STE WILLIAMS

Equifax likely has more brand-name recognition today than it’s had at any time in the company’s history, which dates back to 1899. It’s a safe bet that the consumer credit reporting agency wishes that wasn’t the case.

When well-known organizations are hit by a cybersecurity breach, it becomes front-page and top-of-the-hour news, because these cases affect tens of millions of consumers.

But just because your small or medium-sized business doesn’t have tens of millions of customers, or the name recognition of a Target or a Yahoo, doesn’t mean you’re immune to becoming a cybercrime victim. In fact, there’s a good chance that your SMB has been victimized and you don’t know it.

The Identity Theft Resource Center has tracked security breaches since 2005. They estimate that 1,055,228,349 unique records containing personal identifying information have been compromised in nearly 8,000 data breaches that have occurred between January 1, 2005, and November 22, 2017.

If those numbers don’t grab your attention, consider that the average cost for each lost or stolen record containing sensitive and confidential information is $141, according to the Ponemon Institute’s “2017 Cost of Data Breach Study.” That cost jumps for businesses in financial services ($245) and healthcare ($380). Those dollar amounts do not include the cost of notifying affected parties. They also don’t account for damage to your reputation.

Are your company’s pockets deep enough to weather that financial storm? Even if they are, wouldn’t you rather spend that money on marketing your products and services, new RD, or business expansion?

The notion that a business is too small to be a target of hackers or cyber criminals is simply not true. The bad guys are more sophisticated than ever, relying on artificial intelligence, bots, and other advanced methods to gain access to networks and data. Unfortunately, too many companies still choose to roll the dice, hoping they don’t get hit or persist in the mindset that “it can’t happen to me.” That’s an irresponsible position to take for any organization, of any size, let alone for one that holds sensitive consumer information.

What can a small business or a startup do to lessen the chance it becomes a cybercrime victim? Here are three commonsense steps that any business can take.

1. Train Your Team: Whether you employ three people or 3,000, every one of them is a potential security risk. Human error continues to be the primary issue in most data breaches. Companies need to take extra precautions to assure they are practicing safe cybersecurity hygiene. It starts with training everyone in the organization on the security best practices that reduce online risks. But cybersecurity training can’t be a one-and-done activity, or something that’s only relevant to the IT department. Just like a fire drill, it needs to be a regular regimen, a refresher course for everyone in your organization.
2. Assess Your Risk: Customer data, employee records, financial, legal, trade secrets, and other highly confidential information are the lifeblood of your company. When was the last time you conducted an inventory of all your data? Do you treat all data the same way, whether it’s confidential (financials, employee records, contracts, trade secrets) or nonsensitive (sales brochures, marketing materials)? Most importantly, what security measures do you have in place to protect this data? In the event of a breach, what contingency plans do you have in place for business continuity and disaster recovery so that your company continues to function? Finally, are there plans in place to remediate the breach as quickly as possible and to notify customers and other affected parties?
3. Ask for Help: Even if you’ve made a strong commitment to security, your responsibilities as a business owner or entrepreneur may keep you from devoting enough time to the task. That’s especially true if you’re managing the business’s technology while running the business. If you have tech professionals on staff, encourage them to stay current with training and industry certifications. Certified tech pros are better equipped to spot problems before they happen and to stop breaches and intrusions quickly if they do happen. If you don’t have IT personnel on staff, consider partnering with a technology company. There are many options available for pay-as-you-go technology services, and many reasons (reduced cost, predictable pricing, peace of mind) why businesses, small and large, choose to turn over some or all of their technology functions to a partner.

The tech industry is doing everything it can to provide products and services to combat cyberthreats as they emerge. But the best security technology products and the most comprehensive policies and processes will only work if companies are willing to use these tools and enforce the best practices to reduce their cybersecurity risk.

Related Content:

• Deception: Why It’s Not Just Another Honeypot
• The Critical Difference Between Vulnerabilities Equities Threat Equities
• 7 Takeaways From The Equifax Data Breach

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development … View Full Bio

Article source: https://www.darkreading.com/risk/cyberattack-it-cant-happen-to-us-(until-it-does)/a/d-id/1330533?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A recently discovered and now patched vulnerability in Intel microprocessors could be used by an attacker to burrow deep inside a machine and control processes and access data – even when a laptop, workstation, or server is powered down.

Researchers who discovered the flaw went public today at Black Hat Europe in London with details of their finding, a stack buffer overflow bug in the Intel Management Engine (ME) 11 system that’s found in most Intel chips shipped since 2015. ME, which contains its own operating system, is a system efficiency feature that runs during startup and while the computer is on or asleep, and handles much of the communications between the processor and external devices.

An attacker would need physical, local access to a victim’s machine to pull off the hack, which would give him or her so-called “god mode” control over the system, according to Positive Technologies security researchers Mark Ermolov and Maxim Goryachy, who found the flaw.

And although Intel issued a security advisory and update for the vulnerability on November 20, Ermolov and Goryachy argue that the fix doesn’t prevent an attacker from using other vulnerabilities for the attack that Intel also patched in the recent ME update, including buffer overflows in the ME kernel (CVE-2017-5705), the Intel Server Platform Services Firmware kernel (CVE-2017-5706), and the Intel Trusted Execution Engine Firmware kernel (CVE-2017-5707).

All the attacker would have to do is convert the machine to a vulnerable version of ME and exploit one of the older vulns in it, they say. Those flaws “have been patched by Intel through its latest firmware release, but if an attacker has write access to the Management Engine region, they can downgrade to an older, vulnerable version of Management Engine and exploit a vulnerability that way,” Goryachy told Dark Reading.

“Unfortunately, it’s not possible to completely defend against this [buffer overflow] flaw” in the Intel ME, he says.

Intel OEMs can mitigate such attacks by turning off the manufacturer mode of the chip, he says. That way, they “make sure that a local vector attack … is not possible,” notes Goryachy.

How the Attack Works

An attacker would need access to the “write” feature in ME, which is part of the SPI-flash chip that contains the firmware for ME and the BIOS, according to the researchers. He or she would then rewrite the flash and run a buffer overflow exploit, which would give him or her access to the ME.

“An attacker will have almost full control at the target machine, with access to memory, USB devices, and the network,” Goryachy  says. “With this, an attacker could decrypt an encrypted hard disk of someone using Microsoft Bitlocker, or access content protected by DRM [Digital Rights Management], or intercept all activity on the PC, such as viewing what’s on the screen, intercepting what’s typed on the keyboard, and accessing data stored on disks.”

It’s up to Intel’s OEMs to issue firmware updates, and Intel in its security advisory last month urged customers to check with their system OEMs for the updates. Enterprises also can use the open-source CHIPSEC utility to check for BIOS configuration errors, Goryachy says, and update to the latest version of the BIOS.

The Intel processors affected by the flaw are: 6th, 7th 8th Generation Intel Core; Xeon E3-1200 v5 v6 Product Family; Xeon Scalable Family; Xeon W Family; Atom C3000 Family; Apollo Lake Intel Atom E3900 series; Apollo Lake Intel Pentium; and CeleronG, N and J series.

This is the second major firmware vulnerability issue for Intel this year. In early May, the company disclosed a critical privilege-escalation bug in its Active Management Technology (AMT) firmware used in many Intel chips that affected AMT firmware versions dating back to 2010.

“Over the past 12 years, only two vulnerabilities allowing the execution of arbitrary code on Management Engine have been found,” Goryachy says. “The AMT vulnerability only allows an attacker to bypass authentication, while the vulnerability Positive Technologies discovered enables an attacker to obtain ‘god-mode capabilities,’ making this new flaw much worse than the other.” 

Related Content:

• 6 Personality Profiles of White-Hat Hackers
• The Long Tail of the Intel AMT Flaw
• Secure Wifi Hijacked by KRACK Vulns in WPA2
• 7 Hardware Firmware Hacks Highlighted at Black Hat 2017

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/how-the-major-intel-me-firmware-flaw-lets-attackers-get-god-mode-on-a-machine/d/d-id/1330565?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Android application developer tools Android Studio, Eclipse, and Intellij-IDEA contain vulnerabilities, Check Point researchers revealed in a report today.

Android Application Package Tool (APKTool), Cuckoo-Droid service, and other Android application reverse-engineering tools also had vulnerabilities too, according to Check Point, which discovered the vulnerabilities.

The APKTool’s XML External Entity (XXE) vulnerability can expose the entire OS file system of its users. The attacker could then take a malicious AndroidManifest.xml file to exploit the XXE vulnerability, the report notes. As for the developer tools, Android Studio, Eclipse, and Intellij-IDEA, the attackers could load a malicious AndroidManifest.xml file onto any Android project, which in turn would start “spitting out any file configured by the attacker,” the report states.

Check Point notified Google, APKTool developers, and the other integrated development environment (IDEs) companies of the vulnerabilities, which have all now been patched.

Read more about the vulnerabilities here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/android-developer-tools-contain-vulnerabilities/d/d-id/1330555?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Image Source: napocska, via Shutterstock

When the general public thinks of “hackers,” top-of-mind thoughts include cybercriminals breaking into large retail stores like Target or Home Depot or state-sponsored hackers from adversary nations such as China, Russia, Iran, and North Korea. The bug bounty movement has been working hard over the past several years to raise the profile and improve the perception of white-hat hackers. While white-hat hackers have been around for a couple of decades, new bug bounty companies such as Bugcrowd and HackerOne have legitimized the work of white-hat hackers. The US Department of Defense has even bought in during the past year by starting a bug bounty program of its own.

Already, Bugcrowd customers have paid out more than $10 million in bounties and HackerOne has topped $20 million.

“While someone living in New York or San Francisco would have to earn at least $100,000 to do bug hunting full-time, for people in places like the Philippines, something like $300 a month can be enough to survive on,” said Sam Houston, senior community manager at Bugcrowd. “The vast majority of Bugcrowd users are based in the United States and India, but more and more we are getting people from around the world from places like Egypt, Morocco and Turkey.”

According to a recent Bugcrowd report, Inside the Mind of a Hacker 2.0, the company lays out five profiles of white-hat hackers. The categories range from people who are attracted to hunting bug bounties to make the Internet safe to those who do hacking full-time as a vocation. HackerOne, which added a sixth trait, reports in The Hacker-Powered Security Report 2017 that the average bounty paid to hackers for finding a vulnerability reached $1,923 in 2017, up 15% from $1,631 in 2015.

Based on interviews with Bugcrowd’s Houston and Michiel Prins, co-founder of HackerOne, we developed a list of six traits of hackers that we think our readers will find familiar. 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/careers-and-people/6-personality-profiles-of-white-hat-hackers-/d/d-id/1330522?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The massive surge in Bitcoin prices in recent months suddenly has made online cryptocurrency exchanges and services popular targets for distributed denial-of-service (DDoS) attacks.

This Monday, Bitfinex, one of the largest US dollar Bitcoin exchanges in the world, said it was the victim of a DDoS attack that knocked it offline for a short period of time. The company reported a similar incident just a few days earlier, and at least one other incident in June affected withdrawals and deposits of the then newly launched IOTA cryptocurrency.

In a report released Tuesday, security vendor Imperva said that nearly three in four of the 27 enterprise Bitcoin sites that are using the company’s services were hit with DDoS attacks in the last quarter. From being hardly a blip on the radar of most cybercriminals earlier this year, the Bitcoin industry emerged as one of the top 10 most-targeted industries for denial-of-service campaigns in the third quarter of 2017. 

Online gambling and gaming sites continued to be the most heavily targeted, as usual, and accounted for 34.5% and 14.4% of all DDoS attacks last quarter, respectively. Internet service providers, financial companies, the retail sector, and software vendors also were seriously affected by DDoS attacks, in keeping with previous trends, Imperva’s report said. But with 3.6% of all DDoS attacks aimed against it last quarter, the Bitcoin sector suddenly found itself thrust into the list of most-attacked industries for the first time, says Igal Zeifman, director and security evangelist at Imperva.

The attacks are a textbook example of cybercrooks following the money, Zeifman says. With Bitcoin trading at near-record highs, attackers may be attempting to shake down sites dealing with the cryptocurrency by threatening to disrupt services or to take them offline totally via DDoS attacks. It is also conceivable that cybercriminals and their hired guns are trying to manipulate Bitcoin prices through such disruption, Ziefman says.

In recent months, it has taken little to cause big fluctuations in Bitcoin pricing. In September, for instance, Bitcoin prices fell by as much as 24% in a little over a week after JP Morgan chief executive Jamie Dimon called Bitcoin a fraud.

Financially motivated entities have also taken advantage of the unregulated nature of the Bitcoin ecosystem to drive sudden changes in Bitcoin prices by showing intent to buy or sell very large volumes and then canceling the transaction before it is executed. Given the relative ease with which some have manipulated Bitcoin prices, it is possible that cybercriminals are trying to trigger and profit from price fluctuations via outages at big exchanges.

“I believe that the reported sharp increase in DDoS attacks on Bitcoin and cryptocurrency sites during the last quarter is an attempt at manipulation of cryptocurrency prices, rather than an attempt at extortion,” says Martin McKeay, global security advocate at Akamai, which released its own DDoS quarterly update last week.

“There is much more money to be made in casting the stability of a cryptocurrency site and affecting a change in cryptocurrency prices than there is to be made in a simple extortion scam,” he says. If attackers can predict or control the timing of a surge or a drop in prices, they can make significantly more money than they could get from a single company in a ransom, he says.

Another option is that the attacks could be directed by a competing type of cryptocurrency network or by a competing system, McKeay says. “When users find themselves unable to quickly and reliably access their currency, it is not unusual for them to switch to a more reliable service.” Small organizations in other sectors have shown a tendency to fund DDoS attacks on a competitor to slow them down, he says. “We may be seeing a similar tactic playing out with cryptocurrencies.”

Ilia Kolochenko, CEO of High-Tech Bridge, says that while a single DDoS attack is unlikely to produce tangible results for cybercriminals, a well-planned one could create damage. For example, if a major proponent or Bitcoin trade platform were suddenly to go offline accompanied with fake news about the government seizing its servers, a large-scale panic could ensue and undermine Bitcoin exchange rates, Kolochenko says.

