Infosec Island Latest Articles
Adrift in Threats? Come Ashore!

Access Management and the Automation of Things
Tue, 21 Feb 2017 05:24:28 -0600

Want to destroy the confidence of your IT department and amputate key appendages from its leadership’s chance of success? Force these folks to manage manual processes: bog down their ability to manage the access of users, and create ever-changing and overbearing password management rules, for example. I’m not suggesting that requiring your IT team to manage these tasks manually is a head-scratching problem, but doing so does mean more obvious complications, extremely mundane work and a time-consuming volume of requests.

For your highly technical teams, asking them to handle manual account management is a waste of resources. These employees should spend their time on more technical issues and complex projects for your organization, don’t you think?

But, wait. How can you get your IT department to move forward when it is asked to perform menial tasks related to a user’s account or password? There are solutions, of course, for managing these processes, but can they be trusted and are they really beneficial to operations of the organization? That depends on your point of view, I guess – some experts once wondered about the benefits and purpose of a thing called the “internet” while others, respectable people, once wondered about the benefits of tablets and their touch screens.

The simple answer to the proposed question then, in my opinion, is: “yes.” Solutions on the market assist with these processes. The following provides a bit more detail about what these solutions can do.

Account creation and management from one place

Setting up a new account for an employee is frustrating – when done manually. It looks a little like this: an IT admin accesses each appropriate application, enters the required employee information, then sets the appropriate access rights. Making matters worse, a single new employee likely needs multiple accounts to begin their work. Sometimes, a newly hired employee will be left waiting for a few days for the correct access to the correct accounts. Who hasn’t had this happen to them when they’ve begun a new job?

Current technologies can automate this process. With automation, an HR person simply needs to enter the appropriate employee information into the HR system, and voila, new accounts are created in all systems relevant to the person’s role in the organization! These solutions work seamlessly for both in-house and cloud applications, so any type of application or system your company uses can be easily integrated – completely automated.

Aspirin for time-sensitive request headaches

In manual processes, the need for additional access to accounts or resources created for an employee can be a headache. Here’s how the process typically works: an employee must contact their manager, who contacts an IT admin, when they need access to an application or to make a change to their account. If this request is time sensitive, the employee may continually contact the manager to check up on the progress of the access rights. Now imagine countless messages and emails coming in from more than one employee requesting a change as soon as possible – overwhelming.

This can be automated, too. When an employee needs access to a certain application for a project they are working on they simply make the request in an employee portal and the request is routed to the correct manager. That manager can either accept or deny the employee’s request. If accepted, the change is automatically made and the employee has immediate access. This eliminates the need for anyone to contact the IT department or an account admin to request the change. This is seamless with in-house and cloud applications so changes can be easily made to both.

Then, if an employee wants to check on their request, they can view the progress in their portal instead of contacting the admin directly. So, admins no longer need to be repeatedly contacted to ask if the change has been made. 

Responding to the same call over and over again

What about all of the password issues that the IT department must deal with? Many automated solutions work seamlessly with password management to address these issues, drastically reducing redundant calls. Here’s the problem: employees call the helpdesk to have their password reset for one or more of their applications when they forget them or are locked out of their accounts. This continues over and over again. This, like the account change requests, is very simple to fix, but overwhelmingly difficult and mundane if managed manually. Certainly, this is time-consuming when employees – especially repeat offenders – request resets over and over again.

The most popular fix here is an automated password management solution. Such technologies provide a self-service reset option that can be adapted for use with cloud or in-house applications. This allows users to reset their own passwords without contacting the helpdesk, even from mobile devices such as smartphones and tablets.

Also, don’t forget that single sign-on solutions have also been adapted to work in conjunction with cloud applications. Single sign-on allows your users to log in once with a single set of credentials (one password and such) and thereafter gain access to all other applications they are authorized to use, easily resolving the issue of users needing to remember multiple passwords. This, then, also eliminates the need to request so many resets and relieves the helpdesk of mundane, tedious tasks.

With automated solutions these tasks can be easily automated making processes better for everyone involved, and resulting in a happy IT department where leaders are empowered to live up to their professional potential without being cut off at the knees.

Copyright 2010 Respective Author at Infosec Island
SAP Cyber Threat Intelligence report – February 2017
Fri, 17 Feb 2017 11:25:00 -0600

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • February’s set of Security Notes consists of 22 patches, most of which fix missing authorization check vulnerabilities.
  • The highest CVSS base score of the fixed bugs is 8.5.
  • This month, multiple vulnerabilities affecting SAP HANA were closed. They can be exploited together to crash applications on SAP HANA XS remotely without authentication.

SAP Security Notes – February 2017

SAP has released the monthly critical patch update for February 2017. This patch update includes 22 SAP Notes (15 SAP Security Patch Day Notes and 7 Support Package Notes).

4 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 7 of the Notes are updates to previously released Security Notes.

7 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.5.

SAP Security Notes February 2017 by priority (chart)

The most common vulnerability type is Missing Authorization check.

SAP Security Notes February 2017 by type (chart)

Issues that were patched with the help of ERPScan

This month, 3 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Mikhail Medvedev were closed.

Below are the details of these vulnerabilities.

  • Multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3). Update is available in SAP Security Note 2407694. An attacker can use a denial of service vulnerability to crash a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • An XML external entity vulnerability in SAP Visual Composer VC70RUNTIME (CVSS Base Score: 6.5). Update is available in SAP Security Note 2386873. An attacker can use an XML external entity vulnerability to send specially crafted, unauthorized XML requests that will be processed by the XML parser, and thereby gain unauthorised access to the OS file system.

SAP HANA Multiple Vulnerabilities in detail

SAP Security Note 2407694 closes 2 vulnerabilities affecting SAP’s flagship product, HANA. Namely, a DoS vulnerability and an implementation flaw (an insecure default user creation policy) in the third-party repository server Sinopia.

These vulnerabilities can be exploited together. One possible attack scenario is the following. The first vulnerability allows an attacker to create a new user over the Internet without authentication. After that, an adversary can create a new repository. If a package name contains special characters, the application process will crash. As a result of the attack, the project would be unavailable, meaning a stoppage of development processes. Moreover, the vendor’s advisory states that other SAP HANA XS components could also be potentially impacted.

The most critical issues closed by SAP Security Notes February 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2408892: SAP NetWeaver Data Orchestration has a Missing Authorization Check vulnerability (CVSS Base Score: 8.5). An attacker can use a missing authorization check vulnerability to access the service without authorization and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
  • 2413716: SAP GRC Access Control EAM has an Implementation Flaw vulnerability (CVSS Base Score: 8.2). Depending on the case, an implementation flaw can cause unpredictable system behaviour and problems with stability and safety. Patches solve configuration errors, add new functionality and increase system stability. Install this SAP Security Note to prevent the risks.
  • 2391018: SAP 3D Visual Enterprise Author, Generator and Viewer has a Memory Corruption vulnerability (CVSS Base Score: 8). An attacker can use a buffer overflow vulnerability to inject specially crafted code into working memory, which will be executed by the vulnerable application. Executed commands will run with the same privileges as the service that executed them. This can lead to taking complete control of the application, denial of service, command execution, and other attacks. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

DigitalOcean Launches Public Bug Bounty Program
Fri, 17 Feb 2017 11:01:37 -0600

Cloud computing platform DigitalOcean on Wednesday announced the public availability of its bug bounty program, after successfully running it in private mode.

The same as the private program, the public one was launched in collaboration with Bugcrowd, which provides DigitalOcean with access to a large crowd of researchers and allows it to focus internal resources “on keeping the cloud secure.”

On the program’s page, the company reveals that the bounties available for interested researchers range from $150 to $2,500 per bug, depending on the severity and impact of the discovered flaw. At the moment, the company accepts vulnerabilities found in and

According to the company, it plans on investigating legitimate reports received through the program and on addressing vulnerabilities as fast as possible. Moreover, DigitalOcean says that it won’t take legal action against (or ask law enforcement to investigate) researchers who comply with a series of straightforward requirements.

Specifically, the company asks researchers to provide it with all the necessary details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC), as well as to make “a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation” of services.

Researchers are also required to avoid accessing or modifying data that does not belong to them, as well as to provide the company with reasonable time to correct the issue before making any information public.

DigitalOcean's public bug bounty program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings, the company also announced.

Researchers interested in the program are encouraged to register for a new account on the company’s website and will receive access to five droplets. They are required to refrain from launching droplets with more than 1GB of RAM, and to focus on the aforementioned resources, except ticket creation. Vulnerabilities in other applications owned by DigitalOcean aren’t within the scope of the program either.

“Incorporating Bugcrowd's platform into DigitalOcean's overall security strategy has noticeably decreased the window for detecting vulnerabilities in our cloud. Additionally, and in line with our culture of love, we are able to have a more consistent interaction with security researchers through Bugcrowd, and we are able to reward researchers for their hard work!” DigitalOcean Director of Security Nick Vigier said.

The partnership with Bugcrowd, the company says, should provide it with good, consistent communication with researchers, while ensuring their development teams are provided with actionable and validated vulnerabilities. “We are excited to extend our program and continue enjoying the benefits of crowdsourced security testing,” Vigier concluded.

Last year, Bugcrowd’s second annual State of Bug Bounty Report revealed that an increasing number of “traditional” industries are launching bug bounty programs to secure their products and services. Earlier this week, the company revealed a partnership with Qualys to allow joint customers to share vulnerability data across automated web application scanning and crowdsourced bug bounty programs.

Related: Identity Management Firm Okta Launches Bug Bounty Program

Related: Bugcrowd Raises $15 Million to Expand Bug Bounty Business

What bicycle thefts can teach us about mobile security
Fri, 17 Feb 2017 09:49:34 -0600

I recently had my mountain bike stolen. I had locked it with a device that I thought was strong enough, but the thief was able to cut through it and take the cycle. As anyone who has had something personal stolen will know, the theft makes you re-evaluate how you protect other things you own. So, after choosing a replacement bike, I naturally decided to buy a more secure lock.

At the cycle specialist, I was looking at devices from ABUS, one of the leading bike security brands. All of the company’s devices perform the same basic function – helping to prevent ‘mobile devices’ from being stolen – but of course, its solutions cover a range of security levels. So the company rates each of its locks according to its intended usage and the threat environment it will be used in – from low-cost bikes and accessories in low-risk areas, to high-value bikes in high-risk areas for theft. 

This got me thinking – why shouldn’t organizations apply the same rating process to securing the smartphones and tablets being used across their employee base? As with bike security, the overall objective is simple: reduce the security risks of the device being stolen or compromised. And there is no ‘one size fits all’ solution, as the organization has various functions with different levels of risk and different security needs. The idea that every mobile device in an organization should be protected with the highest-grade security technologies looks good on paper – but in practice it simply doesn’t make sense, as some do not require that level of security or are not willing to pay the required security price.

Organizations need to ensure they provide the right levels of security for the device and data, based on several factors: the role of the individual using the device; what core business applications and data the person has access to; and the risk to the business if the device is stolen, compromised by malware, or communications are intercepted. Just as it is unlikely that you would use a 150-dollar lock to secure an old, 50-dollar bike, you wouldn’t use a 30-dollar lock to secure a hand-built Specialized or Colnago racer. 

Different staff, different security levels

So how should organizations approach stratifying the security requirements across their mobile estates? I believe there are three main security levels to think about. 

First, there are the senior members of staff or specific, sensitive organization functions (C-level, MNA, Legal, Finance, core IP, Research, etc.) who access and process sensitive corporate data. These personnel – and their devices – are critical to the organization, and therefore should be considered a high security risk. As such, layering multiple security products onto their company-issued or personal device is simply not a good approach. The tools and processes that provide reasonable levels of protection often compromise the performance and usability of the device so much that users will seek workarounds, bypassing security measures to achieve productivity. This exposes the device, and the data on it, to even greater and unnecessary risk. What’s more, underlying OS-level vulnerabilities on these devices can also be targeted by hackers as part of a ‘whaling’ attack against the organization’s executives.

As such, instead of using vulnerable mobile devices with bolted-on restrictive security, senior executives should be issued with specialized, secure devices in which the standard OS and the entire software layer from the kernel level upward is replaced with a secure, hardened version with built-in security layers implemented seamlessly, without affecting productivity, functionality or usability. These devices should deliver full encryption of data at rest, as well as all communications to and from the device, secure its externally available interfaces (Web, Cellular, Wifi, NFC, USB, Bluetooth, etc.), and actively monitor, block and alert on all targeted attacks and attempts to gain unauthorized access to on-device resources, plant malicious code or install rogue apps.

As a result, cyber criminals will hit a very high security bar when trying to target the device. Also, since security is built into the devices’ lowest software layers (instead of being added on), the end user can still enjoy a standard, familiar, fully functional operating system, leveraging a complete app ecosystem and standard ease of use: ensuring that their productivity is not compromised in any way.

Referring back to the ABUS cycle lock rating system analogy, this method would be ranked 9 on a scale of 1 to 10 in terms of security rating, assuming realistically that a 100% bulletproof, 10 out of 10 rating cannot be achieved.

Mid-level security

The second level of security is mid-tier management staff, senior external contractors, project managers and other specific functions that have access to some sensitive data but are unlikely to be primary targets for hackers. These personnel – and their devices – are not as critical to the organization as the first group, and therefore should be considered a medium security risk. For these individuals, a standard smartphone, protected with a comprehensive security application that delivers data and communications encryption, attack detection and protection capabilities together with advanced device management features should provide sufficient protection to satisfy the level of risk and security requirements identified at corporate level.  

This method could be applied on a corporate-issued smartphone, or on the user’s own device under a BYOD scheme, and would be rated 6 out of 10 on the ABUS scale. The security is not as strong as with a fully hardened device and OS, but will be sufficient for the majority of mid-tier staff.

The third level of security applies to employees who have low-level access to data, including contract and freelance staff that are not part of the organization for long enough to warrant being issued with a company device, or included as part of a comprehensive mobile security scheme. Each individual’s device usage and data access should be assessed and monitored, providing visibility at the corporate level with regards to the security postures and risk levels of each device under this scheme. This should be achieved by applying lightweight security software on these devices. This method would be rated as 3 out of 10, and devices under this scheme treated accordingly – low risk, low access level, low security processing power.

Real time visibility and policy enforcement

These three levels of security should be underpinned with a management system which enables the organization’s IT team to see the real-time risk level and security posture of each mobile device in its estate. Monitoring the overall security health of a specific device, a group or the entire organization can effectively point out security gaps, users’ negligence and specific areas of risk that may affect the way IT rolls out new services and access to services. This also enables the team to manage and apply policies to mitigate risks on devices as they occur, reducing the organization’s attack surface, the potential impact of threats and attempts to breach security.

This stratified contextual approach to security means that businesses can apply protection to each device and the data it holds, in a way that is appropriate to the device user’s role, and risk profile. In turn, this makes it easier for organizations to lock down and manage the complete mobile security cycle.

The Third Party Threat
Thu, 16 Feb 2017 06:20:00 -0600

63% of all data breaches can be attributed to a third-party vendor, according to a Soha Systems Security survey. Everyone from LinkedIn to the Hard Rock Hotel and Casino has been hacked, exposing their clients’ data, thanks to a third-party vendor.

The measures taken by organizations to protect corporate assets from electronic theft have to consider many avenues of access. Laptops, tablets and mobile phones are hand-carried into organizations every day – right past the firewall. If these devices become infected off premises, defending against the infection becomes the corporate security team’s responsibility. Remote employees coming in via VPN connections must also be monitored. There is the additional issue of guests who need temporary access, as well as contractors who need admittance to the Internet and possibly internal resources as well.

If these contagions aren’t gaining access through phishing attacks, then there is always the assumption that someone – somewhere – walked the infection right through the front door. Malware of one form or another should be assumed to be on the network at all times. Currently, in every corporate network in every state, there is a computing device acting as a host for a bot that is waiting for just the right moment to make a move.

The debacle of third-party breaches hit prominence when Target revealed a massive data breach via a third-party contractor. According to the contractor, it used its remote access to Target’s internal network for electronic billing, contract submission and project management. Once Target was compromised, the hackers were able to access the point-of-sale machines (i.e. registers) and ultimately reached roughly 40 million debit and credit card accounts. The data was then uploaded to compromised servers on the Internet, which helped obfuscate the identity of the perpetrators. It was estimated that Target faced millions of dollars in losses as a result of the breach.

Since then, the Yahoo breach has been one of the most spectacular incursions, exposing more than a billion user accounts. Rather than being taken by breaching Yahoo's servers directly, the email addresses and passwords were likely extracted from a third-party database, according to Yahoo. "We have no evidence that they were obtained directly from Yahoo's systems," the company said. This unfortunate incident has led to lawsuits and the delay of the acquisition by Verizon.

The Soha Systems Security survey also revealed:

  • 75% of the IT and security professionals said the risk of a breach from a 3rd party is serious and increasing
  • 2% of Enterprise IT and Security Managers, Directors and C-Level Execs consider 3rd party access a top priority
  • 87% of IT professionals report their organization’s use of contractors has increased
  • 56% of respondents had strong concerns about their ability to control and/or secure their own third party access

The gap between IT priorities and third party access risk is a serious problem that affects all industry segments and it appears to be getting worse. The use of 3rd party contractors is increasing and for some organizations this poses yet another risk to their security posture. 

A data compromise is inevitable for companies, wherever it might emanate from. Therefore an organization’s ability to respond to an incident is key. When responding to a cyber event, investigators almost always turn to the system logs and the history of the traffic patterns that occurred during the event. Having clear, historical visibility into traffic on the network is possible when NetFlow and IPFIX data is collected and archived. Since all major router and firewall vendors support these flow technologies, they have become the critical tool for traffic analysis when investigating and sleuthing out the most covert intrusions. Flow information provides a detailed footprint of every network connection leading up to, during and after a data compromise. Many technologies even leverage flow data for behavior monitoring, where end-system behaviors are analyzed over time in an effort to uncover abnormal system communications.

The faster data breaches can be detected and the entry points closed off, the faster damage can be mitigated. By monitoring and archiving all flow connections, companies stand a better chance of tracing malware back to the source.
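The kind of flow-record analysis the last two paragraphs describe, as an added Python example that is not part of the original article: it parses a constructed NetFlow/IPFIX export, flags contractor VPN hosts reaching internal segments outside their permitted scope, flags unusually large uploads to a single external peer, and reconstructs one host's connection footprint. The address ranges, the contractor policy and the byte threshold are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (a NetFlow/IPFIX export rendered as CSV; not real traffic).
# Fields mirror the usual 5-tuple plus byte/packet counters and a flow start timestamp.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes,packets
2017-02-10T08:01:00,10.200.5.14,10.10.20.8,443,tcp,48210,310
2017-02-10T08:03:12,10.200.5.14,10.10.20.8,443,tcp,9120,80
2017-02-10T08:20:45,10.200.5.14,10.50.1.21,445,tcp,151000,910
2017-02-10T08:22:03,10.200.5.14,10.50.1.22,3389,tcp,2200000,5100
2017-02-10T09:05:30,10.50.1.22,203.0.113.77,443,tcp,312000000,240000
2017-02-10T09:40:00,10.10.30.9,10.10.20.8,443,tcp,15000,120
"""

# Constructed policy (assumption): the contractor VPN pool may only reach the vendor-portal segment.
CONTRACTOR_POOL = ipaddress.ip_network("10.200.5.0/24")
CONTRACTOR_ALLOWED = [ipaddress.ip_network("10.10.20.0/24")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EXFIL_BYTES = 100 * 1024 * 1024  # constructed threshold: 100 MiB to one external peer


def parse_flows(text):
    """Parse the CSV flow export into dicts with typed fields, ordered by start time."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.fromisoformat(row["start"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
            "packets": int(row["packets"]),
        })
    return sorted(flows, key=lambda f: f["start"])


def contractor_scope_violations(flows):
    """Flows from the contractor VPN pool to internal hosts outside the allowed segments."""
    hits = []
    for f in flows:
        if f["src"] in CONTRACTOR_POOL and f["dst"] in INTERNAL \
                and not any(f["dst"] in net for net in CONTRACTOR_ALLOWED):
            hits.append((f["start"].isoformat(), str(f["src"]), str(f["dst"]), f["dport"]))
    return hits


def large_external_uploads(flows, threshold=EXFIL_BYTES):
    """Internal hosts that pushed more than `threshold` bytes to one external peer."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total > threshold}


def host_footprint(flows, host):
    """Every connection involving `host`, in time order: the trail used to reconstruct an incident."""
    ip = ipaddress.ip_address(host)
    return [(f["start"].isoformat(), str(f["src"]), str(f["dst"]), f["dport"], f["bytes"])
            for f in flows if ip in (f["src"], f["dst"])]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for v in contractor_scope_violations(flows):
        print("out-of-scope contractor access:", v)
    for pair, total in large_external_uploads(flows).items():
        print("large external upload:", pair, total)
    for step in host_footprint(flows, "10.50.1.22"):
        print("footprint:", step)
```

In the constructed data the contractor host reaches two hosts outside its permitted segment, and one of those hosts then pushes a large volume to an external address; the footprint of that host ties the two together in time.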

When Ransomware Strikes: Does Your Company Have a Data Disaster Recovery Plan?
Thu, 16 Feb 2017 05:20:29 -0600

Last year, nearly half of businesses were hit by ransomware. In the first half of 2016 alone, ransomware cost enterprises $209M. Even worse, experts predict that ransomware “will spin out of control” in 2017. Apparent in the headlines, ransomware is rampant and those who commit the attacks aren’t discriminating against any industry, company size, or company location. It’s no longer a question of if your company will be targeted by ransomware but rather when your company will be targeted by ransomware. To prepare, all enterprises should have a data disaster recovery plan to fight back.

The US Justice Department warns that “paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom … [after paying,] some victims were asked to pay more to get the promised decryption key.”

With a little bit of preparation and forethought, your enterprise could quickly retrieve data backups needed to keep the business running instead of haggling with cybercriminals to get access to vital and sensitive documents and ending up in the headlines for the wrong reasons.

Here are three best practices to get your company started on building a personalized data disaster recovery plan to combat ransomware and other data loss disasters:

Know the Facts

You can’t protect your assets if you don’t know what they are and where they reside. The first step of any data disaster recovery plan should be to take inventory of assets. Conduct a full risk assessment and business impact analysis to examine the consequences of disruption to a business function and processes. Understanding the impact of data loss on business-critical functions is crucial for personalizing your data disaster recovery plan. Don’t forget to include legal and audit ramifications. 

Secondly, know the facts of your company’s agreement with third-party vendors who handle your data. Don’t be lulled into a false sense of security if you use collaboration platforms like Microsoft Office 365 or G Suite. While they provide great capabilities, these SaaS applications can’t fully protect customers from data loss caused by ransomware, sync errors from integrations, or human error. It’s not that these providers don’t want to help; they simply can’t. To the SaaS provider, data that is encrypted, changed or deleted by ransomware, sync errors, or other destructive activity looks just like a customer changing or deleting data for legitimate reasons.

Make It a Team Effort 

Long gone are the days where only one person is responsible for enterprise security. To succeed, the entire company needs to be involved in securing its data and assets as part of the data disaster recovery plan. To this end, spend time and resources on educating your users on security best practices to prevent ransomware and phishing. Identify high-value targets for ransomware, spear-phishing, etc. and monitor for unusual activity on their end.

A hacker only needs one careless employee to gain access to your whole network. By having your whole team engaged in good security practices, hackers will be hindered by a united front. As Ben Franklin once said, “an ounce of prevention is worth a pound of the cure.”

Back Up Data & Test the Process

Ransomware attackers rely on the fact that the majority of users don’t have a good way to restore data from a backup. Counteract this ploy by regularly backing up your data with automated systems that ensure point-in-time restore.

Don’t stop there though. Backups are only as good as the recovery that comes with them. Take the time to periodically test the restore process to ensure that restored files from backups are useable and accurate. In a moment of panic, you should be able to recover your data without thinking, and get it back exactly the way it was before.

Don’t become a statistic – make the investment to build a data disaster recovery plan before you need it. Take time to do the research to know the facts of your data assets and risks, make security a team effort and back up your data and test the process. You’ll never regret preparing too much but you’ll definitely regret having to cough up tens of thousands of dollars in bitcoin to get your business-critical data back and landing in the headline of every security publication naming your company as the latest victim to ransomware. 

DynA-Crypt Ransomware Steals and Deletes User Data
Sat, 11 Feb 2017 06:46:17 -0600

A newly observed piece of ransomware doesn’t merely focus on encrypting users’ files, but also attempts to steal data from the infected machine and to delete files, researchers warn.

Dubbed DynA-Crypt, and discovered by GData malware analyst Karsten Hahn, the new threat is composed of numerous standalone executables and PowerShell scripts designed to encrypt files, steal information such as usernames and passwords, and delete files without backing them up, meaning that some of the affected data can no longer be recovered.

The ransomware was reportedly created using a malware creation kit, a tool that allows any criminal wannabe to build their own malicious application effortlessly. In the case of DynA-Crypt, however, the actor who decided to create the ransomware didn’t have a clear idea of what they were doing, BleepingComputer’s Lawrence Abrams notes.

The real issue, the researcher says, isn’t the file-encrypting code in this ransomware, although this represents a problem as well. The data stealing functionality, however, is a much greater concern, because the malware can take screenshots of the desktop, record system sounds, log commands typed on the keyboard, and steal data from numerous installed programs (Skype, Steam, Chrome, Thunderbird, Minecraft, TeamSpeak, and Firefox).

To steal the data, DynA-Crypt copies it to the %LocalAppData%\dyna\loot\ folder, archives it to a .zip file (%LocalAppData%\), and then emails it to the operator. The malware also deletes the folders it steals the data from, as well as all the items on the desktop, which it does not steal, meaning that this data is lost forever.

The file-encrypting function of DynA-Crypt is powered by a PowerShell script that uses AES for encryption. The ransomware targets only specific file types to encrypt and appends the .crypt extension to them.

After completing the encryption process, the ransomware displays a lock screen requesting a $50 ransom in Bitcoins. Additionally, it deletes the computer's Shadow Volume Copies to prevent users from restoring their files using them.

“The good news is that this thing can be easily decrypted, so do not for any reason pay the ransom if you are infected with this program,” Abrams explains.

Related: Ransomware Authors Ask Security Researcher for Coding Advice

Related: Destructive KillDisk Malware Turns Into Ransomware

2017 Cybersecurity Trends Already in Action
Wed, 08 Feb 2017 11:21:30 -0600

Everything related to cybersecurity is advancing at a breakneck pace. So it’s no shock that in the first month of 2017, we’ve already begun to see movement with the many trends and predictions we’ve been hearing for the year ahead.

Ransomware Continues Grabbing Headlines

One of the most frequently cited trends carried over from last year is ransomware, which I (and many others) believe will still be a big and continuously evolving threat in 2017. MarketsandMarkets backed up that expectation, kicking off the year by predicting a 16.3% compound annual growth rate in the market for ransomware defense, rising from $8.16 billion in 2016 to $17.36 billion in 2021.

So far, ransomware has lived up to expectations, retaining its prominence as a widespread threat and getting even more dangerous with doxing and DDoS functionality in many strains. Anti-malware company Emsisoft reported a sophisticated new ransomware called Spora that is now being sold on the darknet. KillDisk, a powerful and compact software utility that can completely and securely destroy all data on hard drives and flash devices, has been developed into a ransomware package for both Linux and Windows systems. Unfortunately, victims of KillDisk have not gotten their files back – even after paying up. A variant of the Petya ransomware, called GoldenEye, has appeared in attacks targeting HR departments, playing off that industry’s propensity for opening email attachments. That’s just a sampling of what’s happened this month, and there’s surely more to come.

IoT Security Concerns on the Rise

Vulnerabilities related to the internet of things (IoT) are another big trend we’ve been hearing about. A whole range of smart devices can be used to take advantage of consumers, take down companies through DDoS attacks and blackmail, and even provide a myriad of new endpoints through which attackers can gain access to a network. Even the smallest devices today can (and will) be connected to the internet and controlled from a centralized location, making them a potential target for a cyberattack. The economics of manufacturing these small devices often makes security an afterthought, so communication protocols between those devices are often unencrypted and easily compromised. We’ve already seen how IoT can enable DDoS attacks and the damage those attacks can cause, but the real potential of IoT vulnerabilities is much more severe.

The FDA recently posted a cybersecurity notice on its website, warning that certain pacemakers, specifically St. Jude Medical’s Merlin@home Transmitters, were vulnerable to being hacked. According to the FDA, a hacker could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” and “the altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

Will Biometric Authentication Gain Mainstream Acceptance in 2017?

Enhanced authentication has also been a big prediction for 2017, with new smartphone-based authentication methods expected to enter the market. Enrollment and deployment have been major challenges when it comes to biometric security, but since most smartphone users in 2017 will have a fingerprint scanner, iris scanner, or voice recognition tool in the palm of their hand, the barriers to biometric authentication are rapidly disappearing.

Unfortunately, while the barriers to biometric authentication are disappearing, new vulnerabilities are emerging just as quickly. We’ve already seen that stealing fingerprints can be easily achieved with low-tech tools like gummy bears, and now we’re hearing that it might be even easier than that. Japan's National Institute of Informatics (NII) reported in January that flashing a peace sign in a photo may also put your biometric data at risk. According to Isao Echizen, professor in NII's digital content and media sciences research division (as translated by the International Business Times): “Even if you just casually show the peace sign to the camera, your fingerprint can be stolen.”

What Will Happen Next?

With so many trends showing teeth so early in the year, we’re left to wonder what else is to come. Most companies still can't face the volume and sophistication of cybersecurity alerts they get, which means they’re often playing catch up on potential attacks flagged months or years prior. With each passing year, it seems that newly-uncovered hacks and the number of users impacted grow larger and larger. One big prediction for 2017 that we haven’t seen come true yet is that we'll have a new major breach. Chances are very good that a breach like that has already occurred. So the big questions that remain are, when will we hear about it, and how did it occur?

Managing External Connectivity to and From Your Network: Do’s & Don’ts
Tue, 07 Feb 2017 16:23:55 -0600

These days, no organization is an island: it needs network connectivity with a range of external parties, including suppliers, business partners, credit card processing companies, market data feed providers, and more. Managing these connections to and from your internal network servers is not only critical to your business; it also affects your information security and compliance posture.

Unlike limited, transient connections such as customer access to web portals or VPN access for field teams, permanent connections allow external organizations direct access to and from your internal networked servers, as part of a mutually-beneficial business relationship.  But, each connection is also a potential attack vector, and cybercriminals with sufficient motivation and patience can, and will, probe both parties’ networks and their connections to find ways in, no matter how complex the pathway is. 

So, how should organizations approach managing an external connection to ensure they are not inadvertently opening holes that could expose them to breaches, cyber-attacks, or compliance failures?

First there are contractual obligations. Your external connections will, or at least should, be covered by a contract between your organization and the other party. It governs the commercial, legal, and regulatory aspects of the relationship, as well as the technical aspects, including IP addresses, testing procedures, the geographic location of servers, SLAs and technical contacts. Furthermore, the contract should provide the framework for how any problems should be dealt with, and outline the escalation process.

While a business contract covering the external connection implies a level of trust between organizations, it’s important to remember that someone else is connecting to your network and processes (and vice versa), and that you do not have control over them.  There could well be a security issue on the other party’s network that is invisible to you – but when the external connection is established, that issue becomes part of your security and compliance posture. 

So while contracts are all well and good, you still need to take steps to protect your organization from the potential security risks that external connections can introduce.  Here are the three key issues that organizations should consider when managing the security aspects of a third party connection.

Network segmentation and routing

Network segmentation can minimize the risks from external connections.  This means placing the servers needed for the external connection in a demilitarized zone (DMZ), segregating the DMZ from your internal networks using firewalls, and restricting and filtering traffic in both directions using additional controls such as web application firewalls, DLP and IDS or IPS to stop rogue intrusions.

This has several security benefits.  First, it filters out malicious content such as malware at multiple points along the connection pathway, reducing the risk of such content getting into either your or the peer’s network.  Second, it ensures that should a hacker manage to get through the external connection into your servers, they will be unable to move laterally to other areas of your corporate network, as they will be isolated in the DMZ.  Third, it restricts traffic across the connection to only the essential traffic needed for that particular connection, which reduces the processing burden on your security appliances and your overall risk exposure.

Taking care of compliance

It’s also crucial to remember that if the data that is accessed via the external connection is subject to regulatory compliance, then all affected servers on both sides are subject to regulatory compliance requirements and auditing.  For example, PCI DSS regulations state that if the connection touches credit card data, then both sides of the connection are in scope.  As such, outsourcing the processing and management of regulated data to a partner does not let you off the hook in terms of regulatory compliance.  Being aware of this from the outset will enable you to apply appropriate protections to the relevant data traffic, and help you to be compliant and audit-ready at all times.

Maintenance matters

Maintenance of external connectivity covers two types of issues:  planned maintenance tasks by your own or the peer’s IT teams, and unplanned outages that were caused by a server or network element failure, or a misconfigured device.  These issues are more complicated than internal network maintenance as they require coordination with your peer’s contacts, may involve different remediation workflows, and need external reviews before a change can be made, in order to comply with the terms of the contract. 

To ensure maintenance tasks go smoothly and adhere to contractual or SLA obligations, your IT teams will need to recognize and know that the maintenance activity applies to an external connection.  A security management solution can play a key role here, by identifying the applications that have an external connection, and providing access to the contractual and technical information related to the third party connection so that it is on hand when needed.  This will help teams quickly understand the guidelines they must follow and subsequently enable them to make the necessary changes more efficiently and without breaching the contract.  

A security management solution which includes security policy change management should include a dedicated change workflow for handling changes that involve external connections, including more stringent risk checks, additional review and approval steps, and coordination with the partner peer. Finally, a security policy management system should monitor all the changes made to any of the security devices controlling the external connection, and continuously check whether the security controls are still compliant with pertinent security guidelines, regulatory requirements, and contractual obligations.

In summary, while external connections are key drivers of effective business collaboration, they can introduce security risks to your organization unless you take preventative steps.  When planning to set up such connections in your organization, do:

  • Design and segment your network architecture carefully, to minimize the risks of cyberattacks and lateral exploration by hackers via external connections
  • Be aware of how the connection with the external party affects your compliance status
  • Have security policy management systems that provide all the relevant information that IT teams need when considering planned or unplanned changes to your business’ side of external connections, and help them to manage those changes in an automated, streamlined way to ensure that they don’t disrupt the business.

And whatever you do, don’t leave security of these business-critical connections to chance.  

About the Author: Professor Avishai Wool is CTO of security policy management provider AlgoSec


2017 Singapore ICS Cyber Security Conference Call for Papers is Open! (APAC)
Wed, 01 Feb 2017 09:57:00 -0600

The official Call for Papers (presentations) for SecurityWeek's 2017 Singapore Industrial Control Systems (ICS) Cyber Security Conference, being held April 25–27 at the Fairmont Singapore is now open.   

As the largest and longest-running cyber security-focused event series for the industrial control systems sectors, the conference caters to the energy, water, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations.

With a long history, the conference has proven to bring value to attendees through the robust exchange of technical information, actual incidents, insights, and best practices to help protect critical infrastructures from cyber attacks.

Produced by SecurityWeek, the conference addresses ICS/SCADA topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

The Conference is unique and has historically focused on control system end-users from various industries and what cyber vulnerabilities mean to control system reliability and safe operation. It also has a long history of having discussions of actual ICS cyber incidents.

The 2017 Conference is expected to attract hundreds of professionals from the Asia Pacific (APAC) region, including large critical infrastructure and industrial organizations, military and government officials.

Through the Call for Papers, a conference committee will accept speaker submissions for possible inclusion in the program at SecurityWeek’s 2017 ICS Cyber Security Conference | Singapore.

The conference committee encourages proposals for both main track and “In Focus” sessions. All sessions are 45 minutes in length including Q&A.

The Conference Committee is particularly interested in submissions on the following topics: ICS/SCADA cyber incidents in the APAC region, results and observations from ICS/SCADA mitigation measures, results and observations from ICS/SCADA vulnerability assessments, live attack demonstrations, vulnerabilities and exploits, and results and observations from joint IT/ICS projects.

To be considered, interested speakers should submit proposals by email to events(at) with the subject line “ICSS2017 CFP” by February 28, 2017. Submissions will be reviewed on an ongoing basis so early submission is encouraged.

Submissions must include proposed presentation title, an informative session abstract, including learning objectives for attendees if relevant; and contact information and bio for the proposed speaker.

All speakers must adhere to the 100% vendor neutral / no commercial policy of the conference. If speakers cannot respect this policy, they should not submit a proposal.

Plan on Attending the 2017 ICS Cyber Security Conference | Singapore? Online registration is now open, with discounts available for early registration.

Sponsorship Opportunities

Sponsorship and exhibitor opportunities for SecurityWeek’s 2017 Singapore ICS Cyber Security Conference are available. Please contact events(at) for information.

Android Trojan Downloads Google Play Apps onto SD Cards
Wed, 01 Feb 2017 06:19:19 -0600

A newly discovered Android Trojan can download applications from Google Play, but saves them onto the SD card instead of installing them, to keep this malicious activity hidden from the user, Doctor Web researchers warn.

Detected as Android.Skyfin.1.origin, the malware was designed to infiltrate running Google Play processes to engage in software downloading activities. The malware is believed to be distributed via Trojans in the Android.DownLoader family, which usually gain root access on infected devices and covertly install additional malicious applications into the system directory.

According to Dr.Web security researchers, because Trojans such as Android.DownLoader.252.origin and Android.DownLoader.255.origin contain snippets of code that are characteristic to that of Android.Skyfin.1.origin, it’s likely that Skyfin is distributed specifically by those malicious applications, since they are related to it.

When launched on the infected device, the malware injects a second module called Android.Skyfin.2.origin into the Google Play process. This module is designed to steal the mobile device’s unique ID, along with the device owner’s account, the internal authorization codes for connecting to the Google Play catalog, and various other confidential data.

The stolen information, which allows the malware to interact with Google services, is passed to the main component of Android.Skyfin.1.origin. The Trojan also sends all of the gathered data, along with the device’s technical information, to the command and control server.

The malware abuses the stolen data to connect to the Google Play catalog and simulate the operation of the Play Store application. Some of the commands it can execute include searching the catalog to simulate user action, requesting application purchases, confirming purchases, confirming consent to a license agreement’s terms, and requesting a link to download an APK file from the catalog.

Additionally, the malicious program was designed to add, delete, and rate reviews in the Google Play marketplace, as well as to confirm a program’s download, which artificially inflates the total number of installs for that application.

Downloaded programs, however, are not installed, but instead saved to the SD card, which prevents victims from noticing an increase in the number of applications on their devices. This also means that the Trojan is likely to stay unnoticed on the infected devices longer, where it can continue increasing the number of installs of specific Google Play applications and artificially raising their popularity.

The security researchers explain that several modifications of the Trojan are at large, including one that can download any app from the store, based on a list of software that the cybercriminals provide the malware with. Another variant can download only one program, namely com.op.blinkingcamera.

“The Trojan simulates a tap on a Google AdMob banner containing an advertisement of this program, downloads its APK file, and automatically increases the number of total installs by confirming the bogus installation on the Google server,” the security researchers reveal.

Because Android.Skyfin.1.origin is installed in the system directory, only anti-malware applications that have root access on the infected device can remove it, Doctor Web notes.

Related: "Gooligan" Android Malware Steals Authentication Tokens to Hack Accounts

Related: Xiny Android Trojans Can Infect System Processes

Related: Mobile Malware Shows Rapid Growth in Volume and Sophistication

FriendFinder Breach Highlights the Need for Better Practice in Password Security
Tue, 31 Jan 2017 07:32:00 -0600

The FriendFinder Network breach is a perfect example of how poor password storage can exacerbate the impact of a breach and expose accounts to further exploitation. Storing passwords in clear-text, or using weak hashing schemes, will make it far easier for attackers to exploit the stolen data.

FriendFinder Networks owns several adult-only websites where individuals input their own details in the hope of finding a match, and this is not the first time it has been hit by a data breach. In May 2015, the details of four million users were leaked. Unfortunately, it seems that FriendFinder has not learnt its lesson, as this recent attack is very similar to the one it suffered the previous year. It would seem that it has done very little to improve its security, with many newly registered accounts having passwords still stored in clear-text.

The latest leak, which included 412 million FriendFinder users’ personal information, is the largest breach of its kind and just one more in a long list of high profile attacks to occur in the past few years. Customers who had previously deleted their accounts have also found their details to have been stolen, bringing to light the fact that FriendFinder is storing deleted customer account details without permission. It has become apparent that FriendFinder also did not store passwords using secure methods. In total, 99% of the passwords, including those hashed with SHA-1 or stored in plain visible format, were discovered by LeakedSource, a data breach monitoring service.

Furthermore, the effect of the breach of passwords was not limited to accounts on FriendFinder, as it is still a common practice for people to use the same password multiple times. This makes a hacker’s job far easier, as once they have successfully discovered a password they will try to use it on all other sites requiring one, potentially gaining access to numerous accounts.

Best practice for protecting passwords

FriendFinder is far from the only company to fall short when it comes to password best practice, however, and there are a number of steps all companies should be taking to prevent themselves becoming the next headline.

When it comes to protecting sensitive information on websites, users should be advised on how to create strong passwords. Traditionally, the usage of a mixture of upper and lower case letters, words, numbers and symbols has been suggested. General advice is also to avoid using easily guessed combinations of words or numbers, especially consecutive ones or ones which someone could easily deduce, for example dates of birth or well known names connected to you. Words found in the dictionary can also be easy to hack, and there are password-cracking tools readily available on the internet that often contain dictionary and common word or name lists.

The National Cyber Security Centre (previously CESG) has recently published more modern advice on how to choose strong passwords. These guidelines encourage the usage of long, memorable phrases rather than short passwords that expire often. These are more difficult to crack for attackers.

But protecting passwords is not just a user’s responsibility. It is also essential that companies take appropriate measures to store user credentials. The current preferred way to store passwords is by using adaptive one-way functions that support the configuration of salts and work factors. Cryptographically strong salt values augment entropy and prevent dictionary attacks based on pre-computed lookup tables. Moreover, work factors allow us to impose long verification times on attackers, making them less effective at cracking passwords at scale. Examples of such algorithms that should be used today to store passwords include: Argon2, PBKDF2, scrypt and bcrypt.
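As an added example (not code from the article, and not FriendFinder's), the following Python implements the storage scheme this paragraph recommends: a random per-record salt plus a tunable work factor, using PBKDF2-HMAC-SHA256 from the standard library, with constant-time verification and a rehash path for raising the work factor later. The record format, the iteration count and the `login` helper are assumptions of this example; the unsalted SHA-1 helper is included only to contrast it with the adaptive scheme.

```python
# Added example: salted, adaptive password storage (PBKDF2-HMAC-SHA256)
# beside the unsalted SHA-1 scheme the article says FriendFinder used.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # work factor (assumed value); raise it as hardware gets faster
SALT_BYTES = 16                # 128-bit random salt per record
DKLEN = 32                     # derived key length in bytes


def legacy_sha1(password: str) -> str:
    """Unsalted, single-round SHA-1: fast to compute and identical for every
    user who picks the same password, so precomputed tables crack it at scale."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_b64$hash_b64.

    Storing the iteration count and salt beside the hash lets every record be
    verified later, even after the default work factor has been raised."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # cryptographically strong, unique per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and work factor and
    compare in constant time so the comparison leaks no timing information."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(parts[1]), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record is malformed, uses another scheme, or uses a
    weaker work factor than current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations


def login(password: str, record: str,
          min_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Verify the password; on success return a fresh record when the stored
    one needs upgrading (the caller persists it), otherwise None."""
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record, min_iterations):
        return True, hash_password(password, min_iterations)
    return True, None


if __name__ == "__main__":
    # Constructed sample credentials, not data from any breach.
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple"}
    print("legacy SHA-1 (same password -> same digest, table lookup works):")
    for name, pw in users.items():
        print(f"  {name}: {legacy_sha1(pw)}")
    print("PBKDF2 records (same password -> different records thanks to the salt):")
    records = {name: hash_password(pw) for name, pw in users.items()}
    for name, rec in records.items():
        print(f"  {name}: {rec}")
    print("alice, right password:", verify_password(users["alice"], records["alice"]))
    print("alice, wrong password:", verify_password("wrong", records["alice"]))
```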

We must assume that, even with strong passwords and appropriate storage, an attacker could still in some cases manage to retrieve some passwords, such as through key loggers. In such cases, an additional defence-in-depth control should be considered in the form of multi-factor authentication as an obvious step to increase account security and mitigate the exposure of accounts whose passwords have been compromised. 

Preventing password theft

Finally, it is also important to build processes and controls that help reduce the probability of credentials being stolen. The FriendFinder breach was reportedly caused by a Local File Inclusion (LFI) vulnerability. Introducing security activities from the very beginning of the Software Development Lifecycle and ensuring all developers are properly trained on security topics are good controls that would have helped prevent and/or detect this type of vulnerability before the application went live.

Given the number of large scale attacks we have seen in a relatively short space of time – TalkTalk and The Panama Papers, to name just two – it is more important than ever to ensure that organisations make data security a priority. They must implement software that will store all passwords following the most up-to-date security guidelines. They also need to advise users on how to create strong passwords or passphrases that are difficult to guess or decipher using brute force methods. Every extra character used makes it an order of magnitude harder to crack.

New Year’s Resolution 2017: Build Better Security Programs
Mon, 30 Jan 2017 07:50:00 -0600

Right up to the bitter end, massive cyber attacks made waves in 2016. In the heart of the holiday season, Yahoo presented us with a lump of coal instead of a gift: their December 14 announcement of yet another massive breach of user accounts was shocking for many reasons. The scale of the breach is alarming: more than a billion accounts were compromised, and the associated names, phone numbers, birth dates, security questions, and encrypted passwords are in the hands of an unauthorized third party, as confirmed by law enforcement. Moreover, the data was stolen in August 2013, which means that Yahoo failed to detect the breach for more than three years, and that unsuspecting users have been exposed to identity theft and further account compromise for the entire period.

This most recent incident holds the dubious distinction of being the largest known breach in the history of the Internet, and may finally seal Yahoo’s fate. It follows closely on the heels of Yahoo’s September breach announcement about a 2014 attack that resulted in 500,000 stolen user account records, which topped yet another breach in 2012 that affected 450,000 users. Yahoo had ample warning and time, but there is evidence that security was not a high enough priority at a company struggling to reinvent itself in the shadow of giants Google and Facebook.

Unfortunately for Yahoo, they may become a legendary cautionary tale. Their $4.8 billion deal with Verizon will likely be downsized, their reputation with customers and partners sullied, and their stock devalued. We’ve seen other massive breaches lead to a cascade of negative incidents: stolen credentials that were reused on multiple sites and services can be used to commit identity theft, account takeovers, bank fraud, and breaches at other organizations.

Being jolted by such a harsh reality check should spur us to learn from others’ lessons and take meaningful preventative measures. Based on comprehensive assessments of the threat landscape, Information Security Forum recommends that businesses focus on the following security topics in 2017:

  • The Internet of Things (IoT) Adds Unmanaged Risks
  • Crime Syndicates Take a Quantum Leap
  • Government and Regulators Won’t Do It For You
  • The Role of the End User – the Weakest or Strongest Link in the Security Chain

We’ve provided an overview for each of these areas below:

1. The IoT Adds Unmanaged Risks

Just as privacy has developed into a highly regulated discipline, the same will happen for data breaches sourced in the IoT environment. Fines for data breaches will increase. As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organizations and impose even bigger fines. The European Commission has said it is planning to push industry governance measures to improve the security of internet connected devices such as cameras, set-top boxes and other consumer electronics, amidst increasing exploitation of such devices to carry out online attacks.

The IoT will also transform supply chain leaders' access to information, as well as the exposure of operations to cyber-risk. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate information. Even the smallest supplier, or the slightest supply chain hiccup, can have dangerous impacts on your business. Brand management and brand reputation are subject to the successful security of your supply chain and thus both are constantly at stake.  Businesses must focus fixes on the most vulnerable spots in their supply chain now, before hackers, or other cybercriminals, find their way in to disrupt your global distribution of goods and services.

When it comes to corporate communications, the primary way that many connected devices communicate is via the cloud. Organizations need to understand that putting private information into the cloud creates risk that must be understood and managed properly. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. In moving their sensitive data to the cloud, all organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection. With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.

2. Crime Syndicates Take a Quantum Leap

Criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime.

Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide. Rogue governments will continue to exploit this situation, and the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls. Emerging markets will be hit the hardest, particularly where newly connected organizations are novices with online security. This may also occur where the rule of law is weak and political structures are susceptible to co-option or corruption. Cooperation between governments and international organizations such as Interpol will be strained and appear feeble when faced with the challenge of safe havens for criminal organizations.

Legal grey areas will open up new market niches to organized crime. One of the most prominent markets will be for criminal groups who ‘hack back’ on behalf of legitimate organizations and who base their operations in countries with permissive legal environments. These groups will leverage ‘jurisdictional arbitrage’ to provide services to companies that have lost valuable data and are frustrated with the inability of law enforcement to cooperate internationally and deter expensive and embarrassing hacking incidents.

3. Government and Regulators Won’t Do It For You

In 2017, the number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Public opinion will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. International regulations will create new compliance headaches for organizations while doing little to deter attackers.

With reform on the horizon, organizations conducting business in Europe, or those planning to do so, must get an immediate handle on what data they are collecting on European individuals. They should also know where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it. The demands of the incoming EU General Data Protection Regulation and the Network Information Security Directive will present significant data management challenges to the unprepared, with the potential for hefty fines for those who fail to demonstrate security by design and fall victim to cyber-attack or information loss.

4. The Role of the End User – The Weakest or Strongest Link in the Security Chain

In the coming year, organizations need to place a focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.

Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior and habits that become part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk.

A Continued Need to Engage with the Board

The role of the C-Suite has undergone significant transformation over the last decade. Public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It’s become increasingly clear in the last two years that in the event of a breach, the hacked organization will be blamed and held accountable. That means everyone in the C-suite is potentially on the chopping block.

The executive team sitting at the top of an organization has the clearest, broadest view. A serious, shared commitment to common values and strategies is at the heart of a good working relationship between the C-suite and the board. Without sincere, ongoing collaboration, complex challenges like cyber security will be unmanageable. Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is better achieved when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.

Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect people.

Don’t Become a Legend for the Wrong Reason

In the face of Yahoo’s bad news—and many other high profile breaches around the world—it is hard to ignore the pervasive threat of cyber attacks and their cancerous consequences. Government agencies, democratic elections, critical infrastructure, multinational corporations, and high profile individuals have been targeted and damaged this year. Every kind of organization needs to be more aware of emerging threats, shifting attack vectors, and the latest strategies for defending against them. And every person, from the CEO to the cashier, should be held to a higher standard of security awareness and accountability. The Internet is a vital, shared resource—a reality that should be more ingrained in our corporate and civic culture.

Incidents will happen; it’s impossible to avoid every breach. But you can commit to building a mature, realistic, broad-based, collaborative approach to cyber security and resilience. Maturing your organization’s ability to detect intrusions quickly and respond expeditiously will be of the highest importance in 2017 and beyond.

Copyright 2010 Respective Author at Infosec Island

Alan Turing, Undecidable Problems, and Malware
Mon, 23 Jan 2017 07:54:00 -0600

In 2003, Oxford University Philosophy Professor Nick Bostrom posed the following question: what if an artificial intelligence (AI) machine were given just one task: to create as many paper clips as possible? If you think about it, this AI machine might decide to kill off the human race. Why? Because 1) humans may decide to turn it off, and 2) humans are made up of atoms that could be used to make more paper clips.

Alan Turing thought about such information technology challenges almost a century ago. In 1936, Turing argued that humans can never predict whether a computer (a “Turing machine”), even given infinite processing power, storage space, and time, will provide a final Yes or No answer for an arbitrary program and arbitrary input. In other words, we cannot know if or when a computer will finish its work, or simply run forever, calculating who knows what. The reason is that any proposed prediction procedure can be fed a program built to do the opposite of whatever it predicts, so the procedure contradicts itself. Therefore, humans just have to wait for a computer to provide some kind of answer, and then evaluate whether it is what they were looking for, and whether the result seems reasonable.

Over the years, there have been interesting variations on this theme. In 1983, Turing Award winner Ken Thompson argued that an evil compiler could automatically insert a secret backdoor into every program it generates, and that no one could know about it because every “trace of malice” in the compiler’s source code could be removed. The moral, Thompson wrote, is that you cannot trust code that you do not “totally” create yourself – including the compiler.

These are not idle, philosophical questions with no practical value. For the analysis of malicious code – or “malware” for short – simple programs do not pose too much of a problem. However, in the current IT landscape, there is simply too much “attack space.” Hackers regularly sneak malware into images (via steganography), advertisements, software updates, and more, within the millions of lines of code passing through your network every day. And even with access to source code, it is not possible to discover all possible vulnerabilities and attacks, from buffer overflows to SQL injection techniques.

Furthermore, we have to consider the impact of time. Software analysis is not only complex, but also time-consuming. In the Internet era, the average human’s attention span is down to 9 seconds. Consider an analogy from tournament chess, where each player has two opponents: the person sitting across the table, and the ticking chess clock. The business world has the same problem: time is money, and you have to move fast.

Attackers know that complexity plus time constraints are a dynamite combination. Your employees need access to untrusted files and programs, but your anti-malware solutions cannot deliver a reliable verdict within a reasonable time frame.

So what is the best way to secure your network? In order to keep workers happy and productivity high, sometimes you have to run untrusted code. But that code should be run in quarantine, where it cannot damage your IT infrastructure. In parallel, the untrusted code must be subject to a combination of software and (if need be) human analysis. Following that, the previously unknown code can be added to the whitelist of trusted files – or to the blacklist, where it will stay forever.
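As an added illustration of the argument above (example code written for this page, not Comodo's or the author's), here is Turing's diagonal construction in Python, with a step-limited "sandbox" standing in for the time-constrained analyser the article describes. The step-budget model, `bounded_halts` and `make_troublemaker` are assumptions of the example, not anything from the article.

```python
# Added example (not from the article): Turing's diagonal argument written as
# code, and what it means for a time-limited malware analyser.
# Assumptions: a "program" is modelled as a callable prog(arg, budget) that
# either returns or raises OutOfBudget; "runs forever" is modelled as using up
# the whole budget. Nothing here is any vendor's code.
from typing import Callable, List


class OutOfBudget(Exception):
    """The program did not finish within the steps the observer would wait."""


def bounded_halts(prog: Callable, arg, budget: int) -> bool:
    """A sandbox-style analyser.

    It runs prog(arg) for at most `budget` steps and reports whether it finished.
    This is all any real analyser can do: it answers "did it halt within my
    budget", which is not the same question as "does it halt".
    """
    try:
        prog(arg, budget)
        return True
    except OutOfBudget:
        return False


def spin_forever(budget: int) -> None:
    """An infinite loop as seen by a finite observer: burn the budget, give up."""
    for _ in range(budget):
        pass
    raise OutOfBudget


def make_troublemaker(analyser: Callable) -> Callable:
    """Turing's construction: a program that asks the analyser what it would
    say about its own input, then does the opposite.

    Whatever verdict `analyser` gives about troublemaker(troublemaker), the
    program behaves so as to make that verdict wrong.
    """
    def troublemaker(arg, budget: int) -> str:
        if budget <= 0:
            raise OutOfBudget                  # no time left at all
        # Ask the analyser about arg applied to itself, with the time remaining.
        if analyser(arg, arg, budget - 1):
            spin_forever(budget - 1)           # "You say it halts? Then I loop."
        return "halted"                        # "You say it loops? Then I halt."
    return troublemaker


def verdict_history(max_budget: int) -> List[bool]:
    """Analyse the troublemaker against itself with budgets 0..max_budget.

    Each verdict is 'correct' for the budget it was computed with, yet it flips
    with every extra step the analyser is granted: the answer is a property of
    (program, time limit), not of the program alone.
    """
    t = make_troublemaker(bounded_halts)
    return [bounded_halts(t, t, b) for b in range(max_budget + 1)]


def is_stable_verdict(history: List[bool]) -> bool:
    """True if giving the analyser more time never changed its answer."""
    return len(set(history)) <= 1


if __name__ == "__main__":
    hist = verdict_history(8)
    for budget, verdict in enumerate(hist):
        print(f"budget={budget:2d}  analyser says: {'halts' if verdict else 'loops'}")
    print("stable verdict:", is_stable_verdict(hist))
```

The flipping verdict is why the article's conclusion matters: a "clean within the time limit" result from an automated analyser is a statement about the time limit, so unknown code stays contained until software and, if need be, human analysis reach a verdict.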

About the author: Kenneth Geers (PhD, CISSP) is Senior Research Scientist at Comodo, a global innovator and developer of cybersecurity solutions. He is also a NATO CCD COE (Cyber Centre) Ambassador, a Non-Resident Senior Fellow at the Atlantic Council, an Affiliate at the Digital Society Institute of Berlin, a Visiting Professor at Taras Shevchenko National University of Kyiv in Ukraine and an accomplished author.

The Forgotten Security Frontier: The Phone Call
Mon, 23 Jan 2017 07:02:00 -0600

If you’re reading this article, then the chances are good you’re planning to attend at least one or two security conferences this year. 2017 is ramping up to be a banner year for security, between the national stage (i.e. the unfortunate hacking saga) and the high-profile brands that have experienced network attacks at the end of 2016.

It’s a sure bet, however, none of the conferences you plan to attend will lead with a session like “UC Communications: The Way In!” But maybe they should. IP-based Unified Communications (UC) and phone security is one of the most overlooked and misunderstood pieces in your security fabric.  

Your Communications Network Is Likely Unsecure 

In the late 90s and early 00s, a lot of companies, including Sonus, were part of a massive Voice over IP (VoIP) revolution that quietly moved most wired and wireless communications onto IP-based networks through a protocol known as SIP (Session Initiation Protocol). Most consumers weren’t even aware of the change. Prices became cheaper, and phone quality was initially an issue for some of the early adopters, but today it’s nearly impossible to tell the difference between a voice call that traverses the Internet and one that runs over a private network.  

But here’s the problem: the changeover was so subtle, many people kept thinking of their phone as a device connected to a private network, rather than one connected to the public Internet. For those of you still using a desk phone: yes, it is probably an IP device. The same goes for those of you using a softphone—that’s also an IP device, just like your smartphone, laptop or personal computer. And the signaling and messaging between the devices all runs over IP, typically the SIP protocol. Many companies have had to disable their firewalls for SIP communications, because SIP doesn’t work if your firewall blocks the SIP ports. This leaves your mobile clients and your communications networks susceptible to Internet-based attacks including DDoS attacks, fraud, malware and more. Independent risk assessments, penetration testing and compliance audits have all shown this to be one of the most common vulnerability gaps in network security.

How Much Trouble Can IP-based Communications Cause?

Any IP-based device that is connected to both the Internet and your internal network represents a potential “hole” in your network. That device may be a smartphone that has access to business apps, a laptop carrying sensitive financial data or an office phone with access to your corporate directory. For most of us, I hope, securing our smartphones and laptops is second nature. Yet how many of us really give a second’s thought to securing the UC network and mobile clients that power our communications?  

If you need some incentive to secure your UC network, here are several powerful reasons:  

Toll Fraud

Every year, businesses lose billions of dollars through long-distance phone call fees that are placed illegally from their business. How do hackers get access to their phone system? Through the UC enabled Private Branch Exchange (PBX) or by hacking an employee’s mobile client directly. Each year, more enterprises—and, sadly, small businesses too—discover that someone has breached their phone system and racked up tens of thousands of dollars in long-distance fees. Unfortunately, these companies are often responsible for these fees even if they can prove the calls didn’t originate from their employees.  

Distributed Denial-of-Service (DDoS) Attacks

DDoS attacks have been making headlines after recent high-profile attacks temporarily took down the sites of Twitter, Airbnb, the New York Times and many others. But websites aren’t the only target of DDoS attacks; call centers are also vulnerable. By targeting a phone number or SIP URL instead of a website’s URL—remember, in the Internet world, both are simply IP addresses—DDoS attacks can paralyze customer service and shut down phone sales for hours, severely impacting business.   

Caller ID Spoofing

For better or worse, caller ID carries a more implicit sense of trust than an email. That makes the act of caller ID “spoofing”—displaying a false caller ID—more dangerous. One criminal group, for example, was able to steal millions of dollars from unsuspecting U.S. citizens by posing as the Internal Revenue Service. These calls, which claimed that the victims owed the I.R.S. various payments for taxes, prominently displayed the I.R.S. credentials on the victim’s caller ID. Never one to miss an opportunity, criminals are now using caller ID spoofing to collect personal information, a tactic known as “vishing” (a portmanteau of “voice phishing”).  

For Security Beyond the Call, Dial “SBC”

Although VoIP and SIP allowed enterprises to consolidate their voice and data networks into a single IP-based network, voice and data communications still have unique characteristics. Specifically, voice (and live video) have a much lower tolerance for latency and packet loss. These real-time communication (RTC) sessions need to be handled more sensitively in the network because they have different requirements than data, such as media transcoding, SIP message manipulation and special security considerations (e.g., network topology hiding, NAT traversal, blacklists).  

Using a standard data firewall to protect your IP network and mobile clients will likely backfire, because firewalls aren’t designed to support RTC’s requirements. Instead, companies need a session border controller (SBC) to secure RTC—and provide the transcoding and interoperability features as well. You can think of an SBC as a “traffic cop” that can enforce rules, give directions (in a variety of languages) and ensure that network real-time traffic flows smoothly and safely.  

As with many network technologies today, the SBC as a network element is increasingly being “virtualized” to reduce hardware, simplify deployment and support network service automation. In our own business, we’ve seen an increase in demand for virtualized SBCs that can be deployed in public or private clouds so they can scale up and down as traffic increases or decreases. This is especially useful in the case of DDoS attacks, which can range from light to heavy, and often do by design.  

The reality is that office voice communications are not going away any time soon. In fact, with the popularity of UC, we’re seeing the role of the UC mobile client increase to handle live video, text messages and more. Despite our longstanding comfort with the phone as a business tool, companies need to remember that each mobile client is a connected, potential doorway into their network. SBCs can shut that door—and offer a host of other benefits, from high-definition voice capabilities to toll-free routing. It’s something that every business should be talking about, because it’s only a matter of time before hackers come knocking on your communications network.  

SAP Cyber Threat Intelligence Report – January 2017
Fri, 13 Jan 2017 03:00:00 -0600

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • The first set of SAP Security Notes of 2017 consists of 23 security patches. Most of them address XSS and Missing Authorization Check vulnerabilities.
  • The most dangerous security issue was assessed at 9.8 (of 10) by CVSS base score v3.0.
  • SAP SSO has a DoS vulnerability. This mechanism provides access to cloud and on-premises solutions through the web, via mobile devices, and from native SAP clients. Thus, by exploiting the vulnerability, an attacker can prevent numerous SAP customers from accessing applications required for their work.

SAP Security Notes – January 2017

SAP has released the monthly critical patch update for January 2017. This patch update closes 23 vulnerabilities in SAP products (19 SAP Security Patch Day Notes and 4 Support Package Notes).

4 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 2 of the Notes are updates to previously released Security Notes.

1 of the released SAP Security Notes has a Hot News priority rating. The highest CVSS score of the vulnerabilities is 9.8.

The most common vulnerability type is Missing Authorization check.

Issues that were patched with the help of ERPScan

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Denial of Service vulnerability in SAP Single Sign-On (CVSS Base Score: 7.5). An update is available in SAP Security Note 2389042. An attacker can use a Denial of Service vulnerability to terminate a process of the vulnerable component. While it is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • An XML External Entity vulnerability in SAP NetWeaver Visual Composer (CVSS Base Score: 6.4). An update is available in SAP Security Note 2347439. An attacker can use an XML External Entity vulnerability to send specially crafted, unauthorized XML requests that will be processed by the XML parser, and through it gain unauthorised access to the OS file system.
  • A Cross-Site Scripting vulnerability in SAP Enterprise Portal Real Time Collaboration (CVSS Base Score: 6.1). An update is available in SAP Security Note 2341302. The component does not sufficiently encode user input, resulting in a Cross-Site Scripting vulnerability.
  • An SQL Injection vulnerability in SAP NetWeaver UDDI Server (CVSS Base Score: 4.1). An update is available in SAP Security Note 2356504. An attacker can exploit an SQL Injection vulnerability with the help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administrative operations on a database, remove data or make it unavailable. Also, in some cases, an attacker can access system data or execute OS commands.

About Denial of service vulnerability in SAP Single Sign-On

SSO (Single Sign-On) is a mechanism that allows a user to use one set of login credentials instead of numerous sets of passwords, which may be weak, reused, or written down somewhere, to access multiple applications the user has rights to access. Thus, it enhances the security level and protects sensitive company and personal data.

SAP states that SAP SSO technology provides SAP customers with a secure access to SAP and non-SAP business applications across the whole landscape. It also “supports both cloud and on-premises scenarios, providing simple and secure single sign-on access through the web, via mobile devices, and using native SAP clients” (source).

Unfortunately, security measures implemented by a vendor can sometimes pose another security risk. This month, SAP closed a DoS vulnerability in the SAP SSO solution identified by an ERPScan researcher. The issue allows an attacker to crash or flood the service; as a result, legitimate users won’t be able to access any of the linked applications. Such downtime may deprive the victim company of revenue.

It is not the first time ERPScan researchers have discovered vulnerabilities in solutions that themselves introduce security measures. For example, there is a vulnerability in PeopleSoft SSO and several critical security issues in SAP Afaria (an MDM solution from SAP).

The most critical issues closed by SAP Security Notes January 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2407862: SAP Sybase Asset Management has multiple buffer overflow vulnerabilities (CVSS Base Score: 9.8), CVE-2015-8277. An attacker can use a buffer overflow vulnerability to inject specially crafted code into working memory that will then be executed by the vulnerable application. Executed commands run with the same privileges as the service that executed them. This can lead to complete control of the application, denial of service, command execution, and more. Install this SAP Security Note to prevent these risks.
  • 2361633: SAP Business Intelligence platform has an SQL Injection vulnerability (CVSS Base Score: 6.4). An attacker can exploit an SQL Injection vulnerability with the help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administrative operations on a database, remove data or make it unavailable. Also, in some cases, an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent these risks.
  • 2377626: SAP Enterprise Portal Theme Editor has a Cross-Site Scripting vulnerability (CVSS Base Score: 6.1). An attacker can use a Cross-Site Scripting vulnerability to inject a malicious script into a page. Install this SAP Security Note to prevent these risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.
