STE WILLIAMS

A penetration testing and consulting firm plans to release a free penetration testing toolkit next month at Black Hat Asia; the toolkit includes privilege escalation and network attack functions.

Paula Januszkiewicz, CEO of CQURE, says she and her team at the security firm are rolling 39 of the company’s 200 homegrown hacking tools — plus five new ones — into the freebie CQTools kit that they will demonstrate and offer during their talk at the conference in Singapore.

“This toolkit allows a cybersecurity specialist to deliver complete tests within the infrastructure, starting with sniffing and spoofing activities, going through information extraction, password extraction, and custom payload generation,” Januszkiewicz says.

Januszkiewicz’s firm traditionally has developed its own penetration testing tools for its client engagements as well as its own research work. She says existing forensic investigation tools rarely come with all of the features her team requires and that provide researchers the ability to gather specific types of information. CQURE researchers built, for example, their own hacking tool for the cryptographic Data Protection Application Programming Interface (DPAPI) in Windows.

Her team reverse-engineered DPAPI and its later version, DPAPI-NG. “That is why we had to write our toolkit, which consists of over 40 tools decrypting almost everything in the operating system,” she said. The researchers discovered how to decrypt DPAPI user-protected data by using the private key stored on a domain controller.

“DPAPI-NG is a very fresh subject and we already have the whole toolkit for it,” Januszkiewicz notes.

Januszkiewicz says CQTools encompasses both exploit kits and information-extraction functions, which a researcher could use to grab information from different areas in an operating system, for example, and it can bypass anti-malware software during pen testing engagements and research.

CQURE performs consulting, pen testing, incident response services, training, and security research

Januszkiewicz, along with Mike Jankowski-Lorek, CQURE’s cybersecurity specialist and cybersecurity and database architect, will demonstrate CQTools in their talk at Black Hat Asia. “I will be presenting different ways of revealing secrets from the operating system,” she says. “I will show how data and secret storage and encryption work on Windows, and how we are able to compromise related operating system mechanisms.”

Related Content:

• New Zombie ‘POODLE’ Attack Bred from TLS Flaw
• Researchers Dig into Microsoft Office Functionality Flaws
• Toyota Prepping ‘PASTA’ for its GitHub Debut
• Security Spills: 9 Problems Causing the Most Stress

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/analytics/security-firm-to-offer-free-hacking-toolkit/d/d-id/1333984?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Looking for some new cybersecurity tools? Then make time to check out the Arsenal at Black Hat Asia in Singapore next month, it’s open to everyone bearing a Black Hat Asia pass, and offers a unique opportunity to see live demonstrations of the latest open-source security tools.

Stop by the Arsenal (located in the Business Hall) and check out the “RF-Xfil: Prototype Toolkit for Data Exfiltration Over Radio Frequencies” demo if you’re looking for a new (albeit proof-of-concept) tool for exfiltrating data over FM radio frequencies generated using an off-the-shelf USB-to-VGA dongle.

Developed during Hacksmith v2.0, the RF-Xfil runs on a Linux target, feeding audio, screenshots, text, and keystroke data over an FM radio channel. It’s a potentially useful tool for anyone seeking new ways to covertly exfiltrate data (for fun or profit), and a great way to learn more about software-defined radio.

You might also appreciate the “Archery: Open Source Vulnerability Assessment and Management – 2.0” Arsenal demo, which aims to showcase how the open-source Archery tool helps developers and pentesters perform scans and manage vulnerabilities. It’s been updated with some new features ahead of Black Hat Asia, so swing by and catch a live demo.

“Kurukshetra: Playground for Interactive Security Learning,” by contrast, is a web framework developed to be the first open-source framework to provide a solid foundation to host reasonably complex secure coding challenges. It’s a framework where developers can learn secure coding practices in a hands-on manner.

Kurukshetra is composed of two components. The backend framework, written in PHP, manages and leverages the underlying docker system to provide the secure sandbox for challenges. The frontend is a web app providing all the necessary controls for the admin to host and modify the challenges and for the user to execute and view the result of each of his input. A major update will be released at Black Hat Asia with a better dashboard, new language support, and gamification features, so make time to stop by!

If cybersquatting is among your concerns, don’t overlook the “Squatm3gator: 360° Cybersquatting” Arsenal demo. Squatm3gator is a Python tool designed to enumerate available and not available domains generated by modifying the original domain name through different techniques (substitution attacks, homoglyph attacks, etc.). It’s especially useful for helping penetration testers identify domains vulnerable to being used in phishing attack simulations, as well as helping security analysts prevent effective phishing attacks,

Black Hat Asia returns to the Marina Bay Sands in Singapore March 26-29. Early registration pricing for Briefings Trainings ends Friday, January 18, so register before then to get the best price!

For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/find-your-new-favorite-security-tool-in-the-black-hat-asia-arsenal/d/d-id/1333995?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In 2018, bad actors — that is, those perpetrating cyberattacks on businesses and organizations — upped their game across a range of fronts, devising new and insidious attack vectors. While more-savvy users have continued to play defense, cybersecurity in general remains relatively weak — certainly, far weaker than it should be, given the nature and extent of the threat(s).

Anecdotally, the year witnessed a significant uptick in targeted attacks against cloud hosting companies. Where hacks once occurred seemingly at random, attacks are now more targeted, tracking the user population as organizations have moved to the cloud. No longer are attacks limited to local machines; as the number of virtual servers has proliferated, hackers have set their sights on these remote servers, recognizing the potential for both more damage and greater profit.

Ironically, the money isn’t rolling in only from ransomware — which, on a relative basis, is actually less effective than it used to be. (Credit there goes to the IT/user community for more vigilant backup practices.) Cryptomining, or cryptojacking, emerged as a cash cow in 2018; the practice of embedding software that runs in the background, searching over time for cryptocurrency in stealth fashion, attests to the smarter, more sophisticated class of hacker that surfaced (or didn’t) these last 12 months.  

According to Webroot’s Mid-Year Threat Report Update, cryptomining — which consists of both ransomware and cryptomining — accounted for 52% of cybersecurity threats in the first half the year. By itself, cryptojacking (defined as “the nonconsensual act of cryptomining someone else’s machine”) was behind 35% of threats. The practice is so pervasive, the Webroot’s report notes, that cryptojacking scripts are said to be running on an estimated 3% of all sites that users visit.

Closely linked to cryptomining is the notable rise this year in advanced persistent threat, or APT, incidents — a clear sign that attackers are creating ever-smarter malware, at nearly an artificial intelligence (AI) level. Malware is becoming sandbox-aware; once it gets out of the sandbox, it runs malicious code. That code can do almost anything nefarious — steal passwords, log keystrokes, send information from the server to the attacker, gain remote access to the server, hide files, and accept commands. By midyear, our organization began to see more “fileless malware.” Running in memory, traditional anti-malware software can’t intercept it. AI-driven anti-malware software is now in the works — yet another example of how any technology can be used for good or ill.

That said, I find it encouraging that organizations in 2018 did boost their investments in proactive security measures; some even began to change the way they look at security, examining past breaches and isolating lessons learned. Cloud hosting providers are getting better at playing defense, although methodologies like zero trust and least privilege aren’t being adopted as rapidly or as widely as they should be.

That needs to change in 2019 if the IT community is to gain the upper hand on cryptomining and cryptojacking. Zero-trust architecture, as Forrester Research defines it, abolishes the idea of a trusted network inside a defined corporate perimeter. Zero trust mandates the creation of microperimeters of control around an enterprise’s sensitive data assets and provides visibility into how it uses data across its ecosystem to win, serve, and retain customers.

Under a zero-trust regime, all applications are configured to challenge and encrypt, enabling the organization to build out its infrastructure around that concept. Zero trust, with multifactor authentication, is the industrial-strength option in today’s environment and ought to be standard operating procedure moving forward.  

While perceived threats and vulnerabilities are assumed to exist outside the firewall, truly effective security policies assume nothing. The conventional wisdom once held that everyone inside the network was trusted and everyone outside was not. The newer, more enlightened paradigm for security is “more trusted” and “less trusted” — and that’s where the principle of least privilege comes into play.

Per a University of Indiana knowledge base, the principle of least privilege promotes minimal user profile privileges on computers, based on users’ job necessities. Each system component or process should have the least authority necessary to perform its duties. This helps reduce the attack vector of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises.

