risk is not in the fact that there are dormant accounts, the risk is what can be done with those hidden doors into your systems and data. Most high-profile breaches are the result of a bad actor compromising a legitimate user account. That could be gaining access through phishing or social engineering or hunting for and finding a dormant account that the organization doesn’t even know exists. Once in, a series of lateral moves and rights escalation activities can result in access to those systems and that data that you are trying to protect.

So here’s where the second set of data becomes remarkably intriguing. We asked the same 900+ IT security professionals a series of questions about the rights and permissions that their users possess, and here were the big reveals:

  • Only one in four expressed that they were “very confident” that user rights and permissions are correct. That means that ¾ of our respondents were unsure of the fundamental aspect of access control – authorization. Any user with excessive rights (rights that are more than necessary to do the job) is an easy path for bad actors to execute those lateral moves they are so good at.
  • Less than 1/3 are “very confident” that users are de-provisioned properly. By properly we mean fully and immediately (only 14% of respondents reported that users were de-provisioned immediately upon a change in status). De-provisioning is the process of turning off accounts and revoking rights when they are no longer needed. Poor de-provisioning, either through outdated and cumbersome manual processes or limited tools, is the primary cause of dormant accounts.
  • In fact, 95% reported that while they have a process for de-provisioning, it requires IT intervention. In other words, someone has to put hands on a keyboard to make it happen. Any amount of time that an unneeded account remains “open” is an invitation for disaster as evidenced by so many of the high-visibility breaches over the past several years.

So what can be done? There are many ways to modernize these processes and get IAM right. Here are a few suggestions:

  1. Determine a single source of the truth for authorization. Define business roles once and use them everywhere. And most importantly, let the line-of-business be the decision makers here. Many instances of inappropriate rights are simply the byproduct of IT doing the best they can with the knowledge they’ve been given. It’s all too common for the line-of-business to ask IT to “give Joe the same rights as Bill” when there was no oversight into what rights Bill has, how he got them, and whether they are still appropriate for the job he does.
  2. De-provision immediately and completely. Tools exist that can update permissions at the instant a status changes in an authoritative data source. For example, as soon as an employee’s status in the HR system switches from active to inactive, that user’s access rights across every system in the enterprise (including cloud-based services) can be immediately terminated as well – effectively closing all those doors and eliminating dormant accounts.
  3. Implement identity analytics. A new class of IAM solution called identity analytics will proactively and constantly evaluate your systems to find instances where user rights are out of alignment with what is “right.” These technologies quickly find dormant accounts, mis-provisioned accounts, and instances of rights elevation that are often the smoking gun in breach detection and prevention.
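
The three suggestions above come down to reconciling an authoritative HR source, a single set of role definitions and each system's account inventory. The sketch below is an added example, not code from the article or from any IAM product; every user, role, system and entitlement name in it is constructed for illustration.

```python
from datetime import date

# Constructed sample data. All names below are hypothetical.
# Business roles defined once (suggestion 1): role -> permitted entitlements.
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp:invoice.read", "erp:invoice.approve"},
    "helpdesk": {"itsm:ticket.write", "ad:password.reset"},
}

# Authoritative source (suggestion 2): the HR system's view of each person.
HR_RECORDS = {
    "jdoe":   {"status": "active",   "role": "accounts-payable"},
    "bsmith": {"status": "inactive", "role": "helpdesk"},
    "akhan":  {"status": "active",   "role": "helpdesk"},
}

# Account inventory collected from each connected system.
ACCOUNTS = [
    {"system": "erp", "user": "jdoe", "enabled": True,
     "last_login": date(2017, 10, 2),
     "entitlements": {"erp:invoice.read", "erp:invoice.approve",
                      "erp:vendor.create"}},
    {"system": "ad", "user": "bsmith", "enabled": True,
     "last_login": date(2017, 6, 30),
     "entitlements": {"ad:password.reset"}},
    {"system": "itsm", "user": "akhan", "enabled": True,
     "last_login": date(2017, 5, 1),
     "entitlements": {"itsm:ticket.write"}},
    {"system": "erp", "user": "svc_old", "enabled": True,
     "last_login": None,
     "entitlements": {"erp:invoice.read"}},
    {"system": "itsm", "user": "bsmith", "enabled": False,
     "last_login": date(2017, 6, 30),
     "entitlements": set()},
]


def review_accounts(hr, roles, accounts, today, dormant_after_days=90):
    """Return (system, user, finding, detail) tuples for enabled accounts.

    Findings (suggestion 3, identity analytics):
      orphan            - no matching HR record at all
      not-deprovisioned - HR says inactive, account is still enabled
      excess-rights     - entitlements beyond what the business role grants
      dormant           - no login within `dormant_after_days`
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already closed, nothing to revoke
        key = (acct["system"], acct["user"])
        person = hr.get(acct["user"])
        if person is None:
            findings.append(key + ("orphan", "no HR record"))
            continue
        if person["status"] != "active":
            findings.append(key + ("not-deprovisioned",
                                   "HR status is " + person["status"]))
            continue
        excess = acct["entitlements"] - roles.get(person["role"], set())
        if excess:
            findings.append(key + ("excess-rights", ", ".join(sorted(excess))))
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_after_days:
            idle = "never logged in" if last is None else \
                "%d days idle" % (today - last).days
            findings.append(key + ("dormant", idle))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(HR_RECORDS, ROLE_ENTITLEMENTS, ACCOUNTS,
                                   today=date(2017, 10, 17)):
        print("%-5s %-8s %-18s %s" % finding)
```

Run on a schedule, the same comparison measures how long an account stays enabled after the HR status changes, which is the gap the survey figures describe.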

Just like the technology we rely on every day is evolving and the boundaries expanding, the identity and access management practices we use to secure access to those systems must evolve as well. As our survey reaffirmed, what worked well a few years ago is almost certainly inadequate given today’s realities. But there is hope: with simple shifts in responsibility, IAM practices, and IAM technologies you can significantly reduce risk, modernize your business, and sleep better at night.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

Copyright 2010 Respective Author at Infosec Island
SAP Cyber Threat Intelligence Report – October 2017
https://www.infosecisland.com/blogview/24985-SAP-Cyber-Threat-Intelligence-Report--October-2017.html
Fri, 13 Oct 2017 06:29:10 -0500

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • This set of SAP Security Notes consists of 30 patches with the majority of them rated medium.

  • A critical DoS vulnerability was found in the SAP Enqueue service that allows an attacker to shut operations down; around 3000 of these services are exposed to the internet.

  • SAP Mobile Platform vulnerabilities are on the rise: 4 issues in different components of SAP Mobile infrastructure were patched.

SAP Security Notes – October 2017

SAP has released the monthly critical patch update for October 2017. This patch update includes 30 SAP Security Notes (17 SAP Security Patch Day Notes and 13 Support Package Notes). 9 of the patches are updates to previously released Security Notes.

15 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

5 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 7.7.


The most common vulnerability type is Information Disclosure.


DoS vulnerability in Enqueue service

One of the most critical loopholes fixed this month is a Denial of Service vulnerability in SAP Standalone Enqueue Server found by ERPScan researchers. This issue can be exploited by hackers in order to shut the business processes down, therefore compromising the company (the details are provided below).

After a brief scan today, ERPScan’s Research and Threat Intelligence Team has identified around 3000 instances of SAP systems with Enqueue service available online that pose a high risk of cyberattacks. The majority of these services are located in North America.

This is one of the most widespread SAP vulnerabilities this year so far.

SAP Mobile platform vulnerabilities

Nowadays companies tend to use more business applications and constantly involve mobile devices in their core business processes.

SAP, like any other large vendor, is also evolving towards greater mobility and therefore provides solutions for mobile users to interact with business applications.

SAP Mobile Platform (or SMP) is a mobile enterprise application platform solution designed to monitor and manage applications installed on mobile phones and access business data.

The “mobilization” opened unintentional doors to all the evil that comes along with integration and security. The purpose of SMP is to provide business data to mobile devices with enterprise cybersecurity.

This month, 4 issues in different components of SAP Mobile infrastructure were patched. Among them are 3 Information Disclosure vulnerabilities in SAP NetWeaver Mobile Client and one possible leakage of sensitive data in SAP Mobile Platform SDK. The vulnerabilities allow gaining access to critical data stored on mobile devices that use SAP NetWeaver mobile client such as passwords, keys and other sensitive information.

SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, one critical vulnerability identified by ERPScan’s researcher Vahagn Vardanyan was closed.

Below are the details of the SAP vulnerability, which was identified by the ERPScan team.

  • A Denial of Service vulnerability in SAP Standalone Enqueue (CVSS Base Score: 7.5). Update is available in SAP Security Note 2476937. An attacker can use it to terminate a process of a vulnerable component. While the process is down, nobody can use the service. This negatively affects business processes and business reputation and causes system downtime.

Other critical issues closed by the October SAP Security Notes

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2511453: SAP Mobile Platform SDK 3.0 has an Information Disclosure vulnerability (CVSS Base Score: 6.9). An attacker can exploit it for revealing additional information (system data, debugging information, etc.) that will help to learn about a system and to plan further attacks. Install this SAP Security Note to prevent the risks.

  • 2517501: SAP ERP Funds Management Account Assignments has an Implementation flaw vulnerability (CVSS Base Score: 6.3). Depending on the problem, an implementation flaw can cause unpredictable behavior of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality, and increase system stability. Install this SAP Security Note to prevent the risks.

  • 2236258: Adobe Document Services has an XML external entity vulnerability (CVSS Base Score: 5.5). An attacker can use it to send specially crafted unauthorized XML requests which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to the OS file system. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Cyber Security in the Workplace Is Everyone’s Obligation
https://www.infosecisland.com/blogview/24984-Cyber-Security-in-the-Workplace-Is-Everyones-Obligation.html
Wed, 11 Oct 2017 07:20:00 -0500

Cyber security is no longer just a technology challenge—it’s a test for everybody who uses and interacts with technology daily. That means: everyone in your organization.

The protection and security of employees’ work and personal lives are no longer separate. They have been intertwined with evolving trends of social networks, the internet of things, and unlimited connectivity.  Because of this, cybersecurity is no longer just the responsibility of the company IT department. It is now the responsibility of every employee, not just to protect their work assets but their personal data as well. 

Failure to do so puts your organization at risk.

Cyber attackers do not care about age, gender, race, culture, beliefs or nationality. They attack based on opportunity or potential financial gain. They attack irrespective of who the victim is, whether it’s an 8-year-old boy at home playing computer games on dad’s office laptop or an employee sitting in the office reading emails.

So why are so many organizations experiencing cyber breaches?

Cyber breaches occur because of three major factors:

  • The Human Factor
  • Identities and Credentials
  • Vulnerabilities

Today people are sharing a lot more information publicly, ultimately exposing themselves to more social engineering and targeted spear phishing attacks. The goal of these attacks is to compromise devices for financial fraud or to steal identities in order to access organizations that employees are entrusted with protecting. Once an attacker has stolen a personal identity they can easily bypass an organization’s traditional security perimeters undetected, and if that identity has access to privileged accounts, the attacker can carry out malicious attacks in the name of that identity.

Employees power up devices daily and connect to the internet to access online services so they can get the latest news, shop for the best deals, chat and connect with friends, stream music and videos, get health advice, share their thoughts, and access their financial information.  As they use these online services they can quickly become a target of cyber criminals and hackers.  So, it’s critically important that everyone in your organization learns how cyber criminals target their victims, how to reduce their risk, and how to make it a lot more challenging for attackers to steal their information, identity or money.

When using services like social media people are often inadvertently sharing personally identifiable information—both physical and digital—like their full name, home address, telephone numbers, IP address, biometric details, location details, date of birth, birthplace, and even family members’ names.  The more information they make available online the easier it is for a cyber-criminal to successfully use that personal information to target them.

Did you know these facts? Cyber criminals and hackers spend up to 90% of their time performing reconnaissance of their targets before acting, meaning that they typically have a complete blueprint of their target.

With the increase in our digital activities, hackers and cyber-criminals have changed the techniques they use to target people, with email being the number one weapon of choice, followed by infected websites, social media scams, and stealing digital identities and passwords.  Reports and statistics in the past years have shown that more than 80% of data breaches have involved an employee as a victim—hackers claim that it is the fastest way to breach a company’s security controls.

This means that people—including your own employees—are on the front line of cyber security attacks. Threats can start from something as simple as a personal social footprint, and end up with individuals being used as a mule to gain access to your organization’s finances and sensitive information.

The time has come to create a balance between technology and people. We must increase our cyber security awareness to help us protect and secure both our personal assets and our company assets.  The time for a people-centric cyber security approach is now—which means that cyber security is everyone’s responsibility.

About the author: Joe Carson is a cyber-security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist at Thycotic. He is an active member of the cyber security community and a Certified Information Systems Security Professional (CISSP).

Hey Alexa – Show Me Whitelisted Malware
https://www.infosecisland.com/blogview/24983-Hey-Alexa--Show-Me-Whitelisted-Malware.html
Tue, 10 Oct 2017 05:18:23 -0500

Noise is a huge concern for the SOC. Security teams are struggling to deal with the daily barrage of noise coming from a myriad of security tools. As the volume gets louder, teams are increasingly seeking shortcuts and ways to automate certain processes in order to save precious time and cut down the noise.

One such popular shortcut among security analysts is to automate populating a whitelist by pulling from existing lists that the team deems to be safe. Curating a whitelist can be extremely time-consuming, and may seem like a distraction when other investigations are piling up on analysts’ plates. However, we’ve found that using existing lists for whitelisting could mean opening up your organization to vulnerabilities.

The team at Awake Security recently took a closer look at one seemingly benign list – the Alexa Top 1 Million list of domains – to assess whether it would be safe to use for whitelisting. While the Alexa list isn’t intended as a whitelist, many security teams see it as a logical starting point. It makes sense that the most visited sites on the web would be nonthreatening, and could automatically be considered safe during an investigation.

In our investigation, however, we found that potentially malicious domains were making it up as high as #447. Just under Glassdoor, only five spots away from Dell and even more popular than BoredPanda.com, was a suspicious domain: piz7ohhujogi[.]com. At first glance, this domain looks suspicious because it appears to be randomly generated nonsense, much like the DGA domains that some malware likes to use. On closer examination, courtesy of a quick Google search, we found pages of search results featuring advice on removing the domain from your redirects, with many sites referring to it as a pop-up or redirect virus.

We monitored the list for over a week, and saw this suspicious domain continue to creep up the list, reaching as high as #432. Since then, it has gradually fallen in rank, but it still remains as one of the top domains in the Alexa list.

Learning that this site had made it into the Alexa Top 1M begged the question: What other suspicious domains may have snuck their way in? To find the answer, we compared Alexa Top 1M with six different malware blacklists – Maltrail, ZeusTracker, MalwareDomains.com, Malware Domain List, Malware Bytes and Cybercrime.

The Malware Bytes list had the most domains that were also on the Alexa Top 1M (1308); however, the types of domains it included were not all inherently malicious. The first domain, for example, qq.com, is a popular Chinese social website that offers a messaging app. The second was a Chinese news site. However, depending on your organization’s acceptable use policy, these sites and others on the list may still be threats to your whitelist if you don’t condone pirating software (thepiratebay[.]org, utorrent[.]com) or viewing pornography (cam4[.]com).

These are just a few of the examples we unearthed. In the end, it’s important to remember that lists like the Alexa Top 1M are not intended for whitelisting. As tempting as it can be to harness existing lists in order to cut down on noise, there is a danger in putting implicit trust in external sources.
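
The comparison described above can be run as a gate before any popularity list is loaded as a whitelist. The sketch below is an added example, not Awake Security's tooling; the list names `malware_list` and `policy_list`, their contents and every rank except #447 are constructed, and the `example.*` domains are placeholders.

```python
from collections import Counter

# Constructed sample of a ranked popularity list: (rank, domain).
RANKED = [
    (1, "example.com"),
    (2, "qq.com"),
    (447, "piz7ohhujogi[.]com"),     # defanged, as written in the article
    (500, "thepiratebay[.]org"),
    (600, "Example.NET."),           # mixed case and trailing dot
    (700, "downloads.example.org"),
]

# Constructed blocklists; the list names are hypothetical.
BLOCKLISTS = {
    "malware_list": ["piz7ohhujogi.com", "tracker.example.net"],
    "policy_list": ["qq.com", "thepiratebay.org", "utorrent.com",
                    "example.org"],
}


def normalise(domain):
    """Lower-case, refang '[.]' and drop a trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def suffixes(domain):
    """Yield the domain, then each parent that still has two labels."""
    labels = domain.split(".")
    for i in range(max(1, len(labels) - 1)):
        yield ".".join(labels[i:])


def build_index(blocklists):
    """Map listed domains, and the parents of listed hosts, to list names."""
    exact, covered = {}, {}
    for name, entries in blocklists.items():
        for entry in entries:
            listed = normalise(entry)
            exact.setdefault(listed, set()).add(name)
            for parent in list(suffixes(listed))[1:]:
                covered.setdefault(parent, set()).add(name)
    return exact, covered


def vet_allowlist(ranked, blocklists):
    """Split candidates into (allow, review).

    A candidate goes to review when it, or a parent domain, is on a
    blocklist ("listed"), or when allowing it by suffix would also allow
    a listed subdomain ("covers-listed-subdomain").
    """
    exact, covered = build_index(blocklists)
    allow, review = [], []
    for rank, raw in ranked:
        domain = normalise(raw)
        hits = set()
        for name in suffixes(domain):
            hits |= exact.get(name, set())
        if hits:
            reason = "listed"
        else:
            hits = covered.get(domain, set())
            reason = "covers-listed-subdomain"
        if hits:
            review.append({"rank": rank, "domain": domain,
                           "reason": reason, "lists": sorted(hits)})
        else:
            allow.append(domain)
    return allow, review


def overlap_counts(review):
    """Number of candidates each blocklist objected to."""
    return dict(Counter(name for r in review for name in r["lists"]))


if __name__ == "__main__":
    allow, review = vet_allowlist(RANKED, BLOCKLISTS)
    print("allow:", allow)
    for r in review:
        print("review: #%(rank)d %(domain)s %(reason)s %(lists)s" % r)
    print("overlap per list:", overlap_counts(review))
```

Entries sent to review still need an analyst's decision against the acceptable use policy; the gate only prevents them from being trusted implicitly.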

To borrow a phrase from the Alexa website – “Information is power - if you have the right tools.” Those using popular lists for whitelisting should take another look at their tools and their approach to ensure security for their organizations.

About the author: Troy Kent is a Threat Researcher at Awake Security. He has spent his career in SOCs as multiple Tiers of Analyst and an Investigator; working ticket queues, hunting for security incidents, rapidly prototyping new ideas into existence, working terrible hours and questioning career decisions.

Hackers Disrupt Etherparty’s FUEL Token ICO
https://www.infosecisland.com/blogview/24982-Hackers-Disrupt-Etherpartys-FUEL-Token-ICO.html
Wed, 04 Oct 2017 19:49:18 -0500

Vancouver-based Etherparty on Sunday was forced to shut down its website after hackers managed to hijack its ICO (Initial Coin Offering) less than one hour after the launch.

Etherparty is focused on simplifying the creation, management and execution of smart contracts on multiple blockchains. It promises increased ease-of-use even for users with zero knowledge of smart contract programming, thus aiming to accelerate the adoption of smart contract technology.

To raise funds, the cryptocurrency venture announced a FUEL token crowdsale that entered the public phase on Sunday, Oct. 1, 2017 at 9 A.M. PDT.

By 9:45 A.M. PDT, however, hackers had already managed to breach the company’s website and post their own Ethereum address on the ICO page. Because of that, some of the ICO participants ended up sending funds to the hackers’ crypto-currency wallet.  

The company was able to detect the breach and shut down its website within 15 minutes to protect the participants. Etherparty was able to restore its website after about 90 minutes and the ICO recommenced at 11:35 A.M. PDT.

“We have received overwhelming support from our investors, partners and the community throughout the fine-tuning process for Etherparty. Unfortunately, this also means unwanted attention in the form of phishing and hacking attempts despite the vigilance of our tech and support team,” Kevin Hobbs, CEO of Etherparty, said.

The blockchain company says the ICO was off to a positive start, with over 10,000,000 FUEL tokens being sold in the first hour alone.

The company hasn’t revealed detailed information on the number of affected users, and only noted that a small group of contributors was affected. The company also said that all of those who sent Ethereum to the wrong address will receive FUEL after October 29, 2017, when the ICO ends.

“Our team has been consistently and successfully thwarting potential security issues to avoid further escalation. However, we do acknowledge and apologize for the temporary disruption to our otherwise successful launch day. Etherparty is eager and committed to compensating all affected contributors for the inconvenience,” Lisa Cheng, Founder of Etherparty, commented.

The Weakest Link In Banking Security – ATMs
https://www.infosecisland.com/blogview/24981-The-Weakest-Link-In-Banking-Security--ATMs.html
Tue, 03 Oct 2017 10:12:00 -0500

by Vanishree Rao and Warren Jackson

A chain is only as strong as its weakest link. This statement is especially true in security, where ingenious cybercriminals manage to discover and exploit the weakest links. We have recently seen this weak link theory play out with the very familiar Automated Teller Machines (ATMs) that are used regularly around the globe.

Traditionally, cybercrime in the banking sector has involved stolen credit card details or consumer credentials. Thanks to substantial investments in countering such cybercrime, together with advancements in data analytics and multi-factor authentication, we now have extremely reliable fraud detection and prevention mechanisms. Strengthening this particular “weak link” has, unfortunately, pushed cybercriminals to search for a new weak link; and the recent surge in ATM attacks indicates that, indeed, criminals have found a new one.

Weak Links Being Strengthened

We have seen an astonishing number of data breaches leading to enormous amounts of user data for sale on the “dark web” (a collection of websites that cannot be reached with traditional search engines and browsers, where user accounts, drugs, guns, and other illegal things are traded). This data trafficking has quickly translated into a frenzied rate of unauthorized access and exploitation of user accounts. Fortunately, this criminal activity also created massive amounts of criminal behavioral data, offering data scientists a way to determine criminal behavior and tactics, which ultimately enabled the banking sector to curtail the work of cybercriminals through account-access rules and activity detection models. As a result, stolen credit cards and user information have become a strong link in the chain of banking security.

ATMs - The Next Weak Link

Since 2015, there has been a substantial increase in ATM attacks. Fair, Isaac and Company (FICO) noted that its fraud-tracking service recorded a 546% surge in ATM attacks from 2014 to 2015. But these new attacks are starkly different from the traditional ATM attacks.

Traditionally, ATMs have been physically attacked, using sledgehammers or explosives, or through card skimmers (fake card readers placed on top of real ATM card readers). Banks have implemented a number of security systems to prevent such attacks, including securely fixing ATMs to the floor, installing security cameras and security alarms, and situating ATMs inside the banking lobby.

The new era of ATM attacks involves a clever orchestration of a sequence of steps culminating in the ATMs spewing out cash.

The New Style of Jackpotting ATMs

[Step 1] Gain access to an insider: This is a common first step of most hacking methods -- social engineering an insider to let the cybercriminal into his computer system. This entry can be achieved by sending targeted phishing emails to employees, hoping to serve two purposes: to attain the necessary digital access to perform malicious activities and to connect to the criminal’s command-and-control server.

[Step 2] Watch in order to gather information: The malicious code captures information about the workflows of the employee, over a period of a few months to many years. This helps criminals design their next moves so that they look legitimate and do not set off any alarms. Also, the malicious code learns the potential vulnerabilities in the system and relays information to the criminals.

[Step 3] Make a legitimate-looking connection to an ATM server and install malware: Using the information, make a legitimate-looking connection to an ATM server, carefully chosen depending on security loopholes. Using the server, connect to a set of ATMs, carefully chosen depending on the geographical locations, the level of public activity and visibility, the level of ATMs’ physical security, and the security vulnerabilities of firmware and software. Finally, through the server, install specific malicious code on the ATMs.

[Step 4] Collect the cash from the ATMs: The malicious code in an infected ATM is programmed to dispense endless cash with a specific sequence of keys. To regular users, the ATM either works as it should or appears to be out of service. The malicious code contains a secret master-key, which generates a new and unique session key for each session. If the user enters the same session key, then the code allows the criminal to empty the ATM.

Quick Fixes

Most aspects of the new ATM attacks exploit known methods and vulnerabilities. Social engineering (e.g., phishing) is a well-known threat to virtually every industry and most consumers. Additionally, many recent ATM attacks used a legitimate program called Cobalt Strike, designed to perform penetration testing, which is notoriously complicated and difficult to implement. Although these vulnerabilities are widely known, they remain big problems to solve. But there are a few quick-fix solutions to help deter criminals in the near term.

Avoid Falling for Phishing: It is critical to train employees on how to detect and avoid falling victim to phishing emails. Some organizations send phishing-drill emails and monitor employees’ reactions, and provide training accordingly. However, to err is human, and as long as there are humans in the loop, social engineering attacks will continue.

Look out for System Behaviors: Multi-factor authentication should be required for every new program to be installed in employee systems, servers, and ATMs. In addition, although a criminal’s activities look as if they are legitimate, modeling and profiling usual and unusual behaviors, through machine learning, and detecting and flagging anomalies in real-time will help hinder these activities. However, this solution is only a short-term fix because, as criminals decode the definitions of ‘normal behaviors,’ they will redesign their moves to conform to new normal behaviors.

Biometrics: Biometrics can be used to curb unauthorized ATM access. While this might mitigate the problem to some extent, software solutions fall short of providing substantial resilience against malicious code entering ATM machines. For instance, a recent version of a popular ATM malware, called the Tyupkin malware, has anti-debug techniques that disable the anti-malware on the infected system. There are also hardware security measures, such as ones that self-destruct if tampered with, making the criminal’s job more difficult.

Allow for Small Amounts of Cash: Another fairly effective fix is to simply prevent jackpot payouts by setting a maximum payout rate determined by a timer that cannot be tampered with. A similar idea is in effect on convenience store counters where the safes allow only so much cash access per hour, so that a robber cannot force an employee to release money any faster.

Keep up the Watch: Cameras placed at vantage points allow banks to perform behavioral analytics on ATM users, and identify and quickly flag anomalous behavior. However, criminals can resort to breaking cameras with sledgehammers. Also, criminals could potentially identify camera locations and try to block them just before jackpotting the ATMs.

Long-term Solution

The world that previously transacted with physical money is embracing electronic money, although cash is still king. In 2016 about 61% of transactions in Singapore were cashless, 45% of transactions in the United States were cashless, and only 2% of transactions in India were cashless. The banking sector is investing disproportionately in securing digital transactions, while ATMs are still running on Windows XP, which Microsoft barely supports today.

Fortunately, countries like India are making headway into embracing a completely digital currency system. Platforms like Paytm and Airtel Money, which help make digital transactions such as paying bills, are gaining popularity in India. The hope is that the banking sector will join hands with such platforms to accelerate the transition.

Although digital transactions are rife with cyber-security challenges, digital is here to stay. The banking sector is making advancements to protect digital accounts against fraud. Black money and tax evasions are made possible due to real cash, where transactions don’t leave a trail.

Is it time to remove the physical ATM? And is it time to move to a 100% digital currency system? Removing this additional challenge, and the cost of securing ATMs, will help channel all resources and efforts towards securing digital money.

"The best way to strengthen the weakest link is to remove it."

About the author: Vanishree Rao is a Security and Cryptography researcher. She is mainly interested in the design and analysis of practical protocols from the provable security perspective.

Unpatched Type Confusion Flaw Impacts Microsoft Browsers
https://www.infosecisland.com/blogview/24980-Unpatched-Type-Confusion-Flaw-Impacts-Microsoft-Browsers.html
Mon, 25 Sep 2017 14:29:59 -0500

A type confusion bug in Microsoft Edge and Internet Explorer remains unpatched as Microsoft doesn’t consider it a security vulnerability, Cybellum reveals.

The issue was reported to Microsoft on August 21, 2017. The researchers say that while Microsoft has confirmed the vulnerability, it decided against releasing a patch for it, because of the special conditions required to reproduce it. Specifically, it requires developer tools to be opened.

Affecting the latest versions of x86 Edge and x86/x64 Internet Explorer, the vulnerability occurs in the layout rendering engine (EdgeHTML & MSHTML), and the security researchers claim that, with some additional work, it would be possible to reproduce the crash without the developer tools.

“The type confusion occurs in the function window.requestAnimationFrame, which expects to receive a single function pointer parameter. The vulnerability occurs because the function doesn’t properly validate the parameter, and may be called with a value that is not a function pointer (an integer value),” the researchers say.

Being treated as a pointer, the supplied integer goes through a series of dereferences and a compare function and, if all the requisites are satisfied, the function performs one more dereference and returns that value to the caller. The function pointer is checked against CFG protection and, if the test succeeds, the function pointer is called, thus providing the attacker with full control over EIP, Cybellum says.

The researchers argue that the only prerequisite required for the vulnerability to be triggered is to make the function AreAnyListenersFastCheck@CDebugCallbackNotificationHandlers return “true”, mainly because the actual vulnerability happens in the function BeforeInvokeCallbackDebugHelper@CAnimationFrameManager.

According to them, the easiest way to trigger the vulnerability is to open the developer tools, but that exploitation doesn’t have the same requirement. Moreover, the researchers claim that the bug was discovered with developer tools turned off, and that viewing the page source can also trigger it.

To exploit the bug, an attacker would need to successfully control a series of dereferences, successfully bypass/satisfy the CFG protection check, gain full control over EIP, and continue with standard exploitation until code execution has been achieved.

“Practical exploitation of this vulnerability isn’t trivial, and might require combining it with another vulnerability (e.g. an info leak). That said, this is a great starting point for a multi-browser (Edge\IE) remote code execution exploit,” the researchers say.

The security researchers note that they reported the bug to Microsoft on August 21, but that the tech giant informed them on August 30 that, “because of the hard requirement to open developer tools in order to manifest the issue, this submission doesn’t meet the bar for servicing via security update, and will not be assigned a CVE.”

However, the company suggested that typical user behavior won’t involve opening the developer console while browsing. “While we understand that users can be tricked into opening this, we don’t believe that this will be a common scenario for a typical user,” Microsoft reportedly said.

Nonetheless, the tech company agrees that opening the Developer Console alters the application and puts it in a less secure state and that the issue needs to be addressed. Moreover, Microsoft also told Cybellum that a future version of Internet Explorer will resolve the issue.

Deceptioneering: Exploring How Humans Are Wired for Deception
https://www.infosecisland.com/blogview/24977-Deceptioneering-Exploring-How-Humans-Are-Wired-for-Deception.html
Sat, 23 Sep 2017 09:11:00 -0500

No matter how much security technology we purchase, we still face a fundamental security problem: people. This is a realization that we’ve been grappling with as an industry for quite a while. As a security practitioner and during my time as a research analyst and industry adviser at Gartner, I spent countless hours evaluating security technologies and helping organizations decide which technologies and products would best enable them to secure data. But one malicious or negligent human can often intentionally or unintentionally nullify the effectiveness of technology-based controls. The truth is that humans are both our biggest threat and our last line of defense.

To make humans an effective last line of defense, we need to first grapple with two disturbing truths: 1) All humans are master deceivers; and, 2) we are all easily deceived.

Let me explain… Each of us is trained in the ways of deception beginning early in our childhood. Early on we were taught that lies make life easier and social situations more comfortable. Do you remember going to family reunions and being told to just act like you enjoy being there? Shake crazy uncle Bob’s hand even though he freaked you out? Eat your peas without complaining? And as we get older, we refine the talent even more – from learning how to expertly navigate questions like, “do these jeans make my butt look fat?” to when your significant other asks if you like their new hair style, to when your boss asks for your ‘honest opinion’ about his/her new strategy.

And those are just lies from the ‘little white lie’ category; we haven’t even started to get into the whoppers that we and others tell to hide things, get away with things, trick people, cheat, mislead, and outright steal from each other. And yet, we all know people who have believed both benign and malicious lies. And – if we are truthful with ourselves – we’ll even admit that each one of us has been deceived badly more than a few times over the course of our lives.

If I were to give the main reason that we fall for scams, social engineering and the like, it is because our brains are easily fooled. Our brain’s job is to filter and present reality. Each of our brains takes in a massive amount of input and then decides what is important, what the implications are of the input, and what (if any) response is needed. And our brains do that very efficiently by employing several shortcuts. Over the millennia, magicians, pickpockets, con-artists, scammers, and others have learned how to hijack these mental shortcuts and use them to their advantage.

In my keynotes, I love using examples from magic, pickpocketing, and hypnosis to quickly and easily demonstrate how our brains can be manipulated. In this article, we don’t have the benefit of many of the visual aspects of what I’d usually demonstrate; however, I’ll do my best to provide some of the high-level theory and principles.

Principle 1: Misdirection and attention

Our brains are programmed to constantly scan and determine what to ‘lock on’ to. This is referred to by brain scientists as our “spotlight of attention.” Magicians and pickpockets are masters at exploiting vulnerabilities in our attentional spotlight. They will draw your attention to one object or area while doing the ‘dirty work’ at the periphery or completely outside of the attentional spotlight. They frequently use a large visible action to cover for a smaller action.

We think that we are masters of our attention, but it is extremely easy for our attention to be hijacked. Unfortunately, it isn’t just illusionists that know and take advantage of this; criminals and scam artists do as well. The world is still recovering from NotPetya. This malware was originally widely believed to be what it appeared to be – ransomware. However, it was even more malicious. It was a wiper disguised as ransomware and very likely initiated as a state sponsored cyberattack.

Another example of misdirection in the cybersecurity world is when attackers launch a DDoS attack against a financial services company to cause diversions from the account takeover attacks. The end user and the bank see the extremely visible effects of the DDoS attack, and the account takeover and fraud activities are obfuscated for a time.

Principle 2: Influence and rapport

Another principle that comes into play when hijacking our brains is that of influence and rapport. Hypnotists, magicians, pickpockets, as well as criminals and con-artists are all masters at pulling the levers of influence and building rapport. Street and stage magicians, hypnotists, and pickpockets work to ensure that their participants quickly form a level of trust. This allows them to gain complicity as the performer shows them where to stand, what to do, and so on.

Robert Cialdini, Regents' Professor Emeritus of Psychology and Marketing at Arizona State University, wrote Influence: The Psychology of Persuasion, which is most often referred to as the definitive book on how influence works. Cialdini's theory of influence is based on six key principles: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. He also recently added a seventh principle: the unity principle. The principle is about shared identities; what Seth Godin would refer to as Tribes. The more we identify ourselves with others, the more we are influenced by them.

Rather than describing each of the influence factors here, I encourage you to review Cialdini’s work, or one of the many derivative works based on his research. Needless to say, however, scam artists and phishers around the world leverage many of these tactics as they bait their hooks! The influence tactics are also additive, meaning that a savvy phisher will employ multiple influence tactics within a single message to make the lure attractive. For instance, if a phisher creates a message using scarcity/urgency, authority, social proof, and reciprocity all in one phishing email, they bring more firepower to their message than a simple message that uses none or only one of the tactics.

Principle 3: Framing and context

Framing is of critical importance for performers, politicians, and marketers… as well as social engineers and con-artists. The concept of framing is derived from the social sciences. And it is basically the context, world view, or lens that a person views reality (or a specific situation) through. Framing can also be a social engineer or attacker’s way to hide in plain sight (costuming, persona development, and playing to the situation).

An example of framing that I use in presentations is where a specific effect can be presented in multiple ways depending on the frame that I’m trying to play to. For instance, if I have a sealed envelope that contains a written record of a participant’s upcoming choice, I can reveal that as either a prediction (if I want to play the part of a psychic) or as an example of how I can influence the participant to think or choose something (playing the part of a mentalist or Svengali-like hypnotist).

Simply stated – a frame gives us the context to interpret or understand the information we are presented or the situation in which we find ourselves. In fact, there are political, religious, and marketing organizations all dedicated to understanding the frames that people have and how to work within or to expand those frames so that people are open to new or different/challenging ideas. Frames are an extremely powerful force – and they are not always fact-based. When frames and facts collide, the facts are pushed aside and the frame is embraced tightly. FrameWorks President Susan Bales is known to often say, “When the facts don’t fit the frame, the facts get rejected, not the frame.”

Since everything operates within a frame, scammers, phishers, con-artists, and other unsavory types learn how to play to the frame. They will impersonate respected authority figures – such as in Business Email Compromise attacks. Framing also takes place in the way that language is used, the choice of medium for an attack, and more. For a great breakdown of framing in the context of social engineering, I encourage you to read the ‘Framing’ entry in the ‘Influencing Others’ section of The Social Engineering Framework at Social-Engineer.org.

Conclusion

Understanding how our brains can be used against us is a critical first step in learning how to combat the attacks of savvy attackers. The immediate take-away is that we need to give ourselves permission to slow down and think before acting. Doing so takes us out of situations where we are just acting in a reflexive/automatic manner and allows us to process things a bit more logically. Then we can mentally rewind the actions and potential motivations behind what people are saying, the emails that we are receiving, and situations that we are in to see if someone might have just tried to hijack our brain.

About the author: Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4. Previously, Perry led security awareness, security culture management, and anti-phishing behavior management research at Gartner Research, in addition to covering areas of IAM strategy, CISO program management mentoring, and technology service provider success strategies.

Phishing Campaign Abuses Compromised LinkedIn Accounts https://www.infosecisland.com/blogview/24976-Phishing-Campaign-Abuses-Compromised-LinkedIn-Accounts.html Tue, 19 Sep 2017 10:18:52 -0500

A recently observed phishing campaign was abusing compromised LinkedIn accounts to distribute phishing links via private messages and email, Malwarebytes warns.

The attack abuses existing LinkedIn accounts to distribute the phishing links to their contacts, but also to leverage the InMail feature to target external members. The campaign abuses long-standing and trusted accounts, including Premium membership accounts that can use the InMail feature to contact other LinkedIn users.

The fraudulent message claims to link to a shared document but instead redirects to a phishing site for Gmail and other email providers. To ensure that victims don’t immediately realize they’ve been scammed, a decoy document on wealth management from Wells Fargo is displayed after the user is asked to input their username, password, and phone number.

The phishing message Malwarebytes has encountered came from a trusted, compromised contact and contained a link to a so-called shared Google Doc. The Ow.ly URL shortener is used to hide the true URL used in the scheme, a method employed many times in previous phishing campaigns. Free hosting provider gdk.mx was also abused to redirect to a phishing page hosted on a hacked website.

The analyzed page was built as a Gmail phish, but also asks for Yahoo or AOL user names and passwords. It also asks users to input their phone number or a secondary email address before displaying the decoy Wells Fargo document to them.

Messages sent via InMail, which allow premium LinkedIn members to contact users who aren’t in their network, include a security footer message with the user’s name and professional headline, so that other members can distinguish authentic LinkedIn emails from phishing email messages. However, the platform also warns users that they can’t trust the content of these messages, even if they are sent via LinkedIn.

Malwarebytes also points out that the use of InMail, which requires a Premium account, comes at a hefty monthly cost. While spammers were seen upgrading free accounts only to send spam messages, the method couldn’t be used in large scale attacks, due to limited InMail credits.

“This limitation does not apply here though since the crooks are not creating (and paying for) their own accounts, but rather leveraging existing ones. Therefore, they have little to worry about burning free credits and tarnishing their victim’s reputation so long as it allows them to deliver their payload far and wide,” the security researchers note.

According to Malwarebytes, the number of compromised accounts isn’t known, and it is also unclear how the impacted LinkedIn accounts were compromised. Attackers might have abused the large-scale LinkedIn breach that was disclosed last year, but could have also gained access to the compromised accounts by using data from other major data breaches.

“It’s also unclear whether the shortened URLs are unique per hacked account or not, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and based on Hootsuite’s stats, we know 256 people clicked on the phishing link,” Malwarebytes says.

LinkedIn members who have been compromised should immediately review their account’s settings, change their password and enable two-step verification to prevent further compromise. They are also advised to warn their contacts of the compromise, as previous messages could be part of similar phishing attempts.

Related: 4.2 Billion Records Exposed in Data Breaches in 2016: Report

Related: Scrub 6.5 Million - It Was 117 Million Passwords Stolen From LinkedIn in 2012

BankBot Spreads via Utility Apps in Google Play https://www.infosecisland.com/blogview/24975-BankBot-Spreads-via-Utility-Apps-in-Google-Play.html Mon, 18 Sep 2017 14:55:34 -0500

Several utility applications distributed through Google Play have been infected with the BankBot Android banking Trojan, TrendMicro reports.

Initially spotted in the beginning of 2017, when its source code leaked online, BankBot has been highly active throughout the year. Between April and July, the malware managed to slip into Google Play via infected entertainment applications or posing as banking software, and has recently switched to utility apps, it seems.

Designed to steal users’ online banking credentials via phishing pages, the malware can request admin privileges on the infected devices to perform its nefarious routine. In addition to stealing login credentials, it can also intercept and send SMS messages, retrieve contacts list, track the device, and make calls.

According to TrendMicro, the malware managed to infect four utility apps in Google Play, and might have impacted thousands of users. One BankBot application, the security researchers reveal, has been downloaded over 5000 times.

Like previous variants, the new Trojan iteration targets legitimate banking applications. However, the security researchers noticed that, while it still targets banks in 27 countries, the variant has added phishing pages for ten more United Arab Emirates (UAE) banking apps.

On the infected device, BankBot checks the installed software and, if it finds a targeted banking app, it connects to the command and control (C&C) server and uploads the target’s package name and label. The server responds with a URL to download the library containing the files necessary for the overlay page displayed on top of banking apps.

The overlays have been designed so that the users believe they have accessed the legitimate pages. Thus, they input their login credentials without realizing the page is fake.

BankBot also packs a series of evasion techniques, and won’t work unless it runs on a real device and the targeted banking app is installed. It also avoids devices located in the Commonwealth of Independent States (CIS) countries.

When it comes to UAE banking apps, the malware also performs an additional step, prompting users to enter their phone numbers. The server then sends a code to the victim via Firebase Message and the victim is instructed to input bank details only after providing the pin. However, even if the bank information is correct, BankBot shows an “error screen” and asks the user to input the credentials again.

“Apparently, the author of BankBot wants to verify the banking details of their victims. They ask for the details twice, just in case users input it incorrectly at first. BankBot will send the stolen data to the C&C server only after account information is entered twice,” Malwarebytes says.

BankBot’s widened reach and the fact that it is experimenting with new techniques are concerning, TrendMicro points out, citing research claiming that mobile banking users in the Middle East and Africa are expected to exceed 80 million by 2017.

Related: Android Malware Found on Google Play Abuses Accessibility Service

Related: Source Code for BankBot Android Trojan Leaks Online

How to Fail Safe Your Data in the Cloud or When It’s Shared with 3rd Parties https://www.infosecisland.com/blogview/24973-How-to-Fail-Safe-Your-Data-in-the-Cloud-or-When-Its-Shared-with-3rd-Parties.html Tue, 12 Sep 2017 13:24:32 -0500

Experienced engineers know to “fail safe” the systems they design. This basic principle merely says that a system remains in a safe state in the event of any failure. For data security systems, this means that the sensitive data should remain inaccessible if anything goes wrong with the system. The simplest way of accomplishing this is data encryption.

Unfortunately, enterprises often overlook this critical principle when securing their data, even when the data is stored in the cloud or shared with 3rd party service providers. In these scenarios, the scope of potential failures increases as enterprises lose control and visibility over their data. Take Verizon as an example. They shared customer data with NICE Systems for the purpose of customer analytics. That data included customer information in unprotected form. As a result, when NICE accidentally put the information in a misconfigured S3 bucket in the Amazon cloud, that information was available for the whole world to see.

What happened to Verizon is just a trivial example of how security systems could fail with an honest mistake. Any CISO will tell you that their IT systems are constantly being attacked every day and that their employees are regularly receiving phishing emails. These events represent efforts by malicious parties to actively create failure in enterprise security systems, and the reality is that they only need to succeed once. The question, then, is what those hackers or rogue insiders see when they have circumvented the firewalls, evaded the monitoring, and bypassed access controls. Do they see valuable data ready for the taking, or are they confronted with an encrypted blob that encourages them to give up and seek other targets?

Given the fundamental role encryption can have in securing data, the use of data encryption is still surprisingly low. Nearly every data breach disclosure has indicated that the data was not encrypted. Of course, this may be due to the fact that many regulations do not require a disclosure when the data is encrypted. Despite this safe harbor, however, there are still breaches disclosed weekly and hundreds of millions of records lost every year. Clearly, many are still not getting the message.

The reasons given for not using encryption are many: encryption is too complex, its overhead is too high, key management is tricky. Furthermore, for cloud and 3rd party use cases, traditional data-at-rest encryption appears to be more about meeting bare minimum compliance requirements than about securing data. Fortunately, encryption solutions have made great strides. In addition to traditional storage and database encryption, application-level encryption options are more readily available and can protect data at a columnar granularity. Encrypting at the application level allows enterprises to maintain control and visibility of sensitive data values even if data is uploaded to the cloud or shared with 3rd parties.

Modern application encryption solutions reduce the application development effort by taking care of key management, monitoring, and reporting. The best solutions eliminate the need for application code changes and make encryption an operational exercise rather than create new development work. By making data security part of the operational process, enterprises can create a uniform agile encryption strategy that can quickly adapt to new security and compliance requirements while focusing their application development team on their core business requirements.

Whether ephemerally or permanently, data will be shared with 3rd parties and/or stored in the cloud. It behooves enterprises to protect that data with application encryption to ensure that there is a last line of defense against any failure in the data security system.

About the author: Min-Hank Ho has been developing enterprise security solutions for over 16 years and currently leads engineering for Baffle, Inc. Prior to joining Baffle, he led the development of Oracle Advanced Security and Oracle Key Vault, widely used data security products for enterprises with Oracle databases.
