Month: December 2016

It has been reported that cybersecurity vulnerabilities in Panasonic in-flight entertainment systems, used by a several major Airlines (including Virgin, American and Emirates), allows attackers to control in-flight displays, PA systems and lighting, access passenger credit card data as well as the wider aircraft network, including the aircraft control domain. Below are comments from cybersecurity experts.

Stephen Gates, chief research intelligence analyst at NSFOCUS:

“In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important. As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems. This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s “experience” while flying, but have yet to prove they could impact flight control systems.  Let’s all hope that remains the case, long-term.

“It’s not too far of a stretch to suggest that flight entertainment systems could even be hacked from the ground, via the Internet access on the plane.  If remote access was gained while the plane was on the ground, or by way of a hacker planting a backdoor via an infected device while in flight, hackers could cause all kinds of disruption that would not directly impact them – since they’re not even on the plane.  Now that’s a scary thought…”

Mike Ahmadi, global director – critical systems security at Synopsys:

“Any system that gets the attention of the hacking/research community will eventually be found vulnerable.  There are literally an infinite number of ways to compromise any system.  Organisations need to constantly monitor and test their systems in order to keep up with security issues.  Moreover, organisations should assume compromise will happen and plan accordingly.”

Alex Cruz-Farmer, VP at NSFOCUS:

“Previous hacks and vulnerabilities have always been on the ground, but we’re now in the realms of something extremely scary – hacks in mid-air with no escape. The active threats will be growing, and with thousands of planes in the air, the remediation of this is going to be extremely complicated and time consuming. This will be a huge flag to all manufacturers to review their underlying platforms, and whether their integrated infrastructure has the necessary security around it to protect us, the passengers. If anything did happen it could at worst be life threatening leading this to be considered as major negligence across the multiple parties involved.”

(113)

Yahoo!’s latest revelation that more than one billion user accounts may have succumb to a cyber-attack in 2013 has been announced. Find below commentary on the breach.

Oliver Pinson-Roxburgh, EMEA director at Alert Logic:

“The most critical part of an incident response process is lessons learnt. Organisations need to question how far the rabbit hole goes in all cases. As things are detected during an incident, work streams should be started to question where else data resides and how can it be accessed from the systems hacked. The lessons learnt is second only to how you respond to an incident in the first place to an incident. How to respond relies on what information you have, getting pertinent information when under extreme pressure is tough when you in this position.

“It seems that in this case the investigators are still uncovering information, which again supports the fact that on average an attacker will be in 205 days or more before detection. It also supports the fact that, in many cases, organisations are unable to self-detect. An over reliance on blocking technologies and the lack of expertise, as well as the lack of  focus on detection coverage across the kill chain, is often the biggest challenge for organisations. In many cases for larger organisations the challenge of getting visibility is compounded by complexity, the fact the investigation is ongoing suggests that complexity is hampering them.”

David Gibson, VP of strategy and market development at Varonis:

“The fact that this is the second Yahoo! breach that has been disclosed in the last 3 months just goes to show how deep some of these major data breaches go. Many organisations are breached just as severely as Yahoo!, but may never know as they are not actively investigating.

“Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL user’s emails behind their security teams backs. The thing about backdoors is that bad guys can find them too.

“However, organisations also have a responsibility to their partners, customers and employees to protect sensitive information and disclose breach activity. Quite often breaches are confirmed, not by an organisation’s security teams, but by discovery and confirmation of leaked data on the Dark Web.

“Organisations should be taking steps to, not only safeguard data, but also provide forensic evidence when the worst happens. The first step in a data security strategy should be to instrument your environment to be able to a.) see who is accessing data, when, and how b.) profile normal behaviour, and c.) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access (i.e., the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that controls put in place stay in place so you don’t backslide to an insecure state.

“Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon.

“The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo!. Under the GDPR, the IT security mantra is “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo!.

“Passwords leaked were hashed with a VERY weak algorithm (unsalted MD5), however, if users changed their password after the last reported breach, they should be safe since this one happened in 2013. Interestingly, when I attempt to change my Yahoo! account password via 1Password using a random 32 character string, I get a vague error message. Yet it lets me use “thisismypassword”

(251)

If you are online checking emails, posting Facebook images, paying your bills, streaming the latest Netflix series or monitoring your baby in its crib, you may be exposing your sensitive information. While consumers are online shopping for presents and new gadgets this season, cyber criminals are online stealing their information and hijacking their devices. As we gather more connected things, and collect more sensitive data, we expose ourselves and put ourselves at more risk of security incidents.  That is the nature of how our digital lives have evolved.