In savvy organizations, least privilege applies to every employee. Encryption is the rule internally, and multifactor authentication to log in to every networking component and storage system is mandated; no one can delete a snapshot or burrow into the firewall.

In this near-full employment economy, organizations are frankly hurting in their quest to find and retain qualified cybersecurity professionals. It’s a challenge to hire people who truly know what they’re doing, and distressingly, hackerworld is exploiting the talent gap. With cryptomining and cryptojacking poised to become a juggernaut in 2019, the security wing of the IT industry would be wise to plug that gap with all deliberate speed.

Related Content:

• Credential Compromises by the Numbers
• Attackers Continue to Focus on Users, Well-Worn Techniques
• To Mitigate Advanced Threats, Put People Ahead of Tech

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Based in the Greater Phoenix area, Alex Artamonov is a systems engineer and cybersecurity specialist now in his 10th year with Infinitely Virtual.  Skilled in VMware ESX, Microsoft Server and desktop operating systems, HP Proliant, and HP blade … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/in-2019-cryptomining-just-might-have-an-even-better-year/a/d-id/1333971?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

While bots are a problem across many industries, the ticketing industry has experienced a dramatic increase in such traffic over the past couple of years. And much of that bad traffic occurs in our own backyard, with 85% of bots launched against ticketing companies originating in North America, according to a report released today by Distil Networks.

The report, “How Bots Affect Ticketing,” also found the proportion of bad bots among ticketing companies has risen to 39.9% of all ticketing traffic. That’s a notable increase from the 22.9% found in previous reports, and even that number was considered worse than the average for all industries.

Edward Roberts, director of product marketing at Distil Networks, says the number increased because of the greater number of ticketing companies included in this year’s study, as well as the increase in volume of traffic analyzed.

“The sophistication of the bots and the ability of the organizations that propagate the bots to monetize them and survive as a business has also increased,” Roberts says. “Whether it’s brokers, scalpers, hospitality agencies, corporations, or criminals, they can lock down tickets, buy them at a cheaper price, and sell them at a premium on a secondary market.”

Christopher Rodriguez, a research manager for cybersecurity products at IDC, says he has observed this kind of activity in many other industries, including retail, travel and hospitality, and financial services.

“That’s why companies are looking at bot mitigation products such as from Distil, Akamai, PerimeterX, ShieldSquare, and Shape Security,” Rodriguez says. “These products do device fingerprinting and tracking, looking how long a user dwells on a certain page, the movement of the mouse and how quickly they type, all in an effort to determine if the user is legitimate.”

Criminals at Work
Though criminal elements are a much smaller share of the bad bot ticketing market compared with brokers, scalpers, and other companies, they seek to compromise customer accounts via credential stuffing, Distil’s Roberts says.

By running stolen credentials against the login pages of ticketing platforms, bots identify the accounts where access was granted. Once inside the account, any stored tickets (usually two to four tickets at a time) can be stolen or transferred to another account. And once inside an account, any stored credit card and personal information could be stolen or used to commit fraud. The bots also steal customer loyalty points, a problem that has become prevalent with season ticket holders of European soccer teams.

“Ticketing companies need to pay attention to public data breaches because any time there’s a major breach, the criminal will hit the names on that list,” Roberts says. “Companies also need to consider blocking the known hosting providers for bot operators.”

According to the report, ticketing has long experienced the evolution of the bot problem. As the ticketing industry moved online in the 1990s, it was the first industry to suffer from malicious bot operators using automated attacks to hold and scalp tickets. Following complaints by customers and increased pressure from artists, it was also the first industry to adopt legislation as an additional tool in the war on bad bots. In 2016, the US passed the Better Online Ticket Sales (BOTS) Act, which outlawed the resale of tickets purchased using bot technology and imposed fines. The UK, Australia, and parts of Canada have enacted similar legislation.