But such attacks would require rigorous preparation and significant resources for execution. “If a dozen Bitcoin exchanges simultaneously go offline at a time of a major negative announcement concerning Bitcoin or cryptocurrency in general, and sellers [aren’t] able to sell their Bitcoins, a huge depreciation [could happen],” Kolochenko says.

Related Content:

• Why Size Doesn’t Matter in DDoS Attacks
• ‘Pulse Wave’ DDoS Attacks Emerge As New Threat
• Another Massive DDoS Closes Out 2016, But Mirai Not To Blame
• 7 Things to Know About Today’s DDoS Attacks

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/bitcoin-sites-become-hot-targets-for-ddos-attacks/d/d-id/1330556?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Organizations continue to focus on protecting the perimeter while neglecting to monitor bad guys getting inside and ultimately pilfering data, says a security researcher at SafeBreach, which released a new report today.

In 3,400 breach methods used for 11.5 million attack simulations, SafeBreach in its new Hacker’s Playbook Findings Report found that virtual attackers had a more than a 60% success rate of using malware to infiltrate networks. And once in, the malware could move laterally roughly 70% of the time. In half the cases, they could exit networks with data, according to simulated attacks SafeBreach conducted on its customers.

“The most surprising thing is that there is so much focus on the hard-candy shell of the perimeter without paying enough attention to the soft, squishy middle,” says Chris Webber, a security strategist at SafeBreach. “It is not that hard to get past the perimeter and once the attacker is in, it is really easy to move around laterally and then exfiltrate out.” 

Webber points to the amount of money and solutions he has seen customers pour into protecting the perimeter, yet the majority of simulated malware attacks were still able to move around and steal information.

When it comes to malware infiltration methods, the research found nesting, or “packing,” malware executables fooled security controllers more than 50% of the time. For example, packed executables inside JavaScript had a 60.9% success rate of infiltrating a network, while an executable inside a VBScript (VBS) using HTTP managed to make it in 56.5%, and an executable inside a compiled HTML file format (CHM) extension had a 55.9% success rate.

But WannaCry 2.0’s method of exploiting a server message block (SMB) vulnerability in Windows achieved a 63.4% success rate in simulated attacks SafeBreach performed, pushing it to the top of successful infiltration methods.

Financial malware Carbanak, which relies on Google’s App Script, Sheets, and Forms cloud-based services to communicate its malware commands, also ranked among the top five infiltration methods used in the study. 

“So, in the case of Carbanak, the infiltration ‘move’ we highlighted was indeed the transfer of the specific Carbanak malware file via HTTP,” Webber says. “This could be stopped, for example, by network controllers configured to scan for malicious files and block them before they make their way to the endpoints/hosts for installation to disk.”

Concerns over lateral movement appear to be overlooked by a number of organizations, says Webber.

“Folks are focused on keeping things out and not worrying about the other phases of the kill chain,” Webber says.

That approach could be a problem, the report notes, given Petya and EternalRocks were both identified as having worm-burrowing capabilities that could move laterally in the network.

Data exfiltration is the last hurdle cyberthieves face, and they usually opt for the easiest method of stealing data, the report found. Traditional clear or encrypted Web traffic, or traditional Web ports, are the preferred method for attackers to exit the network with their cache of data, according to the report.

“A lot of outbound traffic is making its way out through Port 443 (HTTPS) and Port 123 (NTP),” Webber says. “They are pumping out all of your data past your controls by stuffing the data into encrypted packets that look like packets for things like keeping time on your computer and sending it out over NTP [Network Time Protocal].”

Port 123 had a 63.1% exfiltration success rate and Port 443 had 53.7%, according to the report.

Fixing the Links

Webber says it is not enough to try to stop attackers from breaking into the network, nor is it adequate to try to box them in by preventing their entry and exit. Paying attention to lateral moves within the network is also important, he notes.

However, organizations face limited resources. “It comes down to understanding each company. If you have a ton of credit card data, then you spend all the more time from preventing them from exiting the network. But if you have a manufacturing company, then you are more concerned about getting hit with a ransomware attack that can stop your operations. You would probably care more about internal segmentation to prevent worms from moving across your system,” he says.

He adds that the best moves companies can take to secure their systems is to optimize their current security solutions, constantly update the configurations as needed, and then test the changes they make.

Related Content:

• Automated Lateral Movement: Targeted Attack Tools for the Masses
• Wannacry Inspires Worm-like Module in Trickbot
• Cloud AV Can Serve as an Avenue for Exfiltration

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio

Article source: https://www.darkreading.com/cloud/study-simulated-attacks-uncover-real-world-problems-in-it-security/d/d-id/1330553?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple