STE WILLIAMS

New British Army psyops unit fires rebrandogun, smoke clears to reveal… I’m sorry, Dave…

Logowatch The British Army has launched yet another social media ‘n’ psyops unit and its logo will look remarkably familiar to anyone who’s watched 2001: A Space Odyssey – or Captain Scarlet.

6 (UK) Division is the new organisational home for the Army’s “asymmetric edge”, comprising all things “Intelligence, Counter-Intelligence, Information Operations, Electronic Warfare, Cyber and Unconventional Warfare”.

Launched this morning, 6 Div is a rebranding of the formation formerly known as Force Troops Command, which covered a hotchpotch of Royal Signals, Intelligence Corps and other units, including the infamous 77 Brigade.

Lieutenant General Ivan Jones proudly declared: “6th Division focuses on Cyber, Electronic Warfare, Intelligence, Information Operations and unconventional warfare through niche capabilities such as the Specialised Infantry Battalions.”

The new division is purely a rebranding exercise and will not result in an increase in manpower, equipment or “capabilities”.

The Ministry of Defence added: “This change will be integrated within broader Defence, national and alliance efforts and enable the Field Army to operate and fight more effectively above and below the threshold of conflict.”

This operates below and above the threshold of conflict, and in no way resembles Microsoft’s hated Cortana search/surveillance voice assistant.

Force Troops Command’s insignia was some kind of mythical sword-wielding beast on a blue and orange background. A reasonably warlike badge to wear in a, er, warzone.


Force Troops Command logo: This does not operate below the threshold of conflict and therefore must be replaced with a ring.

6 Div’s insignia looks a bit like murderous robot HAL9000 from the classic sci-fi film 2001: A Space Odyssey.

HAL: “I’m sorry, Dave, I’m afraid I can’t do that”

Nonetheless, General Jones informed, or possibly threatened us, by saying: “The speed of change is moving at a remarkable rate and it will only get faster and more complex.”

Alternatively, 6 Div’s new insignia could resemble half a Mysteron, the twin-ringed, never-actually-present Martians from classic kids’ telly puppet show Captain Scarlet.

Even Martians can’t resist copping an eyeful, it seems

There is no news on whether the new division has adopted Johnny Cash’s “Ring of Fire” as its official marching tune. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/01/british_army_shows_us_its_cyber_ring/

Org’s network connect to GitHub and Pastebin much? It’s a Rocke road to cryptojacking country

Palo Alto Networks has spotted a new cryptomining malware technique that not only wipes out any other miners present on the target machine but uses GitHub and Pastebin as part of its command-and-control (C2) infrastructure.

The malware, believed to originate from a Chinese cybercrime group nicknamed Rocke, targets cloud infrastructure in order to plant cryptocurrency mining software, potentially causing much larger metered usage bills for companies falling victim to it.

“Rocke, which primarily targets public cloud infrastructure for criminal gain, continues to evolve its tools and take advantage of poorly configured cloud infrastructures using vulnerabilities released in 2016 and 2017,” said Palo Alto, adding that the malware peddlers were “able to conduct operations with little interference and limited detection risk”.

It continued: “The group can gain administrative access to cloud systems using malware that is able to remain hidden from basic investigations. Compromised systems then perform predictable and detectable network actions to known Rocke hardcoded IP addresses or Rocke-owned domains.”

The basic compromise vector is, as ever, phishing. Once the target organisation has been successfully phished, the malware is deployed and executed from download and C2 sources including GitHub and Pastebin.

“The group’s first cryptomining operations were written in Python and used Pastebin or GitHub as the code repository from which the first-stage payload was downloaded,” said Palo Alto in a deep dive published today. “As of March 12, 2019, Rocke actors began to also use Golang.”

The first-stage payload directed the victim system to connect to a hardcoded Rocke domain or IP address which the researchers were able to use to trace and map the threat actors’ own infrastructure. The malware was also observed connecting to various cloudappconfig.com and heheda.tk URLs, as well as the IP address 104.238.151.101 among many others.

In mitigation terms, as well as (as you’d expect) buying their products, Palo Alto also recommended patching all cloudy wares within your organisation. Investigating cloud network traffic for connections to known dodgy domains and IPs is also a wise move to clear it out. Though it did not specify how many target organisations it looked at, Palo Alto reckoned that around a quarter had live Rocke infections in their cloudy boxen.
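As an added illustration of the traffic-hunting advice above (not code from Palo Alto or The Register), the Python below sweeps constructed egress log lines for the Rocke indicators quoted in the article; the key=value log format and the sample lines are assumptions.

```python
"""Flag outbound connections to the Rocke indicators named in the report."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators quoted in the Palo Alto write-up as summarised above. GitHub and
# Pastebin also serve as Rocke download/C2 sources but are far too widely used
# to act as indicators on their own, so they are deliberately not listed here.
ROCKE_DOMAINS = {"cloudappconfig.com", "heheda.tk"}
ROCKE_IPS = {ipaddress.ip_address("104.238.151.101")}

# Constructed sample egress records (assumed format; not real telemetry).
SAMPLE_LOG = """\
2019-08-01T09:12:03Z src=10.20.1.7 dst=104.238.151.101 port=80 host=-
2019-08-01T09:12:09Z src=10.20.1.7 dst=198.51.100.4 port=443 host=api.cloudappconfig.com
2019-08-01T09:13:44Z src=10.20.1.9 dst=198.51.100.9 port=443 host=raw.githubusercontent.com
2019-08-01T09:14:01Z src=10.20.1.9 dst=203.0.113.8 port=80 host=update.heheda.tk
2019-08-01T09:15:27Z src=10.20.1.7 dst=93.184.216.34 port=443 host=example.com
this line is malformed and must not abort the sweep
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) host=(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str          # internal host that made the connection
    indicator: str    # which indicator matched
    kind: str         # "ip" or "domain"


def domain_matches(host: str, bad_domains: Set[str]) -> Optional[str]:
    """Return the indicator if host is that domain or a subdomain of it.

    Suffix matching is anchored on a dot so that e.g. 'evilcloudappconfig.com'
    is not mistaken for a subdomain of 'cloudappconfig.com'.
    """
    host = host.lower().rstrip(".")
    for d in bad_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(text: str, bad_domains: Set[str] = ROCKE_DOMAINS,
             bad_ips=ROCKE_IPS) -> List[Hit]:
    """Parse each record and report connections to a listed IP or domain."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable record: skip it, keep scanning
        ts, src, dst, host = m["ts"], m["src"], m["dst"], m["host"]
        try:
            if ipaddress.ip_address(dst) in bad_ips:
                hits.append(Hit(ts, src, dst, "ip"))
                continue  # one hit per record is enough
        except ValueError:
            pass  # dst was not an IP literal; fall through to the host check
        d = domain_matches(host, bad_domains)
        if d:
            hits.append(Hit(ts, src, d, "domain"))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.indicator} ({h.kind})")
```

Any internal source address that appears in the output is a candidate for the host-level investigation the article describes.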

Last year Cisco Talos uncovered Rocke, attributing it to a person or persons unknown operating from China’s Jiangxi Province and deploying the Cobalt Strike malware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/01/palo_alto_networks_rocke_malware/

Demystifying New FIDO Standards & Innovations

Staying on top of the latest cybersecurity risks and preferred attack methods can feel impossible, but standards like FIDO2 are designed to help relieve the burden.

Weak or stolen passwords are responsible for more than 80% of hacking-related breaches, according to research from Verizon. In response to the undeniable password problem, the nonprofit standards body FIDO Alliance is addressing traditional authentication issues and providing organizations with a framework that protects them from chronic risks, such as credential stuffing, password reuse, and phishing attacks. This past March, FIDO launched a new set of standards, FIDO2: WebAuthn and CTAP, which enables organizations to move beyond a reliance on passwords and shared secrets, and instead leverage common devices to easily authenticate to online services in both mobile and desktop environments.

With a greater emphasis on browser-based authentication (versus solely mobile, as seen in previous standards), FIDO2 standards are supported by all major browsers on sites served over HTTPS (that is, with a TLS/SSL certificate), including Chrome, Internet Explorer, Firefox, and Safari. By allowing users to log in to Internet accounts using their existing, preferred device, the WebAuthn component of FIDO2 enables easier, safer login experiences via biometrics, mobile devices, and/or FIDO security keys. The CTAP component allows external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also to serve as authenticators to desktop applications and Web services.

Standardized Biometrics Provide Particular Value
FIDO2 standards are already bolstering the cybersecurity landscape, particularly via their standardized biometric capabilities. The majority of mobile phones, laptops, and desktops available for purchase today boast facial recognition features, but FIDO2 provides a way to leverage the power of biometrics in a standardized manner. Previously, organizations had to write their own code entirely from scratch to use any biometric sensor, and a great deal of custom code plus a common interface were needed before different sensors could interoperate. With FIDO2, this process has been standardized and browser support is built in, making it much easier for organizations to implement and adopt biometric technology.

Best Practices for Adopting FIDO2
To best take advantage of FIDO2 and all the benefits the standards can provide, organizations and their IT and security teams should abide by the following three best practices:

  1. Follow a standardized approach. When implementing any component of FIDO2, it’s critical to refrain from incorporating any proprietary or black-box technology, even if it promises to adhere to applicable requirements. Standards have been established for a reason — they’re much easier to audit, more people can understand them, and they provide flexibility through interoperability. To achieve success and compliance over the long term, always opt for standards-based technologies. Additionally, make sure any previous versions of technology being used are interoperable so you don’t have to start from scratch when introducing any additional authentication standards.
  2. Start with the highest-impact use cases. Rather than implementing too many changes too quickly and overwhelming security and IT teams (as well as end users), it’s important to start small and look for areas within FIDO2 that stand to make the most impact on your organization. For example, because these latest standards were designed to help eliminate passwords and shared secrets, perhaps it makes sense to start by incorporating FIDO2 into corporate workstation access processes. Rather than continuing to offer employees password login and reset features (which can easily be tampered with or stolen via malware), FIDO2 can seamlessly provide employees with secure, password-less workstation access through any Web-based application.
  3. Evaluate current costs. To prepare for current standards like FIDO2 as well as the inevitable slew of additional, future standards, take the time to look at the hard costs associated with passwords and other shared secrets, because this is precisely where security standards can provide clear return on investment. For instance, any unnecessary expenses related to password resets and/or account lockouts should serve as a prime incentive for adopting standards like FIDO2 and beyond. Better yet, by pinpointing cost inefficiencies such as password resets, the time and resources required to incorporate new standards can be easily justified to all organizational stakeholders.

Long-Term Viability Requires Password-less Authentication 
Staying on top of all the latest cybersecurity risks and preferred attack methods can feel like an insurmountable task. In fact, even keeping abreast of all the latest security standards can be a challenge. What’s most important is that organizations and their IT and security teams recognize that standards like FIDO2 are designed to help relieve the burden of cybersecurity. Passwords and shared secrets no longer suffice in our high-risk, fast-paced digital landscape, so it’s paramount that organizations incorporate more secure methods of authentication. By adopting password-less standards like FIDO2 in a timely manner, organizations can confidently secure their most valuable assets, while also driving crucial initiatives like digital transformation projects by making their users immune to phishing attacks and account takeovers.


Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration …

Article source: https://www.darkreading.com/endpoint/demystifying-new-fido-standards-and-innovations/a/d-id/1335381?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researcher Finds Open ‘Road Map’ to Honda Computers

An unprotected database, now secured, contained information on every computer owned by the automobile giant.

A researcher using Shodan — one of the basic search tools used by those hunting vulnerable systems and servers — found an ElasticSearch database holding more than 134 million rows that had no authentication requirement. The interaction between the researcher, xxdesmus, and the database’s owner, Honda Motor Co., highlights the way responsible disclosure is supposed to work and the difficulties that can stand in the way of responsible behavior.

Justin Paine, director of trust and safety at Cloudflare, tweets and blogs under the name “xxdesmus.” In his personal blog post on the incident, he writes of finding the open database through a Shodan search on July 4. The database, which appeared to be a catalog of all Honda internal computers, including the laptop computers used by the CEO and other executives, contained information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software. While the database didn’t contain personally identifiable information (PII), Paine says the information could have formed a very complete “road map” for an attacker planning an assault on Honda — an assault that might target PII. 

Paine wanted to alert Honda to the vulnerable database, but it took him two days and a request made through Twitter to finally find someone at Honda who could take action.

Once contact was made, Paine reports the database was secured within about 10 hours.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/researcher-find-open-road-map-to-honda-computers/d/d-id/1335413?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

1M Payment Cards Exposed in South Korea Breach

South Korea is the largest victim of card present data theft at a time when criminals are ramping up cyberattacks in the Asia-Pacific region.

Researchers have detected a significant uptick in the amount of South Korean-issued payment card records, with more than 1 million posted for sale on the Dark Web since May 29.

The entire Asia-Pacific (APAC) region is seeing an increase in cyberattacks against brick-and-mortar and e-commerce businesses, report Gemini Advisory’s Stas Alforov and Christopher Thomas. But South Korea is the largest victim of “card present” data theft “by a wide margin.”

During the month of May, Gemini Advisory saw 42,000 compromised South Korean-issued card records posted for sale on the Dark Web; this was “generally in line” with what the company had seen over the past two years, the researchers say. However, in June it saw 230,000 records, or an increase of 448%. July brought an even greater uptick, with 890,000 records, or a 2,019% spike from May. Overall, growth amounted to more than 1 million compromised records for sale.

Card present fraud involves collecting payment data from in-person transactions, either by installing malware on a point-of-sale (POS) device or using skimmers on ATMs or POS terminals. It’s unclear which POS device led to this spike. Researchers say the records may come from the breach of a parent company that operates in several locations, or from the breach of a POS integrator, which would grant an attacker access to a single service that connects with multiple merchants.

The APAC region is becoming a hotter target for cybercrime as financially motivated attackers seek victims outside of the United States. While the US remains the most targeted country, its adoption of EMV technology in 2015 has forced criminals to find more vulnerable businesses. EMV chip adoption typically leads to a decline in card present fraud; however, in the US and South Korea, which also introduced EMV in 2015, a lack of merchant implementation has meant card present fraud remains high.


Article source: https://www.darkreading.com/endpoint/1m-payment-cards-exposed-in-south-korea-breach/d/d-id/1335415?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Five Eyes nations demand access to encrypted messaging

An alliance of national intelligence partners known as the Five Eyes – Australia, Canada, New Zealand, the UK and the US – is demanding encryption backdoors in apps such as Facebook’s WhatsApp.

As reported by the Telegraph on Wednesday, the UK’s new Home Secretary, Priti Patel, accused Facebook of helping child abusers, drug traffickers and terrorists plotting attacks, because its plans would let them hide messages behind the end-to-end encryption it intends to spread across all of its messaging services.

In March, Facebook CEO Mark Zuckerberg announced what he framed as a major, more privacy-focused strategy shift, with end-to-end encryption being a key component. He said at the time that the company would develop a highly secure private communications platform based on Facebook’s Messenger, Instagram, and WhatsApp services.

The prospect is unanimously seen as bad news by the Five Eyes nations. Patel’s warnings come on the heels of a two-day Five Eyes meeting she hosted in London along with Geoffrey Cox, the UK’s Attorney General. In attendance were security and law enforcement officials from the Five Eyes nations who said that they were worried about high-tech companies moving to “deliberately design their systems in a way that precludes any form of access to content, even in cases of the most serious crimes.”

In a communique that reportedly came out of the meeting, the Five Eyes nations called for backdoors:

Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.

In September 2018, the Five Eyes governments said they would demand that tech giants build encryption backdoors – by force, if necessary.

From a memo that the Australian government issued on behalf of the pact at the time:

Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.

Reuters spoke with a former senior European security official who said that the Five Eyes is using “very general” language, at best, in its demand for government access in telecoms systems.

He or she noted that there’s been a proposal floated recently by some British officials that wouldn’t drill a hole through encryption, per se. Rather, it would entail the equivalent of wiretapping encrypted systems, as in, secretly slipping a law enforcement agent into encrypted calls so they could tap a device at one end of the conversation after a message is decrypted.

The ex-official:

It doesn’t mean weakening encryption, just going around it.

Facebook has pointed out that it just doesn’t work that way. End-to-end encryption means only the sender and recipient can read encrypted messages. That excludes everybody else, including Facebook itself.

This option to insert a government body into encrypted conversations, which was proposed by the UK spy agency GCHQ, is known as the Ghost Protocol.

In an open letter to GCHQ published in May, a coalition of tech companies, privacy experts and human rights groups claimed that letting governments listen in “would undermine the authentication process …introduce potential unintentional vulnerabilities, [and] increase risks that communications systems could be abused or misused.”

While the Five Eyes nations may want to insert their agents into encrypted messaging, they most certainly want to keep that power to themselves. The Telegraph reports that the Five Eyes nations agreed that Huawei – a company that’s worried governments for years – should be kept out of the 5G phone network unless it can be guaranteed that the Chinese government wouldn’t get unauthorized access.

Experts say that governments’ reinvigorated anti-encryption push appears to be – no surprise here – directed not only at Facebook, but at Apple: the company that famously dug in its heels when the FBI was trying to decrypt the phone of the San Bernardino, California mass shooter in 2015.

Ben Wizner, an expert in national security law with the American Civil Liberties Union, echoed what backdoor opponents (including Sophos) have repeatedly pointed out: putting a backdoor in encryption means that you’ve broken it. Once there’s a hole, it will be found and exploited, and not necessarily by nations that (purportedly) have respect for innocent people’s privacy.

If the US and other nations get access to private messages, Wizner told Reuters, that means that adversarial nations, such as Russia, could demand that they get the same access.

This fight isn’t going away anytime soon. Last week, US Attorney General William Barr – who attended the Five Eyes meeting – said that the proliferation of “warrant-proof encryption” was making it easier for criminals to evade detection.

The response from long-time privacy advocate and vocal opponent of government efforts to weaken encryption, Senator Ron Wyden, from the floor of the Senate:

[Barr has presented an] outrageous, wrongheaded and dangerous proposal. [The AG has] raised a tired, debunked plan to blow a hole in one of the most important security features protecting Americans’ digital lives.

Yea… What he said.

Sophos has always defended, and will continue to defend, end-to-end encryption. Paul Ducklin has explained why in this article.

SOPHOS STATEMENT ON ENCRYPTION

Our ethos and development practices prohibit “backdoors” or any other means of compromising the strength of our products for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to weaken the security of our products.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OwcXC3l1bLY/

North Carolina county falls for BEC scam, to the tune of $1,728,083

The North Carolina county of Cabarrus, in the US, says that it’s managed to claw back only some of the $2,504,601 it paid to a scammer posing as a contractor working on building a new high school.

The crooks used social engineering – specifically, what’s known as a Business Email Compromise (BEC) scam – to pose as Branch and Associates, which is a general contractor that’s working on building a new school for the Cabarrus County Schools District.

The scam came to light after Branch and Associates sent a courtesy notice about a missed payment on 8 January. County staff confirmed that the electronic funds transfer (EFT) had, in fact, cleared the month before.

County officials next notified the bank to which the $2.5m was transferred, Bank of America. The bank managed to freeze $776,518.40 of the $2,504,601 that remained in traceable accounts.

The scam is still under investigation by the Cabarrus County Sheriff’s Office and the FBI.

What the investigation has revealed so far: In a series of emails that began on 27 November 2018, the imposters posed as representatives of Branch and Associates in order to spear-phish employees of Cabarrus County Schools and Cabarrus County Government.

Using what looked like valid documentation and signed approvals, they sent a request to “update” Branch and Associates’ banking information. Requests to update bank account information are “routine,” the county noted in its statement about the crime, so that wouldn’t have been enough to raise any red flags.

Next, the crooks waited for the county to transfer its next vendor payment. Once the money was deposited into an account that the swindlers controlled, the funds were then funneled into a number of other accounts.

A growing threat

Ransomware might be racking up the headlines, but in the meantime, BEC scams and the amount of profits they’re netting crooks are continuing to explode. In its 2018 Internet Crime Report, the FBI said that it received 20,373 BEC/email account compromise (EAC) complaints, reflecting losses of over $1.2 billion, last year.

The scams typically involve legitimate business email accounts that have been compromised, be it through social engineering or computer intrusion, to initiate unauthorized transfers.

They’re getting increasingly sophisticated. From the FBI’s 2018 Internet Crime Report:

In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.

We saw an example of an EAC scam in the real estate sector earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia.

As far as sophistication goes, these guys have it down to an art. In one whaling attack (one that’s targeted at the biggest fish in an organization, such as a CEO or CFO) against two tech companies a few years ago, the scammer came up with forged invoices, contracts, and letters that looked like they’d been executed and signed by executives and agents of two tech companies.

The documents bore fake corporate stamps embossed with the companies’ names that were submitted to banks to corroborate the big sums that were fraudulently transmitted via wire transfer: a total of more than $100,000,000.

A twist that the FBI saw in 2018: the scammers are increasingly requesting that their victims purchase gift cards. The victims get a spoofed email, phone call or text, purportedly from somebody in authority, who asks that the victim buy multiple gift cards for either personal or business reasons.

How to keep from being fleeced

There are safeguards that businesses can take to protect against BEC, and then there are those that are good for both businesses and individuals.

As we noted when the FBI busted 74 people in a global BEC takedown in June 2018, defending against this type of fraud is complicated. It involves bolstering defenses for email servers and accounts and improved processes, such as stricter protocols for businesses to check payments.

Cabarrus County says it’s doing just that: it’s hired an accounts payable (AP) consultant and tasked her with redesigning its vendor processes and reviewing its vendor files. The county said that the consultant, Debra Richardson, is “one of the nation’s leading experts in reviewing and strengthening vendor setup and maintenance authentication techniques, internal controls and best practices to reduce the potential for fraud.”

That new vendor authentication process is now in place, and Cabarrus County says that it’s held training for staff. It’s also implemented external checks to validate data received by the county.

Don’t rely on email alone

As the FBI notes, no matter how sophisticated the fraud, there’s an easy way to thwart it: namely, don’t rely on email alone. Rather, authenticate requests to send money with face-to-face or voice-to-voice communications.

FBI Special Agent Martin Licciardo:

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.

Also, here are more tips, for both individuals and businesses:

Watch your Ps and Qs… and apostrophes.
As we saw in the case of crooks who nabbed the proceeds from that $150K home sale, the fraudster did what fraudsters often do: they made an (albeit tiny) punctuation/English usage mistake. Namely, they omitted a possessive apostrophe.

As Naked Security’s Paul Ducklin noted at the time in the comments section of that article, grammatical perfection on its own isn’t enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look askance at an email.

Watch out for weird requests.
In that case, the swindlers insisted that an electronically signed PDF, with their victim’s bank details, specifically be emailed as opposed to being sent via snail-mail. As Paul noted, that makes sense… for crooks. They wouldn’t be able to intercept a document sent via a country’s postal service, after all.

Report it.
Law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h5cAeqdGji8/

Researchers hack camera in fake video attack

Tampering with surveillance cameras is a common activity for Hollywood heroes and criminals alike. Now, researchers have shown how they can do it in real life.

Remember Speed, the 1994 movie where Keanu Reeves and Sandra Bullock had to keep a bus moving above a certain speed to stop Dennis Hopper blowing it up? Hopper’s character, Howard Payne, watches them with a hidden video camera. Any funny business, and he presses the button. To fool him, they persuade a local news crew to record the camera footage and then broadcast it in a loop, enabling everyone to escape while convincing Payne that they were still there.

Back then, cameras were analogue, but researchers at security company Forescout have demonstrated how to do the same thing with digital cameras over a network.

They conducted the project, which they described in a technical paper, to see how easy it would be to attack internet-connected smart building environments rather than save speeding buses. They set up a test network incorporating smart lighting, IP surveillance cameras, and an IoT device that connected energy consumption and space consumption sensors.

Technology may make things more functional, but it also makes them more hackable. Many IP cameras come with weak protocols such as Telnet and FTP enabled by default, they pointed out – even when their users don’t need them. This needlessly increases the devices’ attack surface. They also stream video using the unencrypted Real-time Transport Protocol (RTP), along with the Real Time Streaming Protocol (RTSP) for session control.

There are secure versions of RTP and RTSP, but Forescout’s report said that it rarely sees them used in real-world deployments. You could tunnel the RTSP stream through an encrypted protocol such as a Transport Layer Security (TLS) stream, but again, vendors typically don’t bother.

Forescout’s team verified that they could gain access to the network by compromising an existing device. Given the reliance on default login credentials, this is all too common. Hackers can then use a compromised device to attack other devices on the network.

In this case, they mounted a man-in-the-middle (MiTM) attack by using ARP (Address Resolution Protocol) poisoning to convince devices on the network that their compromised device owned another device’s IP address. They used this to impersonate the camera when talking to the network video recorder, and vice versa.

Inserting themselves in the communication stream between the two devices enabled them to mount two kinds of attack. The first, a denial of service, interfered with the connection between the network video recorder and the surveillance camera. The researchers dropped command requests from the recorder, and did the same with responses from the camera. They could also tamper with the recorder’s requests, forcing it to listen on a different network port, meaning that it wouldn’t see the camera’s video.

They applied some of these techniques in the other attack, which will appeal a bit more to fans of Hollywood movies. They forced the recorder to replay fake footage instead of showing the real live footage from the camera. To do this, they captured video traffic sent from the camera to the recorder. They’d only need a small sample because the images in most surveilled rooms move even less than the inside of a speeding bus.

Then, they forced the camera to end its current session by tampering with a periodic RTSP command that the recorder sends to check that the camera is still there. This caused the camera to stop streaming immediately and made the recorder establish a new session. At this point, the researchers intercepted the session setup command and changed the communications port specified by the recorder. The camera began streaming live video to that incorrect port. Meanwhile, the researchers sent the fake, prerecorded video traffic to the recorder on its original port.
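As an added, defender-side illustration (not Forescout’s code), here is a small Python detector run over a constructed capture of the camera/recorder conversation. It flags the three traces the attack described above leaves on the wire: an ARP mapping change for the camera’s IP, an RTSP SETUP request seen twice with a different source MAC and port, and RTP arriving on a port the recorder never negotiated. All MAC and IP values are hypothetical.

```python
# Added defender-side example (not Forescout's code): a passive detector for the
# three traces the attack above leaves on the wire. The capture below is a
# constructed sample; all MAC and IP values are hypothetical.
from collections import defaultdict

CAPTURE = [
    {"kind": "arp", "ip": "10.0.0.20", "mac": "aa:aa:aa:aa:aa:20"},  # camera
    {"kind": "arp", "ip": "10.0.0.10", "mac": "aa:aa:aa:aa:aa:10"},  # recorder
    {"kind": "rtsp", "src_mac": "aa:aa:aa:aa:aa:10", "src_ip": "10.0.0.10",
     "dst_ip": "10.0.0.20", "method": "SETUP", "cseq": 3, "client_port": 5000},
    {"kind": "rtp", "src_ip": "10.0.0.20", "dst_ip": "10.0.0.10", "dst_port": 5000},
    # poisoning: a new MAC starts answering for the camera's IP address
    {"kind": "arp", "ip": "10.0.0.20", "mac": "bb:bb:bb:bb:bb:99"},
    # after the forced teardown the recorder re-sends SETUP asking for port 5000 ...
    {"kind": "rtsp", "src_mac": "aa:aa:aa:aa:aa:10", "src_ip": "10.0.0.10",
     "dst_ip": "10.0.0.20", "method": "SETUP", "cseq": 7, "client_port": 5000},
    # ... and the man in the middle forwards a copy asking for a different port
    {"kind": "rtsp", "src_mac": "bb:bb:bb:bb:bb:99", "src_ip": "10.0.0.10",
     "dst_ip": "10.0.0.20", "method": "SETUP", "cseq": 7, "client_port": 5002},
    # live video now goes to the port the recorder never asked for
    {"kind": "rtp", "src_ip": "10.0.0.20", "dst_ip": "10.0.0.10", "dst_port": 5002},
]

def analyse(records):
    """Return a list of alert strings for the ARP/RTSP/RTP anomalies found."""
    alerts = []
    arp = {}                       # ip -> first MAC learned for it
    setups = {}                    # (src_ip, dst_ip, cseq) -> (src_mac, port) first seen
    negotiated = defaultdict(set)  # (camera_ip, recorder_ip) -> ports recorder asked for
    for r in records:
        if r["kind"] == "arp":
            old = arp.setdefault(r["ip"], r["mac"])
            if old != r["mac"]:
                alerts.append(f"ARP change for {r['ip']}: {old} -> {r['mac']}")
        elif r["kind"] == "rtsp" and r["method"] == "SETUP":
            key = (r["src_ip"], r["dst_ip"], r["cseq"])
            first = setups.setdefault(key, (r["src_mac"], r["client_port"]))
            if first != (r["src_mac"], r["client_port"]):
                # same request, same CSeq, but a second copy with altered content
                alerts.append(f"SETUP CSeq {r['cseq']} from {r['src_ip']} seen twice: "
                              f"{first} then ({r['src_mac']}, {r['client_port']})")
            else:
                negotiated[(r["dst_ip"], r["src_ip"])].add(r["client_port"])
        elif r["kind"] == "rtp":
            if r["dst_port"] not in negotiated[(r["src_ip"], r["dst_ip"])]:
                alerts.append(f"RTP {r['src_ip']} -> {r['dst_ip']}:{r['dst_port']} "
                              "on a port the recorder never asked for")
    return alerts

if __name__ == "__main__":
    for line in analyse(CAPTURE):
        print(line)
```

On a real network the same checks would be fed from a SPAN port or a tap, and the ARP mapping should be seeded from the known camera and recorder addresses rather than learned from the first packet seen.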

A lot of theoretical attacks are just that, but this one has real potential. You could see how someone might use it to cover up a burglary in a secure facility. Of course, they’d also have to neutralise the other physical protections like burglar alarms and door locking systems first.

The Forescout team also succeeded in hacking smart light bulbs and the IoT gateway. They’ll be presenting their findings at DEF CON next week.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/t4JcdCzKtZI/

Until airbags are fitted to email apps to stop staff opening bad messages, what else can a small biz do to protect itself?

Backgrounder Crime doesn’t pay? Tell that to the small businesses that fall victim to cyber-attacks every year and have to fork out cash to crooks. According to a 2018 survey from the UK’s Federation of Small Businesses, 5.4m of their members were attacked by cyber criminals, resulting in a loss of more than £5bn.

According to a report by insurance company Beazley, 71 per cent of ransomware attacks were aimed at SMEs, with a mean ransom demand of $116,234 (£91,493). What’s galling for these businesses is that 93 per cent of them had implemented some type of cyber protection but it all proved to be ineffective. The European Union Agency for Network and Information Security (ENISA) runs an annual survey looking at computer threats, and found email is the dominant vehicle for delivering such attacks, responsible for 92.4 per cent of malware infections.

ENISA’s report also indicated that phishing attacks have become much more targeted. Gangs are tailoring emails for specific individuals by carefully identifying people’s interests and by aiming emails at those with privileged access to valuable data, such as financial records. Business Email Compromise is a growing form of attack: this is a scam targeting organisations that conduct wire transfers. Typically, crooks send invoices that appear to be legit to finance department staff in an attempt to persuade them to wire money to the fraudsters’ bank accounts on the paperwork. Alternatively, emails appearing to come from the CEO or other high-ranking employees are sent to lower-level finance staff, convincing them to wire money to a particular account or grant the impostors access to workers’ personal files that are then stolen by the crooks.

The more convincing or appealing the email, tapping into an employee’s foibles or weaknesses, the greater the chance that they will fall for the scam. It is quite possible workers are completely unaware of how easily they can be manipulated or exploited, and how great a role they will unwittingly play in the fraudsters’ schemes.

As an example of criminals tailoring their messages to snare specific well-placed staff, social-engineering security consultant Jenny Radcliffe tells a story of a cat lover who was targeted with an email containing a PDF about a cat for adoption. Unfortunately, the PDF was booby-trapped with malware that, when opened, handed criminals access to the entire network of the cat-lover’s employer.

‘Common forms’

The humble PDF has become one manifestation of a growing form of malware attack being employed by cyber criminals: fileless malware. This is a type of software nasty that executes purely in the infected computer’s RAM, and does not touch any storage, making it potentially tricky to detect. ENISA calls such fileless infiltrations the “new norm,” with 77 per cent of successful attacks using fileless malware. Security consultant Brian Honan supports ENISA’s findings. “It’s still one of the most common forms of attacks that we’re seeing,” he told us.

Attack via email and PDF is dangerous because both email and PDFs are such a staple of day-to-day business and because people can be inclined to drop their guard when receiving and opening them. “The problem is that a lot of these businesses don’t think they’re worth hacking. What they forget is that they’re part of a chain and they have to be aware that any information they give is just part of the total picture,” said Radcliffe.

Criminals have benefited from staff who have posted links about themselves or the company that seem trivial: “Where do staff members like to drink? What are the transport links like? When the criminals know this information like this, it makes approaches to the company more credible,” noted Radcliffe.

It’s not just individuals who put information like this online. Businesses do it, too, on their websites. “These can be things like photos of a staff team-building day or information about a major order. I’ve seen photos with a computer background, so I can find the operating system they use from that, or the correct form for their email addresses,” Radcliffe said.

Cyber criminals have, therefore, evolved: not simply content with launching malicious code at vulnerable services, they are carefully targeting the people operating them. What’s a small or medium-sized biz to do? Yes, you can patch a system against malware and known vulnerabilities, but how should you respond when it’s your valuable employees opening the stable door?

You can train staff – tell them what to look for

The cat example was a good demonstration of the way malware slingers rely on feelings (as well as felines). “There are key red flags that organisations should be looking out for,” Radcliffe told us. “Emails that play on emotions: anything that can make you sad or happy. Emails that say that you’ve won something are popular. Or it could be a threat: you’ve been found speeding, for example – these are type of emails that act as a trigger.”

But Honan emphasized the need to go beyond this. “Look at the way that cars are designed,” he said. “They are designed to react to human mistakes. For example, the airbags protect drivers when something goes wrong. But we don’t often implement the same sort of protection when it comes to email. Many of the email platforms don’t have safety measures by default. If we want to protect businesses, we have to make the extra effort to provide enhanced protection.”

Translated: cyber protection demands technological changes, which may be the last thing small businesses want to hear given they are usually short on time, resources, and knowledge.

Fortunately, tools do exist to help, of course: the VirusTotal community’s range of antimalware toolkits will attempt to identify malicious code within attachments and downloads as they arrive.

IT teams can also take some relatively simple measures. These include the adoption of a more rigorous approach to configuring their email systems. One approach that should be employed as standard is TLS cryptography, which encrypts mail in transit between mail servers so that messages are protected before they are received and opened by the human recipient. It’s possible to provision an email system such that it will reject non-TLS messages.

You can verify mail services. Techniques include setting up DomainKeys Identified Mail (DKIM) as anti-spoofing, which will ensure all mail received has been sent by the domain it purports to be from and has not been interfered with en route. The system works by adding a cryptographic signature to the mail headers, which the receiving server checks against a public key published in the DNS records of the sending domain.

‘Clear guidelines’

Finally, you can check the integrity of a sender using Domain-based Message Authentication, Reporting and Conformance (DMARC). This builds on DKIM to verify the sending domain, and also publishes a DNS policy telling receiving servers that DMARC is in operation and what to do with mail that fails the check, adding another layer of protection.
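To make concrete what “DMARC is in operation” means for a receiving mail server, here is an added Python example (not from the article) that parses a published DMARC policy record and turns it, together with the DKIM result, into a delivery decision. Real receivers also evaluate SPF and the `pct` sampling tag, and compare organisational domains using the public suffix list; those are simplified away here, and the DNS record is a constructed sample.

```python
# Added example (not from the article): how a receiving mail server turns a
# domain's published DMARC policy and its DKIM result into a disposition.
# SPF and the "pct" sampling tag are left out to keep the DKIM path clear.
# The record below is a constructed sample.

SAMPLE_DMARC_TXT = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                    "rua=mailto:dmarc-reports@example.com")

def parse_dmarc(txt):
    """Parse a DMARC TXT record (as found at _dmarc.<domain>) into tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def dkim_aligned(from_domain, dkim_domain, mode):
    """DKIM identifier alignment: 's' (strict) needs an exact match with the
    signature's d= domain; 'r' (relaxed) also accepts a parent/child relation.
    Simplified: a real implementation compares organisational domains."""
    if from_domain == dkim_domain:
        return True
    if mode != "r":
        return False
    return (from_domain.endswith("." + dkim_domain)
            or dkim_domain.endswith("." + from_domain))

def dmarc_disposition(policy, policy_domain, from_domain, dkim_pass, dkim_domain):
    """Return 'none' (deliver), 'quarantine' or 'reject' for one message.

    policy_domain: the domain whose _dmarc record was looked up
    from_domain:   the domain in the message's From: header
    dkim_pass:     whether the DKIM signature verified
    dkim_domain:   the d= tag of that verified signature (None if none)
    """
    if dkim_pass and dkim_aligned(from_domain, dkim_domain, policy.get("adkim", "r")):
        return "none"
    # Failed: the subdomain policy (sp) applies when From: is a subdomain of
    # the policy domain; otherwise the main policy (p) applies.
    if from_domain != policy_domain and "sp" in policy:
        return policy["sp"]
    return policy["p"]
```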

As to how SMEs handle attacks, there’s a universal agreement that talk of punitive measures against employees is counter productive. “Companies should be setting clear guidelines,” said Radcliffe. “Staff should know what to do if someone is suspicious about a particular email or phone call. They need to know to report it and where to report it. And make it clear that staff won’t be punished if they accidentally open malware.”

Punishing staff, as some might, can create a climate of fear that will deter employees from admitting that they’ve made a mistake, making it harder to take action against malware until it’s too late.

Social engineering by hackers has become as complex and devious as the code they write. Email-based attacks are not going away, as hackers have recognized the value of this most trusted and ubiquitous of business tools. It’s time, therefore, for SMBs to take stock and work to counteract the rise of email-based malware using basic technology practices and some social engineering of their own.

Supported by SonicWall.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/01/countering_email_threats/

A Realistic Path Forward for Security Orchestration and Automation

Security teams often look to technology to solve their security challenges. Yet sometimes investing in new products can create more issues.

When security teams are challenged with how to mitigate risks, they often look to technology for solutions. Yet sometimes investing in new products can create more issues in the greater security ecosystem of their organizations.

In practice, not all tools and technologies can work together. In many cases, organizations already have dozens or hundreds of different tools and technologies and are often not even aware of all the technologies they are running, let alone what their capabilities are, according to Stephen Cavey, co-founder of Ground Labs.

“It’s not uncommon for organizations looking down the barrel of a skills shortage to scratch their heads and wonder how they are going to overcome that,” Cavey says. “Using technology to overcome that problem is very attractive.”

So how can organizations manage expectations and establish a clear and effective path for moving forward with the promises of security orchestration and automation?

Over the Crest and into the Trough of Disappointment
The idea of security orchestration and automation is itself “the shiny new thing on the block,” Cavey says. However, investing in more technology to solve the problem of disparate tools not working in orchestration is not a silver bullet.

Keeping infrastructure and data secure across the entire organization requires staffing, which is one reason why Cavey says he anticipates a number of failed implementations on the horizon. Many companies have unrealistic motivations when they are investing in these platforms, he says. 

Those motivations are coming from the pain points an organization is feeling, according to Cavey: “There’s incredible pressure coming down from the board for these security teams to be able to say, ‘Tell us you have this; tell us we are in good shape. We have an interest in IT security and knowing that we as a company are not going to be the next headline.'”

Take data loss prevention (DLP), for example. When introduced nearly a decade ago, DLP’s promise to the average CISO was its implementation would protect data and prevent it from being stolen, Cavey explains. “Yet the reality that organizations quickly learned was that they can’t just install the solution and have it achieve what the marketing people promised,” he says. “There’s a lot more devil in the detail.”

For those large, complex infrastructures with lots of different platforms, data sources, and processes that need to be looked at in different ways, one multisuite solution isn’t going to provide a quick fix.

“It wasn’t until 10 to 12 months after purchase that companies started realizing DLP wasn’t perfect. There were caveats to every marketing promise that was made,” Cavey says. “I think we are looking at a repeat of that in this new space of security automation.”

Can Security Tools Work in Harmony?
What many organizations need most is trained engineers who are able to run the programs in today’s complex environments, says Lamar Bailey, senior director of security research at Tripwire. 

He agrees that when struggling with staffing resources, many organizations look to technology solutions. Even solutions from the same vendor may have different user interfaces and workflows rather than ones that are common across a suite of products, he says.

A potential solution that can help address staffing challenges while also ensuring a cohesive environment is to look at software-as-a-service (SaaS) or managed services, Bailey says. “These services help solve the skills gap because the vendor is supplying the manpower and expertise needed to run the services, and the customer can work with them to define what they want delivered.”

Another solution is to look for products with robust APIs to allow for these integrations, says David Vergara, director of security product marketing at OneSpan. “Modern security platforms utilize common APIs like REST that provide the ability to leverage broader third-party data for fraud analysis,” he says. 

Open architected, centralized, cloud-based platforms improve visibility across digital channels, such as online and mobile. In addition, many companies will also offer apps or professional services to create and support the needed integrations. 

Because static, binary authentication security simply doesn’t cut it anymore, Vergara advises the level of security be aligned with the level of risk. “Authentication technology and methods with orchestration dynamically utilize the right authentication method for the associated transaction risk,” he says. “When this occurs, businesses meet security, user experience, and also regulatory compliance goals.”

Managing Orchestration Expectations
The best security orchestration is completely invisible to the end user, according to Vergara. Take the example of a mobile banking transaction that is regularly repeated. In time, it becomes a normal behavior and the risk is low. 

“If any variables change, such as transaction amount, location, unknown device, jailbroken/rooted phone, etc., the risk increases,” Vergara says. “For the low-risk transaction, user authentication can be seamless — i.e., fingerprint scan; however, as the risk increases, additional authentication steps can be required — i.e., face recognition, PIN, behavioral biometrics and others.”

Several technologies are working in the background to make this work. Risk analytics generates an accurate risk score; mobile security assesses the risk of the device and mobile apps; and the authentication methods, orchestrated according to that level of risk, dynamically execute a precise authentication workflow for each unique transaction. As a result, “the exact level of security is applied to each transaction,” Vergara explains.

In order to achieve this level of security orchestration using automation, Vergara says companies should begin with an honest evaluation of what works and doesn’t work across the security ecosystem. “Look at what tools cause friction for business customers, partners, and vendors, as well as those that decrease visibility in key channels, like mobile,” he says. “Identify lower efficiency, such as those that require manual fraud review or produce increased false positives.”

What an organization first needs to have, according to Ground Labs’ Cavey, is a set of mature, established processes. Doing a true assessment of where orchestration and automation can realistically help the business and add benefits will help to identify the actual processes that can work.

“If you take it in bite-size chunks and be very realistic about what you can achieve at the outset and not allow the vendor to promise the world, I think you are in for a much more positive experience as you go on this orchestration and automation journey,” Cavey says.

Image Source: Elnur via Adobe Stock


Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/edge/theedge/a-realistic-path-forward-for-security-orchestration-and-automation/b/d-id/1335372?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple