Monthly Archives: February 2017

University attacked by its own vending machines, smart light bulbs & 5,000 IoT devices

A university, attacked by its own malware-laced soda machines and other botnet-controlled IoT devices, was locked out of 5,000 systems.

Today’s cautionary tale comes from Verizon’s sneak peek (pdf) of the 2017 Data Breach Digest scenario. It involves an unnamed university, seafood searches, and an IoT botnet; hackers used the university’s own vending machines and other IoT devices to attack the university’s network.

Since the university’s help desk had previously blown off student complaints about slow or inaccessible network connectivity, it was a mess by the time a senior member of the IT security team was notified. The incident is given from that team member’s perspective; he or she suspected something fishy after detecting a sudden big interest in seafood-related domains.

The “incident commander” noticed “the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet.” That explained the “slow network” issues, but not much else.

The university then contacted the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team and handed over DNS and firewall logs. The RISK team discovered the university’s hijacked vending machines and 5,000 other IoT devices were making seafood-related DNS requests every 15 minutes.

The incident commander explained:

The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor and manage, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet.

After reading the RISK Team’s report, the senior IT security team member said:

Of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet. This botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password—locking us out of the 5,000 systems.

At first, the incident commander thought the only way out of trouble was to replace all the IoT devices, such as “every soda machine and lamp post.” Yet the RISK Team’s report explained that “the botnet spread from device to device by brute forcing default and weak passwords,” so the university used a packet sniffer to intercept a clear-text malware password for a compromised IoT device.

With the packet capture device operational, it was only a matter of hours before we had a complete listing of new passwords assigned to devices. With these passwords, one of our developers was able to write a script, which allowed us to log in, update the password, and remove the infection across all devices at once.

Verizon’s sneak peek report includes mitigation and response tips, such as change default credentials on IoT devices. It also advises, “Don’t keep all your eggs in one basket, create separate network zones for IoT systems and air-gap them from other critical networks where possible.”
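One way to hunt for the three symptoms the incident commander describes (hosts issuing bursts of lookups every 15 minutes, one domain queried under an abnormal number of sub-domains, and IoT hosts resolving through a DNS server outside their own segment) in DNS-server logs. This is an added example, not code from the Verizon report or the university; the log format, the 10.20.0.0/16 IoT segment, the addresses, the domains and the thresholds are constructed assumptions.

```python
"""Flag beaconing hosts, sub-domain floods and segmentation breaks in DNS logs.

Log format (constructed for this example): "<timestamp> <client> <resolver> <qname>".
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

WINDOW_MINUTES = 15
BURST_THRESHOLD = 3        # lookups per host per window; tiny so the sample trips it
MIN_WINDOWS = 2            # a host must burst in at least this many windows
SUBDOMAIN_THRESHOLD = 4    # distinct sub-domains under one registered domain
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # hypothetical IoT zone

# Constructed sample: two "vending machines" on the IoT segment beacon to a
# seafood domain through the campus resolver 10.1.0.53, which sits outside
# their segment; 10.5.7.20 is an ordinary staff host for contrast.
SAMPLE_LOG = """\
2017-02-01T08:00:02 10.20.4.11 10.1.0.53 crab41.seafood-example.test
2017-02-01T08:00:02 10.20.4.11 10.1.0.53 clam7.seafood-example.test
2017-02-01T08:00:03 10.20.4.11 10.1.0.53 prawn9.seafood-example.test
2017-02-01T08:00:05 10.20.4.12 10.1.0.53 squid3.seafood-example.test
2017-02-01T08:00:05 10.20.4.12 10.1.0.53 oyster12.seafood-example.test
2017-02-01T08:00:06 10.20.4.12 10.1.0.53 tuna88.seafood-example.test
2017-02-01T08:03:10 10.5.7.20 10.1.0.53 www.legit-example.test
2017-02-01T08:09:44 10.5.7.20 10.1.0.53 mail.legit-example.test
2017-02-01T08:15:01 10.20.4.11 10.1.0.53 cod5.seafood-example.test
2017-02-01T08:15:01 10.20.4.11 10.1.0.53 eel2.seafood-example.test
2017-02-01T08:15:02 10.20.4.11 10.1.0.53 hake77.seafood-example.test
2017-02-01T08:15:04 10.20.4.12 10.1.0.53 sole19.seafood-example.test
2017-02-01T08:15:04 10.20.4.12 10.1.0.53 scallop4.seafood-example.test
2017-02-01T08:15:05 10.20.4.12 10.1.0.53 mussel61.seafood-example.test
2017-02-01T08:21:30 10.5.7.20 10.1.0.53 www.another-example.test
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, resolver, qname); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        records.append((ts, parts[1], parts[2], parts[3].lower().rstrip(".")))
    return records


def window_start(ts):
    """Floor a timestamp to the start of its 15-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def registered_domain(qname):
    """Last two labels of a name; production code should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def beaconing_hosts(records):
    """Clients exceeding BURST_THRESHOLD lookups in at least MIN_WINDOWS windows."""
    per_window = Counter((client, window_start(ts)) for ts, client, _, _ in records)
    windows_over = Counter(client for (client, _), n in per_window.items() if n >= BURST_THRESHOLD)
    return {client: n for client, n in windows_over.items() if n >= MIN_WINDOWS}


def subdomain_floods(records):
    """Registered domains queried under an abnormal number of distinct names."""
    names = defaultdict(set)
    for _, _, _, qname in records:
        names[registered_domain(qname)].add(qname)
    return {dom: len(s) for dom, s in names.items() if len(s) >= SUBDOMAIN_THRESHOLD}


def segmentation_violations(records):
    """IoT-segment clients whose resolver is not inside the IoT segment."""
    bad = set()
    for _, client, resolver, _ in records:
        if ipaddress.ip_address(client) in IOT_SEGMENT and ipaddress.ip_address(resolver) not in IOT_SEGMENT:
            bad.add((client, resolver))
    return sorted(bad)


def analyse(text):
    """Run all three checks over a log and return the findings."""
    records = parse_log(text)
    return {
        "beaconing": beaconing_hosts(records),
        "subdomain_floods": subdomain_floods(records),
        "segmentation_violations": segmentation_violations(records),
    }


if __name__ == "__main__":
    for finding, detail in analyse(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

On the sample, both IoT hosts are reported as beaconing and as resolving outside their segment, and the seafood domain is reported with 12 distinct sub-domains.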

 

via: networkworld

Ransomware threat continues to evolve, defense needs to catch up

With the rapid expansion of the ransomware threat landscape, defenders are scrambling to find ways to fight back. RSAC 2017 dedicated a full day to a ransomware seminar.

The ransomware threat is not strictly new, but the expansion of the threat over the past year is enough to get a full-day seminar at RSA Conference 2017, with over a dozen experts scheduled to examine the latest malicious-attack phenomenon.

Andrew Hay, CISO of DataGravity Inc., in Nashua, N.H., and host of the ransomware summit, opened the first panel of the seminar by asking for a show of hands of those who had been affected by ransomware; hands shot up throughout the large hall. Hay asked the two questions likely on everyone’s mind: “Just how big is ransomware, and should victims pay the ransom?”

Panelist Michael Duff, CISO at Stanford University, said “ransomware is nothing more than monetized malware,” adding that while money is behind the vast majority of cyberincidents, ransomware is not actually entirely bad when compared with other types of attack. “It’s very loud — you know almost immediately when you’re attacked, and you know what you need to do to recover.”

And panelist Gal Shpantzer, CEO at Security Outliers Inc., in Arlington, Va., said ransomware is much easier to monetize than any other type of malware. Ransomware shortens the attack lifecycle, Shpantzer said, adding that it’s a way to “lob a grenade into your LAN, and now you owe me some money.”

Ransomware threat is a business

When considering the moral question — whether or not victims should pay — virtually all speakers during the day echoed the same sentiment: Victims should do all they can to avoid paying ransoms, while at the same time being pragmatic about paying to get access to critical systems.

Panelist Neil Jenkins, director of the Enterprise Performance Management Office at the Department of Homeland Security, pointed out that “paying a ransom encourages the business model,” adding that every time a victim pays, “it’s a good thing for the criminals.”

“I will not moralize to you,” Shpantzer said about paying if there’s no other option, but at the same time, he pointed out that it’s not always so cut and dried. If there are backups available, but it will take some time to determine whether they are recoverable, Shpantzer suggested taking a two-pronged approach of testing the backups, while also opening a line of negotiation. “You can test them. And parallel to testing them, you can negotiate with your new ‘friends.’”

“You can actually negotiate; it’s like kidnapping,” Shpantzer said. “It cost them nothing” to attack, and “you can and should negotiate” to extend the payment deadline and to get the attacker to accept less. That way, if the backups are good, you don’t need to pay the attackers anything. And if the backups aren’t usable, at least you can get a better price.

Dmitri Alperovitch, CTO at CrowdStrike, based in Irvine, Calif., told SearchSecurity that the increased volume of ransomware attacks “is a proxy for the fact that there’s been a merging on the botnet underground marketplace.”

For many years, it’s been possible for hackers with a new piece of malware to go to botnet owners and do a “pay per install” to distribute their ransomware. Now, ransomware authors are able to deploy their own botnets and get immediate payoffs. “No need to get clicks — it’s just a guaranteed success.”

In a session titled, “What the Kidnapping & Ransom Economy Teaches Us About Ransomware,” Jeremiah Grossman, chief of security strategy at SentinelOne Inc., based in Palo Alto, Calif., explained how the rapid rise in ransomware attacks is fueling a parallel growth in cyberinsurance offerings — and that has the potential to protect everyone.

Grossman said “seven-figure” payments for ransomware threats have already been paid, though he had to withhold details for obvious reasons. “There’s going to be professional ransomware negotiators,” a new job description for the people who will help cyberinsurers deal with attacks in the future.

The insurers will soon be able to tell everyone what to do to avoid ransomware, and they “will soon have the best data in the world” about ransomware threats and defenses. “They have all the actuarial data,” Grossman said.

 

via: techtarget

The technical support scam and how to avoid it

When talking about cybersecurity, we instantly think of viruses and malware. But advances in personal computer security have made it much harder for hackers to infect your PC through traditional channels like email.

As a result, they have developed new attack methods to get around your defenses using a range of techniques, on and offline. One of the most common and most successful is the “Technical Support Scam”, which combines social engineering and technology to empty a victim’s bank account.

What is the Technical Support Scam?

Social engineering relies on building trust with a victim, before tricking them into doing something that gets around their security defenses. In the case of the Support Scam, criminals telephone their victims pretending to be from a reputable business, like Microsoft or your security or telephone provider – a company name you recognize.

Posing as an engineer, the hacker informs their target that they have already fallen victim to criminals, and they must take urgent action to plug the security gap. The victim is asked to visit a webpage from their computer, and to download a remote control tool that will allow the engineer to access their system to perform “repair work”.

Once in control of the computer, the “engineer” may call up the computer’s event log and show a number of scary looking (but completely harmless) alerts. They will then suggest downloading further tools that allow them to fix these errors.

Unfortunately these tools are actually malware that will steal valuable information from the victim’s computer – particularly online banking details and passwords. The victim may feel that the engineer has done them a favor, but the reality is that they have invited the hacker to steal from them.

Avoiding the Technical Support Scam

There are several ways you can protect yourself from becoming a victim of this scam. These four tips will help keep you safe:

1. Use your common sense

Microsoft or Panda (for example) never ring customers to inform them of security problems. These companies may provide assistance by telephone, but they never call you first. In fact, unless you pay for a third party technical support service, no one should call you about problems with your computer or router.

No matter how urgent the issue sounds, anyone claiming to be calling about PC security problems is lying.

2. Protect your personal and sensitive information

Never give your account numbers or passwords to anyone over the phone or the Internet unless you are 100% sure who they are. If you are in any doubt at all, hang up. Keep in mind that fraudulent activities are profitable for the bad guys.


A good rule to follow for any incoming call: never hand over your credit card or bank details. Just don’t do it!

3. If you have a doubt: tell everyone about it

The Telephone Support Scam preys on people’s insecurity about their lack of tech knowledge. It is very easy to be a victim, and the best defense is sharing knowledge – telling other people about this scam, and what the criminals are doing. It is much easier to put the phone down if you know that the call is a scam.

You should also consider reporting the scam to the company the caller claimed to represent. If you do, make sure you look up the company’s genuine contact details yourself.

4. Protect your PC in advance

Do not forget to use antivirus protection for all your devices. If your device is protected by an anti-malware toolkit, it will not be generating security errors online or anywhere else. So you know that someone claiming you have a problem is also lying.

If your computer does not have an up-to-date security toolkit installed, you must act now.

Most social engineering attacks can be avoided by taking a second to think through the implications of what you are being told. You must not allow yourself to be bullied into making what could be a very costly mistake.

For more useful tips and advice about staying safe online, please check out the Panda Security knowledge base.

 

via: pandasecurity

If You Use Autofill, You Might As Well Give Away Your Info For Free

The autofill feature that many browsers offer is a useful time-saving tool that saves you from having to manually fill out forms with the same information every time. Programs include all the necessary information without the user having to go from one field to another to write information that is often repeated in most forms. However, what at first seems to have nothing but upsides for workers and individuals, does in fact carry with it some security risks.

Autofill can be used by cybercriminals to perpetrate phishing attacks that collect user data through hidden fields. When the Internet user allows the browser to fill in the form, it also fills in a number of fields that the screen does not display. In this way, when the individual submits the form, she also sends her personal information to the cybercriminals without realizing it.

Finnish developer Viljami Kuosmanen has revealed how such attacks work with a practical demonstration. He created a form in which only the fields “name” and “email” can be seen, along with a “send” button. However, the source code of the web page harbors some hidden secrets from the user: there are six other fields (phone, organization, address, postal code, city and country), which the browser also automatically populates if the user has activated the autofill function.


The method is a simple strategy to get all sorts of personal information and, according to Kuosmanen’s tests, works in both Chrome and Safari. Other browsers like Opera also offer the autofill feature, and Mozilla Firefox is currently working to implement it.

Fortunately for users, it is possible to disable this option in the program settings without too much difficulty. Browsers have it activated by default without asking permission first, so the only way to turn it off is by taking a moment to change the setting manually.

This is a serious threat to the security of personal and corporate information and is difficult to detect because, unlike other types of attacks, the user does not see any links or other types of samples that might lead her to suspect anything is amiss.

It is therefore advisable to disable the option in your browser, even though this means that you’ll be spending a little more time filling out those pesky forms.

 

via: pandasecurity

Yahoo Issues Another Warning in Fallout from Hacking Attacks

Yahoo is warning users of potentially malicious activity on their accounts between 2015 and 2016, the latest development in the internet company’s investigation of a mega-breach that exposed 1 billion users’ data several years ago.

Yahoo confirmed Wednesday that it was notifying users that their accounts had potentially been compromised but declined to say how many people were affected.

In a statement, Yahoo tied some of the potential compromises to what it has described as the “state-sponsored actor” responsible for the theft of private data from more than 1 billion user accounts in 2013 and 2014. The stolen data included email addresses, birth dates and answers to security questions.

The catastrophic breach raised questions about Yahoo’s security and destabilized the company’s deal to sell its email service, websites and mobile applications to Verizon Communications.

The malicious activity that was the subject of the user warnings revolved around the use of “forged cookies” — strings of data which are used across the web and can sometimes allow people to access online accounts without re-entering their passwords.

A warning message sent to Yahoo users Wednesday read: “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” Some users posted the ones they received to Twitter.

“Within six people in our lab group, at least one other person has gotten this email,” Joshua Plotkin, a biology professor at the University of Pennsylvania, said. “That’s just anecdotal of course, but for two people in a group of six to have gotten it, I imagine it’s a considerable amount.”

Plotkin said in a telephone interview that he wasn’t concerned because he used his Yahoo email for messages that were “close to spam.” In the message he posted to Twitter, he joked that “hopefully the cookie was forged by a state known for such delicacies.”

 

via: enterprise-security-today

Signal app gets video calling overhaul and a warning for iOS users

Apple iOS users upgrading to the latest beta of the famous Signal secure messaging app should consider disabling CallKit integration if they want to preserve maximum privacy, its developers have warned.

Ostensibly, the big feature in the Signal release for Android and iOS is encrypted video calling, something the mass-market app WhatsApp (which uses Signal’s technology) announced in November.

The feature is enabled via Settings menu > Advanced and, of course, users at both ends must have configured it for video to work.

Video is one part of a larger overhaul that sees Edward Snowden’s favorite communication app integrate open source Web Real-Time Communications (WebRTC) while phasing out the old Phil Zimmermann ZRTP protocol previously used for authenticated key exchange.

The Speex VoIP audio codec has also been replaced with Opus, considered more resilient for smartphones. In short, Signal is evolving from its origins as an app built from bolted-together parts into something altogether more sleek.

Nevertheless, Apple iOS users should pay careful attention to the settings around the app’s new integration with iOS 10’s native CallKit framework.

The purpose of CallKit is that VoIP apps work in a more “native” way, offering behaviors such as the ability to answer calls from the lock screen and storing conversations in the “recent calls” list.

The downside is that some of this metadata will be synchronized to Apple’s iCloud, including who was in the conversation and how long it lasted. For anyone bothered by this, Signal’s developer Open Whisper Systems advises:

If you decide that’s not for you, you can opt-out of the CallKit features at any time in Settings > Advanced > Use CallKit, while continuing to use the rest of the new calling system.

Open Whisper Systems’ grand wizard Moxie Marlinspike told Wired that the company has yet to decide what to do in the next version: “There are a bunch of things we can do other than just having it on by default.”

After pioneering encrypted messaging, Signal has become the yardstick by which the whole sector is judged. But which features matter most when choosing a secure app?

The market divides into mass apps (WhatsApp, Facebook Messenger), which have lots of users but have been accused of taking privacy shortcuts, and challengers with stronger privacy but few users. Numbers matter because they increase the chances of finding contacts.

Beyond that, it depends how far the user is prepared to go to get more privacy:

  • Good privacy means end-to-end encryption with forward secrecy at all times (so no confusing mixed mode such as Google Allo’s incognito mode)
  • Software should be peer or independently reviewed for security flaws
  • Defending against man-in-the-middle attacks requires user/session verification. Signal has this feature but many don’t
  • Apps that erase messages after they are read, such as Confide, offer an alternative model with some caveats

Notice that no single app solves every problem, which suggests that the smartest approach might be to use several. But, finally, never forget that the best app encryption in the world will fail if the device running it isn’t well secured too.

 

via: sopho

Acer fined $115K for breach

Following a breach, the Taiwan-based computer manufacturer Acer will pay $115,000 and improve its security practices in a settlement with the New York State Attorney General (NYSAG) Eric T. Schneiderman.

The breach, first reported in June 2016, included personally identifiable information (PII) – including names, addresses, email addresses, card numbers, expiration dates, security codes and user names and passwords – and was accessed over a one-year period, May 2015 through April 2016. The PII of more than 35,000 Acer customers across the U.S., Canada and Puerto Rico was compromised, including more than 2,200 in New York State.

An investigation by the NYSAG office found that the data was exposed because it was stored in an unsecured format when debugging mode was enabled on the e-commerce platform. Acer had also misconfigured its e-commerce platform, enabling directory browsing by unauthorized users. The AG’s investigation determined that “at least one attacker exploited Acer website vulnerabilities to view and ex-filtrate sensitive customer data.”

In addition to the fine, terms of the settlement require Acer to take a number of steps to bolster its data security practices, including designating an employee to coordinate and supervise privacy and security of personal information; training employees, particularly those handling PII; responding to network anomalies, including unauthorized acquisition, access, use or disclosure of personal information; designing and implementing reasonable safeguards to control the risks identified through risk assessment, including use of multifactor authentication; regular testing of the effectiveness of the safeguards’ key controls, systems and procedures; and developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement.

The computer manufacturer also agreed to adhere to the data security standards mandated by the credit card industry.

“Businesses have a duty to protect their customers’ personal information as securely as possible,” said Schneiderman in a statement. “Lax security practices like those we uncovered at Acer put New Yorkers’ credit card information and other personal data at serious risk. That’s unacceptable, and will change under the terms of our settlement today. My office will continue to hold businesses accountable for protecting their customers’ private information.”

 

via: scmagazine

New Windows Trojan Spreads MIRAI Malware To Hack More IoT Devices

MIRAI, possibly the biggest IoT-based malware threat to emerge last year, caused a vast internet outage in October last year by launching massive distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn.

 
Now, the infamous malware has updated itself to boost its distribution efforts.

 
Researchers from the Russian cyber-security firm Dr.Web have now uncovered a Windows Trojan built with the sole purpose of helping hackers spread Mirai to even more devices.

Mirai is a malicious software program for Linux-based internet-of-things (IoT) devices. It scans for insecure IoT devices, enslaves them into a botnet, and then uses them to launch DDoS attacks; it spreads over Telnet by using factory-default device credentials.

 
It all started early October last year when a hacker publicly released the source code of Mirai.

Dubbed Trojan.Mirai.1, the new Trojan targets Windows computers and scans the user’s network for compromisable Linux-based connected devices.

 
Once installed on a Windows computer, the Trojan connects to a command-and-control (C&C) server from which it downloads a configuration file containing a range of IP addresses to attempt authentication over several ports such as 22 (SSH) and 23 (Telnet), 135, 445, 1433, 3306 and 3389.

 
Successful authentication lets the malware run certain commands specified in the configuration file, depending on the type of compromised system.

In the case of Linux systems accessed via Telnet protocol, the Trojan downloads a binary file on the compromised device, which subsequently downloads and launches Linux.Mirai.

“Trojan.Mirai.1’s Scanner can check several TCP ports simultaneously. If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands,” claimed the company in an advisory published this week.

Once compromised, the Trojan can spread itself to other Windows devices, helping hackers hijack even more devices.


Besides this, researchers noted that the malware could also identify and compromise database services running on various ports, including MySQL and Microsoft SQL, creating a new admin user “phpminds” with the password “phpgodwith,” which allows the attackers to steal the database.

 
At this time it’s not known who created this, but the attack design demonstrates that your IoT devices that are not directly accessible from the internet can also get hacked to join the Mirai botnet army.
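A defender-side check for the behaviour described above: flag an internal host that sweeps a range of addresses on the ports Trojan.Mirai.1 tries to authenticate against. This is an added example, not code from Dr.Web; the connection-log format, the hosts and addresses, and the MIN_TARGETS threshold are assumptions constructed for it.

```python
"""Flag internal hosts sweeping neighbours on the Trojan.Mirai.1 authentication ports.

Log format (constructed for this example): "<timestamp> <src> <dst> <dport>",
one line per outbound connection attempt as a firewall or flow collector would log it.
"""
import ipaddress
from collections import defaultdict

# Ports the article lists: SSH, Telnet, RPC, SMB, MSSQL, MySQL, RDP.
SCAN_PORTS = {22, 23, 135, 445, 1433, 3306, 3389}
MIN_TARGETS = 5   # distinct destinations on scan ports before a source is flagged

# Constructed sample: 10.8.1.40 walks 10.8.2.1-6 on several scan ports (the
# config-driven sweep the Trojan performs); 10.8.1.50 makes a normal file-share
# and RDP connection plus an HTTPS request, which should not be flagged.
SAMPLE_LOG = """\
2017-02-10T14:00:01 10.8.1.40 10.8.2.1 23
2017-02-10T14:00:01 10.8.1.40 10.8.2.1 22
2017-02-10T14:00:02 10.8.1.40 10.8.2.2 23
2017-02-10T14:00:02 10.8.1.40 10.8.2.2 445
2017-02-10T14:00:03 10.8.1.40 10.8.2.3 23
2017-02-10T14:00:03 10.8.1.40 10.8.2.4 3389
2017-02-10T14:00:04 10.8.1.40 10.8.2.5 23
2017-02-10T14:00:04 10.8.1.40 10.8.2.6 3306
2017-02-10T14:00:09 10.8.1.50 10.8.2.10 445
2017-02-10T14:00:12 10.8.1.50 10.8.2.11 3389
2017-02-10T14:00:15 10.8.1.50 203.0.113.9 443
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dst, dport); skip anything malformed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        records.append((parts[0], parts[1], parts[2], int(parts[3])))
    return records


def scan_profile(records):
    """Sources touching at least MIN_TARGETS distinct hosts on SCAN_PORTS.

    Returns {src: {"targets": n, "ports": [...], "contiguous": bool}}; a
    contiguous set of destinations is the signature of an address-range sweep.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for _, src, dst, dport in records:
        if dport in SCAN_PORTS:
            targets[src].add(int(ipaddress.ip_address(dst)))
            ports[src].add(dport)
    findings = {}
    for src, dsts in targets.items():
        if len(dsts) < MIN_TARGETS:
            continue
        ordered = sorted(dsts)
        findings[src] = {
            "targets": len(dsts),
            "ports": sorted(ports[src]),
            "contiguous": ordered[-1] - ordered[0] + 1 == len(ordered),
        }
    return findings


def analyse(text):
    """Parse a log and return the suspected scanners."""
    return scan_profile(parse_log(text))


if __name__ == "__main__":
    for src, detail in analyse(SAMPLE_LOG).items():
        print(f"{src}: swept {detail['targets']} hosts on ports {detail['ports']}, "
              f"contiguous range: {detail['contiguous']}")
```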

 

via: thehackernews

Microsoft unveils a bonanza of security capabilities

New features for Windows and Office 365 aim to help businesses with cybersecurity.

Companies concerned about cybersecurity have a fleet of new Microsoft tools coming their way. The company announced a host of new security capabilities Friday morning as part of the run-up to the massive RSA security conference next week in San Francisco.

On the Windows front, the company announced that it’s adding the ability to use on-premises Active Directory with Windows Hello, its system for allowing biometric-based logins with Windows 10. Microsoft also launched new tools to help organizations get more use out of mobile device management products by giving them tools to migrate group policy settings to cloud-managed devices.

What’s more, Microsoft has launched a new tool that’s designed to help customers configure the Surface hardware under their administration, doing things like disabling the tablets’ cameras.

Office 365 customers get a new security assessment tool and the private beta of a service aimed at showing them information about security threats.

Microsoft has been pushing advanced security capabilities like the ones announced Friday as a key part of its pitch to enterprises concerned about securing their data from a growing threat landscape. Here’s the rundown.

New Windows Capabilities

Windows Hello, Microsoft’s biometric-based authentication system, is getting two new enhancements with the forthcoming Windows 10 Creators Update. First off, Microsoft is making it possible to use its biometric Windows Hello login system solely with on-premises Active Directory servers, rather than requiring Azure Active Directory.

Microsoft is also trying to address the problem of users forgetting to lock their computers by using a new Dynamic Lock feature in Windows Hello. That will connect a user’s smartphone with their Windows 10 device, and automatically lock the device when the phone’s Bluetooth signal drifts far away.

Using it requires customers have the Microsoft Authenticator app installed on their smartphones. Once the app is connected to a PC, it uses the Windows Hello Companion Device Framework to automatically lock the computer when its user walks away.

The Surface Enterprise Management Mode (SEMM) allows enterprise customers to apply additional hardware restrictions to Microsoft’s Surface Pro 4 tablet, Surface Book laptop, and Surface Studio desktop in order to comply with security needs. That way, it’s possible for them to do things like disabling the device’s microphone.

Administrators can set policies that only kick in under a particular set of conditions, like when a Surface is connected to a specific network. Applying the policies requires that administrators have physical access to the Surfaces in question but does not require they erase them.

SEMM works at the Unified Extensible Firmware Interface level, “so a lot of the attacks you would expect attackers to use in order to just re-enable the camera without the user knowing, won’t even work, because the device is disabled at a fundamental, hardware level,” said Rob Lefferts, the director of program management for Windows Enterprise and Security.

Microsoft is also allowing mobile device management (MDM) software to apply settings and configurations from the Security Baseline Policies list. Previously, those settings were only available through Group Policy. It’s a move that’s designed to make it possible for administrators to have the same policies on devices managed using Group Policy and MDM.

The company also released a new MDM Migration Analytics Tool designed to help customers plan a migration from Group Policy to MDM. It scans a system for all of the policies applied to it, tries to map those policies to their MDM equivalents, and produces a report of the results.

There’s one hitch to MMAT when it comes to international users: The tool only works on the English names of Group Policy settings, which means that the system it runs on needs an English language pack. At this point, Microsoft recommends that users install English on a non-English system to work around that issue.

Windows Defender Advanced Threat Protection, which is designed to help find and contain security threats, is gaining support for custom security rules to protect against particular threats.

[Image: Office 365 Secure Score (source: Microsoft). The Office 365 Secure Score tool provides users a graphical representation of how fully they’ve deployed the security tools at their disposal.]

Office 365

Organizations using Office 365 can use a new Secure Score tool to benchmark their security. It analyzes an organization’s configuration, then provides them with a score based on the security controls they have fully or partially deployed.

The feature also provides guidance on what Office 365 security features administrators could use that would improve the security of the organizations they work for. By default, the Score Analyzer first shows users features that provide the most security benefit with the least impact to users and then lets people drill down further from there.

While the score is a useful tool for giving organizations an at-a-glance view of their security practices, it will also have some practical considerations. The Hartford plans to use the Secure Score in evaluating customers that it’s considering for cybersecurity insurance, Microsoft CISO Bret Arsenault said in a blog post.

Microsoft also announced the private beta of its previously-announced Office 365 Threat Intelligence service. That allows administrators to see information about the cybersecurity threats both inside and outside an organization.

For example, admins can see who in their organization is the most targeted for attack, along with general information about security threats, like how much bitcoin attackers usually request from a ransomware attack.

 

via: itworld

Ransomware Attack Caused County to Shut Down IT System

A county located in Ohio has suspended its IT system after a ransomware attack affected computers inside its government center.

Licking County officials first discovered there was a problem when they couldn’t open files saved to some government computers. When they rebooted those machines, they saw a ransom note and contacted the IT department. IT personnel launched an investigation into the incident and determined that ransomware had infected more than a thousand computers in the county’s government center on 31 January. Out of an abundance of caution, the county decided to suspend its computer and phone systems.

Announcement posted on Licking County office doors. (Source: Licking County Commissioners on Facebook)

County business proceeds in the aftermath of the attack. For instance, 9-1-1 dispatch continues to take calls. But it’s certainly not business as usual.

As County Commissioner Tim Bubb told 10TV:

“They are operating like the old days; you have a piece of paper, dry erase board and you have your radios to dispatch, so we haven’t missed a beat in terms of safety.”

In the absence of computers, dispatchers also can’t automatically pinpoint the location of an emergency call. That means they can’t send help to an address if an emergency caller becomes unresponsive or hangs up. This jeopardizes the efficiency of emergency services.

Meanwhile, county auditor Mike Smith told Newark Advocate that his office can accept tax and dog license payments but can’t record the payments in the computers:

“When you’re computer dependent, especially government, it makes it difficult to do much. Appraisers are in the field because they can’t do anything on the computer. We’ve let a handful of people go (home early). Their sole function is to do data entry and can’t do anything. If this goes on for many days, it’s going to be difficult to come up with work.”

Neither Bubb nor any other county official has elaborated on how much the ransom demand is and whether the county intends to pay it. In a Facebook post, however, Bubb said IT staff members are reviewing the county’s backups as a means of recovery.

News of this attack comes about a week after a Texas police department lost digital evidence and other files dating back to 2009 as a result of a ransomware attack.

 

via: tripwire