To help consumers and business people better protect themselves online, Varonis Systems, Inc. a provider of software solutions that protect data from insider threats and cyber attacks, has teamed up with renowned security expert Troy Hunt to offer five simple but effective steps the everyday user can take to secure themselves online and their organisation.

The online course, “Internet Security Basics, 5 Lessons for Protecting Yourself Online,” was created exclusively for Varonis and is designed to teach the everyday connected individual about the top five online security risks they face and how to protect themselves, including:

• Practicing better password hygiene
• Identifying website trustworthiness and phishing
• Understanding the importance of software maintenance
• Establishing mobile device and app security
• Minimising the risks of household and corporate IoT

The on-demand course, intended to be consumable by anyone with basic familiarity with computers, web browsers and mobile devices, is divided into seven byte-sized modules that take just a few minutes to watch. The course can also provide an effective supplement to organisations’ ongoing efforts to keep their employees trained and vigilant about online risks.

Troy Hunt is a security expert and trainer, author, and creator of the free data breach service, “Have I been pwned?” As a leader in online training for technology professionals, Hunt distills complex technology and cybersecurity subjects into relatable explanations.

David Gibson, VP of Strategy and Market Development at Varonis, said, “We’re pleased to partner with Troy Hunt once again for this free video training course. We wanted to create a resource that both consumers and business people can use for online safety awareness and best practice tips to mitigate risks in their online environments. According to a recent Ponemon study, IT security practitioners say insider negligence is more than twice as likely to cause a compromise than any other culprit. By increasing awareness, we hope more consumers and employees will take preventive measures with their online security.”

(95)

Check Point has revealed that the number of ransomware attacks using Locky and Cryptowall both increased by 10% in November as the company released its monthly Global Threat Index, a ranking of the most prevalent malware families attacking organizations’ network.

Check Point found both the number of active malware families and number of attacks remained close to an all-time high as the number of attacks on business networks continue to be relentless.  Continuing the upward trend from October’s data, Locky ransomware continued to increase in prevalence with a further 10% increase in the number of attacks using this family – a pattern mirrored by the fifth most common malware, Cryptowall.

The pattern highlights the growing threat posed to corporate networks by ransomware and suggests that many organizations are simply paying ransoms to secure the return of their files, making it an attractive – and lucrative – attack vector for cyber-criminals.  For the eighth consecutive month, HummingBad remains the most common malware used to attack mobile devices.

Once again Conficker retained its position as the world’s most prevalent malware, responsible for 15% of recognized attacks. Second-placed Locky, which only started its distribution in February of this year, was responsible for 6% of all attacks and third-placed Sality was responsible for 5% of known attacks. Overall the top ten malware families were responsible for 45% of all known attacks.

1.  Conficker – Worm that allows remote operations and malware download. Infected machines are controlled by a botnet, which contacts its Command & Control server to receive instructions.

2.  Locky – Ransomware, which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip file attachment, which then downloads and installs the malware that encrypts the user files.  Locky was the no.1 malware family in the largest amount of countries (34 countries compared to Conficker, which was the top malware in 28 countries).

3. Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.

The Ramnit banking trojan saw the largest increase in attacks globally in November, entering Check Point’s top 10 ranking for the first time as the 6^th most common malware.  It more than doubled its amount of infections since last October, and was mainly seen in Turkey, Brazil, India, Indonesia and the U.S. Ramnit is used to steal banking credentials, FTP passwords, session cookies and personal data.

The UK was also the 48th most attacked country globally (up sharply from 81st in October), higher than the US (87^th) and Germany (85^th) and France (82nd).

Mobile malware families continued to pose a significant threat to businesses. The three most common mobile families were:

1.  HummingBad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications and enables additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.

2. Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

3.  Ztorg– Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.

Nathan Shuchami, Head of Threat Prevention at Check Point explained, “Ransomware attacks are still growing in volume for a simple reason – they work, and generate significant revenues for the attackers. Organizations are struggling to effectively counteract the threat posed by this insidious attack form; many simply don’t have the right defenses in place, and may not have educated staff on how to recognize the signs of a potential ransomware attack in incoming emails.  This, of course, only makes it even more attractive to criminals.

“Organizations must use advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage, to ensure that they are adequately secured against the latest threats,” added Shuchami.

Check Point’s threat index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time.  The Threat Map is powered by Check Point’s ThreatCloud^TM intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors.  The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html

(80)

CEOs, MDs and board level execs are being targeted in the latest online security scam which takes advantage of the busy diaries of senior business figures.

‘Whaling’ – a form of spear phishing – sees high-net-worth individuals hoodwinked into authorising online payments to cyber scammers posing as employees or legitimate suppliers.

Notably different to other spear-phishing attacks because of the sums of money involved, cases of the online ‘confidence trick’ are on the rise with huge sums at stake – one MD approved a £30m payment in a single incident.

The targeted spear-phishing attacks use methods such as pretexting and baiting – creating fabricated scenarios and offering free products to build up a fake sense of trust before stealing sensitive information.

Often frontline workers are targeted to gain access to bosses’ credentials and information, helping attackers build a credible method of approach to their target.

Posted as urgent and looking legitimate, employees are being duped by the ‘whaling’ techniques, resulting in CFOs and CEOs making massive payments into accounts not run by the company.

Louie Augarde, cyber security specialist at Omni Cyber Security, warns if hackers are able to disrupt sophisticated companies like Twitter and Facebook what’s to stop them from hacking you?

“The clean-up of an attack like this is massive so it’s extremely important for C-level employees to sit up and listen. The FBI recently lost 20,000 records from someone calling the helpdesk and pretending to be a new employee. If it can happen to them it can happen to anyone.”

Paul Johnston, penetration tester at application security specialist company, Secarma, warns that cyber thieves are ready and waiting.

“Nothing is going to stop them, so it’s your responsibility to be prepared. Rather than educating your workforce you actually need to test them. There are three steps you need to take with your employees: tell them, test them, and then invest in more technology.

“The tech you must invest in is a secure email system. You will see this implemented in security-aware companies. The cost isn’t high, and if you’re looking at the potential cost of an attack then the cost of being safe is priceless.”

With over 8,000 phishing attacks occurring every month in 2016, Lawrence Jones, CEO of internet hosting firm UKFast, believes it’s essential, now more than ever, for companies to step up their cyber security game.

He said: “Cybersecurity is in the news daily and the risks are growing at an alarming rate. We look after nearly 6000 businesses online and we are seeing this kind of confidence trick working with alarming regularity. It’s only a matter of time before a large business is brought down by one of these attacks. It’s time for firms to knuckle down and strengthen their cyber security defences.”

Andrew Barrett, managing director at cyber risk management firm Coal Fire Systems, has seen first-hand just how devastating these attacks can be.

He said: “We’re seeing more and more of this switch from the guy on the corner of the street trying to sell something dodgy in person, to criminals performing advanced, persistent attacks on individuals online.

“This is a new cyber attack mixed with serious human error. I’ve seen attacks in which cyber thieves call up payroll departments pretending to be a C-level employee and say they want to change their sort code and account details. The effects can be devastating.”

The comments were made at a round table event held by cloud and colocation firm UKFast, at UKFast Campus in Manchester.

(450)

Following the news that an unknown hacker has supposedly breached video sharing platform DailyMotion and stolen details for 87.6 million accounts, please see below for a comment from Lee Munson, security researcher at Comparitech.com:

“While some 85 million users may be sweating over the apparent breach of DailyMotion, the actual damage caused by the attack, if confirmed, is likely to be very small indeed.

“The reason for that is the fact that the site used bcrypt hashing to protect users’ passwords, making them extremely hard to crack.

“Even though the use of a strong hashing function is extremely good news, it does not guarantee that passwords cannot be extracted, meaning users should still seriously consider changing them anyway.

“On a slightly more negative note, it does appear that email addresses may have been compromised though – DailyMotion account holders should therefore be on their guard against targeted attacks, especially phishing emails which may come their way, asking them to click on a link to update their passwords!

“Also concerning, if the breach is confirmed, is the fact that the attack is believed to have occurred on 20 October, giving the attacker(s) plenty of opportunity to make good use of any stolen credentials long before any official word comes from DailyMotion itself.”

(71)

Yesterday, the BBC broke the news that thousands of TalkTalk and Post Office customers had their internet access cut by an attack on certain routers. See below for several comments from cybersecurity experts.

Stephen Gates, chief research intelligence analyst at NSFOCUS:

“The upsurge of commercial, industrial, and municipal IoT-based attacks and outages was part of my predictions for 2017.  It appears the world will not wait for January 1, and the weaponisation of these technologies has arrived – ahead of schedule. No longer can service providers continue to operate their vulnerable networks in this fashion.   Hackers apparently have them in their cross hairs, and the damage they can cause to their scantily secured infrastructures will continue to be a major pain in the backside for their customers; who are now likely looking for other options.”

Mike Ahmadi, global director – critical systems security at Synopsys:

“Massively scalable attacks are the current trend in cybersecurity, and this should raise concern among all users and organisations.  We have multiple issue to deal with here.  One is the fact that most product vendors and organisations deploying the products remain unaware of the level of vulnerabilities in their systems.  The other issue is for those that are aware, strategies to mitigate against large, scalable attacks are either rudimentary or non-existent.  Simply put, organisations are not good at preparing for what they do not know about.  The amount of risk out there is staggering, but there are ways for stakeholders to raise their awareness and come up with more effective pro-active strategies.”

Gavin Millard, EMEA Technical Director of Tenable Network Security:

“With the battle for control of poorly configured IoT devices and routers being played out by multiple cybercriminal gangs at the moment, having default credentials on any device connected to the internet has a high probability of ending up with some derivative of Mirai installed. Any device that requires an inbound connection from the internet should have a strong, non default, password rather than one of the list Mirai is currently targeting. If you do have something with default credentials, reboot it and change the passwords immediately.”

Adam Brown, manager, security solutions at Synopsys:

“Now that the source code for Mirai is out there this will most likely not be the last that we will see if this type of attack. Modern routers with 1+GHz CPU’s make a great platform for a Botnet army and being located at the end of a high speed broadband connection make a great base for executing a DDoS attack. This outage may just be the first symptom of these infections. Suppliers of hardware like this must ensure they govern their supply chain.”

Andy Green, senior technical specialist at Varonis:

“The lessons that should be learned from these ongoing Mirai attacks is just how vulnerable we were as a result of our own IT laziness. Sure, we can excuse harried consumers for treating their home routers and IoT gadgetry like toasters and other kitchen appliances – just plug it in and forget about it. So what excuse do professional IT types have for this rookie-level behaviour?

Not much!

Unfortunately, default-itis still plagues large organisations. As recently as 2014, the Verizon DBIR specifically noted that for POS-based attacks, the hackers typically scanned for public ports and then guessed for weak passwords on the PoS server or device – either ones that were never changed or were created for convenience, “admin1234”. This is exactly the technique used in the Mirai botnet attack against the IoT cameras.

Even if hackers use other methods to get inside a corporate network — phishing, most likely — they can still take advantage of internal enterprise software in which defaults accounts were never changed.

For those organisations who think that the Mirai botnet incident has nothing to do with them, or have to convince their board of this, here are two points to consider.

1.       The lesson of the Mirai botnet attack is that the perimeter will always have leaks. For argument’s sake, even if you overlook phishing scenarios, there will continue to be vulnerabilities and holes in routers, network devices, and other core infrastructure that allow hackers to get inside.

2.       Human nature tells us that IT will also continue to experience default-itis. Enterprise software is complicated. IT is often under pressure to quickly get apps and systems to work. As a result, default accounts and weak passwords that were set for reasons of convenience — thinking that users will change the passwords later — will always be an issue for organisations.

You have to plan for attackers breaching the first line of defences, and therefore have in place security controls to monitor and detect intruders.

In a way, we should be thankful for the “script kiddies” who launched the Mirai botnet DDoS attack: it’s a great lesson for showing that companies should be looking inward, not at the perimeter, in planning their data security and risk mitigation programs.”

Lisa Baergen, director at NuData Security:

“The unfortunate reality is that organisations that have been victimised by a breach can find themselves getting targeted over and over as cybercriminals seek to exploit previous known weaknesses or test systems to find new vulnerabilities.”

(95)

There is a new infographic from credit reference agency Equifax that looks at public awareness of identity theft, with original research conducted by YouGov. It also includes steps on how to avoid becoming a victim.

In the run-up to Christmas, millions of people across the country will be handing over personal and financial details while doing their Christmas shopping online. A growing danger is that these details could end up in the hands of criminals looking to commit identity theft.

(117)