STE WILLIAMS

THIS WEEK

Wednesday, Aug. 23 at 1 p.m. Eastern: Using Cyber Threat Intelligence Wisely, a Dark Reading webinar with Neal Dennis, senior ISAC analyst for R-CISC and Chris Pace, technology advocate, EMEA, for Recorded Future.

A wide range of threat intelligence feeds and services have cropped up to keep IT organizations up to date on the latest security threats. But without mechanisms in place to actually use the information, these alerts provide little benefit. Attend this webinar and learn how to: identify the threat intelligence sources most valuable — and least valuable — to your security efforts; develop processes to quickly analyze and digest threat data; and use threat intelligence when it counts most: BEFORE the attack hits.

NEXT WEEK

Wednesday, Aug. 30 at 1 p.m. Eastern: How to Talk to Your Management About IT Security, a Dark Reading webinar with Jim Hansen, COO of PhishMe and Josh Goldfarb, co-founder of IDDRA, former FireEye CTO of emerging technologies and author of Dark Reading’s popular “20 Questions” columns.

DOWN THE ROAD

Nov. 29 – Nov. 30: INsecurity – A Dark Reading Conference, For the Defenders of Enterprise Security. While “red team” conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the “blue team” will be the focus.

The event will mix traditional sessions with roundtables discuss hot topics with colleagues, on real-world challenges like “Preventing Lateral Movement in Your IT Environment,” “10 Ways to Stretch Your Security Budget,” and “Targeted Attacks: How to Recognize Them, From the Defender’s Point of View.” 

INsecurity will be held in the D.C. area, at the Gaylord National Harbor in Maryland, Nov. 29 and 30th. Have a look at the full schedule here and register today.  

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/careers-and-people/coming-soon-to-dark-reading/a/d-id/1329688?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google has eliminated from its Play Store 500 Android apps that in all had been downloaded 100 million times following the discovery of an embedded Chinese advertising software development kit (SDK) that allowed spyware to pilfer users’ caller information.

Earlier this year, Lookout Security researchers discovered developers were embedding the popular Igexin advertising SDK into their apps without realizing it would remotely download plugins into those apps: one of which was a spyware plugin that would steal caller data, says Christoph Hebeisen, a member of the Lookout Security Intelligence team that made the discovery.

Developers typically use SDKs to save time in coding or because they lack the expertise to code it themselves. The advertising SDKs allow mobile app developers to use advertising networks and deliver ads, which in turn allows the developers to generate revenue from those ads. Developers, however, often do to audit SDKs for vulnerabilities or malicious software and, more than likely, were not aware of Igexin’s spyware plugin, Hebeisen notes.

He adds the Igexin case marked the first time an SDK was used as a vector to deliver a malicious payload and he expects attackers to turn to SDKs in due time.

“It is an interesting vector and something we need to be on the lookout for in the future,” he says. “It is a challenge for an attacker to get a malicious app in Google Play or the App Store. But an SDK is a way for them to bundle it in with a legitimate app maker and reach a much wider audience.”

Piggybacking onto a legitimate developer’s work is expanding. XcodeGhost, for example, disguised itself as a complier waiting to be used by developers in their work, Hebeisen says.

Unraveling Igexin’s SDK

Igexin’s SDK plugin can pilfer call data, including phone numbers, time of call and whether the call rang, stood idle, or was off the hook, before uploading this information to the Chinese company, Hebeisen says.

“This was over the line. It wanted personal data,” Hebeisen says, noting that some of the other Igexin plugins requested more benign information like a user’s location.  

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

But more importantly, Igexin’s ad SDK should not have had the capability to remotely allow plugins to be downloaded once the app was in Google Play, Hebeisen says.

Under normal circumstances, traditional app stores like Google Play and Apple’s App Store do not allow apps to make changes once they have been vetted, Hebeisen says. As a result, SDK creators like Igexin must receive approval from app developers before making changes and the app is resubmitted to Google or Apple for approval.

“Igexin was clearly aware they were doing something that was not acceptable to Google Play, because they took steps to hide the [plugin] file they were downloading by using simple encryption and trying to cloak the information they were uploading,” Hebeisen says.

He says it’s unclear whether Igexin was collecting the information for its own benefit or for another party and why.

“If you are an enterprise and this information was taken from your salespeople, this would be a serious information leak,” Hebeisen says.

Lookout informed Google of the Igexin plugins and either the apps were removed altogether, or the app developers were able to replace their apps with a new version of the software without the malicious plugin. Hebeisen says Google allowed Igexin to fix their SDK and did not ban it from Google Play.

“We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe,” a Google spokesperson told Dark Reading.

Google removed the 500 apps with Igexin SDKs that it deemed had “bad functionality,” but allowed other apps that used Igexin to remain in Google Play, says Google’s spokesperson.

Google, which has an Android Play Protect program, was able to remove the 500 apps without any user action, the spokesperson says. 

Igexin was not immediately available for comment and did not respond to an email requesting information.

Unplugging the Plugin

Lookout made the discovery earlier this year, during a normal review of apps that communicate with servers and IPs that previously dished out malware. The researchers found that an app that previously was deemed “clean” by Google Play and was now behaving suspiciously.

“This SDK was downloading large files and that is a classic behavior of malware,” Hebeisen says. Upon further investigation, Lookout discovered Igexin’s call data spyware plugin.  

In a sampling of eight to 10 apps that used Igexin’s advertising SDK, more than half of them had the plugin that would steal call data, says Hebeisen. He notes that it is not clear how many of the 500 apps have the malicious plugins as part of Igexin’s SDK.

Game apps targeting teens had between 50 million to 100 million downloads that contained Igexin’s SDK, followed by weather apps and also photo editors with 1 million to 5 million downloads, respectively, and Internet radio with 500,000 to 1 million downloads, according to Lookout’s blog post.

Although Igexin’s advertising SDK has been around since at least 2014, Hebeisen says it is unknown when Igexin rolled out its malicious call data plugin.

Related Content:

• The Apple App Store Incident: Trouble in Paradise?
• ‘AVPass’ Sneaks Malware Past Android Antivirus Apps
• Malware Pre-Installed On Over Two-Dozen Android Smartphone Brands
• 14 Social Media-Savvy CISOs to Follow on Twitter

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/google-removes-500-android-apps-following-spyware-scare/d/d-id/1329693?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

May and June 2017 saw the outbreak and rapid spread of WannaCry and NotPetya across the world. Though the initial infection vectors differed, both of these worms leveraged the same Server Message Block (SMB) vulnerabilities for lateral propagation and privilege escalation, though NotPetya added a couple of extra tricks to its bag. 

These SMB vulnerabilities – EternalBlue and DoublePulsar – stemmed from a leak of NSA-authored hacking tools released by The Shadow Brokers.  In both cases, the malware delivered was overt in nature, contributing to fast detection times and, in the case of WannaCry, the rapid discovery of a kill switch which was used to halt the attack.

When The Shadow Brokers dumped the cache of tools onto the Internet, Rapid7 reported that security researchers went from feeling “like kids in a candy store” to being disinterested as they realized that “the exploits were antiques and had all been patched.”  However, as time and ransomware actors would go on to prove, “even though we thought we were safe against these non-zero-day, unexciting attacks, we were not.” And although vulnerable servers should not have been “exposed to the public Internet in an unrestricted manner,” over 250,000 machines were infected by WannaCry within the first day. This was also not the first time that a cryptoworm had leveraged vulnerabilities that had been patched years earlier by the vendor.

As the WannaCry and NotPetya attacks progressed, we saw reports of breaches from the NHS, telecommunications service providers, critical infrastructure providers, vehicle manufacturers, airports and logistics companies, and even speed camera operators.  But for each of these thousands of companies, across many industry verticals, the impact could have been much worse, if the payload had have been different. What if it had targeted and exfiltrated NHS patient records? What if it had modified shipping or customer manifests?  What if it had disabled speed cameras or worse, moved laterally and modified traffic light sequences? What if the attack was more covert in nature? Would we have ever known?

Over the last six years, Mandiant analysts have reported a reduction in the median breach detection time from 416 days (2012) to 99 days (2017). And while, on the surface, this looks positive, it worryingly corresponds to an increase in the percentage of breaches reported by internal sources from 6% (2012) to 47% (2017), during the period in which we have seen a massive boom in ransomware innovation and activity. 

So, I wonder, if ransomware attacks are leading to an increase in the percentage of internal breach notifications, and driving the median breach detection time down, thanks to their sheer volume and overt nature, how long are the covert attacks going undetected, before ransomware actors start leveraging their Tactics, Techniques and Procedures (TTPs), alerting us to the failings of our security architectures and policies, forcing us to make a change?

Until we see broader adoption of machine learning for discovering new threats, more automated sharing of threat intelligence between security vendors and security products, and the ability to leverage the network to shut down attacks at the source, we have to ask ourselves – is ransomware the tripflare in the modern cyberwar that we can’t afford not to have?

Brett White is a Senior Security Specialist with Juniper Networks in Australia.  He is a trained pen tester and ethical hacker who is passionate about leveraging threat intelligence to help educate people on the current threat landscape, improve their cyber-hygiene, and … View Full Bio

Article source: https://www.darkreading.com/partner-perspectives/juniper/ransomware-the-tripflare-in-the-modern-cyberwar--/a/d-id/1329692?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Thinking like a cybercriminal can help predict what methods attackers are likely to develop in the future, so we can proactively build effective countermeasures, as I’ve described in the past. Similarly, nation-state attacks can help security researchers predict attacks against enterprises: methods exhibit a clear trickle-down effect, with tricks first used in nation-state attacks being seen in enterprise-facing attacks soon after.

One of the most important recent security developments is the rise of sophisticated, politically motivated attacks, such as the one carried out against Hillary Clinton’s campaign chairman John Podesta during the 2016 presidential election. However, such attacks have been against a broad spectrum of victims, ranging from individual lawmakers and staffers to think tanks and nongovernmental organizations (NGOs). These attacks involved clever identity deception methods combined with techniques used to circumvent traditional content-scanning methods.

Another event is the sudden rise of ransomware attacks, whether targeting lawmakers, health care institutions, transportation, or small businesses. Whereas most ransomware attacks aim to extort money, some have recently demanded nonmonetary “payments,” such as forcing a government organization to make a political statement.

What do such attacks have in common? They’ve become increasingly sophisticated. For example, in the Podesta attack, the attackers cleverly obfuscated some words (such as “password” and “account”) by replacing some of their letters with Cyrillic letters that look the same to humans, but which thwart keyword-based filters. Another example was the post-election attacks on think tanks and NGOs, in which malware files were cleverly hidden from the view of traditional antivirus tools by sending the corrupted files in encrypted zip files. Without access to the decryption keys, the contents can’t be scrutinized by traditional mail-filter technologies.

The use of advanced techniques to circumvent security tools has recently become much more common. What’s interesting (and worrisome) is that not just nation-state attacks use such techniques. That’s where the techniques were first used, but there has been a notable trickle-down effect, and tricks first used in nation-state attacks have been seen in attacks against enterprises a few weeks later. In a sense, this trend mimics the flow of insights gained just as technologies developed for the space program found themselves spun off as commercial products. This is why companies in the private sector need to quickly determine whether they would be vulnerable to these advanced attacks.

Take Active Measures Now
The security community should quickly roll out detection and protection measures in anticipation of trickle-down versions. For example, obfuscation attacks can be detected by automatically spotting deceptive mixtures of character sets and blocking such messages. Encrypted zip files are easily detected, but since they have important legitimate use, they can’t be blocked. One possible solution is for a security system that can “wrap” them with a trusted executable as the messages are delivered. The task of the wrapper is to request a PIN or password, then use this to decrypt the wrapped file and perform a security check in real time. If the file is determined to be safe, the user is given access to the plaintext file.

From the user’s perspective, nothing is different, except maybe for a short delay caused by the scanning of the decrypted files. The wrapper approach also works for other file types, such as encrypted PDFs. With this approach, one can take back the advantage of time from the attackers, since this enables on-the-fly scans of plaintext data without requiring independent software vendors to coordinate the protection of an end user, which is always difficult.

Even better, the wrapper can include information about the sender as well. Was a malicious file sent by a trusted party? If so, then the trusted party has been compromised and should be notified. The more we use contextual information, the better our defenses get. And much of this context is to be found in early attacks — so unless we study nation-state attacks and learn from them, we implicitly help enterprise attackers.

Although the sophistication of online crime has changed in the last year, and there is clear evidence of trends toward fraud becoming just another business, other things have remained very much the same. For example, email remains the principal attack vector. Similarly, identity deception is still at the core of most attacks, be they phishing, business email compromise, ransomware, or other malware attacks where the stolen identity is usually from an authority figure, well-known brand, or a trusted party. While attackers constantly try new ideas, one thing is clear: they don’t mess with a winning formula.

Moving forward, the security community must pay close attention to the nature and strategy of nation-state attacks and quickly address them, because the same techniques will be repurposed to attack enterprises. In addition, we must expect that every newly found and disclosed vulnerability will be used in attacks, whether by nation-state actors or enterprise-facing attackers.

Finally, society must recognize that threats are constantly evolving — in reaction to new-found adversarial opportunities as well as existing security technologies — and traditional technologies are unlikely to address them. In other words, if you think a spam filter is the answer to your problems, you are mistaken.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

• Staying a Step Ahead of Internet Attacks
• 8 Most Overlooked Security Threats
• The Benefits of Exploiting Attackers’ Favorite Tools (video)
• Comparing Private and Public Cloud Threat Vectors

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company’s security research with a … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/why-you-need-to-study-nation-state-attacks/a/d-id/1329690?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Nearly three out of four government agencies experienced a security issue last year and 100% cite employees as their largest security threat, according to the 2017 IT Risks In Government survey released this week.

Given their concern with employee-related threats, 57% of government agencies say they focus on endpoint security.

The survey also found only 14% of government agencies believe they are well-prepared to defend against IT risks. The areas where survey respondents are willing to invest in include intellectual property protection, 43%; data breaches, 29%; and fraud, 14%.

In sizing up the challenges their organizations face, survey respondents noted their IT departments are mainly restrained by lack of time, 57%; followed by insufficient budgets, 43%; and IT infrastructure complexity, 43%.

Read more about the survey here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/72--of-government-agencies-hit-with-security-incidents/d/d-id/1329699?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

More than 90% of Fortune 500 companies have not fully adopted Domain-based Message Authentication, Report Conformance (DMARC), leaving customers, business partners, and brand names exposed to phishing and other attacks that impersonate corporate email domains.

DMARC is a standard technology designed to verify whether an email is from the domain it claims to be from. It creates a whitelist of verified senders, and ensures only authenticated emails are delivered; fake messages are deleted before users see them. It can also be used to see how scammers are misusing corporate information in their attacks.

The email verification standard is the product of a 2007 experiment by Yahoo and PayPal to prevent account-credential phishing. A group of industry organizations including Google, Bank of America, Agari, and others scaled the experiment into what came to be known as DMARC in 2012.

Researchers at Agari recently analyzed public DNS records to learn about corporate DMARC adoption and policies. Their findings, published in the Global DMARC Adoption Report, reflect an overall failure to deploy DMARC across Fortune 500, FTSE 100, and ASX 100 companies.

There are multiple levels of DMARC adoption: Monitor, where unauthenticated messages are monitored but delivered to inboxes; Quarantine, where unauthenticated emails are moved to spam folders; and Reject, which blocks all unauthenticated messages from delivery to any folder

Two-thirds of Fortune 500 companies have not deployed any level of DMARC, according to the report. One-quarter has adopted the Monitor level, 3% have implemented the Quarantine policy, and 5% use Reject.

Monitor level watches for DMARC abuse but does nothing to prevent it, meaning companies can collect information but consumers are vulnerable. DMARC adoption is of little use unless companies use Quarantine or Reject, which is why Agari reports 92% of the Fortune 500 is not protecting customers even though 25% have adopted the Monitor policy.

Patrick Peterson, Agari founder and executive chairman, desecribes DMARC’s Monitor level for a healthcare consumer this way: “Until the organization she does business with says ‘quarantine the phish’ or ‘reject the phish,’ they’re not actually protecting her and she’s still vulnerable,” he says.

Two-thirds of the Financial Times Stock Exchange (FTSE) 100 have not published any DMARC policy, 26% use Monitor, 1% have adopted Quarantine, and 6% have implemented Reject. Of the Australian Securities Exchange (ASX) 100, 73% have not adopted any level of DMARC, 23% use Monitor, 1% use Quarantine, and 3% have implemented Reject.

“It definitely shocked me,” says Peterson of the low DMARC adoption rate.

There are several reasons companies are hesitant to pursue full DMARC adoption or haven’t deployed any level of policy. The dominant reason is education, he says. There are many security teams in the Fortune 500 that still don’t understand how DMARC works. Oftentimes these companies are wary of new tech and don’t want to be the first to try it. This is the case for DMARC, even though the technology has been around for more than five years, Peterson says.

“This is new and different,” he explains. “Whether it’s easy or hard or there’s playbooks or there aren’t … any time they have something new and different, a lot of them run for the hills because they tend to be more conservative. They don’t like new and different, they like tried and true.”

Some security teams understand DMARC but don’t fully grasp the harm and abuse going on in company email channels. Business employees see email as their highest ROI form of communicating with customers and prospects, says Peterson, but security teams often don’t.

When they learn how widespread email security problems are, they realize how much business process change is necessary before email is “no longer the wild, wild West,” he notes. Those without strong leadership will opt to wait on DMARC adoption and say, “let’s worry about this later.”

It’s time for more CISO leaders to “wade into the business” and take control of the situation, says Peterson. The take-charge mentality is necessary to push DMARC implementation, both within the business and across the industry. There is a majority adoption rate in the business services, financial, technology, and transportation sectors.

Peterson points to financial services as a “champion” for DMARC. Industry leaders Bank of America and JP Morgan, both involved in its creation, demonstrated its workability to other businesses and motivated them to use DMARC as well. If other organizations and industries took the same leadership profile, he says, DMARC adoption would increase.

Related Content:

• 72% of Government Agencies Hit with Security Incidents
• Comparing Private and Public Cloud Threat Vectors
• The Pitfalls of Cyber Insurance
• Battle of the AIs: Don’t Build a Better Box, Put Your Box in a Better Loop

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/phish-bait-dmarc-adoption-failures-leave-companies-exposed/d/d-id/1329702?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple