STE WILLIAMS

Spirent Nixes Over-Reliance on Compliance Checklists for Good Security

Enterprises must regularly validate their security efficacy based on real-time conditions, not compliance criteria, says John Weinschenk, General manager, Enterprise Network and Application Security of Spirent. That sort of testing returns actionable data to tune devices, update policies, and fortify defenses before they are compromised, he adds.

Article source: https://www.darkreading.com/spirent-nixes-over-reliance-on-compliance-checklists-for-good-security/v/d-id/1335622?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Capital One Breach: What Security Teams Can Do Now

Knowing the methods of the attacker, as laid out in the federal indictment, allows us to prevent similar attacks.

Oh, the Monday blues. You start the week moody because the weekend is over, though the feeling typically subsides once you’re in the office. But for the 106 million people with stolen data affected by the Capital One data breach, the Monday blues on July 29 were dark indeed.  

That’s when Capital One first announced it had determined “there was unauthorized access by an outside individual who obtained certain types of personal information” relating to its customers on July 19, 2019. The compromised data included names, addresses, phone numbers, self-reported income, credit scores, and payment histories, among other personal information belonging to approximately 100 million customers in the United States and 6 million in Canada. The alleged perpetrator of this breach, Paige Thompson, has already been arrested by federal law enforcement.

The team at Digital Shadows has been closely following the indictment and the resulting fallout, including the media coverage. Using the MITRE ATT&CK and PRE-ATT&CK frameworks, we’ve identified what we know and a number of practical steps to help security teams avoid similar situations.

What We Know
On July 17, 2019, an email was received by Capital One’s responsible disclosure inbox claiming that internal data was posted to GitHub. Capital One’s investigation revealed a file time-stamped April 21, 2019, containing the IP address of one of Capital One’s cloud instances. Upon review, there were indications that its cloud environment had been compromised by an attacker who subsequently exfiltrated data from it.

Here is what we know about the attacker’s process:

1. Initial Access: T1190 Exploit Public-Facing Application, T1133 External Remote Services
Execution: T1059 Command-Line Interface
“A firewall misconfiguration permitted commands to reach and be executed by that server,” according to the indictment. It is unclear precisely which misconfiguration was used to compromise the cloud instance but there are some possibilities:

  • A vulnerable web application was inadvertently exposed to the Internet and exploited, possibly via a server-side request forgery attack.
  • A remote access service was inadvertently exposed to the Internet with no or weak credentials.

Mitigation: It’s critical to continuously assess cloud environments for security issues, especially those at risk of external access from the public Internet. Reviewing security group configurations regularly can help ensure that services are not accidentally exposed and access controls are correctly applied.

2. Credential Access: T1098 Account Manipulation
The attacker was able to gain unauthorized access to temporary role credentials once in Capital One’s cloud instance. Three commands were retrieved from the GitHub file, according to the indictment, which the attacker used for post-exploitation activities. Temporary credentials were generated by the first command.

Mitigation: When an authorized entity, such as a user or an application, requires access to an AWS service, the identity and access management (IAM) system issues a set of temporary credentials. Continuously monitoring these credential sets is difficult in complex cloud environments because they are created and expire dynamically. Although making this monitoring work effectively takes significant effort, it can prove valuable when dealing with an infiltration.

3. Discovery: T1007 System Service Discovery
The second post-exploitation command was to list the Amazon S3 buckets that the attacker assumed they had access to given their identity.

Mitigation: While real-time alerting remains a challenge, AWS CloudTrail logging can help an organization track this type of activity. CloudTrail records API activity on your AWS account and stores the logs in an S3 bucket for further analysis.

4. Exfiltration: T1048 Exfiltration Over Alternative Protocol
According to the indictment, syncing the S3 bucket contents with an attacker-controlled server was the third post-exploitation command executed. This relied on access granted via the assumed identity providing the attacker with access to more than 700 buckets.

Mitigation: As with the previous issue, AWS CloudTrail logging can help an organization track this type of activity, despite the real-time alerting issue.

5. PRE-ATT&CK Establish and Maintain Infrastructure
T1329 Acquire and/or Use Third-Party Infrastructure Services
The attacker used a combination of Tor and IPredator (a paid VPN provider) to hide her network identity when attacking the Capital One cloud environment, as stated in the indictment.

Mitigation: Whitelisting access to resources from a set of known-good IP addresses, where possible, can help prevent unauthorized access. IP whitelisting should only be used in conjunction with other, strong authentication mechanisms, and it can only be applied in environments where it is known in advance from where an authorized user will access the environment.
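Steps 3, 4 and 5 above all point at the same data source: CloudTrail records of the assumed-role session, which can be reviewed after delivery even where real-time alerting is not available. The following is an added example (not code from Digital Shadows, Capital One or AWS) that parses a CloudTrail log file in the shape CloudTrail writes to S3 (a JSON object with a `Records` array, using the real CloudTrail field names) and raises an alert for a session that lists buckets and then reads objects from several distinct buckets within a short window, or that calls the API from an address outside a known-good allowlist. The log records, role ARNs, allowlist CIDRs and thresholds are all constructed assumptions to tune per environment.

```python
"""Hunt CloudTrail records for enumeration-then-bulk-read and unknown-source-IP.

Added example, not code from Digital Shadows or AWS. The records below are
constructed for illustration; field names (eventTime, eventName,
sourceIPAddress, userIdentity.arn, requestParameters.bucketName) are the
ones CloudTrail actually emits. Allowlist and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: CIDRs from which this role is expected to call AWS APIs.
KNOWN_GOOD = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]


def _rec(t, name, src, arn, bucket=None, source="s3.amazonaws.com"):
    """Build one constructed CloudTrail record."""
    r = {"eventTime": t, "eventSource": source, "eventName": name,
         "sourceIPAddress": src,
         "userIdentity": {"type": "AssumedRole", "arn": arn}}
    if bucket:
        r["requestParameters"] = {"bucketName": bucket}
    return r


ROLE_OK = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"   # constructed
ROLE_SUS = "arn:aws:sts::111122223333:assumed-role/app-role/i-0def"  # constructed

CONSTRUCTED_LOG = json.dumps({"Records": [
    _rec("2019-04-21T10:00:01Z", "GetObject", "10.0.5.7", ROLE_OK, "app-assets"),
    _rec("2019-04-21T10:00:02Z", "GetObject", "10.0.5.7", ROLE_OK, "app-assets"),
    _rec("2019-04-21T10:14:00Z", "ListBuckets", "198.51.100.9", ROLE_SUS),
    _rec("2019-04-21T10:14:05Z", "GetObject", "198.51.100.9", ROLE_SUS, "exports-1"),
    _rec("2019-04-21T10:14:06Z", "GetObject", "198.51.100.9", ROLE_SUS, "exports-2"),
    _rec("2019-04-21T10:14:07Z", "GetObject", "198.51.100.9", ROLE_SUS, "exports-3"),
    _rec("2019-04-21T10:14:08Z", "GetObject", "198.51.100.9", ROLE_SUS, "exports-4"),
]})


def parse_records(raw: str):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(raw)["Records"]


def ip_is_known(ip: str) -> bool:
    """True for addresses inside KNOWN_GOOD; non-IP values (AWS service names
    that CloudTrail sometimes places in sourceIPAddress) are treated as known."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in KNOWN_GOOD)


def find_suspicious_sessions(records, min_buckets=3, window_minutes=30):
    """Return {session arn: [(reason, detail), ...]} for sessions that match.

    Reasons are independent and both are reported when present:
      unknown_source_ip: any call from an address outside KNOWN_GOOD;
      enumeration_then_bulk_read: ListBuckets followed within the window by
        GetObject against at least `min_buckets` distinct buckets.
    """
    by_session = defaultdict(list)
    for r in records:
        by_session[r["userIdentity"]["arn"]].append(r)

    fmt = "%Y-%m-%dT%H:%M:%SZ"
    alerts = {}
    for arn, evs in by_session.items():
        evs.sort(key=lambda r: r["eventTime"])
        reasons = []
        unknown = sorted({r["sourceIPAddress"] for r in evs
                          if not ip_is_known(r["sourceIPAddress"])})
        if unknown:
            reasons.append(("unknown_source_ip", unknown))
        for i, r in enumerate(evs):
            if r["eventName"] != "ListBuckets":
                continue
            t0 = datetime.strptime(r["eventTime"], fmt)
            buckets = set()
            for later in evs[i + 1:]:
                if (datetime.strptime(later["eventTime"], fmt) - t0).total_seconds() > window_minutes * 60:
                    break
                if later["eventName"] == "GetObject":
                    buckets.add(later["requestParameters"]["bucketName"])
            if len(buckets) >= min_buckets:
                reasons.append(("enumeration_then_bulk_read", sorted(buckets)))
                break
        if reasons:
            alerts[arn] = reasons
    return alerts


if __name__ == "__main__":
    for arn, reasons in find_suspicious_sessions(parse_records(CONSTRUCTED_LOG)).items():
        print(arn)
        for why, detail in reasons:
            print("   ", why, detail)
```

On the constructed log, the first session reads one bucket from an internal address and is silent; the second lists buckets from an address outside the allowlist and then reads four distinct buckets within seconds, so both reasons fire. Keying on the assumed-role session ARN rather than the role name is deliberate: the temporary credentials from step 2 are what the attacker held, and that ARN is the identifier CloudTrail attaches to every call made with them.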

What We Don’t Know
The attacker worked for Amazon in the past so the “insider” angle has been played up in the media. However, the indictment does not imply that the attacker had any privileged access based on previous employment. Instead, it appears that the attacker used her knowledge and experience to exploit a vulnerability in the misconfigured firewall. 

The attacker’s motives remain unconfirmed. While many data breaches conducted against banks are financially motivated, the Capital One hack was publicized by the attacker, a known member of a hacking club. It is possible that this hack was conducted for personal motives, but details are still unfolding.


Richard Gold is a hands-on information security professional who has over a decade’s worth of experience in understanding and securing computer networks. With his background as a Certified SCADA Security Architect and a Ph.D. in computer networking, Richard uses knowledge …

Article source: https://www.darkreading.com/endpoint/capital-one-breach-what-security-teams-can-do-now/a/d-id/1335475?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

VMware to Buy Carbon Black for $2.1B

Virtual machine giant’s big cloud move includes plans to shell out $2.7 billion in stock transactions for Pivotal Software.

VMware plans to acquire cloud-based endpoint security vendor Carbon Black in a cash offer of $26 per share, or $2.1 billion.

That is just one cloud-related mega-deal VMware announced today: It also plans to buy software development firm Pivotal Software, which originally spun out of VMware and Dell in 2013. Dell is the majority stockholder of VMware, which will acquire Pivotal via stock transactions valued at $2.7 billion.

“These acquisitions address two critical technology priorities of all businesses today — building modern, enterprise-grade applications and protecting enterprise workloads and clients. With these actions we meaningfully accelerate our subscription and SaaS offerings and expand our ability to enable our customers’ digital transformation,” Pat Gelsinger, CEO of VMware, said in a statement.

Carbon Black CEO Patrick Morley, in a blog post today, explained what the deal means technology-wise. “VMware has a vision to create a modern security platform for any app, running on any cloud, delivered to any device — essentially, to build security into the fabric of the compute stack. Carbon Black’s cloud-native platform, our ability to see and stop attackers by leveraging the power of our rich data and behavioral analytics, and our deep cybersecurity expertise are all truly differentiating.”


Article source: https://www.darkreading.com/cloud/vmware-to-buy-carbon-black-for-$21b/d/d-id/1335624?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Virtual World of Containers, VMs Creates New Security Challenges

Containers, virtual machines, and the advent of DevOps as a software creation tool all put new pressures on organizations’ security strength, according to Dan Hubbard, CEO of Lacework. Cloud’s ability to offer scale, capacity, and processing power may even exacerbate the vulnerabilities unless properly managed, he adds.

Article source: https://www.darkreading.com/virtual-world-of-containers-vms-creates-new-security-challenges/v/d-id/1335623?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GitHub upgrades two-factor authentication with WebAuthn support

GitHub has announced support for the Web Authentication (WebAuthn) security standard.

GitHub already supports two-factor authentication (2FA) via SMS texts (the least secure option, given that phone numbers can be hijacked and SMS messages intercepted), one-time password authentication apps, or U2F (Universal Second Factor) security keys.

U2F is an older standard, though, and in March this year the World Wide Web Consortium (W3C) approved the WebAuthn specification, part of the FIDO Alliance’s FIDO2 specification set.

The move to WebAuthn means GitHub supports physical security keys via browsers including Firefox and Chrome on Windows, macOS, Linux and Android, on macOS with preview versions of Safari, and on iOS with Brave and a YubiKey 5Ci.

Securing a GitHub account with a physical security key

You also now have an option to opt for a laptop or phone as a security key, using Windows Hello, Touch ID on macOS, or a fingerprint reader on Android.

GitHub currently only supports security keys as a supplementary option, available once you have already set up 2FA using SMS or an authenticator app. That said, GitHub is exploring making security keys a primary option, or even to enable passwordless login.

A potential hazard with 2FA is the risk of getting locked out of your account. GitHub offers a couple of ways around this, including recovery codes that appear when you set up 2FA, that you can print out or copy to a password manager, and a suggestion that you use an authenticator app that permits backup of your keys, unlike Google Authenticator or Microsoft Authenticator.

Securing GitHub accounts is a priority since compromise may enable a bad guy to insert backdoors, password stealers, or other malware into the code for an application, a website, or library code used by multiple developers. Malware was recently discovered in a Ruby Gem package, believed to be caused by a hacked developer account. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/23/github_upgrades_its_twofactor_authentication_with_webauthn_support/

Steam cleaned of zero-day security holes after Valve turned off by bug bounty snub outrage

Games giant Valve is attempting to make nice with the infosec bod who disclosed zero-day exploits for vulnerabilities in Steam after the corporation refused to pay out bug bounties for the flaws.

On Thursday, Valve said it would patch both of the holes discovered by bug-hunter Vasily Kravets, and will consider reinstating Kravets into the biz’s bug bounty program, run by HackerOne. “We have released updates to the Steam Client public beta channel to address these issues, and we have already pushed some initial fixes to all users,” the US corp told us.

This comes after Kravets dropped the second of two zero-day elevation-of-privilege vulnerabilities in the Steam client software. Both would have potentially allowed an attacker to inject malicious code into the application, which, depending on the games installed, may run with administrator-level clearance. Either way, it was possible to hijack Steam to run malware or install spyware, as long as you already have some access to the victim’s system: they basically turn a bad situation worse.

Initially, Valve, via HackerOne, declined to award any bounty or recognize the first vulnerability report, claiming that elevation-of-privilege holes did not qualify for the bounty program. When Kravets objected to the decision, he says there was an exchange that resulted in him being banned by Valve from its reward scheme.

That move prompted Kravets to publicly drop a second zero-day elevation-of-privilege exploit for Steam. This time, a .DLL injection oversight. “Since Valve decided to read a public report instead of private report one more time, I won’t take that pleasure away from them,” Kravets quipped.


The second security flaw report, it seems, along with condemnation from infosec professionals online, was enough to get Valve’s attention. Shortly after news broke of the second bug disclosure, the multibillion-dollar biz issued the press (including El Reg) a statement reversing its decision.

“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user,” Valve said in a statement to The Register. “Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.”

It continued: “We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.”

Valve did, however, stop short of promising to reverse Kravets’ ban, saying, “we are reviewing the details of each situation to determine the appropriate actions.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/22/valve_bug_bounty_steam_u_turn/

New Malware Variant Targets Old Adobe, Office Vulnerabilities

Criminals appear to have developed it knowing some users have not patched or updated to newer versions, Trend Micro says.

Organizations that do not patch critical vulnerabilities in the software they use can remain exposed to attacks indefinitely.

A case in point is a new malware variant that researchers at Trend Micro discovered targeting vulnerabilities that were discovered more than six years ago in Adobe Acrobat, Adobe Reader, and Microsoft Office software. Both companies had issued patches.

The malware is a variant of the Asruex Backdoor associated with DarkHotel, a group known for targeting business hotel visitors via hotel Wi-Fi networks. Asruex has been around since at least 2015 and allows attackers to take complete remote control of infected systems. It infects systems via a shortcut file, which, when opened, executes a PowerShell command that ultimately results in Asruex being downloaded on the system. The malware is designed to spread through network drives and removable drives, Trend Micro explained in an advisory this week.

The variant that exploits these patched vulnerabilities, however, only surfaced about a year ago. It seems explicitly designed to target organizations using unpatched versions of Adobe Reader 9.x up to before 9.4 and Acrobat versions 8.x up to before 8.2.5 on Windows and Mac OS X, Trend Micro says. “Because of this unique infection capability, security researchers might not consider checking files for an Asruex infection and continue to watch out for its backdoor abilities exclusively,” Trend Micro warned.

The impacted versions of both the Adobe and Microsoft software are no longer supported.

Trend Micro researchers found the variant in a PDF file that had been infected with Asruex. Their analysis showed the variant is designed to exploit two old vulnerabilities: a 2012 critical buffer-overflow issue in an ActiveX component in MS Office versions 2003, 2007, and 2010 that enabled remote code execution (CVE-2012-0158); and a 2010 stack-based buffer overflow in the Adobe products that could be used to inject code into PDFs (CVE-2010-2883). The Adobe flaw was a zero-day and was already being actively exploited in the wild when it was first disclosed.

In the advisory, Trend Micro described the Asruex variant as using infected PDF files and Word documents to drop and execute the malware on systems running unpatched versions of the vulnerable software. 

When the infector is executed on vulnerable versions of Adobe Reader and Adobe Acrobat, it displays the content of the original PDF file while silently dropping the malware in the background. The malware contains several anti-debugging and anti-emulation features and can detect if it is running in a sandbox environment, Trend Micro says.

According to the security vendor, the Asruex variant it discovered uses a special template to exploit the Office vulnerability to infect Word documents. As with the PDF infector, the Word variant lets attackers execute arbitrary files on a system, this time using a Word document as the carrier. When the Word infector is executed, it runs in the background while displaying the original content of the Word document to trick users into believing everything is normal, Trend Micro said.

The Asruex variant poses a challenge for organizations still using versions of the software the malware is targeting, Trend Micro said. “Understandably, this could pose a challenge for organizations as updating widely used software could result in downtime of critical servers, and it could be costly and time consuming,” the security vendor said. 

Such malware highlights the need for organizations to follow best practices when it comes to patching and updating critical software, it added.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/new-malware-variant-targets-old-adobe-office-vulnerabilities/d/d-id/1335617?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Haas Formula 1 CIO Builds Security at 230 Miles per Hour

As the CIO for both Formula 1 and NASCAR racing teams, Gary Foote is tackling the same security issues as other manufacturing CIOs — with a huge dash of motorized mayhem thrown in.

When most CIOs talk about the speed of IT, they’re referring to release candidates under DevOps or a rapid hardware refresh cycle. When Gary Foote talks about the speed of IT, he’s often speaking in terms of the IoT at 350 kilometers per hour.

Foote, CIO of the Haas Formula 1 racing team, is responsible for the computers and networks that allow the young team, which first fielded a car in 2016, to be competitive in the 21 races that make up a season for the world’s most widely watched—and most expensive—auto racing series.

When you sit down with Foote at Black Hat USA, conversation naturally turns to the most visible part of the operation: the cars.

“In Formula One, the technology is really kind of in your face,” Foote said. The technology serves an amazingly complex machine. According to McLaren Applied Technologies, sole supplier of electronic control units (ECUs) to F1 teams, “The chassis is made up of around 11,000 components, the engine 6,000 parts, and the electronics another 8,500. That’s over 25,000 separate bits which are at risk of failing during a grand prix.”

The health and performance of those 25,000-odd separate bits are monitored by more than 300 sensors which report back to the pit area in real time via wireless network.

“[The data] comes from the car to the garage. Obviously, we distribute around the garage on a network, but then we also distribute that back to the UK base and to the US base,” Foote said. “So we have our race support functions in the UK and the US and that’s all done in real time.”

And how much does Foote worry about the security of those network communications?

“In terms of data there’s very heavy governance—much more than a ‘gentlemen’s agreement,’” Foote said. In F1, each team provides its own data network, separate from the other teams, and Foote said that these links are protected by solid authentication and encryption protocols. Still, there are concerns about data security.

“I’m more concerned about people who aren’t the other teams using it as some kind of leverage or catalyst for their own gain, really,” said Foote. He said that the attacker could be a teenage hacker who just wants to get the information and put it on online forums or organizations that would like to use what is essentially a global platform to leverage their message.

Basic Manufacturing Cybersecurity

Away from race day at the track, Foote has the sort of security concerns common to many smaller high-tech manufacturing companies, made perhaps more challenging because of the nature of the employees. “We’re a manufacturing team. At the end of the day, an awful lot of time goes into polishing the products, but we’re still a manufacturing organization,” Foote said. He said that the engineering, manufacturing, and HR data generated by the company had to be protected through the same technologies and procedures that would apply at any high-tech firm.

Haas F1 is a manufacturing organization heavy with engineers and scientists, and those highly technical employees can make the IT staff’s job more difficult. “We try heavily to allow engineering staff to work as efficiently as they can, because the only thing that they’re limited by is their time,” Foote said. And because Haas is a small F1 team, minimizing those limitations can be the difference between a solid race result and one the team would rather forget.

Foote and his IT team try to keep security in the background, he said, enabling as much as possible while being invisible when they can be. Otherwise, he explained, “These are guys who do doctorates and PhDs for fun. So they’re super clever. But that strength is also their weakness when it comes to technology because they’ll try and boost their own efficiency by circumventing obstacles.”

The manufacturing process is still filled with intellectual property, from CAD drawings to partnership agreements. And those partnerships are numerous for Haas because they are a smaller team. “We have a lot of conversations with companies that are, say, supplying fasteners and they might be 5 people. You know, we’re really good at making fasteners, but they don’t really know about IT and IT security.”

These smaller partners look to Haas, Foote said, to help guide them in making sure that the transit of data between sites is secure, that any kind of data protections that Haas insists on are built into the procurement process, and that regulations are followed.

In particular, Foote said that security was a key consideration in a recently deployed product lifecycle management (PLM) system, which he described as a database for CAD data.

The regulations, like GDPR, are critical, because even as the CIO of a small team, Foote has to oversee the protection of data flowing between Haas facilities in England, the US, Italy (two sites), and wherever the race is taking place.

A Second Racing Team

And for him it’s more complicated because, while employed by the Haas Formula 1 team, Foote is also CIO of the Stewart-Haas Racing NASCAR team. “There’s quite a bit of tech behind the scenes in NASCAR. They kind of hide it a little bit, but it’s there,” he explained.

Ultimately, Foote said, it’s often most important to try to step away from the glamour of professional racing and look at the portions of the business that are common to any other manufacturing organization. “Data are moving between all those sites, between peripherals, machines, laptops, and to engineers working on BYOD devices,” Foote said. “All of those people introduce risk. All of those areas introduce risk. And so the idea is just to remove the glamour of the sport and break it down to its fundamentals. That’s how we try and keep on top of security.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/theedge/haas-formula-1-cio-builds-security-at-230-miles-per-hour/b/d-id/1335619?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Analytics and Security Prove Effective Security Hybrid

Against the backdrop of consolidation in the SIEM and SOAR sectors, infosec professionals are deploying some combination of analytics and security, according to Haiyan Song, Senior Vice President and General Manager of Security Markets for Splunk. Analytics helps organizations make better decisions and detect anomalies faster, she adds.

Article source: https://www.darkreading.com/analytics-and-security-prove-effective-security-hybrid/v/d-id/1335611?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Regular User Training Most Effective Security Antidote

Social engineering remains the top vulnerability organizations face because humans remain the easiest way to access networks or databases, says Stu Sjouwerman, Founder and CEO of KnowBe4. Regular training sessions coupled with creation of a “human firewall” remain the most effective protections against social engineering and phishing, he adds.

Article source: https://www.darkreading.com/regular-user-training-most-effective-security-antidote/v/d-id/1335613?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple