Infosec Island Latest Articles: Adrift in Threats? Come Ashore!

EDR for Everyone Is about Fighting Alert Fatigue
Wed, 21 Feb 2018 04:16:58 -0600

Endpoint detection and response (EDR) solutions are predicted to become a key security technology by 2020, with 80 percent of large organizations, 25 percent of midsize organizations, and 10 percent of small organizations investing in them. Demand for incident response tools that offer early visibility into advanced threats is expected to fuel EDR market growth, with a projected CAGR of 45.27 percent from 2015 through 2020.

The EDR market is already booming, having grown from $238 million in 2015 revenue to about $500 million in 2016. By 2020, it’s going to be a billion-dollar market and could even match the $3.2 billion (2015) endpoint protection platform (EPP) market.

Despite the rapid growth of the EDR market, these detection and response controls are still out of reach for mid-size and small organizations. Because EDR requires a dedicated security operations center (SOC) team to investigate alerts manually, the cost barrier is one that only large organizations can currently overcome. Or is it?

Fighting Alert Fatigue

EDR solutions emerged from the premise that it is impossible to prevent every threat; their purpose is to minimize the dwell time of an infection and limit the damage it can cause. However, the volume of security alerts for potential threats can overwhelm any under-resourced IT team, so investigation decisions end up either ill-informed or based on summary judgements. That broad-strokes approach can end in full network compromise, especially when traditional EDR is not properly managed or used to its full potential.

Since EDR agents are often installed on top of existing EPP agents and other security technologies such as SIEM, IDS and IPS, security teams can be bombarded with tens of thousands of alerts from multiple security consoles, making prioritization nearly impossible. Instead of increasing visibility and raising the organization's overall security posture, this fragmentation of security consoles only makes security more cumbersome.

EDR should be about having a single agent and a single management console, and only focusing on really important security events, instead of spreading human resources thin. After all, EDR should enable your security “SWAT team” to focus on truly important tasks, and not just chase ghosts and put out fires.

EDR for Everyone

Advanced threat hunting enabled by EDR agents requires alert prioritization and manual investigation by dedicated teams, which drives costs well beyond the initial purchase and deployment price. The key to an EDR solution for everyone lies in detecting advanced attacks with intelligence built into the endpoint agent. This lets admins focus only on the specific elusive threats that have crossed the other layers of prevention and keeps them from wasting time on false positives. Triage of the security events that matter becomes automated, and no full-time team of security specialists is needed to investigate each and every event or anomaly.

Incident visualization and investigation are also greatly simplified, as detected elusive threats are presented in a comprehensive fashion, with all contextually relevant information, so that the admins can assess the impact of the threat in seconds. This directly translates into swift incident response tactics that enable admins to use surgical precision to remediate the elusive threat by deleting or quarantining it, containing spread.

This type of evolved prevention, which even comes with the ability to fine-tune the protection level of controls from incident response workflows, helps reduce incident response costs by focusing on truly significant alerts. Unlike traditional EDR, which is usually noisy and overburdens already under-resourced IT teams, a smart EDR solution designed to bring the same early detection capabilities but with pinpoint accuracy is within the reach of any organization, regardless of size, vertical, or IT team size.

It’s the Last 1 Percent of Attacks You Should Worry About

Layered security solutions do a good job of detecting, preventing and mitigating close to 99 percent of all threats. The last 1 percent, or less, is usually the sophisticated attack that flies under the radar, and the final frontier in cybersecurity is the ability to accurately identify those elusive threats.

The value of EDR for everyone should lie in its ability to fully integrate with your EPP solution, while enabling IT admins to have a holistic view of the security status of the entire infrastructure. This last 1 percent of attacks is not only elusive, but the attacks can also hide behind background noise generated by trivial security incidents, which is why IT admins need the ability to focus on real dangers and problems by preventing, investigating, detecting, and responding to advanced threats effectively and promptly.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Copyright 2010 Respective Author at Infosec Island
Researchers Detail Linux-Based “Chaos” Backdoor
Tue, 20 Feb 2018 09:47:36 -0600

A Linux backdoor observed in live attacks in June last year turns out to be a component of an older rootkit, GoSecure researchers reveal.

In a recent report detailing the threat, the researchers explain that the backdoor spawns a reverse shell whose traffic is fully encrypted and integrity-checked. Dubbed Chaos, it appears to have originally been part of the ‘sebd’ rootkit that emerged in 2013.

In the observed attack, the malware's operator got into the targeted system by brute-forcing SSH credentials. The attempts came from two IP addresses known to be part of the Tor network, the researchers explain.

The attacker then disabled shell history logging, checked the SSHD binary, and searched the system for files that would indicate another malware infection was already present; such files are typically used by trojanized SSHDs to log stolen SSH credentials.

To finish the infection, the attacker downloaded and installed the payload: a .tar archive, fetched from a remote server under a .jpg file name, containing two ELF executables (Chaos and Client) and two shell scripts (initrunlevels and install).

Chaos is the backdoor itself, while Client is the program that connects to an installed backdoor. The install script copies initrunlevels to /etc/init.d so that it runs at every system start.

The initrunlevels script opens port 8338, checks whether certain files exist, and copies them to the paths it checked for. It also copies Client to /usr/include/cli.h and Chaos to /usr/include/stabd.h and /usr/sbin/smdb, as backup copies of both binaries.

As part of the attack, additional files were dropped and executed on the monitored system to make it part of an IRC botnet, the security researchers say.

Chaos first opens a raw TCP socket and watches incoming packets on every port for a specific trigger string. When it sees the string, it connects back to the client listening on TCP port 8338. The two sides then exchange key material to derive two AES keys, one for each direction of traffic, and verify that the key negotiation succeeded.

Because it uses a raw socket, Chaos sees the trigger packet even when it arrives on a port already served by a legitimate application, so a firewall that allows traffic to that service also lets the trigger through, the researchers point out.

The packets transmitted by the backdoor are not only encrypted but also integrity-checked with an HMAC.

The backdoor was previously part of the ‘sebd’ rootkit, which first appeared in 2013 and became public after its source code was allegedly captured by a honeypot and the operator released it on a forum to make it available to script kiddies.

The backdoor has a low infection rate, with most victims apparently located in the United States; the researchers assessed its spread with an Internet-wide scan that used the handshake extracted from the client.

“The Chaos backdoor is pretty interesting as it uses a stealthy raw socket to spawn a reverse-shell with full network encryption and integrity checks. However, the backdoor’s encryption can easily be broken if the pre-shared key is known, as it is transmitted in clear text,” GoSecure notes.

The researchers also note that opening port 8338 for incoming packets suggests the attackers intend to run the client binary on the infected machine as well. In their assessment, compromised systems would be used as proxies for further criminal activity, potentially crossing network boundaries in the process.
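The write-up names concrete host artifacts: the drop paths under /usr/include and /usr/sbin, the init script, the client port 8338, and the raw TCP socket the backdoor uses to sniff for its trigger. The triage script below is an added example and not GoSecure's tooling; it checks for those artifacts by reading the /proc/net/tcp and /proc/net/raw tables (in /proc/net/raw the protocol number occupies the port field, so a raw IPPROTO_TCP socket shows as :0006). The two table samples embedded in it are constructed to exercise the parser.

```python
"""Triage a Linux host for the Chaos backdoor artifacts named in the report.

Added example, not GoSecure's code. Checks: the dropped file paths, a TCP
listener on 8338 (the client port), and raw IPPROTO_TCP sockets, which is
how the backdoor watches every port for its trigger string. The two
/proc/net samples below are constructed for the demonstration.
"""
import os

CHAOS_PATHS = (
    "/usr/include/cli.h",
    "/usr/include/stabd.h",
    "/usr/sbin/smdb",
    "/etc/init.d/initrunlevels",
)
CHAOS_PORT = 8338
TCP_LISTEN = "0A"   # 'st' column value of a listening TCP socket
IPPROTO_TCP = 6     # in /proc/net/raw the protocol number sits in the port field

# Constructed /proc/net/tcp: sshd on 22, the Chaos client port 8338 (0x2092)
# listening, and one established client connection to 3306.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:2092 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A4B2 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/raw: one raw IPPROTO_TCP socket (what Chaos opens)
# and one ICMP raw socket (protocol 1), as a ping implementation might hold.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12350 2 0000000000000000 0
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12351 2 0000000000000000 0
"""


def parse_proc_net(text):
    """Return (port_or_proto, state) for each row of a /proc/net/{tcp,raw} table."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        port_hex = fields[1].rsplit(":", 1)[1]  # local_address is hexIP:hexPORT
        entries.append((int(port_hex, 16), fields[3]))
    return entries


def listening_ports(proc_net_tcp):
    return sorted({port for port, st in parse_proc_net(proc_net_tcp) if st == TCP_LISTEN})


def raw_tcp_sockets(proc_net_raw):
    return sum(1 for proto, _ in parse_proc_net(proc_net_raw) if proto == IPPROTO_TCP)


def dropped_files(exists=os.path.exists):
    return [p for p in CHAOS_PATHS if exists(p)]


def triage(proc_net_tcp, proc_net_raw, exists=os.path.exists):
    """Collect indicator hits; an empty list means none of the checks fired."""
    hits = [f"dropped file present: {p}" for p in dropped_files(exists)]
    if CHAOS_PORT in listening_ports(proc_net_tcp):
        hits.append(f"tcp/{CHAOS_PORT} listening (Chaos client port)")
    n = raw_tcp_sockets(proc_net_raw)
    if n:
        hits.append(f"{n} raw IPPROTO_TCP socket(s) open (trigger-string sniffing)")
    return hits


if __name__ == "__main__":
    def read(path):
        with open(path) as f:
            return f.read()
    for hit in triage(read("/proc/net/tcp"), read("/proc/net/raw")):
        print(hit)
```

Two caveats when running this on a real host: the raw-socket check is the strongest signal, because opening one needs CAP_NET_RAW and few server workloads do it (ICMP raw sockets from ping tools are deliberately not counted), but a scanner or custom monitoring agent can also hold one; and an absent listener on 8338 clears nothing, since the trigger is received on whatever port the attacker chooses and the port only matters once the client binary is used on the host. IPv6 sockets live in /proc/net/tcp6 and /proc/net/raw6 in the same format and can be passed to the same functions.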

Large Crypto-Mining Operation Targeting Jenkins CI Servers
Tue, 20 Feb 2018 09:45:28 -0600

A large malicious crypto-mining operation has recently started targeting the powerful Jenkins CI server, Check Point security researchers have discovered.

Dubbed JenkinsMiner, the attack attempts to exploit CVE-2017-1000353, a Java deserialization vulnerability in the Jenkins CLI, to install a mining application for the Monero crypto-currency.

The actor behind the campaign is believed to be of Chinese origin and was previously observed targeting many Windows versions to install the XMRig miner on them, an operation that has already netted over $3 million worth of Monero.

The actor now appears to have expanded the operation to Jenkins CI servers, which lets it generate even more coins. Because of that, Check Point says, the attack has the potential to become the largest malicious crypto-mining campaign yet.

Like the recently detailed RubyMiner attack, JenkinsMiner can be highly lucrative for its operator while degrading the compromised servers: once a host is running a crypto-miner, sluggish performance and even denial of service (DoS) are to be expected.

The attack targets a critical vulnerability in Jenkins, the most popular open source automation server, with over 133,000 installations globally. The flaw exists because the serialized object received by the server is not validated, so any serialized object is accepted and deserialized.

The bug was addressed in early 2017 with the release of Jenkins 2.57 and 2.46.2 (LTS), but any unpatched system remains vulnerable.

In the newly discovered attack, two consecutive requests are sent to the CLI interface. The second request, matched to the first by a session header, carries two main objects: a Capability object that tells the server the client's capabilities, and a Command object containing the Monero miner payload.

The injected code includes a hidden PowerShell invocation so the script runs in the background, a variable whose name mixes letter case (an attempt to evade string-matching security products), a command to download the miner from the attacker's server, and a start command to execute it.
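The fixed releases named above, 2.57 on the weekly line and 2.46.2 on the LTS line, are the basis for a quick triage of which Jenkins servers in an estate are exposed. The script below is an added example and is not Check Point's or the Jenkins project's code. It assumes that the server reports its version in the X-Jenkins response header (which Jenkins sends on ordinary responses, including 403s to unauthenticated clients) and that weekly releases are numbered x.y while LTS releases are x.y.z. The HTTP response it parses is constructed; a real check would feed in the captured response of a GET to the server's base URL.

```python
"""Assess a Jenkins instance for CVE-2017-1000353 from its X-Jenkins header.

Added example, not Check Point's or the Jenkins project's code. Fixed
releases per the write-up: 2.57 (weekly, x.y) and 2.46.2 (LTS, x.y.z).
The response below is constructed.
"""

FIXED_WEEKLY = (2, 57)
FIXED_LTS = (2, 46, 2)

# Constructed response from an unpatched LTS server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Jetty(9.2.z-SNAPSHOT)\r\n"
    "X-Jenkins: 2.46.1\r\n"
    "X-Jenkins-Session: 4fa3e1c0\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_version(value):
    """'2.46.1' -> (2, 46, 1); rejects anything that is not dotted integers."""
    parts = value.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {value!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True when the version predates the fix on its own release line."""
    v = parse_version(version)
    if len(v) == 3:                 # LTS line (x.y.z)
        return v < FIXED_LTS
    if len(v) == 2:                 # weekly line (x.y)
        return v < FIXED_WEEKLY
    raise ValueError(f"unexpected version shape: {version!r}")


def version_from_response(raw_response):
    """Pull the X-Jenkins header value out of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess(raw_response):
    """Return ('vulnerable' | 'patched' | 'unknown', version_string_or_None)."""
    version = version_from_response(raw_response)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))   # ('vulnerable', '2.46.1')
```

A version-based verdict is a triage aid, not proof of exploitability: a reverse proxy may strip the header (the script then reports "unknown" rather than guessing), and an administrator who applied the CLI-disabling workaround instead of upgrading would still show an old version here. Treat "vulnerable" as a prompt to confirm on the host.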

Over the past months, the campaign was observed targeting victims all around the world with a mixture of malware that also included a Remote Access Trojan (RAT) in addition to the XMRig miner.

“The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed,” Check Point reports.

Because the campaign's operator appears to use a single wallet for all deposits and does not change it from one attack to the next, the researchers were able to determine that it has mined $3 million to date. Beyond that, the attack is “well operated and maintained, and many mining-pools are used to collect the profits out of the infected machines,” the researchers note.

Three Ways to Take Home the Gold When It Comes to Cybersecurity at the Olympics
Fri, 16 Feb 2018 09:50:00 -0600

The Winter Olympics have officially kicked off in Pyeongchang, South Korea, where the best athletes from around the world showcase their talents and vie for gold as they represent their countries on the world stage. Although sometimes overlooked, the Olympic Games, like other high-profile events, become ground zero for another global talent race: cybercrime.

The Olympics are a massive undertaking – requiring additional help to be recruited to make sure the host-city is able to accommodate all of the athletes and attendees, under a tight timeline (i.e. building and maintaining the Olympic Village, stadiums, public transportation and lodging). Additional help is also required of the organizations who are broadcasting, sponsoring and advertising the Games. These professionals are not necessarily security experts, which attackers are both aware of and ready to take advantage of.

With the threat landscape and complexity of attacks continually increasing, here are the top three ways to go for the gold when it comes to getting you, your organization and your customers cyber-secure for the Olympic Games:

1) Put a Training Timeline in Place

Just as the cyclical nature of the Olympic Games gives malicious actors a timeline to design their attacks around, it gives host-city, attending and participating organizations a two-year timeline to develop threat intelligence. Organizations should use this timeline to their advantage: it is a rare opportunity to prepare for an attack.

It’s best to put a timeline in place to plan ahead and actually train for the likely attack scenarios, as well as to prepare a response strategy for when the unexpected happens. A two-year timeline leaves no excuse for putting cyber defenders in a position where their first cyberattack scenario is the real one, forcing them to combat aggressive attackers under pressure and manage it effectively. Instead, use the time between events to give cyber defenders realistic training scenarios so they are properly prepared. Tokyo is following this best practice and is already providing hands-on simulated training for cybersecurity professionals and citizens in preparation for the 2020 Tokyo Olympic and Paralympic Games.

2) Evaluate and Identify Your Attack Surface

It’s important to realize that cybercrime is not getting smaller, as the attack surface continues to morph and grow. Therefore, it is critical to determine your own attack surface (which directly relates to your engagement level) – and then ensure that this surface is protected.

The first step towards assessing your attack surface is identifying the likely targets for the events in question. This depends on where your engagement with the event lies. Are you a sponsor, are you doing business at the event with potential customers at risk, or did you send employees? Organizations often overlook that major events are a major risk even if they are not officially participating. Why? The organization may still have high-value internal resources or employees that are engaged with or participating in the event. For example, will one of your C-level executives be at the Olympics in South Korea? What preparation have you done to insulate that asset from potential threats at the event, whether physical or cyber? It is time to think ahead and get on the offensive side of the equation.

3) Implement Training at the Individual Level Based on Attack Surface

Depending on the size of your attack surface, here are recommended, proactive approaches to ensure protection during future Olympic Games:

Hold a security training class for all employees planning to attend the Olympic Games

Educate attendees about the vulnerabilities associated with the Olympic Village and Stadiums. It will be important to explain that malicious actors are rethinking their approach to cyberattacks and how they execute on them. Thinking about the current trends in cybersecurity – here are two areas to focus on with attendees: 1) identify where IT links to OT or IoT within Olympic sites, and 2) beware of phishing scams and entering through the least protected link.

Secure your CEO

40 percent of organizations believe that C-level executives are the greatest risk to their organization being hacked. Furthermore, C-level executives are the most at-risk of cyberattacks when working outside the office – with airports, hotels and airplanes among the riskiest venues. If your CEO or members of your C-Suite are attending the event, hold a training seminar before they depart for the event to educate them about the threats associated with attending the Games – from “Checking-in” to the host city on social media to connecting to unsecured Wi-Fi during their travel and stay. In addition, pull together a one-pager with security tips and official sites for them to reference while they are abroad.

Educate all employees/customers of the vulnerabilities associated with digitally engaging with the Olympic Games

Make sure your employees and customers are aware of the phishing and malware campaigns that accompany digital engagement with the Games. With the Games happening overseas, it is imperative that they know the warning signs and can tell what is safe from what is not. This applies to joining social media conversations around the events, purchasing merchandise, or streaming content on their devices.

The Takeaway

Start planning now for the events on the horizon; hopefully you thought ahead for Pyeongchang, but remember that Tokyo 2020 isn’t that far away. Plan, train, evolve from tabletop exercises to cyber simulators, educate your employees on the threats and have a plan for response. At the end of the day, athletes don’t win because they just show up; they win because of the rigorous training, planning, and relentless execution that come from true focus on the objective. For this month’s Games and all that come after, we need to become world-class cyber athletes.

About the author: Ben Carr, is the VP of Strategy at Cyberbit. Ben is an information security and risk executive and thought leader with more than 20 years of results driven experience in developing and executing long-term security strategies.

SAP Cyber Threat Intelligence Report – February 2018
Fri, 16 Feb 2018 09:29:00 -0600

The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyberattack. The monthly SAP Cyber Threat Intelligence report provides insight into the latest security vulnerabilities and threats.

Key takeaways

  • The second set of SAP Security Notes in 2018 consists of 26 patches with the majority of them rated medium.
  • Missing authorization check is the most common vulnerability type this month, again.

SAP Security Notes – February 2018

SAP has released its monthly critical patch update for February 2018. This patch update closes 26 SAP Security Notes (14 SAP Security Patch Day Notes and 12 Support Package Notes). Seven of the patches are updates to previously released Security Notes.

14 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Five of the released SAP Security Notes received a High priority rating, two were rated Low, and 19 fixes were rated Medium.

SAP Security Notes Distribution by Priority (September 2017-February 2018)

The most common vulnerability type is Missing authorization check.

SAP Security Notes Distribution by Vulnerability Type – February 2018

SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, three vulnerabilities identified by ERPScan’s researchers Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov were closed.

You can find their details below.

  • A Missing Authentication Check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3, CVE-2018-2368). The update is available in SAP Security Note 2565622. An attacker can exploit the missing check to reach the service without any authentication and use functionality that is meant to be restricted, which can lead to information disclosure, privilege escalation and other attacks.
  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6, CVE-2018-2380). The update is available in SAP Security Note 2547431. An attacker can use directory traversal to read arbitrary files and directories on the SAP server's file system, including application source code, configuration and system files, and so obtain critical technical and business-related information stored in the vulnerable SAP system.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3, CVE-2018-2369). The update is available in SAP Security Note 2572940. An attacker can use it to reveal additional information (system data, debugging information, etc.) that helps in learning about the system and planning further attacks.

Critical issues closed by SAP Security Notes in February

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2525222: SAP Internet Graphics Server (IGS) has multiple security vulnerabilities (CVSS Base Score: 8.3; Unrestricted File Upload CVE-2018-2395; DoS CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384; XXE CVE-2018-2393, CVE-2018-2392; Log Injection CVE-2018-2389; Information Disclosure CVE-2018-2382, CVE-2018-2387). Depending on the vulnerability, an attacker can use a denial of service flaw to terminate a process of the vulnerable component, leaving the service unavailable to everyone and causing downtime, disrupted business processes and reputational damage; or use an XML external entity flaw to submit specially crafted XML that the parser processes, gaining unauthorized access to the OS file system; among other vectors. Install this SAP Security Note to prevent the risks.
  • 2589129: SAP HANA Extended Application Services has several security vulnerabilities (CVSS Base Score: 7.1; CVE-2018-2374, CVE-2018-2375, CVE-2018-2376, CVE-2018-2379, CVE-2018-2377, CVE-2018-2372, CVE-2018-2373). An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps in learning about the system and planning further attacks. Install this SAP Security Note to prevent the risks.
  • 2562089: SAP ABAP File Interface has a Directory Traversal vulnerability (CVSS Base Score: 6.6, CVE-2018-2367). An attacker can use directory traversal to read arbitrary files and directories on the SAP server's file system, including application source code, configuration and system files, and so obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in three months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

The Only Gold Russia Can Win at the Winter Olympics Is for Cyber-Hacking
Fri, 09 Feb 2018 09:52:00 -0600

Russia has already come out swinging against the IOC and WADA in attempted retaliation for being banned from the 2018 Olympics. Unfortunately for Moscow, the old tricks appear to be losing effectiveness. Each time Russia leaks information connected to doping commissions, it garners less news attention and is increasingly viewed as a failed operation.

Stumbling into the games makes Russia the most unpredictable threat actor vying for the title of “most disruptive to the Olympic games” this year. Other major contenders? Non-state actors and organized crime groups. Absent from this list, despite popular opinion, is who many view as the heavy favorite going into 2018, North Korea.

Likely to win Bronze: Your second runner-up this year is likely to be organized crime. For the past decade or so they have made a consistent appearance with fraud and scams aimed at visitors to the games. This year they have the potential to expand into match fixing, given the increased reliance on electronic measurements to determine winners. This year's judging scandal might be centered on a hacked timer rather than on judges from Old Europe.

Reaching for the Silver: The safe money is on non-state actors (hacktivists, cyberterrorists, and fame seekers) to be the cause of the largest cyber disruptions to the games. They usually use large global events as a springboard for their agendas and are unusually hard to predict and model because of the relative obscurity of most of these actors. Having the element of surprise, a swashbuckling attitude, and a successful outcome being defined as any disruption, makes these actors the hardest to stop and generally the most prolific.

And the outside contender for Gold: the wild card, Russia. They have the technical sophistication to outperform the other two groups, but the question is whether their heart is really in the competition. The declining effectiveness of doxing, combined with recurring punishments, could push the Kremlin to up its game. They have proven willing to unleash destructive malware in multiple countries for multiple reasons. Even if they just repackaged the self-propagating principles of the NotPetya attack with the payload concepts of the TV5Monde attack, they have the capability to shut down the broadcast of the games. If they decide that the Olympics is no longer a neutral arbiter of friendly competition but a politicized organization dominated by anti-Russian sentiment, Moscow could very well debut a few cyber tricks never seen before.

Who’s not taking home any honors? Noticeably absent from this list is North Korea. Cyber threats from groups linked to North Korea have been in the news practically every month in the run up to the games, so if anyone has a shot of pulling off something spectacular it was this group of well-funded and motivated actors. Fortunately for the South Korean defenders they appear to have withdrawn themselves from contention. Kim Jong Un’s strategy of rapprochement means that if negotiations are going where he wants them to, the DPRK cyber menace is likely in standby mode. South Korea, by sacrificing part of its women’s hockey team, made the overall games significantly safer.

Will South Korea prevent any of these threat groups from gaining the notoriety they seek? The country’s capability to deal with these types of intrusions far exceeds that of Brazil during the 2016 Rio games. From a vulnerability and defensive capabilities standpoint, the overall cyber interruption to the 2018 Winter Olympics should be low compared to previous games.

However, given the onslaught of high caliber tools and exploits released over the last year, the ability of the security teams to keep up with all of the needed patches and other security controls will still be a big challenge for South Korea and will be more difficult than in past years.

Like all good competitions, this one will likely be decided by which groups have focused more on the fundamentals. If South Korea has kept their house in order and focused on the fundamentals of network security, they stand a good chance of surviving the short duration of the Olympic games. If they have focused too much on elaborate concepts and advanced skills at the detriment of those fundamentals, they stand a strong chance of falling short when the real games begin.

About the author: Ross is the Senior Director for Intelligence Services at Cybereason. Before joining Cybereason in 2016, he served as a Technical Lead and Cyber Lead for the United States Department of Defense.

Think GDPR Won’t Affect Your U.S. Company? Guess Again
Wed, 07 Feb 2018 04:55:00 -0600

When the EU General Data Protection Regulation (GDPR) deadline arrives in May, companies that handle information belonging to people in the European Union will have to adhere to a strict new set of rules, regardless of whether the company is based within the EU or outside its 28 member countries.

This may be news for some: One in four U.S. cybersecurity professionals believe their firm won’t need to comply with GDPR, according to a recent survey. Organizations that fall under the GDPR mandate could be fined up to 4% of annual global turnover or €20 Million (whichever is greater) in the event of a breach. While this is a worst-case scenario, it should be enough to get the attention of most companies that do business with EU citizens.

Does your company need to comply?

It’s surprising that so many U.S. firms simply aren’t worried, as the GDPR represents a significant change in the way data must be handled.

An important change in the GDPR involves the geographic scope of this new law. To summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply. Second, a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects "personal data" – aka personally identifiable information (PII) -- as part of a marketing survey, for example, then the data would have to be protected GDPR-style.

What kinds of U.S.-based companies are likely to fall under the GDPR’s territorial scope?

U.S.-based hospitality, travel, software services and e-commerce companies will need to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized online content should review their web operations.

U.S. companies without a physical presence in an EU country typically collect most of the personal data belonging to EU data subjects over the web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR? Here’s where the scope of requirements becomes a little more complicated: The organization would have to target a data subject in an EU country. Generic marketing doesn’t count.

For example, a Dutch user who searches the web and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply. Accepting that country’s currency and using a country-specific domain suffix (say, a U.S. website that can be reached under a “.nl” domain from the Netherlands) would certainly seal the case.

Do your GDPR “homework”

The best offense is a good defense. Companies that can show they essentially “did their homework” in following the GDPR requirements, with the paperwork to back it up, will be better off in the event of a violation where fines are involved. When the Article 40 “Codes of Conduct” (which allow compliance with existing data security standards to count towards GDPR compliance) are officially approved by the regulators, companies may receive “partial credit” for their compliance.

In short, Article 40 says that standards associations can submit their security controls, say PCI DSS, to the European Data Protection Board (EDPB) for approval. If a controller then follows an officially approved “code of conduct”, this can dissuade the supervisory authority from taking action, including issuing fines, as long as the standards group (for example, the PCI Security Standards Council) has its own monitoring mechanism to check on compliance.

While we'll have to wait for more guidance, the point is that EU regulators will eventually let companies leverage their efforts (and investments) in meeting standards such as PCI DSS or ISO 27001 for GDPR compliance.

Take stock of your data

The GDPR also mandates "data minimization": not keeping data when it's no longer needed, and not even collecting it in the first place when it's not strictly necessary for a business function. Most companies already have a policy for deleting "stale" data, though they may not follow through by actually applying those policies. The GDPR says that this IT practice is not just a good idea, but the law!

So companies that proactively automate their retention and disposition policies for their files will be better prepared for compliance, and they will also be better protected from insider threats and cyber attacks.

Unfortunately, many organizations have lost track of where their most sensitive information lives and who has access to it: over 70% of folders we analyzed on corporate servers contained stale data, and almost half had 1000 files with PII, credit card credentials, and other sensitive data on file servers accessible to everyone.

With just a few months left to go, 60% of cyber security professionals in the EU and 50% of respondents in the U.S. say they face some serious challenges in being compliant with the GDPR by the May deadline.

Organizations are running out of time to take stock of how exposed their data is to attack. Now is the time to reduce your risk profile by locking down sensitive data, removing users that no longer need access, and deleting or archiving stale data; plan to maintain a least-privilege model to keep data secure.
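To make that audit concrete, here is an added example (not code from the article or from Varonis) in Go that walks a constructed snapshot of a file share and flags the three conditions described above: files unmodified for more than a year, files readable by every account, and files containing what looks like a payment card number. The fixture, the one-year staleness threshold, the "other" read bit as the test for "accessible to everyone" and the Luhn-based card check are all my assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"regexp"
	"strings"
	"testing/fstest"
	"time"
)

// Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
var cardCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid applies the checksum that payment card numbers must satisfy.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// containsCardNumber reports whether text holds a Luhn-valid card number.
func containsCardNumber(text string) bool {
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range cardCandidate.FindAllString(text, -1) {
		if luhnValid(strip.Replace(m)) {
			return true
		}
	}
	return false
}

// AuditShare maps each flagged file to its reasons: "stale" (unmodified for longer
// than maxAge as of now), "world-readable" (the "other" read bit is set, so every
// account can open it) and "card-number". Pass os.DirFS(path) to audit a real share.
func AuditShare(share fs.FS, now time.Time, maxAge time.Duration) (map[string][]string, error) {
	out := map[string][]string{}
	err := fs.WalkDir(share, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		var reasons []string
		if now.Sub(info.ModTime()) > maxAge {
			reasons = append(reasons, "stale")
		}
		if info.Mode().Perm()&0o004 != 0 {
			reasons = append(reasons, "world-readable")
		}
		if data, err := fs.ReadFile(share, path); err == nil && containsCardNumber(string(data)) {
			reasons = append(reasons, "card-number")
		}
		if len(reasons) > 0 {
			out[path] = reasons
		}
		return nil
	})
	return out, err
}

// Constructed fixture: an in-memory snapshot of a file share as of auditDate.
var auditDate = time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)

var sampleShare = fstest.MapFS{
	// Two-year-old customer export, readable by everyone, holding a test card number.
	"exports/customers.csv": {Data: []byte("jane,4111 1111 1111 1111\n"), Mode: 0o644, ModTime: auditDate.AddDate(-2, 0, 0)},
	// Fresh note restricted to its owner.
	"notes.txt": {Data: []byte("meeting at 10\n"), Mode: 0o600, ModTime: auditDate.Add(-time.Hour)},
	// Stale but properly restricted report.
	"archive/report.txt": {Data: []byte("quarterly numbers\n"), Mode: 0o600, ModTime: auditDate.AddDate(-1, -1, 0)},
}

func main() {
	share, now := fs.FS(sampleShare), auditDate
	if len(os.Args) > 1 { // audit a real directory instead of the fixture
		share, now = os.DirFS(os.Args[1]), time.Now()
	}
	findings, err := AuditShare(share, now, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for path, reasons := range findings {
		fmt.Printf("%s: %s\n", path, strings.Join(reasons, ","))
	}
}
```

Run it with a directory path as the first argument to audit a real share through os.DirFS instead of the fixture.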

Ignorance is not bliss when it comes to the GDPR, and organizations that have fallen behind in their preparations must ramp up their compliance activities or they could take a serious financial hit once the regulations take effect. Start taking control now.

About the author: Ken Spinner joined Varonis in 2006 and leads all technical pre- and post-sales engineering activities for Varonis customers worldwide. Ken’s career spans 30 years with organizations ranging from startups to Fortune 500 industry leaders. Prior to Varonis, Ken held leadership and senior engineering roles at Neoteris, Netscreen, Juniper Networks, BlueCoat Systems and Merck.

Copyright 2010 Respective Author at Infosec Island
Advancing the Usability of PKIs
Tue, 06 Feb 2018 09:48:46 -0600

Public Key Infrastructure (PKI) certificates have long served as the optimal method for securing servers on the web and, increasingly, Internet of Things (IoT) devices. Deploying and updating PKIs used to be a largely manual process that required the time and attention of IT personnel. Today, there are tools that can automate those tasks, which makes securing the connections between networks, devices and their users simpler and more cost-effective.

Certificates can be used to encrypt data at rest. PKI also enables the authentication of users, systems, and devices without the need for tokens, password policies, or other cumbersome user-initiated factors. In mutual authentication scenarios, certificates uniquely identify devices, which strengthens authorization and secures device-to-device communication. As a result, certificates ensure that any data or messages transferred cannot be altered without detection.

The challenge for an enterprise becomes determining what exactly it’s trying to protect, particularly as more companies embrace the IoT trend. PKIs ensure that the basic security requirements for data confidentiality, data integrity, and data accessibility are properly configured for all devices.

That’s becoming more complex, and virtually impossible to perform via manual processes. Why? Because of the sheer number of devices that are coming online.

By 2020, over 25 billion devices will be connected to the Internet, and each one of those connections must be secure to mitigate risks and protect organizations and individuals from malicious attacks.

To give you a better sense of scale, consider that 10 years ago, Certificate Authorities issued approximately 10 million certificates that verify a digital entity’s identity on the Internet worldwide. Today, just one company may request 10 million certificates for its realm of devices and services. That’s where the math starts to get complicated.

After all, PKI is built on math, leveraging algorithms to direct the inspection and validation of the signatures that enable secure communication and data-sharing between devices and networks. Fortunately, technology has advanced to enable computers to handle the complex algorithms used to inspect and validate the secure connection to a device or web site.

Unfortunately, the cyberattacks targeting those systems are also becoming more sophisticated and more frequent. That is why a critical aspect of the effective use of PKI is updating those certificates as the threat landscape changes. In other words, PKI usage is not something to “set and forget”; today it requires thoughtful security planning. Too often, a cloud service provider experiences a system outage simply because someone forgot to renew a certificate. The blame falls on a faulty manual process.

Therefore, the way PKI becomes more usable is by partnering with a Certificate Authority (CA) that can introduce and manage automation technologies to relieve IT of those responsibilities. IT and users should not have to worry about “breaking” something because they were not paying attention to the right discussion forum or right threads about new attacks. 

This can also be especially valuable in development environments, where developers are checking code in and out. PKIs enable each developer to sign what they check in, thereby creating chains of trust. This can be very useful both to open source projects and to protecting a company’s download site from being hijacked or falling victim to a DNS attack.

If your organization is going to rely on PKI, it’s important to also leverage the benefits that automation can provide. This is where partnering with a CA can help, both today and tomorrow. CAs take on the responsibility of managing PKIs, which includes participating in forums and working groups to ensure that PKIs evolve to meet the ever-changing threat landscape. This relieves enterprises of having to take on those responsibilities, so they can focus on their strategic business priorities.
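An added example (not code from the article or from DigiCert) showing in Go the two checks an automated certificate-lifecycle job would run over a device fleet: classify each certificate against a renewal window so that nothing expires unnoticed, and verify a presented certificate against the trusted root the way a server checks a connecting device in mutual authentication. The fleet, the 30-day renewal window and the device names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn signed by parentKey
// (self-signed when parent is nil) and returns the parsed certificate and key.
func issue(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// RenewalStatus is the check an automated renewal job runs over its inventory:
// "expired", "renew" (expires within window of now) or "ok".
func RenewalStatus(cert *x509.Certificate, now time.Time, window time.Duration) string {
	switch left := cert.NotAfter.Sub(now); {
	case left <= 0:
		return "expired"
	case left <= window:
		return "renew"
	}
	return "ok"
}

// VerifyDevice is what a server does in mutual authentication: the device's
// certificate must chain to a trusted root, be valid at now and permit client auth.
func VerifyDevice(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Fleet is a constructed device population: one trusted root, devices with
// different remaining lifetimes, and one device certified by an untrusted CA.
type Fleet struct {
	Roots   *x509.CertPool
	Devices map[string]*x509.Certificate
}

func BuildFleet(now time.Time) Fleet {
	day := 24 * time.Hour
	root, rootKey := issue("Fleet Root CA", true, now.Add(-day), now.Add(3650*day), nil, nil)
	other, otherKey := issue("Untrusted CA", true, now.Add(-day), now.Add(3650*day), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	devices := map[string]*x509.Certificate{}
	devices["sensor-01"], _ = issue("sensor-01", false, now.Add(-day), now.Add(10*day), root, rootKey)
	devices["sensor-02"], _ = issue("sensor-02", false, now.Add(-day), now.Add(300*day), root, rootKey)
	devices["sensor-99"], _ = issue("sensor-99", false, now.Add(-day), now.Add(300*day), other, otherKey)
	return Fleet{Roots: roots, Devices: devices}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	now := time.Now()
	fleet := BuildFleet(now)
	for name, cert := range fleet.Devices {
		fmt.Printf("%s: renewal=%s mutual-auth=%v\n", name,
			RenewalStatus(cert, now, 30*24*time.Hour), VerifyDevice(cert, fleet.Roots, now))
	}
}
```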

About the author: Dan Timpson is DigiCert Chief Technology Officer, responsible for DigiCert's technology strategy and driving development that advances PKI innovation for SSL and IoT customers. Timpson’s team focuses on continuous improvement to deliver a comprehensive digital certificate management platform for DigiCert customers that includes standards-based, automated certificate provisioning for devices and APIs for seamless integration with third-party systems.

The Five Secrets to Making Security Awareness Work in 2018
Mon, 29 Jan 2018 11:29:00 -0600

So, it is the start of a new year and you are hoping to do great things with your security awareness and training program. You have a desire to move beyond simple ‘box checking’ and to actually change hearts, minds and behavior patterns. You know that it is the right thing to do for your organization and are looking forward to seeing the positive results. The sticking point, however, is that, like most organizations, you probably don’t know exactly how you are going to make it happen.

My hope with this article is to help you begin the process of creating a solid plan and foundation that will enable you to achieve a game changing level of security awareness and behavior transformation. With that goal in mind, here are the five secrets that I use to best position security awareness leaders for success:

Secret 1: Have a vision of what ‘good’ looks like for your organization

The key to implementing this secret is implementing a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important. It is always interesting to see the differences and similarities that this process can help uncover. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.

With this background knowledge, you can begin to create your goals for the year. For this, I like the SMARTER goal setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework—I use the Michael Hyatt version.

Secret 2: View awareness through the lens of organizational culture

I’ll be writing about this more in the coming months. But here is the big idea: your security culture is, and will always be, a subcomponent of your larger organizational culture. In other words, your organizational culture will ‘win out’ over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture.

Remember the survey and interviews that I mentioned at the start of the first secret? This is where you’ll really get an idea of any organizational culture gaps that you need to account for. When you find these gaps, you’ll have a few choices: 1) modify your awareness program’s expectations and goals based on the identified gap, 2) work with organizational leaders to see how you can help influence the larger culture, or 3) take a hybrid approach where you modify some goals while also doing the work of trying to influence the larger culture.

Of these, option 1 is clearly the easiest – but has very little reward associated with it; it’s the ‘safe’ route. Options 2 and 3 will involve more work, politicking, and likely a bit of frustration, but offer the greatest long-term benefit for the organization and for you. This is also where you can begin to leverage things like security champion/liaison programs to help infuse security-related values throughout the organization to create consistency and sustainability.

Secret 3: Leverage behavior management principles to help shape good security hygiene

Your awareness program shouldn’t focus only on information delivery. There are plenty of things that most of us are aware of, but we just don’t care about those things. Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices. Most of my thinking about behavior management is heavily influenced by the research of BJ Fogg, who heads up the Persuasion Tech Lab at Stanford University. Fogg’s research has influenced technology companies around the world that seek to create engaging experiences for their users and drive specific behaviors. His behavior model and his work on habit creation are published online.

I realize that most readers won’t have time to dig into the deeper details of behavior management and create their own unique programs. Don’t lose heart! Simulated phishing platforms distill some of the fundamentals of behavior management into an easy-to-deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim to the simulated attack. Do this frequently, and you will see dramatic behavior change!

Secret 4: Focus on understanding the different personalities, drivers, and learning styles within your organization

(This goes back to the Specific and Relevant attributes of the SMARTER framework I referenced.) It is critically important to understand your overall organizational context, the different types of people within the organization, regional contexts, divisional and departmental contexts, and so on. This not only helps you tailor content that will best speak to each of the groups, but can also help you avoid stepping on potential landmines.

Secret 5: Be realistic about what is achievable in the short term and optimistic about the long-term payoff

So here is where the rubber meets the road. You’ve got all of the planning out of the way, created goals, understand the nuances of your organization, and are focusing on creating real, sustainable change. Now it’s time to get started and to commit to perseverance. Many aspects of your program will be spaced throughout the year, and so it is important to commit to being consistent with your efforts. The beginning is just that – the beginning. You are focusing on training an entire organization; and that sometimes means training people how to be trained!

But here’s the good news: the data show that you can see dramatic behavior change in as little as 90 days if you follow the best practice of combining security awareness content (e.g. computer-based learning modules) with frequent simulated phishing tests conducted at least monthly. In a recent study, we looked at the progress of more than six million accounts across nearly 11,000 organizations over a 12-month timeframe. Organizations that followed the best practice I just mentioned saw their employees’ Phish-prone percentage drop by 50% in just 90 days, from a 27% baseline Phish-prone percentage down to 13.3%. And consistent training brought that down even more dramatically at the 12-month mark: from the initial 27% baseline all the way to 2%.

Are you ready to make 2018 a break-out year for your security awareness program?

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new-school security awareness training and simulated phishing platform.

Crypto-Mining Is the Next Ransomware
Fri, 19 Jan 2018 05:28:48 -0600

Hackers are opportunistic creatures. As device manufacturers continue to add more CPU cores and gigabytes of RAM to smartphones and tablets as well as enterprise-grade cloud servers, these devices will continue to be increasingly useful targets for botnets. What’s more, hackers will seek device vulnerabilities or exploit mobile applications and devices when a network is not secure.

Ransomware took the dark web by storm by creating such an easy way to monetize these vulnerabilities. As a side-effect, the cryptocurrency market exploded from the increased attention. Cryptocurrency mining—the process of confirming Bitcoin transactions and generating new units of digital currency—is perfectly legal. Developers are looking for ways to make money in a competitive mobile app market, and mining bitcoin via these apps has become an inviting venture. However, this method of monetization becomes a legal and ethical dilemma once users are not aware that their devices are being used to mine digital currency.

The recent lawsuits against Apple for throttling older iPhones may set a legal precedent for cryptocurrency mining lawsuits. If users can successfully sue Apple for slowing down their phones without their knowledge, developers who install mining capabilities that affect performance and battery life without users’ knowledge could be liable as well.

Not only is this a threat that is here to stay, it is shaping up to become a threat as pervasive as ransomware. For instance, there are reliable indicators that attackers reuse older vulnerabilities to install miners after the initial infection, generating coins from victims without ever demanding a ransom. As that pool of victims shrinks, operators focus on extracting value in other ways, such as using the malware as a DDoS weapon.

While the maliciousness of these infected mobile apps and web browsers is subject to debate, we can say for sure that we are witnessing the birth of a new form of malware, perhaps with an impact comparable to that of ransomware or adware. And without a robust security and monitoring strategy, along with network visibility to protect applications and computers, you should expect to become the next cryptocurrency mining victim.

Mining Malware for the Mobile Era

The mobile era has created a malicious opportunity to make the most of cryptocurrency mining malware. A cryptocurrency miner latches onto as much CPU power as it can get to mine digital coins, consuming electricity, processing power and data as information is passed through the mining process, all of which cost money.

Research shows there is a plethora of malicious Android apps roaming the Internet right now, and some crypto-miners have managed to bypass filters to get into the Google Play Store. In fact, recent static analysis on mobile malware led researchers to a number of cryptocurrency wallets and mining pool accounts belonging to a Russian developer, who claims what he is doing is a completely legal method of making money.

We in the industry do not agree — cryptocurrency miners are a misappropriation of a user’s device. While it is technically legal if the extraction of cryptocurrencies is disclosed, these actions are purposefully misleading and frequently lack transparent disclosure.

We’ve witnessed the use of cryptocurrency miners embedded in legitimate applications available on the Android store, which are used to extract value from people’s phones during times when their devices are not in use. And, in recent months, there have been several cases of hackers mining cryptocurrencies even after a visible web browser window is closed.

Other methods that hackers use to deploy cryptocurrency miners include Telnet/SSH brute-forcing to install miners, along with SQL injection and direct installation of miners. Crypto-mining in browsers and mobile applications will persist, so concerned companies should improve their security posture by bringing application-level visibility and context to their monitoring tools.

More devices, more mining

Since new security threats surface every week, there is a good chance that more devices will be infected with cryptocurrency mining malware in the near future. The growing number of IoT devices will create new targets for cryptocurrency miners. We may also see hybrid attacks that are ransomware first and crypto-coin miners second, as attackers attempt to cash in twice on the same computer.

Most of these crypto-mining attacks occur at the edge of the network. One of the more common attacks used to install crypto-miners is the EternalBlue exploit released this past summer, which was at the center of ransomware outbreaks like WannaCry and NotPetya. Here’s the worst part: hackers are not using new tools or advanced methods to deploy these cryptocurrency miners, but they are still successful. As a result, companies need a responsive patch management strategy, up-to-date IPS rules, tests to confirm they can detect attacks against the vulnerabilities that cannot be patched immediately, and finally, monitoring of network traffic for peer-to-peer mining traffic.

If organizations do not have insight into their networks, they cannot tell whether their endpoints are mining without permission, leaking data from a breach, or spreading malware across internal networks. Or perhaps there is no malicious activity going on; they’ll want to see that too. A network monitoring solution in place will alert them early in a compromise by showing a shift in network traffic patterns.
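As an added example (not from the article or from Ixia), here is Go detection logic that scores captured flows for the Stratum JSON-RPC exchange miners use to reach pools and then aggregates the scores per host, which is one way to surface the shift in traffic patterns the text describes. The flow records, the pool-port list, the scoring weights and the alert threshold are constructed assumptions; the method names follow the public Stratum protocol.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Flow is one client-to-server connection as a network sensor records it:
// the endpoints plus the first bytes the client sent.
type Flow struct {
	Src, Dst string
	DstPort  int
	Payload  string
}

// Ports frequently used by public mining pools. Assumption: tune this to your
// own intelligence; a port match on its own is only a weak signal.
var poolPorts = map[int]bool{3333: true, 4444: true, 14444: true}

// ScoreFlow returns a suspicion score and the matched indicators. Stratum, the
// JSON-RPC protocol miners speak to pools, announces itself in the client's
// first message: "mining.subscribe"/"mining.authorize" for Bitcoin-style pools,
// or a "login" call carrying the miner's agent string for Monero-style pools.
func ScoreFlow(f Flow) (int, []string) {
	score, reasons := 0, []string{}
	var msg struct {
		Method string          `json:"method"`
		Params json.RawMessage `json:"params"`
	}
	if err := json.Unmarshal([]byte(f.Payload), &msg); err == nil {
		switch {
		case strings.HasPrefix(msg.Method, "mining."):
			score += 3
			reasons = append(reasons, "stratum:"+msg.Method)
		case msg.Method == "login":
			var p struct {
				Agent string `json:"agent"`
			}
			if json.Unmarshal(msg.Params, &p) == nil && p.Agent != "" {
				score += 3
				reasons = append(reasons, "stratum-login:"+p.Agent)
			}
		}
	} else if strings.Contains(f.Payload, `"mining.`) { // truncated capture
		score += 2
		reasons = append(reasons, "stratum-fragment")
	}
	if poolPorts[f.DstPort] {
		score++
		reasons = append(reasons, fmt.Sprintf("pool-port:%d", f.DstPort))
	}
	return score, reasons
}

// SuspectHosts sums scores per source host and returns those at or above
// threshold, sorted: one odd flow stays quiet, while a host that keeps talking
// Stratum shows up as a shift in its traffic pattern.
func SuspectHosts(flows []Flow, threshold int) []string {
	totals := map[string]int{}
	for _, f := range flows {
		s, _ := ScoreFlow(f)
		totals[f.Src] += s
	}
	var hosts []string
	for h, s := range totals {
		if s >= threshold {
			hosts = append(hosts, h)
		}
	}
	sort.Strings(hosts)
	return hosts
}

// Constructed sample: two workstations talking to pools, one doing ordinary
// TLS and non-mining JSON-RPC traffic that must not be flagged, and one whose
// capture was cut short.
var sampleFlows = []Flow{
	{"10.0.0.5", "203.0.113.10", 3333, `{"id":1,"method":"mining.subscribe","params":["example-miner/1.0"]}`},
	{"10.0.0.5", "203.0.113.10", 3333, `{"id":2,"method":"mining.authorize","params":["wallet.worker1","x"]}`},
	{"10.0.0.6", "203.0.113.11", 14444, `{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"wallet","pass":"x","agent":"example-miner/1.0"}}`},
	{"10.0.0.7", "198.51.100.20", 443, "\x16\x03\x01\x00\xc4\x01\x00\x00"},
	{"10.0.0.7", "198.51.100.30", 8545, `{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}`},
	{"10.0.0.8", "203.0.113.12", 3333, `{"id":1,"method":"mining.sub`},
}

func main() {
	for _, f := range sampleFlows {
		s, r := ScoreFlow(f)
		fmt.Printf("%s -> %s:%d score=%d %v\n", f.Src, f.Dst, f.DstPort, s, r)
	}
	fmt.Println("suspect hosts:", SuspectHosts(sampleFlows, 4))
}
```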

About the author: Steve is Senior Director of the Application and Threat Intelligence Program at Ixia, responsible for gathering actionable application and security intelligence for Ixia products. Steve has more than 25 years of experience working in computer and network security for companies such as IBM, TippingPoint, SolarWinds, BreakingPoint, and now Ixia.

Increasing Importance of Mobile Makes Malware a Priority
Wed, 17 Jan 2018 10:14:22 -0600

In August, Google pulled more than 500 apps from its Play store after a security firm warned that the mobile applications had incorporated an advertising library, called Igexin, that could download malicious plugins. Unfortunately, the action came after the apps had been downloaded by users more than 100 million times.

The incident underscores that even a minor success can quickly have a major impact when the mobile ecosystem is so pervasive. Google and Apple have put phenomenal effort into vetting the apps in their stores, but malware developers and criminals are increasingly targeting mobile platforms.

Mobile devices have become the keystone in our digital lives — holding our data, allowing access to a variety of capabilities, and gathering information on what we do. Even with only limited privileges, malicious software can do significant damage to people's digital lives.

The threat to business is even greater. Because digital businesses run on apps, the threat of mobile malware exposes them to risks on two fronts — from the compromised devices of customers and those of workers. Businesses have to protect their customers from attackers looking to gain access to the customers’ accounts while protecting themselves against inside attacks powered by intruders hitching a ride inside the network defenses through a mobile app.

Recent data underscore the problem. Smartphones accounted for 72 percent of all infections that Nokia detected in the first three quarters of 2017 on the 100 million devices the company monitors with its security solution, far outpacing Windows computers, which accounted for the other 28 percent. While the monthly infection rate for devices is only 0.68 percent, that can quickly grow when a major threat, such as the Igexin library, is successful or when users get apps from third-party app stores, which tend to have laxer security requirements.

And while vulnerable applications and Trojan horses can be removed, the operating system software on most smartphones is rarely updated. Patching is hard, so there are still a lot of vulnerable devices out there, which means that, even when a problem is discovered, it is not going to get better overnight.

The long-term onus is on companies that drive the ecosystem, such as Google and Apple. In markets where third-party app stores are popular, those providers need to step up their security, as malware encounters in those markets are far more likely than in the Google and Apple stores.

Yet companies also need to focus on keeping their own code secure. Vulnerable applications released to app stores can be used by attackers to spread malware. In addition to hurting customers, such attacks damage the business’s brand.

For that reason, developers need to be more aware that code libraries and components from unknown sources are a threat to their apps and users. While malicious developers are a problem for app-store providers, many developers are unwitting users of libraries that have malicious functionality. Testing services that check source code for vulnerabilities and build a manifest of the libraries included in the application will help developers stay on top of their third-party code.

For individuals and businesses, the scale of the problem can be contained if they take enough precautions. Data should be backed up to avoid its total loss. Employees and customers should be educated on what behavior should be deemed suspicious and should install apps only from trusted sources. Any connected devices should be regularly updated and proactively monitored to ensure that rogue applications have not compromised them. In addition, companies should focus on detecting anomalous behavior among their users and employees.

In the end, businesses can't trust that their mobile devices are secure and have not been compromised, so it's in their best interest to fortify their high value apps with additional security precautions from the inside out.

These steps will blunt the impact of attacks in the short term, allowing companies to respond to any malware outbreak before it causes widespread damage.

About the author: Asma Zubair is a senior director of product management at Arxan. As a seasoned security product management leader, she has also led teams at WhiteHat Security, The Find (Facebook) and Yahoo!

What Global Manufacturers Need to Know About Security in the Cloud
Mon, 08 Jan 2018 06:59:00 -0600

Manufacturers deal with sensitive information each and every day. This includes test and quality data, warranty information, device history records and the engineering specifications for a product that are highly confidential. Trusting that data to a cloud-based application or cloud services provider is a major step, and manufacturers need to fully educate themselves about the security risks and advantages of cloud-based software.

Consider the questions below as a guide to use when discussing application infrastructure and operations with cloud providers.

What do you do to keep my data safe?

This is the most important question a manufacturer should ask a cloud provider.

The answer should be long and multi-faceted. Because no single tool can defend against every kind of attack in any network, cloud providers must deploy multiple layers of defense using: internal systems; protection provided by tier 1 cloud platforms; and security service providers.

All of these elements come together to provide complete protection. Below are some examples of these layers:

  • Physical Defense: Cloud platform providers can and should exercise tight control of access to the physical devices on which the software systems reside. In the best case, independent auditors attest to the safety of this access. This control and documentation must be reviewed on a regular basis.
  • Barriers to Entry: Firewalls built into the cloud service can limit access to ports managed by the application. Unneeded ports should be blocked so that they cannot be accessed.
  • Application Password Protection: The best-designed cloud applications allow your organization’s identity management system to provide authentication and password management, limiting access to your data and following your internal security policies. This should also support two-factor authentication if your internal policies require it. Some of the more advanced systems can also provide an identity management service as an alternative to your internal solutions, if required.
  • Application Firewalls: Most enterprise-class application designs will include a Web Application Firewall service that uses the latest technology to defend against such things as denial of service attacks and other types of malicious access.
  • Activity Monitoring: State-of-the-art cloud platform providers continuously monitor for suspicious activity that could be the result of hacking or malware. Again, in best case scenarios, warnings are sent automatically and steps taken to protect the data and the integrity of the platform.
  • Malware Monitoring: Both the application provider and the hosting platform provider must run active checks for malicious code to ensure each piece of code that is executed matches the published signature for that code. Be warned: this is a step that many providers have not migrated to yet.
  • Code Standards: Good security starts with good code. Security standards must be included in the system development life cycle, governing every aspect of the system. Be sure to review the code standards of the application developer.
  • Third Party Code Scanning: The most advanced application providers use a third-party firm to scan code looking for opportunities to improve security and look for known vulnerabilities with each new version of the application. Ask for details about this, as there are many different levels of scanning available; a once-a-year scan is obviously not as valuable as regularly scheduled scans before each new release of software.
  • Data Encryption: Generally accepted practices for data encryption provide different options for data in different modes: data in transit (being communicated within the system or between the database and your user interface) and data at rest (data that resides within the database and is not currently being accessed).
    ○ Data in transit can be encrypted using industry-standard encryption through the browser. Additionally, APIs that access the data should use encryption and include encrypted tokens to strengthen access control.
    ○ Encryption of data at rest protects against accessing data from outside the application’s control. As physical access to the system is protected and the data is in password-protected databases, at-rest encryption may not be essential for every customer, but the question is still worth asking.

What do you do to prevent the data from being hacked and stolen?

“Hacking” or stealing data is the number one security concern of most people considering a cloud solution. Note, however, that some common misunderstandings often drive this concern.

According to the “Data Breach Investigations Report” from Verizon, about 50 percent of all security incidents are caused by people inside an organization. Good user management and password security policies are the best way to prevent these types of attacks. This is the underlying purpose of application password protection, as described above.

For preventing external hacks and data theft, the system must be architected to prevent as many types of attacks as possible (see above). Also, application providers must use internal personnel and external consultants to run frequent penetration testing. These tests look for common paths that attackers use to gain access to systems through the internet. The tests help ensure there are no doors left open for hackers. Be sure to ask about penetration testing, including both the frequency and the methodologies used.

How does cloud security compare to on-premise security?

This is a question that should be asked internally, as well as externally. There is a common misperception that a set of servers running on-premise at a corporate office is more secure than a cloud-based application. Owning the hardware and software often gives a false sense of security; most on-premise systems fall far short of the security that the best cloud providers have deployed.

For example, the cloud storage system utilized by my company was designed for 99.999999999% durability and up to 99.99% availability of objects over a given year. That design and those numbers are virtually impossible to duplicate with an on-premise solution. In addition, the comprehensive access control described above is nearly impossible to duplicate on-premise. Deploying tools like these in an on-premise environment would require not only large investments in infrastructure, but large teams to manage them too.

Ask yourself: how big is your security team? How much is your budget for security around your manufacturing data? Then remember, the best application providers and data centers have large, dedicated security teams who have implemented automated threat monitoring systems that operate 24x7. In the end, the best cloud software companies have dedicated more time, resources and budget to securing our systems than most organizations are able to provide themselves.

More Security in the Cloud

The security issue for cloud manufacturing software is perhaps best summed up by this quote from LNS Research:

“By moving to the Cloud, security is usually enhanced rather than diminished as Cloud suppliers devote huge efforts to ensuring their underlying systems are as secure as possible and are constantly updated to react to potential threats. No individual manufacturer could devote such efforts, and they should focus on plant security working with their MES and plant software vendors to ensure maximum security and properly maintained systems. Do not get caught out by obsolete and vulnerable systems.”

About the author: Srivats Ramaswami, CTO at 42Q, has worked at both OEMs and contract manufacturers, most recently as vice president of IT Operations. His expertise includes the architecture and implementation of IT solutions that make the global supply chain visible and more efficient. Srivats is now responsible for customer acquisition and engagement, technology development and deployment for 42Q.

Copyright 2010 Respective Author at Infosec Island
Security in Operational Technology: Five Top Trends in 2018
Fri, 05 Jan 2018 11:15:00 -0600

“There has been a noticeable increase in security issues and data breaches during recent years in a variety of industries. Following an upsurge of Internet of Things (IoT) devices being utilised in industrial environments and critical infrastructures, it is clear operational technology (OT) is next in line for some very bad news. The critical systems that monitor and control our power distribution networks, our industrial capacity and our connected healthcare systems have been under attack for a long time and while only some of these attacks have been successful, it’s almost inevitable that bigger breaches are yet to come.”

Here are the top five security trends we at Applied Risk are watching out for in 2018:

1. Wireless: a major attack inevitable - Perhaps the single most unsettling piece of news in 2017 was that the ubiquitous WiFi security protocol, WPA2, has a fundamental flaw which is unlikely to be addressed in the majority of WiFi enabled devices. The challenge in 2018 is that the use of wireless communications, including Low Power Area Networks, will continue to grow in line with IoT device deployments. This will result in a far greater OT attack surface which is not being adequately protected with second and third lines of defence. A high-profile malware attack is therefore probable.

2. Healthcare attacks will increase - The most notable victim of the WannaCry malware outbreak in early 2017 was the UK National Health Service (NHS) and many US hospitals have fallen victim to other ransomware attacks. Healthcare is a key industry for IoT adoption with new network connected medical devices delivering life-saving outcomes, but the security of these devices has been too low a priority for too long, accentuating the risk of further attacks.

3. The skills shortage will drive security automation - Frost and Sullivan have predicted that the shortfall of skilled security professionals compared to market needs could be as high as 1.5 million by 2020. This will drive investment in alternative service models for the security industry, and we expect to see innovative new products and processes based on artificial intelligence for both monitoring and testing to safeguard industrial environments.

4. Advanced persistent threats will infiltrate more OT environments - As the Industrial IoT grows in terms of both device numbers and data volumes, the challenge of detecting and closing down advanced persistent threats (APTs) inevitably becomes harder. Even relatively well understood and straightforward techniques, such as data exfiltration over DNS, remain stubbornly easy to exploit. Investments in knowledge sharing and network monitoring are not yet at the scale required to fight APTs effectively.

5. Security-by-Design will start to improve ICS security - The good news is that heightened awareness of security issues in critical environments is having an effect. More teams are integrating “security-by-design” into their development cycles for industrial control systems, creating products that take into account current and future threat concerns. There is still a long way to go to make this the norm, but legislators around the world are building strong regulations and frameworks which penalise security weaknesses.
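Item 4 singles out data exfiltration over DNS as a technique that is still easy to use and under-monitored. The following added example, which is not Applied Risk's code, shows the first-pass heuristics a monitoring team can run over resolver query logs to surface that pattern: long, high-entropy leftmost labels and a large number of unique subdomains under one registered domain, all from a single client. The query log, the domain names and the thresholds are constructed for illustration; a real deployment would use the public suffix list instead of the two-label approximation used here and would tune the thresholds against its own baseline.

```python
"""Flag registered domains whose subdomain labels look like encoded data (DNS tunnelling).

Added example for this page, not Applied Risk's code. The query log below is constructed;
the heuristics (label entropy, label length, unique-subdomain count per domain) are the
usual first-pass signals, applied before looking at query volume and timing.
"""
import math
from collections import defaultdict

# Constructed sample: rotations of the base32 alphabet stand in for encoded exfiltration
# chunks. Each rotation contains all 32 symbols once, so its entropy is exactly 5.0 bits/char.
B32 = "abcdefghijklmnopqrstuvwxyz234567"


def _chunk(i):
    return B32[i:] + B32[:i]


# Constructed query log lines: "<timestamp> <client ip> <qname> <qtype>" (not real traffic).
SAMPLE_LOG = [
    "2018-01-05T10:00:01Z 10.1.20.7 www.example.com A",
    "2018-01-05T10:00:02Z 10.1.20.7 updates.example.com A",
    "2018-01-05T10:00:03Z 10.1.20.8 mail.example.com MX",
] + [
    # a busy CDN: many unique subdomains, but short, low-entropy labels
    f"2018-01-05T10:01:{i:02d}Z 10.1.20.9 img{i}.cdn.example.com A" for i in range(8)
] + [
    # one client sending long, high-entropy labels to a single domain
    f"2018-01-05T10:02:{i:02d}Z 10.1.20.42 {_chunk(i)}.data.exfil-example.test TXT"
    for i in range(8)
]


def shannon_entropy(s):
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip(".").lower(), qtype


def registered_domain(qname):
    """Approximation: the last two labels. Production code should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def profile_domains(lines):
    """Per registered domain: unique subdomains, leftmost-label entropy/length, clients."""
    prof = defaultdict(lambda: {"subs": set(), "ent": [], "len": [], "clients": set()})
    for line in lines:
        if not line.strip():
            continue
        _, client, qname, _ = parse_line(line)
        dom = registered_domain(qname)
        if qname == dom:
            continue  # a bare apex query carries no subdomain to score
        sub = qname[: -len(dom) - 1]
        leftmost = sub.split(".")[0]
        p = prof[dom]
        p["subs"].add(sub)
        p["ent"].append(shannon_entropy(leftmost))
        p["len"].append(len(leftmost))
        p["clients"].add(client)
    return prof


def flag_tunnel_candidates(lines, min_unique=5, min_entropy=3.5, min_len=20):
    """Return {domain: evidence} for domains meeting all three thresholds at once.

    Requiring all three keeps a CDN with many short subdomains (unique count high,
    entropy low) out of the result.
    """
    flagged = {}
    for dom, p in profile_domains(lines).items():
        mean_ent = sum(p["ent"]) / len(p["ent"])
        mean_len = sum(p["len"]) / len(p["len"])
        if len(p["subs"]) >= min_unique and mean_ent >= min_entropy and mean_len >= min_len:
            flagged[dom] = {
                "unique_subdomains": len(p["subs"]),
                "mean_entropy": round(mean_ent, 2),
                "mean_label_len": round(mean_len, 1),
                "clients": sorted(p["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for dom, evidence in flag_tunnel_candidates(SAMPLE_LOG).items():
        print(dom, evidence)
```

Run as-is, it reports only `exfil-example.test`; `example.com` has eleven unique subdomains but their labels are short and low-entropy, which is why the three conditions are combined rather than alerting on any one of them.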

About the author: Jalal Bouhdada has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment, with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission providers, water utilities, petrochemical plants and oil refineries.

Copyright 2010 Respective Author at Infosec Island
Bitcoin in the Darknet Ecosystem
Fri, 05 Jan 2018 10:44:53 -0600

2017 was without a doubt the year of Bitcoin. The first decentralized cryptocurrency skyrocketed from a value of $1,000 USD per Bitcoin in January 2017 to a maximum of $20,000 USD in December. The worldwide awareness of Bitcoin and the cryptocurrency phenomenon is affecting and challenging traditional financial institutions, investors and even governments in a variety of ways.

The underlying factors – what makes Bitcoin (et al.) different from other currencies and payment forms?

Bitcoin’s attributes make it profoundly different from traditional currencies and financial assets, which attracts cybercriminals and other potential users:

  • Decentralization and deregulation: One of Bitcoin’s most valuable features is its decentralization: the currency is not controlled by any country or governing body. Additionally, most countries and central banks have yet to regulate it in any way. This combination makes it attractive to cybercriminals (and others) looking for an easy way to launder money, but also to investors looking to diversify their funds with a high-risk, potentially very profitable, tax-free investment.
  • Privacy: Bitcoin and transactions in which it is involved are perceived as anonymous. This claim is not entirely accurate – as there are links to aliases or public keys.
  • Ambiguity: It’s becoming harder and harder to decide whether Bitcoin is indeed a currency, or essentially a commodity/product/goods. In the past, the cyber community was using it as means to buy online products and services in numerous fields, among them dark web markets. However, it seems that most of the Bitcoin purchasers in the 2017 bull-run were buying it for the purpose of investment, as if it were a financial asset.

These attributes, and their perception (and in some cases misperception), lead to the current changes and trends we are seeing in how threat actors and hackers approach Bitcoin.

The go-to currency for hackers

Bitcoin has long been the go-to currency for hackers, scammers and fraudsters, due to its relative anonymity and high tradability in the black market, especially in the last couple of years, as Bitcoin is much more accessible to the public. This tendency was and still is reflected in the rise of ransomware. An easier solution for collecting Bitcoin with minimal effort is the use of cyber-extortion, known as Doxware.

Doxware is similar to a ransomware attack, but instead of, or in addition to, encrypting the victim’s files, it informs the corporation or individual that their systems have been penetrated and threatens to leak confidential information unless a ransom is paid (in Bitcoin, of course).

A similar type of cyber extortion, seen in 2017, is the threat to perform a distributed denial of service (DDoS) attack unless the victim pays a ransom in Bitcoin. The demand typically follows a small-scale attack or some other proof of capability to perform the attack.

Another threat on the rise these days is cryptocurrency mining malware. Hackers infect websites, servers and end users with mining code (sometimes implemented in a distributed manner) while victims are unaware that their resources are being used. A known mining malware attack is the recent Adylkuzz malware, which spread using the EternalBlue exploit, the same exploit used by the infamous WannaCry ransomware. Once it has infected a machine, Adylkuzz mines the cryptocurrency Monero.

How Hackers try and steal your Bitcoin

Due to Bitcoin’s relative anonymity and the mass of new investors eager to hop on the cryptocurrency wagon, it is no surprise that scammers, hackers and fraudsters are taking advantage of the inexperienced users.

An infamous way of fooling both experienced and inexperienced Bitcoin owners is conducting fake Initial Coin Offerings (ICOs). New companies in the field of cryptocurrency and blockchain offer cryptocurrency tokens at a low price in order to raise funds.

Investors participate in ICOs, hoping one would turn out to be the next crypto-bonanza, and the tokens issued are bought and sold on trading platforms. Their prices peak and drop before even one line of code is written or currency issued.

Apart from the fact that many of these companies go down along with their tokens, many ICOs are not actually intended to develop a crypto platform; instead they end in an exit scam, disappearing with the funds raised or selling their tokens at inflated prices in a classic “pump and dump” move.

There are several red flags that can indicate a fake ICO:

  1. No decentralization: If the company’s mining project does not require the use of a blockchain or another distributed platform, there is a good chance the ICO is a scam.
  2. Promised returns: As cryptocurrencies are by definition a high-risk investment, you can assume that an ICO promising high returns with minimal risk is most definitely an attempt to steal your money.
  3. Vague data: If you cannot know for sure what the expected net value of the ICO is, who is behind the company running it, or what the roadmap of the project is, there is a good chance there are none. Read the ICO’s whitepaper and research the project, its founders, and its mining structure thoroughly before you put your money in.
  4. Be careful who you trust: YouTube investment gurus and other internet experts often get paid to promote an ICO. Even if these experts have a solid reputation, it is not recommended to trust them blindly.

Another known scam is the proliferation of fake wallets. In two known scam campaigns, attackers used Google ads to promote phishing websites that mimic famous wallets, luring inexperienced users to download them or to log in to their wallets online. The victims end up entering their private key or login information into the fake wallets and losing all their Bitcoins.

How anonymous is Bitcoin?

Bitcoin is thought to be anonymous, as the identity of a wallet’s owner is unknown. Nevertheless, all Bitcoin transactions are recorded on the blockchain and can be inspected. These transactions are linked to the user’s public key; where that key can be linked to a real identity, the user can be uncovered. Users of some cryptocurrency exchanges are even more exposed, since they go through an identity verification process that reveals their true identities to the exchange operators. Bitcoin is better described as pseudonymous, with the public key serving as the alias.

Another possible break in user anonymity is tracing transactions made from Bitcoin ATMs to wallets, which usually indicates the geographical location of the wallet owner. Cross-referencing that location with other transactions, the time of purchase or even street cameras can allow law enforcement or cyber-espionage organizations to identify the user behind a Bitcoin wallet.

In pursuit of better anonymity, cybercriminals are turning to services that obscure the real user behind transactions. Some use “mixing services”, in which users trade their Bitcoin wallets for others with a completely different history, or send dozens of small transactions that combine their Bitcoins with other users’, in order to keep the sender’s real address unknown.

WannaCry, the ransomware that hit the world in May 2017, used only three Bitcoin wallets. Research tracing these three public keys[1], carried out by the writer of the blog Le Comptoir Sécu, shows how the three wallets were emptied into nine new addresses, which were later emptied as well, creating hundreds of micro-transactions. In a high-profile attack like WannaCry, it is only natural that the attackers would want to avoid any chance of exposure and make tracing as hard as possible for law enforcement and the cyber-security community.
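To make the tracing described in the last three paragraphs concrete, here is an added example (not the article's code and not Le Comptoir Sécu's) that walks a constructed ledger downstream from the three WannaCry addresses quoted in footnote [1]. It reports how many new addresses appear at each hop, how many transactions were traversed, the running balance of any address, and what share of outputs are small, which is the kind of splitting that mixing services and peel chains produce. Everything except the three seed address strings is invented: the funding transactions, the intermediate addresses and the amounts.

```python
"""Trace where coins go after leaving a set of seed addresses, on a constructed ledger.

Added example for this page. The three seed addresses are the WannaCry addresses quoted in
the article's footnote; every transaction below is invented to reproduce the pattern the
article describes (three wallets -> nine addresses -> many small outputs) and is not real
chain data. Each constructed tx spends from exactly one address to keep the model simple.
"""
from collections import defaultdict

SEED_ADDRESSES = [
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94",
]


def _build_ledger():
    """Each tx: the addresses it spends from and the (address, amount_btc) outputs it creates."""
    ledger = [
        # constructed victim payments funding the three seed wallets
        {"txid": "f01", "inputs": ["victim_payments_a"], "outputs": [(SEED_ADDRESSES[0], 22.4)]},
        {"txid": "f02", "inputs": ["victim_payments_b"], "outputs": [(SEED_ADDRESSES[1], 20.9)]},
        {"txid": "f03", "inputs": ["victim_payments_c"], "outputs": [(SEED_ADDRESSES[2], 17.9)]},
        # hop 1: each seed wallet is emptied into three fresh addresses (nine in total)
        {"txid": "t01", "inputs": [SEED_ADDRESSES[0]],
         "outputs": [("addrA1", 7.5), ("addrA2", 7.5), ("addrA3", 7.4)]},
        {"txid": "t02", "inputs": [SEED_ADDRESSES[1]],
         "outputs": [("addrB1", 7.0), ("addrB2", 7.0), ("addrB3", 6.9)]},
        {"txid": "t03", "inputs": [SEED_ADDRESSES[2]],
         "outputs": [("addrC1", 6.0), ("addrC2", 6.0), ("addrC3", 5.9)]},
    ]
    # hop 2: each of the nine addresses is drained again as five small outputs
    n = 0
    for tx in [t for t in ledger if t["txid"].startswith("t")]:
        for addr, amt in tx["outputs"]:
            n += 1
            outs = [(f"micro{n:02d}_{i}", round(amt / 5, 4)) for i in range(5)]
            ledger.append({"txid": f"t{n + 3:02d}", "inputs": [addr], "outputs": outs})
    return ledger


LEDGER = _build_ledger()


def index_by_input(ledger):
    """Map each address to the transactions that spend from it."""
    idx = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            idx[addr].append(tx)
    return idx


def trace_outflows(seeds, ledger, max_hops=10):
    """Breadth-first walk downstream from seeds.

    Returns ({hop: set of addresses first reached at that hop}, number of txs traversed).
    """
    idx = index_by_input(ledger)
    seen_addr = set(seeds)
    seen_tx = set()
    hops = {0: set(seeds)}
    frontier = set(seeds)
    for hop in range(1, max_hops + 1):
        reached = set()
        for addr in frontier:
            for tx in idx.get(addr, []):
                if tx["txid"] in seen_tx:
                    continue
                seen_tx.add(tx["txid"])
                for out_addr, _ in tx["outputs"]:
                    if out_addr not in seen_addr:
                        seen_addr.add(out_addr)
                        reached.add(out_addr)
        if not reached:
            break
        hops[hop] = reached
        frontier = reached
    return hops, len(seen_tx)


def balance(address, ledger):
    """Received minus spent for one address (valid here because every tx has one input)."""
    received = sum(amt for tx in ledger for a, amt in tx["outputs"] if a == address)
    spent = sum(amt for tx in ledger if address in tx["inputs"] for _, amt in tx["outputs"])
    return round(received - spent, 8)


def small_output_ratio(ledger, threshold_btc=2.0):
    """Share of all outputs below the threshold: a crude splitting/mixing indicator."""
    outs = [amt for tx in ledger for _, amt in tx["outputs"]]
    return sum(1 for amt in outs if amt < threshold_btc) / len(outs)


if __name__ == "__main__":
    hops, ntx = trace_outflows(SEED_ADDRESSES, LEDGER)
    for hop, addrs in hops.items():
        print(f"hop {hop}: {len(addrs)} addresses")
    print("txs traversed:", ntx, "small-output ratio:", round(small_output_ratio(LEDGER), 3))
```

On this constructed data the walk stops after two hops with 3, 9 and 45 addresses per hop and twelve transactions traversed; on a real chain the same loop keeps going until the coins reach an exchange or a service with known ownership, which is where investigators usually regain a name.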

Bitcoin makes the underworld go round, is that so?

Bitcoin is still perceived by many as underground money, used by criminals, drug dealers and hackers. However, the recent hype around Bitcoin has caused high volatility, heavy load on the blockchain network and costly transaction fees. This hype has actually driven darknet users away from Bitcoin, as many black markets are now adopting other, newer cryptocurrencies (known as ‘Alts’) such as Ethereum, Bitcoin Cash, Litecoin, and the recent favorite Monero, a currency which currently offers the highest anonymity in the cryptocurrency market. Libertas market, one of the best-known black markets on the dark web, has even gone as far as giving up on Bitcoin and accepting only Monero.

It seems that the acceptance of Bitcoin by the public has brought it from the margins of internet society to center stage, and sent cybercriminals searching for other solutions better suited to their need for anonymity.


To sum it up, Bitcoin is a rollercoaster for both investors and cybercriminals, and as it becomes more and more accepted in the public and financial ecosystem, cybercriminals are more interested in stealing Bitcoins than in using them as a currency. This trend will probably continue as long as the Bitcoin bull run lasts, turning Bitcoin from a means into an end. Alternatives are getting better by the day, threatening to take over Bitcoin’s role as the main currency of the cybercrime community.

[1] 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

About the author: Guy Caspi is a seasoned CEO and leading global expert in cybersecurity, big data analytics and data science, recognized as a pioneer technologist by the World Economic Forum in Davos.

Copyright 2010 Respective Author at Infosec Island
The 5 Motives of Ransomware
Thu, 04 Jan 2018 08:30:00 -0600

When 2017 began, we knew that ransomware was going to be a major topic. However, who would have foreseen the impact of both WannaCry and NotPetya?

WannaCry hit the world on May 12, infecting more than 230,000 systems in over 150 countries. In the process, it caused havoc in the UK’s National Health Service, using the EternalBlue exploit that was part of the Vault7 leak of the U.S. National Security Agency (NSA) offensive tools. The impact was huge, causing many disruptions around the world and highlighting the importance of patching systems with security updates.

Was the lesson learned? The answer is no.

Shortly after WannaCry, we were introduced to NotPetya in late June, this time escalating out of Ukraine and quickly cascading around the world, impacting system after system. This caused major issues for energy companies, transportation, medical services, the power grid, bus stations, airports and banks.

The financial gain from both variants of ransomware was quite low, with a combined total of approximately $150k, compared to older variants such as Zeus that claimed more than $100 million.

In my experience in digital forensics, I have always been taught to follow one of two things when trying to understand cybercrime: follow the motive or follow the money. Either or both will lead to the criminal. In both WannaCry and NotPetya, it looks like the motive was not the financial part of the crime, or that the payload and the financial portion were constructed by two different groups or cybercriminals.

When we look at the motives of those who use ransomware, it is usually the following:  

  • Destructive – The attackers do not care about the financial reward; the aim is purely to cause disruption and fear. Of course, the cybercriminals may decide to take the financial takings if they are untraceable.
  • Financial Motivation – The aim is to get as much financial reward as possible, and the ransom is usually a premium paid to get the data or access back.
  • Cryptocurrency Manipulation – Knowing that ransomware usually requires payment in the form of cryptocurrencies, and that their value is derived from the number of wallets, you could use ransomware to cause a significant increase in value. The best way to get away with the crime is to make money legally.
  • Disguise Real Motive – This is usually to hide the real crime. When you have committed a cybercrime and need to hide your traces, what better way than to cause disruption with ransomware? While the world is racing to stay secure and reduce the impact, the cybercriminals have escaped from the real crime, hiding the traces of what happened. Make a disaster or catastrophe to cover your tracks.
  • Misdirection – Like disguising the real motive, this is similar to a trick used by magicians to get your eyes to focus on something else. I believe we have seen examples of this in the recent nation-state attacks, in which breadcrumbs are left that lead investigators to spend time on one country when in fact the attack came from another. This is quite common in cybercrime, in the hope that time will prevent the true criminal from being found.

I will leave you to consider what the real purposes of recent ransomware threats have been. However, remember it can also be a combination of multiple threat actors involved with different motives. 

Remember: It is always important to step back and think, if this were your crime, how would you have done it? Sometimes it's crucial to be able to think and look at the world through the eyes of a hacker or cybercriminal.

About the author: Joseph Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist at Thycotic.

Copyright 2010 Respective Author at Infosec Island
Fake Android Security Tools Harvest User Data
Thu, 04 Jan 2018 06:29:09 -0600

Dozens of Android applications masquerading as security tools were found bombarding users with ads, tracking their location, and secretly harvesting user data, Trend Micro reports.

A total of 36 such applications were found in Google Play in early December, all of which executed the aforementioned unwanted behavior. The applications were posing as security utilities like Security Defender, Security Keeper, Smart Security, Advanced Boost, and more.

The offending applications, the researchers discovered, advertised a variety of capabilities, including scanning, cleaning junk, saving battery, cooling the CPU, locking apps, message filtering, WiFi security, and the like.

When first launched, the apps would hide from the device launcher’s list of applications and would also remove their shortcuts from the device screen. Thus, users would only see the notifications pushed by the apps, which would normally be alarmist security warnings and pop-up windows.

The apps were designed to hide their presence only on specific devices. They would not exhibit such behavior on Google Nexus 6P, Xiaomi MI 4LTE, ZTE N958St, and LGE LG-H525n, most likely because the tactic would not work on these devices or because they wanted to avoid additional scrutiny from Google Play.

Once up and running, the apps would bombard users with “security” notifications and other messages. However, most of the “detection” results displayed in the notifications are false, such as the reporting of all newly installed apps as being suspicious.

Some of these notifications would prompt users to take action on supposedly detected issues on the device. When the user clicks to perform the action, the app would display a fake animation to trick the user into believing that the app is working as intended.

While sending these notifications, however, the apps would also collect the victim’s private data, including specific location details. The collected data is then sent to a remote server.

In addition to pushing said notifications, the applications would also display advertisements to the user in various scenarios: after a notification to unlock the device screen, or after the user is prompted to connect a charger.

Almost every user action triggers an ad, which suggests the apps were designed mainly for ad display and click fraud.

The security researchers also noticed that users are asked to agree to an EULA (end-user license agreement) that details the information gathered and used by the app. However, because the collection and transmission of personal data is not related to the apps’ functionality, these apps are still considered abusive.

These apps can upload to a remote server user information, details on the installed apps, information on attachments, user operational information, and data on activated events.

Additionally, the apps were observed collecting the Android ID, MAC address, IMSI, information about the OS, brand and model of the device, device specifics, language, location information, data on installed apps, and information on which permissions are granted or not.
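The behaviours described above (hiding the launcher icon after first run, exempting specific device models from that trick, collecting identifiers and location unrelated to the claimed purpose, and sending them to a remote host) are individually weak signals but strong in combination. The following added example, which is not Trend Micro's tooling, scores constructed app metadata records on exactly that combination, the kind of triage an app-vetting pipeline runs before handing a sample to an analyst. The package names, hosts, permission-to-purpose mapping, weights and threshold are all assumptions made for the example.

```python
"""Score Android app metadata for the fake-security-tool pattern described in the article.

Added example for this page; it is not Trend Micro's tooling and every app record is
constructed. The fields are what a static pass over a manifest and decompiled code could
yield: declared permissions, whether the app disables its own launcher activity after first
run (typically via PackageManager.setComponentEnabledSetting), device models the code exempts
from icon-hiding, and hosts that receive the collected data.
"""

# Permissions that expose personal data, with what they give access to.
PII_PERMISSIONS = {
    "READ_PHONE_STATE": "IMSI and device identifiers",
    "ACCESS_FINE_LOCATION": "precise location",
    "ACCESS_COARSE_LOCATION": "approximate location",
}

# Permissions an app's stated purpose plausibly justifies (constructed, deliberately minimal).
JUSTIFIED_BY_CLAIM = {
    "navigation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "dialer": {"READ_PHONE_STATE"},
}

APPS = [  # constructed records, not apps from the report
    {"package": "com.example.securitydefender", "claims": ["security", "cleaner"],
     "permissions": ["INTERNET", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"],
     "hides_launcher_icon": True,
     "model_exclusions": ["Nexus 6P", "MI 4LTE"],
     "exfil_hosts": ["collector.invalid"]},
    {"package": "com.example.maps", "claims": ["navigation"],
     "permissions": ["INTERNET", "ACCESS_FINE_LOCATION"],
     "hides_launcher_icon": False, "model_exclusions": [], "exfil_hosts": []},
    {"package": "com.example.flashlight", "claims": ["utility"],
     "permissions": ["CAMERA"],
     "hides_launcher_icon": False, "model_exclusions": [], "exfil_hosts": []},
]


def unjustified_pii_permissions(app):
    """PII permissions the app requests that none of its stated purposes explain."""
    justified = set()
    for claim in app["claims"]:
        justified |= JUSTIFIED_BY_CLAIM.get(claim, set())
    return sorted(p for p in app["permissions"] if p in PII_PERMISSIONS and p not in justified)


def score_app(app):
    """Return (score, reasons). Each indicator alone is weak; the combination is the signal."""
    reasons = []
    score = 0
    unjustified = unjustified_pii_permissions(app)
    for perm in unjustified:
        reasons.append(f"{perm} ({PII_PERMISSIONS[perm]}) not explained by claims {app['claims']}")
        score += 2
    if app["hides_launcher_icon"]:
        reasons.append("disables its launcher icon after first run")
        score += 3
    if app["model_exclusions"]:
        # skipping the trick on particular models suggests evasion of review devices
        reasons.append(f"icon-hiding skipped on specific models: {app['model_exclusions']}")
        score += 2
    if unjustified and app["exfil_hosts"]:
        reasons.append(f"collected data sent to {app['exfil_hosts']}")
        score += 3
    return score, reasons


def triage(apps, threshold=6):
    """Map package -> {score, verdict, reasons}; 'review' means score >= threshold."""
    out = {}
    for app in apps:
        score, reasons = score_app(app)
        out[app["package"]] = {
            "score": score,
            "verdict": "review" if score >= threshold else "ok",
            "reasons": reasons,
        }
    return out


if __name__ == "__main__":
    for package, result in triage(APPS).items():
        print(package, result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("   -", reason)
```

The navigation app requests precise location too, but its stated purpose justifies it, so it scores zero; the point of the purpose mapping is to avoid flagging every app that uses a sensitive permission.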

Google has been informed of the behavior of these applications and has already removed them from Google Play.

Related: Google to Warn Android Users on Apps Collecting Data

Related: Majority of Android Apps Contain Embedded User-Tracking: Report


Copyright 2010 Respective Author at Infosec Island