Month: May 2019

Automated facial recognition technology has rarely been out of the headlines. Police forces recognise biometrics as a potentially critical tool to improving the quality and efficiency of policing across the globe. As part of a diverse Digital Authentication strategy, automated facial recognition surveillance is becoming an integral part of our digital policing, with the UK Home Office planning to invest a huge £97 million into a broader biometric technology approach to safeguard our streets.

However, the latest court case against the South Wales Police as well as the Amazon backlash over the sale of its technology to the US police has highlighted that acceptance of the use of biometric technology as much as the maturing of the technology is important to achieve the expected benefits for the police.

Digital fingerprint based authentication is still widely regarded as having a higher level of maturity, has an implicit acceptance linked to the identity of the individual and delivers a lower false positive result. Facial recognition, when used as a stand-alone biometric, suffers from the risk of challenge or refusal to accept as in the case of the challenge to the South Wales Police pilot program. In addition, gender and racial bias as well as scenarios such as poor lighting and individuals wearing accessories impacts on reliability.

There is clearly a need to focus on how biometrics, as technology matures, can support identity verification at scale and to gain widespread public acceptance as part of a wider digital policing initiative according to Jason Tooley, Chief Revenue Officer at Veridium.

Jason comments: “Police forces around the world are looking to integrate the latest advancements in technology to enhance public security and cut costs, and biometric solutions are integral to this movement. With the maturing of biometrics techniques and many different scenarios to address, it’s imperative to use the right biometrics for the right requirements and to create a strategy that facilitates the use of multiple biometrics. We would advocate an approach that abstracts the identity verification and digital authentication processes from the services and creates a biometric platform to match the specific requirements of the police and the public.”

“There are current barriers to the acceptance of biometrics which will be overcome as trust in the technology becomes the norm. Fingerprint, being the most mature and widely used has high levels of acceptance today and is easily adopted by police and public.It requires public acceptance and doesn’t work for wider surveillance techniques but for individual verification, police moving to a digital fingerprint capture mechanism rather than physical has great benefits and the public are more likely to be accepting of enrolment. Facial recognition would be a surveillance at scale solution but the challenges of maturity and external factors as well as public acceptance are challenges to be overcome in the future.”

Jason continues, “It is imperative for police forces to take a strategic approach as they trial biometric technologies, and not solely focus on a single biometric approach. With the rapid rate of innovation in the field, an open biometric strategy that delivers the ability for the police to use the right biometric techniques for the right requirements will accelerate the benefits associated with digital policing and achieve public acceptance by linking the strategy to ease of adoption.”

(56)

Written by Dom Hume, VP Product & Technical Services,  Becrypt

As organisations continue to innovate to realise efficiencies through the use of increasingly sophisticated and pervasive mobile technologies, many are continually challenged by the risks associated with managing an ever growing device estate. Successfully managing the complexity of multiple software and hardware mobile platforms necessitates a practical, secure and cost-effective way to manage, monitor and track devices.

This is best achieved through implementing an end-to-end Mobile Device Management (MDM) strategy, that can sometimes require consideration of the entire software and hardware stack, to ensure valuable time and resources are used effectively in securing and monitoring mobile devices that accesses business-critical data.

I have summarised four of the themes we believe are important for organisations to consider when implementing a robust MDM strategy, much of which is based on work we have undertaken with UK Government.

Choose a device manufacturer committed to security patching

 It is important that you take into consideration that Android and iOS have fundamentally different approaches to the phone ecosystem. Apple has a closed eco-system, whereas Android is an open platform, and phone manufacturers are supported to build their own devices using  Android. Google releases updates and patches to its Pixel phones, at the same time as it releases patches to the wider Android community. It inevitably takes time for the individual manufacturers to integrate, test and release the patch to their handsets. Consequently, this can result in a period of time where publicly known vulnerabilities exist that may be exploited, for a period that depends on the responsiveness of the manufacturer. This situation is not directly mirrored in the Apple ecosystem.

It is worth also investigating the patch lifetime to which a manufacturer has committed, as this often correlates with patch responsiveness. Organisations with long-term projects may wish to consider specialist manufacturers such as Bittium that will commit to extended device lifecycles.

Plan your application lifecycle management

From an application provisioning platform perspective, the Apple App Store and Google Play Store perform the same functions. While there are some differences in approach, both no longer favour users’ side-loading applications.

Since its inception, the Apple App Store has implemented a quality and compliance gateway process, through which apps must pass before they appear on the store front. App developers can still sign their own apps and push them to devices, via some MDMs that offer private app stores. However, if an app developer’s certificate is revoked, the apps will no longer work.

A safer method is to get your developer to submit the app to the actual App Store, where apps are vetted to ensure they work and don’t affect the functionality and security of the device. For enterprise customers, Apple created the Volume Purchase Program (VPP) for businesses. This allows organisations to submit apps only for themselves or for specific customers to access.

It’s important to note that apps are not always delivered from Apple servers. They are in fact often provided by a Content Delivery Network middle man. All iOS devices have the App Store function built in; this can be switched off from an MDM server. Organisations can also push mandated apps and updates from the MDM server.

Google also has a vetting process for apps, subject to a review process that can be somewhat slow. While there is no dedicated business-only Play Store, Google offers a ‘Private Apps’ concept, allowing the user to differentiate between work and personal applications. MDM administrators can remove business apps from a managed phone. Similar to ‘Bring Your Own Device’, the organisation sets the rules and locks down the device, while allowing the user some freedom to adapt it for personal use. The user feels there is some degree of privacy afforded, but this is not a security feature per se.

Consider a ‘split proxy’ architecture for high-threat environments

Organisations that are considered high-value targets and are subject to sophisticated cyber-attacks have become increasingly concerned about the consequences of an MDM server compromise. Attackers that breach an MDM server can easily locate and unlock a device posing a serious threat to an organisation’s security. Compromised servers can also be used for subsequent lateral movement, or act as the ideal data egress point.

The data security challenges associated with managing mobile devices result from the characteristics imposed by the smartphone ecosystem. Such concerns apply regardless of whether an organisation’s MDM is on premise or consumed as a cloud service. MDM servers have complex communication protocols that interact with several internet-based services, such as push notification systems and online app stores. Usually, these communication channels are authenticated and encrypted end-to-end, preventing them from being inspected for threats.

Therefore, an organisation or its service provider can either open its firewall ports to an MDM server hosted in their most trusted network segment or host the MDM server in a less trusted segment – a ‘DMZ’ of sorts. Ultimately, this equates to either compromising a secure network, or sacrificing the MDM server.

One way to mitigate the risks of such a compromise is to choose a solution that employs a ‘split-proxy’ architecture. Utilising a series of proxy servers residing in a DMZ, these fulfil the range of encrypted communications with the smartphone ecosystem, which are required of an MDM server. MDM traffic is rendered inspectable by the proxies and is subjected to a web application firewall to test for anomalies.

The MDM server may be hosted within the secure network, with appropriately secured and managed communication with the proxy servers. This type of solution can provide a significantly improved level of defence, whilst being completely transparent to the end user.

 Consider the business objectives before implementation

Ultimately, organisations that prioritise data and employee protection as part of their MDM strategy should assess what they need from their mobile devices, and how they intend to be used. A multi-functional work device that requires access to multiple back-end systems including sensitive customer data will almost certainly demand a large budget spend, in addition to robust risk analysis capabilities.

On the other hand, a small business continuity project, that keeps employees informed of out-of-hours actions in certain circumstances, may be achievable without any MDM implementation at all.

Regardless of whether an organisation is operating in a high or low-threat environment, it needs to select an MDM solution that is resilient enough to protect its data from increasingly sophisticated and well-funded threat actors, who are intent on infiltrating the mobile ecosystem to compromise company data.

(96)

Written by Rick McElroy, Head of Security Strategy, Carbon Black

The threat to the cyber landscape continues to evolve at a rapid pace. High profile data breaches demonstrate not only the huge financial cost of being attacked, but also the considerable reputational damage that organisations face. With hackers continually moving the goal posts how can security and incident response (IR) teams fight back and effectively outpace their adversaries?

One area where there has been a notable increase in attacks is via third-party supply chains. Advanced cyberattacks are evolving as attackers target supply chains and undertake ‘island hopping’ to the extent that today this hacking technique poses a serious and complex threat to business. Though it’s not a new phenomenon, this type of attack increased in prevalence in 2018 and is becoming more and more common.

So why is this?
There are a multitude of risks facing almost all major supply chains, from geopolitics to financial pressures to natural disasters to cybercriminals, which makes it harder for organisations to keep track. In particular, island hopping tends to be initiated in smaller organisations where cybercriminals infiltrate their target organisation through its smaller partner target. Often, these smaller companies have more vulnerable security systems than the larger target organisations, making them easier for hackers to access. Once in, hackers take advantage of the trust between the two companies and use their shared networks to reach the true target. At this point, the whole supply chain, including customer data, is at risk.

For those less familiar with island hopping, the name comes from a WWII military tactic used by the United States in the Pacific. Also known as leapfrogging, this involved capturing smaller, strategically located islands and establishing military bases there, as opposed to outwardly attacking mainland Japan. From these new bases, Allied soldiers would start the process again and continue until they reached their ultimate target.
Here at Carbon Black we’ve been tracking the resurgence of island hopping in the technology world and we’ve witnessed the tactic becoming more prevalent and dangerous. Once a quarter we undertake Incident Response (IR) partner investigations and our latest Global Incident Response Threat Report, shows that half of today’s surveyed attacks leverage island hopping, meaning attackers are not only after a network, but supply chains as well. Interestingly, our survey also found that attackers are ‘fighting back’ against security teams while also targeting supply chains. More than half of our survey respondents (56%) encountered instances of counter-incident response in the past 90 days. What’s more 70% of all attacks now involve attempts at lateral movement, our survey found, as attackers take advantage of new vulnerabilities and native operating system tools to move around a network.

So attackers are fighting back. They appear to have no desire to leave the environment. And they don’t just want to rob your organisation and those companies in your supply chain, they appear to want to ‘own’ your entire system.

In particular, our survey found that while the financial and healthcare industries remain most vulnerable to these attacks, the threat to manufacturing companies has grown significantly. In the past 90 days, nearly 70% of all respondents saw attacks on the financial industry, followed by healthcare (61%) and manufacturing (59%, up from 41% in our previous report). Likewise, as island hopping has become a more persistent threat, the technique has taken on new forms. Here are three that I’ve seen and would recommend organisations keep an eye on:

Network-based island hopping
This is what we typically think of when we think island hopping – an attacker leveraging your network to hop onto an affiliated network. Of late this has often taken the form of targeting an organisation’s managed security services provider (MSSP) to flow through their connections.

Website converted into a ‘watering hole’
Nearly one fifth of our survey respondents saw a victim’s website converted into a ‘watering hole’ – a technique aimed at ensnaring a victim’s customers and partners. This is one of the greatest ways to attack a brand and as such organisations need to make this a brand protection issue. This means CMOs need to have their own cybersecurity strategy in place as it relates to their digital marketing footprint.

Reverse business email compromise
This is a new trend, occurring primarily in the financial sector, wherein attackers take over the mail server of their victim company and leverage fileless malware attacks from there to those who trust it. Some are calling it the modern bank heist.
So as you can see, even as we become more adept defenders, attackers are doing everything they can to stay out front. They’re developing and sharing new techniques, exploiting new vulnerabilities, and finding new ways to remain invisible in a network in order to own the entire system. As adversaries seek to wreak havoc, businesses and IR teams need to stay on the cutting edge if we want to fight back with success. This means that businesses need to be mindful of the companies that they are working with, and ensure those companies are doing their due diligence around cybersecurity as well.

(91)

(68)

On Friday, May 3, 2019, SophosLabs Uncut released detailed malware analysis of new ransomware called MegaCortex.

According to Sophos, MegaCortex was a relatively little-seen malware that suddenly spiked in volume on May 1. Sophos has seen MegaCortex detections in the US, Canada, Argentina, Italy, the Netherlands, France, Ireland, Hong Kong, Indonesia, and Australia. The ransomware has manual components similar to Ryuk and BitPaymer, but the adversaries behind MegaCortex use more automated tools to carry out the attack – this is unique. Up until now, Sophos has seen automated attacks, manual attacks and blended attacks, which typically lean more towards using manual hacking techniques to move laterally; with MegaCortex, Sophos is seeing heavier use of automation coupled with the manual component. This new formula is designed to spread the infection to more victims, more quickly.

As indicated in the SophosLabs Uncut article, MegaCortex Ransomware Wants to be TheOne, there is no explicit value for the ransom demand in the ransom note. The attackers invite victims to email them on either of two free mail.com email addresses and send along a file that the ransomware drops on the victim’s hard drive to request decryption “services.” The ransom note also promises the cybercriminals “will include a guarantee that your company will never be inconvenienced by us,” if the victims pay the ransom, and continues, “You will also receive a consultation on how to improve your companies cyber security.”

Sophos has the following protection recommendations:

• It appears that there’s a strong correlation between the presence of MegaCortex, and a pre-existing, ongoing infection on the victims’ networks with both Emotet and Qbot. If IT managers are seeing alerts about Emotet or Qbot infections, those should take a high priority. Both of those bots can be used to distribute other malware, and it’s possible that’s how the MegaCortex infections got their start
• Sophos has not seen any indication so far that Remote Desktop Protocol (RDP) has been abused to break into networks, but we know that holes in enterprise firewalls that allow people to connect to RDP remain relatively common. We strongly discourage this practice and suggest that any IT admin who wishes to do this put the RDP machine behind a VPN
• As the attack seems to indicate that an administrative password was abused by the criminals, we also recommend the widespread adoption of two-factor authentication wherever possible
• Keeping regular backups of your most important and current data on an offline storage device is the best way to avoid having to pay a ransom
• Use anti-ransomware protection, such as Sophos Intercept X, to block MegaCortex and future ransomware

 John Shier, senior security advisor, Sophos:

“We suspect this is your script kiddie/living-off-the-land ‘mega bundle’ and a good example of what we’ve lately been calling cybercriminal pen-testing. The MegaCortex attackers have taken the blended threat approach and turned it up to 11, by increasing the automated component to target more victims. Once they have your admin credentials, there’s no stopping them. Launching the attack from your own domain controller is a great way for the attackers to inherit all the authority they need to impact everything in an organization. Organizations need to pay attention to basic security controls and perform security assessments, before the criminals do, to prevent attackers like these from slipping through.”

(100)

The House of Lords Select Committee for Science and Technology has released its report on ‘Forensic Science’. The report highlights the increasing importance of digital forensics and digital evidence in criminal trials.

Commenting on the report, Dr Sarah Morris, Senior Lecturer in Forensic Computing at Cranfield University, who gave evidence in front of the Select Committee, said: “It is vital for the criminal justice system that digital forensics keeps pace with the latest technological developments.

“Digital forensics is a fast-paced field where each device, each software update and each operating system can have a significant impact, not only on, the types of artefacts available but also their meaning. The committee has rightly identified the gaps in understanding between forensic specialists and the legal profession. Too often too much pressure is put on digital forensic investigators to conclude their investigations.Their needs to be a greater understanding of the timescales involved to conduct a thorough analysis.

“The Committees’ call for increased understanding of the field within the legal profession, increased research provision and greater collaboration between the various forensic science professionals is very welcome and I hope that the Home Office considers its recommendations and responds positively to them.”

Launching the Committee’s report, Lord Patel, Chairman of the Committee said: “A free society is dependent on the rule of law which in turn relies on equality of access to justice. Simultaneous budget cuts and reorganisation, together with exponential growth in the need for new services such as digital evidence has put forensic science providers under extreme pressure. The result is a forensic science market which, unless properly regulated, will soon suffer the shocks of major forensic science providers going out of business and putting justice in jeopardy.

“The situation we are in cannot continue. Since 2012 the Home Office has made empty promises to give the Forensic Science Regulator statutory powers but still no action has been taken. We believe that seven years is an embarrassing amount of time to delay legislation; our forensic science provision has now reached breaking point and a complete overhaul is needed.

“If our recommendations are implemented and the Government adequately invests in forensic science, our forensic science market can return to a world-leading position.”

(70)

(106)