200,000 + devices still vulnerable to Heartbleed bug – expert comment

Security expert Graham Cluley posted on his blog that the Heartbleed bug, which was discovered in April 2014, is far from dead. In fact, it is estimated that over 200,000 devices are still vulnerable. It appears that a large proportion of the devices still affected are Internet of Things devices. Tom Court, cyber crime researcher at Alert Logic, commented:

“Unfortunately, research like this highlights the issue that the ‘Internet of Things’ lags far behind traditional Internet infrastructure when it comes to security best practices and arguably cannot be treated in the same way. Traditional server-side infrastructure is, on the whole, administered by someone with some level of IT security knowledge, and end-user devices like phones, laptops and tablets usually have a user interface that nags when updates need to be applied and guides the user through the process.

When it comes to the Internet of Things, the many devices that fall in this category including home-automation, routers and devices embedded in industrial processes are often considered ‘install and forget’, meaning that once up and running they may never get administered again.  Until a solution to this problem is found, IoT devices will continue to present serious security issues.

In corporate and industrial environments, mitigations to counter the threat of attacks against unmaintained devices can be put in place. These countermeasures are most effective in the form of continuous network monitoring to detect common attacks



Homicide Suspect Warning Email Brings More Than Bad News

AppRiver have identified a new kind of e-mail scam which impersonates a communication from London City Police. Fred Touchette, Senior Security Analyst at AppRiver, has said “The fake alert is meant to raise community awareness about a supposed homicide suspect who is on the loose in London and was made to look like it was sent out by the London City Police themselves. All of the information provided in the email body is seemingly important looking, but rather vague, by design. This is to raise curiosity and to direct readers to the real target, the attachment. This is where the real details of the case are, what is this suspect’s name, what do they look like, where were they last seen, etc etc, but instead, as is the norm, the attachment actually contains malware.”


In the picture above, you can see how the email appears to be important; however, it also has an ambiguity to it, which is designed to trick users into opening the attachment. Few anti-virus companies are able to identify the email at this stage, meaning thousands if not millions of web users are at risk. Furthermore, as scams go, this is a very convincing theme to try and engineer the intended response from a potential victim.

More information on the scam is available at the AppRiver blog: http://blog.appriver.com/



10 Facts You Need to Know About Data Breaches

By Deborah Galea, manager, OPSWAT

2014 was dubbed ‘the year of the data breach’. With many new data breaches dominating the headlines in 2015, including Anthem, the White House, banking attacks, and the latest employee data theft at the US federal government, one can only imagine what the name for 2015 will be: the year of even more data breaches?

According to the Ponemon Institute, 43% of companies experienced a data breach in 2014. Not only is the number of data breaches rising, the number of records stolen per breach is increasing as well as the cost per stolen record. It is apparent that current security measures are not sufficient to protect organisations from data breaches.

The SANS Institute reports that a whopping 95% of all attacks on enterprise networks gained entry through a spear phishing attack. A spear phishing attack is an email targeted at specific individuals that is engineered to look legitimate and fool even tech-savvy users. The email has a malicious attachment or link that, when opened, installs malware and tries to gain system access.

Clearly, spear phishing attempts are sometimes able to get past traditional spam filters and antivirus engines. No single antivirus engine will be able to block every threat. However, by deploying multi-scanning with multiple antivirus engines, the different detection algorithms and heuristics of each engine can be combined, which significantly increases the malware detection rate for known and unknown malware. Other technologies such as data sanitization and file type verification can also prevent threats that may go undetected by antivirus engines.
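The paragraph above names two layers besides multi-engine scanning: file type verification (does the attachment's content match what its name claims?) and a combined verdict across engines. The following Python is an added illustration of both checks and is not OPSWAT's code or any product's API; the magic-byte table, the engine names and the sample attachments are all constructed for the example, and a real deployment would use a far larger signature database and real scanner integrations.

```python
import os
from typing import Dict, List, Optional, Tuple

# Constructed magic-byte table for a handful of common attachment types.
# Real file-type verification uses much larger signature databases.
MAGIC_SIGNATURES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "zip": [b"PK\x03\x04", b"PK\x05\x06"],  # also the container for docx/xlsx
    "exe": [b"MZ"],                          # Windows PE executables
}

# Which detected content type a given extension is expected to carry.
EXPECTED_TYPE_FOR_EXTENSION = {
    "pdf": "pdf", "png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "exe": "exe",
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for kind, signatures in MAGIC_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def verify_file_type(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the declared extension against the detected content type.

    A 'mismatch' (e.g. an executable named invoice.pdf) is the classic sign of a
    malicious attachment trying to look harmless; anything other than 'match'
    is treated as a reason to block.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    detected = detect_type(data)
    expected = EXPECTED_TYPE_FOR_EXTENSION.get(ext)
    if expected is None:
        verdict = "unknown_extension"
    elif detected is None:
        verdict = "unrecognised_content"
    elif detected == expected:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"filename": filename, "extension": ext, "detected": detected,
            "expected": expected, "verdict": verdict, "block": verdict != "match"}


def combine_engine_verdicts(verdicts: Dict[str, str]) -> Tuple[str, List[str]]:
    """Fold per-engine verdicts ('clean', 'suspicious', 'malicious') into one.

    The most severe verdict wins, so a single engine with a signature for a
    sample is enough to flag it; the names of the flagging engines are returned
    for the analyst's report.
    """
    flagged_malicious = sorted(e for e, v in verdicts.items() if v == "malicious")
    if flagged_malicious:
        return "malicious", flagged_malicious
    flagged_suspicious = sorted(e for e, v in verdicts.items() if v == "suspicious")
    if flagged_suspicious:
        return "suspicious", flagged_suspicious
    return "clean", []


def should_block(filename: str, data: bytes, verdicts: Dict[str, str]) -> bool:
    """Layered decision: block on a type mismatch OR on any engine detection."""
    type_check = verify_file_type(filename, data)
    combined, _ = combine_engine_verdicts(verdicts)
    return bool(type_check["block"]) or combined != "clean"


if __name__ == "__main__":
    # Constructed sample attachments and constructed engine verdicts.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%...", {"engineA": "clean", "engineB": "clean"}),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00", {"engineA": "clean", "engineB": "clean"}),
        ("notes.docx", b"PK\x03\x04\x14\x00", {"engineA": "clean", "engineB": "malicious"}),
    ]
    for name, content, verdicts in samples:
        print(name, verify_file_type(name, content)["verdict"],
              combine_engine_verdicts(verdicts), "block" if should_block(name, content, verdicts) else "allow")
```

The second sample is the case the article is warning about: nothing in the engine verdicts is alarming, but the bytes are a Windows executable wearing a `.pdf` name, and the type check alone is enough to block it. The third shows the complementary case, a well-formed document that only one of the engines recognises.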

Below, we have highlighted the top 10 most interesting, remarkable, and troubling facts about data breaches:

Number of stolen records up 78% in 2014

According to the 2014 Breach Level Index by Gemalto, one billion records were compromised in 2014 in more than 1,500 data breaches; a 78% increase compared to 2013.

Cost of data breach rose 23% since 2013

The total cost of a data breach increased 23% since 2013, as reported in the Ponemon Institute’s Annual Cost of Data Breach Study. In 2015 the average cost per lost or stolen record is $154.

Most costly breaches in US and Germany

The Ponemon Institute reports that the most costly breaches are in the US ($217 per record stolen) and Germany ($211 per record stolen).

Healthcare highest cost per stolen record

The cost of stolen healthcare records can be as high as $363, according to the Ponemon Institute. Healthcare records are more valuable than stolen credit card details since credit cards can easily be cancelled, but fraud using a person’s medical records is much more difficult to stop.

Identity theft most common motive

Gemalto’s research shows that the majority of data breaches are now perpetrated for the purpose of identity theft rather than stealing credit card information. In 2014, 54% of data breaches were motivated by identity theft, compared to 20% in 2013. In 2014 only 17% of data breaches were for financial access, down from 50% in 2013.

Malicious outsiders behind majority of attacks

The 2014 Breach Level Index by Gemalto reports that 55% of the data breaches were perpetrated by malicious outsiders, 25% were due to accidental loss, and 15% were committed by malicious insiders.

95% of breaches start with phishing attack

According to Allen Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks gained entry through a spear phishing attack. A spear phishing attack is an email targeted at specific individuals that is engineered to look legitimate and fool even tech-savvy users. The email either has a malware-laced attachment or a malicious link that when opened installs malware and tries to gain system access.

Traditional spam filters cannot detect spear phishing attacks

Most spam filtering products detect spam by checking black lists and known spam. However spear phishing emails are composed with considerable effort and target only a small number of individuals, therefore staying under the radar of traditional spam filters.

A single anti-virus engine is not enough to protect against all threats

With 450,000 new threats emerging daily, a single anti-virus solution is no longer going to cut it. By scanning email attachments and web content with multiple antimalware engines you are multiplying the chance that known as well as unknown malware is detected, speeding up protection against outbreaks, and protecting against threats designed to exploit vulnerabilities in specific engines.

Question is not if, but when

Data breaches are becoming more prevalent and more sophisticated. Suffering a breach is no longer a question of if but when. It is important that companies start increasing their security defences.

Read more about how to protect against spear phishing attacks and data breaches: https://www.opswat.com/blog/prevent-spear-phishing-attacks-improved-email-security



Russian-Speaking Hackers Tap Satellite Internet Connections

A group of sophisticated Russian-speaking hackers is exploiting commercial satellites to siphon sensitive data from diplomatic and military agencies in the United States and in Europe, as well as to mask their location. The group, which some refer to as Turla, after the name of the malicious software it uses, has also targeted government organisations, embassies and companies in Russia, China and dozens of other countries, as well as research groups and pharmaceutical firms. Security experts have commented as follows:

Ian Pratt, CEO and co-founder, Bromium:

“Whereas ISPs can trace IP addresses associated with ADSL or cable modem connections to within a few streets, broadband from geostationary satellites can cover whole continents, with the ISP having limited ability to locate where a particular access modem is — though techniques such as those developed in the search for Malaysia Airlines flight MH370 are potentially able to give rough areas. Hacking groups have frequently used satellite broadband for hosting key components of their infrastructure, but this has typically been done by purchasing a regular subscription under a false identity. Although there was little chance of law enforcement being able to track down the physical location of the satellite modem, once the IP address had been identified as hosting malicious content it would be straightforward for the satellite ISP to block the modem and remove it from the network. An even better covert technique is to effectively clone the access modem of an existing legitimate satellite broadband customer. Due to a lack of cryptographic authentication in most satellite broadband systems this can be done without having physical access to the victim’s modem and can be done just by listening to other traffic and then reprogramming an existing modem. Using a cloned modem makes it harder for the ISP to block the traffic since it would impact a legitimate user, and the miscreants can simply switch to cloning a different legitimate user’s device. Strong authentication of access modems using a key unique to each device is the only way to block this kind of attack, but can only realistically be done for new deployments.”

TK Keanini, chief technology officer (CTO), Lancope:

“If there was any question to the level of game play required in this day and age, here is your wake up call. We in security are always accused of spreading FUD, but this is the reality of the connected world we live in. Even as an expert, I read news like this and it makes me anxious – and so it should. These are talented well-funded threat actors whose job it is to not make the news; so when one does, consider them the sloppy ones.”




Cyberattack on New York Blues plan Excellus affects 10 million

Excellus Blue Cross and Blue Shield, a Rochester, N.Y. based insurer, disclosed on Wednesday afternoon that it was the victim of a sophisticated cyber attack by hackers who may have gained access to over 10 million personal records.

David Gibson, VP of Strategy and Market Development, Varonis comments:

Excellus is currently saying there’s no evidence that the information was “removed.” Who are we kidding here? The hackers were just browsing around for kicks? The reality is that they probably have no idea what happened or what was stolen and never will. This would come as no surprise to anyone, and doesn’t sound much different than the major cyber attacks that we have more information on.

In the case of the notorious Anthem data breach, thieves were outsiders who were able to stealthily get a hold of employee credentials to access files. And we’d be willing to bet that’s exactly what happened here.

While CIOs and security professionals may feel safe with large investments in firewalls, virus detection and other perimeter defenses, the on-the-ground reality is that today’s hackers continue to get better at their jobs and will easily get around these protections through a virtual side-door without ever being spotted.

To the poor IT admin monitoring a system during a typical breach like this, the hackers’ activities would have appeared as an employee browsing the web.

We might as well be giving bank robbers an employee badge and a keycard to the safe deposit boxes. And in our experience we have found that healthcare, an industry that is responsible for a wealth of sensitive data of various kinds, is surprisingly bad at this. In a study we conducted with the Ponemon Institute earlier this year, 65% of employees in the health and pharma industries believe they have access to sensitive data they don’t need to do their jobs, with 51% believing they see this data at least frequently.

So, the compromise of just a few, or even one, employee account opens a hacker up to a wealth of sensitive information.

It’s time for organisations to shift priorities and assume that some of their employees (and even their administrators and executives) will be duped into giving up information (like their password) and/or downloading malicious code. If an attacker steals an employee’s password (and you’re not using multi-factor authentication) then the attacker gets access to wherever they can use the password – any external or public-facing systems or applications where the employee used the same password are easily accessible.

Mike Spykerman – Vice President of Product Management, OPSWAT commented further that:

“The Excellus attack occurred back in December 2013 and went undetected until now. Unfortunately, Advanced Persistent Threats (APT) are capable of eluding single anti-malware defenses and staying under the ‘malware radar’ by lying in wait before executing their payload or by utilizing otherwise harmless files or processes. By implementing multiple layers of defense and using a multi-scanning solution that combines different detection algorithms and heuristics of multiple anti-malware engines, as well as other preventive measures such as data sanitization, many more advanced threats can be detected and a company’s exposure greatly diminished.”

Simon Crosby – CTO and Founder, Bromium concluded, stating:

That the company only discovered the breach almost a year and a half after it took place is indicative of a naïve attitude toward security. It is unforgivable that any organization should be so lackadaisical in its handling of customer data at a time when it is entirely possible to prevent breaches from happening in the first place, or to detect anomalous behavior in the network to indicate a breach in progress.




The global capital markets are highly vulnerable to cyber attack…and Greece could be the warm-up

By: John Edge

Because my roles have always involved new technologies applied to existing markets, I’ve been trained to think about technology related governance and risk; now as I look to a future of affordable mass compute power and artificial intelligence driven threats, I can’t help but think of where the weak points may be.  And my hunch leads me to places where both manpower and system power may be depleted.  And there’s an obvious one right now.  The Greek capital markets.  My gut tells me that Greece could be the warm up for an attack on the system integrity of capital markets.

I know that this is an odd statement to make, given that capital markets do not have systemic risk weak points and are designed to be resilient to cyber attacks – theoretically invulnerable to all comers.  But, instinctively, we all know that this cannot be the whole story – that risk cannot be entirely eliminated and that where there is human life, things can go wrong.  So, the question is – how bad could it get?

The truth is: bad, very bad.  In theory, global collapse of hitherto unseen proportions.

Automation of the capital markets infrastructure started in the 80’s, as technology evolved.  Both performance and price created the opportunity to splice automated functions into what were once manual processes. This concept of splicing is essential to understanding where we are today, in that we did not design for an end goal, we designed for what worked in the here and now.

As such, capital markets grew organically from a technology point of view, with layer after layer of systems being built, duplication and overlap were created, whereby systems ran out of capability and were patched back together or replaced, often partially.

Throughout the 90’s and early 2000’s the rate of adoption of technology accelerated, driven by the relentless hustle to hit quarterly targets. Machines were built to trade millions of times a second, competition for trading flow at the exchange level was opened up, so exchanges were driven to advance their technology to stay competitive, which meant more machines were built. The cycle has continued at this pace and now extends to retail and commercial banking, with digital demand from customers driving the transformation of these markets.

Then we introduced cloud computing, which offered the opportunity to increase performance and scalability whilst reducing cost. So markets took a complex organic system and started to distribute it, across internal and external data centers plus service providers. Vendor technologies exploded in popularity; the age of ‘FinTech’ was born, bringing substantial advantages to market participants. Marvelous progress indeed.

However, much as it’s a downer – sometimes the ‘bear view’ needs to be considered.  What does the bear view show us?

Starting with the basic truth that old code often has holes in it and modernizing code is essential to system health.  Ah ha – you say – simple.  Just modernise the code, and everything will be fine.  But here’s the rub: Modernising code costs money.  Which eats into quarterly returns, making it somewhat unattractive to those who make the decisions. “Heigh-ho,” they may say.  “Let’s just hope the thing doesn’t break down on my watch.”

The next layer up is the compilation of the systems and the architectures in place; were they designed for entities with malicious intent? Entities armed with, thanks to a Mr. Moore and his law, low cost massive computer power? The answer is, of course not. Some of the newer types of cyber attack couldn’t have been conceived of when these systems were built. That’s criminal ingenuity for you.

So, with aging code bases and system architectures not designed to resist the kind of power modern cyber threats at large have, we at least have well trained teams operating in a coordinated fashion globally to manage this fragile ecosystem. Oh wait, nope… we don’t have that either.

For a “mini” taste of how things can go wrong, there’s the bankruptcy of Knight Capital, caused by a rogue algorithm, a human ‘non malicious’ error that went undetected, which turned the largest trader in US equities into rubble in a little under a week.  Then there were the SIP issues with NASDAQ that shut off that market, and all other markets, for a large part of a trading day. Most recently we have seen glitches with NYSE.

All three of these crises, which were nothing on what could happen on a global scale, were created by human error and are in practice being addressed through Reg SCI. These incidents are indicative of what occurs when critical systems fail in capital markets. The elephant in the room is the possibility of a malicious attack.  Because that’s going to be worse than anything human error could cause.

Let’s, for a moment, create a nightmare scenario.  How could that come about and what would be the effect?

Imagine a powerful group looking to insider trade, which is trading with non-public information.  This group decides to create the non-public information by shutting down a stock exchange for two days. The night before the attack the group buys options contracts that will pay off, if the market moves down. When they shut down the market for two days, panic ensues and the market “sells off”.

Of some comfort is that the fictional baddies might be deterred by the fact that if the plan could go horribly wrong for them – the futures position may go against the intent and lose the monies deposited as margin.

Currently, all businesses in Greece are suffering a high amount of disruption. What we know is that often it is human error that causes problems, rushed code releases and poor processes creating production issues. The duress being suffered by business operators in countries such as Greece could increase the likelihood of human error.

But on top of this, opportunistic criminals could use these markets as a training ground – a ‘cyber attack gym’. The functional layout of capital markets is roughly the same everywhere, although the volumes change significantly between countries. Could the current Greek crisis present an opportunity for practice attacks, and would the operators, in the current state of chaos, even know this was occurring?

There are global automated market places that have not trained enough people to operate information security defenses. Systems have been developed to aid humans in the management of security perimeters, however standards and processes have not yet been developed for many smaller market places.

On top of these challenges there is the issue of system re-engineering, the moving from the organic spaghetti infrastructure to an infrastructure designed for today’s environment. Which all comes down to budget.

Chewing the fat with my friend and colleague Alexei Miller, a managing director at global technology consulting firm, DataArt, he pointed out that chaos always begets criminal creativity and that Greece was that chaos. Cheaters, he said, will look for ways to circumvent capital controls.  He noted that if the Greek situation were happening in certain other countries (and he didn’t say which) and Europe was sending massive checks to keep them afloat, the biggest question would be how much of it would be stolen.

It is true that technology fosters spending accountability.  But when it is left to tick along, in the way the global capital markets technology often is in many places and organisations, it can be a force for evil.

Sleep tight. Don’t have nightmares, now.

John Edge is an innovator and social entrepreneur in the digital economy, with a recognized expertise in financial technology and a track record of creating breakthrough business models by harnessing network capital to identify patterns created by market needs, inefficiencies and new technologies, with the mission to create value for individuals, corporates, investors and society. He is an advisor to global technology consulting firm, DataArt.



WhatsApp security breach lets hackers target web app users

The Telegraph has reported that a software vulnerability has been discovered in the web-based version of the popular WhatsApp messaging app for smartphones, which could allow hackers to trick users into downloading malware on their PCs. This could potentially put 200 million web app users at risk.

Richard Cassidy, technical director EMEA, Alert Logic comments:

“This type of threat against WhatsApp isn’t new in terms of how we see hackers attempt to exploit popular messaging services. Given the inherently open trust model that WhatsApp is built on, such as finding contacts in address books who may be using WhatsApp and sending invites openly to others, in addition to open sharing of files, images, videos and of course vCards; it’s an app that presents a great deal of opportunity for attackers to trick users (for whom they have details) into opening a seemingly legitimate or interesting file, that could lead to an exploit of the host device. That said, the move to a browser based version of the popular application means greater security risks are now present that weren’t before on mobile platforms.

Users of any IM application need to stick to online best practices to reduce the risk of being compromised. Always be vigilant when receiving any type of file from an unknown source and question the sender if you’re unsure. Even if files seem to come from someone you know, put it into context on the basis of your normal communication with that person; would they have had a need to send you a file, were you expecting any files or contacts – if not, never be afraid to delete or question.

How WhatsApp have responded to this vulnerability is a great example of the vendor doing a sterling job in helping to mitigate against a newly discovered vulnerability in as short a time-frame as possible; there is only so much they could have done to prevent this; we very much live in a world of shared security responsibility and users have to remain aware of the potential risks of accepting suspicious communication in any online activity.”

Rob Sobers, director, Varonis notes:

“While the impact of this exploit is quite scary in that an attacker can take full control of a victim’s computer, it does require the target user to be tricked into opening a vCard that they don’t recognise, making it analogous to an email phishing attack. With the user-base of the web app being so large (200M+), we might see users continue to fall victim until WhatsApp forces users to upgrade to a patched version.”

TK Keanini, CTO, Lancope states:

“The news here is not the vulnerability but the agility and responsiveness of the application vendor to protect their community of users. This is what responsible disclosure looks like and an example of a software vendor that users can trust to do the right thing (quickly). It is the users’ responsibility to keep things up to date. If you don’t know if you are up to date, chances are that you are not.”



Cyber attack against Match.com exposes millions of singles to malware

The UK’s online daters could be the latest victims of cyber crime, after researchers discovered a malware attack aimed at Match.com’s millions of users. The malicious content is being spread through adverts on the website in a “malvertising attack” which is reportedly targeting UK users in particular.

Security experts gave the following comments to @DFMag:

Adam Winn, senior manager, OPSWAT:

“The most vulnerable users are those who do not block ads, and have Flash set to autoplay. A vulnerability like this can strike anyway, no matter how safe their browsing habits or how well-patched their software is. Protection can be achieved with two simple techniques: Click to Play, and Ad Blocking. This combination of techniques is nearly bullet-proof against malvertising.

1) Click to Play: Set your browser to use Click to Play, which means no Flash/Java/Silverlight/etc. can launch unless the user explicitly requests it.
2) Ad blocking: While somewhat controversial, ad blocking is nonetheless an extremely effective way that users can protect themselves from malvertising. There are many competing alternatives for ad blocking, yet AdBlock remains the most popular.

Any average user can configure these two items in less than an hour, and rest assured that they will be nearly invulnerable to malvertising and many Flash/Java/Silverlight exploits in general.”

Gavin Reid, VP of threat intelligence, Lancope:

“It is important to not confuse the attack at Match with full site compromises like the recent hack of Ashley Madison. The information on this attack shows a much different issue of malvertising (ads that contain links to malware) being viewed on their website. Malvertising has plagued online websites, with almost all of the top 100 sites having hosted them at some time.”

Simon Crosby, CTO and co-founder, Bromium:

“If you use any online services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non work email address from an online provider.”

Dr David Chismon, Senior Researcher at MWR:

“The reported malvertising attack through Match.com, and the choice of CryptoWall and Bedep payloads indicates that the attackers are interested in compromising consumers and individuals for data ransom purposes. However, users increasingly blur work and personal lives and people browsing Match.com from their work computer may lead to their corporate computer being infected and potential files on any mapped fileshares encrypted and ransomed. Furthermore, there is a risk that attackers discover they have compromised computers of note and sell that access onto attackers with more interest in information theft.

Users are recommended to ensure they are fully patched, however, the Angler exploit kit used is reported to sometimes use unpatched vulnerabilities (0-day). Organisations should therefore ensure they are applying defence in depth, such as using application whitelisting and only minimum privileges to conduct actions.”



The legal aspects of obtaining and analysing forensic evidence from the private cloud

By: Shahaf Rozanski, Director of Forensic Products at Cellebrite

Cloud data offers a digital footprint that can prove vital in forensic investigations. Sources can generate critical leads which can help investigators piece together criminal cases and provide important evidence. This evidence can then be put forward by prosecutors in a court of law or provide defence lawyers with a much needed alibi for their client. The process may sound simple, but there are a number of aspects that both police forces and legal professionals need to consider before the data can be presented and accepted in a given case.

There are three types of cloud data which can be categorised by their organisational deployment: enterprise, public and private cloud data. The latter has an infrastructure which is operated solely by the organisation which owns that cloud service, as such this type of cloud data in particular can pose limitations to forensic investigations before cases even reach the criminal courts.

Legal frameworks and specific procedures apply to collecting private cloud data, and these can differ from country to country. There is no ‘one model fits all’ solution, so the problem has the potential to escalate when investigations spread overseas. Investigating authorities can only obtain this data when either party agrees to provide access, a judge issues a warrant, where parties to the Convention on Cybercrime can obtain access to data under the provisions of Article 32, or when the concept of ‘virtual presence’ is accepted by the courts for the purposes of seizing data[1].

When investigators don’t have consent from the user to access such data, they have to turn to the service provider. In this instance, a number of questions can arise regarding the ownership of the data. Is the owner the user who uploaded it to social media or is it the provider? Some legislators may claim that the user is the owner of data, much like they would own equipment they stored in a third party warehouse. If this is the case, why should data be requested from the cloud provider and potentially put the investigation on hold for weeks, if not months? In such cases investigators can then turn to mobile forensic technology, which can provide access to private-user cloud data by utilising login details that have been extracted from the mobile device of the suspect or victim.

The next question to be asked is where the data is and what jurisdiction applies to retrieving it. Is there a way to determine where the data actually resides? With the complex architecture of the internet, it is impossible to know if data resides in a specific datacentre operated by the cloud service provider or if it’s cached on your internet service provider’s servers. Due to this lack of clarity, some legal systems use the notion of virtual presence, which means that as long as the cloud provider is providing a service in your country, where local rules can apply to the data and to law enforcement, you should have access to that data under the relevant local legal authority. Such is the case of Yahoo in Belgium, where the court ordered the company to provide relevant records even though it has no local presence in the country. This case is now being considered in the higher courts.

Finally, to be able to submit data in court, data should be forensically retrieved. A piece of data can be easily removed by someone that has access to a private account, and as such, being able to repeat the process of private cloud data acquisition and get the same results might be a challenge. The legal system needs to appreciate that when dealing with cloud data there may not be any other resort but to take a snapshot of the data that existed in the cloud at a certain time. This is similar to a murder case taking place in a park in which the police can’t confiscate the entire park and preserve it as is. Instead measures are taken to document a snapshot of the park as close as possible to time of the crime.
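The paragraph above makes a practical point: a private-cloud acquisition may not be repeatable, because the account holder can delete items between the first and any later acquisition, so the defensible artefact is a time-stamped snapshot whose integrity can be proven later. The Python below is an added illustration of how such a snapshot is commonly recorded and checked (per-item SHA-256 digests plus a manifest digest over the ordered list), not Cellebrite's tooling or any product's format; the records, source name and acquisition time are constructed for the example, and `diff_snapshots` shows how a later re-acquisition that is missing an item can still be reconciled against the original.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List


def canonical_bytes(record: Dict[str, Any]) -> bytes:
    # Deterministic serialisation: key order and spacing are fixed so the same
    # record always produces the same digest, whichever tool re-hashes it.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_snapshot(source: str, records: List[Dict[str, Any]], acquired_at: datetime) -> Dict[str, Any]:
    """Record every acquired item with its digest and seal the ordered list with a manifest digest."""
    items = [{"index": i, "sha256": sha256_hex(canonical_bytes(r)), "record": r}
             for i, r in enumerate(records)]
    manifest = "\n".join(it["sha256"] for it in items).encode("utf-8")
    return {
        "source": source,
        "acquired_at": acquired_at.isoformat(),
        "item_count": len(items),
        "items": items,
        "manifest_sha256": sha256_hex(manifest),
    }


def verify_snapshot(snapshot: Dict[str, Any]) -> List[str]:
    """Return a list of integrity problems; an empty list means the snapshot is intact."""
    problems: List[str] = []
    digests: List[str] = []
    for item in snapshot["items"]:
        if sha256_hex(canonical_bytes(item["record"])) != item["sha256"]:
            problems.append(f"item {item['index']}: content no longer matches its digest")
        digests.append(item["sha256"])
    if len(digests) != snapshot["item_count"]:
        problems.append("item count does not match the item list")
    if sha256_hex("\n".join(digests).encode("utf-8")) != snapshot["manifest_sha256"]:
        problems.append("manifest digest does not match the item list")
    return problems


def diff_snapshots(original: Dict[str, Any], later: Dict[str, Any]) -> Dict[str, List[str]]:
    """Compare two acquisitions of the same source by item digest."""
    first = {it["sha256"] for it in original["items"]}
    second = {it["sha256"] for it in later["items"]}
    return {"missing_in_later": sorted(first - second), "new_in_later": sorted(second - first)}


# Constructed sample: three posts from a fictitious private cloud account.
SAMPLE_RECORDS = [
    {"id": "post-1", "author": "user_a", "posted": "2015-06-01T10:00:00Z", "text": "At the park"},
    {"id": "post-2", "author": "user_a", "posted": "2015-06-01T11:30:00Z", "text": "Heading home"},
    {"id": "post-3", "author": "user_a", "posted": "2015-06-02T08:15:00Z", "text": "Deleted later?"},
]


def demo() -> Dict[str, Any]:
    """Build a snapshot, verify it, tamper with a copy, and compare a re-acquisition."""
    t0 = datetime(2015, 6, 3, 9, 0, tzinfo=timezone.utc)
    snap = build_snapshot("example-cloud-account", SAMPLE_RECORDS, t0)
    tampered = json.loads(json.dumps(snap))
    tampered["items"][0]["record"]["text"] = "At the office"   # post-acquisition edit
    later = build_snapshot("example-cloud-account", SAMPLE_RECORDS[:2], t0)  # post-3 gone
    return {
        "intact": verify_snapshot(snap),
        "tampered": verify_snapshot(tampered),
        "diff": diff_snapshots(snap, later),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest over the ordered item digests is what lets an examiner later prove that the set as a whole, not only individual items, is the one acquired at the recorded time; `diff_snapshots` then shows exactly which items a second acquisition no longer returns, which is the evidential gap the paragraph describes.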

There are a number of hurdles investigators have to clear in order to extract and present private cloud data in criminal cases. As criminals take advantage of technological advances to aid their criminal activities, governments have had to adapt and adjust the legal framework to deal with new types of crime. It’s essential that the process of carrying such data from field to court has clarity to ensure justice can be served in the modern, technological age.

[1] Obtaining evidence from mobile devices and the cloud, E. George, S. Mason, 2015