STE WILLIAMS

Apple Misstep Leaves iPhones Open to Jailbreak

Newest version of iOS contains a critical bug that the company had previously already patched.

In a somewhat uncharacteristic blunder, Apple has left iPhones running iOS 12.4, the latest version of its mobile operating system, open to a security bug that the company previously had fixed.

One security researcher has quickly taken advantage of the opportunity to develop and publicly release an exploit for jail-breaking iPhones running iOS 12.4.

This is believed to be the first time in several years that a jailbreak for the most updated version of iOS has become publicly available before a patch for it has been released. Typically, such unpatched Apple exploits can fetch hundreds of thousands of dollars and sometimes, even millions of dollars in dark markets.

Jailbreaking gives iPhone users a way to get past Apple’s restrictions and install unapproved applications and services on their devices or to change settings that they normally wouldn’t be able to change.

Some security researchers are concerned that attackers could use the unpatched exploit to try and launch attacks on iPhone users via tainted apps, remote exploits, and other methods. Others believe such concerns are overblown.

Apple did not respond immediately to a request seeking comment on the issue or on what the company is doing to address it. But some believe it will issue an update quickly, considering the risks to iPhone users.

News of the latest issue somewhat ironically comes just days after Apple announced a major bug bounty program with big incentives for researchers who find bugs in some of the company’s products.

“Apple has historically been very expedient in patching vulnerabilities, so I would expect to see an update pretty soon,” says Terence Jackson, chief information security officer at Thycotic. “But until then, iPhone users should exercise a little extra discretion when downloading applications and opening links in email, iMessages, or a browser.”

According to Motherboard, the first to report on the issue, security researchers recently discovered that in developing iOS 12.4 Apple had inadvertently reopened a kernel use-after-free bug (CVE-2019-8605) that the company had patched in the previous iOS 12.3 version. The bug lets a malicious app execute code with kernel privileges, which is what makes a jailbreak possible; it is a local privilege escalation, not a remote exploit on its own. Google Project Zero researcher Ned Williamson reported the issue to Apple earlier this year. Apple had described the bug as a “use after free issue [that] was addressed with improved memory management.”

Apple’s iOS 12.4 among other things contained a fix for another critical vulnerability that allowed attackers to gain access to iPhones via a malicious iMessage.

Muted Risk

Aaron Zander, head of IT at HackerOne, says that the new jailbreak is a “very cool thing” considering how unusual they have become. However, since the vulnerability and the exploit are now public, the associated risks are more manageable. “This is way different than Apple being completely unaware of the vulnerability and allowing exploits to run wild,” Zander says.

The bigger issue is how frequently such missteps happen, he says. Typically, companies develop their major software versions separately from their minor releases – for instance, an X.4 version versus an X.4.1 release. In merging minor and major releases, sometimes changes get missed. “This unfortunately happens all the time, which demonstrates why retesting is so important,” Zander notes.

Chris Morales, head of security analytics at Vectra, says some people are likely more excited that they can jailbreak their iPhone while still having the latest version of iOS, and aren’t worried about the security risks. “The risk here is that a malicious app can get into the Apple store and exploit a vulnerability. While feasible, it is most likely not a regular occurrence or any more of a risk than already existed,” Morales says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/apple-misstep-leaves-iphones-open-to-jailbreak/d/d-id/1335583?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Serious Security: Phishing in the cloud – the freemium way

Thanks to Graham Chantry of SophosLabs for his help with this article.

Here’s an interesting phishing trick with a lot to teach us.

Microsoft tweeted about it last week:

Note the bit about how this trick was “giving phishers virtually unlimited phishing URLs”, a detail that caught our eye.

Here’s our take on it.

Imagine you’re a crook

If you’re a crook who wants to run a web-based phishing attack to harvest account passwords, you usually do something like this:

  • Set up a web server that looks just like the account’s regular login page. You can copy the images, rip off the HTML and the bits of JavaScript you need from the genuine site, or use carefully-taken screenshots, so that a regular user will think it looks like the real deal.
  • Send out an email or instant message advising, asking, cajoling or demanding the recipient to login right away. For verisimilitude, you can copy text and logos from a recent email from the brand you are targeting.
  • Include a handy link in the email that goes straight to the fake login page. You need to use your own server name and URL, but you may be able to come up with links that are legitimate-looking enough to trick a hasty user.

The hardest bit in all of this is getting hold of a server to use in the first place.

You could set up your own server, but in today’s cloud-centric world, that’s expensive, time-consuming and might leave an enticing trail for law enforcement to follow.

Nevertheless, if you control the server completely then you can make it do whatever you want.

You are stuck with the server name, e.g. example.com, but you can program it to respond to any URL you like, so that example.com/brandrip7/login is as easy to arrange as, say, example.com/account/reset?user=jimbo.

That means you can use the same server to phish several different brands at the same time.

You could hack someone else’s server, or buy access to a hacked server, but that might leave you with a weird and improbable web link – a purported email login that goes to an online clothing store, for example, which doesn’t really add up.

You can bask in the existing reputation of the hacked server, which is often advantageous, especially if the domain name is a few years old and the site hasn’t been hacked before – that means it’s probably not yet on anyone’s blocklist.

But you might not get much flexibility in the URLs you can use – for example, if the hack relies on a security hole in the site’s image gallery, you might be stuck with example.org/media/files/thumbs.php or similar.

Or you could create a free (or trial) account on a web hosting service, giving you a trusted platform – together with a handy TLS certificate that will put a padlock in your victim’s browser.

Although you end up with a server name that is clearly not the site you want to look like, such as hosted.example, the service may add your username, or a nickname you can choose, at the left-hand end.

So you might end up with something like this, which looks surprisingly realistic despite the shouldn’t-be-there domain name at the end:

https://well-known-credit-card-company-name-com.hosted.example
https://webmail.service.name.rippedoffvendor.com.hosted.example

Left-stuffed domain names

By stuffing a domain name with additional components at the left-hand end, you push the true domain name – often an obvious giveaway that the site is not what it claims to be – off to the right.

On a mobile device, or a laptop with limited screen space, browser windows often end up truncating URLs in the address bar so that you only see the start of the URL.

In other words, the giveaway that the page is hosted on a popular cloud service is hidden away, while the implication that the page is an official page belonging to a completely different brand is clearly visible.
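Here is an added example, not code from the article, of the check a mail filter or link scanner can make mechanically instead of relying on what fits in the address bar: find the registrable domain (the public suffix plus one label) and look at what has been stuffed to its left. The miniature public-suffix list and the set of protected brand names are assumptions embedded for illustration; a real check would load the full Public Suffix List.

```python
# Added example (not code from the Naked Security article): locate the
# registrable domain of a URL and report what has been "left-stuffed"
# in front of it.
from urllib.parse import urlsplit

# ASSUMPTION: a tiny stand-in for the Public Suffix List. "web.app" really is
# listed there (Firebase hosting); the others are the obvious ones. A real
# check loads the full list from https://publicsuffix.org/.
PUBLIC_SUFFIXES = {"com", "org", "net", "example", "app", "web.app"}

# ASSUMPTION: brands we care about, named by the registrable domain they own.
PROTECTED_DOMAINS = {"sophos.com", "office365.com", "microsoft.com"}


def split_host(host):
    """Return (stuffed_prefix, registrable_domain, public_suffix) for host.

    The public suffix is the longest entry in PUBLIC_SUFFIXES that ends the
    name; the registrable domain (eTLD+1) is that suffix plus one more label.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[: i - 1]), ".".join(labels[i - 1:]), suffix
    # Unknown suffix: fall back to treating the last two labels as registrable.
    return ".".join(labels[:-2]), ".".join(labels[-2:]), labels[-1]


def analyse(url):
    host = (urlsplit(url).hostname or "").rstrip(".")
    stuffed, registrable, suffix = split_host(host)
    # Everything left of the public suffix was chosen by whoever registered
    # the name (or, on a hosting service, merely signed up for it).
    registrant_part = host[: -len(suffix)].rstrip(".")
    impersonates = sorted(
        brand for brand in PROTECTED_DOMAINS
        if registrable != brand and brand.split(".")[0] in registrant_part
    )
    return {
        "host": host,
        "registrable": registrable,
        "stuffed": stuffed,
        "impersonates": impersonates,
        "suspicious": bool(impersonates),
    }


if __name__ == "__main__":
    for url in (
        "https://nakedsecurity.sophos.com/",
        "https://nakedsecurity.sophos.com.acme.example/",
        "https://outlookloffice365userxxxxxxxx.web.app/login.aspx",
    ):
        print(analyse(url))
```

The web.app case shows why the public-suffix step matters: because web.app is a public suffix, the phisher's chosen label is the registrable domain itself, so the brand string lands in the part the registrant controls even though nothing is stuffed to its left. In production you would also allowlist the brand's own legitimate domains (login.microsoftonline.com, say) to avoid flagging them.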

Here’s an example of how you may end up seeing less than the truth, but enough to look real.

The real Naked Security site looks something like this, viewed in a slightly cramped browser window:

Firefox has turned the nakedsecurity part of the server name grey, to remind you that it’s not the final, officially registered part of our domain name – that is, of course, sophos.com, which won’t fit in the address bar here.

If you’re cautious, you can click on the padlock to reveal more details about the web certificate sent back by the site:

Interpreting the certificate you see here isn’t easy, but you can at least see which web certificate company vouched for us, and how much detail about our address they were prepared to attest to.

My home site (these images have been retouched to change the domain name to acme.example), in contrast, looks like this:

The certificate is issued by a different authority – in this case, it’s a free Let’s Encrypt domain-validated (DV) certificate, which vouches only for the fact that whoever requested it could prove control of the acme.example name, for example by publishing a challenge file on the web server or a DNS record. (Domain validation, as the name suggests, does a minimum of automated checking to see whether you control the relevant domain, but doesn’t try to verify who you are or whether you have any right to the brand names you put in front of it.)

So, if I create a subdomain of my own called nakedsecurity.sophos.com.acme.example then I can serve up a vaguely passable fake of the real site, like this:

There’s a lot wrong here, notably that the text sophos.com is greyed out by Firefox to remind me that it is part of the server name but not the actual domain name, which won’t quite fit in the address bar.

Also, the site is a bit iffy – I used a poor-quality screenshot instead of real HTML, for a quicker but less precise result, and you can just see the text acm... in the address bar.

Even though it’s faded out at the far right end, the darker ‘a’ nevertheless acts as a handy indicator that there is a domain name at the end of the address, and therefore something is not what it seems.

Bringing up the certificate is a dead giveaway, because it’s clearly issued for a domain that does not end in sophos.com, and this certificate says nothing about the site owner’s connection with, or authority over, any sophos.com web properties:

You could also click in the address bar and scroll to the right to expose the left-stuffing trickery going on here.

In other words, with a bit of care, even passable fake websites are often easy to spot.

Phishing in the cloud

In the example mentioned in Microsoft’s tweet above, the crooks decided not to run a server of their own.

Instead, they created a number of server instances on Google’s web.app platform, a web hosting service based on Google’s Firebase product.

If you visit the main web.app page, you will see:

By creating a web presence on this platform, you can easily acquire a site name that is a subdomain of Google’s cloud property, served over HTTPS under Google’s own certificate for the parent domain, with no certificate request of your own.

In fact, all (or at least most) subdomains automatically seem to resolve via DNS, produce default responses from the Firebase servers, and are covered by the master web.app certificate, as you can infer from these screenshots.

A randomly-chosen set of web.app subdomain names all produce the same two IP numbers when looked up using DNS:

Picking any of the random subdomains from this list leads to a default “holding page”, commonly seen when you visit a hosting server and try to access content that hasn’t been created or domain names that no one has claimed yet:

Clicking on the padlock and drilling down to view the web certificate details shows that Google has taken responsibility for all subdomains of web.app, using what’s known in the jargon as a wildcard certificate.

The * (asterisk) character is known as a wildcard and is commonly used in filenames and domain names to denote that ‘any legal text can go here’.

The Subject Alternative Name (SAN) field in a web certificate allows the owner of a domain to use the same certificate to cover a number of different names, and, by use of the wildcard character, every possible subdomain one label deep under those names (a wildcard stands in for exactly one label, so *.web.app covers anything.web.app but not deeper.anything.web.app), as you see here:
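As an added illustration that is not part of the article, here is the decision a TLS client makes when it checks whether a certificate’s SAN entries cover a hostname, applying the wildcard rules from RFC 6125 (a single bare * as the whole left-most label, matching exactly one label). The SAN list is modelled on the web.app wildcard certificate described above, not copied from the real certificate.

```python
# Added example (not from the article): how a TLS client decides whether a
# certificate's Subject Alternative Names cover a hostname, applying the
# RFC 6125 wildcard rules (one '*', as the whole left-most label, matching
# exactly one label).


def wildcard_matches(pattern, host):
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if (
        p_labels[0] != "*"                              # partial wildcards such as f*o.web.app
        or any("*" in label for label in p_labels[1:])  # wildcards further right
        or len(p_labels) < 3                            # '*.app' would cover a whole TLD
        or not all(h_labels)                            # empty labels in the host
    ):
        return False
    # The '*' consumes exactly one label, so the host must have the same
    # number of labels and agree on everything right of the first dot.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def matching_san(san_names, host):
    """Return the SAN entry that covers host, or None if the cert does not."""
    for name in san_names:
        if wildcard_matches(name, host):
            return name
    return None


# ASSUMPTION: modelled on the web.app wildcard certificate shown above, not
# copied from the real certificate's SAN list.
WEB_APP_SANS = ["web.app", "*.web.app", "firebaseapp.com", "*.firebaseapp.com"]

if __name__ == "__main__":
    for host in ("web.app", "outlookloffice365userxxxxxxxx.web.app",
                 "deeper.anything.web.app", "web.app.acme.example"):
        print(host, "->", matching_san(WEB_APP_SANS, host))
```

The point for the phishing case is the second branch: any label at all satisfies *.web.app, so the browser’s padlock is earned by whoever signed up for the name, and says nothing about who chose the label in front of it.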

Failure used for success

The crooks apparently created a whole slew of similar but different web.app domains.

We examined 56 different ones that were reported via Google’s VirusTotal service, a site through which users and researchers can submit (and the cybersecurity industry can automatically share) suspicious programs and websites.

Of those, four domains gave HTTP 451 errors, a web return code that denotes ‘unavailable for legal reasons’:

The remaining 52 domains gave HTTP 404 errors, denoting ‘page not found’, but only 43 of them produced the ‘Site Not Found’ holding page shown in the screenshot above, which is what you would expect for a name that no one has claimed yet.

Nine of the 52 ‘page not found’ domains had indeed already been set up, and were configured so that their default ‘page not found’ content was a phishing page:

Note that although HTTP 404 means ‘page not found’, the web traffic that reports the offending error code is itself a regular HTTP reply, and can include a web page in its reply body.

For a user looking at a browser window, a ‘page not found’ page shows up in just the same way as a reply that’s flagged with an HTTP 200 code, which means ‘OK’.

In other words, and the irony is not lost on us, a ‘page not found’ is reported by means of a page that was found.

The Apache web server even has a special 404 page to tell visitors that your official 404 ‘page not found’ page wasn’t found. We don’t know what happens if the ‘page not found page not found’ page itself suffers a ‘page not found’ error.
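The following added example, which is not part of the original article, shows the check a proxy or link scanner can run on a fetched page to catch exactly this trick: parse the raw HTTP response, then treat a credential form as suspicious when it arrives on an error status or posts to a host other than the one that served it. The two responses are constructed for the example (the hotel.example upload URL is a placeholder, not the real hacked site).

```python
# Added example (not from the article): flag HTTP error pages that carry a
# credential form, and forms that post passwords to a third-party host.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class CredentialFormScanner(HTMLParser):
    """Collect <form action> targets and count password inputs in an HTML body."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def assess(raw, served_from):
    status, headers, body = parse_response(raw)
    scanner = CredentialFormScanner()
    scanner.feed(body)
    offsite = sorted({
        urlsplit(action).hostname for action in scanner.form_actions
        if urlsplit(action).hostname and urlsplit(action).hostname != served_from.lower()
    })
    return {
        "status": status,
        "password_inputs": scanner.password_inputs,
        "posts_offsite_to": offsite,
        # A credential form is suspicious if it rides on a non-200 page (the
        # 404 trick above) or ships the password to somebody else's server.
        "suspicious": scanner.password_inputs > 0 and (status != 200 or bool(offsite)),
    }


# Constructed sample responses (not captured traffic).
HOLDING_PAGE = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Site Not Found</h1><p>Why am I seeing this?</p></body></html>"
)
PHISH_404 = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><form method=post action='https://hotel.example/media/thumbs.php'>"
    b"<input name=login type=email><input name=passwd type=password>"
    b"<button>Sign in</button></form></body></html>"
)

if __name__ == "__main__":
    print(assess(HOLDING_PAGE, "randomname.web.app"))
    print(assess(PHISH_404, "outlookloffice365userxxxxxxxx.web.app"))
```

This only sees forms present in the static HTML; a page that builds its form with JavaScript needs a rendering scanner. The status-code rule is the useful one here: a 404 body with a password field has no legitimate reason to exist.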

In case you’re wondering, the look that the crooks have come up with on their phishing site is surprisingly close to the real thing.

Here’s what the official Microsoft website looked like in the same browser at the same time as the fake screenshot above was taken:

Why use a holding page as a phishing page?

As Microsoft mentioned at the start, using an HTTP 404 response as a genuine page is a neat trick for the crooks, because it means that any URL that lands on the phishing site will work, without the need for the crooks to go into their various web.app accounts and set up a new URL for each new phishing campaign.

Sure, the domain names, so far anyway, are limited to the nine that are already active (with 43 left up the crooks’ sleeves for later, it seems), but each of these nine domains can be combined with any sort of URL path – that’s the stuff in the URL that follows the slash that follows the domain name.

Any of the following URLs would work without needing each URL to be configured separately, and therefore without needing any advance planning:

https://outlookloffice365userxxxxxxxx.example/ue10kfsuja8ur/hee8rjmn1il5ngeg159
https://outlookloffice365userxxxxxxxx.example/t7f95d225an169lousbhfk1ocp72vigg
https://outlookloffice365userxxxxxxxx.example/2019/08/19/important-note.html
https://outlookloffice365userxxxxxxxx.example/v5a5eflkm6vhglru
https://outlookloffice365userxxxxxxxx.example/login.aspx
https://outlookloffice365userxxxxxxxx.example/reactivate-your-account?user=dpk6n69

(Actually, we concocted these URLs following RFC 6761, so they aren’t real.)

Simply put, the crooks have found a way of using an uncomplicated web hosting platform to serve up as many different phishing URLs as they like, with no programming or complex configuration scripting needed.

By the way, if you were to fill in the fake login page and submit it, then the web form, containing your username and password, would be uploaded via a hacked page on a hotel website in East Africa.

The hotel’s server uses HTTPS, as you would expect these days, so your browser won’t produce a warning to tell you that you are about to send a password over insecure HTTP.

With both the web.app landing page and the hotel’s data exfiltration page using encrypted connections, the crooks have wangled themselves HTTPS servers without needing to apply for certificates themselves, simply by sticking to the cloud and using servers that were already encrypted.

Fortunately, it looks as though the ‘upload server’ that’s been co-opted by the crooks was compromised via a vulnerability that hijacked a specific server-side script in a specific directory.

In other words, for all that the crooks have 52 different domain names prepared for the phishing links themselves, and a practically unlimited supply of URLs to use with each of those 52 domains…

…they’re stuck, in this attack anyway, with a single, inflexible, easily blocked URL to use for exfiltrating your passwords.

That makes the final part of this scam – the last click without which the crooks come away with nothing – comparatively easy to protect against.

A chain, as they say, is only as strong as its weakest link, and that adage works to help us keep the crooks out as much as or more than it helps them sneak in.

Sophos products block access to the booby-trapped phishing pages and to the hacked site where stolen data gets uploaded.

What to do?

  • Avoid login links that arrive in a message. If you need to login to one of your online accounts, use a link that you figured out yourself. Reputable services may ask you to login, but they generally avoid sending you a link simply because they wouldn’t expect you to click it, and indeed would advise you not to.
  • Consider a password manager. In an attack like this, your password manager wouldn’t put your Outlook password into the East African hotel website because it would have nothing to relate the two services.
  • Use 2FA on every account you can. 2FA codes are usually sent to or generated on your phone every time you login, making your password alone much less useful to a crook. Even if a phishing site asks for a 2FA code and you have one ready to supply, the extra step gives you a chance to stop and think before you connect.
  • Use an anti-virus with built-in web filtering. A product like Sophos Home, for example, not only blocks malware that tries to infect your computer but also keeps track of the websites you are about to send data to. Therefore it can stop you leaking your password in cases like these, as well as alerting you to the danger.
  • Pay attention to the telltales in your browser. Sometimes, even the most carefully concocted phishes are obvious if you take the time to check the indicators that your browser provides. The greyed-out part of a URL in the address bar can help you spot a left-stuffed domain, and stopping to examine web certificates helps you rumble fake or hacked sites.
  • Know where your cloud assets are. Cloud servers are easy to set up in a hurry, and just as easy to forget about afterwards. A product like Sophos Cloud Optix can help you keep track of your cloud usage, so you aren’t putting data where it shouldn’t be, and you aren’t inadvertently providing free ‘cybercrime hosting’ for sneaky crooks.
  • Keep your users informed. Phishing pages like the one shown here are easy to fall for because of their elegant simplicity – by copying distinctive pages from well-known brands, the crooks keep your suspicions low. Sophos Phish Threat lets you train and test your users using realistic but safe phishing simulations.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YJwPC_v71rM/

Scammers use bogus search results to fool voice assistants

Another security problem has been spotted in voice assistant platforms. However, this one has nothing to do with the recent controversy over private conversations being listened to by contractors without users’ knowledge.

As reported by the Better Business Bureau (BBB), scammers have worked out how to game the search results for company customer support telephone numbers.

It’s a simple con where scammers create fake support numbers for well-known brands, paying for these to be bumped to near the top of search results.

A person sitting at home asks their voice assistant (or smart device embedding that technology) to find that company’s telephone number and instead of the correct one, a scammer’s phone number is returned to them to auto-dial.

The report cites real victims, including a woman who tried to phone a large airline to change her seat, only for the unnamed voice assistant to put her through to criminals impersonating that company.

The result? They tricked her into paying for $400 in gift cards after convincing her that the airline was running a promotion.

In a second example, Apple’s Siri put someone through to a tech support scam when the user believed he was phoning for help with his printer.

Achilles heel

Deceptive advertising has been a problem on conventional web searches for years – a polite way of saying that this issue was utterly predictable.

Arguably voice assistants inadvertently make this worse, because the user has no visual information to judge the reliability of what they’re being sent to (a dodgy domain, say) and no alternatives for comparison.

And there’s no easy way to counter these through the platforms themselves because assistants depend on search engines to deliver reliable results.

Search engines such as Google say they devote resources to rooting these fakes out as quickly as possible, but it’s not always that simple when scammers set up paid accounts to promote their cons.

Even when they are noticed by search engines, they can quickly be resurrected through new accounts pushing the same fakery.

What to do

The BBB’s sensible advice is mildly paradoxical – don’t rely on voice assistants for anything as risky as customer support numbers. Always manually check these on the web.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3nK_drrO_gM/

Chrome users ignoring warnings to change breached passwords

If you were told that the password you had just entered was known to have been compromised in a data breach, what would you do?

Presumably, the answer is ‘change it immediately’. And yet, according to Google, only one in four users of its Password Checkup Chrome extension decided to do just that when told the same bad news.

Introduced in February, Password Checkup compares a hashed version of every user password entered against a database of four billion that Google knows to have been compromised in breaches.

If it notices a match for a password and username combination, the user can either continue to log in (i.e. ignore it but be warned the next time), log in and change it, or ignore the warning by clicking ‘close’.

Doing the password comparison securely is more technically complicated than it sounds but suffice to say Google went to some lengths to solve the problem.
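To show why the comparison is harder than it sounds, here is an added example (not Google’s code) of the simplest privacy-preserving scheme for it, the hash-prefix range query used by Have I Been Pwned’s Pwned Passwords API: the client sends only the first five hex digits of the password’s SHA-1, the server returns every breached hash suffix in that bucket, and the final match happens on the client. Google’s Password Checkup goes further (it hashes the username and password together and blinds the result with elliptic-curve arithmetic so that neither side learns the other’s data), so treat this as the entry-level version, with a constructed four-entry breach corpus standing in for the real database.

```python
# Added example (not Google's or HIBP's code): a k-anonymity hash-prefix
# lookup. The server only ever learns a 20-bit prefix of the password hash.
import hashlib

PREFIX_LEN = 5  # hex digits; with ~500M breached hashes each bucket holds ~500


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# CONSTRUCTED breach corpus, held by the server as hashes only.
BREACH_CORPUS = {sha1_upper(p) for p in ("password", "letmein", "qwerty123", "Summer2019!")}


def server_lookup(prefix):
    """Server side: every breached hash suffix sharing this prefix.

    The server sees one of 16**5 buckets, never the full hash, and cannot tell
    which (if any) of the returned suffixes the client was interested in.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly five upper-case hex digits")
    return sorted(h[PREFIX_LEN:] for h in BREACH_CORPUS if h.startswith(prefix))


def client_check(password):
    """Client side: send only the prefix, finish the comparison locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = server_lookup(prefix)      # the only data that crosses the wire
    return {
        "prefix_sent": prefix,
        "bucket_size": len(bucket),
        "breached": suffix in bucket,
    }


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", client_check(pw))
```

The privacy of the scheme rests on bucket size: with a tiny corpus like the one embedded here most buckets are empty and the prefix alone nearly identifies the password, which is why a real deployment needs hundreds of millions of entries (or Google’s blinded-hash approach) before the query stops leaking.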

What it hasn’t yet managed to solve is the bigger problem of user apathy.

The most surprising part of Google’s finding is that these users were among the 650,000 who were motivated enough about security to download the tool in the first place.

In month one alone, Google says it scanned 21 million usernames and passwords, flagging 316,000 or 1.5% as having been part of a breach (a stat that excludes trivial passwords such as ‘12345’, which the tool doesn’t warn against to avoid overstating the obvious).

There is some good news – 60% of those who changed their potentially compromised passwords chose ones that would be hard to guess.

Password reuse

The question is why a significant number of people among the early adopters of a password advice tool choose to ignore its warnings.

The answer seems to be that even relatively cautious users hugely underestimate the danger of password re-use.

There is no doubt that a lot of people still re-use passwords despite being warned not to, but it seems they re-use some more than others.

Google found that people are less likely to re-use passwords across well-known sites, such as government and finance (0.2% and 0.3% reuse respectively), and email (0.5%).

By the time you get to shopping (1.2%), news (1.9%) and entertainment (6.3%), things start to deteriorate.

Unfortunately, from the attacker’s point of view, this matters not. Once criminals have a reused password (a strong one works just as well as a weak one for this purpose), the power of credential stuffing means that the clock is ticking on another site somewhere.

Beyond simply abolishing passwords altogether as a form of authentication, the brave answer might be for tools such as Password Checkup (and Firefox’s equivalent-but-not-identical, Firefox Monitor) to start nagging users more assertively.

It’s unlikely that browser makers have the stomach for this yet but if it comes to pass, the pestering could push more users to better alternatives such as password managers and two-factor authentication.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4HvdcwUNkIs/

Huawei goes all Art of War on us: Switches on ‘battle mode’ and vows to ‘dominate the world’

An internal memo to Huawei staff sent by boss Ren Zhengfei is long on military metaphors and warns that the company needs to go into “battle mode” to counter trade barriers put up by the United States.

Ren said that although first-half results were pretty healthy, some of this was due to sympathetic early payments by some Chinese firms.

“The company is facing a live-or-die moment… If you cannot do the job, then make way for our tank to roll. And if you want to come on the battlefield, you can tie a rope around the ‘tank’ to pull it along, everyone needs this sort of determination!” The memo was seen by Reuters but Huawei confirmed that it was genuine.

He called on staff to ensure accounts were paid on time to give the company a stable cash flow. He said they should continue to aim at pre-ban sales targets. Huawei was on track to become the world’s largest handset maker before Trump’s ban and unban of trading with the company. Now it all looks uncertain.

Ren said that after three to five years, Huawei “will be flowing with new blood… After we survive the most critical moment in history, a new army would be born. To do what? Dominate the world.”

Yesterday Trump seemed to have blinked again when the US once more extended the Huawei ban for another 90 days while simultaneously adding 40-odd Huawei-connected companies to the Entity List.

Trump originally claimed the ban was made on national security grounds, but then said that the freeze on trading with Huawei could be relaxed as part of a larger trade agreement between the two countries.

Talking to Sky News last week, Ren cited Emperor Wu of the Western Han Dynasty, who as a military campaigner led China through a vast territorial expansion. He also said the company would make 60,000 5G base stations this year and 1.5 million next year, claiming they were 30 per cent more efficient than its previous generation and no longer required US components.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/20/huawei_goes_all_sun_tzu/

5 Ways to Improve the Patching Process

So many software vulnerabilities, so little time. But failure to patch them can have serious consequences. Here’s help for overwhelmed security teams.

In theory, anyone who depends on software should patch a vulnerability as quickly as possible. That goes for consumers as well as enterprises. In hindsight, Equifax would likely agree. The major breach of 2017 was, in part, the result of a failure to patch in a timely manner, writes security thought leader Kevin E. Green. But there are many reasons why patching doesn’t happen quickly. Or at all. 

According to the “2019 Vulnerability and Threat Trends Research Report,” published by Skybox Security, part of the problem is security teams are overwhelmed by the number of new vulnerabilities — 16,000 were reported last year — making patching rather unmanageable. Some organizations can’t patch quickly because the risk of downtime far surpasses that of the vulnerability. Still others don’t have a patching policy in place that identifies who is responsible for patching what and when.

“When you consider that [quality assurance] testing should take place before a patch is rolled out, and that many organizations have to work around defined ‘downtime windows,’ it becomes clear that every organization, every day of the year, is vulnerable to known attack vectors,” says Bob Noel, VP of strategic relationships for Plixer.

So how can security teams make patching a smoother process? Here are five ways. 


Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/edge/theedge/5-ways-to-improve-the-patching-process/b/d-id/1335555?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Visa Adds New Fraud Disruption Measures

Payment card giant creates a ‘cyber fraud system’ to thwart transaction abuse.

Visa is now adding fraud disruption to supplement its transaction fraud detection and remediation efforts. At the Visa US Security Summit 2019 in San Francisco today, the company outlined five new capabilities it is using to prevent fraudulent transactions.

“We’re looking to identify and disrupt fraud before it happens,” says David Capezza, senior director of payment fraud disruption at Visa. “We want to take a more proactive approach and identify these attacks and shut them down before they occur.”

Rivka Gewirtz Little, research director for global payment strategies at IDC, says Visa’s new approach blends both its cyber and fraud units.

“Typically, organizations are focused on the transaction,” Gewirtz Little says. “What’s interesting here is that Visa is creating a true cyber fraud system where the cyber team and fraud teams are integrated: the cyber team focuses on the attack against the enterprise and the fraud team looks at ways of preventing the attack. It’s not always the same set of tools, the same team and objectives.”

The five new fraud capabilities Visa will offer include:

Vital Signs: Monitors transactions and alerts financial institutions of potentially fraudulent activity at ATMs and merchants that may indicate an ATM cashout attack. To limit financial losses for financial institutions, Visa can automatically or in coordination with clients, step in to suspend malicious activity.

Capezza says Visa looks to understand the methodologies behind ATM cashout attacks, looking for anomalies in withdrawals and then notifying clients.

Account Attack Intelligence: Applies deep learning to Visa’s vast number of processed card-not-present transactions to identify financial institutions and merchants that hackers may exploit to guess account numbers, expiration dates, and security codes. By using machine learning, Visa looks to detect sophisticated enumeration patterns, eliminate false positives, and alert affected financial institutions and merchants before follow-on fraud transactions begin.

Payment Threats Lab: Visa will create an environment to test a client’s processing, business logic, and configuration settings to identify errors leading to potential vulnerabilities. Capezza says working directly with clients, Visa can run red-team tests to walk through the methodologies hackers use to launch attacks. They can replicate how various attacks occur to understand them better and look out for new ways hackers can potentially attack financial systems.

eCommerce Threat Disruption: Capezza says the success of EMV cards has shifted cybercriminals’ focus to ecommerce merchants. Visa’s threat disruption capability uses sophisticated investigative techniques to scan the front-end of e-commerce websites for payment data skimming malware. By identifying potential website compromises, Visa hopes to limit the amount of time malware might be present on a merchant website and significantly reduce exposure of customer and payment data.

Payment Threat Intelligence: All of Visa’s new disruption capabilities will enhance Visa’s threat intelligence reports, which go out to Visa’s brick-and-mortar and online clients and the broader financial community. The reports include alerts, analysis, technical indicators, and mitigations for potential cybercrime threats, account compromises and fraud.

Meanwhile, Forrester Research today published a new fraud study commissioned by Visa. According to the new Forrester report, 68% of respondents expressed concerns about fraud in mobile banking payments; 60% for mobile wallets; and 58% for peer-to-peer payments. However, Forrester also found that 77% are ready to invest to meet these challenges head-on.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/risk/visa-adds-new-fraud-disruption-measures/d/d-id/1335570?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Who Gets Privileged Access & How to Enforce It

Let’s begin by re-evaluating IT infrastructures to determine who has access to what, why, and when.

When we evaluate the most significant data breaches, such as the ones affecting Marriott, Microsoft Outlook, Equifax, the US Office of Professional Management, and Yahoo, each one has a common theme: stolen administrator credentials. In the past year alone, there has been a 98% increase in web-based email account compromises due to stolen credentials and 80% of hacking-related breaches are still tied to passwords, causing us to question what’s falling short with existing identity and access management tools.

Historically, privileged access management (PAM) has focused on giving the least amount of privilege possible and eliminating privilege for users who don’t need it. While that approach may have worked 20 years ago, hackers have found workarounds to steal credentials and move laterally across organizations to find and exfiltrate sensitive data. So, how do we modernize our approach to PAM? One of the first things we can do is begin re-evaluating IT infrastructures to determine who has access to what, why, and when.

Continuously Monitor for Credential Abuse to Prevent Lateral Movement
Credential abuse puts admin credentials at risk and can wreak havoc in your network. For example, when users in a company network get infected with a virus, they usually call the support desk for help. Often, though, the IT support person unintentionally puts his or her credentials at risk trying to help remedy the situation, offering the attacker an easy entryway to further compromise the network. Now the attacker can use the IT admin’s credentials for legitimate and illegitimate purposes on the network, making it hard to tell the difference.

Therefore, companies must carefully monitor logins by collecting all types of authentication events in a centralized location. The collection and regular review of event logs plays a vital role in understanding regular versus abnormal network activity while also helping to identify and prevent attacks.

As another rule of thumb, domain administrators should only log in to domain controllers. Domain controllers in Active Directory hold accounts for everyone in the entire company and are ultimately seen as the box that holds the keys to the kingdom. If that domain controller gets compromised, the hacker gets the domain accounts of everyone in the company.

Identify Levels of Access, Including Nested Administrator Groups
To defend against credential-based attacks, it’s especially crucial to identify the various levels of IT admin access, determining who has what amount of privilege across the network. This is important because 94% of Microsoft vulnerabilities can be mitigated by simply turning off admin rights.

Tracking administrator credentials becomes a problem for companies that struggle to gain visibility into who — and where — their administrators are because every system on a company’s network can have a different configuration for administrators.

This can be easier said than done, especially with nested groups found within Active Directory. The nested group structure means that there are groups that can also be members of multiple other groups. While nesting can be helpful, it can also create overlap and cause IT admins and security teams to lose visibility into what access is given and to whom. Some organizations have moved away from using multiple nesting groups altogether because of these management challenges.

When people create such groups, they don’t understand the downstream challenge they create from an IT admin perspective. Admin rights start growing and increase exponentially over time. No one has real tools to understand and see how small changes can grant access to thousands of nested systems.

The risks of data exfiltration, breaches, and credential theft attacks dramatically increase when companies add users and admins into these nested groups, where they get full, uncompromised access to files, folders, and other systems that they don’t need.
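As an added illustration of how nesting hides effective privilege (example code written for this page, not the author’s or any vendor’s tool), the following walks a constructed group tree and reports every user who reaches Domain Admins only indirectly; the group and user names are sample data, and the membership map stands in for what a directory query would return.

```python
# Added example: resolve effective membership of a privileged group through
# nested Active Directory-style groups. All names below are constructed sample
# data, not taken from any real directory.
from collections import deque

# Constructed directory: group -> direct members (user accounts or other groups).
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Backup-Operators"],
    "Backup-Operators": ["carol", "Helpdesk"],
    "Helpdesk": ["dave", "Contractors"],
    "Contractors": ["erin", "Helpdesk"],   # membership cycle: Helpdesk <-> Contractors
    "Finance": ["frank"],                  # unrelated group, should never appear
}

def effective_members(group, groups=GROUPS):
    """Return {user: path} for every user who reaches `group` through nesting.
    `path` is the chain of groups (outermost first) that grants membership.
    Breadth-first walk with a visited set, so arbitrary depth and cycles are safe."""
    found = {}
    seen = set()
    queue = deque([(group, [group])])
    while queue:
        name, path = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        for member in groups.get(name, []):
            if member in groups:                # a nested group: keep walking
                queue.append((member, path + [member]))
            else:                               # a user account
                found.setdefault(member, path)  # first (shallowest) path wins
    return found

def hidden_admins(group="Domain Admins", groups=GROUPS):
    """Users who effectively hold `group` but are not listed directly in it:
    exactly the accounts an administrator loses sight of with deep nesting."""
    direct = {m for m in groups.get(group, []) if m not in groups}
    return {u: p for u, p in effective_members(group, groups).items() if u not in direct}

if __name__ == "__main__":
    for user, path in sorted(hidden_admins().items()):
        print(f"{user}: admin via {' > '.join(path)}")
```

Run against a real directory, the same walk would be fed by the group-membership attributes the directory exposes; the point of the toy data is that four of the five effective admins never appear in the Domain Admins member list.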

Rethink How Enterprises Limit IT Admin Access
There are many IT administrative functions within any given organization. IT plays a critical role in securing business continuity and operations across the organization. Administrators need to be able to reset passwords, update software, troubleshoot latency issues, answer help desk calls — the list goes on and on. However, when companies give IT administrators 24/7/365 access to most or all of their infrastructure, it only takes one compromise for an entire company’s network to be breached. Hackers know this, and they are exploiting it quite successfully.

Making admin access more dynamic — granting it only when and where it’s needed — prevents persistent access that can open the door for data breaches. Just-in-time administration is a new approach that allows system administrators to grant users privileges to resources for a limited period of time, in order for them to log in and address an issue, and then rescind that permission. To add another layer of protection, this just-in-time approach should ideally be paired with two-factor administration.

With credential-based attacks at an all-time high, we truly need a shift in our security strategy. Companies can gain the upper hand in cybersecurity defense once again by shifting their perspective from just who should have access to who should have it, when, and for how long.


Tim Keeler is the Founder and CEO of Remediant, a leading provider of privilege access management (PAM) software. Earlier in his career, Tim worked at Genentech/Roche from 2000 to 2012 and was a leader on the Security Incident Response Team. After that, Tim provided …

Article source: https://www.darkreading.com/operations/identity-and-access-management/who-gets-privileged-access-and-how-to-enforce-it/a/d-id/1335495?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyberthreats Against Financial Services Up 56%

Financial institutions interacting with customers online must prepare for a broader, more sophisticated variety of threats.

Financial organizations increasingly turn to online portals, social media, and mobile apps to better engage with customers. However, the same digital platforms’ low cost and low barrier to entry make it easier for cybercriminals to exploit them and target a larger pool of financial victims.

ZeroFOX’s “Financial Services Digital Threat Report 2019,” released today, reports a 56% year-over-year increase in digital threats targeting the financial space. Researchers scanned 2.9 billion pieces of content and found more than 8.9 million security events in a 12-month period. Brand abuse and manipulation was the most common threat, with more than 250,000 events. Ninety percent of these were name impersonations, often not easily detected due to disguising tactics.

Financial services firms are more prone to corporate social media account takeover, researchers found: Attempts occur nearly 30 times per year on average for each company. Each executive is hit with an average of four credential compromises per year, 2.3 of which stem from breached databases. Each financial services company has an average of 30 targeted execs.

Fraud made up 40% of all cyberattack activity against financial services firms, analysts report, and 75% of those scams occurred on mobile apps and social media. Of the 87,900 fraud scams detected, 37% were money-flipping schemes, 28% were customer giveaway scams, and 27% were scams related to cryptocurrency. Researchers also discovered 489 fake mobile apps.

Read more details and check out the full report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/cyberthreats-against-financial-services-up-56-/d/d-id/1335574?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Pwn Star State: Nearly two dozen Texas towns targeted by tiresome ransomware

Twenty-three towns in Texas have been targeted with ransomware in what appears to be a coordinated attack.

On Friday, the Texas Department of Information Resources (DIR), which handles state IT operations, said at least twenty local government entities had been affected.

The following day, the DIR said reports from local governments came in Friday morning and the State Operations Center began operating day and night to deal with the crisis.

“At this time, the evidence gathered indicates the attacks came from one single threat actor,” the DIR said in a statement. “Twenty-three entities have been confirmed as impacted. Responders are actively working with these entities to bring their systems back online.”

Ransomware involves malicious code that encrypts an organization’s files and demands payment for access to the encryption key that will – possibly – unlock the files.

In response to an inquiry from The Register, a spokesperson for the DIR said the agency has not named the affected entities or the attack vector used. Reports have suggested the attack employed the Sodinokibi ransomware; the DIR declined to confirm this.

The DIR spokesperson had no information to provide about whether the towns in question have access to data backups.

On Monday afternoon, the City of Borger, Texas, said in a statement that it was among the municipalities affected by the attack. The statement says City operations have been affected but the City has activated its continuity of operations plan to assure continued delivery of basic and emergency services. Work is underway to restore affected systems but it’s not yet clear how long that will take.

“Currently, Vital Statistics (birth and death certificates) remains offline, and the City is unable to take utility or other payments,” the City said. “Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off.”

No customer credit card or personal information has been compromised, the City said, adding that no further information about the origin of the attack will be released until the investigation is complete.

Ransomware attacks have hit government entities in all US states except for Delaware and Kentucky, cybersecurity biz Recorded Future said in May. Examples of such incidents have occurred in Florida and Maryland, as well as cities in other countries, such as Johannesburg, South Africa last month.

The security shop said ransomware attacks on state and local governments are on the rise, though it conceded that its metrics may be incomplete because such incidents are not necessarily reported.

In a phone interview with The Register, Sean Curran, a senior director with West Monroe Partners, a management and technology consultancy, said there has been a shift over the past few years in the way attackers go after data.

“Ransoming data has a bigger impact and a bigger payday than trying to resell stolen personal information,” he said. “It’s a more direct, immediate return.”

Curran said ransomware appears to be extremely profitable and many organizations haven’t yet revised their security posture to account for the possibility. “Many companies don’t test their backups to make sure they’re functional or move them off-site so they can’t be deleted,” he said, noting that the first thing ransomware attackers do is delete accessible backups.

Organizations, he said, should make sure they’ve stored their data somewhere safe. “Sometimes old school is best,” he said. “Tapes are really hard to steal from.”

He also advised organizations to inform employees about the dangers of phishing, which is often how malware gets onto an organization’s network.

“In almost every ransomware attack we’ve looked at, the company had been compromised six to nine months before the attack was launched,” he said, noting that this allows the attacker to conduct reconnaissance.

When the attack occurs, he said, it tends to happen at a time when few people are around monitoring IT systems, because it can take time to encrypt large amounts of data. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/20/texas_towns_ransomware/