STE WILLIAMS

Super Free Music Player in Google Play is malware: a technical analysis

Take a good look at this find in Google Play. It goes by the name Super Free Music Player and has so far attracted between 5,000 and 10,000 downloads:

Now that you’ve had a good look, take our advice and don’t download it. It’s malware.

According to SophosLabs researcher Rowland Yu, the application was uploaded to Google Play on March 31, and uses sophisticated techniques formerly found in BrainTest malware to bypass detection by Google and security researchers. Those techniques include:

  • Use of time bombs
  • Domain and/or IP mapping
  • Use of dynamic code loading and use of reflection
  • Use of multiple layers

The malware is able to download additional payloads from remote websites and upload device information, including installed applications and the country, language, manufacture, model, SDK version, and so on, Yu said.

Check Point discovered BrainTest on a Nexus 5 smartphone in 2015. It used multiple techniques to avoid Google Play malware detection and to maintain persistency on infected devices. Google Play removed it, but attackers simply repurposed it, Yu said, adding:

It came back to Google Play as Super Free Music Player and attracted 5,000 – 10,000 Downloads. Sophos has detected them as Andr/Axent-DS.

Technical analysis

SophosLabs has identified the following characteristics of Super Free Music Player:

  • The dropper downloaded from Google Play is named com.superfreemusic.songapp. 
  • The payload is decrypted and planted on Android devices by the dropper.

First, the dropper starts a service called com.hole.content.Erpbiobuft to decrypt and drop the payload, and it re-runs this service every hour:

It decrypts and drops the payload:

The dropper then uses dynamic code loading and reflection to invoke the payload's entry method (com.fb.content.core.enter):

To avoid detection by Google Play, the payload verifies whether the device is an emulator by checking several properties, such as the emulator phone numbers (15555215554, 15555215556…) and specific strings such as /system/lib/libc_malloc_debug_qemu.so and /sys/qemu_trace. It is also able to check whether TaintDroid, a popular Android research sandbox, is in use. In addition, a second time bomb is used to avoid detection.

Execution enters the payload at com.fb.content.core.enter:

A string checklist for the Android emulator is added:

It then checks whether an Android research sandbox such as TaintDroid is present:

The second time bomb will wait for eight hours to start the malicious payload. The malicious app is able to download more encrypted payloads from remote websites:

It will then submit a list of device info to hxxp://s1.deepcups.com/s2/ and hxxp://s1.deepcups.com/s1/:
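
The emulator, sandbox and C2 indicators listed above are what an analyst greps a decoded APK for. The Python script below is an added example, not SophosLabs' tooling: it scores a dumped string table (for instance the strings a decompiler extracts from the dex) against the indicators quoted in this write-up and returns a verdict. The input list is constructed for illustration, the dynamic-loading API names are an assumption (the write-up names the technique, not the classes), and the weighting and verdict thresholds are my own, not Sophos detection logic.

```python
from dataclasses import dataclass, field

# Indicators quoted in the SophosLabs write-up above.
EMULATOR_NUMBERS = {"15555215554", "15555215556"}
QEMU_ARTEFACTS = {"/system/lib/libc_malloc_debug_qemu.so", "/sys/qemu_trace"}
SANDBOX_MARKERS = {"taintdroid"}
KNOWN_COMPONENTS = {"com.hole.content.erpbiobuft", "com.fb.content.core.enter"}
C2_DOMAIN = "deepcups.com"
# Dynamic code loading / reflection APIs (assumed: the write-up names the
# technique, not the exact classes the dropper calls).
DYNAMIC_LOAD_APIS = {"dalvik.system.dexclassloader", "java.lang.reflect.method"}

EVASION_CATEGORIES = ("emulator_number", "qemu_artefact", "sandbox_marker")


@dataclass
class TriageResult:
    # category name -> set of matching strings
    hits: dict = field(default_factory=dict)

    def add(self, category: str, value: str) -> None:
        self.hits.setdefault(category, set()).add(value)

    @property
    def evasion_categories(self) -> int:
        return sum(1 for c in EVASION_CATEGORIES if c in self.hits)

    def verdict(self) -> str:
        # Thresholds are an assumption for this example, not Sophos logic.
        if "known_component" in self.hits or "c2_domain" in self.hits:
            return "match: Super Free Music Player dropper/payload indicators"
        if self.evasion_categories >= 2:
            return "suspicious: emulator/sandbox evasion, review manually"
        return "no indicators"


def normalise(s: str) -> str:
    # Dex descriptors look like "Ldalvik/system/DexClassLoader;"; decompiled
    # Java uses dots. Fold both forms to lower-case dotted names.
    return s.strip().lower().replace("/", ".")


def triage(strings) -> TriageResult:
    result = TriageResult()
    for raw in strings:
        s = raw.strip()
        norm = normalise(s)
        if s in EMULATOR_NUMBERS:
            result.add("emulator_number", s)
        if s in QEMU_ARTEFACTS:
            result.add("qemu_artefact", s)
        if any(m in norm for m in SANDBOX_MARKERS):
            result.add("sandbox_marker", s)
        if norm in KNOWN_COMPONENTS:
            result.add("known_component", s)
        if C2_DOMAIN in norm:
            result.add("c2_domain", s)
        if any(api in norm for api in DYNAMIC_LOAD_APIS):
            result.add("dynamic_load_api", s)
    return result


# Constructed string dump, mirroring the indicators in the write-up.
SAMPLE_STRINGS = [
    "com.superfreemusic.songapp",
    "com.hole.content.Erpbiobuft",
    "Ldalvik/system/DexClassLoader;",
    "com.fb.content.core.enter",
    "15555215554",
    "/sys/qemu_trace",
    "TaintDroid",
    "hxxp://s1.deepcups.com/s2/",
    "ro.product.model",
]

if __name__ == "__main__":
    r = triage(SAMPLE_STRINGS)
    for category, values in sorted(r.hits.items()):
        print(f"{category}: {sorted(values)}")
    print(r.verdict())
```

The emulator-number and QEMU-path checks are exact matches, because those strings are only meaningful whole; the component, domain and API checks are substring matches after normalisation so that both dex descriptors and decompiled Java names hit. A sample with only evasion strings and no component or C2 indicator gets the weaker "suspicious" verdict, which is the case that needs a human look rather than an automatic block.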

Defensive measures

As we mentioned above, SophosLabs has identified this as Andr/Axent-DS and protected Sophos users against it.

Our advice to non-Sophos customers is not to download this app if you see it in Google Play. We’ve told Google Play about our discovery.

The continued onslaught of malicious Android apps demonstrates the need to use an Android anti-virus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wjQbbg7mygE/

Welsh Linux Mint terror nerd jailed for 8 years

Linux Mint terrorist Samata Ullah has been jailed for eight years by Cardiff Crown Court.

Ullah, as we reported on Friday, was caught with, among other things, a USB cufflink loaded with a copy of the Linux distro.

The former insurance worker pleaded guilty to five terrorism charges, including being a member of Islamic State and two charges of possessing terrorist material.

Vice’s Motherboard offshoot had a look round his “basic WordPress” blog aimed at promoting Islamic State propaganda. They noted that police investigators seized more than 6.1 terabytes of data from his Cardiff home.

Excitable folk on the internet started asking whether the UK was trying to outlaw basic HTTPS security when Ullah was first arrested last year, thanks to one of the original charges against him being that he was running an encrypted version of his blog.

It turned out that his blog was partly hosted on ZeroNet, a peer-to-peer service that keeps websites online without a central server.

Ullah’s extended sentence includes a further five years on extended licence after his release, meaning he will be subject to close supervision by the British authorities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/02/samata_ullah_linux_mint_terrorist_jailed_8_yrs/

New Free Shodan Tool Roots Out RATs

Shodan teams up with Recorded Future to crawl the Net for computers serving as command-and-control (C2) for remote access Trojans (RATs).

Famed Internet search engine Shodan now offers a free scanning tool that hunts down systems on the Internet that are controlling malware-infected computers.

The new Malware Hunter crawler, unveiled today, is the result of a project that began in 2015 by Recorded Future and Shodan that roots out remote access Trojan (RAT) operations by detecting computers on the Internet that are serving as RAT command-and-controllers (C2s) in botnets. It’s an alternative to the traditional, more passive collection approach of honeypots, VirusTotal, and some malware analysis, to extrapolate cybercrime and cyber espionage malware attacks.

RATs are the backdoor malware used by attackers to remotely control infected machines. They log keystrokes and can record audio and video of the machine.

Shodan Malware Hunter scans ports on the Internet for servers, routers, webcams, and other connected devices in search of RAT controller IP addresses with the goal of catching them before they infect their victims. The tool employs RAT controller probes that then are matched against known RAT signatures. To date, Malware hunter has identified one large global network of thousands of GhostRAT controllers as well as the C2s of other infamous RATs such as Dark Comet, njRAT, and Poison Ivy.

“It’s sending specific requests to hosts on the Internet and looking for a specific response back” that detects a RAT controller, explains Levi Gundert, vice president of intelligence and strategy at threat intelligence firm Recorded Future.

Shodan itself basically crawls the Internet for publicly accessible computers and devices, and is a popular tool among security researchers. John Matherly, founder of Shodan, launched the search engine in 2009 as an open-source project for searching devices on the Internet. 

Matherly explains that Malware Hunter poses as a newly infected client machine while searching the Internet for command-and-control servers, and makes rooting out C2s much faster than passive methods.

“We’ve already seen that this technique can help identify malicious operations before they’re widely deployed,” Matherly said via an email interview. “However, there’s still a lot of work that has to be done after a C2 has been identified, which is what I assume a lot of law enforcement time is spent on.”

Renowned researcher HD Moore says Shodan’s new Malware Hunter could streamline the detection of Internet-connected command-and-control systems. “It has the potential to find all of the Internet-connected C2s in one shot as opposed to waiting for the installations to download new lists,” Moore says.

But more sophisticated attackers are adopting obfuscation techniques to evade detection by these types of scans, he says. “I would expect this [Malware Hunter] to work pretty well in the short-term and less so as the malware operators get more sophisticated.”

Moore worked on a similar scanning project with an antivirus company while he was with Rapid7, and the scans were lucrative for spotting C2s. But attackers started to hide their tracks once they got caught up in Rapid7’s scans, he says. “This kind of scanning is decent for the status quo, but we are seeing C2s move towards more complicated and obfuscated backends to avoid scans,” says Moore, who pioneered much of the Internet-scanning research looking for exposed devices and systems. His research led to Project Sonar, a community project founded in 2013 for sharing Internet-scanning data, tools, and analysis. 

Recorded Future’s Gundert notes that some of the RAT families listed in Shodan employ obfuscation, so the tool can spot even the stealthy C2s. “The project started with the low hanging fruit – Black Shades, Dark Comet, njRAT – and more recently, families like Gh0st RAT were added, which involved longer analysis,” Gundert says. “Ultimately, every family is possible to emulate to elicit a controller response; it’s just a matter of time and persistence.”

Shodan finds between 400 and 600 RAT controllers per day, according to data compiled by Recorded Future.

“Not all RAT operators are super-sophisticated,” however, Gundert notes. “Some run command-and-control from their home computers; we see … IP addresses sitting on residential networks worldwide.”

Meanwhile, the new tool is yet another example of how Shodan is evolving its search engine to provide more intelligence and insight into Internet-connected devices. “We’ve done similar things in other areas – Tor, ICS, BitTorrent – and this is another part of the ongoing mission at Shodan to provide greater insights about the Internet,” Matherly says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/threat-intelligence/new-free-shodan-tool-roots-out-rats/d/d-id/1328776?_mc=RSS_DR_EDT

Pen-tester gets past Microsoft VB macro barriers

A bunch of white-hat researchers have turned up a nasty new vector for attacking Microsoft Outlook: a forms creation feature that bypasses macro rules so attackers can get to the victim’s shell.

Sensepost says its interest in looking for an attack angle arose because Microsoft blocked older weak spots in a patch for Outlook 2016, which prevented the company’s “Ruler” attack tool from getting in, and because “more and more organisations are (finally) moving towards a ‘block all macros’ policy”.

What Sensepost’s Etienne Stalmans found is that Outlook has a “forms” capability that, with a lot of work, can embed VB code – and the forms script engine is separate from the VB macro script engine, so the attack works even if macros are blocked.

Stalmans points to this explanation of how forms macros work. The Register notes that the Outlook Forms documentation dates from 2008 – so the capability has apparently been lying around, unexploited, for nearly a decade.

The upshot of Stalmans’ long post is that via Outlook Forms, “we have a full VBScript engine available to us”, something he demonstrates with the conventional test payload opening Calc.exe:

Function Item_Open()
     CreateObject("Wscript.Shell").Run "calc.exe", 0, False
End Function

More work identified where forms are stored (necessary to know how a form is accessed via MAPI), along with one of the banes of security pros – undocumented features.

For example: “Setting the PidTagSendOutlookRecallReport to true would hide the form from the user interface. This means the new form won’t show up under custom forms in the new item menu. To discover the new form, a user would need to go into the advanced options tab in Outlook, navigate to forms, select the inbox and view the list of forms (unlikely).”

Stalmans ended up with a form template that looks pretty straightforward:

Function P()
MAGIC
End Function

Function Item_Open()
Call P()
End Function

Function Item_Reply(ByVal Response)
Call P()
End Function

Function Item_Forward(ByVal ForwardItem)
Call P()
End Function

Function Item_Read(ByVal Response)
Call P()
End Function

This makes multiple triggers available to the attacker, he says: so long as a reader has at least previewed a message, reading, opening, replying or forwarding trigger the payload. “You need a slight amount of social engineering, where the attacker needs to either get the user to open the message or to reply to it. A nice side affect [sic] is that the user will inadvertently trigger the payload if they try “forward” it to the incident response team”, he writes.

Accessing the shell from the form is demonstrated in the YouTube video below.


Microsoft, however, isn’t convinced that this should be treated as a vulnerability. The company told The Register in a statement:

“The technique described in the blog is not a software vulnerability and can only be leveraged using an account that has already been compromised by another method. We encourage customers to set strong passwords, not share those passwords across multiple services and enable security features such as multi-factor authentication to help keep them protected.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/02/microsoft_vb_macro_cracked/

Eurocrats prep white-box crypto capture-the-flag

Defender or attacker, it’s less than a fortnight away from the WhibOx Challenge, a capture-the-flag (CTF) competition operated by the EU-supported ECRYPT.

If you’re on the defensive side, the CTF asks for white-box implementations of AES-128 (using keys of your own choice), to see how long you last against an attacker.

The challenge for attackers is simple: extract the hard-coded encryption key – and attackers can work either anonymously or under their own names. Moreover, attackers aren’t asked to release their designs, merely to provide the resulting C code.

ECRYPT explains that it’s observed increasing use of homebrew (white-box) crypto for DRM and mobile applications, which means their security relies on keeping their techniques secret “rather than to rely on academic designs”.

Crypto solutions are judged simply against how long they last (measured in “strawberry points”, apparently for no better reason than to call attackers’ scores “banana points”).

Attackers inherit those strawberry points at the point they crack the system, so a system that lasts longer is a better prize, but an attacker that cracks more easy systems faster isn’t denied their advantage.

The submission server opens on May 15. After that, the key dates are:

CryptoExperts wrote the submission server (code here), and during the competition, the server will be operated by the Technical University of Eindhoven. ®

Bootnote: Before commentards rain down “security by obscurity” and “don’t roll your own encryption”: we agree. However, if such things are going to exist – and they are – a hackfest is probably as good a place as any in which to ventilate them. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/02/whibox_challenge/

Red alert! Intel patches remote execution hole that’s been hidden in biz, server chips since 2008

For the past nine years, millions of Intel workstation and server chips have harbored a security flaw that can be potentially exploited to remotely control and infect systems with spyware.

Specifically, the bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows “an unprivileged attacker to gain control of the manageability features provided by these products.”

That means hackers can exploit the flaw to log into a vulnerable computer’s hardware – right under the nose of the operating system – and silently snoop on users, read and make changes to files, install virtually undetectable malware, and so on. This is potentially possible across the network because AMT has direct access to the network hardware, as well as being possible with local access.

These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to this year’s Kaby Lake Core parts. Crucially, the vulnerability lies at the very heart of a machine’s silicon, out of sight of the operating system, its applications and any antivirus.

The programming blunder can only be fully addressed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.

The vulnerable AMT service is part of Intel’s vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the at-risk computer and hijack it. If AMT isn’t provisioned, a logged-in user can still potentially exploit the bug. If you don’t have vPro or AMT present, you are in the clear.

Intel reckons this vulnerability affects business and server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary folks, which typically don’t. You can follow this document to check if your system is vulnerable.

Basically, if you’re using a machine with vPro and AMT features enabled, you are at risk.

According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you’ll have to pester your machine’s manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks, and should be installed ASAP.

“In March, 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT),” an Intel spokesperson told The Register.

“Consumer PCs are not impacted by this vulnerability. We are not aware of any exploitation of this vulnerability. We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible.”

Specifically, according to Intel:

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

Apparently, the Small Business Technology is not vulnerable to privilege escalation via the network. Whether you’re using AMT, ISM or SBT, the fixed firmware versions to look out for are, depending on the processor family affected:

  • First-gen Core family: 6.2.61.3535
  • Second-gen Core family: 7.1.91.3272
  • Third-gen Core family: 8.1.71.3608
  • Fourth-gen Core family: 9.1.41.3024 and 9.5.61.3012
  • Fifth-gen Core family: 10.0.55.3000
  • Sixth-gen Core family: 11.0.25.3001
  • Seventh-gen Core family: 11.6.27.3264
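
Matching a reported ME firmware version against this list by hand is error-prone: the fourth-gen Core family has two branches (9.1.x and 9.5.x) with different fixed builds, and a version on a branch the list doesn't name needs OEM confirmation rather than a guess. The Python below is an added example, not Intel's detection tool: it parses a four-part firmware version string, picks the fixed build for its major.minor branch from the table above, and classifies an inventory of hosts. The host inventory is constructed; how you obtain each host's firmware version (Intel's detection guidance or the OEM utility) is outside this snippet.

```python
# Fixed firmware builds listed above, keyed by firmware branch (major, minor).
# Fourth-gen Core has two branches, 9.1 and 9.5, with different fixed builds.
FIXED_VERSIONS = {
    (6, 2): (6, 2, 61, 3535),
    (7, 1): (7, 1, 91, 3272),
    (8, 1): (8, 1, 71, 3608),
    (9, 1): (9, 1, 41, 3024),
    (9, 5): (9, 5, 61, 3012),
    (10, 0): (10, 0, 55, 3000),
    (11, 0): (11, 0, 25, 3001),
    (11, 6): (11, 6, 27, 3264),
}
# The advisory covers firmware versions 6 through 11.6.
AFFECTED_MAJORS = range(6, 12)


def parse_version(text: str) -> tuple:
    """'9.5.61.3012' -> (9, 5, 61, 3012); rejects anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str, amt_present: bool = True) -> str:
    """Classify one host's ME/AMT firmware against the fixed builds."""
    if not amt_present:
        return "not affected"          # no AMT/ISM/SBT: nothing to patch
    version = parse_version(version_text)
    if version[0] not in AFFECTED_MAJORS:
        return "not affected"          # outside the 6..11.6 range named above
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown branch"        # e.g. 9.0.x or 11.7.x: confirm with the OEM
    # Tuple comparison is lexicographic, so build numbers compare correctly.
    return "patched" if version >= fixed else "vulnerable"


def classify_inventory(hosts) -> dict:
    """hosts: iterable of (hostname, firmware_version, amt_present).
    Returns {verdict: [hostnames]} so the vulnerable set can be acted on."""
    report = {}
    for name, version, amt_present in hosts:
        try:
            verdict = assess(version, amt_present)
        except ValueError:
            verdict = "unparseable version"
        report.setdefault(verdict, []).append(name)
    return report


# Constructed inventory; versions are illustrative, not from real hosts.
SAMPLE_HOSTS = [
    ("ws-01", "9.1.40.1000", True),        # 4th gen, below 9.1.41.3024
    ("ws-02", "9.5.61.3012", True),        # 4th gen, exactly the fixed build
    ("srv-01", "11.6.20.1000", True),      # 7th gen, below 11.6.27.3264
    ("srv-02", "11.6.27.3264", True),
    ("lab-01", "9.0.1.1", True),           # branch not in the advisory list
    ("kiosk-01", "11.0.25.3001", False),   # no AMT/ISM/SBT present
    ("old-01", "5.2.10.1000", True),       # firmware older than the affected range
    ("bad-01", "n/a", True),               # inventory field not populated
]

if __name__ == "__main__":
    for verdict, names in sorted(classify_inventory(SAMPLE_HOSTS).items()):
        print(f"{verdict}: {', '.join(names)}")
```

"unknown branch" and "unparseable version" are kept as separate buckets rather than folded into "vulnerable" or "patched", because both are inventory-quality problems to chase with the OEM or the asset database, and silently treating them as safe is the mistake this check exists to prevent.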

“The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole,” explained semiconductor industry journo Charlie Demerjian earlier today.

“Even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network.”

Demerjian also pointed out that it’s now up to computer makers to distribute the digitally signed patches to people, and up to IT admins to install them. That means if your supplier is a big name like Dell, HP or Lenovo, you’ll hopefully get an update shortly. If it’s a white box, no-name hardware slinger, you’re likely screwed: things like security, cryptography and firmware distribution are too much work in this low-margin business. You may never get the patches you need, in other words.

What is AMT?

AMT is an out-of-band management tool: it lays bare complete control over a system to the network, allowing IT bods and other sysadmins to reboot, repair and tweak servers and workstations remotely. God help you if this service is exposed to the public internet.

It is supposed to require an admin to authenticate themselves before granting access, but the above bug allows an unauthenticated person to freely waltz up to the hardware’s control panel. Even if you’ve firewalled off your systems’ AMT access from the outer world, someone or malware within your network – say on a reception desk PC – can potentially exploit this latest vulnerability to drill deep into AMT-managed workstations and servers, and further compromise your business.

AMT is part of Intel’s Management Engine (ME), a technology that has been embedded in its chipsets in one way or another for over a decade, since around the time the Core 2 landed in 2006. This software runs at what’s called ring -2, below the operating system kernel, and below any hypervisor on the box. It is basically a second computer within your computer, and it has full access to the network, peripherals, memory, storage and processors. Amusingly, it’s powered by an ARC CPU core, which has a 16- and 32-bit hybrid architecture and is a close relative to the Super FX chip used in Super Nintendo games such as Star Fox. Yes, the custom chip doing the 3D math in Star Fox is an ancestor of the ARC microprocessor secretly and silently controlling your Intel x86 tin.

Details of Intel’s ME have been trickling out into the open over the past few years: Igor Skochinsky gave a super talk in 2014 about it, for instance. The ARC core runs a ThreadX RTOS from SPI flash. It has direct access to the Ethernet controller. These days it is built into the Platform Controller Hub, an Intel microchip that contains various hardware controllers and is connected to the main processors on the motherboard.

The ME is a black box that Intel doesn’t like to talk about too much – although it is partially documented on intel.com – and it freaks out privacy and security conscious people: no one quite knows what it is really doing, and if it can be truly disabled, as it runs so close to the bare metal in computers.

On some chip families, you can switch off ME with extreme prejudice by strategically wiping parts of the system flash.

For years now, engineers and infosec types have been warning that, since all code has bugs, at least one remotely exploitable programming blunder must be present in Intel’s AMT software, and the ME running it, and thus there must be a way to fully opt out of it: to buy a chipset with it not present at all, rather than just disabled or disconnected by a hardware fuse.

Finding a bug like this is like finding a hardwired, unremovable and remotely accessible administrator account, with the username and password ‘hackme’, in Microsoft Windows or Red Hat Enterprise Linux. Except this Intel flaw is in the chipset, running out of reach of your mortal hands, and now we wait for the cure to arrive from the computer manufacturers.

Is it a big deal? “Yes,” said Linux kernel guru Matthew Garrett, who posted some more technical information about the vulnerability, here.

“Fixing this requires a system firmware update in order to provide new ME firmware, including an updated copy of the AMT code. Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix.

“Anyone who ever enables AMT on one of these devices will be vulnerable. That’s ignoring the fact that firmware updates are rarely flagged as security critical (they don’t generally come via Windows update), so even when updates are made available, users probably won’t know about them or install them.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

Financial Services Sector the #1 Target of Cybercriminals

New IBM report finds the most frequently targeted industry in 2016 was financial services – where attacks increased 29% year-over-year.

Cybercriminals go where the money is. More attackers are launching attacks on financial services institutions, which saw an increase in breached records, vulnerability disclosures, and DDoS attacks via IoT botnets in 2016.

The IBM X-Force Threat Intelligence Index found that financial services topped the list of industry-specific targets, with 65% more attacks than the average organization across all industries. Attacks on the sector increased 29%, from 1,310 in 2015 to 1,684 in 2016.

“The primary goal is money,” says Dave Hylender, senior network engineer at Verizon. “That is the driving force behind most of these attacks.”

Financial services organizations cut the intermediary step between cybercriminals and the funds they seek. Hackers can obtain troves of data in attacks on healthcare organizations, but they have to take additional steps to monetize that information and open fraudulent accounts.

However, money is more easily accessible if you can get malware onto bank systems, he explains. Threat actors can access usernames and passwords, withdraw money, and create fake debit cards, among other illicit activities.

“Financial services targets will always be a lucrative reward if successfully compromised,” says Michelle Alvarez, threat researcher at IBM X-Force. “Healthcare and retail targets can be profitable, but with financial services, they’re going straight to the source.”

In 2016, financial services companies saw the number of compromised records skyrocket 937% to exceed 200 million. There are many motivators behind cybercrime; in addition to financial gain, threat actors may seek intellectual property and trade secrets, says Hylender.

Where are attacks coming from? IBM’s data shows there are more insider-born attacks (58%) than outsider attacks (42%) on financial services — but most insiders don’t know they’re causing harm.

More than half (53%) of insider attacks come from “inadvertent actors” compromised via phishing attacks, or internal attacks from another networked system. Financial services experienced the highest level of threat from inadvertent actors, the report states.

Denial-of-service attacks and Web attacks are other top concerns, says Hylender. Verizon’s Data Breach Investigations Report (DBIR), released last week, found financial and insurance companies suffered about six times as many breaches (364) from Web application attacks compared with information services companies.

Some businesses can afford to have their website go down for a day. Financial services organizations cannot, especially major banks with a prominent Web-facing presence, he continues. Web application attacks against banks started growing about three to four years ago, and they remain a top threat to the industry.

“If you’re a financial services organization, you need to be protecting your Web presence,” says Hylender. “That’s where the bulk of your assets are, that’s where your business is. You need to be putting controls around those.”

Malware researchers at IBM X-Force also discovered an increase in malware used to target business banking accounts. Commercial malware made a comeback, and IBM monitored clients frequently targeted by SQL injection and shell-command injection attacks.

“We saw this trend begin to pick up speed in mid-2014, with malware such as Dyre, Dridex, GozNym, and TrickBot to target business banking services,” says Alvarez.

She advises companies to evaluate their cybersecurity “immune system” to find their weaknesses and ask questions like: Are your endpoints secure? Is there sufficient understanding of current threats? Do you have the appropriate identity management solution in place?

Hylender encourages keeping a close eye on employee activity to ensure everyone only has access to information they really need. Businesses should also implement multi-factor authentication for all web applications, he says.

Employee training is also key, Alvarez adds. They should be taught to identify suspicious emails so businesses can avoid falling victim to phishing scams and minimize their risk of attack via inadvertent actors.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: http://www.darkreading.com/endpoint/financial-services-sector-the--1-target-of-cybercriminals/d/d-id/1328775?_mc=RSS_DR_EDT

Cybersecurity Training Nonexistent at One-Third of SMBs

But nearly half of US SMBs in a new survey would be willing to participate in security awareness training at their workplace – even if it was optional.

Employees at small-to-midsized business (SMB) organizations often do not receive any form of cybersecurity awareness training, according to a new survey.

Some 33% of SMBs surveyed by security firm ESET don’t get training for security. The stakes are high for SMBs because the impact from a security breach can be far more detrimental to the survival of a smaller company than a larger one. “A large enterprise has a number of backstops and usually has a response ready when it happens. But a small organization … the initial infection can probably lead to something more serious and greater,” says Stephen Cobb, ESET senior security researcher, noting that a security breach potentially could put an SMB out of business.

Large enterprises with a dedicated security team also have reason to care about the security profile of SMBs. SMBs can be supply-chain vendors or service providers to large firms. For example, the massive and high-profile security breach at retail giant Target is believed to have originated from its HVAC contractor getting compromised.

Cobb says he was surprised that 49% of the roughly 600 US respondents to the ESET Cybersecurity Training in the Workplace survey said they would be willing to take a cybersecurity training course at their workplace, even if it was optional. He added that in the past it was like “pulling teeth” to get employees to take cybersecurity training, but now employees want to learn not only how to secure their work-related IT, but also their home devices and email.

Large v. Small

SMBs are increasingly catching the attention of cybercriminals undertaking a spear-phishing attack, but those types of attacks are also converging on fewer organizations, according to the 2016 Symantec Internet Security Threat Report.  

“SMBs are a sweet spot for attackers. While large companies have more to steal, they are better defended. While consumers are less well-defended, they have less to steal. This puts SMB in the bullseye,” says Kevin Haley, director of Symantec Security Response. But he also noted that the overall risk for SMBs is usually lower than large companies because there are so many more SMB companies than large ones to target.

(Image source: Symantec)

Regardless of the lower risk for SMBs, large companies are pushing the issue for small vendors and service providers to ensure their employees undergo cybersecurity training.

Over the last two years, Christopher Hadnagy, chief human hacker at Social-Engineer LLC, has seen this mandate. Social-Engineer, a security firm of 11 employees, is required by some of its clients to provide cybersecurity training to its own workers at least once every year, says Hadnagy, whose firm already does so several times a year as a matter of policy.

Most security awareness programs today are fairly rudimentary. “The way security training is currently done at companies is crappy. They show you a 20-minute video and test you afterwards. If you were being trained in martial arts or boxing, do you think watching a 20-minute video will prepare you to immediately step into the ring? That is what we are asking employees to do with the way cybersecurity training is handled,” Hadnagy says.

A better approach is to provide regular, mock-phishing training, he notes. Once a month, he sends a mock-phishing email to his employees. The monthly training provides consistency and repetition, he notes.

One of his clients, which has 300,000 employees, carried out a similar regimen with its employees and after three years had reduced the malware incidents on its networks by 89%, Hadnagy notes. SMBs would likely benefit from taking similar measures, according to Hadnagy.

A recent update of the National Small Business Association survey found that 42% of its 845 survey respondents acknowledged they were a victim of a cybersecurity attack in 2015.

Of those 2015 survey respondents:

  • 63% were hit with a cyberattack within the past 12 months
  • 58% needed up to three days to resolve the cyberattack
  • 48% stated their service was interrupted due to the attack
  • 25% suffered a down website because of the attack
  • 22% found false information was sent from the company’s domain
  • $7,115.26 was the average estimated business cost of the attack

Respondents could select more than one issue, so the three impact percentages overlap.

Despite these figures, SMBs clearly are not yet at the point of jumping on the bandwagon to get their employees cybersecurity training. According to an NSBA spokesperson, the lack of training is likely due to the cost and logistics involved. It’s also unclear whether SMB owners would expect their cybersecurity to vastly improve if their employees received training, the spokesperson says.

Free SMB Cybersecurity Training 

Meanwhile, ESET today also rolled out free online employee training modules including phishing, social engineering, and mobile security.

Other free SMB training and information is available from the US Small Business Administration’s Cybersecurity for Small Businesses and the Federal Communications Commission’s 10 Cybersecurity Tips for Small Businesses.

In addition to addressing the knowledge gaps SMB employees said they were lacking in the ESET survey, Symantec’s Haley also advises training on best practices for cloud computing and password management.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: http://www.darkreading.com/endpoint/cybersecurity-training-nonexistent-at-one-third-of-smbs-/d/d-id/1328766?_mc=RSS_DR_EDT

The Cyber-Committed CEO & Board

Here is what CISOs need to communicate to upper management about the business risks of mismanaging cybersecurity.

CEOs and corporate board members are awash in threat alerts and advice about cyber-risk. None of us can go a day without reading about an enterprise that was attacked or breached by cybercriminals. What’s interesting, though, is that CEOs and corporate directors most often hear about security only in the context of technology.

I’m a cyber technologist at heart, but I encourage them to see cyberthreats as a risk management issue — with an emphasis on management. Yes, technology matters, but it’s only one component of an effective cyber defense.

CEOs can start by considering the business relevance of cyber-risk in their unique enterprise context and then focus on how they work with their leadership team to address the issue. CEOs need to be more than just involved in cyber-risk management; they need to engage personally. Board members should do the same. All of them need to engage more deeply to understand the business risk management issues.

To be an effective cyber-committed CEO or corporate director, you should roll up your sleeves, work shoulder-to-shoulder with your chief information security officer (CISO), and assess the business risk in business terms. CISOs can help make this happen. It requires a partnership — and that partnership is needed right now.

In a recent Accenture research study conducted among 2,000 security executives across 12 industries and 15 countries, 70% of the respondents agreed that “cybersecurity at our organization is a board-level concern and supported by our highest-level executives.” While this top-level concern is encouraging, especially considering what’s at stake, how do you create a cyber-committed CEO and board? CEOs and boards should do these three key things:

  • Capture the strategic picture of cybersecurity in the business.
  • Speak the language of business impact in all cybersecurity communications.
  • Build “muscle memory” for threat response at the CEO and board level.

To get a strategic picture of cybersecurity in the business, management should address four key elements in the enterprise.

  • What are the threats to our most important lines of business — and how are they changing?
  • What are we doing in response, and how effective is it?
  • What are the strategic options and initiatives across our business? What are we doing to manage the risks they pose?
  • What are the remaining risks, and what do we need to do about them?

These four elements need to arrive at a critical conclusion: What decisions or actions are we requesting from the board? The key is to focus on threats that create real risks for the business.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15-16, where Dark Reading editors and some of the industry’s top cybersecurity experts will share the latest data security trends and best practices.]

My second principle for CEOs and boards is to make sure everyone addressing cyber-risk issues speaks the language of the business. Use of technical jargon can stymie your alignment and the effectiveness of your cyber defense.

Accenture research shows that only one-third of cybersecurity executives believe their organizations effectively monitor business-relevant threats. I believe that’s due in large part to inadequate communication and understanding of what makes a threat business-relevant from the start.

Most CEOs and boards receive scorecards and updates regarding cyber-risk, but are they tabulating the number of software patches installed (a technology hygiene metric) or addressing the larger business issue? Do we have business integrity in our foundational IT systems?

Although IT management metrics often report in technology terms, I believe CEO- and board-level cyber-defense scorecards and metrics need to be business-relevant, as do the explanation and communication of what they reveal.

Effective communications on cyber-risk for the CEO and board should address risk management issues such as: Can the business protect online customers so they continue to buy? Can we safeguard our most important assets such as contracts, pricing sheets, and M&A data? Can we prevent employees from stealing from the company? Can we protect our intellectual property from the devastating impact its theft would have on business goals?

We often make significant investments in IT audits. We read the reports on the vulnerabilities that are revealed but fail to communicate and convey the impact for the business. That approach renders a meaningful response by the CEO and the board next to impossible. It also makes the eyes of CEOs and board members glaze over as they try to assess what the CISO is reporting to them. The lesson here is to report on business risk and potential business impact on all cybersecurity matters.

Finally, an engaged CEO and board are a prepared CEO and board. As with any team sport — and an enterprise cyber defense is a team effort where the CEO must be a player-coach — you have to practice and prepare for game day. I advise CEOs and boards to build “muscle memory” for threat response. To do this, CEOs and boards should get hands-on in cybersecurity crisis drills, simulations, and tabletop exercises. There may be no better way to establish the business relevance of cybersecurity than to drill, review, and drill again.

The benefits here are threefold. First, the CEO and board get a sense of what can go wrong. Second, everyone involved gets a sense of the breadth and scope of the cyber-risk issue. Third, there is a clear focus on what the CEO’s role is in shepherding the company through a cyber crisis and where the board will need to participate.

CEOs are comfortable with risk: They manage risk all the time. They understand how to deal with financial risk, regulatory risk, and fraud. Cyber-risk may be new and novel, but CEOs shouldn’t be uncomfortable managing it. The CISO can help: Think business relevance. Speak in business terms. And practice and prepare. The efforts will pay off with an engaged and cyber-committed CEO and board.


As the Accenture Security Transformation Services lead, Ryan LaSalle plays a strategic role in helping clients adapt and thrive in an evolving security threat landscape. He drives the offering and innovation strategy, people agenda, industrialization of solutions, and global …

Article source: http://www.darkreading.com/risk/the-cyber-committed-ceo-and-board-/a/d-id/1328717?_mc=RSS_DR_EDT

OSX.Dok: New & Sophisticated Mac Malware Strikes


Phishing-deployed malware can capture account credentials for any website users log into.

A surprisingly sophisticated new piece of Mac malware, called OSX.Dok, monitors—and can potentially alter—all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data.

The malware was discovered by Check Point, in the form of a file named Dokument.zip, which was found being emailed to victims in phishing emails. Victims primarily have been located in Europe.

This “document” is, of course, actually an application. The app will obscure the entire screen with a fake update notification.

Image Source: Malwarebytes

If the user clicks Update All and provides an admin password, the malware will finish installing, though it will take some time.

Among other things, two files will be installed in the user’s LaunchAgents folder to redirect web traffic. These are named com.apple.Safari.pac.plist and com.apple.Safari.proxy.plist. These files will help the malware redirect all web traffic through a malicious proxy server.

Once all this is complete, the malware deletes itself, leaving behind few obvious signs of its presence beyond the two deceptively-named launch agents.

Removal

Removing the two aforementioned LaunchAgents files is sufficient to disable the malware, but there are many leftovers and modifications to the system that cannot be as easily reversed, including:

  • Changes to the sudoers file
  • Installation of an untrustworthy root certificate
  • Installation of a legitimate LaunchAgents file named homebrew.mxcl.tor.plist
  • Installation of numerous legitimate command-line tools, consisting of tens of thousands of files

Malwarebytes Breach Remediation for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes, which introduce vulnerabilities and potential behavior changes that are not easily reversed, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.
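A triage check for the persistence files named above, added here as an example and not Malwarebytes' own tooling: it assumes only the launch agent file names quoted in the post, takes the directory to scan as a parameter so it can be run against a mounted image or a constructed test directory, and the proxy display at the end relies on macOS's scutil and is skipped elsewhere.

```shell
#!/bin/sh
# Added example (not from the Malwarebytes post): scan a LaunchAgents
# directory for the OSX.Dok persistence files named in the write-up.
# The file names come from the article; everything else is constructed.

# The two deceptively-named agents that form the active infection, and the
# Tor agent the installer leaves behind.
DOK_ACTIVE="com.apple.Safari.pac.plist com.apple.Safari.proxy.plist"
DOK_LEFTOVER="homebrew.mxcl.tor.plist"

# scan_launch_agents [DIR]
# Prints "ACTIVE <path>" or "LEFTOVER <path>" per match. Returns 0 when
# nothing is found, 1 when an active-infection file exists, 2 when only
# leftovers exist. DIR defaults to the current user's LaunchAgents folder.
scan_launch_agents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    status=0
    for name in $DOK_ACTIVE; do
        if [ -e "$dir/$name" ]; then
            echo "ACTIVE $dir/$name"
            status=1
        fi
    done
    for name in $DOK_LEFTOVER; do
        if [ -e "$dir/$name" ]; then
            echo "LEFTOVER $dir/$name"
            [ "$status" -eq 0 ] && status=2
        fi
    done
    return "$status"
}

# Apple's own agents live under /System/Library/LaunchAgents, so any
# "com.apple.*" plist in a per-user LaunchAgents folder deserves review
# even if its name is not on the list above.
list_apple_named_user_agents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    for f in "$dir"/com.apple.*.plist; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Report for the current user; on macOS also show the proxy settings so a
# redirect through an unexpected proxy stands out.
scan_launch_agents || echo "OSX.Dok indicators found (see above)"
list_apple_named_user_agents
command -v scutil >/dev/null 2>&1 && scutil --proxy
```

Deleting the two ACTIVE files stops the traffic redirection; the sudoers, root certificate and Tor changes listed above still need separate review.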

The impact on business could be severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if an infected employee visited an internal company page providing instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server.

If you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them.

Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to be infected by it.

Read the full post on Malwarebytes Labs

Thomas Reed is a self-trained developer and Apple security expert, and is director of Mac offerings at Malwarebytes.

Article source: http://www.darkreading.com/partner-perspectives/malwarebytes/osxdok-new-and-sophisticated-mac-malware-strikes/a/d-id/1328767?_mc=RSS_DR_EDT