STE WILLIAMS

The 10 Essentials of Infosec Forensics

Whether it’s your first investigation or 500th, review the basics of IT forensics to streamline and simplify your discovery.

(Image: AboutLife - stock.adobe.com)


Most infosec forensics investigators walk a fine line. They must adhere to specific institutional processes, which, in many cases, are state and federal requirements. But they must also use a certain amount of pragmatism since no two investigations are exactly alike.

So while there may be a corporate best practice of collecting log files from all systems, that approach doesn’t make sense if what you actually need is a single line from one log file to get to the next step of the investigation, explains Richard Rushing, CISO of Motorola Mobility.

“I need to know if this user account logged into that server. And that information may already be somewhere else that doesn’t require me to go through all the log files,” he says. “That’s the sort of thing people overlook sometimes.” Process and pragmatism can work in tandem to help peel back the layers, Rushing adds.

With that in mind, here are 10 tips and refreshers for forensics pros working on IT incidents, suspected or real.


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: https://www.darkreading.com/edge/theedge/the-10-essentials-of-infosec-forensics/b/d-id/1335240?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Master Next-Level Network Defense Techniques at Black Hat USA

Brush up on new DDoS defense tricks, 5G network vulnerabilities, and applications of military strategy to cybersecurity.

Network technology advances at a blistering pace, so it’s critical that cybersecurity professionals stay on top of the latest network vulnerabilities, hacks, and exploits. There’s no better place to do that than Black Hat USA in Las Vegas this August, where an entire Network Defense track of Briefings is dedicated to keeping you abreast of the latest happenings in network security.

Defense Against Rapidly Morphing DDOS offers a rare opportunity to learn from the sustained, rapidly morphing DDoS attacks ProtonMail suffered in 2018. Researchers created an attack toolkit that mimics the ProtonMail attacks and used it to study the efficacy of various defenses against similar threats. What they found: the most effective defense combined an unsupervised machine learning algorithm that establishes a baseline and performs anomaly detection and mitigation with a second machine learning algorithm that tunes the performance of the first. Attend this Briefing to learn how to apply these lessons to your own cybersecurity work.

In Operational Templates for State-Level Attack and Collective Defense of Countries you will examine templates for attacking and defending nations. Militaries have long used doctrinal templates – models based on known or postulated adversary doctrine – to support traditional kinetic warfare training and warfighting. The same approach works well for defending in cyberspace. You’ll receive templates of ways threat actors could disrupt or defeat a country, considering various time horizons and degrees of attribution. Expect to leave this talk with a playbook for how nations might be attacked and defended, a methodology for creating templates and scenarios useful for your own defensive planning, and an enhanced understanding of our collective vulnerability and the need for teamwork to overcome the problem!

Finally, don’t miss New Vulnerabilities in 5G Networks if you’re at all curious about what to expect from the oncoming wave of 5G devices and networks. Researchers will break down the security features of 5G radio networks and reveal new vulnerabilities affecting both operator infrastructure and end devices (including mobile phones, NB-IoT devices, laptops, and so on). You’ll also learn how these new vulnerabilities in the 5G/4G security standards can be exploited using low-cost hardware and software platforms, and see a new automated tool for carrying out practical evaluations and sharing data sets with the research community.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/master-next-level-network-defense-techniques-at-black-hat-usa/d/d-id/1335264?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Let’s open the Mystery Data Security Blunder box, and see what’s inside today… Ah! Hotel reservations and more

Internal hotel biz documents and guest bookings were exposed to everyone on the public internet from an unsecured database managed by tech provider AavGo, it is claimed.

Silicon-Valley-based AavGo hosts management software in the cloud that can be used by clients to juggle reservations and operations, from sorting out cleaning and repair jobs to room service.

We learned today that Daniel Brown, of infosec outfit WizCase, discovered one of AavGo’s ElasticSearch installations was set up to give anyone who found it access to its contents, and the server was inadvertently left facing the public internet.

As such, according to WizCase, anyone stumbling across the system on the ‘net would have been able to peruse and download records – including details of people’s room reservations – stored on behalf of hotels using AavGo’s technology. The ElasticSearch silo was removed from public view after WizCase alerted AavGo this month.

“The reason this happened is that there’s an ElasticSearch engine that’s installed on this server with no authentication mechanism activated and the server itself is accessible from the internet, making the ElasticSearch data open for anyone to look at – and this server has logs from production systems so it has a lot of sensitive information,” said WizCase’s Chase Williams in a write-up on Tuesday.

“Servers with ElasticSearch installed on them aren’t meant to be open to the internet – this engine was developed for use in closed internal networks. That’s why it doesn’t even have password authentication activated by default.”

Just what was exposed, and how much of it, are points of contention between AavGo and WizCase.

AavGo told The Register the exposed database did not contain any personal info beyond names, phone numbers, and email addresses. The biz also insisted no payment card details were stored, and nobody other than Brown is believed to have spotted the server before it was secured.

Meanwhile, WizCase claimed that among the eight million entries it found within the leaky database were collections of reservation details (how long people stayed in rooms and when, how many people stayed per room, their personal details, check-in information, payment type, and so on) as well as corporate information (such as per-room revenues, work orders, and cleaning crew information.)


“Over eight million entries are available in this data leak, with a combination of company, client, and guest details included,” said Williams. The databases were, we’re told, managed on behalf of Guestline Property Management, and Equinox Solutions, which in turn provide online management tools to hoteliers. Think of AavGo as a software-as-a-service backend provider, with other suppliers building services on top of it that are then used by hotels.

AavGo, meanwhile, claimed the number of customers actually exposed by the misconfigured server was far lower: apparently as low as just 300 rooms. And it claimed no one other than WizCase staff accessed the database because, er, it saw no automated siphoning off its content.

“Based on our investigation we have determined there was no data breach; however, we did find a potential vulnerability. We have taken all steps to close the vulnerability,” AavGo said in a statement to El Reg.

“We do not take any payment information from any of our customers or our partners and we don’t process any payments for any guests. The scope of this vulnerability was limited to only 300 hotel rooms’ data – name, address, phone number, email for the guest. No other assets had any PII [personally identifiable information] data. Based on our detailed IP investigation, we have not seen any scripted events in our logs, allowing us to reaffirm that there was no data breach.”

Chalk this up as yet another almost-daily embarrassing database exposure caused by a poorly configured internet-facing server.

While locking off sensitive information from public access seems like a no-brainer, it’s all too easy for developers to spin up cloud instances, misconfigure them, and leave information lying around on the web for anyone with a Shodan.io account, or access to a similar search tool, to find. Folks, at the very least, firewall off your databases from the outside world. ®
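The exposure WizCase describes, an Elasticsearch node reachable from the internet with no authentication, is visible in the node's own configuration before anyone scans for it. The following Python script is an added example, not AavGo's or WizCase's code: it parses the flat `key: value` lines of an elasticsearch.yml and flags a non-loopback network.host combined with security switched off. The two configuration texts are constructed for illustration, not recovered from the incident; the settings they use (network.host, http.port, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings, and an absent xpack.security.enabled is treated as "off", which was the default for self-managed nodes before Elasticsearch 8.0.

```python
"""Audit an elasticsearch.yml for the open-to-the-world pattern.

Added example, not the code of any party named in the article. The two
configs below are constructed. Settings inspected are real Elasticsearch
settings; a missing xpack.security.enabled is treated as off (the pre-8.0
default on self-managed nodes).
"""
import ipaddress

# network.host values that keep the node reachable only from the same machine
LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}

# Constructed: a node bound to every interface with no authentication
OPEN_CONFIG = """
cluster.name: hotel-ops
node.name: es-prod-1
network.host: 0.0.0.0      # listens on all interfaces
http.port: 9200
# xpack.security.enabled not set -> authentication off on pre-8.0 nodes
"""

# Constructed: the same node locked down
HARDENED_CONFIG = """
cluster.name: hotel-ops
node.name: es-prod-1
network.host: 127.0.0.1    # only local clients (or a reverse proxy) can connect
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Minimal parser for the flat `key: value` lines elasticsearch.yml uses.

    Strips comments, skips blank lines and does not handle nested blocks,
    which is enough for the settings audited here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def binds_beyond_loopback(host):
    """True if a network.host value lets other machines reach the node.

    Special values such as _site_ and _global_, and interface names such as
    _eth0_, bind to non-loopback addresses, so anything that is not a known
    loopback value or a literal loopback IP counts as exposed.
    """
    if host in LOOPBACK_VALUES:
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def audit(config_text):
    """Return a list of findings; an empty list means nothing to report."""
    s = parse_flat_yaml(config_text)
    host = s.get("network.host", "_local_")   # Elasticsearch binds loopback when unset
    port = s.get("http.port", "9200")
    exposed = binds_beyond_loopback(host)
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    findings = []
    if exposed and not auth_on:
        findings.append(
            f"CRITICAL: bound to {host}:{port} with security disabled; "
            "anyone who can reach the port can list and dump every index"
        )
    elif exposed:
        findings.append(
            f"WARN: bound to {host}:{port}; authentication is on, but still "
            "restrict the port with a host firewall or security group"
        )
    if exposed and not tls_on:
        findings.append("WARN: REST API served without TLS; credentials and data cross the wire in clear")
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Run it as a script to see both verdicts, or call audit() on a file's contents from a build or deployment check. Binding to loopback removes the API from the network entirely, which is the cheapest version of the fix the article calls for; enabling authentication and TLS matters when the node must serve other hosts, and a host firewall or cloud security group still belongs in front of it either way.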


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/16/aavgo_hotel_data_breach/

It was totally Samsung’s fault that crims stole your personal info from a Samsung site, says Samsung-blaming Sprint

Sprint has told some of its subscribers that a piss-poor Samsung website exposed their personal details to the internet.

The North American mobile carrier is right now sending out letters (PDF) to unlucky customers whose account and device details were leaked onto the web thanks to, apparently, dodgy Samsung coding and miscreants.

“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com ‘add a line’ website,” Sprint wrote in its missive to aggrieved subscribers.

“The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services.”

Here’s what happened: fraudsters somehow obtained and used some Sprint customers’ account information to log into the Samsung add-a-line website and, from there, gathered additional personal details on Sprint accounts. Add-a-line is or was, from what we can tell, a means to add additional services to your phone’s postpaid monthly voice plan.

PIN pointed

The disclosure notice did not specify whether those Sprint customer details were used for any further shenanigans, but Sprint did say it was resetting customer PINs in at least some cases. The carrier did not say how many of its customers were affected.

“No other information that could create a substantial risk of fraud or identity theft was acquired,” Sprint added.

Samsung, for its part, admits its site was the source of the leak, but said the credentials used by the attackers were gathered elsewhere.

“Samsung takes security very seriously. We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung,” a Sammy spokesperson told El Reg.

“We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts.”

While Sprint did not say it would be offering any identity protection services, the carrier is advising customers to keep a close eye on their accounts and consider placing a credit fraud alert and notifying authorities if any suspicious activity is found. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/16/sprint_loses_customer_data_blames_samsung/

Security Snapshot: OS, Authentication, Browser & Cloud Trends

New research shows cloud apps are climbing, SMS authentication is falling, Chrome is the enterprise browser favorite, and Android leads outdated devices.

As cloud and mobile adoption skyrocket, businesses seek new and stronger ways to protect applications and data. In some ways, many have grown smarter about data access and security. In others, research shows they still have some work to do.

The 2019 Duo Trusted Access Report amasses data from 24 million devices, 1 million applications and services, and 500 million authentications across North America and Western Europe to unearth trends in technology and cybersecurity. Its findings show a rise in Windows 10, greater biometric adoption, and an increasingly mobile workforce reliant on cloud. But researchers also found businesses running outdated operating systems and popular browsers.

Application integration is up across most key categories. The number of customers per cloud app is up 189% year-over-year, and the number of authentications per customer per app is up 56%. Remote access rose 89% as more people work outside the office but still need application access: Nearly half (45%) of requests for protected apps came from outside the organization.

The massive spike in cloud applications means any given employee has at least two or three cloud apps they use to do their jobs, says Wolfgang Goerlich, advisory CISO for Duo Security. “It was a big explosion of shadow IT,” he adds. “It really got away from a lot of the organizations.” Some people often use the same applications for personal and business use, driving the need for businesses to enforce their security policies for cloud-based applications and resources.

Inside Authentication Trends

SMS-based authentication has continued to fall. Less than 3% of businesses use SMS authentication in 2019, compared with 6% to 8% in 2016. At the same time, biometric authentication saw its fourth year of growth: 77% of devices scanned have configured biometrics including Apple Touch ID and Face ID, Android fingerprint scan, and Windows Hello.

“It’s good to see where people have alternatives, they’re using less direct SMS authentication,” says Wendy Nather, director of advisory CISOs at Duo Security. While most businesses (68%) surveyed rely on Duo Push for primary authentication — researchers scanned Duo customers to collect their data — she notes it’s interesting to look at secondary methods across industries.

The profiles and percentages of authentication methods tend to vary across different verticals depending on the circumstances, Nather continues. Heavily regulated areas such as the federal government are more likely to use a hardware token to establish trust, while phone calls are common among healthcare, higher education, and non-federal government organizations.

Hardware tokens are “generally still seen in high-discipline environments, where the risk case makes sense and where they can afford it,” she explains, pointing to government and finance. Healthcare’s reliance on phone calls “has a lot to do with the situation in healthcare institutions and clinics,” she adds. “From a logistics point of view, it’s easier for a doctor or nurse on staff to pick up a phone line rather than try to fumble for any number of mobile phones.”

Businesses are tightening control on access from specific places. At least 3 million authentications have been denied in 2019 due to location restrictions, and access has been denied from 178 countries. The top five restricted locations are China, Russia, the United States, India, and France. Duo says the US is the third most restricted location because companies based outside the US do not allow authentication from outside their home country.

More than half (51%) of companies using Duo have blocked at least one authentication from a restricted location. Other common enterprise policies include requiring users to have a screen lock (27%), disk encryption (22%), and disallowing access from anonymous IP addresses (20%).

OS and Browsers: Windows 10 Grows, Android Outdated

Since 2017, Windows 10 has grown from 48% to 66% adoption as Windows 7 has fallen from 44% to 29%. While Windows 7 is declining overall, some industries are still hanging on. Those fastest to adopt Windows 10 are wholesale and distribution (86%), business services (80%), and nonprofits (70%). Those still mostly relying on Windows 7 include transportation and storage (62%), computer and electronics (54%), and healthcare organizations (52%).

As work goes mobile, the balance of OS popularity is shifting: Windows remains the dominant enterprise OS, but its share fell 8 points year-over-year to 47%. In the same time frame, iOS jumped 7 points to 23%, and Android rose 2 points to 10%. MacOS fell 1 point to 17%.

“When we see more adoption and more use of mobile devices, we may be seeing an ergonomic trend,” Nather says of Apple device popularity. “When users have a choice of what device they’re going to use on a particular task, this is what they tend to pick.”

Android was the leader for out-of-date devices; 58% are not running the latest security patch. Overall, operating systems are more frequently updated in 2019 than in 2018, but Android continues to be the least updated, followed by macOS (51%), Chrome OS (39%), and iOS (38%).

Google Chrome is the most popular enterprise browser; Internet Explorer comes in last. A Chrome zero-day disclosed in March 2019 motivated businesses to improve browser security: following its disclosure, Duo saw a 30x increase in denied authentications and a 79% increase in policies that allow access to data and applications only from the latest browser versions.

“What this says to me is organizations are using this as part of their incident response process,” says Nather. “They were protecting themselves even if they couldn’t control devices, and saying everyone has to update. It’s a great step forward in terms of giving control back to CISOs.”

Microsoft Edge is the most out-of-date browser, with 73% of devices running an outdated version. Internet Explorer is the most up-to-date browser; however, since the last version of IE was released in 2013, businesses still relying on it should consider switching to another browser. Still, as Nather points out, IE remains a “mainstay” in many organizations.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/security-snapshot-os-authentication-browser-and-cloud-trends/d/d-id/1335262?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Lenovo NAS Firmware Flaw Exposes Stored Data

More than 5,100 vulnerable devices containing multiple terabytes of data are open to exploitation, researchers found.

Thousands of users of Lenovo network-attached storage devices are at risk of data compromise via a firmware-level vulnerability.

The flaw, which is present in certain models of the NAS products, allows unauthenticated users to view and access data stored on the devices, and is trivially easy to exploit via the Application Programming Interface, researchers from Vertical Structure and WhiteHat Security said this week.

An initial investigation of the issue uncovered at least 5,114 of the devices exposed on the Internet with over 3 million files vulnerable to the issue. But the total number of such at-risk Lenovo storage systems could be higher.  

The researchers found that Google had already indexed several of these exposed devices, resulting in some 13,000 spreadsheet files with 36 terabytes of data available on the Web. Many of the exposed files had sensitive data in them, including credit card numbers and financial records.

“The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner,” says Simon Whittaker, director at Vertical Structure. “It is similar to thousands of open [AWS] S3 [storage] buckets being discovered.” 

The devices impacted by the issue include several models of Iomega’s StorCenter and LenovoEMC’s series of NAS systems. Several of the impacted models have reached end-of-life status, so Lenovo is no longer supporting or maintaining them.

High Severity Issue

In an alert Tuesday that lists all impacted devices, Lenovo described the vulnerability as high severity because it allows unauthenticated access to files on NAS shares via the API. The company urged users of vulnerable devices to immediately update their firmware to the latest available version.

In situations where a user might not be immediately able to update the firmware for any reason, they should remove any public shares and use the device only on trusted networks, Lenovo said. By taking this measure organizations can achieve “partial protection” from the vulnerability, according to the vendor.

Whittaker says Vertical Structure uncovered the issue last fall when a routine Shodan scan unearthed a collection of unmarked files that researchers were later able to trace back to external hard drives from Iomega. After some investigating, the researchers found the external hard drives would leak information through specially crafted requests via an API, but not through their Web interface, he says.

Researchers from Vertical Structure then worked with counterparts from WhiteHat Security to confirm the vulnerability and later inform Lenovo about it.

In the devices found directly accessible from the Internet, all that an attacker would need to grab data from them is knowledge of the NAS’s IP address, Whittaker says. And for devices not directly accessible from the Internet, an attacker would need to be on the same network in order to exploit the vulnerability, he says.

When Lenovo itself was first informed of the issue, the company pulled three versions of its NAS software out of retirement so users could continue to utilize their product while a fix was being readied, Vertical Structure said.

The firmware update the company has released fundamentally changed the API and the Web interface, in order to secure it, Whittaker explains.

The data in the vulnerable devices presents a treasure trove of information about people and organizations, he notes. “By putting this information online they assumed it would be secure and protected by the username and password,” Whittaker says. “But this was incorrect.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/lenovo-nas-firmware-flaw-exposes-stored-data-/d/d-id/1335263?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GandCrab ransomware revisited – is it back under a (R)evil new guise?

Remember GandCrab?

It was a well-known strain of ransomware that was sold as a ‘service’ on the cyberunderground.

The idea of CaaS, or crimeware-as-a-service, is borrowed from the outsourcing and cloud computing models that regular businesses use.

These days, for example, if you want to publish your own videos, you don’t have to learn about video compression, colour gamut, pixel formats, transcoding, bitrates, how to run a live streaming server, or any of that stuff…

…you just press [Record] on your phone, capture your video footage and then click a button to share the video with anyone you like via a whole range of free video hosting networks such as YouTube.

CaaS works in a similar fashion – if you want to have a go at making money out of ransomware, for example, and you know the right places to go in the cyberunderground, you can get someone else to take care of the technical side in return for a cut of the takings – no upfront fees.

Instead of learning about malware, teaching yourself how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, and so on…

…all you have to do is sign up, download your malware samples as needed, and victimise individual and organisations with your ready-made ransomware.

The crooks behind the service collect the ransoms, distribute the decryptors, even offer online ‘tech support’ to victims to make sure they know how to buy bitcoins, how to make payments, what to do after they’ve paid, and so on.

You take the front-line risk of getting caught red-handed using the malware; the crooks run the back-end systems in comparative anonymity and take a cut of the proceeds in return.

Notorious ransomware-as-a-service (RaaS) platforms have gone by names such as Satan, Philadelphia and RaaSBerry.

And, until this year, there was GandCrab, whose operators claimed to have shut up shop at the start of June 2019:

All the good things come to an end… Earnings with us per week averaged $2,500,000. We personally earned more than 150 million dollars per year. […] We are leaving for a well-deserved retirement.

The crooks even finished their announcement with a series of ‘testimonials’, publishing quotes from organisations including Microsoft and Europol to brag to the world just how criminally disruptive they had been:

However, according to cybersecurity journo-sleuth Brian Krebs, the gang may well have shifted sideways within, rather than moved out of, the RaaS game.

Krebs argued in a recent article that similarities between GandCrab and a recent ransomware strain that dubs itself Sodinokibi suggest that the GandCrab crew never really went away.

Sodinokibi is also known more catchily as REvil, and as Sodin for short. Sophos products block the samples mentioned in this article as Mal/Kryptik-DJ, if you want to look through your logs for detections.

Krebs describes how an underground forum operator known only as Unknown announced a new ransomware project, months before the GandCrab “goodbye” message.

Unknown was seeking a small number of affiliates (the legitimate-sounding name callously given by crooks to their online partners-in-crime) to join a low-key malware distribution network that aimed to “go under the radar”.

Affiliates would pocket 60% of the ransom revenue for their first three payments, said Unknown, followed by 70% thereafter.

The core crooks keep 30% for running everything behind the scenes – a ‘royalty’ fee that is eerily copied from mainstream cloud services such as iTunes.

Sodinokibi samples have already appeared in real-world attacks – Cisco Talos researchers documented a case they investigated earlier this year in which the attackers used a web server exploit against Oracle WebLogic to initiate their attack.

The malware was deliberately implanted by the attackers after they’d broken into a network rather than mass-mailed as attachments or spammed out as download links.

Many modern ransomware attackers follow this approach – sadly, the theory seems to be that if you attack one organisation at a time and encrypt some, most or all of its network in one go, it’s easier to blackmail your victim than if you try to squeeze money out of hundreds or thousands of scattered, individual victims, each with one infected device.

It’s also easier to “go under the radar”, to borrow Unknown’s words, if you deploy your malware samples one-at-a-time, playing your ransomware cards close to your chest by targeting just one organisation with each sample.

What an attack looks like

Once the Sodinokibi ransomware detonates, you’ll see a README file on your Windows desktop, telling you what to do next:

The pay page itself is surprisingly professional looking, with the clean, clear appearance of many modern corporate websites, but with a very different sort of sales pitch.

The price when we checked was $2500, converted to Bitcoin at the current rate, but we were warned it would double to the equivalent of $5000 after four days:

What to do?

Sadly, ransomware attacks show little sign of abating, and whether the Sodinokibi crew are just the GandCrab crooks back for more or a new wave of criminals doesn’t change the defensive strategies you need to take.

So, our usual anti-ransomware advice applies, including the rather obvious reminder that “the only backup you’ll ever regret is the one you didn’t make.”

In short:

  • Patch early, patch often. Don’t make it easy for the crooks to get in through the back door.
  • Pick proper passwords. Don’t make it easy for the crooks to get in through the front door.
  • Use two-factor authentication. Lock the front door, and bolt it too.
  • Make regular backups. Ransomware isn’t the only way you can lose your files, so don’t risk keeping only a single copy.
  • Keep an off-site backup. Ransomware often tries to find and wipe out any online backups first – so offline backups are your backup’s backup.
  • Think before you click. Never open attachments or click through to web links just because an email tells you to.
  • Use an up-to-date anti-virus, web filter and exploit blocker. Ransomware that can’t run can’t even read your files, let alone overwrite them.

For more advice, please check out our END OF RANSOMWARE page.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VQ3JxNkh-FU/

Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet

Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface.

Infosec outfits Vertical Structure, based in Northern Ireland, and WhiteHat Security, headquartered in Silicon Valley, together found and reported the vulnerability to Lenovo, we’re told. If you’re thinking, wow, Iomega, I didn’t know they were still going: EMC bought it in 2008, and in 2013, a Lenovo-EMC joint venture rebooted the brand as LenovoEMC gear.

We’re told this file-leaking flaw was discovered last autumn by a Vertical Structure employee who found a strange bunch of files showing up in search results on Shodan.io, a website for finding all sorts of public-facing systems, from bog-standard web servers to power plant equipment and Internet-of-Things gizmos.

After some digging, Vertical Structure concluded the documents were being offered to the internet, without any password or other authentication checks, via an unprotected API call: an interface programs use to talk to each other. That means anyone aware of the API and its security shortcomings could have searched Shodan for vulnerable public-facing Iomega NAS drives, and siphoned off strangers’ file systems.

“The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner,” Vertical Structure director Simon Whittaker told El Reg on Monday. “It is similar to millions of open [AWS] S3 buckets being discovered.”


The API was eventually tracked down to an older set of Iomega NAS boxes that were, via the dodgy interface, leaving millions of files exposed to the web. It appears the API is provided to share files over the network, as you’d expect from a network-attached storage device. Unfortunately, however, this API can be accessed without any password, which is super-bad news for those facing the public internet, as many were and still are.

“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled 3,030,106,” Vertical Structure and WhiteHat said in a summary of the bug, shared with El Reg ahead of its public distribution on Tuesday.

“Within these files, there was a significant number of files with sensitive financial information including card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded LenovoEMC in a joint venture.”

Of those three million files, Whittaker said 405,398 were images, 20,055 were documents, 13,677 were spreadsheets, and 13,972 were text documents.

After realizing the extent of the exposure, Vertical Structure called in WhiteHat, who ran their own investigation into the leak and confirmed that public-facing Iomega-LenovoEMC devices were in fact spewing data onto the internet.

The two companies then alerted Lenovo to the problem, and the vendor responded by bringing the software out of retirement to address the bug. Details of the API flaw were not shared as the patch for the hole has only just landed, we understand.

In short, check you’re running the latest firmware on your Iomega or LenovoEMC NAS box in order to protect against attack. Lenovo declined to comment, although a spokesperson told us it will release a customer advisory on Tuesday with more information. We imagine the memo will appear here at some point. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/16/iomega_nas_boxes/

Maybe double-check that HMRC email? UK taxman remains a fave among the phisherfolk

The UK’s National Cyber Security Centre (NCSC) has had another busy year trying to disrupt cybercrime.

The government agency today reported that in the past 12 months, it stopped 140,000 phishing attacks and took down more than 190,000 fraudulent sites and services.

Impersonating the taxman remained phishers’ favourite pastime, with 6,752 attacks involving HMRC stopped in 2018 – more than any other public sector department.

The second favourite was the government portal (Gov.uk), followed by the (now defunct) Government Gateway identification service, DVLA and the TV Licensing service. The top 10 was rounded out by the BBC, Student Loans Company and three unnamed universities.

The report called this a marked improvement on 2017: “The number of groups we’ve taken down targeting HMRC has fallen by 46 per cent when comparing 2017 and 2018.

“As a proof of principle, it seems that we can affect the return on investment for criminals and demotivate them from attacking things we care about.”

The NCSC also discovered that at least 318 public sector networks and 168 unique organisations were still using Windows XP – the OS that hasn’t seen a single security patch since the middle of 2014.

These and other public sector close calls were disclosed in an 84-page sequel to last year’s report, imaginatively titled “Active Cyber Defence – The Second Year” [PDF].

The Active Cyber Defence programme was launched in 2017 to “protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time”.

In reality, it appears that its primary purpose is to protect the government against reputational damage that manifests when its websites and services are implicated in cybercrime, and safeguard public sector employees against fraud.

The responsibility for these tasks was laid on the shoulders of NCSC, a relatively new government body established under the auspices of the Government Communications Headquarters (GCHQ) in 2016.

Its duties include using automated tools to discover illegitimate websites, then informing ISPs and “asking, very nicely, if they wouldn’t mind awfully removing it”. The agency doesn’t serve legal papers on the hosters because of the length of the process.

Not everyone complies with these voluntary requests fast enough: the agency singled out French hoster OVH and American giant GoDaddy as increasingly tardy. “We are in discussions with GoDaddy to help optimise the interaction between our takedown processes,” the agency said.

The report also noted that NCSC prevented 1.4 million employees in the public sector from visiting malicious sites. As part of the effort, the agency used something called PDNS, a protective DNS service that refuses to resolve domains previously found to be engaged in suspicious activity.

This system was able to block 57.4 million malicious queries in 12 months. These included 13,800 queries for at least 20 named (i.e. famous) botnet C&C (command-and-control) systems, including Betabot, Graybird, Katrina, Lokibot, StealRat and Godzilla.

“The PDNS service has proven its value already, providing a real protective effect at scale to the subscribed customers. In the next year of service, we are intending to retender the service and look to onboard more public sector customers,” the report said.

Surprisingly, a few queries identified by PDNS were related to the infamous Conficker worm. “Yes, Conficker,” the incredulous authors wrote in a footnote. “The same one from 2008. It’s still active somewhere in public sector.”
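As an added illustration of the blocking behaviour described above (this is not NCSC or PDNS code, and the blocklist and resolver log are constructed sample data with placeholder names), the following Python replays a query log through a protective-resolver filter. The point it makes that the text does not: matching has to be label-wise, so a blocked `bad-example.test` also covers `update.bad-example.test` but does not accidentally catch `notbad-example.test`, and the useful output for an analyst is which client tried to reach a blocked name.

```python
"""Toy protective DNS filter: refuse queries for names on a blocklist,
including any subdomain of a blocked name. Not NCSC code; sample data
below is constructed."""
from collections import Counter
from typing import List, Optional, Tuple

# Constructed blocklist: placeholder names, not real indicators.
BLOCKLIST = {"bad-example.test", "c2-example.invalid"}

# Constructed resolver log, one query per line: client qname qtype
SAMPLE_LOG = """\
10.0.0.5 www.gov.uk A
10.0.0.5 update.bad-example.test A
10.0.0.9 c2-example.invalid A
10.0.0.9 cdn.c2-example.invalid AAAA
10.0.0.7 notbad-example.test A
10.0.0.7 mail.example.org MX
"""


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def matched_entry(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that covers qname, or None.

    The walk strips one leading label at a time, so 'notbad-example.test'
    does not match 'bad-example.test' (a naive endswith() check would)."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def filter_log(log: str, blocklist=BLOCKLIST) -> Tuple[List[str], Counter]:
    """Replay a query log through the filter.

    Returns the query names that would be resolved normally, and a Counter
    of blocked queries keyed by client address (the clients are what an
    analyst follows up on, since a blocked query means an infected or
    misdirected host inside the network)."""
    allowed: List[str] = []
    blocked_by_client: Counter = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        client, qname, _qtype = line.split()
        if matched_entry(qname, blocklist) is not None:
            blocked_by_client[client] += 1
        else:
            allowed.append(normalise(qname))
    return allowed, blocked_by_client


if __name__ == "__main__":
    resolved, blocked = filter_log(SAMPLE_LOG)
    print("resolved:", resolved)
    print("blocked per client:", dict(blocked))
```

A real service would feed the blocked-by-client counts back to the subscribing organisation, which is where a figure such as the report's 57.4 million blocked queries comes from.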

The Second Year also detailed a sophisticated phishing operation that involved emails sent from a fake gov.uk address, purporting to be from an organisation in the aviation sector. The campaign took place in August 2018, involving 200,000 emails in an attempt at advance fee fraud.

The NCSC discovered and stopped the attack by using Synthetic DMARC (Domain-based Message Authentication, Reporting and Conformance), a system developed by the agency to analyse and vet non-existent subdomains like theregister.gov.uk.

“Be clear though: this remains an evil hacky kludge and we need a better way to express policy ownership in domain hierarchies,” the report admitted.

“The problem with DMARC is that it only protects against a small fraction of the threats on email,” said Tim Sadler, CEO at cybersecurity firm Tessian. “Businesses and government agencies should be aware that a high percentage of emails employees receive are still not DMARC authenticated. This means that while their own domain may be protected from direct impersonation, their employees remain vulnerable to direct impersonation of their external contacts.”
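To make concrete why a non-existent subdomain such as theregister.gov.uk is awkward for DMARC, here is an added Python illustration of standard DMARC policy discovery as RFC 7489 specifies it (look up `_dmarc.<From domain>`; if there is no record, fall back to the organizational domain and apply its `sp=` subdomain policy). This is not NCSC's Synthetic DMARC and not code from the report; the DNS TXT table, the tiny stand-in for the Public Suffix List, and the domain example-dept.gov.uk are all constructed for the example.

```python
"""Standard DMARC policy discovery (RFC 7489 section 6.6.3), illustrated
over a constructed DNS table. Not NCSC code."""
from typing import Dict, Optional

# Constructed stand-in for the Public Suffix List: only the entries needed here.
PUBLIC_SUFFIXES = {"uk", "gov.uk", "co.uk"}

# Constructed DNS TXT records (example-dept.gov.uk is a placeholder domain).
DNS_TXT: Dict[str, str] = {
    "_dmarc.example-dept.gov.uk":
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example-dept.gov.uk",
    # Present on purpose: discovery never reaches it for theregister.gov.uk,
    # because gov.uk is a public suffix, not an organizational domain.
    "_dmarc.gov.uk": "v=DMARC1; p=reject",
}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse a DMARC TXT record into tag/value pairs.

    Returns None unless the record starts with v=DMARC1 and carries a p= tag,
    the minimum a usable record needs."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def organizational_domain(domain: str) -> Optional[str]:
    """Organizational domain = longest matching public suffix plus one label.

    Returns None when the domain is itself a public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels) in PUBLIC_SUFFIXES:
        return None
    for i in range(1, len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)                    # assumption: no known suffix, keep whole name


def dmarc_policy(from_domain: str, dns: Dict[str, str] = DNS_TXT) -> Optional[str]:
    """Policy ('none', 'quarantine' or 'reject') that applies to mail claiming
    to be from from_domain, or None when DMARC yields no policy at all."""
    from_domain = from_domain.lower().rstrip(".")
    tags = parse_dmarc(dns.get("_dmarc." + from_domain, ""))
    if tags:
        return tags["p"]                       # the domain's own record wins
    org = organizational_domain(from_domain)
    if org is None or org == from_domain:
        return None                            # nothing above us to fall back to
    tags = parse_dmarc(dns.get("_dmarc." + org, ""))
    if not tags:
        return None
    return tags.get("sp", tags["p"])           # sp= governs subdomains, defaults to p=


if __name__ == "__main__":
    for sender in ("example-dept.gov.uk", "newsletter.example-dept.gov.uk",
                   "theregister.gov.uk", "mail.theregister.gov.uk"):
        print(f"{sender:35} -> {dmarc_policy(sender)}")
```

Run it and theregister.gov.uk comes back with no policy even though a record sits at `_dmarc.gov.uk`: the lookup stops at the organizational domain, and gov.uk is a public suffix, so a policy published at that parent can never cover a made-up child. That is the "policy ownership in domain hierarchies" gap the report complains about, and it is also Sadler's point in reverse: any external sender whose domain returns None here is one your employees receive unauthenticated mail from.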

And finally, the NCSC detailed all the new initiatives it started in 2019, the results of which will be published in 2020. These include removal of web shells in the UK, notification of “non-consensual” crypto-mining on UK sites, managing advance fee fraud related to the UK legal system, and compromise of UK-based Magento shopping carts with credit card skimming code. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/16/doublecheck_that_hmrc_email_british_tax_man_remains_phishers_favourite/

Is 2019 the Year of the CISO?

The case for bringing the CISO to the C-suite’s risk and business-strategy table.

PwC reported that 81% of investors and analysts responding to its 2018 Global Investor Survey ranked cybersecurity among the top three threats to business; more than half of those said that cybersecurity was the No. 1 biggest threat to business. The natural upshot should be that the CISO is more important to business strategy — but in many cases, that’s an uphill climb.

The traditional view of the CISO is that of a specialized mini-CIO — existing to achieve compliance, put out security fires, and stand in as a scapegoat for when something inevitably goes wrong so the CIO doesn’t have to take the heat. A case in point: Target had no CISO when it suffered its infamous point-of-sale mega breach in 2013; consequently, it was Target’s then CIO who was compelled to resign shortly thereafter. Only then did Target create and fill a CISO position, answering to the new CIO.

Across both the private sector and the public sector, the plurality of CISOs report to the CIO. A subset of enterprise organizations, however, are increasingly realizing that this is a suboptimal approach.

For starters, many have recognized that having the CISO answer to the CIO presents a conflict of interest, because the two have different budgetary interests and are measured against different objectives. CISOs are so security-driven that “security” is right in their job titles, whereas CIOs are pressured to make decisions that favor business agility above all else; for them, security is an afterthought compared with functional viability. And a CISO who reports to a CIO or other IT operations manager is unlikely to report his or her boss to the legal department for the compliance failures that inevitably follow.

Over the past few years, Congressional staffers, federal and state regulatory bodies, and industry collaboratives alike have made these same observations, specifically dictating that CISOs report to a risk officer, the general counsel, the CEO, or even straight up to the board of directors. Lately, these recommendations and requirements have begun to take hold. A May 2018 industry report from Dark Reading about the role of CISOs notes that CISOs have at least a “dotted reporting structure” — if not a direct one — to boards and/or CEOs. This reporting structure is crucial not only for mitigating liability and compliance risks (i.e., so that, after an inevitable data breach, the company can show regulators that its board of directors and CEO met with the CISO on cybersecurity issues x number of times every year), but also for crafting cybersecurity and data-stewardship solutions for effective business strategy going forward. Without the CISO, boards and CEOs may not even be able to identify the right questions to ask or the right problems to solve in the first place.

The whole concept of a CIO indicates that that person has full control of the company’s infrastructure and IT decisions. A CISO would typically be a part of that, but that’s not necessarily reflective of what the pecking order should be. Just because the CISO will work extensively with the CIO doesn’t mean that the CISO should report to the CIO — just like the general counsel shouldn’t report to the executive vice president of sales just because the legal department has to work extensively with the sales teams. These are separate entities working together incidentally — and the IT team and the information security team are likewise separate from each other.

This is because the CISO position is no longer a niche technology role. Cyber presence is sufficiently ubiquitous today that, for many enterprise organizations, the Internet is their primary (if not only) go-to-market platform. In this environment, the CISO’s job must be to step to the forefront and evangelize the following bullet points:

All of these bullet points combined make for a grander and more important message, which is one that investors already know: “Cybersecurity is about extreme monetary risk.”

And there you have it. CISOs deal with far heavier risk assessment and risk management issues than do generalist IT leaders — to the point where their job is all about risk and only incidentally about IT, rather than the other way around. The CISO job therefore needs to be part of the organization’s risk hierarchy instead of the IT department. The CISO is, first and foremost, a risk manager — a digitally present risk manager, but a risk manager nonetheless.

Let the CISO answer accordingly.


Terry Ray has global responsibility for Imperva’s technology strategy. He was the first US-based Imperva employee, and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for …

Article source: https://www.darkreading.com/risk/is-2019-the-year-of-the-ciso/a/d-id/1335192?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple