STE WILLIAMS

Even more warship cuts floated for the Royal Navy

UK Defence Secretary Sir Michael Fallon has denied that vital British warships may be quietly sold to South American nations as part of the ongoing defence review, according to reports.

Helicopter carrier HMS Ocean, already earmarked for sale to Brazil when she is withdrawn from the Royal Navy next year, may be joined by Type 23 frigates, according to respected defence industry magazine Jane’s.

The Type 23s are the backbone of the Royal Navy’s anti-surface and anti-submarine capability. They are the fighting teeth of the RN, used to ward off potentially hostile surface ships and submarines alike.

Current plans are for the new Type 26 frigate to replace the ageing but capable Type 23s. These new ships are set to enter service from the middle of the next decade, with the old leaving service on the (approximate) basis of “one in, one out”.

Two crucial amphibious warships, HMSes Albion and Bulwark, are rumoured to be on the chopping block of current defence cuts. Without these two ships, the Royal Navy cannot carry out amphibious landings, in the sense of “put Royal Marines in smaller boats that they can sail to beaches”. Both ships (only one is in service at any one time because we have neither the money nor manpower to run both at once) are fitted with big ramps and well docks allowing troops and vehicles aboard to be quickly loaded into landing craft.

Without its amphibious landing capability, the UK would not have been able to take the Falkland Islands back from Argentinian invaders after the 1982 invasion.

The root of the problem here is the ongoing defence review, known by many defence-watchers as the Strategic Defence and Security Review 2017*. This is the codename for “even more defence cuts” as exchange rate shifts cause the prices of big defence equipment projects to skyrocket. Most of the current big projects (the F-35 fighter jet, the upcoming P-8 maritime surveillance aircraft and new Apache attack helicopters, to name but three) are being bought from the US in dollars.

With central government uninterested in increasing the defence budget to cope with this, it follows that defence spending has to be slashed to maintain the capability of paying for the new big shiny toys. Thanks to previous decades of defence cuts having slashed all of the fat and large chunks of meat from within the MoD, the latest round of defence cuts is digging into the bone: hence the already drumskin-taut Royal Navy is almost certainly going to lose major units. Cutting frigates takes the RN well below the number of ships it was supposed to have:

At defence questions in Parliament yesterday, Sir Michael appeared to deny that any ships were up for sale. Nonetheless, losing key anti-submarine warships right as a resurgent Russia flexes its naval muscles, along with one of the biggest remaining elements of British power projection, amphibious warfare, would send the world the wrong signal – despite the billions being spent on aircraft carrier HMS Queen Elizabeth and the F-35 jets to fly from her. ®

*Bootnote

There is no SDSR ’17, at least not officially. The last SDSR was held in 2010; however, the current review is of such crucial importance that “naval gazers” have begun using the name to keep the issues in the public eye.

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/26/navy_warship_cuts_mooted/

Smart? Don’t ThinQ so! Hacked robo-vacuum could spy on your home

LG SmartThinQ smart home devices were totally hackable prior to a recent security update, according to new research.

The so-called HomeHack vulnerabilities in LG’s SmartThinQ mobile app and cloud application created a means for hackers to remotely log into the SmartThinQ cloud application and take over the user’s LG account, Check Point security boffins said.

Once in control of an account, any LG device or appliance associated with that account could be controlled by the attacker – including a robot vacuum cleaner, refrigerators, ovens, dishwashers, washing machines and dryers, and air conditioners. Devices could be switched on and off, settings changed and more.

IoT hackers might be able to gain control of the LG Hom-Bot vacuum cleaner’s video camera. The technology streams live video to an associated LG SmartThinQ smartphone app as part of its HomeGuard Security feature. Hacking the system therefore creates a spying risk (as demonstrated below).

Youtube Video

The vulnerabilities in the SmartThinQ mobile app allowed researchers to create a fake LG account before using this to take over a user’s legitimate LG account, and in turn gain remote control of the user’s smart LG appliances.  Check Point disclosed the vulnerability on July 31. LG fixed the reported issues at the end of September.

Koonseok Lee, manager of smart development team at LG Electronics, said: “In August, LG Electronics teamed with Check Point Software Technologies to run an advanced rooting process designed to detect security issues and immediately began updating patch programs.  Effective September 29 the security system has been running the updated 1.9.20 version smoothly and issue-free. LG Electronics plans to continue strengthening its software security systems as well as work with cyber-security solution providers like Check Point to provide safer and more convenient appliances.”

Users of the LG SmartThinQ mobile app and appliances should ensure they have updated to the latest software versions from the LG website. To address the specific vulnerability identified by Check Point, users should update their LG SmartThinQ app to the latest version (1.9.23), either via the Google Play store, Apple’s App Store or via the LG SmartThinQ app settings.

LG’s range of smart appliances and safety solutions allow users to monitor and maintain their homes from a smartphone. Sales of the Hom-Bot robotic vacuum cleaner alone exceeded 400,000 in the first half of 2016.  In 2016, 80 million smart home devices were shipped worldwide, a 64 per cent increase on the year before. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/26/lg_iot_smart_home_hack/

Maritime comms flaws exposed: It’s OK cuz we canned it, says vendor

Security researchers have gone public about “critical” security flaws in a maritime communication platform.

Stratos Global’s AmosConnect 8.4.0 satellite-based shipboard communication platform is vulnerable to cyber attacks, according to researchers from IOActive. Inmarsat, which owns Stratos Global, dismissed the research as irrelevant because it related to a recently discontinued platform. The vendor also said the hacking scenario against its earlier kit outlined by IOActive would be difficult to pull off in practice.

Friggin’ in the riggin’

The AmosConnect mobile satellite communications platform was used by thousands of vessels worldwide. Flaws in the technology discovered by IOActive include “blind SQL injection” in a login form and a backdoor account that allows full system privileges. This account provides a means for hackers to execute arbitrary code on the AmosConnect server, leaving any sensitive information it might contain exposed to theft, according to IOActive’s principal security consultant Mario Ballano.

IOActive warns that the flaws could allow hackers to gain access to sensitive information stored on AmosConnect servers including emails, instant messaging, position reporting and automatic file transfer, as well as potentially opening access to other connected systems or networks.

AmosConnect supports narrowband satellite communications and integrates vessel and shore-based office applications such as email, fax, telex, GSM text, interoffice communication, and more into a single messaging system.

IOActive informed Inmarsat of the vulnerabilities in October 2016 and completed the disclosure process in July this year. Inmarsat has since discontinued the 8.0 version of the platform, recommending that customers revert to AmosConnect 7.0 or switch to an email solution from one of its approved partners.

In response to queries about IOActive’s research from El Reg, Inmarsat downplayed the significance of the findings, arguing that they affected a discontinued version of its technology that it had planned to retire even before IOActive informed it about the security problems.

We are aware of the IOActive report but it is important to note AmosConnect 8 (AC8) is no longer in service. Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive’s report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.

When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website.

Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished to.

Inmarsat has made IOActive aware of all of this information.

All at sea

An Inmarsat spokesman added the “potential vulnerability” would have been “very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Any attempt to enter remotely would have been blocked by Inmarsat’s shoreside firewalls.”

Maritime cybersecurity has been under increasing scrutiny this year after a series of disasters, including the June GPS spoofing attack involving over 20 vessels in the Black Sea. In August, there was speculation that the collision involving the USS John McCain with a chemical tanker might have been the result of cyber tampering.

Ballano conducted his research in September and found that he could gain full system privileges, essentially becoming the administrator of the box where AmosConnect is installed. Any other software or data stored on that box would be accessible to the attacker, along with, potentially, other connected networks.

“Essentially anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” Ballano said. “This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cybercriminals increasingly find new methods of attack.”

Recent research by security consultancy Pen Test Partners into shipboard comms more generally can be found here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/26/inmarsat_maritime_sat_comms_security/

Doubling Up on AV Fails to Protect 40% of Users from Malware Attacks

Traditional signature-based antivirus solutions are falling short on protecting endpoints, even when there are two or more deployed.

Nearly 40% of users who had multiple, traditional antivirus solutions loaded on their endpoints faced a malware attack during the first half of the year, a Malwarebytes report revealed today.

The Mapping AV Detection Failures report, which scanned nearly 10 million endpoints, found a number of malware attacks occurred despite having two or more traditional, or signature-based, antivirus solutions installed.

“The takeaway for enterprises is [that] the most basic threats have not been caught by the AV they have deployed,” says Marcin Kleczynski, Malwarebytes CEO. “Yet, they continue to use these and grow desensitized.”

He adds CISOs and other IT security leaders may be adopting a common assumption that no one ever gets fired for using antivirus software from the industry leaders, especially when analysts rate them high on the effectiveness scale in comparative reports. Antivirus pen tests and how the software reacts in a live attack are likely to lead to vastly different results, Kleczynski notes.

Malware that Sneaks Past AV

Ransomware, botnets, and Trojans are able to slip past traditional antivirus solutions to varying degrees, the report says.

The Hidden Tear ransomware compromised nearly 42% of machines with traditional AV, while Cerber hit 18%, the report states. Cerber is also proving it can outsmart even next-gen solutions after researchers found it can evade machine-learning detection systems.

As for botnets, IRCBot averted AV detection in 62% of users’ computers that were compromised, while Kelihos evaded AV detection in 27% of the machines.

“Often, botnets do not come with an infection signature that would be noticed,” Kleczynski says. “Kelihos comes and goes and it’s one of the most common threats this year. It’s very difficult to detect it as malware that is signature based.”

Kelihos and the Internet Relay Chat (IRC) botnets are indeed hardy. The resiliency of IRC botnets was noted as far back as 2015, and Kelihos even earlier, in 2012.

Fileless malware, meanwhile, continues to avert AV detection and infected 17.8% of the endpoints scanned in the first half of the year, while DNSChanger was just as sneaky in 17.5% of the cases, the report states.

“Fileless attacks are on the rise,” Kleczynski says. “In the old days, when you build AV you scan every file written to the disk and you find the signature and delete the malware. But now, you’re not writing the threat onto the disk. It’s in the browser, or Excel document or in memory.”

The four top traditional AV companies failed to protect 39.1% of users against all malware attacks, according to the report. Without revealing the four vendors, Kleczynski says some are taking steps to adopt new next-gen AV techniques, such as behavior-based AV. However, he notes that the transition will take time.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/endpoint/doubling-up-on-av-fails-to-protect-40--of-users-from-malware-attacks/d/d-id/1330229?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Reasons Why the CISO is a Cryptocurrency Skeptic


If you think all you need is technology to defend against bad guys, you shouldn’t be a CISO. But technology is all cryptocurrency is, starting with Bitcoin.

“Are we doing anything with Bitcoin?” You’ve probably heard that question from a board member. When they ask, maybe you say something noncontroversial like “We’re looking into it.” But seriously, anyone with a risk management background should be a cryptocurrency skeptic. Here are five reasons why.

Reason 1. Volatility
The recent rocket-like rise of the conversion value of Bitcoin to $4,000 will have even more board members (or directors or bartenders or barbers) asking you the same question in the months to come. But has everyone forgotten that just three years ago, Bitcoin was the worst-performing currency in the world, losing 56 percent of its value?

The meteoric rise in the value of Bitcoin comes from the perception that the Bitcoin community has solved the years-long “block size” problem, which had led many to claim Bitcoin was a failed experiment. The main Bitcoin fork introduced Segregated Witness (SegWit), which allows offline transaction chains. A new fork of Bitcoin introduced in August 2017, called Bitcoin Cash, increased the blockchain block size. Both of these improvements should speed up transaction verifications, though it would be nice if they were the same fork. (Thanks, guys!)

Speculators are now resuming their irrational exuberance. Sure, volatility is an aspect of currency; in real life (IRL, as some say), arbitrage markets exist to absorb that risk. And you’re not dabbling with them, are you?

Reason 2. Maturity
There are thousands of ways to steal real money IRL; fraud, impersonation, counterfeit, embezzlement, and money laundering are just the big ones.

IRL, we have infrastructure to deal with these schemes. Laws, for one. And courts, insurance, Federal Deposit Insurance Corporation (FDIC), double-entry accounting, and regulation. What does cryptocurrency have? Not much. Just some blockchain stuff running on volunteer computers. Sure, the blockchain verification sounds like built-in accounting, but if you can be anonymous, what exactly is the point of all that accounting? What is the point of cryptographically proving that someone stole your Bitcoin and spent it on a Samsung TV, but you have no idea who it was?

In Pennsylvania this summer, a man admitted to stealing $40 million worth of Bitcoins. The authorities didn’t charge him with theft, because while Bitcoin is money, it isn’t legal tender.

Reason 3. The Nation State
One of the supposed benefits of Bitcoin and other cryptocurrencies is that they aren’t tied to any particular nation state. This prevents Bitcoin assets from being frozen by the state, and gives consumers the freedom to do anything they want with their money. State sponsorship of a currency has obvious benefits, though. Consider, in the 1990s, George Soros nearly single-handedly destroyed the pound sterling by betting that it was overvalued. To keep the pound from a precipitous fall, the UK government had to raise the interest rate to 15%. Pledging the resources of 80 million Britons kept the pound afloat. Had the defense failed, however, the pound would have fallen against all other currencies, possibly leading to a nationwide depression. Who’s going to defend cryptocurrency from the next Soros?

In the United States, the Secret Service has only two jobs: protecting the president, and protecting the currency (mostly against counterfeiting). Where is the Secret Service for cryptocurrency?

Reason 4. All Those Flipping Thefts
For a currency that was designed to make theft impossible, Bitcoin has a terrible and ironic history of constant, massive thefts. You can read the entertaining Blockchain Graveyard list of 44(!) cryptocurrency bank failures, most due to theft. Mt. Gox, the world’s largest repository of Bitcoins, failed after 744,000 Bitcoins (representing 6% of the worldwide total) were stolen. Today’s market value of those Bitcoins is $3 billion. They are still out there somewhere, and they haven’t been used.

IRL, banks fail. Occasionally it is due to mismanagement, but often it’s just market forces at work. The FDIC in the United States guarantees the first $100,000 in deposits for each customer in any failed bank, and then ensures the easy transition of assets as the failed bank is folded into another bank. After 4,000 years of banking, the financial community still hasn’t figured out how to avoid bank failure—but at least there’s a process for cleaning it up. Cryptocurrency banks appear to fail all the time as well, but there is no depositor guarantee. The associated monies just vanish.

If, IRL, bank failures are inevitable, why would anyone think that it would be different for cryptocurrencies?

Reason 5. Quantum Expiration
Bitcoin and most other cryptocurrencies seem like the bleeding edge of cryptographic technology, but they are actually heavily dependent on asymmetric encryption algorithms that are decades old. And those underlying algorithms are not resistant to quantum computing, should a quantum computer ever be built. Bitcoin private keys are just 256-bit Elliptic Curve Digital Signature Algorithm (ECDSA) keys, so a quantum computer with just a few thousand qubits could, in theory, find every wallet’s private key in the Bitcoin universe. Won’t that be a fun day!

Infrastructure Isn’t Just Technology
The financial community has the largest cybersecurity budgets in the world. And even with regulation, nation-state support, security teams, threat intelligence, and every security inspection device imaginable, they are just barely capable of keeping hackers from stealing all the monies. The CISOs for those companies know that they need more, way more, than just technology to secure a bank.

On the other hand, if you think all you need is technology to defend against bad guys, you shouldn’t be a CISO. But that’s all cryptocurrency is: technology.


David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA …

Article source: https://www.darkreading.com/partner-perspectives/f5/5-reasons-why-the-ciso-is-a-cryptocurrency-skeptic/a/d-id/1330211?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Assange™ says Trump’s voter-targeting firm asked WikiLeaks for something

Fugitive couch-surfer and angry leaker Julian Assange has made the explosive claim that Cambridge Analytica asked WikiLeaks for something before last year’s US presidential election.

Cambridge Analytica is known to have provided services to US president Donald Trump’s campaign and is owned by investors including Robert Mercer, a billionaire keen on conservative causes. The company’s political services arm offers “data driven political campaigns”, and claims it will “find your voters and move them to action.”

“CA Political has redefined the relationship between data and campaigns,” the company says. “By knowing your electorate better, you can achieve greater influence while lowering overall costs.”

The company’s modus operandi appears to involve micro-targeted ads, a practice that some find uncomfortable but The Register‘s own SA Mathieson rated as not quite the dystopia you’re looking for.

Assange’s Tweeted claim is, however, significant in the context of the three US congressional inquiries into Trump’s links to Russia. US intelligence agencies believe that leaked emails from the Democratic National Committee (DNC) made their way to WikiLeaks through Russian sources. It’s therefore possible to imagine links from Trump, to Cambridge Analytica, to Russia. And possibly also to secret unicorn farms where horns are ground into chemical weapons that will see North Korea achieve world domination.

Assange has previously denied the DNC leaks came from Russian sources. He’s said nothing more on this matter, other than to say he’s not told anyone what Cambridge Analytica sought. Other reports say the company sought Hillary Clinton’s controversial private emails, in order to make them public.

Clinton used a private email server for some official business during her term as secretary of state. Investigations found that decision worthy of reprimand, but not of further action. Trump’s campaign featured calls for Clinton to be prosecuted over the emails.

The Republican Party has responded to Assange’s Tweet by pointing out Trump signed up to use its own analytics operation, which it suggests was a major factor in the Tweeter-in-chief winning his job. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/26/assange_says_trumps_votertargeting_firm_asked_wikileaks_for_isomethingi/

Dell forgot to renew PC data recovery domain, so a squatter bought it

Dell forgot to re-register a domain name that many PCs it has sold use to do fresh installs of their operating systems. The act of omission was spotted by a third party, who stands accused of using it to spread malware.

The domain in question is www.dellbackupandrecoverycloudstorage.com, which offers anodyne information about Dell’s data protection products. The site is also used by an app called the “Dell Backup and Recovery Application”, a program bundled with Dell PCs and which the company bills as “a safe, simple, and reliable backup and recovery solution that can protect your system (OS, applications, drivers, settings) and data (music, photos, videos, documents, and other important files) from data loss.”

The program also helps Dell PC owners who want to do a factory reset.

Krebs On Security reports that the domain is administered by a third party, which forgot to re-register it in June 2017.

Enter an alleged typosquatter, who acquired the domain. Not long afterwards, Krebs alleges the domain redirected to sites hosting malware.

Dell confirmed to The Register that it had lost control of the domain, in the following statement:

A domain as part of the cloud backup feature for the Dell Backup and Recovery (DBAR) application, www.dellbackupandrecoverycloudstorage.com, expired on June 1, 2017 and was subsequently purchased by a third party. The domain reference in the DBAR application was not updated, so DBAR continued to reach out to the domain after it expired. Dell was alerted of this error and it was addressed.

We do not believe that the Dell Backup and Recovery calls to the URL during the period in question resulted in the transfer of information to or from the site, including the transfer of malware to any user device.

Krebs makes no allegation that malware-slingers attempted to have Dell’s application download something nasty, so Dell is probably in the clear. Albeit with plenty of egg on its face. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/26/dell_forgot_to_renew_pc_data_recovery_services_domain/

Google slides DNS privacy into ‘Droid developer stream

Android users might get better protection for their browsing records, if a Google experiment takes off.

XDA-developers.com spotted the entry in the Android Open Source Project, which adds DNS over TLS, along with an option to turn it off.

The idea of sending DNS queries over TLS is simple: it’s in line with the IETF’s (and the Internet Architecture Board’s) belief that standards need to protect users from snooping by default.

DNS-over-TLS is described in RFC 7858. It proposed using TCP port 853: an implementation establishes a TLS tunnel to the resolver and sends the DNS query over that encrypted tunnel (with fallback mechanisms if client or server can’t support it).

That would protect DNS queries from snooping by prying spies.

Few implementations exist at the time of writing. Google has an implementation for its resolvers, described here, and in November getdns published their own “Stubby” project.

Such efforts are important because if your ISP doesn’t offer TLS protection, your DNS queries are visible to it – but if you’re calling on an upstream resolver which does encrypt, then the ISP will only see you querying (for example) 8.8.8.8.
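As an added illustration of the RFC 7858 mechanics described above (this is not code from the Android change, Google or getdns), the following Python builds a DNS query, applies the two-byte length framing that DNS over TCP uses and DoT reuses over its TLS stream, and parses the answer. `resolve_over_tls` assumes a resolver at 8.8.8.8:853 presenting a certificate for `dns.google`; the response in `build_response` is a constructed fixture so the parsing can be checked offline.

```python
"""DNS-over-TLS (RFC 7858) client pieces: query building, length framing, answer parsing."""
import random
import socket
import ssl
import struct
from typing import List, Optional

DOT_PORT = 853  # RFC 7858: DNS over TLS uses TCP port 853


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qid: Optional[int] = None) -> bytes:
    """Build a recursive query (flags 0x0100 = RD set) with one question; qtype 1 = A."""
    if qid is None:
        qid = random.randrange(0x10000)  # random ID, checked against the reply
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prefix a message with its 2-byte big-endian length: TLS carries a byte stream,
    so RFC 7858 reuses the TCP framing of RFC 1035 4.2.2 to delimit messages."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a possibly compressed name (0xC0xx pointer) at pos."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2          # a compression pointer terminates the name
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_answer_ips(resp: bytes, expected_id: Optional[int] = None) -> List[str]:
    """Extract IPv4 addresses from the answer section, validating ID, QR bit and RCODE."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("response ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4            # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips


def build_response(query: bytes, ips: List[str], ttl: int = 300) -> bytes:
    """Constructed reply to `query` carrying the given A records (offline test fixture)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA set
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)  # name -> offset 12
        for ip in ips)
    return header + query[12:] + answers


def resolve_over_tls(name: str, server: str = "8.8.8.8",
                     server_hostname: str = "dns.google", timeout: float = 5.0) -> List[str]:
    """Send one A query over TLS and return the answers. Assumption: the resolver at
    `server` presents a certificate valid for `server_hostname`; verification stays on."""
    query = build_query(name)
    ctx = ssl.create_default_context()
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame(query))
            reader = tls.makefile("rb")
            (n,) = struct.unpack("!H", reader.read(2))   # length prefix first
            resp = reader.read(n)                        # then exactly one message
    return parse_answer_ips(resp, expected_id=struct.unpack("!H", query[:2])[0])


if __name__ == "__main__":
    print(resolve_over_tls("example.com"))
```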

Unlike the developer-grade Stubby, for example, baking the standard into Android would mean users don’t need to bone up on IETF documents to protect themselves.

The XDA-Developers post speculates that with the feature now offered to developers, Google could have it in mind for a future version of Android. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/26/android_testing_dns_over_tls/

So long – and thanks for all the phish

While messaging apps, social media, fake websites and phone calls can all be used to carry out phishing attacks, in the business world fake emails are the most common and dangerous method.

The wave of mass-mailing phishing attempts appears to be subsiding, but that doesn’t mean business and IT managers can allow themselves to be lulled into a false sense of security. Attackers are focusing their efforts on narrowly targeted “spear-phishing” campaigns using cleverly crafted messages that bypass traditional email security measures. It is estimated that perpetrators have so far tricked unsuspecting businesses out of $5bn.

This Temperature Check of 330 IT professionals reveals that attackers are regularly impersonating senior managers and targeting specific business departments. So, what’s to be done?

Let’s start by sizing up the problem and looking at how organisations are responding to this threat.

Impersonators, imposters, and thieves sneak past email security checkpoints

Love it or loathe it, there’s no escaping email. Your organisation may be using enterprise social networks and chat-based platforms to reduce the volume of emails, and some companies are even starting to shift their customer communications to apps and chatbots, but none of these has the same reach and range as email. If you have customers, partners, investors or suppliers, you still need to use it.

Email protocols, standards and architectures have evolved over the decades to address privacy and security issues. An ecosystem of ancillary products and services has also grown up to address specific problems and business requirements.

If you work in IT and run email servers on-premises you’ll be aware of the many products and services that wrap around the corporate email system to provide in-bound and out-bound hygiene and security. And if you’ve outsourced your corporate email, as many organisations have, then your service provider is likely to use an even bigger mix of products and technologies to protect your inbox.

We will provide an insight into how widely these technologies are used a little later in this Inside Track, but first we need to assess the threat that phishing poses to your business.

The survey data (Figure 1) indicates the scale of the phishing problem, with about 40 per cent of respondents reporting phishing attacks at least daily. Although larger companies are more at risk, firms of all sizes can be targeted, and there’s only slight variation across industries. The survey results also show that well-protected and well-prepared organisations receive phishing reports from end users, so every business and institution is a potential target.

Figure 1

Every phishing attack reported by an end user is evidence of at least two things. First, it proves that a well-crafted phishing attack can sneak past almost any security checkpoint or email filter. Secondly, it shows that some users are savvy enough to spot an attack and know how and where to report it.

What this chart doesn’t show us, however, is the number of phishing emails that go unnoticed or unread, or hit their target. While scattergun attacks are declining according to security industry reports, spear-phishing targeting specific businesses and individuals is on the increase. So, who is being targeted?

Follow the money

The FBI started tracking business email compromise (BEC) attacks in 2013. Its 2016 Internet Crime Report (published June 2017, PDF) stated that organised crime groups had targeted large and small companies and organisations in every US state and more than 100 countries around the world, with losses now in the billions of dollars. In the UK, the 2016 Cyber Security Breaches Survey found that 32 per cent of breaches or attacks involved impersonation of someone in the organisation.

BEC can take a variety of forms, with fraudsters most commonly tricking employees who have access to company finances into making fund transfers to bank accounts controlled by the criminals. But spear-phishing attacks also target those who manage business processes and IT (Figure 2). This opens organisations up to a range of vulnerabilities, including ransomware attacks and good old-fashioned extortion.

Figure 2

BEC perpetrators are not amateur mischief makers but sophisticated groups with access to significant resources. The FBI reports that lawyers, linguists, hackers, and social engineers are often used to craft a spear-phishing attack, so it’s not surprising that companies can easily be fooled.

How do the fraudsters do it exactly, and what can your organisation do to guard itself against an attack?

Masters of disguise

The fraudsters know there are plenty of “phish” in the sea, and scam emails impersonating a senior manager or executive can help them land the big one. In a “whaling attack”, perpetrators are willing to go to considerable lengths to study an organisation’s processes and systems, collect email samples, and even monitor company events in search of an upcoming business trip that might present them with an opportunity.

A typical spear-phishing attack plays out like this: when the time is right a maliciously crafted email is sent to the victim. The fraudsters spoof a familiar trustworthy account, belonging for example to an executive, senior manager or supplier, and instruct the recipient, such as a finance officer or accounts clerk, to carry out some routine financial transaction.

More than half of the respondents in our survey confirm that senior managers in their organisations have been impersonated in spear-phishing attacks (Figure 3). Targeted employees usually believe they are sending money, or commercially sensitive information, to a familiar account, but the details are used to deposit the funds in the scammer’s account.

Figure 3

Professional fraudsters know what they’re doing and use money laundering techniques to cover their tracks. It is usually too late to recover the money if the transaction goes through. If it’s commercially sensitive information that has been sent, the perpetrator might use it for immediate commercial gain or to trick another individual in the organisation or supply chain.

This all might sound like a plot line for a glamorous heist movie, but it’s fast becoming a very common and run-of-the-mill business story.

As phishers and whalers become more adept, what can your organisation do to protect itself?

Forewarned is forearmed

As with all things IT, technology on its own is not enough. Policies and processes are just as important, with regular testing and refinement to ensure a good business fit.

Even the most diligent of employees is fallible so you need to implement anti-phishing solutions alongside security products to protect your corporate email systems. End-point solutions add a layer of protection at the email client on desktop and laptop PCs.

More than 60 per cent of the respondents to our survey said they had already implemented anti-phishing protections or are “well advanced” when it comes to dealing with email-based phishing attacks, but this still leaves a sizeable proportion exposed (Figure 4).

And given the survey audience has an interest in security and data protection topics, these figures are likely to be somewhat optimistic for organisations in general.

Figure 4

Having IT security products and policies in place is only part of the solution. There’s no escaping the fact that humans are the weakest link when it comes to security, so it is crucial to consider staff training, especially for employees working in accounting and finance departments, as well as in administration, management and of course IT (remember what we saw in Figure 2).

A one-off training course can be little more than a box-ticking exercise, so consider how employees will be kept on their toes, with simulation testing being one obvious option.

If you’ve attended to all the above, well done, but it doesn’t end there. We’ve already agreed that since humans are fallible no security system can ever be perfect, so what happens when things do go wrong?

The cybersecurity playbook

There are hundreds of thousands of cyber-attacks on businesses like yours every day, attempting to steal your company’s information and its money or to disrupt operations. You might be well prepared but even the best defended company can never be totally safe.

So what happens if a spear-phishing or whaling attack hits its mark? Do you have a response plan?

Less than a quarter of those we surveyed said they had a specific playbook for dealing with sophisticated targeted email threats and exploits (see Figure 5). And while 38 per cent said they are “getting there”, the remainder have only a very general approach at best for dealing with this kind of incident.

Figure 5

If you don’t yet have a response plan, it might be a good idea to get executives to back the design, development and testing of one as part of their fiduciary responsibility. There are plenty of sources of good practice, as well as specialist consultants who can advise if your budgets can be made to stretch.

Think too about who to turn to for support if your organisation falls victim to a financial phishing attack. Your audit firm or banking provider might be able to help here. If you suffer an IT service attack or disruption, think about what your recovery procedures will be and how you could keep your core business operations running.

Let’s now look at what organisations can do to mitigate the risks of phishing attacks.

Stay clear of the risks

The adoption rate of anti-virus and anti-spam solutions is nearly 100 per cent, but much smaller numbers say they have anti-phishing measures, spoofing detection, URL protection and data loss prevention in place (Figure 6).

Figure 6

We can assume that our survey group of IT professionals has good insight into security and risk mitigation measures, so it’s somewhat disconcerting that anti-phishing, URL protection and spoofing protection are not more widely used. Some organisations may think they’re better protected than they are (especially in the SMB space, where email is generally outsourced), but budgets – or lack thereof – are also likely to be an issue.

Popular cloud-based communication and collaboration platforms, such as Microsoft Office 365 and Google’s G Suite, can help organisations shoulder the burden of corporate email, but both have been the focus of targeted phishing scams.

Third-party anti-phishing solutions are available from vendors, but this still leaves the most vulnerable element – the end-users – left to their own devices (quite literally in many cases). If you were to receive an out-of-hours email on your device from your boss marked “URGENT”, albeit to your personal email account, would you open it?

All-round protection

Training staff to spot phishing attacks, and testing them periodically, is likely to have a positive effect but it will never make for a totally safe working environment. Likewise, it’s impossible to mitigate every risk using technology, no matter how much money and expertise is thrown at it. A combined approach is required: one that is layered, multifaceted and adaptive.

We’re starting to see machine learning and artificial intelligence being employed to counter phishing attacks, but it will take a while for these technologies to enter the mainstream. In the meantime, organisations can reduce security risk by following best practice.

  • Commit to educating, training and testing employees. Good security habits take time to establish, so simulation and periodic testing should be part of your regime. IT security firms, industry bodies and government agencies can offer tips and best practice advice.
  • Advise employees to be wary of emails appearing to originate from C-suite executives. If the message requests an immediate payment or funds transfer, or the sending of commercially sensitive information, make sure payment policies and procedures are followed.
  • Consider the use of digital signatures for executives using email, and the use of two-factor authentication procedures such as a phone call or text message when immediacy is required. Staff need to know that if something smells a bit “phishy” they should pick up the phone and speak directly to the person requesting the transaction or information.
  • Evaluate modern email protection services, such as anti-phishing, URL protection/detonation, spoofing protection and user activity profiles for unusual or out-of-policy activities.
  • Produce a playbook that details what to do when a spear-phishing attack penetrates your organisation, and if you suspect that you’ve been targeted by a phishing email, report the incident immediately to the relevant authorities.
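As an added illustration of what the “spoofing protection” and “wary of emails appearing to originate from C-suite executives” points look like in practice, here is a small header check of the kind a mail-filtering pipeline can run before delivery. This is example code written for this page, not the article’s or any vendor’s product; the internal domain, executive roster, keyword list and the sample message headers are all constructed for the demonstration. It flags three tell-tale signs of executive impersonation (an executive’s display name on an external address, a Reply-To that diverts replies away from the From domain, and a look-alike domain a couple of characters off the real one) and notes when an urgency word appears in the subject.

```python
"""Flag executive-impersonation signs in inbound mail headers.

Added example, not code from the article. The domain, executive
roster, keyword list and sample messages below are constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own mail domain and the display names
# fraudsters would most likely impersonate (the C-suite).
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
# Constructed: subject words typical of "pay this now" pretexts.
URGENCY_WORDS = ("urgent", "wire", "transfer", "payment")

# Constructed sample headers (bodies omitted), one per scenario.
SAMPLE_MESSAGES = [
    # 1. Legitimate internal mail from an executive.
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 figures\n\n",
    # 2. Executive's display name on an external webmail address.
    "From: Jane Doe <jane.doe.ceo@webmail.example.net>\n"
    "To: accounts@example.com\n"
    "Subject: URGENT wire transfer\n\n",
    # 3. From looks internal, but replies are routed to an outside mailbox.
    "From: John Roe <john.roe@example.com>\n"
    "Reply-To: john.roe@webmail.example.net\n"
    "To: finance@example.com\n"
    "Subject: Supplier payment\n\n",
    # 4. Look-alike domain with two letters transposed.
    "From: Jane Doe <jane.doe@exmaple.com>\n"
    "To: accounts@example.com\n"
    "Subject: Invoice attached\n\n",
]


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_headers(raw: str) -> list[str]:
    """Return the list of impersonation indicators found in one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings: list[str] = []

    # An executive's name on any address outside our domain.
    if name.strip().lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append("display-name-impersonation")

    # Reply-To pointing at a different domain than From diverts the reply.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    # A sender domain within two edits of ours is a look-alike, not ours.
    if from_domain != INTERNAL_DOMAIN and 0 < _levenshtein(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # Urgency wording on its own is not proof, so record it as a modifier.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency-keyword")
    return findings


def triage(raw: str) -> str:
    """Deliver unless a structural (non-keyword) indicator was found."""
    structural = [f for f in analyse_headers(raw) if f != "urgency-keyword"]
    return "hold-for-review" if structural else "deliver"


if __name__ == "__main__":
    for i, sample in enumerate(SAMPLE_MESSAGES, 1):
        print(i, triage(sample), analyse_headers(sample))
```

The urgency words are deliberately kept out of the hold decision: on their own they are far too common in legitimate finance traffic, and a filter that quarantined on subject lines alone would be switched off within a week. What earns a hold is a structural inconsistency in the headers, which is exactly the “does this really come from where it says it does” question the article wants staff to ask by phone.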


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/26/phishing_temperature_check/

NSA bloke used backdoored MS Office key-gen, exposed secret exploits – Kaspersky

Analysis The NSA staffer who took home top-secret US government spyware installed a backdoored key generator for a pirated copy of Microsoft Office on his PC – exposing the confidential cyber-weapons on the computer to hackers.

That’s according to Kaspersky Lab, which today published a report detailing, in its view, how miscreants could have easily stolen powerful and highly confidential software exploits from the NSA employee’s bedroom Windows PC.

Earlier this month, it was alleged Russian intelligence services were able to search computers running Moscow-based Kaspersky’s antivirus tools, allowing the snoops to seek out foreign intelligence workers and steal secrets from their hard drives.

The NSA employee’s home PC was one of those tens of millions of machines running Kaspersky antivirus. Kaspersky was, therefore, accused of detecting the American cyber-weapons on the PC via its tools, tipping off Kremlin spies, and effectively helping them hack the machine to siphon off the valuable vulnerability exploits.

Well, not quite, says Kaspersky.

According to the Russian security giant, the staffer temporarily switched off the antivirus protection on the PC, and infected his personal computer with malware from a product key generator while trying to use a bootleg copy of Office.

Later, once reactivated, Kaspersky’s software searched the machine as usual, removed the trojanized key-gen tool, found the secret NSA code during the scan, and uploaded it to Kaspersky’s cloud for further study by staff. Kaspersky’s technology is always on the lookout for the NSA’s secretive surveillance tools in the wild – such as the hard drive firmware spyware it revealed in 2015 – so it’s no surprise the archive of source code and other files was detected and copied for analysis.

Users can configure Kaspersky’s software to not send suspicious samples back to Mother Russia for scrutiny, however, in this case, the NSA staffer didn’t take that option, allowing the highly sensitive files to escape.

Once in the hands of a reverse-engineer, it became clear this was leaked NSA software. CEO Eugene Kaspersky was alerted, copies of the data were deleted, and “the archive was not shared with any third parties,” we’re told.

Kaspersky’s argument is that anyone could have abused the backdoored key generator to remotely log into the machine and steal the secrets the NSA employee foolishly took home, rather than state spies abusing its antivirus to snoop on people.

Kaspersky does share intelligence of upcoming cyber-security threats, such as new strains of spyware and other software nasties, with its big customers and governments. However, in this case, it is claimed, the American tools went no further, the argument being that if the Russians got hold of the leaked exploits, it wasn’t via Kaspersky Lab.

That the biz deleted the archive almost immediately raised eyebrows in the infosec world.

Here’s a summary of what Kaspersky said happened:

Timeline

On September 11, 2014, Kaspersky’s software detected the Win32.GrayFish.gen trojan on the NSA staffer’s PC. Some time after that, the employee disabled the antivirus to run an activation-key generator designed to unlock pirated copies of Microsoft Office 2013. The malicious executable was downloaded along with an ISO file of Office 2013.

As is so often the case with rogue key-gens, the software came with malware included, which was why the employee had to disable his AV. Fast forward to October 4, and Kaspersky’s software was allowed to run again, and the fake key-gen tool’s bundled malware, Win32.Mokes.hvl, which has been on the security shop’s naughty list since 2013, was clocked by the defense software.

“To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine,” Kaspersky Lab said in its report.

“Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the antivirus enabled.”

The user was warned his computer was infected, so he told the toolkit to scan and remove all threats. The antivirus duly deleted the Mokes malware, but also found several new types of NSA code – which appeared to be similar to the agency’s Equation Group weapons that Kaspersky was already familiar with – which were pinged back to Russian servers for analysis.

According to the security firm’s account, one of its researchers recognized that they had received some highly advanced malware, and reported the discovery to Kaspersky’s CEO Eugene:

One of the files detected by the product as new variants of Equation APT malware was a 7zip archive.

The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware.

After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.

Kaspersky said it never received any more malware samples from that particular user, and went public with its Equation Group findings in February 2015. It says that after that disclosure, it began to find more Equation Group malware samples in the same IP range as the original discovery – honeypots to snare whoever may have stolen copies of the cyber-weapons, presumably.

“These seem to have been configured as ‘honeypots’, each computer being loaded with various Equation-related samples,” Kaspersky Lab said. “No unusual (non-executable) samples have been detected and submitted from these ‘honeypots’ and detections have not been processed in any special way.”

As for claims Russian spy agency the FSB romped through Kaspersky’s backend systems to infiltrate computers using the company’s antivirus, not so, said the software maker. Its investigation found that, apart from a Duqu malware infection in spring 2015 that waylaid its servers, the firm has suffered no intrusions by third parties.

That seems surprising. Security vendors are at the top of hackers’ list of targets to subvert, The Register was told by Michael Viscuso, CTO of security shop Carbon Black and a former member of the NSA’s elite hacking crew, the Tailored Access Operations team. Compromising anti-malware tools gives tremendous low-level access to a target’s computer, so you’d expect Kaspersky to come under repeated attack, some of them being successful. On the other hand, the lab may not know it was infiltrated.

US Congress to the rescue a la Keystone Kops

Kaspersky’s report was published online shortly before the US House of Representatives Committee on Science, Space and Technology held hearings to assess the risks – if any – posed by Kaspersky software.

The hearings followed the US federal government banning Kaspersky software on its computers, a decision that led to Best Buy pulling the code from its shelves and offering customers free removal of the code. As you’d expect with Congress and technical stuff, the hearing didn’t go well.


Oversight subcommittee chairman Darin LaHood (R-IL) set the tone by repeatedly referring to the firm as “Kapersky Lab,” showing the in-depth knowledge and high-end security chops we’ve come to expect from our elected leaders.

One of the witnesses, Sean Kanuck, director of future conflict and cyber security at the International Institute for Strategic Studies, said that two foreign powers had penetrated Kaspersky servers. Presumably one was the Israelis, who reportedly hacked Kaspersky Lab and spotted Russian spies using its product as a global search engine of computers, but the other was unnamed – presumably either the FSB or possibly America’s own NSA.

Asked if other security vendors were equally at risk from hacking, Kanuck declined to answer, saying that these hearings were about Kaspersky, not other vendors. Another fact – that yet another NSA staffer took top-secret work home and lost it, which is a criminal felony – was outside of the committee’s remit, according to Representative Barry Loudermilk (R-GA).

Overall, the hearing was a bit of a dead loss. David Shive, CIO of the US General Services Administration, confirmed that Kaspersky software was off its PCs but also added that it hadn’t seen any evidence of nefarious use, and was just acting on what Homeland Security had told him.

So there we have it: the he-said, she-said war of words goes on. Kaspersky has put its evidence on the table, and it’s up to the US government to see if it’ll do likewise to justify stripping the otherwise decent antivirus from its computer systems. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/25/kaspersky_nsa_keygen_backdoor_office/