ISS World hack leaves thousands of employees offline - Comment

It has been reported that a cyber-attack has hit the major facilities company, ISS World, which has half a million employees worldwide. Its websites have been down since 17 February, and This Week in Facilities Management said 43,000 staff at London’s Canary Wharf and its Weybridge HQ, in Surrey, still had no email.

Commenting on this, Sam Curry, chief security officer at Cybereason, said “In the case of the ISS World ransomware attack, and all ransomware attacks for that matter, corporations can either become a hero or a villain. In the adrenaline rush of “crisis mode,” I hope the executives and security staff of ISS World choose to be heroes by protecting employees, being transparent and erring on the side of doing the right thing. We all hope for minimum damage, rapid recovery and strengthening of ISS World in the wake of this and of peers from their experience when the dust clears. In any cyber attack, transparency and clarity are what matter and like so many others we’ll wait to hear more in the coming days. Recently, Travelex suffered a significant breach and leadership was widely criticized for a slow response. That criticism was coming from pundits without specific knowledge of the incident. Let’s not “bayonet the wounded” because being a target and a victim is happening more and more frequently. Organizations today need to take a much more proactive approach to cyber hygiene by actively hunting for anomalies in their networks. Preventing, detecting and responding to incidents has to be highest on the list of steps being taken to minimize and reduce high impact breaches.”


Watchdog probes Redcar council cyber-attack

As reported by the BBC, a watchdog is probing a cyber-attack on Redcar and Cleveland Borough Council, which was still unable to provide any online services more than a week after its systems were crippled. The council’s website and all computers at the authority were attacked last Saturday, affecting 135,000 residents. The council notified the Information Commissioner’s Office (ICO) – the watchdog said the authority had “made us aware of an incident and we are assessing the information”.
Jake Moore, Cybersecurity Specialist at ESET:
“This indeed has all the hallmarks of a ransomware attack. The knock-on effects just show the devastation that this simple yet effective attack can leave in its wake.
This is by no means the first ever council to be hit with ransomware and nor will it be the last. Local governments have tight budgets but sadly, IT security still appears way down the priority list with some leaders. I would be surprised if this council was unaware of previous similar attacks, so it suggests they need a better understanding in how to protect their networks. Funding is a difficulty in local government but this is about assessing risk and must be addressed properly.
Offsite backups can be restored in hours when they are set up correctly so when they fail to be back up over a week later, serious questions should be asked. I never condone paying the ransom being asked as you can never be 100% certain you will see the money again, but no doubt the council will have this as a consideration if they are cornered. It’s better to prevent and protect rather than pay.”


EU unveils proposals to regulate AI

As reported by Verdict, the European Union will unveil a range of policy proposals to keep Big Tech in check. The package includes tougher rules for digital services, a single European data market and a white paper on artificial intelligence (AI).
The white paper is expected to include proposals for a regulatory framework for Europe’s AI sector, focused on high risk sectors and high risk uses of AI. This is likely to include biometric identification systems, such as facial recognition and deepfakes.
John Buyers, Head of International AI at Osborne Clarke LLP:
“Getting regulation right around a fast-changing, very powerful emerging technology is not easy and the Commission’s horizontal, one-size-fits-all approach is very ambitious. A lot of industries will be concerned that the right balance has been struck between enabling a vibrant European market in these new technologies and protecting the rights of EU citizens.
For post-Brexit UK, this initiative is highly significant – we know that the government is actively considering regulatory divergence where it would serve UK interests. Data and AI are areas where we can’t assume the UK will opt for alignment. So this White Paper sets a clear threshold for UK regulatory bodies to work with in deciding the right direction for the UK AI industry. Which direction are we going to take? The decision could prove to be highly determinative.”


Millions of Windows and Linux systems vulnerable to cyber-attack - Comment

It has been reported that fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium. TouchPad and TrackPoint firmware in Lenovo Laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.

Commenting on this, Tim Mackey, senior principal consultant at the Synopsys CyRC (Cybersecurity Research Centre), said “With supply chain cyber attacks on the rise in 2019, this research should serve as notice to software publishers that they are a critical component of the digital supply chain – regardless of what type of software they provide. In the case of insecure update mechanisms, or lack of cryptographically secure validation mechanisms for their software, they open the door for malicious attacks. This is due to the reality that most end users are not equipped to validate the legitimacy of the software they use and rely on the software delivery process to perform all validation. Importantly, when they can’t locate what they believe to be a solution for their issues from the vendor, they’ll download a potential solution from the internet with the potential result of a malware infection. Since device firmware executes on a computer before the operating system starts, the protections present from anti-malware solutions are rendered ineffective due to the ability of malicious firmware to behave in ways that allow anti-malware to believe there is nothing wrong with the computer system.

In the end consumers of any software, whether it be packaged commercial software, IoT firmware, computer drivers, or open source solutions, should first directly contact the supplier of their software for any updates or patches. While it might be convenient to apply a patch following an internet search, the reality is that third-party repositories could easily host malicious versions of software. This is why the first principle of patch management is to know where the software came from as that’s where any patches need to also originate.”


Michael Barragry, operations lead at edgescan, added “It seems a bit strange that software signing has become a modern standard when it comes to various programs and executables in general, whereas for firmware it has apparently been ignored on a massive scale. The practice of software signing ensures that an end-user can verify that what they are downloading is from a trusted source and has not been tampered with by a malicious actor somewhere along the way. Failing to do this for firmware essentially gives a free pass for malicious code to enter your system. Depending on the hardware that falls under the control of the firmware in question, this could lead to a multitude of attacks. Addressing this threat from an industry-wide perspective is not a small task and will require collective effort and cooperation from hardware vendors and OS manufacturers alike.”


Penetration Testing in the Age of Artificial Intelligence

The world as we know it is rapidly being impacted by A.I.-driven technology. It was only a decade ago when smartphones came to prominence, and now, the A.I. landscape is slowly hogging all the spotlight.

Markets rise and fall based on predictive algorithms, smart homes perform menial tasks based on people’s behavior and self-driving cars drive more accurately by the day, among other uses.

These innovations have been made possible by increased internet speeds, stronger computing hardware, and the rise of technologies like Edge and Cloud Computing.

However, all of the benefits come with equivalent hazards. Now that our personal data is situated in the cloud, it’s more vulnerable than ever to theft.

That’s why it’s not surprising that cybersecurity and secure server practices have received heavy emphasis in recent years.

But, before we dive right in to how A.I. fits in the whole cybersecurity puzzle, we first need to discuss the individual concepts in their current state.

White Hat, Black Hat

Cybersecurity, as a whole, encompasses a wide range of aspects from the hardware-level all the way to the social-level. It serves as a direct response to the malicious practice commonly known as hacking.

While hacking itself is an even more general term, ranging from phishing scams to malware attacks, hackers themselves aren’t all bad.

“White hat” hackers, for instance, use the same toolkit and adhere to the same practices as their more hostile counterparts, but their intent leans towards the improvement of security rather than breaking it.

Penetration testing (pen testing), also known as ethical hacking or white hat hacking, is conducted by white hat hackers to counter the threat from malicious hackers, commonly known as “black hats.”

Pen testing is an authorized simulated cyberattack on a computer system with the main goal of detecting vulnerabilities and weaknesses of a system.

The whole process is an end-to-end test that starts from gathering the necessary information all the way to reporting all of the detected weak spots.

Contrary to popular belief, penetration testing is not limited to hardware and software components; it also uses social engineering tactics to find employees who can be manipulated.

White hat hackers who conduct social engineering penetration tests do this by deceiving employees into giving out sensitive data or performing actions that create security weaknesses the testers can slip through.

Automate Everything

Unfortunately for white hat hackers, their black hat counterparts are up-to-date on the latest cutting-edge technologies themselves.

A.I.-assisted automation is used to drive large-scale bot networks (botnets) that launch massive Distributed Denial-of-Service attacks, among many other illicit activities.

In order to keep up with the pervasive threat, white hat hackers must be willing to keep up and adapt to the ever-changing landscape.

But, as with other industries that are automatable, there is a looming question of whether or not Artificial Intelligence would eventually replace the human aspect of penetration testing.

To answer that, we first need to examine the current state of A.I and how it could supplant the need for manual intervention.

Even though science fiction novels and movies have led us to believe that A.I. would be so advanced in the present day that they could easily pass as humans, unfortunately that’s not the case.

Chatbots have made great strides over the last decade, but they have a long way to go before they effectively mimic the way humans speak.

It’s an underrated aspect, but one that can make or break the social engineering side of an engagement.

On the plus side, A.I. can sift through a hundred thousand lines of data in a matter of seconds, and the search parameters don’t have to be fixed in advance since they can be adjusted on the fly.

Throw in a good Optical Character Recognition (OCR) plugin and they could easily have the ability to read text in pictures and handwritten notes.

Unlike humans that get tired, A.I. can run 24/7 non-stop. Plus, they could easily multiply and are highly extensible. You wouldn’t need to pay them for their services as well.

All of these are highly relevant to the information gathering process when performing penetration testing.

However, given the unpredictability of human emotions and the probability of human error, tactics would need to be adjusted on-the-spot given whatever context presents itself.

This is something that A.I. could eventually learn to analyze, but currently their models need to be trained further to cater to the inherent randomness.

Given a proper setup, A.I. can interface with different systems and follow its protocol exactly as it was designed, leaving little margin for error.

A.I. decision making might be rigid (to an extent), but it is consistent: the same inputs produce the same outputs, which is more than can be said for humans. Not to mention, it can generate extremely detailed reports in the blink of an eye.

Humans are prone to error and lapses in judgment and, depending on the sensitivity of the information to be handled, are harder to trust than technology that can be programmed or designed to “learn” new information.

A.I. avoids these weaknesses. So, why hasn’t A.I. fully taken over this whole process yet?

Man and Machine Working Together

Even though A.I. has come a long way in the past two decades, it still has a long way to go before it can fully take over the different types of penetration testing processes.

Despite the growing stack of benefits, the biggest argument against handing complete control of penetration testing to A.I. is its reliability.

While the A.I. can follow a set of instructions, it can easily be exploited by hackers that are prepared to take on the automated defense system.

Here’s an example of how attackers can subvert A.I.-based cybersecurity systems.

Machine learning, an application of A.I., learns and gets “smarter” by observing patterns in data and drawing conclusions about what they mean, whether the model runs in a large centralised system or on individual computers.

So if a particular activity (an unusual process, a burst of network traffic) repeatedly coincides with events the system has labelled as attacks, the system learns that the activity signals an attack.

It then triggers whatever response it has been configured to take against that attack.

The tricky part is that A.I.-savvy malware can feed false data to the security system, with the goal of disrupting the patterns that the machine learning algorithms rely on to make their decisions.

For example, fake records can be injected into the data the model learns from so that a process copying sensitive information looks like part of the regular IT routine and is therefore ignored.
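The poisoning described above, as an added illustration that is not part of the original article: a minimal statistical anomaly detector learns a per-process baseline of bytes sent per minute, and an attacker who can influence the training window pads it with large transfers so that a later exfiltration burst falls inside the learned “normal” range. The traffic figures, the z-score rule and the median/MAD alternative are all constructed for the demonstration, not taken from any product.

```python
"""Added example: poisoning a learned traffic baseline so exfiltration
looks normal, and a more robust baseline that resists the same trick.
All numbers below are constructed for illustration.
"""
from statistics import mean, median, stdev


def learn_baseline(samples):
    """Naive baseline: mean and sample standard deviation of the window."""
    return mean(samples), stdev(samples)


def learn_robust_baseline(samples):
    """Median / MAD baseline: a minority of injected outliers barely moves it."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, 1.4826 * mad  # scale MAD to approximate sigma for normal data


def is_anomalous(value, baseline, threshold=3.0):
    """Flag values more than `threshold` sigma above the baseline centre."""
    centre, spread = baseline
    if spread == 0:
        return value != centre
    return (value - centre) / spread > threshold


# Constructed training data: a backup agent normally sends 1-2 MB/min.
NORMAL = [1.2, 1.5, 1.1, 2.0, 1.8, 1.3, 1.7, 1.4, 1.6, 1.9] * 3  # MB/min
EXFIL = 40.0  # MB/min burst when the sensitive data is copied out

# Poisoned window: during the learning phase the attacker repeatedly
# generates large but harmless transfers so the model "expects" them.
POISON = NORMAL + [35.0, 38.0, 42.0, 45.0, 40.0, 37.0]


def detect_clean():
    """Baseline learned from clean data: the 40 MB/min burst stands out."""
    return is_anomalous(EXFIL, learn_baseline(NORMAL))


def detect_poisoned():
    """Same detector trained on the poisoned window: the burst now passes."""
    return is_anomalous(EXFIL, learn_baseline(POISON))


def detect_poisoned_robust():
    """Median/MAD baseline trained on the same poisoned window still fires."""
    return is_anomalous(EXFIL, learn_robust_baseline(POISON))


if __name__ == "__main__":
    print("clean baseline flags exfil:   ", detect_clean())
    print("poisoned baseline flags exfil:", detect_poisoned())
    print("robust baseline flags exfil:  ", detect_poisoned_robust())
```

The robust baseline only helps while the attacker controls a minority of the training window; if they can shape most of it, no statistic will save the model. The practical mitigation is not to learn from a window the attacker can influence at all: pin baselines from a known-clean period and review them before they are trusted.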

Thus, A.I.-centric approaches might be the future decades down the line, but for the time being, human-led pen testing still remains as the go-to for many prominent companies.

But, that doesn’t discount what A.I. can do for pen testing today. While it may not be a viable alternative to give it autonomy, pen testers could still leverage A.I. as a tool to aid their practices.

As mentioned earlier, A.I.-supported information gathering can help ease the burden of having to sift through piles of information. That would leave human pen testers more time to focus on other aspects.

White hat bots can be employed to combat malicious bots, and automated sniffers can be used to detect fraudulent sites before they can do any significant damage.

Reports can be automatically generated and steps can be easily documented with the help of automated tools.

A.I. – powered tools are also used to “look at” rendered web pages to determine the ones that most likely have actionable leads. 

Penetration testers currently do this by hand, which takes a lot of time because each screenshot has to be checked one at a time.

With the latest AI technology, however, and deep neural networks, performing this task – visually inspecting web-pages – can now be done through an automated process.  

There has never been an easier time to get into penetration testing. If you’re interested to start a career, you can read up on tech articles to help you get started on your journey.

Don’t feel too pressured that you need to catch up quickly with the latest trends. There’s a lot of ground to cover and you would need a lot of time to practice.

What’s next?

While it might be tempting to go for a DIY approach when it comes to protecting your site against cyber attacks — especially since there are a lot of available tools out there in the market — you might do yourself more harm than good.

For the most part, it is a good practice to work with reliable cyber security companies that do penetration testing since they have specialists who work on cybersecurity day in and day out.

Experts running pen tests against your network will find security gaps you would otherwise be unlikely to spot.


Chinese Spies Charged for Equifax Breach - Comment

The charging of Chinese spies for the 2017 Equifax breach has been widely reported recently, particularly in the US.

More information here: https://www.politico.com/news/2020/02/10/us-charges-chinese-spies-with-massive-equifax-hack-113129

As this news is surfacing, the US National Counterintelligence and Security Center has also published a report suggesting that “More foreign countries, militias and other groups are targeting US intelligence agencies with hacking … Not only that, but they’re increasingly targeting the private sector and government agencies that aren’t directly involved in national security”.

More information here: https://www.cnet.com/news/foreign-hackers-are-targeting-more-us-government-agencies-report-says/

In response to the Equifax Breach story and the recent report publication, Rosa Smothers, Senior VP of Cyber Operations at KnowBe4, has given the following comment:

“The DNI’s CI report indicates the private sector is increasingly a target of state-sponsored hacking efforts. The recent charges filed against four Chinese intelligence officers for hacking the credit reporting giant Equifax is a prime example of state-sponsored hacking to uncover sensitive information. The credit rating data provided could indicate a target’s financial vulnerability, which can then be used against them for China’s gain. This is the “spot” in our old Agency adage “spot, assess and recruit.””


High Assurance Security – Why Should We Care?

Written by Dr Bernard Parsons, CEO, Becrypt

Today, the cyber security requirements of government and the private sector are rapidly converging. On the one hand, traditional methods of cyber defence are failing in corporate environments, given the ever-evolving threat landscape. On the other, governments increasingly need to reduce their reliance on government-bespoke approaches to security, in order to deliver the operational benefits, flexibility and cost advantages of emerging technologies – from cloud to mobile and IoT.

High Assurance products and services seek to bridge this gap, allowing organisations to undertake informed risk management, defending against the more advanced targeted attacks, and highest impact risks, while enabling effective use of commercial “off the shelf” technologies.

What is High Assurance?

Definitions vary, but a typical starting point for a High Assurance system is a claim or set of claims that are made about a system’s behaviour, and an argument or evidence that a system will function as described (HAUK definition).

The approach to achieving this may be a selection of formal software verification methods, third-party expert evaluation, security testing and analysis, depending on the system characteristics and market needs. Formal verification itself is a rapidly evolving field driven in part by large platform vendors such as Amazon, who have a tremendous amount at stake regarding the correctness of their software platforms – we all do! (see provable security).

Given the complexity of most software platforms, and their vast, often practically unbounded, number of possible states, systems that seek to achieve high levels of assurance often look to integrate with hardware components that expose functionality on which to base security claims. Behaviour of hardware is typically more constrained (see for example HardSec blog), and any existing security analysis or evaluations can be inherited by the software that makes use of it. This principle is driving increased availability and use of hardware-based security functionality, from TPM chips, to Intel and Arm processor security extensions, as well as dedicated and evaluated hardware security platforms.

High Assurance systems may still have vulnerabilities, including those found within hardware, but the combination of explicit claims with constrained or verified security functionality means that associated risks can be both mitigated and quantified more effectively.
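An added illustration of the “claim plus constrained hardware behaviour” idea, not from the article or from Becrypt: a TPM Platform Configuration Register cannot be written, only extended (PCR_new = SHA-256(PCR_old || measurement)), so the software-level claim “these components, in this order, were loaded” can be checked by replaying a boot event log and comparing the result with the register value the hardware reports. The component names, measurements and event log here are constructed; a real deployment reads the TCG event log from firmware and obtains the PCR value from a signed TPM quote, which this example does not model.

```python
"""Added example: verifying a boot-integrity claim against a TPM-style
PCR hash chain. Component contents and the event log are constructed.
"""
import hashlib

PCR_INITIAL = bytes(32)  # PCRs 0-15 are all-zero after a TPM reset (SHA-256 bank)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """The only operation that changes a PCR: hash old value with the new digest."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """Digest of a loaded component, as firmware would record it."""
    return hashlib.sha256(component).digest()


def replay_event_log(event_log):
    """Recompute the PCR a verifier expects from an ordered (name, digest) log."""
    pcr = PCR_INITIAL
    for _name, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_boot_claim(reported_pcr, event_log, allowlist):
    """Claim: every logged component is on the allow-list AND the log
    reproduces the PCR the hardware reports. Both must hold."""
    for name, digest in event_log:
        if allowlist.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    if replay_event_log(event_log) != reported_pcr:
        return False, "event log does not reproduce reported PCR"
    return True, "boot claim verified"


# Constructed known-good components (hypothetical names and contents).
KNOWN_GOOD = {
    "firmware": measure(b"vendor-firmware-v1.2"),
    "bootloader": measure(b"bootloader-v7"),
    "kernel": measure(b"kernel-5.x-signed"),
}
GOOD_LOG = [(n, KNOWN_GOOD[n]) for n in ("firmware", "bootloader", "kernel")]


def good_boot():
    """Honest platform: the log and the hardware PCR agree."""
    hardware_pcr = replay_event_log(GOOD_LOG)
    return verify_boot_claim(hardware_pcr, GOOD_LOG, KNOWN_GOOD)


def tampered_log_boot():
    """An implanted kernel was really extended into the PCR, but the
    attacker presents the clean log: the chain no longer matches."""
    real_log = GOOD_LOG[:2] + [("kernel", measure(b"implanted-kernel"))]
    hardware_pcr = replay_event_log(real_log)  # what the TPM actually holds
    forged_log = GOOD_LOG                       # what the attacker claims
    return verify_boot_claim(hardware_pcr, forged_log, KNOWN_GOOD)


def reordered_boot():
    """Same components in a different order give a different PCR:
    extend is order-sensitive, so the claim covers sequence too."""
    swapped = [GOOD_LOG[1], GOOD_LOG[0], GOOD_LOG[2]]
    return replay_event_log(swapped) != replay_event_log(GOOD_LOG)


if __name__ == "__main__":
    print(good_boot())
    print(tampered_log_boot())
    print("order matters:", reordered_boot())
```

The point is the division of labour the article describes: the software verifier carries the explicit claim and the allow-list, while the property it leans on (a register that can only move forward through a hash) is supplied by hardware whose behaviour is far easier to analyse than the software stack above it.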

What High Assurance is not

Of course, most cyber security products today would not be categorised as High Assurance, either because exaggerated marketing claims replace evidence-based security claims, or because of the probabilistic nature of technologies such as signature-based malware detection and AI-based anomaly detection. That is not to say we should not include the use of such technologies, but we should recognise the different type of contribution they can make to informed risk management. If I want to reduce the occurrence of malware within a network, then I will run the latest anomaly detection. If I want a high degree of confidence that I have removed the risk of malware, then my controls will include something like a High Assurance gateway that provides network isolation, which in turn can increase the effectiveness of my anomaly detection software.

Why should we care?

If you’ve made it to this part of the article, you will probably have some differing perspectives on parts of the above and areas you could improve; I would be interested in your feedback. But too many consumers of cyber security products and services do not yet adequately distinguish between well implemented and well marketed security products, and others. In fact, they often do not have the resources, time and expertise to do so. Economists refer to this market dynamic as ‘Information Asymmetry’ and point out that it is one of the key drivers of market failure (often leading to further regulation).

In some sectors and for some categories of security product or service, third-party evaluations or accreditation schemes can address Information Asymmetry, but it is unrealistic to assume these can scale to address even a minority of the market’s needs.

Within the UK, the direction of travel from government seems to be towards placing more focus and then trust on the vendor’s standards and practices. If part of this leads to the encouraging of more formal security claims, and a closer relationship between these and marketing claims, the industry will make a significant step forward in addressing Information Asymmetry and supporting more informed risk management.


Reluctant Apple joins FIDO

Recently, it has been revealed that Apple, which has been one of the tech companies that appeared more resistant to the FIDO Alliance, has joined the biometrics and authentication standards body. FIDO was founded by companies including Google, Yubico and Microsoft and was later joined by multiple chipmakers, financial institutions and other tech companies.  Apple hasn’t actually announced that it joined the FIDO Alliance, but it has been listed as one of the 40 or so “board level members” on FIDO’s website.
Jake Moore, Cybersecurity Specialist at ESET:
“Strengthening the security of an account, whilst making it more convenient for the user, is a step in the right direction. As the private key is stored locally on the device, even if the website has suffered a data breach, the hackers would have no passwords to steal, minimising the risk of exposure online. People tend to struggle with the concept of cyber security so rendering it compulsory for them in a convenient way is the best way to add an extra layer of protection.”


RESEARCH: The Hole in the Bucket – Attackers Abuse Bitbucket to Deliver an Arsenal of Malware

The Cybereason Nocturnus Research Team is following an active campaign to deliver multiple different types of malware and infect victims all over the world. Due to the unprecedented number of malware types deployed in this attack, the attackers are able to steal a wide variety of sensitive data, mine for Monero, and ultimately deploy ransomware. All of the payloads observed in this campaign originated from a code repository platform, Bitbucket, which was abused as part of the attackers’ delivery infrastructure.

Key points:

  • Abuses resource sharing platforms: The Cybereason Nocturnus team is investigating an ongoing campaign that abuses the Bitbucket infrastructure to store and distribute a large collection of different malware. The attackers aren’t satisfied with one payload, they want to use multiple to maximise their revenue.
  • Attacks from all sides: This campaign deploys seven different types of malware for a multi-pronged assault on businesses. It is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and ultimately deploy ransomware.
  • Far Reaching: This ongoing campaign has infected over 500,000 machines worldwide thus far.
  • Modular and Constantly Updating: The attackers leverage Bitbucket to easily update payloads and distribute many different types of malware at once. In order to evade detection, they have an array of user profiles and continuously update their repositories, at times as often as every hour.
  • Many kinds of malware: The attackers use the Evasive Monero Miner to steal a combination of data, mine cryptocurrency, and deploy other malware including the Vidar stealer, Amadey Bot, and IntelRapid. They also use Predator the Thief, Azorult, and the STOP ransomware over the course of their activities.
  • Devastating impact: The combination of so many different types of malware exfiltrating so many different types of data can leave organisations unworkable. This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.

This highlights an ongoing trend with cybercriminals, where they abuse legitimate online storage platforms like GitHub, Dropbox, Google Drive, and Bitbucket to distribute commodity malware.
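Because the repositories in a campaign like this are updated as often as hourly, blocking individual file hashes lags the attacker; the delivery pattern itself (a non-browser process fetching executable content from a code-hosting or file-sharing platform) is a steadier pivot. The triage rule below is an added example, not part of the Cybereason research: it runs over constructed proxy log lines in a made-up format, and the hostnames, paths, user agents and domain list are all assumptions for the demonstration, not indicators from the campaign.

```python
"""Added example: triage rule for payload delivery via legitimate
code-hosting / file-sharing platforms, run over constructed proxy logs.
"""
import re
from urllib.parse import urlparse

# Legitimate platforms the write-up names as being abused for delivery.
HOSTING_DOMAINS = {"bitbucket.org", "github.com", "raw.githubusercontent.com",
                   "dropbox.com", "drive.google.com"}
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".zip", ".7z", ".rar", ".msi", ".ps1")
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/|Edg/")

# Constructed log format: <time> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "ua": ua}


def on_hosting_platform(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS)


def looks_like_payload(url):
    path = urlparse(url).path.lower()
    return path.endswith(PAYLOAD_EXTENSIONS) or "/downloads/" in path


def triage(lines):
    """Return (src_ip, url, user_agent) for each suspicious download:
    successful GET of payload-looking content from a hosting platform
    by something that does not identify as a browser."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != 200:
            continue
        if not (on_hosting_platform(rec["url"]) and looks_like_payload(rec["url"])):
            continue
        if BROWSER_UA.search(rec["ua"]):
            continue  # interactive browser download: leave for other controls
        hits.append((rec["src"], rec["url"], rec["ua"]))
    return hits


# Constructed sample log (all hosts, paths and users are fictitious).
SAMPLE_LOG = [
    '2020-02-05T10:01:02Z 10.0.0.5 GET https://bitbucket.org/exampleuser1/repo1/downloads/update.exe 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/79.0 Safari/537.36"',
    '2020-02-05T10:03:17Z 10.0.0.9 GET https://bitbucket.org/exampleuser2/repo2/downloads/setup.zip 200 ""',
    '2020-02-05T10:03:18Z 10.0.0.9 GET https://bitbucket.org/exampleuser2/repo2/downloads/miner.exe 200 "curl/7.68.0"',
    '2020-02-05T10:05:00Z 10.0.0.7 GET https://github.com/exampleorg/tool/blob/master/README.md 200 "Mozilla/5.0"',
    '2020-02-05T10:06:44Z 10.0.0.9 GET https://example.com/index.html 200 ""',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("suspicious download:", hit)
```

Expect noise from package managers, CI runners and update tooling, which also fetch archives from these platforms with non-browser user agents; the rule is for triage, and is most useful joined with process-creation telemetry (which process made the request, and what it launched next) rather than as a blocking control.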


New PayPal phishing campaign tricks users to send over passport details - Comment

A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data – even going so far as to ask for social security numbers and uploaded photos of their passports. The campaign starts with a fairly run-of-the-mill phishing email, purporting to be from the online payment company’s notifications center, which warns victims that their account has been limited because it was logged into from a new browser or device. The email recipient must verify his or her identity by clicking on a button, which is a bit.ly address that then redirects the browser to an attacker-owned landing page, which asks for a complete rundown of personal data.

Full story here: https://threatpost.com/active-paypal-phishing-scam-targets-ssns-passport-photos/152755/
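The two link tricks in the campaign above, a call-to-action button whose href is a URL shortener and a link whose visible text or claimed brand does not match its destination, are both checkable before anyone clicks. The code below is an added example, not part of the Threatpost story or of the comment that follows: it extracts links from a constructed HTML email and reports each trick it finds. The shortener list and the brand-to-domain table are assumptions, and the sample message is made up.

```python
"""Added example: flag shortener links and text/destination mismatches
in a phishing email. The email and the lists are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # assumption
CLAIMED_BRAND_DOMAINS = {"paypal": {"paypal.com"}}                 # assumption


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels; a crude stand-in for a public-suffix lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_email(html, claimed_brand):
    """Return (finding, href, text) tuples for each suspicious link."""
    parser = LinkExtractor()
    parser.feed(html)
    legit = CLAIMED_BRAND_DOMAINS.get(claimed_brand, set())
    findings = []
    for href, text in parser.links:
        dest = registrable_domain(urlparse(href).hostname or "")
        if dest in SHORTENERS:
            findings.append(("shortener", href, text))     # hides the real landing page
        elif dest not in legit:
            findings.append(("off-brand-domain", href, text))
        # Link text that is itself a URL but points somewhere else.
        if text.startswith("http"):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != dest:
                findings.append(("text-href-mismatch", href, text))
    return findings


# Constructed message modelled on the account-limited lure described above.
SAMPLE_EMAIL = """<html><body>
<p>Your account has been limited because it was accessed from a new device.</p>
<a href="https://bit.ly/3xmpl">Verify your identity</a>
<p>Questions? Visit <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p><a href="http://paypal-secure-verify.example.net/login">https://www.paypal.com/signin</a></p>
</body></html>"""


def sample_findings():
    return analyse_email(SAMPLE_EMAIL, "paypal")


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Resolving the shortener to its final landing page is the natural next step, but do it from a sandboxed fetch with redirects followed one hop at a time, never from a user's browser; the point of the shortener is that the attacker-owned host only appears after the redirect.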

Commenting on the news is Javvad Malik, security awareness advocate at KnowBe4:

“We are seeing the criminals becoming more and more brazen in their attacks and methods. The key is to dupe someone into clicking on a phishing link; once that has happened, the criminal can ask for whatever they wish.

This is not uncommon, as we have seen this evolution in ransomware. Whereas previously ransomware only encrypted files, now criminals look to steal data and logins and as much information as possible.

Similarly, we could be seeing the emergence of a trend where phishing attacks look to gather more and more information.

It is why organisations need to ensure staff receive effective and timely security awareness training so that they can spot phishing emails and report them appropriately.”

