STE WILLIAMS

‘Open sesame’… Subaru key fobs vulnerable, says engineer

A Dutch electronics engineer reckons Japanese auto-maker Subaru isn’t acting on a key-fob cloning vulnerability he discovered.

Tom Wimmenhove claims to have discovered that Subaru’s electronic keys don’t use a random number. The “rolling code” instead merely increments codes.

Wimmenhove says he’s built a cloning device (described here on GitHub) and used it on a 2009 Subaru Forester, but believes it would also work on a 2006 Baja, Forester models from 2005 to 2010, Impreza models from 2004 to 2011, the “Legacy” sedan’s 2005 to 2010 models and the Outback from 2005 to 2010.

His test rig is only worth about US$25, comprising a Raspberry Pi, a DVB-T USB dongle to provide the radio receiver, and rpitx software (here) that turns the RPi into a transmitter. A suitable antenna is required so the receiver can detect signals at 433 MHz.

Because the key fobs simply increment the rolling code exchanged between car and key, all an attacker needs is to be close enough to capture the code used when the owner locks the car; incrementing that code lets the attacker unlock the car.

Here’s Wimmenhove’s demonstration (YouTube video):

The attack has another nasty aspect: the attacker can brick the owner’s key fob with an integer overrun: “increasing the rolling code with a sufficiently high value [will] effectively render the user’s key fob unusable”, Wimmenhove writes.
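As an added illustration (not Wimmenhove’s code and nothing from Subaru), the Python model below contrasts the increment-only scheme described in the two paragraphs above with a keyed rolling code: a receiver that only checks that the counter went up, beside one that also verifies an HMAC over the counter and bounds how far ahead a counter may jump. Keys, counter values, the tag length and the window size are all constructed for the example.

```python
import hashlib
import hmac
import secrets


class WeakReceiver:
    """Toy model of the scheme the article describes: the fob transmits a bare
    counter and the car accepts any value larger than the last one it saw.
    Constructed for illustration; not Subaru's protocol or Wimmenhove's code."""

    def __init__(self, last_code: int) -> None:
        self.last_code = last_code

    def accept(self, code: int) -> bool:
        if code > self.last_code:
            self.last_code = code
            return True
        return False


class KeyedReceiver:
    """Hardened model: each transmission is (counter, tag) with
    tag = HMAC-SHA256(shared_key, counter). The car accepts a counter only if it
    lies within a small window above the last accepted one AND the tag verifies.
    Without the key an observer cannot produce a tag for any other counter, and
    the window stops a single oversized value from pushing the car's state past
    the fob's (the lockout described in the article)."""

    WINDOW = 16    # how far ahead a legitimate fob may drift (presses out of range)
    TAG_LEN = 8    # truncated tag; real designs size this to the radio budget

    def __init__(self, key: bytes, last_counter: int) -> None:
        self.key = key
        self.last_counter = last_counter

    @staticmethod
    def tag(key: bytes, counter: int) -> bytes:
        msg = counter.to_bytes(4, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()[: KeyedReceiver.TAG_LEN]

    def accept(self, counter: int, tag: bytes) -> bool:
        in_window = self.last_counter < counter <= self.last_counter + self.WINDOW
        if not in_window:
            return False
        if not hmac.compare_digest(tag, self.tag(self.key, counter)):
            return False
        self.last_counter = counter
        return True


def demo_weak() -> tuple:
    """Returns (next counter accepted without any secret, owner's fob refused
    after one oversized value moved the car's state)."""
    car = WeakReceiver(last_code=1000)
    car.accept(1001)                      # owner locks the car; 1001 was on the air
    guessed_next = car.accept(1002)       # the following counter needs no secret
    car.accept(2**31)                     # a single oversized value advances the car
    owner_refused = not car.accept(1003)  # the real fob is now behind and is refused
    return guessed_next, owner_refused


def demo_hardened() -> tuple:
    """Same sequence against the keyed receiver."""
    key = secrets.token_bytes(16)         # constructed shared secret, paired at the factory
    car = KeyedReceiver(key, last_counter=1000)
    owner_ok = car.accept(1001, KeyedReceiver.tag(key, 1001))
    # An observer saw (1001, tag) but cannot compute the tag for 1002 without the key;
    # presenting the observed tag with the next counter fails verification.
    replay_plus_one = car.accept(1002, KeyedReceiver.tag(key, 1001))
    # An oversized counter falls outside the window and is dropped before it changes state.
    oversized = car.accept(2**31, bytes(KeyedReceiver.TAG_LEN))
    owner_still_ok = car.accept(1002, KeyedReceiver.tag(key, 1002))
    return owner_ok, replay_plus_one, oversized, owner_still_ok


if __name__ == "__main__":
    print("increment-only receiver:", demo_weak())        # (True, True)
    print("keyed receiver:        ", demo_hardened())     # (True, False, False, True)
```

The window is what turns the “sufficiently high value” problem from a bricked fob into a dropped packet; production designs also need a resynchronisation path (typically two consecutive presses with adjacent counters) for a fob that has drifted beyond the window, and commercial systems such as KeeLoq encrypt the counter under the shared key rather than appending a MAC, which gives the same property.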

A spokesperson for Subaru was not available for comment. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/subaru_key_fobs_vulnerable_says_engineer/

Brit intel fingers Iran for brute-force attacks on UK.gov email accounts

Iran has been blamed for the brute-force attack on UK Parliament earlier this year.

An unpublished assessment by British intelligence obtained by The Times fingers Iran for the high-profile hack. The revelation comes as the US president has refused to continue signing off the 2015 Iran nuclear deal, to which the UK is a party.

An estimated 90 email accounts were compromised on the Parliamentary network last May, as previously reported. Hackers attempted to gain access to accounts protected only by weak passwords. Two-factor authentication technology, widely used across the enterprise world for years, was not deployed at the time.

The Parliamentary digital services team has reportedly since made changes to lock out hackers. A spokesman in the House of Lords press office told The Register that he wasn’t able to comment on security issues. The House of Commons press team couldn’t be reached on Monday afternoon.

Initial suspicion fell on Russia, but this theory has since been discounted. The evidence so far collected in the ongoing investigation includes “digital footprints” associated with Iran’s Islamic Revolutionary Guard Corps. An investigation by the National Cyber Security Centre (NCSC) and the National Crime Agency continues, The Times reports.

Hackers tried to break into Scottish Parliament email accounts in August, weeks after similar campaigns against Westminster. First indications were that this assault was unsuccessful. El Reg has asked whether the attacks are believed to be linked but we’re yet to hear back from our sources. We’ll update this story as and when we hear more. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/iran_blamed_uk_parliament_cyberattack/

Here’s a timeless headline: Adobe rushes out emergency Flash fix after hacker exploits bug

Adobe today issued an emergency security patch for Flash, which squashes a bug being used in the wild right now by hackers to infect Windows PCs with spyware.

The flaw, CVE-2017-11292, was discovered by Kaspersky Labs, and affects all current versions of Flash for Windows, macOS, Linux and Chrome OS. A programming cockup in the software allows malicious Flash files – hidden on websites or embedded in Office documents and other files – to corrupt the plugin’s internal memory structures and gain remote code execution on a vulnerable machine.

As mentioned, this is a zero-day hole: it is being actively exploited against computers to infect them with malware. Netizens should update their Flash installations as soon as possible.

“This is a type confusion bug that could allow an attacker to execute arbitrary code on a target system,” the Zero Day Initiative warned in an advisory. “The attacker would need to entice an affected system to view maliciously crafted Flash content, typically hosted on a website. This security update should be a high priority for administrators.”

It’s a demoralizing blow for Adobe, which just last week was proudly trumpeting the fact that – for the first time in ages – there would be no security patches this month for its applications. Sadly, that lasted six days before the emergency fix had to be released.


Kaspersky researcher Anton Ivanov uncovered the flaw on October 10 while investigating a hacker called BlackOasis – who last year exploited another zero-day bug in Flash to infect computers with copies of the leaked FinFisher aka FinSpy government surveillance tools.

Fast forward to this month, and Ivanov spotted BlackOasis exploiting a previously unheard-of bug in Flash to execute arbitrary malicious code on a machine. The booby-trapped Flash file is wrapped in an ActiveX object, and embedded in Microsoft Office documents that are presumably emailed to victims. Once opened, the Flash file exploits the memory-corruption bug to read and write memory as it pleases, which is used to execute an initial shellcode stage.

This first stage disguises some of its code – the NOP sled – to avoid detection by antivirus packages, and downloads and runs a second stage called mo.exe.

This executable is the latest version of FinFisher, the multitool spyware developed for government snoops by Gamma International that was dumped online and into the hands of crooks. The malware can hijack the computer, and spy on the users’ activities, as well as connect to three command-and-control servers to receive fresh orders from its masterminds.

“The payload calls out to three C2 servers for further control and exfiltration of data,” the Kaspersky team said.

“We have observed two of them used in the past with other FinSpy payloads. Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.”

So far the attack has only been spotted in highly focused attacks against political targets, Team Kaspersky said. But with news of the flaw now public, script-kiddie morons are likely to pile in and exploit it further. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/adobe_flash_emergency_patch/

Printers: The Weak Link in Enterprise Security

Organizations frequently overlook printer security, leaving systems exposed to malware and theft. New tools aim to lessen the risk.

PC security has become a priority for security leaders following global ransomware attacks earlier this year. If they didn’t before, everyone from CISOs to everyday consumers knows it’s a bad idea to ignore security updates or use simple, breakable passwords.

This heightened awareness does not extend to printers, however, and hackers are exploiting poor printer security practices.

“Unlike PCs, where there’s a full appreciation for the need to secure those devices, there’s much less awareness to the need to secure print devices,” says Ed Wingate, VP and GM for HP’s JetAdvantage Solutions, noting that strong security practices for protecting PCs and other nodes on the network are not consistently deployed to printers.

Weak link in the IoT

Sam McLane, who runs the security engineering team at Arctic Wolf, says he is far less concerned about today’s printers than about yesterday’s printers. Many organizations, especially smaller ones, use printers around five to eight years old, and haven’t updated them.

“Printers, specifically, have a much longer shelf life than any of the other IoT devices, and they were the earliest of the adopted devices,” he explains. “People will run them into the ground and then some before they start replacing them.”

This poses an especially big problem for small offices using consumer-grade devices, McLane continues. SMBs don’t have the need or budget for high-end enterprise-level printers, and make the mistake of sending corporate data into the cloud with lower levels of protection on a device meant to be in someone’s house and not necessarily in a corporate environment.

“Someone could get into a computer via malware; printers advertise themselves well,” says McLane. “If a laptop or desktop gets compromised, a printer is a great spot to put malicious code that everyone talks to … it’s a built-in platform to launch attacks.”

Common printer slip-ups

Most frequent mistakes include employing weak or default passwords, and neglecting to update firmware. “Printers are not always updated with the latest firmware,” HP’s Wingate adds. “In fact, we see heavy use of old firmware with printers, some with known vulnerabilities that are not being patched to the latest version. That represents an opportunity for hackers to come in.”

Mismanagement of printer settings and ports leaves the door “wide open” for remote entry onto devices and into corporate infrastructure, he continues. Lack of active monitoring for printers also leaves businesses vulnerable to unauthenticated actors.

When overlooked, these errors can put full organizations at risk. Earlier this month, security researcher Ankit Anubhav found nearly 700 Brother printers exposed online, granting full access to their administration panels over the Internet. Devices on university, corporate, and government networks could be found via IoT search engines like Shodan and Censys.

One of the factors behind this exposure was the decision to ship printers with no administrative password. Researchers believe most businesses likely connected vulnerable machines to their networks without recognizing their administrative panel was exposed.

Vendor responsibility

As Wingate points out, it’s not enough to simply protect a network from initial penetration. Firewalls are helpful “but not sufficient,” he explains. CISOs must assume their network has already been breached and ensure there is no lateral attack on the network.

“What we’ve discovered in our research is that certain malware packets are able to enter the network by being sufficiently small and low profile – effectively entering under the radar,” he explains. Once inside, it needs to contact the master command-and-control server to know what to do next. The way it does this is characteristic of that type of malware attack.

HP is addressing modern printer risks like this with a tool called Connection Inspector, which analyzes outbound network connections typically targeted by malware. It detects anomalous behavior and, if necessary, triggers a reboot to go back to a known version of the BIOS. This accelerates response speed, Wingate says, which is important given the security skills gap.
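Connection Inspector’s internals are not described on this page, so the following is an added Python sketch of the general idea rather than HP’s code: an allowlist of the destinations a printer legitimately reaches on its own, with everything else flagged, plus a simple cadence check that picks out the regular beaconing by which malware typically finds its command-and-control server. The printer subnet, the allowed destinations, the flow-record format and the sample records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed network layout: the printer VLAN and the few places a printer
# legitimately talks to on its own (DNS, NTP, mail relay for scan-to-email,
# a hypothetical vendor update host). Addresses use private/documentation ranges.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_DESTINATIONS = {
    ("10.20.1.2", 53),       # internal DNS
    ("10.20.1.3", 123),      # internal NTP
    ("10.20.1.10", 25),      # mail relay
    ("203.0.113.10", 443),   # hypothetical vendor firmware/update host
}
MIN_EVENTS = 4        # connections needed before a cadence is judged
MAX_JITTER = 0.10     # stdev/mean of the intervals at or below this looks machine-driven

# Constructed flow records in the form "<ISO time> <src> -> <dst>:<port>"
SAMPLE_FLOWS = """\
2017-10-16T09:00:00Z 10.20.30.41 -> 10.20.1.2:53
2017-10-16T09:00:01Z 10.20.30.41 -> 10.20.1.3:123
2017-10-16T09:02:00Z 10.20.30.42 -> 198.51.100.77:443
2017-10-16T09:03:30Z 10.20.30.41 -> 10.20.1.10:25
2017-10-16T09:07:00Z 10.20.30.42 -> 198.51.100.77:443
2017-10-16T09:09:15Z 10.20.30.43 -> 192.0.2.9:8080
2017-10-16T09:12:00Z 10.20.30.42 -> 198.51.100.77:443
2017-10-16T09:14:00Z 10.20.5.7 -> 198.51.100.77:443
2017-10-16T09:17:00Z 10.20.30.42 -> 198.51.100.77:443
2017-10-16T09:22:00Z 10.20.30.42 -> 198.51.100.77:443
2017-10-16T09:30:00Z 10.20.30.41 -> 203.0.113.10:443
"""


def parse_flow(line: str):
    """Return (timestamp, src, dst, port) for one flow record."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(port)


def analyze(flow_text: str) -> dict:
    """Flag printer-originated connections that leave the allowlist and, among
    those, source/destination pairs that recur on a near-fixed interval."""
    unexpected = []
    times = defaultdict(list)
    for line in flow_text.splitlines():
        ts, src, dst, port = parse_flow(line)
        if ipaddress.ip_address(src) not in PRINTER_NET:
            continue                  # only outbound traffic from the printer VLAN is in scope
        if (dst, port) in ALLOWED_DESTINATIONS:
            continue
        unexpected.append((src, dst, port))
        times[(src, dst, port)].append(ts)

    beacons = []
    for key, stamps in times.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) / mean(gaps) <= MAX_JITTER:
            beacons.append({"flow": key, "period_s": mean(gaps), "count": len(stamps)})
    return {"unexpected": unexpected, "beacons": beacons}


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for flow in report["unexpected"]:
        print("unexpected printer connection:", flow)
    for beacon in report["beacons"]:
        print("regular beacon:", beacon)
```

Run against the constructed records, the one-off connection from 10.20.30.43 is reported as unexpected, the 5-minute cadence from 10.20.30.42 to 198.51.100.77 is reported as a beacon, and the same destination contacted by a workstation outside the printer VLAN is ignored because the allowlist only describes what a printer should be doing. The allowlist approach works for printers precisely because, as the article notes, they have far fewer legitimate outbound destinations than a PC.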

“If you have a human in the loop, who needs to be notified that there’s a malware penetration, and he or she delays the response on solving the issue that undermines the security of the entire network,” he explains.

Other new tools aim to improve security amid cloud growth and the rise of remote work. HP Roam, a Pull Print solution built in the cloud, lets mobile workers hand off documents and print them, then erases the job off the printer once the job is complete.

“Whether it’s a sales rep in the field, an insurance agent, or any other ‘road warrior’ in the field, they sometimes must print,” says Wingate. “And if they’re not at home, and they’re rarely at the office, where do they securely print? They don’t securely print.”



Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/printers-the-weak-link-in-enterprise-security/d/d-id/1330127?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

20 Questions to Ask Yourself before Giving a Security Conference Talk

As cybersecurity continues to become more of a mainstream concern, those of us who speak at industry events must learn how to truly connect with our audience.

While passing through a particular city recently, I stopped in to a security conference that happened to be going on that same day. I enjoyed the opportunity to catch up with old colleagues and network with new ones. But as I listened to some of the presentations, I was reminded of how underwhelming and disappointing many can be. Speaking as both a sometime presenter and sometime attendee, here are 20 questions speakers should ask themselves before giving a security conference talk:

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

  1. Is the material fresh? No one is particularly interested in sitting through a talk rehashing ideas from 5, 10, or even 20 years ago.
  2. Is the topic relevant? That’s despite the fact that I’ve seen some pretty interesting talks that have little to no relevance or practical application.
  3. Is the material clear and easy to understand? It’s always a bit uncomfortable when you find yourself in the middle of a talk where you literally have no idea what is being discussed.
  4. Is the talk focused? If you are planning on laying out a potpourri of different topics with no unifying theme connecting them, don’t be surprised that listeners tune out.
  5. Does the talk converge? I want you to lead me through a logical progression toward a conclusion.
  6. Are the slides concise? There is nothing I hate more than to see slides overloaded with a cacophony of words. It’s even worse if you read me the slides. If you want me to read, then hand me a white paper. It saves us both a lot of time.
  7. Will attendees need to check their eyeglass prescription before they come to your talk? As much as I love diagrams, if your diagrams require a telescope to see, you’re doing it wrong.
  8. So what? Have you answered the most fundamental of all questions? If you’re going to talk for 30 to 60 minutes, make sure there is a point to it.
  9. Who cares? Perhaps this question sounds a bit harsh, but if no one identifies with or finds relevance in your talk, it missed the mark.
  10. Do you do more than rehash old points? Yes, I know that lots of organizations still don’t use multifactor authentication for whatever reason. Unless that data point (and others like it) is critical to the logical argument you’re building or you have a solution to the problem, I don’t need to hear about it yet again.
  11. Do you do more than simply ask questions? Asking the right questions is important, but it can’t be all you do during the course of your talk. (And yes, perhaps it is a bit ironic that this is one of the 20 questions I am asking.) 
  12. Do you merely highlight problems? All of us are capable of sitting around and generating a long list of everything that is wrong in security. There is really nothing novel or illuminating in that.
  13. Do you offer solutions? If you ask people what they are really interested in hearing about, they will likely tell you that they want to learn about how they can solve problems. Talks that highlight problems without offering solutions don’t really answer the call.
  14. Do you provoke thought? Pushing people outside of the box and outside of their comfort zone is a good thing, as long as it is done constructively and respectfully. Problems don’t get solved by doing nothing, or repeatedly trying the same failed techniques. Dialogue around non-traditional approaches can be a great way to jumpstart these types of efforts.
  15. Do you provide fresh content? I’m talking about new ideas, lessons learned from experience, and interesting data or results. These are quite meaningful as far as content goes. Showing a bunch of stuff anyone could have found with Google and Wikipedia, less so.
  16. Will anyone remember your talk? Have you succeeded in leaving audience members with a meaningful takeaway that they can bring home with them and reflect upon for a year, a month, or even a week?
  17. Have you stayed away from the shiny object of the day? Everyone might be talking about the latest breach, that critical new vulnerability, or that hot new security buzzword. But if all you’re doing is regurgitating the same talking points that everyone else is, the presentation will surely be forgettable.   
  18. Do you produce buzzword bingo champions? Buzzword bingo is an old sport at security conferences that has long outlived its purpose (if there ever was one)!
  19. Are you an alarmist? I can guarantee you that this approach will not be effective with anyone who is a serious security professional. It may land you a quote or two in the press, but that’s about all.
  20. Are you condescending? You may have knowledge or experience that is rare, sought-after, and valuable, but if you want others to appreciate, respect, and learn from that knowledge or experience, don’t talk to them like there is no way they could possibly grasp it.


Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, …

Article source: https://www.darkreading.com/careers-and-people/20-questions-to-ask-yourself-before-giving-a-security-conference-talk/a/d-id/1330124?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GDPR Compliance: 5 Early Steps to Get Laggards Going

If you’re just getting on the EU General Data Protection Regulation bandwagon, here’s where you should begin.

Although the European Union’s General Data Protection Regulation (GDPR) has been in effect since 2016, and although enforcement actions kick off a mere seven months from now, many companies didn’t really appreciate the magnitude of the new privacy legislation until the Equifax breach.

An American company exposed the sensitive private data of 700,000 citizens of the United Kingdom (still part of the European Union); “sensitive, private data” that is, by the American definition. The European Union’s definition is significantly broader, and in all Equifax exposed 12.5 million UK clients’ records. It is possible that European data authorities might do different accounting.

Monetary penalties for GDPR are up to 20 million Euros or 4 percent of annual turnover (similar to revenue), whichever is higher. Data privacy authorities can also ban companies from processing certain kinds of data entirely, which can massively disrupt entire business models. Organizations must also consider the costs of defending themselves in the many lawsuits that citizens and data authorities might bring against them.

With retributions like that looming overhead, it’s no wonder that organizations are waking up to the importance of GDPR preparation. Here are a few places to start.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/endpoint/gdpr-compliance-5-early-steps-to-get-laggards-going-/d/d-id/1330118?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Adobe Patches Flash ZeroDay Used To Plant Surveillance Software

Second time in four weeks FINSPY “lawful intercept” tool and a zero-day found together.

Adobe released a patch for a critical, remote code execution zero-day vulnerability in Adobe Flash Player today. Kaspersky Lab discovered the vulnerability when it saw the BlackOasis threat group using the FINSPY (aka FinFisher) surveillance tool to exploit the bug in attacks last week, according to a Reuters report; Adobe acknowledged Kaspersky researcher Anton Ivanov in its advisory.

A type confusion vulnerability in Flash, CVE-2017-11292, impacts Flash running on Windows, Macintosh, Linux and Chrome OS. The attacks witnessed in the wild were targeted and against Windows machines.

FINSPY can be bought by law enforcement and nation-state intelligence agencies as part of “lawful intercept” surveillance tools. Last month, Microsoft patched a zero-day vulnerability in Office, discovered by FireEye, that was also being used to spread FINSPY. It was the second zero-day being used to spread FINSPY that FireEye had discovered this year.  

For more information see the Adobe release and the Reuters report.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/adobe-patches-flash-zeroday-used-to-plant-surveillance-software/d/d-id/1330138?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Cybercrime Campaign a ‘Clear and Imminent’ Threat to Banks Worldwide

Hundreds of millions of dollars stolen from banks via a sophisticated attack that blended cyber and physical elements.

A wave of cyberattacks early this year that resulted in the theft of hundreds of millions of dollars from banks mostly in Eastern Europe began with villagers in nearby regions being recruited to open their first bank accounts and receive debit cards.

Dozens of these so-called “mules” set up their accounts with phony documents provided by an organized crime gang that paid them off and later used other “mules” to cash out those accounts at ATMs in various cities in the region, hitting five banks in Eastern Europe and one in Africa and stealing anywhere from $3 million to $10 million from each.

The well-orchestrated bank heist campaign appears to be the handiwork of an Eastern European crime gang that blended the physical fraud actions of money mules and phony documentation with a cyberattack that began with spear-phishing emails. Those emails got the criminals access into low-level bank employee user accounts, and then ultimately, to bank employees with domain administrator accounts, says Brian Hussey, Trustwave’s vice president of cyberthreat protection and response. Trustwave helped investigate the attacks after a payment-card processor in February of this year spotted a series of sketchy ATM withdrawals from the banks’ customer accounts.

Trustwave says the attack campaign “represents a clear and imminent threat to financial institutions in European, North American, Asian and Australian regions within the next year.”

Although the attack campaign was limited to nations in Eastern Europe and Africa, it could be deployed against banks in other geographic areas as well, Hussey says.

“This is a bit of warning to banks in western countries, as well as Eastern Europe and Russia,” Hussey says. “It’s really interesting how they combined the physical element with the cyber element, in a very organized fashion.”

Trustwave’s incident response team was hired by a third-party payment processor in March whose network had been infiltrated by the attackers as part of the heist. “They [the cybercriminals] took out 4G of data over a month. They had all the domains, administrator credentials … and access to the payment processor,” says Hussey, a former FBI cybercrime investigator.

The heist went down this way, according to Trustwave:

Physical Stage I: Recruitment of mules to open bank accounts and issue new debit cards
Cyber Stage I: Obtain unauthorized privileged access to the bank’s network
Cyber Stage II: Compromise the third-party processor’s network
Cyber Stage III: Obtain privileged access to the Card Management System
Cyber Stage IV: Activate overdraft on specific bank accounts
Physical Stage II: Cash out from ATMs in multiple cities and countries

Source: Trustwave

The criminals needed access to the bank employee accounts to enable overdraft features on the debit-card accounts the mules had opened. That’s where a low-risk debit card account can be converted to a credit card so a customer can withdraw cash even if he or she doesn’t have the requisite balance. Once they stole those bank credentials, they altered the debit cards to low-risk and high-overdraft levels and eliminated existing anti-fraud parameters set for the accounts. With the overdraft feature, “you can take $25,000 to $30,000” out of the ATM per card, Hussey notes.

“In a very coordinated fashion, people in Eastern Europe were at ATMs and taking out as much money as they could from as many ATMs as they could … In video footage, you could see them walking out and handing over the cash,” he says.

He says his team hasn’t had enough information to publicly say the attacks were aligned with a specific cybercrime gang, although it is possible it could be the infamous Carbanak, aka FIN7, group out of Russia. “But we haven’t found any technical clues” to determine that, he says.

Weak Links in the Chain

The attacks took advantage of several configuration and management holes in the banking systems. According to Trustwave, because the core banking systems and card management software weren’t integrated, there were no red-flag detections of fraud, which gave the criminals more time and leeway to pull off the heist.

User authorization controls were another weakness: a single bank employee user could both request and approve changes to a debit card account, and domain administrator privileges were easily stolen via the Windows Domain administrator, Trustwave said in its report.

Interestingly, malware was not the centerpiece of the campaign. “They were living off the land using tools used by real users, such as network scanning and some administrative tools,” Hussey says. “They did as much as they could not using malware” so as not to raise any alarms, he says.

With all of the banks hit, Trustwave’s investigators saw the same MO that led them to conclude the campaign originated out of an organized crime operation. And there are likely more victim banks that haven’t yet discovered they were breached, Hussey says.

“We think this is just one [instance] of many attacks,” he says.

Ilia Kolochenko, CEO of Web security firm High-Tech Bridge, points out that the attacks’ techniques are less sophisticated than those that Western banks experience. “This can probably be explained by practicality and a pragmatic approach from attackers – banking infrastructure and enacted security controls in developing countries are much less sophisticated than in the Western World,” Kolochenko says. Even so, Western banks should be on alert for this type of campaign, he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/new-cybercrime-campaign-a-clear-and-imminent-threat-to-banks-worldwide/d/d-id/1330139?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WPA2 security in trouble as KRACK Belgian boffins tease key reinstallation bug

Updated A promo for the upcoming Association for Computing Machinery security conference has set infosec types all a-Twitter over the apparent cryptographic death of the WPA2 authentication scheme widely used to secure Wi-Fi connections.

The authors of the paper have everything ready except the details of their disclosure: acceptance at the ACM Conference on Computer and Communications Security (CCS) for their paper Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, a timeslot (during the afternoon of Wednesday, November 1), a so-far-empty GitHub repository, and a placeholder Website at krackattacks.com.

So it seems Mathy Vanhoef of KU Leuven and Frank Piessens of imec-DistriNet are confident they really have done serious damage to WPA2 (the pair had previously verified vulnerabilities in WPA-TKIP, recovered cookies protected with RC4, and in 2015 improved their TKIP attacks).

According to Iron Group CTO Alex Hudson, disclosure is due some time on Monday, October 16 during European hours.

In the meantime, the name of the ACM paper is a hint at what’s going on: Vanhoef and Piessens have attacked the handshake sequence WPA2 uses to choose encryption keys for a session between client and base station.

As Hudson notes, the attacker would have to be on the same base station as the victim, which restricts any attack’s impact somewhat.

There’s also a hint in this paper [PDF] Vanhoef and Piessens gave to Black Hat back in August. The slide below shows what part of the handshake the pair were working on.

Detail from Vanhoef/Piessens Black Hat presentation

‘Krackattacks’ is the culmination of a long project attacking Wi-Fi protocols

So: get yourself some extra coffee this morning, dear readers, and wait for Krackattacks to drop. ®

Update: The CVE (Common Vulnerabilities and Exposures) numbers for Krack Attack have been reserved. They are CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack/

WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto crapto

Users are urged to continue using WPA2 pending the availability of a fix, experts have said, as a security researcher goes public with more information about a serious flaw in the security protocol.

Key Reinstallation Attacks work against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data as well as to eavesdrop on communications. The only main limitation is that an attacker needs to be within range of a victim to exploit these weaknesses.

Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. Mathy Vanhoef of KU Leuven, the Belgian security researcher who discovered the flaw, warns that the security problem stems from a fundamental cryptographic weakness in the latest generation of wireless networking rather than a software security bug. Simply changing Wi-Fi network passwords is not going to help.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available.

The key reinstallation attack (KRACK) targets the 4-way handshake of the WPA2 protocol and relies on tricking an intended mark into reinstalling an already-in-use key. This sleight of hand is achieved by manipulating and replaying cryptographic handshake messages.

“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” Vanhoef explains on a microsite about the attack. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”

An attacker can force these nonce resets by collecting and replaying retransmissions of message three of the 4-way handshake.

A nonce is a number that is not necessarily a secret but is meant to be used only once and never repeated. A flaw in WPA2 allows a nonce to be repeated (or to be forced to repeat), thus allowing an attacker to extract the WPA2 session key and compromise all traffic for that session.
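To make the reinstallation mechanism concrete, here is an added Python model of how a client reacts to message 3 of the 4-way handshake; it is written for this page and is not Vanhoef's code or any real Wi-Fi stack. The keystream function, the PTK value and the two frames are constructed stand-ins, and the `patched` flag models the fix of refusing to reinstall a key that is already in use.

```python
import hashlib

def keystream(ptk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for a WPA2 cipher's per-packet keystream (constructed model):
    derived from the key and the packet number (nonce), so the same (ptk, pn)
    pair always yields the same keystream."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ptk + pn.to_bytes(6, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

class Supplicant:
    """Toy client-side state for the 4-way handshake (not wpa_supplicant code)."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0  # transmit packet number; must never repeat under one key

    def on_message3(self, ptk: bytes) -> None:
        # Message 3 makes the client install the PTK. A retransmitted or
        # replayed message 3 reaches this same handler.
        if self.patched and self.ptk == ptk:
            return  # key already in use: do not reinstall it or reset the counter
        self.ptk, self.pn = ptk, 0  # install key; packet number back to initial value

    def send(self, plaintext: bytes):
        self.pn += 1
        ks = keystream(self.ptk, self.pn, len(plaintext))
        return self.pn, bytes(p ^ k for p, k in zip(plaintext, ks))

def replay_scenario(patched: bool):
    """Client gets message 3, sends a frame, sees message 3 replayed, sends
    another frame. Returns (packet numbers collide, ciphertext XOR == plaintext XOR)."""
    ptk = hashlib.sha256(b"constructed-ptk").digest()  # constructed sample key
    client = Supplicant(patched)
    client.on_message3(ptk)
    p1, p2 = b"GET /login HTTP/1.1\r\n", b"password=hunter2\r\n\r\n"  # constructed frames
    pn1, c1 = client.send(p1)
    client.on_message3(ptk)  # replayed message 3
    pn2, c2 = client.send(p2)
    n = min(len(c1), len(c2))
    xor_ct = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_pt = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return pn1 == pn2, xor_ct == xor_pt

if __name__ == "__main__":
    print("vulnerable:", replay_scenario(patched=False))  # (True, True)
    print("patched:   ", replay_scenario(patched=True))   # (False, False)
```

In the vulnerable run the replayed message 3 resets the packet number, the second frame reuses the first frame's keystream, and XORing the two ciphertexts yields the XOR of the plaintexts; the patched client keeps counting and the leak disappears.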

As a proof-of-concept, Vanhoef has published a demonstration of how a key reinstallation attack might be carried out against an Android smartphone. The attack includes, but is not limited to, recovering login credentials (i.e. email addresses and passwords). In general, any data or information that the victim transmits can be decrypted.

Users are urged to continue using WPA2 pending the availability of a fix. VPN and other security technologies can offer protection to connections pending the availability of software updates, according to preliminary analysis by one security researcher.

Arnold KL Yau told El Reg: “This sounds bad. However, a significant amount of the risk would be mitigated for services that use strong encryption at the transport or application layer (such as TLS, HTTPS, SSH, PGP) as well as applications secured by encrypted VPN protocols.

“Despite this, however, the ability to decrypt Wi-Fi traffic could still reveal unique device identifiers (MAC addresses) and massive amounts of metadata (websites visited, traffic timing, patterns, amount of data exchanged etc.) which may well violate the privacy of the users on the network and provide valuable intelligence to whoever’s sitting in the black van.”

Research behind the attack will be presented at the Computer and Communications Security (CCS) conference in November, and at the Black Hat Europe conference in December. A research paper entitled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (PDF here) has also been published. Frank Piessens of imec-DistriNet, who supervised Vanhoef's research, is credited as joint author of the paper.

Previous research by Vanhoef in related areas of HTTPS and Wi-Fi security can be found here and here.

Resolving the security problem is likely to involve applying security updates to routers, something history shows is a problematic process.

Mark James, security specialist at ESET, said: “One of the biggest concerns here of course is getting routers patched – firstly getting the average user to check and apply any firmware updates and secondly, some older routers may not even have a patch available – the average household would acquire an auto-configured router, install it and forget about it, until possibly they change their internet provider. Here, they may go through the same procedure; too many people never check or implement router updates as it’s something often too complicated for the home user to be involved in.”

Youtube Video


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/wpa2_krack_attack_security_wifi_wireless/