Several children saved from live streaming child abuse ring

Eight children have been saved from a life of sexual abuse following the arrest of a group offering live-streamed sexual abuse. The arrests and rescues followed international efforts by law enforcement authorities in Belgium, Australia and the Philippines.

Europol press release – “The operation began in Belgium as a case against a Dutch citizen in Antwerp who was sexually abusing his very young foster children in Cambodia as well as other children in the Philippines. Authorities tracked his involvement in producing and distributing child abuse images (including his own material) and videos of live child abuse that were filmed in front of webcams. The Dutch suspect and a female abuser were arrested, and all eight of the vulnerable children were removed from harm.” 

Christian Berg, CEO and founder of NetClean, which recently trained Task Force Argos, an Australian law enforcement unit involved in identifying the children, commented:
“Tackling live streamed abuse takes the typical analogy of finding a needle in a haystack and adds the complication that this needle only exists for a finite period of time. This case is an incredible example of the law enforcement community collaborating to overcome one of the most challenging crime types that the online world has facilitated.

“This kind of case emphasises how critical it is to find those who view or distribute child sexual abuse material, and analyse all of the content they have, regardless of how much there is. One image, one video can sometimes be the clue that brings the whole house of cards tumbling down. This shows that even those who participate in live-streamed abuse, where the digital evidence of abuse is fleeting, can be brought to justice. 

“Those who watch this kind of content often save videos or screenshots of the content to look at again; analysing this material can be critical for breaking cases. But all too often this kind of imagery is hidden in plain sight, within case loads of hundreds of thousands of images of child sexual abuse. Law enforcement need investment, training and the right tools to ensure they can focus on new material, containing new and unrescued victims, not the same images that appear in every paedophile’s collection.

“Every computer and every network should be equipped to identify when a child sexual abuse image or video is viewed, downloaded or shared. Finding one individual who uses this kind of content can be the start of a trail of breadcrumbs, leading to the rescue of children and the breaking of international abuse rings.”


Hersheypark investigating possible data breach

Hershey Entertainment and Resorts, the company that owns Hersheypark, is investigating a possible data breach that may have exposed guests’ credit card information.

Commenting on this, Mark Bower, global director at HP Security Voltage, said: “Resorts and hospitality service providers have additional challenges to deal with in respect to payment card security. Card on file transactions are common, meaning card data is often stored longer than typical retailers to maintain customer bookings and for resort service charges after check-in. Feeds from online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information. However, resorts and hospitality organisations can avoid the impact of the advanced attacks common in the retail segment. Proven methods are available to neutralise this data from breaches either at card read at the POS in person or via web booking platforms. Leading travel related organisations, airlines and travel booking aggregators have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.”


Expert comment on the recent cyber attack against LOT, Polish Airline

A cyber attack against the IT network of LOT, the national airline of Poland, left at least 10 flights with over 1,400 passengers grounded over the weekend.

Cris Thomas, Strategist of Tenable Network Security, commented on the subject:

“Airline flight control computers, like the ones attacked at the Polish airline LOT, aren’t anything special. There is nothing different about a computer that issues a flight plan than the one most people use at work every day, other than perhaps the flight plan software itself. As such, the computer is susceptible to the same attacks, malware and other issues that plague every other computer and ideally should have the same security systems in place as well.

Usually the people that attack computer systems want them to keep running; it does not help the bad guys if the computer systems they attack suddenly stop working. So it is a little surprising that the LOT systems were unusable for five hours while the systems were being fixed. It is possible that LOT took the machines offline on purpose to help them institute the fixes. Unfortunately there is a lack of technical information available about what exactly happened.

The quoted statement by Adrian Kubicki, LOT spokesman, that this was the first hack of its kind is incorrect. There have been several similar attacks targeting airports, airlines and related systems over the years. These date back to at least 1997 at Worcester Airport in Massachusetts where a teenager disabled the phone system, radio communications, runway lights and other systems at the airport for six hours.”


The Syrian Electronic Army hacks show why it’s important to ensure suppliers apply adequate cyber security

The news earlier this month that hacktivists from the Syrian Electronic Army (SEA) hacked and defaced the official website of the United States Army shows how important it is to ensure that your third party vendors apply adequate and robust security. In this case, the SEA defaced a page, inserting a message on the hacked US Army website blaming the country for training and sending terrorists to fight the Syrian President Bashar Al Assad.

TK Keanini, CTO, Lancope commented: “The takeaway for everyone should be that, as one outsources and does business with partners, security practices must be considered. Outsourcing websites – whole or in part – still means it is your website and, when breaches occur, it is still your breach. Evaluate and monitor the security of your partners as if it were your own.”

Gavin Reid, VP threat intelligence, Lancope added to this, stating:
“TK is spot on with SEA. The hack of third parties to compromise the parent organisation is a well known tactic of SEA. They used this same technique to hack a DNS registrar and in turn compromise Twitter, The New York Times and The Huffington Post. Similarly, the SEA previously compromised ‘OutBrain’ – a third party content recommendation system that allowed SEA to inject their message into the Washington Post, Times and CNN. Looking at CNN, there are over 300 separate web connections that occur when a user connects, many to third party services. The content providers need to understand and ensure the integrity and security of all those connections.”


Another month another medical device that can be hacked

There have been recent reports that a new hacking threat has the medical community alarmed as a security researcher says he’s discovered a way for hackers to change the dosage of medications delivered by a patient’s drug pump.

The security researcher, Billy Rios, had been testing several drug pumps for vulnerabilities. Earlier this year, he discovered that a hacker would be able to change the maximum level allowed for certain drugs, meaning that, if a higher dose of a particular drug was given, the device would not alert medical staff. The devices all have a “drug library” that holds information about maximum dosages for different medications, and Rios had discovered that access to that library didn’t have to be authenticated, and anyone on the hospital’s network could load a new one, with higher maximum dosages. 

This wasn’t too alarming, since Rios hadn’t seen any way to actually change the dosage being administered itself. But then he kept on searching. He discovered that the same connection in the pump that allows Hospira to access and update the device’s firmware can also be accessed by hackers to upload a faulty update. The system doesn’t require authenticated and digitally signed updates. If you can update the firmware on the main board, you can make the pump do whatever you like.

Commenting on this rather scary story, Lancope CTO, TK Keanini, said:

“The Internet connects computers around the world, and these devices have transformed over the years. From giant systems that fill an entire room, to the Internet of Things, the Internet also connects us with cyber criminals; unfortunately, you will be a target of their activities, frequently without being aware. Now that practically every device we use – from printers to thermostats to medical equipment – is connected to the Internet, the security of ‘things’ has become a scarily large topic. In fact, by 2020, 26 billion objects will be connected to the internet. Unless we can quickly adapt to the Internet of Things, the next compromise will likely be on a massive scale and could affect the most intimate levels of our lives. Today you may tend to the security of maybe several devices. However, with the Internet of Things, you will add your car, all of the home and even medical devices as this story mentions. These talented bad guys will find a way to compromise the system and then you will need an update. Most people will never update these Internet of Things devices and herein lies the real issue. Securing a system is about constantly being able to adapt to the changing threat environment. We have a hard enough time updating all our current applications, now add 30 more devices from 10 different vendors and you see the problem.”



“Zombifying” cyber-attack could affect +50 million users

More than 50 million people per month could be at risk of a mass-scale ‘malvertising’ cyber-attack that turns computers into Zombies, according to researchers at Websense. The attack routes through advertising platforms to target popular websites, with researchers noting breaches on Bejewelled Blitz on Facebook, CNN Indonesia, the official websites of Prague Airport and RTL Television Croatia, as well as Detik and AASTOCKS.

It was discovered that the attack utilises open advertising platform OpenX, which sees up to 100 billion impressions per month, to compromise and inject malicious code which is spread to multiple websites. The injected code leads to a redirect which has been seen to lead to the highly prevalent Angler Exploit Kit, which exploited the latest Adobe Flash Player vulnerability (CVE-2015-3090), distributed CryptoWall 3.0, Bedep and Necurs, as well as a Trojan known as ‘Bunitu.’ The Bunitu malware dropped by Angler ‘Zombifies’ computers, by causing infected machines to act as a proxy. This enables it to be used for subsequent malicious activity and allows cybercriminals to hide behind legitimate users’ machines to avoid detection by the authorities.

Carl Leonard, principal security analyst at Raytheon|Websense, said: “Advertising networks are an increasingly popular focus for cybercriminals, as they open up avenues to infect millions of users with minimal effort. The growing nature of evasion, stealth and variation employed in the malicious code means that it’s more important now than ever to deploy a security solution capable of stopping threats at multiple points in the kill chain.”

Commenting on this, Lancope CTO, TK Keanini, said:

“I think this quote from Websense says it all, and let me call out a few things here to highlight the salient points.

These methods are popular for cybercrime because they require minimal effort, which means lowering their operational costs. We, in turn, need to ensure that we are doing everything to raise their operating costs. Business leaders understand these economics, and until we treat this as a business problem, cyber crime will continue to operate at a low cost and high profit, meaning their business is growing and they are expanding.

He also says that we need to do everything to stop their operations along the kill chain. This kill chain terminology limits us in our discussion, and I prefer to call it the attack continuum because then we can, in the same thought process, speak about a defence continuum, which describes perfectly the strategy we must instrument and operate. The defence continuum captures the defender’s tactics, techniques and procedures that raise the cost to the attacker’s operation and objectives.”


Who knows more about you?

In light of last week’s 4 million strong data breach, described as one of the largest thefts of government data ever seen:

“Last Thursday night, U.S. officials said that the Office of Personnel Management (OPM) had suffered a breach. Data from four million current and former federal employees, across numerous government agencies, may have been stolen by Chinese hackers. It does not take a security expert to see a pattern taking place here. Most of the attacks allegedly from China over the past few years have gone after the personal information of US citizens, and there is no sign that this trend will diminish. It is fair to assume, at this point in the game, that China may have more accurate information on US citizens than the US itself.

The OPM manages security clearances for various government organisations. During that process, employees must provide extreme detail on every aspect of their life – which is in turn stored and kept in the same systems that were breached.

Organisational confidence takes a long time to build, but can be (and is) eroded much more quickly. Governmental breaches put these trusted government organisations in the same light as all the recent private company breaches (like Target, Home Depot). Much like your personal medical history, the big difference here is the government has much more sensitive data about their victims, and the victims have no choice in sharing that data.

This attack once again exemplifies the need for more security resourcing in the federal government and the need for a different, more comprehensive approach to incident detection and response. The current methodologies have led to this breach – not avoided it. Attacks are being detected much too late in the attack continuum. Effective security these days means detecting these threat actors as they operate and before they exfiltrate data. You can’t win all the battles, but all of these headlines suggest that we are still on the losing side.

In particular, organisations need to categorise and isolate what they need to protect, place additional controls around that information, and meticulously log and monitor access to that encrypted data.

For example, some past advanced attacks have targeted Windows administrative accounts. Smart organisations have realised this, and created a separate isolated set-up for domain admin accounts, with additional security controls around them (like dual factor authentication, jump boxes that are the only place domain admin activity can occur and logging and monitoring of that separate set-up). This isn’t fast, easy or cheap, but organisations have been pushed into adding these controls by ongoing attacks.

In addition, organisations need to leverage telemetry, and leave hackers no place to hide. If there is a blind spot on your network, someone will be hiding there. Find them and remove them in a way that they can’t get back in. These types of incident detection and response approaches have been vastly under-funded in the past, but as these hacks increase, we will see a shift in focus. Until organisations get better at doing this, we can guarantee that the Chinese will continue to have better data on US citizens than anyone in this country does, and this information superiority is what scares me the most.”


PhishMe researcher creates Dyre malware configuration dumper

Ronnie from PhishMe explains, “It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre. To dump the memory, you can use Process Explorer to do a ‘full dump’ on the process they inject into (typically the top-most svchost.exe, sometimes explorer.exe).”

Here’s what the output looks like:


Here’s a link to the script: http://phishme.com/wp-content/uploads/dyre_config_dump.txt


Chinese Hackers Circumvent Popular Web Privacy Tools

A new research paper has been released revealing how Chinese hackers have exploited vulnerabilities in the country’s most frequented websites to target individuals accessing web content that state censors have deemed hostile.

The research, by Jaime Blasco, Vice President and Chief Scientist at AlienVault, details a new watering hole attack being used to identify and track users in China who visit websites that are blocked by China’s censorship technology, often called the Great Firewall. The attacks exploit vulnerabilities in the top 5 websites used in China, including those run by Baidu and Alibaba, and use cross-site request forgery to expose users even if they have been accessing restricted sites via Tor or a VPN – two of the most trusted privacy tools on the internet.

The vulnerability, a form of JSONP hijacking, was first publicised in 2013, but the affected sites did not patch the problem, making these most recent attacks possible. The paper outlines how affected sites can fix JSONP hijacking vulnerabilities. It also warns private web users who live in an authoritarian country or are worried about being tracked to follow best practices when browsing the web, such as not browsing sensitive websites while logged into another website – even in a different tab or window.
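The pattern the paper describes, shown as an added example that is not AlienVault's code or any real site's code: a JSONP user endpoint that leaks the logged-in identity to any cross-site page, beside a hardened version of the same endpoint. The `/api/me` endpoint, the session store, the header checks and the request shapes are assumptions; requests and responses are plain objects so the logic runs without a web server.

```javascript
// Added illustration (not AlienVault's or any real site's code) of the
// JSONP-hijacking pattern described above and one hardened alternative.
// The /api/me endpoint, the session store and the header checks are assumptions;
// requests and responses are plain objects so the logic runs without a server.

// Constructed sample session store: cookie value -> logged-in user.
const SESSIONS = { sid_abc123: { uid: 42, name: "alice" } };

function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function sessionUser(req) {
  const sid = parseCookies(req.headers.cookie || "").sid;
  return SESSIONS[sid] || null;
}

// VULNERABLE: the identity comes back as executable JavaScript wrapped in a
// caller-chosen function, and the browser attaches the login cookie to a
// cross-site <script src=...> load. Any page the victim views can learn who
// they are; Tor or a VPN does not help, since the leak rides on the cookie.
function jsonpMeVulnerable(req) {
  const cb = req.query.callback || "callback";
  return {
    status: 200,
    headers: { "content-type": "application/javascript" },
    body: `${cb}(${JSON.stringify(sessionUser(req))});`,
  };
}

// HARDENED: plain JSON that cannot run as a script, a custom header that a
// <script> tag cannot set (a cross-site fetch adding it triggers a CORS
// preflight, which this endpoint never approves), and a refusal of anything
// the browser labels cross-site via Sec-Fetch-Site.
function meHardened(req) {
  const h = req.headers;
  if (h["sec-fetch-site"] === "cross-site" || h["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: { "content-type": "application/json" }, body: "{}" };
  }
  return {
    status: 200,
    headers: { "content-type": "application/json", "x-content-type-options": "nosniff" },
    body: JSON.stringify(sessionUser(req)),
  };
}

// Cookie attributes to set at login: SameSite=Lax makes the browser omit the
// cookie on cross-site subresource loads, which closes the leak on its own.
function sessionCookie(sid) {
  return `sid=${sid}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}

// Constructed request: what the browser sends for a third-party page's
// <script src="https://bigsite.example/api/me?callback=leak"> while the user
// is logged in to bigsite.example (headers as modern browsers emit them).
const crossSiteScriptLoad = {
  query: { callback: "leak" },
  headers: { cookie: "sid=sid_abc123", "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" },
};
```

Running `jsonpMeVulnerable(crossSiteScriptLoad)` returns the user's identity wrapped in the attacker-chosen callback, while `meHardened` returns 403 for the same request and only serves same-origin XMLHttpRequest calls.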

The full report is available at the link below.

https://www.alienvault.com/open-threat-exchange/blog/watering-holes-exploiting-jsonp-hijacking-to-track-users-in-china
