Monthly Archives: June 2016

New macros attacks use Anti-VM and Anti-Sandbox techniques

A new wave of malicious documents carrying highly obfuscated macros is using anti-VM (virtual machine) and anti-sandbox techniques to avoid detection by automated analysis systems.

In late May, Zscaler researchers spotted malicious documents that detect virtual environments through the Office RecentFiles property and check who owns the machine's external IP address in order to evade sandbox solutions, Zscaler Director of Security Research Deepen Desai said in a June 7 blog post.

The macro code checks whether the number of entries in the RecentFiles collection is below a predefined threshold and terminates if it is, the post said.

The use of the Microsoft Office RecentFiles property to detect a virtual environment is a new technique that may seem trivial, but it has been effective against many automated analysis systems, Desai told SCMagazine.com in emailed comments.

“The malware author makes an assumption here that most clean virtual environment snapshots will be taken after a fresh Microsoft Office install with probably one or two document files opened for testing the installation,” Desai said. “Alternately, a standard user system with Office applications should have at least 3 or more recently accessed document files.”
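A scanner for the two checks just described, added here as an example (it is not Zscaler's code and not the campaign's macro): it takes VBA source that has already been extracted and deobfuscated, for instance with olevba, and flags a comparison of RecentFiles.Count against a small literal and any call out to an external-IP lookup service. The sample macro and the list of lookup hostnames are constructed for the demonstration; the article does not say which service the campaign queried.

```python
"""Heuristics for the anti-sandbox checks described above.

Added example, not Zscaler's code. Input is VBA source text already
extracted and deobfuscated (for example with olevba); heavily obfuscated
string concatenation must be resolved before these patterns will match.
"""
import re
from dataclasses import dataclass

# Assumed list of external-IP lookup services; the article does not name
# the one the campaign used. Extend it for your own environment.
IP_LOOKUP_HOSTS = ("maxmind.com", "ip-api.com", "ipinfo.io", "whatismyip")

# RecentFiles.Count compared against a literal, in either operand order.
# Longer operators come first in the alternation so "<=" is not read as "<".
THRESHOLD_RE = re.compile(
    r"RecentFiles\s*\.\s*Count\s*(<=|>=|<|>|=)\s*(\d+)"
    r"|(\d+)\s*(<=|>=|<|>|=)\s*(?:\w+\.)*RecentFiles\s*\.\s*Count",
    re.IGNORECASE,
)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
FLIP = {"<": ">", ">": "<", "<=": ">=", ">=": "<=", "=": "="}


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def scan_vba(source: str) -> list:
    """Return one Finding per suspicious construct, in source order."""
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        m = THRESHOLD_RE.search(text)
        if m:
            if m.group(1):                      # "RecentFiles.Count < 3"
                op, value = m.group(1), m.group(2)
            else:                               # "3 > RecentFiles.Count"
                op, value = FLIP[m.group(4)], m.group(3)
            findings.append(Finding(number, "recentfiles_threshold",
                                    f"Count {op} {value}"))
        for host in HOST_RE.findall(text):
            if any(service in host.lower() for service in IP_LOOKUP_HOSTS):
                findings.append(Finding(number, "external_ip_lookup", host))
    return findings


def verdict(findings) -> str:
    """Both checks together are the signature of the macros described above."""
    kinds = {f.kind for f in findings}
    if {"recentfiles_threshold", "external_ip_lookup"} <= kinds:
        return "sandbox-aware (both checks)"
    if kinds:
        return "suspicious"
    return "clean"


# Constructed sample in the style of the macros described above; it is not
# the real campaign's code.
SAMPLE_VBA = """\
Sub AutoOpen()
    ' bail out on a fresh VM snapshot with few recently opened documents
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Dim req As Object
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
    req.Send
    If InStr(LCase(req.responseText), "amazon") > 0 Then Exit Sub
    Call Payload
End Sub
"""

if __name__ == "__main__":
    found = scan_vba(SAMPLE_VBA)
    for f in found:
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print(verdict(found))
```

The threshold value is reported because it tells the sandbox operator how many documents to open before taking the golden snapshot; the lookup-host match tells them to route the sandbox's egress through an address whose WHOIS record does not name a hosting or security vendor.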

The crooks behind the campaign aren't exploiting vulnerabilities to infect users; instead they rely on social engineering to lure the user into enabling macros.

To prevent these types of attacks, Desai said end users need to be more vigilant and should never trust documents that prompt them to enable macros for viewing content.

He said Microsoft has acknowledged the rise in macro-based malware attacks and has added countermeasures that let enterprise administrators enforce a strict policy against untrusted documents containing macros; in Office 2016 a Group Policy setting can block macros outright in documents that arrived from the Internet.

Via: scmagazine

Singapore will cut off public servants Internet access next year

In what seems like a surprising and drastic move, the Singapore government has decided that all computers used by public servants will have their Internet access blocked from May 2017 onwards.

According to The Straits Times, more than 100,000 computers will be cut off, in an effort to minimise security risks.

A spokesperson for the Infocomm Development Authority (IDA) said: “The Singapore government regularly reviews our IT measures to make our network more secure.”

Memos are being sent out to all affected parties including government agencies, ministries and statutory boards, and trials at the IDA — the agency leading the blockade — have already started.

Public servants will still be able to surf the web, but only using their own personal devices which are not linked to the government’s network or e-mail system.

Employees will still be able to forward work emails to their personal accounts, and separate Internet terminals will be set up for those who need access for work-related matters.

News about this “extreme” decision has drawn ire from many Singaporeans who have criticised the government’s decision on social media.

Via: mashable

Skype being used to distribute malware

Researchers at F-Secure found cybercriminals attempting to steal the personal information of Swiss nationals, and possibly other travelers, who were looking for help on how to file for visas to visit the United States.

To pull off this scam the attackers are using malware called QRAT, or Qarallax RAT. In a twist, the malware is distributed over Skype by criminals posing as U.S. officials offering the needed help, F-Secure's Frederic Vila wrote in a blog post. Skype has been used as an attack vector before, but for adware.

Vila added that the software appears to be about six months old and was found for rent on a dark web forum, with prices starting as low as $22 for a five-day rental and running up to $900 for a year.

An incident starts when the victim runs a Skype search for information on how to apply for a U.S. visa. While there is a legitimate contact, "ustraveldocs - Switzerland", other accounts that appear in the Skype search results look legitimate but are fronts for the malware distributors. They can slip past an unwary person because they look almost identical: "ustravelidocs - Switzerland". The extra "i" in the middle is what gives the bogus Skype account away.

The malicious file is a Java application that can run on operating systems with Java Runtime Environment installed, Vila noted.

Once the call is under way the malware is downloaded onto the victim's computer, where it can capture mouse movements and clicks, log keystrokes and control the webcam. F-Secure also found a copy of LaZagne, an open source password-recovery tool, stored on the same server as QRAT. This could indicate a plan to bundle the two, which would also let the criminals harvest saved passwords from Wi-Fi profiles, browsers, chat applications and mail programs.

Vila said in his blog that the code does contain some indicators about the malware’s origin.

“It is Arabic in origin with the strings “allah” and “hemze” found obfuscated within the body. The IP address 95.211.141[.]215 is located in Netherlands but the domain QARALLAX[.]COM has WHOIS history linking it to Turkey,” Vila said.

F-Secure found 21 additional Skype accounts starting with ustravelidocs and ending in other country names, indicating that the criminals are also trying to target travelers from those countries, but Vila had no information that this was actually taking place.

Via: scmagazine

6 Common Phishing Attacks and How to Protect Against Them

At this year’s RSA Conference, Tripwire conducted a survey where it asked 200 security professionals to weigh in on the state of phishing attacks.

More than half (58 percent) of respondents stated their organizations had seen an increase in phishing attacks in the past year. Despite that increase, most companies didn’t feel prepared to protect themselves against phishing scams. Indeed, a slight majority (52 percent) stated they were “not confident” in their executives’ ability to successfully spot a phishing scam.

The growth of phishing attacks in both frequency and sophistication, as noted by Verizon in its 2016 Data Breach Investigations Report, poses a significant threat to all organizations. It’s important that all companies know how to spot some of the most common phishing scams if they are to protect their corporate information.

With that in mind, I will use a guide developed by CloudPages to discuss six common phishing attacks: deceptive phishing, spear phishing, CEO fraud, pharming, Dropbox phishing, and Google Docs phishing. I will then provide some useful tips on how organizations can protect themselves against these phishing scams.

1. DECEPTIVE PHISHING


The most common type of phishing scam, deceptive phishing refers to any attack by which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing the attackers’ bidding.

For example, PayPal scammers might send out an attack email that instructs recipients to click on a link in order to rectify a discrepancy with their account. In reality, the link leads to a fake PayPal login page that collects the user's credentials and delivers them to the attackers.

The success of a deceptive phish hinges on how closely the attack email resembles the legitimate company's official correspondence. Users should therefore inspect every URL carefully, hovering over links to reveal the real destination, and check whether it leads to or redirects to an unknown website. They should also look out for generic salutations, grammar mistakes, and spelling errors scattered through the email.
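The "almost identical name" problem appears twice on this page: the ustravelidocs Skype handle in the QRAT story above, and lookalike PayPal links here. The following is an added example (not code from F-Secure, Tripwire or any of the companies named) that handles both: it folds visually confusable characters, measures edit distance against a list of known-good names, and for URLs judges the registrable domain rather than whatever brand name appears to its left. The known-good handle and domain lists, and every URL used, are assumed values for the demonstration.

```python
"""Lookalike detection for account handles and URLs.

Added example, not code from F-Secure or Tripwire. It covers the Skype
"ustravelidocs" impersonation and the PayPal-style URL check on this page.
Known-good handles and domains are assumed values for the demonstration.
"""
from urllib.parse import urlparse

LEGIT_SKYPE_HANDLES = {"ustraveldocs - switzerland"}   # assumed
LEGIT_DOMAINS = {"paypal.com", "dropbox.com"}          # assumed

# Characters and digraphs attackers substitute because they look alike.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(name: str) -> str:
    """Lower-case and fold confusables so 'paypa1' and 'paypal' compare equal."""
    folded = name.strip().lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an inserted, deleted, substituted
    or transposed character each cost 1, so one stray 'i' scores 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify(name: str, known, max_distance: int = 2):
    """Return (verdict, matched_known_name_or_None)."""
    raw = name.strip().lower()
    if raw in known:
        return "legitimate", raw
    folded = normalize(raw)
    best = min(known, key=lambda k: edit_distance(folded, normalize(k)))
    dist = edit_distance(folded, normalize(best))
    if dist == 0:
        return "homoglyph", best          # differs only by confusable characters
    if dist <= max_distance:
        return "lookalike", best          # e.g. one inserted letter
    return "unrelated", None


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: real code should consult the Public
    Suffix List so that names under co.uk and similar are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, legit_domains=LEGIT_DOMAINS):
    """Judge the link target by its registrable domain, not by what appears
    to the left of it, which is where 'paypal.com.evil' style hosts hide."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in legit_domains:
        return "legitimate", reg
    verdict, match = classify(reg, legit_domains)
    if verdict != "unrelated":
        return verdict, match
    for domain in legit_domains:
        if domain.split(".")[0] in normalize(host):
            return "brand-embedded", reg  # brand used as a subdomain or prefix
    return "unrelated", reg


if __name__ == "__main__":
    print(classify("ustravelidocs - Switzerland", LEGIT_SKYPE_HANDLES))
    for link in ("https://www.paypal.com/signin", "http://paypa1.com/login",
                 "http://paypal.com.secure-login.example/"):
        print(link, check_url(link))
```

A mail gateway would run check_url over every link in an inbound message and quarantine anything scored homoglyph, lookalike or brand-embedded; the same classify call, fed a directory of approved contact handles, catches the Skype-style impersonation before a user places the call.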

2. SPEAR PHISHING


Not all phishing scams lack personalization – some use it quite heavily.

For instance, in spear phishing scams, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender.

The goal is the same as deceptive phishing: lure the victim into clicking on a malicious URL or email attachment, so that they will hand over their personal data.

Spear phishing draws heavily on social media sites like LinkedIn, where attackers can gather the details they need from multiple sources to craft a targeted attack email.

To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that are capable of analyzing inbound emails for known malicious links/email attachments.

3. CEO FRAUD


Spear phishers can target anyone in an organization, even top executives. That’s the logic behind a “whaling” attack, where fraudsters attempt to harpoon an executive and steal their login credentials.

In the event their attack proves successful, fraudsters can go on to conduct CEO fraud, the second phase of a business email compromise (BEC) scam, in which attackers impersonate an executive and abuse that individual's email to authorize fraudulent wire transfers to an account of their choice.

Whaling attacks work because executives often don’t participate in security awareness training with their employees. To counter that threat, as well as the risk of CEO fraud, all company personnel – including executives – should undergo ongoing security awareness training.

Organizations should also amend their financial policies so that no one can authorize a financial transaction by email alone; a wire request should be confirmed out of band, for example by a call back to a number already on file.

4. PHARMING


As users become more savvy to traditional phishing scams, some fraudsters are abandoning the idea of “baiting” their victims entirely. Instead, they are resorting to pharming – a method of attack which stems from domain name system (DNS) cache poisoning.

The Internet's naming system uses DNS servers to convert human-readable host names such as "www.microsoft.com" into the numerical IP addresses used to locate computer services and devices.

In a DNS cache poisoning attack, a pharmer targets a DNS server or resolver cache and changes the IP address associated with a host name. The attacker can therefore redirect users to a malicious website of their choice even when the victims typed the correct name.

To protect against pharming, organizations should encourage employees to enter login credentials only on HTTPS-protected sites and to treat certificate warnings as a stop sign, since a poisoned answer sends the browser to a server that will not hold a valid certificate for the expected name. Companies should also run anti-virus software on all corporate devices and keep signature databases and operating-system security updates current.

5. DROPBOX PHISHING


While some phishers no longer bait their victims, others have specialized their attack emails according to an individual company or service.

Take Dropbox, for example. Millions of people use Dropbox every day to back up, access and share their files. It’s no wonder, therefore, that attackers would try to capitalize on the platform’s popularity by targeting users with phishing emails.

One attack campaign, for example, tried to lure users into entering their login credentials on a fake Dropbox sign-in page hosted on Dropbox itself.

To protect against Dropbox phishing, users should enable two-step verification (2SV) on their accounts; Dropbox's help pages give a step-by-step guide to turning it on.

6. GOOGLE DOCS PHISHING


Fraudsters could choose to target Google Drive similar to the way they might prey upon Dropbox users.

Specifically, as Google Drive supports documents, spreadsheets, presentations, photos and even entire websites, phishers can abuse the service to create a web page that mimics the Google account log-in screen and harvests user credentials.

A group of attackers did just that back in July of 2015. To add insult to injury, not only did Google unknowingly host that fake login page, but a Google SSL certificate also protected the page with a secure connection.

Once again, users should consider enabling 2SV to protect themselves against this type of threat, via either SMS codes or the Google Authenticator app. 2SV does not stop a fake page from capturing the password, but it stops the attacker from logging in with the password alone.

CONCLUSION

Using the guide above, organizations will be able to more quickly spot some of the most common types of phishing attacks. But that doesn’t mean they will be able to spot each and every phish. On the contrary, phishing is constantly evolving to adopt new forms and techniques.

With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives stay on top of emerging phishing attacks.

Via: tripwire

Wendy’s POS breach ‘considerably’ bigger than first thought

Even more fast-food patrons may have a beef with The Wendy’s Company, after the restaurant chain announced June 9th, 2016 that the total number of restaurants affected by a point-of-sale data breach discovered last February may be “considerably higher” than originally thought.

Wendy’s had previously reported in May that the malware found on certain franchised locations’ POS systems affected fewer than 300 North American locations, with another 50 locations also suspected of experiencing unspecified cybersecurity issues. Victims who purchased food at these locations had their payment card data stolen and used fraudulently at other merchants.

However, according to a new press statement from Wendy’s, further investigation into the incident has turned up a variant that is “similar in nature to the original but different in its execution.” This variant, which Wendy’s described as “extremely difficult to detect,” was uploaded via a remote access tool to a second POS system that was not previously known to be infected. Though Wendy’s did not provide any figures, the company did admit that the total number of victimized franchise restaurants is now much higher than once thought.

Wendy’s emphasized that no company-operated restaurants appear to be impacted, and explained that the franchise locations were likely affected as a result of attackers stealing credentials from third-party service providers who help maintain and support franchisees’ POS systems.

Adam Levin, chairman and founder of identity theft firm IDT911, was critical of Wendy’s statement. “Wendy’s is quick to deflect blame and point the finger at franchisees and third-party service providers, and continues to make excuses by claiming the malware used by attackers is ‘highly sophisticated’ and ‘extremely difficult to detect,'” said Levin in a statement provided to SCMagazine.com. “By downplaying the severity of the breach, Wendy’s runs the risk of further compromising its reputation and has put tens of thousands of consumers in jeopardy.”

Jonathan Cran, vice president of operations at cybersecurity crowdsourcing service Bugcrowd, added in his own statement to SCMagazine.com, “It’s surprising we don’t see more follow-on breach announcements like this. Once an attacker is in and laterally moving throughout the network, it can be very difficult to fully contain and remove their access. Attackers are going after sources of magnetic stripe credit card data as consumers move to EMV “chip” cards. While EMV was not designed to prevent malware (ram scraper) attacks, in practicality, these cards would probably have protected consumers in this case.”
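Cran's point about RAM scrapers and magnetic-stripe data can be made concrete. The following is an added example (not code from Wendy's, Bugcrowd or SC Magazine): a scan for Track 1 and Track 2 patterns over a memory buffer, with a Luhn check to separate real PANs from random digit runs. This is exactly what a RAM scraper looks for in a POS process, and run over a memory dump during incident response it confirms whether card data was exposed. The buffer is constructed from publicly known test card numbers.

```python
"""Scan a memory image for magnetic-stripe track data.

Added example, not code from Wendy's or Bugcrowd. A RAM scraper hunts for
exactly these patterns in the POS process's memory; the same scan, run over
a memory dump during incident response, confirms whether card data was
exposed. The buffer below is constructed from publicly known test PANs.
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary?   Track 1: %B PAN ^ NAME ^ YYMM SSS ...?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; separates real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN and last four digits, as a forensic report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return every track-shaped match with its offset and Luhn result."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                     "expiry": m.group(2).decode(), "luhn": luhn_ok(pan)})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                     "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                     "luhn": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


def confirmed(hits: list) -> list:
    """Drop Luhn failures: they are noise, not card data."""
    return [h for h in hits if h["luhn"]]


# Constructed sample: two valid test cards and one decoy whose check digit is wrong.
SAMPLE_DUMP = (
    b"\x00\x17junk;4111111111111111=25121010000000000000?\x90\x90"
    b";4111111111111112=2512101000?"
    b"%B5555555555554444^DOE/JOHN^25121010000000000000?\xff"
)

if __name__ == "__main__":
    for hit in confirmed(scan_memory(SAMPLE_DUMP)):
        print(hit)
```

The same scan explains why EMV would have helped here: a chip transaction never places a full, reusable track string in the terminal's memory, so there is nothing for the pattern to match. Scraped EMV data still includes the PAN, which is why the field is masked in the report and why chip transactions do not make the scan pointless.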

Via: scmagazine

Morgan Stanley Pays $1 Million SEC Fine For Failure to Protect Customer Data

Global financial services firm Morgan Stanley has agreed to pay a $1 million penalty for failure to safeguard customer data, the U.S. Securities and Exchange Commission (SEC) said on Wednesday.

According to a statement by the SEC, the Wall Street bank violated a federal regulation – known as the “Safeguards Rule” – by failing to adopt federally required written policies and procedures reasonably designed to protect customer data.

As a result, former financial advisor Galen Marsh was able to gain access to confidential information and transfer client data from an estimated 730,000 accounts to his personal server from 2011 to 2014.

His personal server was ultimately hacked by third parties, the regulator said, and details of about 900 accounts were later released online:

“A likely third-party hack of Marsh’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities,” the SEC said.

In a separate SEC order, Marsh was barred from the industry for five years. In December, he was criminally convicted for the breach and was sentenced to three years probation, and ordered to pay $600,000 in restitution.

Marsh reportedly conducted about 6,000 unauthorized searches on the bank's computer system, taking client names, addresses and phone numbers, as well as account numbers, fixed-income investment information and account values.

Although the bank did not admit or deny the offense, Morgan Stanley spokesman Jim Wiggins told Bloomberg the firm is pleased to settle the matter.

Wiggins added the bank “worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services.”

Via: tripwire

Why you need a CSO/CISO

When it comes to security, you're better off employing a specialist. Yet according to recent research, fewer than half of companies employ a CSO/CISO.

Your CIO has enough on her/his plate without taking on responsibility for security, too. While there’s plenty a CIO (or a CTO) can tackle when it comes to security, these roles are “generalists.” What you really need is a chief security officer or a chief information security officer (CSO/CISO) — a security specialist.

The Cyber Security Job Trends survey from free online security MOOC provider Cybrary, which polled 435 senior-level technology professionals from October to December 2015, found that only about half or 49 percent of respondents say their companies employ a CSO/CISO who’s solely responsible for security.

“Even though we found that cybersecurity professionals, at all levels, are fully aware, and experiencing first-hand that the available talent is not keeping pace with demand needs, I was surprised by the alarmingly low number of companies that employ a CSO/CISO who is responsible for security,” says Trevor Halstead, product specialist, talent services, Cybrary.

Why a CSO/CISO?

But if you already have a CIO and a CTO, why do you need a separate C-suite role for security? It’s about prioritizing both the business and the security of information, infrastructure, sensitive data and your public reputation, and minimizing the risks to all of these before a breach occurs.

A dedicated CSO/CISO will not only have depth and breadth of knowledge about the threat landscape, protective approaches, tools and techniques to protect infrastructure and information, but a unique perspective on how to analyze and mitigate risk, says Salo Fajer, CTO of data loss prevention and managed security service provider Digital Guardian.

“What a CSO/CISO can bring to the table is much more than just a specialty in technology, an acute awareness of the possibility of attacks and knowledge of the threat landscape. It’s about having a broad and deep perspective on risk, and how to enable the business while minimizing that risk,” says Fajer.

Balancing business with risk

A CSO/CISO’s major role in an organization is first to enable the business to function optimally, but within safe parameters to minimize the risk of threats, attacks and business disruption, says Fajer. Being able to identify and assess threats, and then translate the risks into language to help other members of the C-suite to understand what’s at stake is critical, he says.

“You not only need to be able to view business operations from a risk versus functionality perspective, you have to be able to discuss these in the language that a CEO, a CIO and other C-suite peers can understand and can appreciate,” Fajer says. A background both in the technical aspects of security and broader business knowledge and experience are important here, he says.

Where do CSOs/CISOs come from?

Digital Guardian's research, culled from publicly available information on the Fortune 100 (F100) companies that employ a CISO, shows that most people in this role effectively combine both.

Though most F100 CISOs, 59 percent, came up through the IT and IT security ranks, 40 percent hold a degree in business, and 85 percent hold a bachelor's degree, according to the Digital Guardian research.

“There’s no specific path for becoming a CSO/CISO; there is a propensity for coming from IT and IT security, and there’s definitely an emphasis on integrating that with the needs of the business. You need to have someone with the security background, the experience and certifications that are enriched by business knowledge,” says Fajer.

While IT certifications in general aren’t the major differentiator they once were, Fajer says in the IT security space in particular, they’re still incredibly relevant. Digital Guardian’s research shows that on average, F100 security leaders hold 2.86 certifications, with the CISSP certification held by 53 percent of those CISOs.

“Security certifications are still very much experience-oriented, with a lot of hands-on learning and real-world components to the credentialing exams. Because of the diverse mix of educational background, security pros rely on these certifications to show they have the necessary skills and experience,” he says.

Level up

In the overall hierarchy of the C-suite, there are benefits to having an independent, separate role for a CSO/CISO, says Fajer.

“Some organizations have the CSO or CISO reporting to the CIO or CTO; some have the role separate and reporting to the CEO, much like the CIO and/or the CTO does. It depends on the individual businesses, but there’s something to be said for a stand-alone role who’s more independent; that way, the CSO/CISO can act almost like an auditor for other C-suite executives, and bring objectivity into discussions about budgets, resource allocation and business decisions,” he says.

Where your CSO/CISO came from is less important than what they can provide to your business; it's really the difference between having a generalist with limited knowledge of a broad set of potential issues and having a specialist who can weave security best practices into your existing IT operation without disrupting the business, says Cybrary's Halstead.

“Companies and C-level executives need to realize the absolute necessity of having a CSO/CISO responsible for security, and at the table when making security decisions. We have reached a tipping point where security should not be an afterthought; it should be incorporated into the everyday business decisions a company is making,” he says.

Via: cio

Microsoft to Buy LinkedIn for $26.2 Billion

Microsoft said on Monday it was acquiring LinkedIn in a $26.2 billion cash deal.

The companies said that Microsoft had agreed to pay $196 a share to buy LinkedIn, a business social networking site that has more than 400 million members globally.

“The LinkedIn team has grown a fantastic business centered on connecting the world’s professionals,” Satya Nadella, Microsoft’s chief executive, said in a statement.

The companies said Reid Hoffman, a founder of LinkedIn and its controlling shareholder, had approved the deal, as did Jeff Weiner, the chief executive of LinkedIn. Mr. Weiner will remain chief executive of LinkedIn, which will operate as an independent brand, the companies said.

LinkedIn shares had fallen by nearly half since a peak of almost $260 a share last fall and ended trading on Friday at $131.08.

Microsoft and LinkedIn Stock Activity

Via: nytimes

Microsoft launches a free trial of Minecraft: Education Edition for teachers to test over the summer

Following up on its promises from January, Microsoft today released a free trial of Minecraft Education Edition – the version of Minecraft meant for use in the classroom – to educators worldwide. This “early access” version of the program includes new features and updated classroom content and curriculum, the company also says.

For those unfamiliar with the Education Edition, the idea is to bring the world of Minecraft to the classroom to be used as a learning tool where students can develop skills in areas like digital citizenship, empathy, literacy, and more. They can use the software as part of a coding camp, study science, learn about city planning, or they can study history by re-creating historic landscapes and events in the program, for example.

Microsoft also notes that this early access release includes more lesson plans, across a range of grade levels and subjects. For example, some sample lessons are: “City Planning for Population Growth”, “Exploring factors and multiples”, and “Effects of deforestation.”

This early access release available now is not the final version of the software – there will still be some kinks to work out. And Microsoft is still interested in hearing feedback from teachers who try out this edition over the summer break.

This is also not the first time that teachers have been able to get their hands on the Education Edition – Microsoft began a beta test in May that reached 100 schools in 26 countries around the world. During that time, it collected feedback from teachers who used the software with some 2,000-plus students.

Thanks to their input, the release arriving now has a few more features that teachers asked for, including things like easier classroom collaboration, non-player characters and chalkboards to provide instruction, camera and portfolio features that lets students snapshot and document their work, among other things.

Up to 30 students from a classroom can play in a world together, without the need for a separate server, and they can work together or in groups. In a future release, Microsoft will launch a “Classroom Mode” interface for teachers that offers a map and list view of all their students, teleport capabilities, and a chat window for communication.

Microsoft didn't develop this version of Minecraft in-house; it is building on top of MinecraftEdu, learning software it acquired earlier this year. It plans to license the Education Edition to schools this fall, with costs per user ranging from $1 to $5, depending on the school's size and volume licensing agreements.

Via: techcrunch

Meem backs up your phone every time you charge it

Forgot to back up your phone again? Meem's new product might be just the solution to your woes. The company makes power cables for iOS and Android that back up your device every time you plug it in. After a successful Kickstarter campaign, Meem's cables started shipping earlier this week.

The way we use smartphones has changed a lot, and many of us never even plug our smartphones into computers anymore. At the same time, the data you keep on your phone is important, and if you don’t trust the cloud storage providers to keep your data safe, the question is how you work backups into your daily routine.

Meem claims that because the cable is a physical device (rather than a cloud service, or files on your computer), it’s more secure. That makes sense on one level, but I don’t know about you — I know I’ve lost a lot more charging cables than cloud passwords over the years.

The beauty of Meem is that it’s completely transparent. While you may forget to back up your device, the likelihood of forgetting to charge it is practically nil. Plug in the Meem cable, type in a four-digit PIN and your personal data starts backing up right away, every time you charge your phone.

The charger cable comes in 16GB and 32GB variants for both iPhone and Android devices. The storage space might sound like it may not be enough (a lot of phones have more storage than that, after all), but the Meem team has found a way of backing up only the essential parts of the phone, while leaving things like the operating system and the apps behind on the device. The company also said they will make a USB-C version available further down the line.

The Meem product started its life as a Kickstarter project in January, and while it only barely met its Kickstarter goal, the company and its top brass have an impressive track record. Before founding Meem, CEO Kelly Sumner was CEO of Take-Two Interactive (best known for Grand Theft Auto) and of RedOctane (best known for Guitar Hero), and ahead of the Kickstarter campaign Meem used the U.K. equity crowdfunding platform CrowdCube to raise £710,000 ($1 million) from 282 individual investors, valuing the company at £11 million ($16.3 million).

The cables are available from the manufacturer’s website and from Amazon.

Via: techcrunch