Month: February 2016

The BBC has reported that “some of Nissan’s Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked”, according to a prominent security researcher Troy Hunt. It was also reported that a flaw with the electric vehicle’s companion app also meant data about drivers’ recent journeys could be spied on.

Paul Fletcher, Cyber Security Evangelist at Alert Logic told @DFMag;

“The Nissan Leaf vulnerability is an issue that needs to be fixed by the manufacturer and while this vulnerability doesn’t have the same impact as the Jeep vulnerabilities documented last year, it’s an entry point into the controls of a vehicle and the potential for a more severe hack is now present.  Nissan has an opportunity to embrace this discovery and enhance the security controls of it’s product.  Nissan would be smart to launch a “bounty” program, if for no other reason but to market their willingness to put their security controls to the test and build the confidence of their customers and the industry.  Only time will tell how serious Nissan takes this threat to it’s vehicles and customers.”

(88)

By Andy Green, technical specialist, Varonis

Am I the only one finding the recent upsurge in hotel data breaches troubling on some primal level? You’re in a vulnerable position as a traveler, and you want to believe that the suite you’ve booked is your castle. And a secure one – doors often have multiple locks, rooms have those teeny safes for storing valuables, and security cameras help guard lobbies.

Hotels, of course, have long recognised that as hosts, they have special responsibilities.

But hotels also host your data, particularly credit card data. Based on the spike in hotel data heists, this industry has fallen short, security-wise.  As it turns outs, the attack vector for these hotel breaches is the same PoS malware used against big box retailers.

Yeah, that’s right. BlackPos and the other RAM-scrapers variants have found hotels a good place to vacation—for months, apparently—and to check out with a haul of credit card numbers.

What makes all this so startling is that it appears little has been learned from the huge retail breaches.

PoS Malware Attack Scenario

There’s really nothing new in the attack chain in these incidents.  Well, perhaps one thing.  There’s new PoS malware afoot that’s stealthier than the old-school techniques, and may have been involved in some of the hotel data heists.

In any case, most security analysts would probably agree with the following scenario:

Attackers gain entry through—yawn–phishing, SQL injection, or some other well understood vulnerability (default passwords, etc.). They likely use a RAT or other tool for the initial part of the attack.

Once they have a beachhead, they move laterally, using standard techniques such as port scanning, working out host-naming conventions, password cracking, and pass-the-hash– all the methods we’ve talked about in the pen-testing series. The goal is to find a PoS machine or server.

After the PoS device(s) have been identified, the attackers load the payload, the special RAM-scraping software, and then exit. At this point, the PoSware takes over, controlled remotely by hackers from their C2 servers.

The PoSware begins searching OS memory and collecting card data, and then periodically dumping the data to the file system.

Finally, the PoSware exfiltrates the card data file to the C2 servers by embedding it in HTTP Post/Get requests.

While there are variations, the sketch above holds true for most of the POS attacks we’ve seen in recent years.

Playing Defense

But just as we know how the attack unfolds, security experts also understand the kill chain—how to stop the attack at different points in its cycle. We’ve also collected some of this advice in a blog post we wrote back in 2014.

One factor that may have changed the game, though, is that the amateurs have been supplanted by the pros. Criminal gangs such as Black Atlas has turned PoS hacking into a criminal enterprise.

So it becomes even more critical to move the kill chain for PoSware up a few notches in IT priorities, particularly if you’re in the hotel and leisure industry.

Here are few key areas where I think a modest investment will yield huge security benefits:

Employee Education – If you explain to employees what a phish mail looks like, you can stop most attacks from the start. It’s good policy to tell employees to never click on a link or attachment from an outside email without making sure of the sender’s identity. We recommend our own e-book on the subject, Anatomy of a Phish.

Data Governance — The attackers are not aliens from an advanced civilization. Like the rest of humankind, they need access to the file system in their initial surveillance work and exfiltration.  The idea is to carefully review ACLs and restrict access so that the hackers can’t leverage a generic random user’s credentials to read, copy, and create files in sensitive folders and directories.

Whitelisting – PoS systems should only be running software from a well-defined set—after all, these are single-purpose computers for handling credit card transactions. In theory, whitelisting software that prevents the OS from launching non-standard binaries is an effective antidote to this hackware. Mileage may vary though. Some of the recent attacks involved using rootkit techniques where the kernel is modified, thereby making the malware practically invisible to the OS.

Patch Management — Make sure you have the latest security patches. Enough said.

Credential Management/Pass-the Hash (PtH) Mitigation – This is a broad category. Simply put: don’t make it easy for hackers to get credentials.  Make sure you have solid password policies in place, search for and remove plaintext password or password hash files, and if possible disable Windows storing of plaintext passwords in LSASS memory. Finally, ensure that domain-level admin accounts are not being used to network to users’ machines—this allows hackers to steal the crown jewels through PtH.

UBA Anyone?

The attackers play the odds, and so they can still get lucky— default passwords that weren’t changed, a patch that was neglected, or, say, a successful phishing or watering-hole attack against the Director of IT.

And there are zero-day exploits that are impossible to protect against.

This is where monitoring and notification come into play. But not just standard intrusion detection or virus scanning. Remember: the PoS attackers are on the inside, and they play a very stealthy game as far as conventional detection techniques are concerned.

My advice now can be summarized by three words: User Behavior Analytics (UBA).

You won’t be able to spot these intruders without taking into account existing user file and system activities.

While they may look like ordinary users, the attackers will tip their hand by accessing system configuration files, copying or moving a large number of files, or encrypting credit card data—activities that are likely atypical for that user.

And that’s where UBA comes in. It understands the average or normal behavior of the real user behind the credentials, and then notifies the security group when variances occur.  

While you may not be able to prevent intrusion into a hotel PoS system, with UBA you will be able to spot the attackers’ activities further down the kill chain, and ideally prevent the extraction of the credit card data.

(107)

UK bank customers should be extra careful after a new wave of ‘smishing‘
attacks has seen data thieves drain thousands of pounds from current accounts.

One customer lost over £20,000 from his current account after fraudsters managed to ‘hijack’ a text message thread, claiming to be from Santander, and saying that there had been suspicious activity on his account. Mr Smith called the number and spoke to fraudsters who asked him for a ‘one-time password’ and wiped out £22,700 from his account.

SMS phishing – or ‘smishing’ – scams are the latest weapon fraudsters are using to target bank details. It involves tricking users into downloading a virus so they can impersonate a bank in text messages, hijacking genuine threads to steal passwords and security details.

Commenting on this, Lisa Baergen, manager at NuData Security, said:

“Smishing”, a twist on the “phishing” scam, is an old scam that evolves each time new technology comes along. When banks started offering telephone services, fraudsters would impersonate a bank and call customers  with criminal intent. As banks moved to providing online services and apps, fraudsters started emailing customer statements, fake websites popped up and phishing emails started to make the rounds. These SMS smishing scams are taking advantage of the consumer’s push for more mobile-friendly and innovative ways to communicate and interact with their financial institutions. With this specific wave of smishing attacks, hackers fool customers into downloading their malware by posing as a legitimate, unrelated app. The malware then takes over a legitimate SMS communication between the customer and their bank to socially engineer the customer into giving away their PII information and access their account.

Fraudsters know that it is generally easier to take over an account by phishing, spear phishing (targeting an individual) or smishing, than to open a new account using a real or stolen credentials, which is why account takeover (ATO) is alarming and, as we’ve been saying, on the rise. 

It only makes sense, that account takeover (ATO) has become a new favourite fraud tactic. So as we hear of yet another example of real customers being scammed of their hard-earned funds, it is just another blazing example underscoring the need for financial institutions to move away from PII as the relied-upon authentication method. With the overabundance of stolen data, access to full identities are prevalent and cheap, meaning it cannot be relied on for authentication purposes. Customer education can help reduce the number of times this scam is successful, but we shouldn’t rely only on placing that burden solely on customers and account holders. 

If your bank can’t distinguish between legitimate users and fraudsters, even with valid credentials, it’s time to they move away from static data to protect accounts, and move to behavioural analytics for authentication.  User behaviour analytics observes and understands how the user behaves. Behavioural analytics looks beneath the surface of matching usernames, passwords and other means of authentication such as one-time SMS, to truly understand user behaviour. These behaviour patterns reveal details that fraudsters can’t fake despite their best efforts.”

(83)

In light of recent reports that TfL’s CIO Steve Townsend is looking to solve London congestion issues with the help of IoT sensors, Cesare Garlati, chief security strategist for the prpl Foundation has had the following to say regarding the safety and security issues that may arise:

“While it is exciting that TfL is looking to IoT sensors and the data they provide to help improve congestion for commuters, it must not overlook wider security and privacy implications this will have on the City of London.  IoT, although growing at an enormous pace, is still very much in its infancy – with people eager to get their hands on the latest and greatest connected devices and manufacturers rushing to get them to market – security is often an afterthought.  If we don’t take steps now to improve security within devices at the development level, the results could be catastrophic, especially when used to capture data on passengers and whole cities as suggested by TfL’s CIO, Steve Townsend.  At best, people’s privacy and civil liberties are affected and at worst, poor security controls will mean terrorists will have access to a whole host of information they can use for surveillance or other nefarious purposes when security controls aren’t properly addressed.

“For this reason the prpl Foundation has provided guidance on how to create a more secure Internet of Things that advises manufacturers and developers to adopt an open source, hardware-led approach that sees security embedded from the ground up.”

(104)

Google has reported that a flaw in some commonly-used code could be manipulated to grant remote access to devices such as a computer, internet router or a piece of equipment connected to the Internet. The flaw – CVE-2015-7547 is found in glibc – an open-source library of code widely used in Internet-connected devices. The flaw can affect programming languages like PHP and Python as systems used when logging into websites or accessing email.

Craig Young, a cybersecurity researcher from Tripwire told @DFMag: “This is quite an interesting bug, but my expectation is that we will not see widespread exploitation for code execution due to several factors.  While many have espoused ASLR as making this vulnerability difficult to exploit, I actually take a different stance.”

ASLR or Address Space Layout Randomization is a security feature designed to prevent attackers from knowing in advance where critical blocks of code exist in the memory of a targeted system.  The fact of the matter though is that very few Linux systems have system wide ASLR enforcement and with a bug affecting such a widely used function; it is inevitable that many vulnerable products will not gain the ASLR protections.  The bigger barrier to execution as I see it is that in most cases the attacker needs to get parallel name resolution (IPv4/IPv6) to an attacker controlled name server either directly or through a recursive lookup.”

Craig explains, “The more common attack scenario of course would be a recursive lookup since hopefully most attackers do not have control over popular DNS servers.  The problem with this scenario however, is that payloads needed for exploiting this for code execution are probably not going to be well-formed responses and will likely get dropped en route.  That being said, it is important that users and service operators deploy patches as soon as possible. If we do see cases of in the wild exploitation from this, I would expect that web sites or services which query user-controlled domain names might be top on the list of ideal targets.”

(55)

In light of news that HM Inspector of Constabulary (HMIC) Zoe Billingham has found over a third of police forces require improvement in how they investigate crime and manage offenders, Johann Hoffmann, Head of Griffeye commented to @DFMag:

“The findings from this report are unsurprising for those that work with the security forces. Too often our police forces are bogged down by the shear overwhelming volume of seized data. Sifting through and handling that material is an impossible task to handle manually. However, these processes can be automated, allowing them to focus more time on solving crimes. Take video evidence, for example. The volume of video produced is growing exponentially, but the amount of content an investigator is able to sift through without improved technology remains the same. On average, only a fraction of the video seized – whether its video produced by a surveillance camera or personal smartphone – is analysed, leaving content that potentially may lead to a breakthrough untouched.
 
Investigators need tools that enable them quickly find what they are looking for, and most importantly, uncover significant material that may not have been on their radar in the first place. There are solutions out there that eliminate non-pertinent video, and which prioritise and present information based on elements such as a specific timeframe, noise or movement. Our forces just need to be able to use it.
 
As our society creates and consumes more video, law enforcement is seeing this type of content play an increasingly important role in investigations. Whether it is for child sexual abuses cases, serious organised crime, fraud or national security investigations, specialised technology can accurately uncover crucial intelligence held within video. This will help digital forensic specialists to quickly put together the missing pieces to create a complete picture for investigations. Embracing this technology will not only save them time, which could be spent solving crimes, but will also improve cost efficiency.” 

(85)

You are back in the office after the long holiday break and busy catching up. Did you miss the story about the EU’s General Data Protection Regulation (GDPR) receiving final approval?  Some are calling it a “milestone of the digital age”.

We’ve been following the GDPR on the Varonis blog over the last two years. If you want to catch up very quickly, read our omnibus post that’s a tasty distillation of our wisdom on this subject. Or if you have some more time, check out our comprehensive GDPR white paper.

With the final draft, a few ambiguities and loose ends were ironed out from the different versions provided by the EU Parliament and the Council. I’ve put together a few key points that should resonate with Inside Out readers. Keep in mind the GDPR will take effect in the later part of 2017.

Fines
We have closure on the question of fines: the GDPR has a tiered fine structure. For example, a company can be fined up to 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach (articles 31, 32), or not conducting impact assessments (article 33).
More serious infringements merit a 4% fine. This includes violation of basic principles related to data security (article 5) and conditions for consumer consent (article 7)– these are essentially violations of the core Privacy by Design concepts of the law.

The EU GDPR rules apply to both data controllers and processors, that is “the cloud”.  (Refer to our white paper to learn more about this law’s data security terminology.) Therefore huge cloud providers are not off the hook when it comes to GDPR enforcement.

Data Protection Officer
It’s official: you’ll likely need a Data Protection Officer or DPO. You can read the fine print in article 35. If the core activities of your company involve “systematic monitoring of data subjects on a larger scale”, or large-scale processing of “special categories” of data—racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation– then you’re required to have a DPO. In the US, the closest job title to this is a Chief Privacy Officer. In any case, the job function of the DPO includes advising on and monitoring GDPR compliance, as well as representing the company when contacting the supervising authority or DPA.

Data Breach Notification 24 or 72 hours?
And the winner is … 72.
Article 31 tells us that controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) on learning about the exposure if it results in risk to the consumer. But even if the exposure is not serious, the company still has to keep the records internally.
According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data – the EU’s term for PII—is considered a breach. Note my emphasis on unauthorised.
Based on my understanding of the GDPR, this means that if an employee sees data that’s not part of their job description, it could be considered a breach. Of course, this is not a problem for your company, because your IT department has done a thorough job reviewing file access lists and has implemented role-base access controls. 

You can read more about what you have to provide to the data authority in our “What is the EU GDPR” post. 
Bottom line: The GDRP notification is more than just saying you have had an incident.  You’ll have to include categories of data, records touched, and approximate number of data subjects affected. And this means you’ll need some detailed intelligence on what the hackers and insider were doing.

Data processors have a little more wiggle room: they’re supposed to notify the company they’re doing the work for—the controller– “without undue delay”.
Under what conditions does a company have to tell the subject about the breach? 

You can read the details in article 32, but if a company has encrypted the data or taken some other security measures that render the data unreadable, then they won’t have to inform the subject.

For Countries Outside the EU
We’ve been raising the alarms on extra-territoriality for several months now.
With the GDPR finalised, we can say with certainty the law applies to your company even if it merely markets goods or services in the EU zone.
In other words, if you don’t have a formal presence in the EU zone but collect and store the personal data of EU citizens, the long arm of the GDPR can reach out to you.

As many have been pointed out, the extra-territoriality requirement (article 3) is especially relevant to ecommerce companies. 

Social media forums, online apartment sharing, artisanal craft sites, or beers of the world clubs: you’ve been warned!

Other Resources
All the permutations of the GDPR and how it can applies is just too complex to cover in a few blog posts.  Of course, your Data Privacy Officer is the go-to person for advice, along with outside legal experts.

Speaking of law firms and attorneys, they are understandably all over this.
Thankfully, they do offer some very practical and free information on their public-facing sites.

Here are my own favorite legal advisors:
• Bird and Bird: www.twobirds.com
• Daniel Solove’s Privacy and Security blog: www.teachprivacy.com
• Hogan Lovells:
www.hoganlovells.com
• BakerHostetler: www.bakerlaw.com

(260)

The prpl Foundation, an open-source, community-driven, collaborative, non-profit foundation supporting the next gen connected devices industry, has announced availability of a new document entitled Security Guidance for Critical Areas of Embedded Computing that lays out its revolutionary vision for a secure Internet of Things.  It describes a fresh hardware-led approach that is easy to implement, scalable and interoperable.  The prpl Foundation’s guidance aims to improve security for devices in a rapidly expanding connected world where failure to do so can result in significant harm to individuals, businesses and to nations. It is available at: http://prpl.works/security-guidance/.

“The Internet of Things is connecting our world in ways not anticipated even a decade ago. This connectivity finds its way into everything from light bulbs and home appliances to critical systems including cars, airlines and even hospitals,” said Art Swift, president of the prpl Foundation. “Security, despite its huge and increasing importance, has so far been addressed in piecemeal and often proprietary ways.

“Given ubiquitous connectivity and the rapid emergence of IoT, the need for a well-designed, structured and comprehensive security architecture has never been greater,” he continued.

Embedded systems and connected devices are already deeply woven into the fabric of our lives, and the footprint is expanding at a staggering rate. Gartner estimates that 4.9 billion connected things were in use by the end of 2015, a 30% increase from 2014. This will rise to 25 billion by 2020 as consumer-facing applications drive volume growth, while enterprise sales account for the majority of revenue.

Security is a core need for manufacturers, developers, service providers and others who produce and use connected devices. Most of these – especially those used on the “Internet of Things” – rely on a complex web of embedded systems. Securing these systems is a major challenge, yet failure to do so can result in catastrophic consequences.

“Under the prpl Foundation, chip, system and service providers can come together on a common platform, architecture, APIs and standards, and benefit from a common and more secure open source approach,” added Cesare Garlati, prpl’s chief security strategist.

The new Security Guidance Document lays out a vision for a new hardware-led approach based on open source and interoperable standards. It proposes to engineer security into connected and embedded devices from the ground up, using three general areas of guidance. These are not the only areas that require attention, but they will help to establish a base of action as developers begin deal with security in earnest.

These areas include:

Addressing fundamental controls for securing devices. The core requirement, according to the document, is a trusted operating environment enabled via a secure boot process that is impervious to attack. This requires a root of trust forged in hardware, which establishes a chain of trust for all subsystems.

Using a Security by Separation approach. Security by Separation is a classic, time-tested approach to protecting computer systems and the data contained therein. The document focuses on embedded systems that can retain their security attributes even when connected to open networks. It is based on the use of logical separation created by hardware-enforced virtualization, and also supports technologies such as para-virtualization, hybrid virtualization and other methods.

Enforcing secure development and testing. Developers must provide an infrastructure that enables secure debug during product development and testing. Rather than allowing users to see an entire system while conducting hardware debug, the document proposes a secure system to maintain the separation of assets.

By embracing these initial areas of focus, stakeholders can take action to create secure operating environments in embedded devices by means of secure application programming interfaces (APIs). The APIs will create the glue to enable secure inter-process communications between disparate system-on-chip processors, software and applications. Open, secure APIs thus are at the centre of securing newer multi-tenant devices. In the document, the prpl Foundation offers guidance defining a framework for creating secure APIs to implement hardware-based security for embedded devices.

(134)

Researchers  have discovered that hackers have evolved the Black
Energy Malware to infiltrate other sectors. It was first seen when hackers
used BlackEnergy to take down the Ukrainian Power grid affecking more
than 1 million Ukrainians. Now Trend Micro is reporting that the malware
have also been found along with KillDisk in a Ukrainian mining operation 
and railway system.

Tim Erlin, Director of IT Security and Risk Strategy at Tripwire told @DFMag;

“Industrial control systems aren’t limited to the energy sector, so it should be no surprise that BlackEnergy can and has been used in other industries

We may find that 2016 is the year of Industrial Control Systems for cybersecurity. 

Attribution has always been tricky business in cybersecurity, but it’s clear that the BlackEnergy has 
expanded its footprint as a tool, whether the actors behind it are the same or not. 

If your business has an industrial control system footprint, whether you’re in manufacturing, transportation 
or energy, now is the time to evaluate how you’re securing that environment.”

(77)

The IRS has released some details on a data breach that involves personal data of taxpayers who use the IRS’s e-file website. The personal information was first obtained from another, unidentified source(s) – not the IRS – and was then used to log into the IRS website to obtain personal ID numbers used to file tax returns.

Ars Technica reported:

The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday. Identity thieves made the haul by using taxpayers’ personal data that was stolen from a source outside the IRS, according to a statement. The attackers then used an automated bot against an application on the IRS website that provides personal identification numbers for the electronic filing of tax returns. In all, the hackers made unauthorized queries against 464,000 social security numbers but succeeded against only 101,000 of them. No personal information was obtained from the IRS systems. Agency officials are flagging the accounts of all affected taxpayers and plan to notify them by mail of the incident. The IRS is also working with other government agencies and industry partners to investigate the hack or stem its effects. The hack occurred last month.

The full story: http://arstechnica.com/tech-policy/2016/02/irs-website-attack-nets-e-filing-credentials-for-101000-taxpayers/

In response to this news, @DFMag received comments from the following security experts.

Mark Bower, global director, product management at HPE Security – Data Security:

“Attackers are very capable of taking data stolen from other sites and using it for secondary attacks to more lucrative systems, as in this case. SSN data is regulated personally identifiable information under many regulations and should be protected.

Modern data-centric security is the technology of choice, delivering an end-to-end encryption approach – protecting data at rest, in use and in motion – thereby minimising any clear data exposure and ensuring attackers get nothing of value when they do penetrate systems. The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure.

Cyber criminals today are motivated to steal personal data, as well as enterprise data, intellectual property and employee or customer information. Hackers are always looking for a way to exploit a system in a way that they can then turn stolen data into cold, hard cash.  As this attack points out, there is a clear need to protect personal information like name, full address, phone number and email address so that criminals can’t use the information to open bogus accounts, sell it for use in more targeted larger-scale spear-phishing, steal identities, or as in this case to obtain tax identification information.”

Lisa Baergen, manager at NuData Security:

“It is disappointing that the IRS’ Get Transcript Tool has once again been used by hackers in the run up to tax season, and their success rate was shocking. Last year the same tool was used to gain information on American citizens in order to submit fraudulent tax returns. This year the same tool has been leveraged to obtain the very Identity Protection PINs that were lauded last year as a way for tax payers to protect their accounts and private information. What did the hackers use in their automated attack? Just the name, address, date of birth and Social Security Number – and thanks to countless breaches, some even at the highest levels of the American government, this information is not hard to find. If the data is out there, it will be used. Why are we making it easier for hackers? So long as key security measures rely on easily obtained, personally identifying information, this will keep happening. We have to devalue that cheap, easy to come by data and approach authentication in an entirely new way or these headlines will keep appearing every spring.”

(82)