Monthly Archives: March 2016

Apple Users Targeted In First Known Mac Ransomware Campaign


The malicious file first appeared on the Transmission BitTorrent site.

Apple Inc. customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc told Reuters on Sunday.

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft’s Windows operating system.

Palo Alto Threat Intelligence Director Ryan Olson said the “KeRanger” malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Olson said in a telephone interview.

An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs. The representative said he could not immediately provide other details.

The malware is programmed to encrypt files on an infected personal computer three days after the original infection, according to Olson.

That means that if Apple’s steps prove ineffective in neutralizing malware that has already infected Macs, the earliest victims will have their files encrypted on Monday, three days after the malicious program first appeared on the Transmission website, he said.

The Transmission site offers the open source software that was infected with the ransomware.

Palo Alto planned to release a blog post advising Mac users on how to check whether they were infected and on steps they could take to protect their data, Olson said.

Transmission is one of the most popular Mac applications used to download software, videos, music and other data through the BitTorrent peer-to-peer information sharing network, according to Olson.

Representatives with Transmission could not be reached immediately for comment.

The project’s website, http://www.transmissionbt.com, on Sunday carried a warning saying that version 2.90 of its Mac software had been infected with malware.

It advised users to immediately upgrade to version 2.91 of the software, which was available on its website, or delete the malicious one.

It also provided technical information on how users could check to see if they were affected.

Via: fortune

Cox investigates possible data breach

Cox Communications is investigating a possible breach exposing the personal information of 40,000 of its employees, according to Motherboard.

“Selling 40k personal details of cox employs [sic],” reads a listing on the dark Web forum The Real Deal Market.

The database includes names, email addresses and other information that seems to be genuine, according to a small sample reviewed by Motherboard. Some of the information appears not to be publicly available.

“Cox Communications is aware of this matter and the business-related information to which it relates,” a Cox spokesperson told the publication in an email. “We’re taking this very seriously and have engaged a third-party forensic team to conduct a comprehensive investigation and are actively working with law enforcement. Cox’s commitment to privacy and data security is a top priority for the company.”

The company did not comment on whether the stolen information was authentic.

The hacker selling the data suggested that more data may have been stolen, possibly including customer details, but would not reveal how he or she gained access to Cox’s systems.

Via: thehill

Here’s a simple trick from Google to find your lost Android smartphone

Google built a way to quickly and easily locate misplaced phones — and it’s as simple as a Google search.

It’s no secret that losing your smartphone in this day and age is the equivalent of losing a first-born child. Alright, not literally, but you can see where I’m going with this.

For me, I store a lot of stuff in my phone. Whether it be pictures, passwords, or credit card information, it’s essentially a lifeline to my digital world. So you can imagine the feeling of reaching into your pocket only to find the missing void that is your smartphone.

Thankfully, Google has a really quick trick to find your lost Android smartphone. Here’s how to find it if you ever find yourself in this situation:

First, navigate to Google and make sure you’re signed in to the Google account your smartphone is registered under.

Here’s the really simple part: search “Where’s my phone?”

From here, a map will appear.

A couple of seconds later, your phone’s location is displayed on the map!

You can even make it ring at full volume, even if the phone was previously on silent. For good measure, you also have the ability to lock or wipe the phone altogether.

Unfortunately this trick only works for Android devices. iPhone users will have to make do with Apple’s iCloud feature.

Via: knowtechie

Snapchat Responds to Leak of Payroll Data Following Phishing Attack

The popular video messaging application Snapchat has responded to a partial leak of its former and current employees’ payroll information following a recent phishing attack.

Team Snapchat published a statement on the company’s blog:

“We’re a company that takes privacy and security seriously,” the statement begins. “So it’s with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees. The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.”

The blog post goes on to reveal that someone in the company’s payroll department fell for a phishing attack in which a scammer impersonated Snapchat’s CEO and requested employees’ payroll information.

The partial data leak occurred on Friday, February 26th. Shortly thereafter, the company determined that the attack was an isolated incident and that it did not result in any breach of its internal systems or its users’ data. It also notified all affected employees and reported the event to the FBI.

“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” Team Snapchat observes. “To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”


Phishing attacks are one of the most common types of scams on LinkedIn and other social media platforms.

Fortunately, there are ways for companies to protect themselves against these schemes.

Sean Gallagher of Ars Technica reports that data loss prevention (DLP) and email filtering tools could block messages containing sensitive information, such as employees’ Social Security Numbers and other personally identifiable information, from being sent to an external party.
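As an added example (not from the article, Ars Technica or Snapchat), here is the kind of outbound check a DLP or mail-filtering gateway could apply to the scenario above: block a message that carries Social Security Numbers when any recipient is outside the company's own domains, and only log it when it stays internal. The internal domain list and the sample message are constructed.

```python
import re
from email import message_from_string, policy

# Internal mail domains. Constructed for this example; not Snapchat's real domains.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# SSN-shaped tokens AAA-GG-SSSS; word boundaries keep longer digit runs out.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Drop SSN-shaped strings the SSA never issues (000/666/9xx areas,
    00 group, 0000 serial) so templates and placeholders don't trip the rule."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN in the text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]


def external_recipients(msg, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """Every To/Cc/Bcc address whose domain is not one of ours. A display
    name that says 'CEO' is ignored; only the domain after the @ counts."""
    found = []
    for header in ("to", "cc", "bcc"):
        value = msg.get(header)
        if value is None:
            continue
        for address in value.addresses:
            if address.domain.lower() not in internal_domains:
                found.append(address.addr_spec)
    return found


def evaluate_outbound(raw: str, internal_domains=INTERNAL_DOMAINS) -> dict:
    """Decide what the gateway should do with one outbound message."""
    msg = message_from_string(raw, policy=policy.default)
    ext = external_recipients(msg, internal_domains)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for part in msg.iter_attachments():  # text attachments are scanned as well
        if part.get_content_maintype() == "text":
            text += "\n" + part.get_content()
    ssns = find_ssns(text)
    if ssns and ext:
        action = "block"          # PII leaving the company: stop it and alert
    elif ssns:
        action = "allow-and-log"  # internal only, but keep an audit trail
    else:
        action = "allow"
    return {"action": action, "external_recipients": ext, "ssn_count": len(ssns)}


# Constructed sample: a payroll reply to a lookalike "CEO" address, with a
# template row that must not count as a real record.
SAMPLE_MESSAGE = """\
From: payroll@example.com
To: "Evan (CEO)" <ceo@example-com.co>
Cc: hr-lead@corp.example.com
Subject: Re: W-2 info needed urgently
Content-Type: text/plain; charset="utf-8"

Here is the list you asked for:
Jane Doe, 123-45-6789, $85,000
John Roe, 219-09-9999, $92,500
Template row, 000-12-3456 (placeholder, not a real record)
"""

# Same content, but addressed only inside the company.
INTERNAL_ONLY_MESSAGE = SAMPLE_MESSAGE.replace(
    'To: "Evan (CEO)" <ceo@example-com.co>', "To: ceo@example.com")

if __name__ == "__main__":
    print(evaluate_outbound(SAMPLE_MESSAGE))         # action: block
    print(evaluate_outbound(INTERNAL_ONLY_MESSAGE))  # action: allow-and-log
```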

Additionally, companies can invest in security education programs that teach employees to look out for phishing scams.

“As the scammers become ever more sophisticated, it’s easy to be duped, as Snapchat’s payroll department unfortunately discovered,” said Richard Beck, Head of Cyber Security at QA, as quoted by ZDNet. “The good news is that arming employees with some basic cyber security know-how — such as knowing not to click on a URL sent via email — makes it relatively easy to thwart these scammers and defend against the cyber threats that every business faces today.”

Via: tripwire

How an audit can shore up your security strategy

A review of network security is much like a personal tax audit, but a bit less painful.

Information security audits are on the rise, as organizations look to not only bolster their security postures, but demonstrate their efforts to other parties such as regulators.

Audits, which are measurable technical assessments of systems, applications and other IT components, can involve any number of manual and automated processes. Whether conducted by internal auditors or outside consultants, they are an effective way for companies to evaluate where they stand in terms of protecting data resources.

The high-profile data breaches of recent years have forced many organizations to take a closer look at their security technologies and policies, experts say.

“Public exposure to the steady volume of company breaches has led to increased scrutiny from legislators and compliance organizations,” says David Barton, CISO at security technology provider Websense. “A comprehensive security audit program is one way to satisfy the scrutiny of those compliance organizations.”

Audits can be complex, however. There are many standards in use, including some for regulated industries as well as independent standards developed by active industry control groups, says Sean Pike, program director, eDiscovery and Information Governance, at research firm International Data Corp. (IDC).

“For each standard there are many more attempts at encapsulating the required audit components into control or common-control frameworks meant to guide the security audit,” Pike says. “Each control framework typically has a tremendous amount of controls that are meant to assist [an] audit—anything from user passwords to data storage or physical controls. An audit can be overwhelming for even the most mature organization.”

Trends such as the rise in cloud services and mobile technologies are making audits even more complicated.

“One of the immediate ways that an audit is affected is that it’s more difficult to determine where enterprise data is or where it moves throughout the course of a business process,” Pike says.

Here are some suggestions from experts on how to conduct an effective security audit:

Scope out the audit and do the necessary prep work. “The keys to a successful audit start long before the audit is actually conducted,” says Rich Wyckoff, manager of information security at Fletcher Allen Health Care.

Develop the scope for the audit and work with the auditors beforehand to agree on what they will be auditing. “I’m of the mindset that I want an auditor to help me find pieces of the business I don’t know about,” Wyckoff says. “While no one likes to see the dirty laundry of their organization, we can’t address and resolve what we don’t know is a problem.”

By developing the scope up front with the auditors, IT security can ensure that the auditors will spend time reviewing certain parts of business operations and give security an impartial view of those operations.

Along with scoping the audit, IT security needs to work with auditors to understand what else they might have on their agenda.

“Different audits may require different resources, so understanding the audit scope and schedule up front allows you to make sure that the appropriate individuals attend the necessary meetings,” Wyckoff says. “There’s nothing worse than sitting down for an audit meeting to quickly realize you do not have the appropriate resources in the room to answer the questions the auditors were looking to ask.”

Once the scope is identified and agreed upon, you can start on the prep work. “It is a good idea to get a list of requested items from the auditors in advance so you know exactly what documentation they will be looking for,” Wyckoff says. “If any cloud services are within the scope of the audit, you may want to request any service audits such as a SOC 1 or SOC 2 audit from the service organization.”

When preparing for an audit, it’s critical to understand what the auditors are looking at and how it’s relevant to your environment, adds Josh Feinblum, vice president of information security at security technology company Rapid7.

“Your preparation and response are wholly driven by the evaluated controls and purpose of the audit,” Feinblum says. “Are the auditors using prescriptive benchmarks like ISO 27001, FedRAMP, or PCI DSS? Is the audit being done to help your organization improve its controls?”

Eliminate any disconnect between IT and the compliance/audit function. “This is drastically important,” Pike says. “One of the biggest problems with IT audit is that the results are often meaningless. The reason they are meaningless is because IT controls and audit control tests don’t always get to the root of a potential risk.”

For example, a control test might request verification that user passwords are changed every 30 days. “In response, an IT professional might provide the auditor with a screenshot of a domain policy that, sure enough, shows a box that is checked and a setting of 30 days for changing passwords,” Pike says.

“The problem is that this evidence alone doesn’t actually tell an auditor enough to actually verify that all users are forced to change their passwords every 30 days,” Pike says. “There could be a number of exceptions or technological problems that allow user passwords to remain unchanged indefinitely.”
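To make the gap Pike describes concrete, here is an added example (not from the article or any of the firms quoted) that tests the 30-day control against the accounts themselves instead of a policy screenshot. It assumes a constructed CSV export of sAMAccountName, pwdLastSet (converted to an ISO date, or 0 for “must change at next logon”) and userAccountControl, such as a directory export could produce; the userAccountControl bit values are Microsoft's documented ones.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Documented userAccountControl bits (real values, not assumptions).
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

MAX_PASSWORD_AGE = timedelta(days=30)   # the control being audited


@dataclass
class Account:
    name: str
    pwd_last_set: Optional[datetime]    # None == pwdLastSet 0 (change pending)
    uac: int


def parse_export(text: str) -> list[Account]:
    """Read the assumed CSV export; pwdLastSet is an ISO date or 0."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["pwdLastSet"].strip()
        when = None if raw == "0" else datetime.fromisoformat(raw).replace(tzinfo=timezone.utc)
        accounts.append(Account(row["sAMAccountName"], when, int(row["userAccountControl"])))
    return accounts


def audit_password_rotation(accounts, now, max_age=MAX_PASSWORD_AGE) -> dict:
    """Report every enabled account the domain-policy checkbox does not cover:
    exceptions (never expires, no password required) and technical failures
    (password older than the limit even though it should have expired)."""
    report = {"checked": 0, "never_expires": [], "no_password_required": [],
              "stale": [], "pending_change": []}
    for acct in accounts:
        if acct.uac & ADS_UF_ACCOUNTDISABLE:
            continue  # cannot log on; outside the scope of this control
        report["checked"] += 1
        never_expires = bool(acct.uac & ADS_UF_DONT_EXPIRE_PASSWD)
        if never_expires:
            report["never_expires"].append(acct.name)
        if acct.uac & ADS_UF_PASSWD_NOTREQD:
            report["no_password_required"].append(acct.name)
        if acct.pwd_last_set is None:
            report["pending_change"].append(acct.name)
        elif not never_expires and now - acct.pwd_last_set > max_age:
            report["stale"].append(acct.name)  # policy is not actually biting
    report["control_effective"] = not (
        report["never_expires"] or report["no_password_required"] or report["stale"])
    return report


def audit_from_csv(text: str, now: datetime) -> dict:
    return audit_password_rotation(parse_export(text), now)


# Constructed export and reference date for a deterministic run.
REFERENCE_NOW = datetime(2016, 3, 15, tzinfo=timezone.utc)
SAMPLE_EXPORT = """\
sAMAccountName,pwdLastSet,userAccountControl
alice,2016-03-01,512
bob,2015-12-01,512
svc_backup,2014-06-10,66048
carol,0,512
dave,2015-01-01,514
kiosk,2016-03-10,544
"""

if __name__ == "__main__":
    for key, value in audit_from_csv(SAMPLE_EXPORT, REFERENCE_NOW).items():
        print(f"{key}: {value}")
```

Anything listed under never_expires, no_password_required or stale is the evidence the screenshot cannot show, and each entry needs either a documented exception or a fix before the control can be marked effective.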

Unfortunately, there is often a lack of coordination between IT and the audit function. “The auditor has a task to do and the IT professional probably views it as a burden,” Pike says. The two need to communicate about exactly what’s needed.

Leverage efficiencies. For most organizations, a security audit is hard because there’s too much to do and a knowledge gap between the auditor and the IT group, Pike says.

“Over the last several years we’ve seen a concentration on narrowing the knowledge gap in two ways,” Pike says. One is by using frameworks that consolidate audit control tests. “Instead of auditing one control over and over to meet different standards, it’s more effective to understand that several standards require auditing a specific control. Audit that one control in a meaningful manner and pass the results through to every standard as opposed to doing a poor audit five times.”

The second, and probably more important way to narrow the gap, is to use analytics. “Especially for the enterprise market there have been significant advancements in injecting audit process into technology,” Pike says. “These solutions can eliminate false positives and create a focused view of where systems might have problems.”

Major auditing firms are leading the charge in developing customized systems in highly regulated industries to tackle well-known audit challenges, Pike says. “Currently some of these solutions can be expensive, but over the next few years should find their way into the mid-market,” he says.

Make sure the audit is comprehensive. The IT infrastructure now extends well beyond the walls of the organization, and the audit needs to reflect that.

“Our audits/assessments involve a cross-functional approach that involves an assessment of tools, processes and response procedures,” says Myrna Soto, corporate senior vice president and global CISO at media company Comcast. “The emergence of mobile technology and cloud services expands the technical capabilities required” to conduct an effective audit.

Traditional protocols can’t be assumed to be applicable for areas such as cloud-based computing capabilities or data storage, Soto says. “Testing containers and portability of data stores in the cloud—for us, a private cloud infrastructure—is important,” she says.

“Network zoning has evolved as a result of cloud infrastructure capabilities and effective assessments/audits must account for multiple vulnerabilities.”

As an example, network security audits account for one vector, but when you’re assessing something for the Internet of Things, including multiple connected devices performing multiple functions, that requires a comprehensive end-to-end assessment of security protocols for a variety of transactions, Soto says.

“Protocols can include access controls, data masking, authentication and intrusion prevention,” Soto says. “Needless to say, the evolution of technologies has required an evolution of assessment needs and ultimately audit practices.”

Barton agrees that security audits need to be comprehensive and cover areas such as understanding all ingress and egress points for data within the organization and the controls applied to those points; knowing where all sensitive information is stored within the organization; knowing what systems support revenue generation and where they reside related to security controls; and evaluating internal security policies.

Ensure strong audit leadership. Whoever owns the audit function, whether it’s the CFO, CIO or some other executive, must be held responsible for the results and effectiveness of an audit.

“Hopefully, this will create the culture change necessary to perform effective audits,” Pike says. “It doesn’t necessarily mean that a breach is his or her fault. What it does mean, however, is that the audit owner should ensure that employees in [the] organization can answer difficult questions about IT capabilities and architecture.”

If an auditor goes out to the field to audit a development workflow in an environment regulated by the Health Insurance Portability and Accountability Act and knows little about HIPAA, development processes or the actual workflow, the audit isn’t going to work, Pike says. “Auditors must have the requisite knowledge required to approach [an] audit with skepticism,” he says.

Those in charge need to make sure audits account for the latest technology trends within the organization. The combined influence of mobile, cloud, big data/analytics and social media has brought about new challenges for security auditors.

“It is a steep learning curve for the auditors along with the CIOs, CISOs and risk professionals,” says Khushbu Pratap, principal research analyst at Gartner. “Digital business innovation disrupts risk and security management. Clearly, this also brings about new challenges on providing independent assurance on such risks.”

Via: csoonline

ServiceNow Merges Security with Service Management

Security teams will benefit from its service management platform’s workflow, automation, orchestration and systems management capabilities, says ServiceNow.

Most companies like to think their security operations run like a well-oiled machine. In truth, however, many security teams could use a tune-up. Security teams often store plans that explain how they should respond to a data breach in documents on a fileshare, in spreadsheets or even in paper notebooks.

“Security vendors sell you systems to detect threats or enforce security policies, but CISOs are looking at how to address what to do when a rootkit is installed or when a data breach occurs,” said Sean Convery, vice president and general manager of ServiceNow’s new Security Business unit. The provider of service management software this week rolled out its first security product, called Security Operations.

The product is part of ServiceNow’s long-term strategy to transform how organizations respond to security threats, Convery said. “We want to help security teams improve their day-to-day execution and workflow so they are not relying on static documents that they only refer to occasionally.”

The company’s customers are increasingly using its service management software for non-IT functions such as human resources and facilities management. When ServiceNow learned customers were building their own security apps on top of its platform, it realized there was an “unmet need in the market,” Convery said.

Because the new product is part of ServiceNow’s service management platform, it includes workflow, automation, orchestration and systems management capabilities that Convery said help security teams manage the processes involved in responding to and remediating incidents and removing manual processes that slow security incident resolution times. The product includes two cloud-based applications: Security Incident Response and Vulnerability Response.

Putting Security in Context

Running the applications on the same service management platform used by IT teams gives security teams context that they currently lack, Convery said.

Customers can attach incidents and vulnerabilities to records within the ServiceNow configuration management database (CMDB), he noted, which gives security teams insight into the virtual or physical assets at risk and the business services supported by those assets.

“Security analysts are often stuck in a world of IP addresses. When they get an alert, often the first question they need to answer is ‘who the heck is this IP address?’ That usually involves calling IT. With our platform they know more about that asset and often even the business service that the asset supports,” he said. “This is incredibly useful in the triage stage of incident response when you have more things to do than you have time to do them. It helps to know if the attack is against your financial reporting infrastructure or a website where you are doing a survey about an employee summer picnic.”

The system can trigger automatic patching, configuration changes to security infrastructure or other standard workflows to contain and fix security incidents and vulnerabilities. It also creates automatic post-incident reports, which are often needed for auditing purposes.

“We can effectively run the play all way through the remediation action itself,” Convery said. “Instead of deciding ‘this is bad’ and then going into different tools to patch and quarantine, you can have the workflow kick off the necessary approvals and notifications to IT to retrieve an asset, to patch a system or to make some other emergency change. Rather than having to go from console to console, the security team can see the execution of the playbook from the initial alert being created all the way through to the actual production response to that event.”

Part of the new product’s appeal is its ability to help bridge the communications gap between IT and security teams, which often have a “Hatfield and McCoy relationship” that makes it tough to collaborate, Convery said.

“Security is heavily dependent on IT. If a change needs to be made to an endpoint or a server, IT needs to do it. Not only that, but sometimes HR needs to get involved or legal needs to get involved,” he said. “How do you coordinate and collaborate as a group? How do you get the right people on the phone and the right people responding to emails? Collaborating in the enterprise is hard enough, but when you introduce a time-critical security event it just exacerbates all of those problems. That can lead to poor decisions being made when folks are under stress. A service management approach to security addresses some of those challenges.”

A lack of coordination among teams and reliance on manual processes are common challenges, according to an Enterprise Strategy Group research study commissioned by ServiceNow. Nine out of 10 respondents said their incident response effectiveness and efficiency is limited by the burden of manual processes. A third of organizations spend at least half of all incident response time on manual processes. The top challenge cited by respondents was coordination between IT and security teams.

Proactive Security Response

The Vulnerability Response module will help security teams become more proactive, Convery said.

“Once you’ve learned about alerts, you can integrate with scanning vendors and map the information to assets. Then you can say ‘Here are our 50 most critical business services, the IP addresses that support them and the vulnerabilities associated with those services.’ Now you can have a direct action plan to reduce organizational risk by focusing on addressing vulnerabilities in your most critical capabilities,” he said. “Again, you’ve got business context being introduced into the security conversation.”

In addition, he said, ServiceNow’s embedded analytics can give CISOs valuable visibility into an organization’s security posture.

“When we ask CISOs if their security posture is good or bad, if it’s getting better or worse, we get a lot of anecdotal answers,” he said. “With our embedded business intelligence analytics, we can do time-based trending on anything in the system so we can show you a timeline of security incidents being opened over time, the close rate, how long it took to identify and close them, how many are misconfigurations, how many are false positives. You can start feeding that information back into the organization to show trend lines.”

Noting that most security teams already use multiple security tools, Convery said the Security Operations software integrates with third-party software applications, including security information and event management (SIEM) systems and vulnerability identification solutions. It also integrates with the National Vulnerability Database, which is the U.S. government repository of standards-based vulnerability management data.

“The entire product is API based. Some partners will build integrations for us and some less popular integrations can be built as custom,” he said.

Via: esecurityplanet

Attackers can turn Microsoft’s exploit defense tool EMET against itself

Exploits can trigger a specific function in EMET that disables all protections it enforces for other applications.

Hackers can easily disable the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a free tool used by companies to strengthen their Windows computers and applications against publicly known and unknown software exploits.

Researchers from security vendor FireEye have found a method through which exploits can unload EMET-enforced protections by leveraging a legitimate function in the tool itself.

Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. However, it’s likely that many users haven’t upgraded yet, because the new version mainly adds compatibility with Windows 10 and doesn’t bring any new significant mitigations.

First released in 2009, EMET can enforce modern exploit mitigation mechanisms like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or Export Address Table Access Filtering (EAF) to applications, especially legacy ones, that were built without them. This makes it much harder for attackers to exploit vulnerabilities in those applications in order to compromise computers.

Security researchers have found various ways to bypass particular EMET-enforced mitigations over the years, but they were primarily the result of design and implementation errors, like some modules or APIs being left unprotected. Methods to disable EMET protections completely have also been reported in the past, but they were not always straightforward and required significant effort.

The FireEye researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. Furthermore, it works against all supported versions of EMET — 5.0, 5.1 and 5.2 — with the exception of EMET 5.5, and also on versions that are no longer supported, like 4.1.

EMET injects some DLLs (Dynamic Link Libraries) into third-party application processes that it’s configured to protect. This allows it to monitor calls from those processes to critical system APIs and to determine if they are legitimate or the result of an exploit.

However, the tool also contains code that is responsible for unloading mitigations in a clean way, returning the protected processes to their initial state without causing malfunctions or crashes. It’s this feature that the FireEye researchers have figured out how to trigger from an exploit.

“One simply needs to locate and call this function to completely disable EMET,” they said in a blog post Tuesday. “In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks.”

This is a significant new attack vector that’s easier to use than bypassing each of EMET’s individual protections as they were designed, they said.

Since this technique is now public, EMET users should consider upgrading to version 5.5 as soon as possible to avoid future attacks that might adopt it. In addition to Windows 10 compatibility, this new EMET version improves the configuration and management of protections through Group Policy and improves the performance for the EAF and EAF+ mitigations.

Via: networkworld