Anonymous bank takedown a wakeup call for behavioural biometrics

By Lisa Baergen, director at NuData Security

Notorious hacker network Anonymous recently launched a month-long campaign targeting the global banking industry.

According to an article in Fortune, members of the secretive group of activists and hackers went after the Bank of Greece in May of this year, taking down the site for a few minutes and landing the first punch in a series of high-stakes showdowns between global bank security systems and the infamous hacker network.

Several other high profile attacks have since followed over the last month in what Anonymous calls Operation Icarus. The group has so far claimed successful attacks on 9 other central banks, including the Central Bank of Mexico and Cyprus. Next on the hit list are the Bank of England, the World Bank, IMF, the US Federal Reserve and 160 other national banks. Anonymous vows to continue the project for 30 days, culminating in attacks on NASDAQ, NYSE, and PayPal.

The group appears to have joined forces with another hacker group, Ghost Squad Hackers. The objective appears to be to create chaos in the global banking industry and is “a retaliation to the 1%” as “elite banking cartels [are] putting the world in a perpetual state of chaos”, says hacker ‘s1ege’ who claims to be affiliated with the hacker collective GSH participating in the takedown.

These attacks on banking websites might take a site down for a few minutes or longer, depending on the level of penetration and severity, and while the outage may not be long by our standards, it can cost the banks millions, making the threat very real. Add this to the perception that bank security is vulnerable and it can't help but hurt bank brands globally, whose reputations rely on consumer trust.

This is just one more reminder that banks must put a robust security strategy in place, one that looks beyond the device or static data. No further reminders should be needed at this point. The cold, hard truth is that hackers have openly declared war, scheduled their attacks and operationalised large-scale collaborative hacking projects. There is no doubt they can and will attack again.

In 2015, for example, we identified that a staggering 45 percent of new accounts created across our financial services and e-commerce clients (including some of the largest banks and merchants globally) were fraudulent attempts. Fortunately, those attempts can be and are thwarted thanks to pre-transactional early detection using our passive biometric technology.

With industry estimates that account takeover and account creation fraud will increase by 60 percent in the next three years, it is more important than ever for financial institutions to have solutions that identify and prevent these attempts, ensuring that a company’s losses don’t escalate while also providing a white glove experience to legitimate consumers. Organisations that transact online know that they need to adapt to keep up with attackers who are constantly shifting tactics and attack vectors.

The proven way to outsmart fraudsters and hackers is through accessing the combined data obtained from observable behavioural signals from the time of login or account creation and throughout the user’s online lifecycle. Some solutions can also access the combined intelligence of their behavioural network (consortium) to further aid in determining who is, and who is not, behaving like a genuine user. In this way the software functions like a “good user detector” and the baddies are just filtered out of the equation organically as part of the process.

The bottom line is that the onus is on financial institutions to continue to improve their techniques in order to stop the latest fraud methods, and in this case hacktivists, from plaguing their business. NuData Security can help security teams at big global banks sleep better at night by providing them a way to filter these bad actors right out of the picture, and do it in a way that's invisible to the end customer and to the hackers, denying them the invitation to hack.

In recent years banks have suffered huge blows to their reputations and can redeem much of that by taking steps that not only put on a security show for customers, but actually improve security and customer happiness. Harnessing the power of behavioural and biometric analytic technology empowers banks to focus on how to treat good customers well at the same time as keeping them safer.

Researchers encounter denial-of-service botnet made up of more than 25,000 Internet-connected closed circuit TV devices

Following the news that researchers have encountered a denial-of-service botnet made up of more than 25,000 Internet-connected closed circuit TV devices, Stephanie Weagle, Senior Director at Corero, provided @DFMag with the following comment:

“The Internet of Things comes with advantages, as well as a host of security disadvantages. To begin with, IoT devices such as closed circuit TV devices often do not have strong security features built into them to prevent hackers from accessing them. Aside from personal privacy and security concerns that result from these security gaps, the bigger danger is that these connected devices can be harnessed by hackers to form a botnet, which is an interconnected network of computers infected with malware without the user’s knowledge.

“Botnets are also known as “zombie armies” that can be deployed on thousands—if not millions—of connected devices to send a spam attack, spread malware or launch a distributed denial of service (DDoS) attack. The more Internet-connected devices there are, the greater the potential for extremely large botnets.”

Cyber & Information Security Experts share their thoughts on what Brexit means for the industry

Following the news this morning that Britain has decided to leave the European Union, @DFMag obtained the following comments from industry experts:

Richard Patterson, director of Comparitech.com is greatly concerned about the risks to online privacy this exposes:

“With the announcement this morning that the UK has decided to leave the EU, it could spell bad news for privacy. The Investigatory Powers Bill, or Snooper’s Charter as it’s more aptly dubbed, is imminent pending a review in the House of Lords. This would enable ‘bulk hacking’ of communications on a large scale from GCHQ on whole towns, for instance. Without the checks and balances that the EU Courts provide, an important role in overruling overzealous government laws which could erode privacy is taken away and there is a real danger that privacy as we know it will hang in the balance.

“A recent OnePoll survey carried out on behalf of Comparitech.com found that almost half of the population was unsure about the effect Brexit would have on their privacy.  The erosion of privacy rights issue may have slipped through the backdoor while everyone was focusing on immigration and spending.  But if privacy is something that concerns you, now is the time to make it known to your Local MP and push back to protect your civil liberties.”

Dietrich Benjes, VP of strategic accounts and alliances EMEA at Varonis, comments:

“The UK has been the biggest single market for tech in the EU, so many tech companies have their EU HQs here or at least a very strong presence. Now that the UK has voted out, the economic ramifications are already being felt and will carry on being felt regardless of the sector. However, I think there is a very strong and compelling case to remain and further invest in the UK. It’s now down to the government to engage with business and communicate the strength of that case. As long as companies in the UK continue to do business with those in the EU, and they will, then GDPR will still need to be addressed. And regardless of the regulation, the impetus for it – the need to ensure that sensitive information, personal information is secure – remains.”

Green, technical specialist at Varonis, adds: 

“UK voters have decided to escape the EU, so that means they’ll be free of the GDPR, right? Not really. As many observers have pointed out, the GDPR applies even to companies or “data controllers” outside the EU. This is the extra-territoriality nature of this data law (see article 3). So if UK-based web sites collect personal data from, say, a Dutch or French person, the GDPR still applies! And for UK companies with subsidiaries (and therefore data controllers) within the EU, and which try to get out of the GDPR by outsourcing processing to the UK, the GDPR, again, would still apply.

Why? Under the GDPR, the UK would have to be an “approved country” (with adequate data protection) in order for EU personal data to be transferred out of the zone. In other words, the UK local data laws would have to be up to snuff and at the same level as the GDPR.

UK companies doing business in the UK, collecting only personal data of UK citizens, will be covered by the current Data Protection Act, which is basically the EU Data Protection Directive (DPD), the law of the land in the EU now. The UK’s local data laws are and will likely be in the future close to the current GDPR. In short, large UK-based multinationals will still have to deal directly with the GDPR, and local UK companies will be under a GDPR-like local data law.”

Aftab Afzal, SVP & GM EMEA at NSFOCUS IB commented: 

“Brexit will have an impact on the industry as a whole. However it is too early to speculate on this being positive or negative. The coming weeks and months will be a telling time. Cyber security is a global challenge and not EU specific. With the vote being so close, the unrest will translate into some increased cyber attacks and organisations at the forefront should take extra caution. As many cyber security vendors report dollar revenues, currency market volatility could see some prices increased.

I do not foresee any big changes short term in cross border collaboration in cyber security. Longer term, the vendors with global research teams who contribute to intelligence communities will play a bigger role in cooperation, as cyber security has always been a global issue.

GDPR is just one of many compliance drivers that ensure sensitive and personal data is handled with care. Compliance is born from best practices and when or if the UK mandates a new data policy, the main tenets of GDPR will no doubt be considered as the Government has to ensure the public safety, both physically and virtually.”

Simon Crosby, CTO and co-founder commented: 

“The incredible technical talent in the UK just became a lot cheaper for foreign countries to hire. Sadly, they will suffer as their standard of living drops, and their opportunity to live and work in other countries in Europe is restricted. Ultimately, I expect many of them to leave the UK permanently for countries that will pay what they are worth, such as the USA. 

There is another longer term worry: over a third of research funding for universities in the UK comes from the EU. In the absence of new funding from the UK government, there will be a huge impact on universities’ ability to deliver highly skilled tech workers to the UK economy.”

UK Will Be More Vulnerable to Cyber Attacks By Leaving the EU, say some members of IT Security Industry

Over a third of those who work in the IT security industry (38 percent) fear that leaving the EU will make the UK more vulnerable to cyber attacks because they will no longer benefit from intelligence sharing with other EU states, according to new research conducted by Unified Security Management™ and crowd-sourced threat intelligence company, AlienVault®. 

The research, which surveyed the attitudes of around 300 IT security professionals at the Infosecurity Europe conference, also found that over half of respondents (52 percent) believe that UK organisations will still have to comply with EU legislation in order to trade with Europe.

Furthermore, the vast majority (78 percent) of those surveyed do not believe that their jobs will be made any easier by Britain leaving the EU. In fact, a significant proportion (22 percent) actively support EU legislation around data protection and believe that it benefits them and their work.

Javvad Malik, security advocate at AlienVault, comments: “Rather than offering an escape from the EU’s red tape, most people believe that they will still have to negotiate their way through complex legislation such as GDPR when Britain leaves the EU. But what’s more, a significant proportion of those surveyed believe that being part of the EU actually benefits them and their work. This is especially true of the industry’s attitudes towards intelligence sharing between EU states. Cyber attackers pay no attention to geographical boundaries, transcending borders and jurisdictions to maximize malicious effect. The truth is that we can provide a stronger and more robust defense against emerging threats by working together and sharing information.”

Probably due to the need to still comply with EU laws, the majority of respondents (66 percent) thought that the customer data held by their organizations will not be affected by Britain leaving the EU. But a quarter of those surveyed (25 percent) worry that the corporate data held by their organizations will be less secure after a ‘Brexit’, and 22 percent felt the same about the customer data held by their organizations.

As Javvad Malik observes: “The GDPR is due to come into force in 2018 and has the potential to significantly alter the way businesses handle data. At over 200 pages long, the regulation is possibly the most wide-ranging piece of legislation ever passed. But many Infosec professionals seem to view the legislation in a positive light, believing that stipulations such as ‘data protection by design’ will make the data held by their organizations more secure.”

Nasty zero-day discovered spread across Office 365

A particularly nasty zero-day has been discovered widely spread across Office 365. It’s spread by an email via Outlook which gives the appearance of an invoice in the form of an Office document. When users open it, a message will appear saying that the document was created with a previous version of the software, so users will need to click something to enable the content. If they click the message, it will open up the ransomware. The malware is currently only affecting users in Australia.

Nathan Turajski, senior manager at HPE Security – Data Security, said:

“Traditional malicious code protection typically found running on desktops—that relies on prior evidence of a threat such as a signature—is no match for these zero-day exploits that also incorporate new distribution techniques which catch ordinary users off-guard. However, enterprises can make an end-run around these threats by taking frequent data snapshots on a clean environment, using backup and recovery tools. While backup tools won’t prevent an attack, the intent is to recover quickly to a recent safe state, avoiding the consequences of being locked out of your valuable data.”

Expert update about the Retefe banking Trojan

Security researchers have been posting updates about the Retefe banking Trojan. While it’s been around for some time, targeting Sweden, Switzerland and Japan, it is now targeting UK banking customers. Using fake certificates, the Trojan is designed to trick victims into giving up their login credentials and other sensitive information.

Lisa Baergen, director at NuData Security, had the following comments:

“Like many Trojans, the Retefe Trojan is malware that requires unsophisticated users to participate in their victimhood by opening attachments. It’s still the case that many users will fall into this trap, but it’s also true that even the savviest users can still sometimes be fooled because these invitations can come across as extremely authentic. While behavioural biometrics can’t stop the data from being taken, what it can do is prevent it from being relevant and valuable to the thieves. Fraudsters buy this data and try to login to the account posing as the valid user or many other various ways the big hacker business uses stolen data.

Banks can defeat these fraudsters by understanding how good users behave. Passive biometric technology collects hundreds of behavioural signals over the lifetime of the account interaction. These signals can include how a user holds their device, how they interact with it, how they type their user name and password, among many other data points. These tools use machine learning and data analytics to build a non-PII profile of the individual so they can tell if the user is behaving as they usually do, or some anomaly is present that warrants a closer look. These tools also aggregate data from the biometric network of billions of events to determine if this user is behaving like other humans do, and can even predict bad behaviour.

With Risk Based Authentication (RBA), behavioural biometrics identifies suspicious activity in real-time during authentication. For example, with a potential MITB attack such as what would occur with Retefe, the online bank could dynamically launch an Out Of Band (OOB) authentication method, something not transmitted via the Internet such as a phone call or SMS. There are other interdictions that could take place, providing the bank further options to investigate and validate.

In this way, banks use behavioural biometrics to defeat fraudsters who are unable to faithfully reproduce the real user behavior making it impossible to use the relatively few credentials they may have bought or stolen. Eventually, the credentials and data the fraudsters have will become useless as more and more banks come to understand that knowing their users is the best way to make fraudsters irrelevant, and they deploy technology that can do just that.”

Hackers steal VerticalScope data totalling around 45 million accounts.

Hackers have stolen information relating to around 45 million accounts from VerticalScope, a Canadian media company that runs numerous support forums on various topics. @DFMag has the following comments from three cybersecurity experts, who’ve worked in the field for years.

Lee Munson, Security Researcher at Comparitech.com: 

“While there is little information about how the breach was orchestrated, there does appear to be some news about how VerticalScope Inc. was storing its customers’ passwords.

“Unfortunately, that news does not look good – it appears as though the majority of user credentials were subject to MD5 hashing, something that is hardly considered secure in this day and age.

“The fact that the stolen data is not yet on the dark web is largely irrelevant at this point in time as it is certainly available on the regular web. Considering the nature of the breached information, any potential damage has already been done.

“Potential victims will be pleased to hear that their financial data is reportedly secure but the combination of usernames, email addresses and passwords revealed in this breach may potentially be far more concerning, especially to anyone who has re-used their credentials across a number of forums of other online sites.

“Thus my advice with this breach, just like any other, is to change passwords immediately across all accounts that may be using the same credentials and to use different passwords for each account in the future, something made easy through the use of a password manager.”
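The storage point made in the comment above (user credentials hashed with plain MD5) in working code, as an added illustration that is not part of the original comments or of VerticalScope's systems. The first function reproduces the unsalted, single-pass scheme the comment describes; the second stores a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 digest, and the verifier recomputes from the stored parameters and compares in constant time. The sample accounts, the record format and the iteration count are constructed assumptions for this example, not values from the page.

```python
import base64
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Iterable, Optional

# Constructed sample accounts (not real data). Two users share a password on
# purpose, to show what an unsalted hash table reveals at a glance.
SAMPLE_ACCOUNTS = [
    ("alice", "sunshine1"),
    ("bob", "sunshine1"),
    ("carol", "T!ger-glass-orbit-47"),
]

# Assumption: a present-day iteration count for PBKDF2-HMAC-SHA256. The cost
# is the point; it turns one fast digest into hundreds of thousands of them.
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """Unsalted, single-pass MD5: the scheme the comment describes.
    Fast to compute, and the same password always yields the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record:
    'pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>'.
    A fresh 16-byte salt per record means identical passwords no longer
    produce identical stored values."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def pbkdf2_verify(record: str, password: str) -> bool:
    """Recompute the digest from the parameters stored in the record and
    compare in constant time, so timing does not leak how many bytes matched."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + scheme)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(expected, actual)


def shared_hash_count(hashes: Iterable[str]) -> int:
    """Number of stored values that coincide with another user's stored value.
    Anything above zero means identical passwords can be grouped straight from
    the leaked table, before any guessing takes place."""
    counts = Counter(hashes)
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    md5_table = [md5_store(pw) for _, pw in SAMPLE_ACCOUNTS]
    salted_table = [pbkdf2_store(pw) for _, pw in SAMPLE_ACCOUNTS]
    print("unsalted MD5 records sharing a value:", shared_hash_count(md5_table))
    print("salted PBKDF2 records sharing a value:", shared_hash_count(salted_table))
    print("verify alice / correct password:", pbkdf2_verify(salted_table[0], "sunshine1"))
    print("verify alice / wrong password:  ", pbkdf2_verify(salted_table[0], "sunshine2"))
```

The record carries its own iteration count so the cost can be raised later without invalidating existing users: on their next successful login the password is available in memory and can be re-stored under the new parameters.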

Mark James, Security Specialist at ESET:

Any insight into the breach and the way the passwords were stored?

“Storing precious data in the cloud and keeping it safe is rapidly becoming a hit and miss affair. You are often presented with a simple choice of being part of a community or website or not. The options for security sadly are not a choice for you, that’s down to the owners or operators. There is without a doubt a massive amount of information waiting to be plundered by cyber pirates, also bear in mind that keeping the data safe is only half the job, if it does get plundered or compromised making sure it’s unusable should also be a major factor when storing said data. There are many good and indeed bad processes for the safe storage of passwords and other critical information.”

The details are not on the dark web yet, is this good news for victims?

“Sadly not, we have seen many instances where the data appears at a later time, sometimes even years later databases appear with private data hacked from various sites. As with all breaches, changing your password should be your priority, then the next thing you need to do is change any passwords that you have duplicated for other sites and get in the habit of using unique passwords for all future logins. Often in these cases headlines read “ only limited information was stolen ”, that same “limited” information will and can be used for further phishing attacks to harvest more of your personal details by basing an attack on some previously stolen info that could be used to build a trust relationship with the victim. Always remember to be very cautious about opening any attachments or following links from within emails.”

Jonathan Sander, VP of Product Strategy at Lieberman Software comments:

“As more and more sites are breached and passwords are stolen, the hope is that users are getting the message that password use is not OK. If a bad guy gets access to their sports forum account, they probably are only in danger of angering the folks in their local clubhouse with fraudulent posts. If they used the same password at their bank as that sports forum, however, then maybe they’ll get kicked out of their club when they can’t pay their dues when their account is drained of all its funds.”

Cellebrite Optimises Forensic Triage Via Rapid and Controlled Extraction

Cellebrite, a leader in digital forensic extraction, decoding and analysis solutions, introduced an enhanced version of its UFED InField solution recently at Mobile Forensics World.

The new platform-agnostic software solution delivers simplified, secure forensic data access and control while streamlining investigative workflows as part of a multi-tier forensic architecture. An intuitive user interface and new selective extraction capabilities make accessing specific live device data quick and easy. These new capabilities accelerate investigations by extending extraction capabilities to investigators in the field, connecting lab and field personnel around the evidence collection process, and securing digital evidence that agencies can defend in court.

“Today, mobile forensics is touching every single type of crime we investigate, from petty theft, to high-profile, complex homicide investigations,” said Sgt. Frank Pace, Phoenix Police Department Digital Forensics Investigative Unit. “As a profession, we are at a point that we need to integrate digital forensics, related training and policies into our culture and processes. Every officer, investigator and prosecutor is going to need that to be effective in their job.”

Field tested and proven, the InField solution allows officers and investigators at every level and in any location to securely access and perform forensically sound logical and physical extractions of mobile device or SIM card data by timeframe, data types or relevant persons with minimal training.

Whether accessed via in-car workstations, laptops, tablets or self-service kiosks located at a station, this single-purpose, frontline solution supports the widest variety of device types with intuitive workflows that prevent errors or contamination of evidence. The InField software runs across hardware platforms, including the UFED Infield Kiosk and UFED TK. The new enhanced version now enables:

- Real-time Access to Qualified Digital Evidence: Field users can select and extract only the relevant data needed, based on time range or specific subject information. The Quick Copy feature encourages digital consent by allowing officers and investigators to copy only specific evidence from witnesses’ and/or victims’ phones, leaving personal data private.

- Centralised Management & Control: UFED InField simplifies end-to-end visibility and management of software updates, configuration modifications, user permissions and usage statistics by crime type and devices processed, to ensure evidence is properly managed and protected.

- Evidence Integrity: Built on the proven UFED platform, InField enables the real-time, forensically sound extraction of mobile device data and produces defensible evidence that investigative stakeholders can stand behind.

“Designed to work on our form factors or an agency’s existing laptops, UFED Infield delivers new and improved digital forensics workflows and the actionable intelligence necessary to quickly and effectively focus investigative efforts, reduce case backlogs and significantly shorten case cycle times,” said Ron Serber, Cellebrite Global Co-CEO.

GoToMyPC hacked – expert comments

Following the news that remote access service GoToMyPC is the latest company to fall victim to a ‘sophisticated password attack’, @DFMag received the following comments from industry experts:

Lisa Baergen, director, NuData Security:

“I sound like a broken record; but here we are again, news of yet another hack attack hits the wire. It’s only been a couple of weeks since TeamViewer user accounts were hijacked, and now GoToMyPC has been hit by a very sophisticated password attack. No matter how long it takes to come out, the bottom line is that organisations have to stop thinking “what IF” and accepting it should be seen as “WHEN” we get hit…

Although usernames and passwords can be changed, as is being asked here by Citrix, victims of a breach need to understand that every bit of information exposed is important and is building out solid packages of identity information on the Dark Web. Fraudsters are creating, selling and buying more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, fraudsters can ultimately do more damage and permeate a lot of these “temporary” point solutions and step-up authentication solutions a lot of organisations are putting up.

For example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Where credit card fraud was all the rage a couple of years ago, it is account takeover and new account fraud that is on the dramatic rise. In our own database of billions of behavioural events annually, we’re seeing generally a 10% month-over-month increase in new account fraud.

Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and know and trust it is not the hacker using all of our identity information online. User behaviour analytics can provide victims of this, and other breaches, with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to consumers. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the IDENTITY of the user behind the device.”

David Gibson, VP of strategy and market development, Varonis:

“The GoToMyPC attack illustrates that data breaches should be considered a real and inevitable possibility – even for the most secure environments.  Organisations need to get the basics right when it comes to securing their most valuable data, and disposing of information that is no longer necessary to the business. In this GoToMyPC attack, good corporate citizenship and a fast response enabled everyone to remain relatively safe – as long as everyone remembers to change their passwords. Folks are probably used to that by now, but they may not be following best practices for password hygiene.

For example, ‘dadada’! Even Mark Zuckerberg had a reminder earlier this month that you shouldn’t use the same password on multiple sites. From what we know, hackers worked from a list of cracked accounts that came from a 2012 breach at LinkedIn, and then reportedly got into his Twitter, Instagram and Pinterest accounts utilising the same password.

People are bad at coming up with their own passwords. We’re all guilty! For convenience, we make them obvious or short or both, and use them more than once. Hackers are good and getting better all the time at breaking them, either through brute force guessing or dictionary-style attacks if the hackers have access to the password hash.

The ‘correct horse battery staple’ method is a memory trick where each letter of the password represents a word in a story. You can read more about that here.”
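To put numbers on the ‘dadada’ example and the passphrase advice above, here is an added example that is not from the original comment or from any product named on the page. It uses the random-word form of the passphrase idea (each word drawn uniformly from a list with the OS random source) rather than the story-based memory trick the comment describes, because only a uniform draw gives an entropy figure that can be computed. The eight-word list is a constructed toy; the 7776 figure is the size of the well-known Diceware list and stands in for a real word list.

```python
import math
import secrets

# Constructed toy word list for the demo. A real list must be far larger;
# 7776 entries is the size of the standard Diceware list (assumption from the lead-in).
TOY_WORDS = ["correct", "horse", "battery", "staple", "orbit", "glass", "tiger", "river"]
DICEWARE_LIST_SIZE = 7776
LOWERCASE_ALPHABET = 26


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy (bits) of a secret whose `symbols` positions are each chosen
    uniformly from `choices_per_symbol` options. This measures how the secret
    was generated, not how it looks: a word someone picked by hand scores far
    lower than a word drawn at random from the same list."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(words, n_words: int, separator: str = "-") -> str:
    """Draw n_words uniformly (with replacement) using the OS CSPRNG.
    random.choice is not suitable for secrets; secrets.choice is."""
    if n_words < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(n_words))


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a secret of the given entropy when candidates can
    be tested at guesses_per_second: on average half the space is searched.
    Useful for sizing a policy against an assumed offline-cracking rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_policies() -> dict:
    """Constructed comparison: six random lowercase letters (the most charitable
    reading of 'dadada') against four- and six-word Diceware-style passphrases."""
    return {
        "6 random lowercase letters": round(entropy_bits(LOWERCASE_ALPHABET, 6), 1),
        "4 Diceware words": round(entropy_bits(DICEWARE_LIST_SIZE, 4), 1),
        "6 Diceware words": round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:28s} {bits:5.1f} bits")
    print("sample passphrase from the toy list:", generate_passphrase(TOY_WORDS, 4))
```

Note that ‘dadada’ itself is far weaker than the 28 bits shown for six random letters, since it was chosen, not drawn; the comparison gives the lowercase policy its best case and the passphrase still wins by a wide margin.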
