STE WILLIAMS

New phishing campaign uses 30-year-old Microsoft mess as bait

Oct 24

The ever-vigilant folk at the Internet Storm Centre (SANS) have spotted yet another campaign trying to drop the Locky ransomware using compromised Word files.

As Internet Storm Center handler Brad Duncan writes, the vector in the Word documents is Microsoft Dynamic Data Exchange (DDE), a feature that lets an Office application load data from another file. This is the same kind of attack that was spotted last week in a phishing campaign launched at Freddie Mac.

Duncan outlines the attack approach in this flowchart:

[Flowchart: Necurs Locky DDE attack. Image: Brad Duncan, SANS]

The phishing messages carrying this attack come from the Necurs botnet, he writes, and as with other DDE attacks the aim is to convince users to OK through the security warnings. A fake invoice is the scammers’ preferred weapon.

If the attack cons the victim, the poisoned document fetches a downloader, which in turn pulls an encrypted copy of Locky that is decrypted on the target machine.

Once the ransomware has launched and encrypted the victim’s hard drive, Locky deletes itself (the downloader is left behind) and a demand for 0.25 Bitcoin is issued.
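The DDE lure described above lives in a field instruction inside the document’s XML, so it can be found without opening the file in Word. The following scanner is an added example for defenders, not code from the article or from SANS: it treats each .docx as the zip container it is, joins the `<w:instrText>` runs that Word splits a field code across, and reports any part whose instruction contains `DDE` or `DDEAUTO`. The function name and the quarantine path in the usage line are assumptions for this example.

```powershell
# Added example (not from the article or SANS): report DDE / DDEAUTO field codes in .docx files.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-DdeField {
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $hits = @()
        # Field codes can sit in the body, headers, footers or footnotes, so check every word/*.xml part.
        foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like 'word/*.xml' }) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # Word splits one field instruction across several <w:instrText> runs; join them before matching
            # so that a split like "DD" + "EAUTO" is still recognised.
            $instr = ([regex]::Matches($xml, '(?s)<w:instrText[^>]*>(.*?)</w:instrText>') |
                      ForEach-Object { $_.Groups[1].Value }) -join ''

            # Simple fields carry the instruction in an attribute instead.
            $instr += ' ' + (([regex]::Matches($xml, '<w:fldSimple[^>]*w:instr="([^"]*)"') |
                              ForEach-Object { $_.Groups[1].Value }) -join ' ')

            if ($instr -match '\bDDE(AUTO)?\b') {
                $hits += [pscustomobject]@{
                    File        = $Path
                    Part        = $entry.FullName
                    Instruction = $instr.Trim()
                }
            }
        }
        return $hits
    }
    finally { $zip.Dispose() }
}

# Usage (the quarantine path is a placeholder for this example):
# Get-ChildItem -Path 'C:\Quarantine' -Filter *.docx -Recurse |
#     ForEach-Object { Find-DdeField -Path $_.FullName } | Format-Table -AutoSize
```

The check only covers the OOXML formats (.docx, .dotx and friends); the legacy binary .doc format is an OLE container, not a zip, and needs a different parser. A hit is not proof of malice on its own, since DDE has legitimate uses, but a DDE field in an unsolicited invoice is exactly the pattern this campaign relies on.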

Duncan writes: “This is an interesting development, because it shows how the DDE attack technique has spread to large-scale distribution campaigns. It’s not new, and I’m not sure how effective it really is. If you know of anyone who was infected from one of these DDE-based Office documents, please tell your story in the comments.”

The Register noted last week that DDE (Dynamic Data Exchange) has been around since 1987, and it’s an increasingly popular target for attackers.

Since users have to okay execution, Microsoft steadfastly insists DDE is a feature, not a bug. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/23/locky_spread_by_necurs_botnet_in_dde_attack/

Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta

Oct 24

A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead.

The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders.

Though controlled folder access has been known about for months – it surfaced with Insider builds earlier this summer – the feature is only now being thrust into the spotlight with the general public release of the Fall Creators Update for Windows 10.

For most users the feature can be enabled through the Windows Defender Security Center app: open the Virus & threat protection screen within Defender and switch on the controlled folder access option.


For enterprise users and administrators, controlled folder access can also be activated through PowerShell, Group Policy, and MDM configurations.

Once the feature has been activated, essential directories like the user’s documents folder are locked off from any malicious applications that seek to encrypt files to hold them to ransom, or scramble them to destroy them. Users can also designate additional folders to be protected from unauthorized changes.

The idea is to safeguard data from any ransomware infections that manage to give your third-party antivirus, if present, the slip.

“This feature protects your files from tampering, in real-time, by locking folders so that ransomware and other unauthorized apps can’t access them. It’s like putting your crown jewels in a safe whose key only you hold,” explained Microsoft today.

“Cybercriminals can’t extort money if they can’t encrypt your files. Controlled folder access is a powerful tool that can render ransomware attacks worthless.”

Intent is all well and good, but how does the new Windows 10 security feature perform in the wild? According to researchers, the initial results have been encouraging. The mechanism was able to stop the Locky ransomware.

It goes without saying that those who can activate controlled folder access on their Windows machines should definitely do so.

Meanwhile, in Azure land…

Microsoft has inked a deal with Cray to allow folks to run one of the latter’s supercomputers inside an Azure data center.

The idea, as reported by our sister site The Next Platform, is to allow organizations to deploy high-performance applications on Cray iron right next to code and data in cloud services on Azure. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/23/fyi_windows_10_ransomware_protection/

Another day, another cryptocurrency miner lurking in a Google Chrome extension

Oct 24

Another Chrome extension has been found secretly harboring a cryptocurrency miner – and it appears this issue is going to get worse before it gets better.

Reg reader Alessandro Polidori, a Node.js software engineer, spotted the use of Coin Hive’s Monero-crafting code in the “Short URL (goo.gl)” extension for Chrome. After getting an alert from his network security tools, Polidori dug in and found the extension was downloading and running a file from Coin-Hive.com called cryptonight.wasm every ten seconds.

Cryptonight is typically embedded in webpages to mine coins for whoever put the code there – either a site administrator or someone who has hacked the server to inject the code. It silently runs in browsers visiting the pages, sending any mined cyber-cash back to its masters. It’s estimated there are 113,000 Cryptonight miners active right now, gradually generating XMR coins, each worth about $90, using strangers’ electricity and computer hardware.

The code was traced to the Short URL extension, yet the plugin’s developers had neglected to mention its presence. Polidori found it was driving his computer’s CPU to a 95 per cent workload.

“To remove any doubts that my installation could be tampered, I tried to install the extension to a new Chrome instance,” he said. “Unfortunately I got the same result, so we can conclude that it was intentionally designed.”

After informing Google that the extension, which had nearly 15,000 downloads, was harboring a hidden currency miner, the software was pulled from the official marketplace. But it’s a demonstration of quite how common these kinds of deceptive practices are becoming as online currency mining becomes more popular.
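Polidori’s first signal was a network alert, and a static check of what is installed is the natural follow-up. The script below is an added example for administrators, not code from the article or from Google: it walks Chrome’s per-user extension store, reads each extension’s manifest.json for its display name, and greps the packaged JavaScript, JSON and HTML for the indicators named in the article (the coin-hive.com domain and the cryptonight.wasm file) plus the vendor name. The function name and the indicator list are this example’s own assumptions; the extension directory is Chrome’s default location for the current user.

```powershell
# Added example (not from the article): flag installed Chrome extensions that reference
# Coin Hive or the CryptoNight miner. Indicators are taken from the article; extend as needed.
function Find-MinerExtension {
    param(
        [string]$ExtensionRoot = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'),
        [string[]]$Indicators = @('coin-hive.com', 'coinhive', 'cryptonight.wasm')
    )

    # Build one case-insensitive alternation from the literal indicator strings.
    $pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Layout: <ExtensionRoot>\<extension id>\<version>\manifest.json + packaged files.
    Get-ChildItem -Path $ExtensionRoot -Directory -ErrorAction Stop | ForEach-Object {
        $extDir = $_
        Get-ChildItem -Path $extDir.FullName -Directory | ForEach-Object {
            $verDir   = $_
            $manifest = Join-Path $verDir.FullName 'manifest.json'
            $name     = if (Test-Path $manifest) {
                            (Get-Content -Path $manifest -Raw | ConvertFrom-Json).name
                        } else { '(no manifest)' }

            Get-ChildItem -Path $verDir.FullName -Recurse -File -Include *.js, *.json, *.html |
                Select-String -Pattern $pattern |
                ForEach-Object {
                    [pscustomobject]@{
                        ExtensionId = $extDir.Name
                        Version     = $verDir.Name
                        Name        = $name
                        File        = $_.Path
                        Line        = $_.LineNumber
                        Match       = $_.Matches[0].Value
                    }
                }
        }
    }
}

# Usage:
# Find-MinerExtension | Format-Table -AutoSize
```

Two caveats when reading the output: localised extensions report a placeholder such as `__MSG_appName__` as their name, and an extension that, like this one, fetches the miner at runtime may contain nothing more than the download URL, which is why the domain is on the indicator list. Pair the static check with outbound DNS or proxy monitoring for the same domain, which is what caught the extension in the first place.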

Last month, a Chrome extension called SafeBrowse was yanked offline after it was found to be running a crypto-coin miner.

There’s nothing intrinsically malicious about software harvesting spare CPU cycles for some purpose; it’s just that the code should not hog a machine’s resources, and people should be made aware of it and given the chance to opt out. The technique has been used for ages – the Great Internet Mersenne Prime Search of 1996 was the first example we could think of.

Explosion

This year has seen an explosion in the number of software applications and websites hosting such miners, mainly from Coin Hive. That outfit had hoped site owners would embed its free code to make money from visitors’ spare processor cycles as an alternative to displaying ads. And websites have done so, albeit surreptitiously. The Pirate Bay was one – although it coughed to the mining after being caught out – and other sites in the torrenting and pornography annexes of the internet make frequent use of mining software to defray costs.


Hackers have also moved into the area, by cracking popular websites, installing miners on popular pages, and then reaping the illicit profits. CBS’ Showtime website, as well as the Pulitzer-Prize winning Politifact, have both had miners installed after hacking attacks.

Coin Hive has recently responded to criticism, and stopped developing its easily concealable miner in favor of a new one, dubbed AuthedMine, which asks for permission before mining. But others actively eschew this approach.

Crypto-Loot, launched earlier this month, actively advertises itself as undetectable and stealthy. Basically, you can run it on a browser to mine Monero quietly, and without requiring user consent. It claims “our miner on your website will go unnoticed by users after they click run if you set threads between 2-4,” on its website, adding “we aren’t going to tell you how to run your business.”

Thankfully, security software vendors are getting wise to this – Malwarebytes, ad blockers, and other anti-malware packages have already blocked Coin Hive, and similar software will be added to their kill lists. But in the meantime there are going to be a lot of stressed and slow computers online as the unethical take CPU cycles without asking. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/23/cryptocurrency_miner_google_chrome_extension/

WHOIS embarrassed about security? APNIC, after database leaks

Oct 24

Asia’s internet numbers registry APNIC has apologised to network owners after a slip in its WHOIS database config leaked credentials, including weakly-hashed passwords.

The breach affected those in the regional registry’s Maintainer and Incident Response Team (IRT) database objects. During a June 2017 upgrade, those details were included in downloadable WHOIS data.

“Maintainer” is the administrative object that restricts who is allowed to edit other objects in the APNIC database; the IRT object identifies who receives abuse reports.

Chris Barcellos of eBay’s Red Team noticed the data on a third-party website on October 12 and notified APNIC. The registry’s deputy director general Sanjaya* writes that the database configuration was fixed on October 13, and the relevant passwords were subsequently reset.

Had an attacker been able to recover the passwords, they could have altered WHOIS information or hijacked IP address blocks.

As this configuration guide shows, one of the hash options available is crypt-pw, a weak hash that is easy to crack because it only uses the first eight characters of a password.

APNIC says it hasn’t found evidence of malicious activity as the result of the breach. Had anybody altered the records, it would not have been permanent, since “authoritative registry data is held internally by APNIC”. ®

* Sanjaya uses just one name.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/apnic_plugs_database_leak_resets_passwords/

Security pros’ advice to consumers: ‘We dunno, try 152 things’

Oct 24

A Google-conducted survey of 231 infosec pros worldwide has reaffirmed the industry’s faith in strong passwords, and achieved consensus about nothing else.

It’s almost unfair to make fun of the study’s title, “152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users”, because that’s clearly an editorial slip-up (the document [PDF] also includes the note, “ED: Please provide section title”).

What’s clear is that infosec types can’t agree, on an industry-wide basis, on the content of anything like the Australian Signals Directorate’s (ASD’s) enterprise-focussed “Essential Eight” safety strategies.

Hence: by asking 231 security pros for their top three pieces of advice, the suffering authors of the study (Robert Reeder, Iulia Ion, and Sunny Consolvo) ended up with a list 152 items long. As the paper dryly notes, “future work is needed to distill the 152 pieces of advice and communicate to users the most important ones”.

The better news, threading through that quagmire, is that at least the most-cited advice was reassuringly “don’t be stupid” stuff. Here, we pick out everything with more than 30 mentions:

However, to Vulture South’s eagle eye (sorry), it’s depressing how many things we’d consider obvious lacked traction even among experts.

Two of these least-mentioned strategies (backup and privilege limitation) are on the ASD’s “Essential Eight”, so why experts didn’t agree on their importance is a mystery.

As our Googlers said, “it’s perhaps unsurprising that users don’t follow all the advice on offer—there’s a lot of it, it spans diverse areas, and it’s not clear where to start. Users are probably not receiving a consistent message on what’s most important and exactly what to do in each area”.

We couldn’t agree more. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/googles_security_advice_we_dunno/

Kaspersky Lab Offers Up its Source Code for Inspection

Oct 24
Beleaguered security vendor fights back against Russian-spying claims with new transparency program aimed at assuaging concerns.

Under intense political and market pressure in the wake of reports that its software was used by Russian nation-state cyberspies to steal US National Security Agency secrets, security firm Kaspersky Lab today announced it will allow independent third parties to review its source code as well as its internal processes and business operations.

The initiative follows a pledge made by Kaspersky Lab chairman and CEO Eugene Kaspersky in early July to share his firm’s source code with the US government as a show of good faith. The Trump administration last month ordered US federal agencies to uninstall Kaspersky Lab software and services from their systems, citing national security concerns over possible ties between “certain Kaspersky officials and Russian intelligence and other government agencies” as well as Russian law that allows intelligence agencies there to “request or compel” help from the security firm to intercept communications across Russian networks.

Eugene Kaspersky and his firm have vehemently denied helping the Russian government with any cyber espionage efforts, and the company says it had no knowledge of a recently reported breach of an NSA employee’s home computer via the Kaspersky AV software running on it. The software was used to steal classified information and tools from the US spy agency, according to the reports, which allege the firm was complicit by either assisting in the heist or by selling software that was abused by Russian hackers.

The new transparency program indicates that the security firm has no plans to fade away under intense pressure by US officials and loss of commercial sales outlets such as Best Buy, which recently pulled the software from its shelves after the various reports of possible Russian government ties.

Kaspersky Lab did not name the third parties who will be performing its code reviews, but said it’s looking for experts with experience in software and assurance testing. The reviews will entail technical audits, code base reviews, vulnerability assessments, architectural risk analysis, and secure development lifecycle process reviews, according to the company. “Taking a multi-stakeholder approach, we welcome input and recommendations from interested parties at [email protected],” the company said in response to questions about the new program, which it calls the Global Transparency Initiative.

The first phase of the program includes the kickoff of an independent review of Kaspersky Lab’s source code by the first quarter of 2018, and subsequent reviews of updates and threat detection rules to then get similar vetting. The company also will launch an independent analysis of its secure development lifecycle processes and its software and supply chain risk mitigation practices during the first quarter.

Kaspersky Lab in Q1 also will work with an outside party to develop additional controls for its data processing practices, and also will set up the first of three Transparency Centers where “trusted partners” can inspect code, software updates, threat detection rules, and related operations by Kaspersky Lab. The centers will be based in Asia, Europe, and the US, and will be completed by 2020.

By the end of this year, Kaspersky Lab also will up its bug bounty awards to $100,000 for the most critical vulnerabilities.

Chris Wysopal, CTO of Veracode, which offers source code analysis, says the code and development process inspection announced by Kaspersky Lab is “good news” and should be adopted by all security vendors for their software. “Security software requires an enormous amount of trust from its users because of the privileged access that is granted security software for it to work,” he says. “Add in dynamic software updates and dynamic rule updates and you have allowed an external party complete access to your computer.”

Because software today gets updated on a continuous basis, a third-party review should occur for each update, he says, which Kaspersky has announced it will do. “A third-party review of the integrity of the SDLC and software supply chain is something all vendors should be providing to their customers, as almost all software is putting customers at varying levels of risk from vulnerabilities or backdoors.”

When asked if Veracode was one of the third parties that will inspect Kaspersky Lab’s code, Wysopal said he could neither confirm nor deny it was working with the security firm. Veracode typically has nondisclosure agreements with customers, for example, he says.

Fidelis Cybersecurity’s John Bambenek says Kaspersky Lab’s new program may help, but the reported allegations by Israeli intelligence that hackers searched Kaspersky Lab’s telemetry for classified information were especially damaging. He says the new controls Kaspersky Lab has planned for how data gets processed “might” address those allegations, but it’s not yet clear.

“It certainly is a bold step Kaspersky is taking, and that they don’t plan to retreat from the North American market quietly,” says Bambenek, Fidelis’ threat systems manager. “What this actually shows is that there might need to be best practices and rules all cybersecurity companies adhere to worldwide because the accusations against Kaspersky by the US today could easily be the accusations against a US company by another country tomorrow.”

He says transparency and specific rules on how AV firms handle user information have been “long overdue.”

Veracode’s Wysopal concurs that the Kaspersky Lab program makes sense. But code-vetting still won’t stop nation-states from abusing software and networks via backdoors and covert channels, which can be more difficult to police. “Due to the nature of software and networks, I don’t think the risk can be entirely eliminated through transparency when it is nation-state risks we are dealing with,” Wysopal says.

When asked how the transparency program addresses recent concerns about Kaspersky Lab’s alleged relationship with the Russian government, Kaspersky Lab provided this statement: “Recent allegations aside, Kaspersky Lab company understands that as nations compete in cyberspace, IT security vendors must independently validate the assurance and integrity of their products in addition to their efficacy and effectiveness. As a cybersecurity company in operation for over 20 years, Kaspersky Lab has launched its Global Transparency Initiative to reiterate its industry leadership on not only providing great cybersecurity products and solutions, but also to demonstrate its continued willingness to go above and beyond to protect its customers.”

Eugene Kaspersky says the new initiative is all about showing the firm’s openness and transparency. “We’ve nothing to hide. And I believe that with these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”

He also called for curbing “attempts to introduce national boundaries in cyberspace” because cybersecurity requires multinational cooperation and “has no borders.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/kaspersky-lab-offers-up-its-source-code-for-inspection/d/d-id/1330195?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Windows 10 Update Aims to Block Attackers’ Behavior

Oct 24
Microsoft protects machines from common attacker behaviors with security updates in Windows 10.

Microsoft unlocked a host of new security and management features in the Windows 10 Fall Creators Update, which started rolling out last week. One of its new tools, Windows Defender Exploit Guard (WDEG), aims to protect businesses from ransomware by blocking common attacker behaviors.

Several studies point to the growth of ransomware hitting enterprise victims. Dark Reading found 35% of businesses were hit with ransomware in the past year, and only 27% believe current anti-malware tech is effective in preventing ransomware.

It’s not uncommon for victims to get tricked twice. An ESG Research Insight Report found many organizations have a recurrence of ransomware attacks, with 22% of 300 IT and security pros saying the same ransomware re-infected the same endpoints, and 38% claiming the same ransomware affected other endpoints within the business. Nearly half (46%) had been hit.

Microsoft is aiming to shrink the attack surface for next-gen malware with Windows Defender Exploit Guard, a suite of intrusion prevention tools shipping with the Fall Creators Update. The set includes four parts created to block a range of attack vectors and actor techniques:

  • Attack Surface Reduction (ASR): Controls that block Office-, script-, and email-based threats to prevent malware from getting on the machine
  • Network Protection: Blocks outbound connections from processes to untrusted hosts/IPs via Windows Defender SmartScreen to defend against Web-based threats
  • Controlled Folder Access: Blocks untrusted processes from accessing protected folders with sensitive data
  • Exploit Protection: Exploit mitigations replacing EMET that can be configured to protect the system and its applications

Peter Firstbrook, Vice President at Gartner, says the idea is to get at the root cause of how attackers launch ransomware. Currently, AV systems mitigate ransomware by detecting and eliminating malicious files once they are on the endpoint. The problem is, attackers evade these technologies with new tactics to compromise endpoints and execute ransomware without writing anything to disk.

“Attackers are a pretty creative bunch,” he explains. “They may just move on to different types of applications and files, or find a way around it … we need to make it harder for attackers, and that’s really the key theme here with Windows.”

Instead of building security tools to react to new forms of malware, Firstbrook points out how companies like Microsoft, CrowdStrike, and Carbon Black are creating more proactive systems that anticipate hackers’ behavior and defend against it.

ASR, one component of WDEG, was built on the idea that email and Office apps are common attack vectors and let actors distribute fileless attacks. It can block behaviors that malicious documents use to execute; for example, it can block Office apps from injecting code into other processes.

Controlled Folder Access, another component, locks down critical folders so only authorized applications can access files. Unauthorized apps, including malicious and suspicious executables, DLLs, and scripts, will be denied even when they are running with administrator privileges.

Controlled Folder Access protects common folders, which contain documents and important data, by default. It’s flexible, though, and admins can add other folders they want to be protected. They can also allow trusted apps, such as a unique or custom line-of-business app, to access protected folders. Users are alerted when unauthorized apps attempt to access or change files in protected folders.
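Both the Register piece above (which notes that enterprise administrators can switch controlled folder access on through PowerShell, Group Policy or MDM) and this description of the Exploit Guard components come down to a handful of Defender preferences. The following is an added example of the PowerShell configuration, not Microsoft’s own documentation: it enables controlled folder access in audit mode first, protects an extra folder, trusts one custom application, turns on the ASR rule that blocks Office applications from injecting code into other processes, and reads back the resulting events. The folder and application paths are placeholders for this example; the cmdlets, parameters, rule GUID and event IDs are Microsoft’s.

```powershell
# Added example (not Microsoft's documentation): configure controlled folder access and one ASR rule
# with the Defender cmdlets. Run in an elevated PowerShell session on Windows 10 1709 or later.
# Paths below are placeholders.

# 1. Start in audit mode: would-be blocks are logged without breaking line-of-business apps.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect a folder beyond the defaults (Documents, Pictures, etc.) and trust a custom app.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LedgerApp\ledger.exe'

# 3. ASR rule "Block Office applications from injecting code into other processes".
Add-MpPreference -AttackSurfaceReductionRules_Ids '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4. Read back the configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications,
    AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions

# 5. Review controlled folder access events: 1124 = audited, 1123 = blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 6. Once the audit events show only apps you have allow-listed, enforce:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Audit mode is the step most rollouts skip and then regret: backup agents, document-management clients and build tools all write to the protected folders, and each one blocked is a help-desk ticket. The 1124 events name the application, which is exactly the list you need for `-ControlledFolderAccessAllowedApplications` before flipping to `Enabled`.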

“These are more durable changes than the traditional signature-based antivirus approach where we say, ‘Is the file good or bad?'” says Firstbrook. “Instead of issuing a new signature, [Microsoft] is saying ‘Why are they successful, and let’s deal with the root cause.'”

The decision to push automatic updates will also ultimately benefit companies in the fight against ransomware. “With continuous updates, and focus on security, they’re responding quickly to changing attack patterns on the OS they weren’t before,” he adds.

Microsoft isn’t the only company buckling down on endpoint security. The growth of ransomware has motivated businesses to think beyond traditional antivirus and host intrusion prevention systems, and build next-gen tools that don’t rely on signatures to detect malware.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/windows-10-update-aims-to-block-attackers-behavior/d/d-id/1330194?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Critical Infrastructure Target of Russia-Linked Cyberattacks

Oct 24
Attacks have been under way since May, targeting energy, nuclear, aviation, water, and manufacturing, FBI and DHS say.

Nation-state actors are trying to gain access to vital industrial control systems (ICS) at US energy companies and other critical infrastructure organizations via the networks of their suppliers and trusted third parties, the United States government has warned.

In an advisory issued late last week, the Department of Homeland Security (DHS) and the FBI said the threat activity has been ongoing since at least May 2017 and appears to be the handiwork of the Dragonfly advanced persistent threat (APT) group.

The group has been using a combination of tactics and techniques to break into victim networks including information harvesting using open-source reconnaissance, spear-phishing emails from compromised legitimate accounts, credential-gathering, and using watering-hole domains for hosting malware. Once on a victim’s network, the attackers have focused on finding and browsing information pertaining to Supervisory Control and Data Acquisition (SCADA) systems and control systems.

Dragonfly, also known as Energetic Bear, is a Russia-linked group that is suspected of numerous attacks on organizations in the manufacturing, pharmaceutical, industrial, and construction sectors globally since 2011. Symantec in September had warned about renewed attacks by the group against energy sector targets in the US and Europe. The DHS/FBI alert basically confirms the findings in the report, while noting that the campaign has included targets across multiple critical infrastructure sectors – not just the energy sector.

“This is the first time we are seeing such a widespread campaign that is specifically targeting industrial control systems which are responsible for managing and controlling the physical processes in nuclear, water, aviation, and critical manufacturing sectors,” says Dana Tamir, VP of market strategy for Indegy.

The DHS and FBI advisory, which includes indicators of compromise and other pointers, described Dragonfly’s activity as an ongoing “multi-stage intrusion campaign.” The threat actors are targeting small and relatively low-security partner and peripheral networks to gain access to high-value asset owners in the energy and other sectors.

The initial, or “staging,” victims are not opportunistic targets. Instead, they are carefully chosen for their pre-existing relationships with the intended victim. Their networks, once compromised, are being used as malware repositories and as pivot points for gaining access to the network of the final intended victims, the DHS and FBI said.

Nearly 50% of the known watering holes being used in the campaign to serve malware on target networks are trade publications and informational websites related to critical infrastructure, ICS and process control, the advisory said.

There is little evidence that the attackers are using any zero-day vulnerabilities, or particularly sophisticated tools to gain access to their intended victim’s network. Rather, they have been using publicly available information to identify intended targets and craft customized spear-phishing campaigns for gathering credentials and information.

In instances where the threat actors managed to obtain a legitimate user’s credentials, they have used the credentials to gain access to the victim’s network and to download malware on it from remote servers. In some cases the malware created a user account and attempted to convert it to an administrator account with privileged access rights. The malware also disabled the host-based firewall on the compromised system and opened ports that would allow an attacker remote access to the system.
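The host-level behaviours just described (a new local account, an attempt to make it an administrator, and a disabled host firewall) all leave traces in standard Windows logs and settings, which makes them a reasonable first triage on any endpoint suspected of being a staging victim. The script below is an added example for defenders, not part of the DHS/FBI advisory: it pulls account-creation (4720) and local-group-membership (4732) events from the Security log and reports the current state of each firewall profile. The function names and the 30-day window are this example’s own choices.

```powershell
# Added example (not from the DHS/FBI advisory): triage checks for the account and firewall
# changes the advisory attributes to Dragonfly malware. Run as an administrator on the endpoint.

function Get-SuspiciousAccountEvent {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # 4720 = a user account was created; 4732 = a member was added to a security-enabled local group.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x    = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # 4720: TargetUserName is the new account.
                # 4732: TargetUserName is the group (e.g. Administrators) and MemberSid the account added.
                Target  = $data['TargetUserName']
                Member  = $data['MemberSid']
                Actor   = $data['SubjectUserName']
            }
        }
}

function Get-FirewallProfileState {
    # A disabled profile on a host that is supposed to have one enabled deserves a closer look,
    # as does an inbound default of Allow.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

# Usage:
# Get-SuspiciousAccountEvent -Days 30 |
#     Where-Object { $_.EventId -eq 4720 -or $_.Target -eq 'Administrators' } | Format-Table -AutoSize
# Get-FirewallProfileState
```

The 4732 events for the Administrators group are the ones to correlate with 4720: a brand-new account that is promoted within minutes by a non-interactive actor is the pattern described above. Both event IDs require audit policy for account management to be enabled, so an empty result on a host with no such policy proves nothing.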

In addition to energy companies, others being targeted include organizations in the government, nuclear, aviation, water, and critical manufacturing sectors. The threat actors have succeeded in penetrating the networks of at least some of the intended targets, the advisory said.

“Threats to industrial control systems and critical infrastructure networks are definitely on the rise,” says Patrick McBride, chief marketing officer at Claroty. “We’ve arguably seen more threat activity in this space in the past four to five months than the past three years.”

So far, the attacks have not caused actual physical disruption. But the theoretical is becoming reality, McBride says. “We need to recognize that nation-states are going to continue laying the groundwork for potential disruption in these networks. It is a logical action as a component of any potential conflict.”

Phil Neray, vice president of industrial cybersecurity at CyberX, says the FBI and DHS warning highlights the urgent need to address security weaknesses in US industrial control networks. Real-world network data that CyberX collected over the past 18 months from 375 industrial networks worldwide shows that operational technology (OT) networks are riddled with vulnerabilities.

CyberX’s data, contained in a soon-to-be published report, showed that industrial networks are not as air-gapped and isolated as many might imagine, with some one-third of them connected to the Internet. More than 75% of the sites had obsolete Windows technology such as XP and Windows 2000; 60% had plain-text passwords traversing their control networks; and 50% of the sites used no antivirus software at all.

“The data we’ve collected from real-world OT networks shows that once the adversaries get into the OT, it’s relatively easy for them to move around and compromise industrial devices that control physical processes such as assembly lines, mixing tanks, and blast furnaces,” he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/us-critical-infrastructure-target-of-russia-linked-cyberattacks/d/d-id/1330196?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Unpatched Bugs Rampant on Mobile Devices in Financial Services Firms

Oct
24
More than a quarter of mobile devices used by financial services employees carry known vulnerabilities, according to a recent report.

Many financial services employees are toting around unpatched mobile devices, putting their companies and customers at risk of a data breach, a recent report found.

More than 25% of mobile devices used by financial services employees had unpatched vulnerabilities, according to Symantec’s Q2 2017 Mobile Threat Intelligence Report: Mobility and Finance.

The data, gleaned from Symantec’s endpoint mobile security software and other sources, also found that 15% of employees’ mobile devices at financial services institutions had been exposed to a malicious network, while three in every thousand devices were infected with malware.

“If I read this report and I was Procter & Gamble, I would be asking my bank, what you are doing to protect my data when your executives are connecting to suspicious WiFi networks, or how many of your employees have phones with malware?” says Varun Kohli, a senior director at Symantec. “I would be asking these questions because my data is at risk.”

And although corporate customers may find there is little they can do to protect themselves from the actions – or lack of actions – that their financial services company is taking, Kohli says that may change in the future.

“I hear enterprises are asking their software vendors to take certain steps to protect their information, but I have not heard this of the banks,” Kohli says. “But companies need to also ask this of their business partners, too.”

Patching Problem

Although Apple and Google may regularly patch vulnerabilities, employees at financial institutions may be unaware of the patch notifications. Apple is able to push its patches out relatively easily because it controls both the hardware and the software, whereas the task is more challenging for Android.

When Google issues a patch, it has to be delivered to the device manufacturer, which then produces its own version of the update, if it decides to issue a patch for the flaw at all, Kohli says.

Other findings in the report include a general lack of good mobile security hygiene. For example, more than 13% of mobile devices used by financial services employees lack the latest major OS version, while 99% do not have the latest minor update issued by Google or Apple, the report found.

Some 4.6% of iOS users in this sector have yet to install the latest mobile operating system, compared to 47.8% for Android, according to the report.

Despite those results, the financial services and healthcare sectors tend to update more frequently than industries overall, Kohli says. He notes that both industries suffer the most attacks because of their valuable information and data, and, as a result, more is spent to secure those industries and the devices they use.

“They are early adopters of security; but even then, we are seeing problems,” Kohli says. “I was very surprised at the results. I would have expected the number in the financial services industry to be lower.”

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/attacks-breaches/unpatched-bugs-rampant-on-mobile-devices-in-financial-services-firms/d/d-id/1330197?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What the KRACK was that? [Chet Chat Podcast 264]

Oct
23

This episode of the Chet Chat podcast was recorded live at the BSides Calgary conference in Alberta, Canada.

Sophos expert Chester Wisniewski (he’s the Chet in the Chat) caught up with fellow security researcher and former colleague Michael Argast for a whirlwind tour of the big security issues of the past week.

In this episode

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bBfic7HB6do/