The latest report on the ticketing industry follows a report Distill issued last year on the airline industry, in which it found that 43.9% of all traffic on airlines websites came from bad bots, Roberts says

Related Content:

• Airlines Have A Big Problem with Bad Bots
• Bad Bots Increasingly Hide Out in Cloud Data Centers
• The Good, the Bad the Disruptive: Bots on the Wild, Wild Web
• Businesses Can’t Tell Good Bots from Bad Bots: Report

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/analytics/bots-plague-ticketing-industry/d/d-id/1334003?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A pair of research reports released today paint a picture of a cyberthreat landscape that is continuing to evolve in ways both expected and not. The reports, released by Netscout and Akamai, each look at the overall threat landscape from its own perspective and offer a slightly different view of what cybersecurity professionals face. Together, they reach similar conclusions about some of the threats growing in cyberspace and some of the industries likely to be most affected.

The “Netscout Threat Intelligence Report” focuses on large organizations, such as nation-state actors, and the the impact they’re having on both statecraft and industries important to various nations. According to Richard Hummel, manager, Netscout Threat Intelligence, the number of groups working on behalf of national security organizations has skyrocketed.

“A couple of years ago, I would tell you that there were probably 35 to 40 different groups, and that’s predominantly China, Iran, Russia — some of the really big names,” he says. “But now with Netscout we’re actively tracking at least 35 of these groups ourselves, and we know of at least 170 more different groups around the globe where you have these nation states adding cyberattack capabilities to their statecraft.”

Those groups are growing in sophistication and broadening their target groups, as well. The report says academia, government, finance, and telecommunications are the targeted industries.

Another large and growing group of threat actors are criminal organizations that now have activities reaching around the globe. “The criminal organizations and the nation-state groups really have a lot of similarities,” Hummel says. “They both have large-scale operations. They both have access to a lot of really skilled operators. They’re able to throw money at their problems to fix it.”

Those efforts are resulting in attacks that are both more frequent and larger in scale than those of last year or the year before.

In the distributed denial-of-service (DDoS) attack space alone, attacks were up 26%, according to the report. “Attacks in the 100–200 Gbps, 200–300 Gbps, and 300–400 Gbps [range] exploded, up 169 percent, 2,500 percent, and 3,600 percent, respectively,” the report states.

Those attacks were aimed against strategic targets, with a “significant increase” in DDoS attacks on wireless telecommunications, satellite telecommunications, data processing, data hosting, television, libraries, and archive sites.

Akamai’s “2019 State of the Internet” report points out that a growing number of these attacks are generated by networks populated by All-in-One bots, or AIOs. These bots can be rented to commercial clients for spamming inboxes or message clients, launching DDoS attacks, or credential stuffing. According to the Akamai report, the retail apparel market experienced 3.7 billion credential stuffing attempts in the eight months of 2018 used as the basis for the report.

Those attacks aren’t coming from international actors, though the weapons used span the globe. “A lot of it’s coming from Russia, a lot is coming from Canada, but it’s largely Americans buying these botnets and running them against the sites,” says Martin McKeay, security researcher and editorial director at Akamai.

The American criminals know their targets: McKeay says that 1.636 billion credential-stuffing attacks were launched against a single retail organization.

Both reports point out Internet of Things (IoT) devices as particularly vulnerable when it comes to recruitment into these criminal botnets. Netscout’s report points out that IoT devices are especially vulnerable to brute-force attacks, since so many either have hard-coded user names and passwords or interfaces so primitive that they encourage owners to use simple credentials.

In Akamai’s case, it uses data from its own network to show that API traffic, from IoT devices that range from smartwatches to televisions, now accounts for 83% of the traffic it sees versus 17% from browsers. While McKeay is quick to point out that not every network will see the traffic mix handled by Akamai, he does believe these broad analyses are applicable to the Internet as a whole and have significant implications for security.

Both Hummel and McKeay say the most important takeaways from their respective reports is the importance of cybersecurity professionals being aware of changing patterns so they can begin to deal with the implications. There’s no indication, in either report, of the Internet becoming noticeably safer before the next version.

Related Content:

• Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
• New Botnet Shows Evolution of Tech and Criminal Culture
• Nest Hack Leaves Homeowner Sleepless in Chicago
• ‘We Want IoT Security Regulation,’ Say 95% of IT Decision-Makers
• 2019 Attacker Playbook 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/iot-apis-and-criminal-bots-pose-evolving-dangers/d/d-id/1333999?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple