STE WILLIAMS

Google’s stealthy sign-in sentry can pick up pilfered passwords

Two things happened on Halloween with a bearing on cybersecurity.

The first is that the 15th year of the National Cyber Security Awareness Month (NCSAM) came to an end. You have heard of NCSAM, right?

The second, apparently timed to coincide with 31 October, was that Google is yet again modifying the background security checks it performs during account sign-in, as well as modifying its recovery process in the event of unauthorised access. There’s also important news if you’re a hold-out against enabling JavaScript.

The main tweak is that Google is upping its detection of people pretending to be you. If you’re unwittingly tricked into handing over your Google username and password in a phishing attack, all isn’t lost. Google thinks it can distinguish a sign-in by the phishing attacker from a sign-in by you.

Wrote Google product manager, Jonathan Skelker in a blog announcement:

When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious.

The company is deliberately vague about what signals indicate this but it alluded to similar ideas in the reCAPTCHA v3 announcement from earlier this week.

No JavaScript, no Google

However, distinguishing an unauthorised from a legitimate sign-in requires that you haven’t disabled JavaScript, either completely, in your browser’s settings, or selectively, with a plugin like NoScript. Google reckons around 0.1% of its users do this to counter what they believe is the language’s potential for misuse. However:

We’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment.

Failure to do this will result in the user being confronted with the following error message:

The browser you’re using doesn’t support JavaScript, or has JavaScript turned off. To keep your Google account secure, try signing in on a browser that has JavaScript turned on.

In short, if you’re in the 0.1%, JavaScript will have to be at least temporarily enabled to access Google.

Account recovery

If Google thinks it has detected malicious account access, users are now taken through additional checks looking for unauthorised financial activity, access to files on Google Drive, whether access has affected third-party accounts accessed via Google, and double-checking recovery information such as phone numbers for any changes.

The options and process for this are laid out on Google’s secure a hacked or compromised account page.

It’s all perfectly sensible stuff but a quick glance at that page shows how involved Google account security has become – the main advice section now runs to a total of nearly 1,100 words, referencing settings and concepts not all users will be familiar with.

As Google’s Skelker admits:

Online security can sometimes feel like walking through a haunted house – scary, and you aren’t quite sure what may pop up.

His analogy, aimed at the threats, increasingly applies to protections too.

As their number expands to serve a worthy cause, it’s a theme worth thinking about come next year’s National Cyber Security Awareness Month.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pbc-V4iRKl4/

Popular browsers made to cough up browsing history

Anonymous Coward, in commenting on a report from The Register about vulnerabilities that expose people’s browsing histories, pithily sums up potential repercussions like so:

Sweetheart, whats this ‘saucyferrets.com’ site I found in your browsing history?

If you value your privacy and your ferret predilections, be advised that in August, security researchers from Stanford University and UC San Diego presented, during the 2018 USENIX Workshop on Offensive Technologies (WOOT), four new, privacy-demolishing attack methods to get at people’s browsing histories.

The novel attacks fit into two classic categories – visited-link attacks and cache-based attacks – and exploit new, modern browser features such as the CSS Paint application programming interface (API) and the JavaScript bytecode cache: two examples of evolving web code that don’t take privacy into account when handling cross-origin URL data, the researchers say.

So-called history sniffing vulnerabilities are as old as dirt, and browser code has addressed them in the past. Here’s a paper written on the issue back in 2000, and here’s a Firefox bug reported that same year about how CSS page disclosure could let others see what pages you’ve visited.

Old or not, common web browsers – Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer, and Brave – are all, to greater or lesser degree, affected by the new methods of sniffing, the researchers say.

Even most of the security-focused browsers they evaluated – they looked at ChromeZero, Brave, FuzzyFox and DeterFox – coughed up browsing histories in the face of two of their attacks. The Tor Browser alone stood fast against all four attacks: not surprising, since it doesn’t actually store users’ browser histories.

These attacks weren’t just “effective”; at least one of them was sizzling. One of the visited-link attacks – CVE-2018-6137, a bug in Chrome 67 that Google fixed in June – peeled off user browsing history at the rate of 3,000 URLs per second. The vulnerability allowed an attacker to figure out whether a link had been visited by using the CSS Paint API to check if a “paint” method – used to change the color of visited links – had been invoked.

Google fixed that one, but that leaves three of the vulnerabilities, as Deian Stefan, assistant professor in the UCSD computer science and engineering department, told The Register. Stefan said the remaining flaws are timing side-channel attacks, which makes them “considerably less severe” than the CSS Paint API attack.

Protecting against these attacks should be taken a lot more to heart by browser makers than it is, the researchers say, given how much browsing history can reveal about somebody: age, gender, location, political leanings, preferred adult sites, and even who they are in the real world.

[O]ne user’s browsing history can spill other users’ secrets, thanks to social networking websites like Facebook and LinkedIn. Anyone who touches a search bar should care about safeguarding this sensitive data.

It should be pretty straightforward, the researchers said: “After all, the web platform provides no direct means for JavaScript to read out a user’s history.” It’s anything but, though, given that in practice, “things get more complicated.”

Browsers still allow web developers to perform a restricted (and occasionally dangerous) set of computations on history data. For example, using the CSS :visited and :link selectors, developers can conditionally style a link based on whether its destination URL appears in the user’s browsing history. And what a developer can do, an attacker can do too – so browsers must account for all kinds of abuse, like exploiting CSS selectors as side channels to “sniff” a URL for visited status.

The four new attacks show that modern browsers are failing to safeguard browsing history data from web attackers, the researchers say.

Various browser features allow attackers to leak this data, in some cases at alarming rates.

As a fix, they propose a “same-origin-style” (SOP) policy: a web application security policy in which a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

In other words: a web page should be able to show you which links you’ve visited on the same site, but not on other sites.

It would carry minor performance hits to browsers and would require a small change to how visited links are styled, but they think the costs are worth the benefit to user privacy.

Deian said developers involved with the World Wide Web Consortium (W3C) are discussing the three remaining browser history attacks, which involve exploiting CSS 3D transforms, SVG fill-coloring, and the JavaScript bytecode cache. The researchers are also talking with Firefox and Chrome developers about measuring what type of impact a fix would have on existing sites.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LvgAjgWLyKI/

Another day, another update, another iPhone lockscreen bypass

Apple keeps releasing iOS updates and Spanish researcher José Rodríguez keeps finding new ways to bypass each version’s lockscreen security.

This week’s target was iOS 12.1, which appeared on Tuesday. By Wednesday, Rodríguez had posted a YouTube video showing how the lockscreen could be beaten with the help of Siri and Facetime to reveal the device’s contact phone numbers and email addresses.

Apart from having physical access to the target iPhone, all an attacker would need is the phone number of the target (if they don’t know the number, they can just ask Siri “who am I?” from the target phone).

The attacker would then:

  • Pick up the call
  • Initiate FaceTime from the call menu screen
  • Swipe up and enable airplane mode
  • Immediately tap the (…) icon (for iOS 12.1.1 swipe up on the panel at the bottom)
  • Tap “Add Person”
  • Tap the (+) icon

Hey presto! They can scroll through the contact information.

Just to get ahead of Apple’s security team, the method even reportedly works on the beta for the forthcoming iOS 12.1.1.

Rodríguez’s lockscreen bypasses have become an uncomfortable fixture lately.

The most recent was only two weeks ago, a lockscreen bypass in iOS 12.0.1 that would have given an attacker access to a device’s photos.

Ironically, that update included fixes for two previous lockscreen bypasses Rodríguez had publicised in September that compromised contacts, emails, telephone numbers, and photos.

Before that, the same researcher had discovered a clutch of lockscreen bypass issues going back to 2013.

Until Apple posts a fix, you can mitigate the flaw by disabling Siri’s VoiceOver lockscreen access: go to Settings > Siri & Search and turn off Allow Siri when locked.

A deeper question is why Siri and the lockscreen still don’t mix happily.

It could simply be that there is a fundamental incompatibility in their purpose – locked access versus easy voice access to some functions – which is inherently difficult to reconcile without compromise.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gsc7S-pE74s/

What’s that? SSH can still use RC4? Not for much longer, promise

A hackathon next week will see ‘net developers get to work consigning more insecure cryptography to the /dev/null of history.

The Internet Engineering Task Force’s 103rd meeting kicks off in Thailand with the customary hackathon starting on 3 November, and one of the agenda items is getting the RC4 cipher out of SSH (secure shell).

It’s so very easy on paper. All you need is a brief Internet-Draft, which changes the word “optional” to “MUST NOT” – that’s the table change in RFC 4253, section 6.3, which states 128-bit RC4 (“arcfour” in the text) is no longer supported.

In deployed SSH software, it’s a bit more than the stroke of a pen.

Getting ready for the sleepless nights, if not the travel, is a group called Cyberstorm.mu from Mauritius (whose work we’ve discussed here before), and this time round they’ll be working on the SSH RC4 deprecation.

Logan Velvindron, who co-authored the “curdle RC4 die-die-die” Draft, told El Reg he expects removing RC4 from core SSH libraries to be straightforward. It’s out in the wild, where there will be public-facing servers expecting RC4 ciphers, that the regression will bump into problems.

One challenge is that nobody really knows what’s “out there”, he said, so the Cyberstorm group has set about gathering data. “We are working on a study of the world-wide usage rate for RC4 on public facing SSH servers to get some concrete data,” he said.

Cyberstorm.mu, which Velvindron said will be the largest group of remote participants in the hackathon, will also be leading groups adding GnuTLS 1.3 support in various applications, and expanding features to a Drupal HTTP 451 error module (the error signals that a page is blocked for legal reasons like censorship; Velvindron’s colleague Veegish Ramdani from the University of Mauritius wrote the original module).

The IETF meeting that follows the hackathon has quite a workload ahead of it.

The QUIC working group hopes to finalise its base specifications, so that the proposals can reach “Last Call” status early in 2019 (signalling that community review is nearly done, and the nine QUIC drafts will start getting RFC standard status).

As IETF chair Alissa Cooper wrote, there will also be lots of action in various routing areas. The Deterministic Networking and IEEE 802 Time-Sensitive Networking groups will hold a joint workshop, along with network management (YANG and the like), and plenty more for El Reg to watch for interesting developments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/02/ssh_rc4_security/

Tackling Cybersecurity from the Inside Out

New online threats require new solutions.

It’s no secret that ransomware and distributed denial-of-service attacks are on the rise. In fact, compared with the previous year, the average number of targeted cyberattacks per organization in 2017 more than doubled (232 through January 2018 versus 106 through January 2017). The good news, according to Accenture’s 2018 State of Cyber Resilience report, is that organizations are experiencing far more success in detecting and blocking them.

Despite this progress, only two out of five organizations invest in state-of-the-art technologies like machine learning, artificial intelligence (AI), and automation. In other words, there’s lots of room for investment in cyber-resilient innovations and solutions.

Cyberattacks More Than Doubled in 2017
The study found that organizations that take cyber threats seriously are managing to prevent 87% of all focused attacks, compared with 70% in Accenture’s 2017 report. However, 13% of such attacks are making their way through the corporate defenses: organizations deal with an average of 30 successful security breaches per year that result in damage or the loss of high-value assets.

“Only one in eight focused cyberattacks are getting through versus one in three [the previous year], indicating that organizations are doing a better job of preventing data from being hacked, stolen, or leaked,” says Kelly Bissell, managing director of Accenture Security. “While the findings of this study demonstrate that organizations are performing better at mitigating the impact of cyberattacks, they still have more work to do. Building investment capacity for wise security investments must be a priority for those organizations who want to close the gap on successful attacks even further. For business leaders who continue to invest in and embrace new technologies, reaching a sustainable level of cyber resilience could become a reality for many organizations in the next two to three years. That’s an encouraging projection.”

Security Teams Find Breaches Faster
There’s another bright spot: Security breaches are taking less time to detect, from months and years to now days and weeks. In the study, an average of 89% of respondents reported that their internal security spotted attacks within one month, as opposed to only 32% of IT teams the previous year. According to this year’s survey, just over half (55%) of organizations detected breaches in a week or less, compared with 10% in last year’s report.

Although today’s companies are quicker to detect breaches, security teams are still finding only 64% of them — a number similar to last year’s — and using external help to find the remaining ones. This underscores the importance of collaborative private/public sector cooperation to stop cyberattacks. When asked how they unearthed attacks that their security team failed to find, respondents indicated that more than one-third (38%) were found by white-hat hackers or a peer or competitor (up from 15% in 2017’s report). Interestingly, law enforcement uncovered a mere 15% of breaches, down from 32% the previous year.

The View from Inside
On average, respondents said their cybersecurity program safeguards only two-thirds (67%) of their organization. Of course, external incidents remain a problem, but the survey indicates that companies also face other threats lurking within: internal attacks and accidentally published information are among the top three cyberattacks with the highest frequency and impact.

Respondents said that cyber-threat analytics and security monitoring (46% each) are the two capabilities they need the most to plug the holes in their cybersecurity solutions, but most (83%) acknowledge that other technologies — such as AI, machine or deep learning, user behavior analytics, and blockchain — are key to optimally securing the organization.

While the average number of cyberattacks per organization has increased, companies are getting better at detecting and blocking them. However, the biggest hurdle for companies is stopping breaches from happening in the first place, not improving their ability to detect them. As their data silos expand and digital platforms become major revenue sources, the stakes for companies have never been greater. Taking days or weeks to detect a breach is no longer good enough because the costs of such delays can be devastating for most, and fatal to some. Imagine if there was a heist at your local bank: What would people say if it took days or weeks for the police to respond to the robbery?

As they adapt to the digital universe, organizations also expose themselves to ever-increasing cyber-risks and become more dependent on their IT department. Meanwhile, cybercriminals are getting better at what they do and launching increasingly sophisticated attacks via multiple threat vectors. Consequently, for companies, fighting back with a data-centric approach based on AI and machine learning is essential. It’s no longer enough to pit your smartest people against the equally brainy bad guys. In the digital era, cybercriminals are leveraging the same tools as their targets, so cyber defense needs to catch up.

In addition to protecting their organizations from external threats, IT leaders mustn’t neglect the internal breaches — intentional or accidental — that still pose a major threat. Continuous trainings and clear instructions help build awareness among staff, and policy enforcement and monitoring can ensure that employees will pay attention to them. Instead of treating security as a bothersome cost, the smartest enterprises will make online security a regular part of doing business and use it to differentiate themselves from their competitors who are still behind the curve.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Article source: https://www.darkreading.com/attacks-breaches/tackling-cybersecurity-from-the-inside-out/a/d-id/1333127?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

I know what you’re thinking: Outsource or in-source IT security? I’ve worked both sides, so here’s my advice…

Comment You’re a small or mid-sized business and have a growing sense of unease that you aren’t doing enough on cyber security. Must be all those headlines about ransomware infections and databases ransacked. Or – perhaps – you’re experiencing an upsurge in phishing attempts.

Congratulations – you’ve woken up to something that a surprising number of companies haven’t. But now you’ve patted yourself on the back, the big question is: what’s next?

SMBs spent on average 27 per cent more on security in 2017 than the year before according to a survey last year by Cyren and Osterman Research, yet less than half felt confident they could prevent a network intrusion. Half, 52 per cent, had an IT security staff of two or fewer people.

The average SMB probably can’t afford what one might call a “proper” CISO to direct their security strategy. By that I mean someone with extensive experience, and typically formal qualifications, such as Certified Information Systems Security Professional and Certified Information Security Manager. CISOs can command six-figure salaries with an average in the range of £85,497 with “regular” staff starting above the national average.

Security professionals are expensive because they’re in short supply. They have always been difficult to find, but the shortage is getting progressively worse according to ESG Research, here.


It’s therefore pretty certain that you’ll need to use third-party help at some point.

I’ve been on both sides of the consulting fence. As a CISO running cyber security internally and using external help. As a consultant, too, I’ve provided assistance to others. I’ve seen the pros and cons and been through the ins and outs of setting up and running outsourced cyber security contracts.

Let’s start with the pluses.

Using a managed service provider promises to cut the potential cost of your security setup by dint of the fact you no longer need to hire one or two expensive full timers.

Some of you may have decided that if you can’t afford an in-house CISO you should opt for a CISO-as-a-Service instead: but that probably won’t get you much more than a day a week as the daily cost of a specialist is way higher when outsourced than when in-sourced.

In such cases you’d be best advised to consider a hybrid role – maybe combine it with other compliance or internal audit roles, for instance, or train one of your techies to step up.

Using a proper service provider is a better route. That, at least, gives you access to a full set of analysis, applications, appliances, and staff. They can run detection and manage response, saving your handful of IT pros from the job of setting up, managing and filtering alerts, of wading through a backlog of server logs, or keeping up-to-date on latest vulnerability threats and fixes.

But there are a couple of downsides.

Loss of control and trust are two of the biggest issues. You are handing over the reins for your security – as well as responsibility for your data – to an outsider. Can you trust them in the first instance and, in the second, can you be sure they’ll treat you as an individual, not a number? They may claim 24×7 support, but you know you aren’t their only customer.

Complicated and unrewarding

If you are willing to press on, what might you be thinking of outsourcing? The best thing to hand over is the really involved, complicated and – yes – tedious stuff.

Firewalls and VPN management are two good candidates. Why? To stay up to date with latest compliance and security standards requires ongoing management and dedicated attention. Access log management is another, owing to the number of logs – something that will depend on the complexity of your IT ops. Vulnerability and malware scanning are good areas, too, for the reason that threats do not stand still and your provider should be up to speed on what’s new.

Content filtering is a cert. This can prevent users from following links they shouldn’t and then inadvertently downloading dangerous code, so – again – it helps to stay current. Also distributed-denial-of-service prevention. DDoS attacks aren’t new but are evolving, from assaulting the network and transport layers to the application layer, while the volume of attacks is growing, making it difficult to keep up. Again, this is a good example of relying on somebody who does this for a living.

Across all of these you will, of course, be talking servers, devices, PCs, storage systems and cloud.

Taking the middle way

When it comes to the actual nature of your outsourced relationship, my first piece of advice is: don’t be tempted to go all in.

You can stay secure by in-sourcing some of the basic good-practice parts of your cyber security regime rather than relying on somebody else.

If you do have techie staff, the chances are their level of awareness of cyber security is already pretty high: they may have configured something like Microsoft’s Active Directory for sign on and identity management to protect against unauthorised access and could have built your firewalls. Retain that knowledge and save money by not having somebody simply come in and hoover it up.

There’s off-the-shelf help you can draw on, too. The UK government’s Cyber Essentials sets a good standard: the five simple actions it demands (changing default passwords, keeping stuff patched and so on) are well within the remit and capability of most.

Mixed blessings

So, OK, you’re keeping some stuff and going to have a halfway house. Just don’t assume that by taking the middle way things will be problem free. In fact, this relationship is just as complicated, and for exactly the same reasons, as if you’d gone 100 per cent outsource.

The first big mistake is failing to define the requirements properly.

Let’s take an example. You’re using Cisco ASA firewalls but you don’t have the skills to manage them, so you outsource the job. But what do you expect the outside specialist to do? Monthly firmware updates? Weekly failover tests? Monitor the logs and respond to certain types of activity?

You need to be absolutely, 100 per cent specific in the wording of your contract what’s expected: if something’s not in there as part of the service, you have no right to expect them to do it.

Are they doing a good job?

Supplier reviews are another big potential problem area. A widespread problem in outsourcing is engaging a supplier and leaving them to simply get on with the job, either by assuming they are the experts – so everything must be fine – or because you don’t have the time to check on them.

Part of the task of signing up an external provider is defining what my former boss calls “what good looks like”. You can call it a Service Level Agreement if you wish, but when you talk of SLAs there’s a tendency for people to start getting all hung up on ticket response times – in fact, you need to be defining the expectation across the board.

What you do need is to define in writing how each performance indicator is measured, and how that is to be presented to you as evidence that all is well with the outsourced service.

As an SMB you may lack the skills to interpret the outputs of the service monitoring. If so, take independent advice when defining the measures and interpreting the results. Or there’s this approach: years ago, I was involved in exercises that were nothing more than defining the desired measures and checking another consultant’s homework. It’s a perfectly reasonable thing for you to do, should you lack the in-house skills for defining the relationship and measuring how it’s working.

Breaking up is not hard to do

An important part of the service review is the termination clause. Every relationship has hitches and you need to be pragmatic and learn from them. But just as your HR team use the dismissal option in their disciplinary regime sparingly, it’s still there for them to use.

This is an important part. You may have outsourced cyber security, but accountability still rests with you, so be prepared to use the severance clause if you really have to.

In today’s world, it’s wise for an SMB to outsource at least part of their cyber security, just don’t leap in. Weigh up the relative costs, make sure the contract is watertight, monitor things closely, conduct regular reviews, pay someone for their help if you need it on performance and service levels, and make sure you have a get-out should you need it.

Ultimately, remember: just because it’s outsourced, doesn’t mean you should let go. Outsourcing might be right for today but in-sourcing could also make sense at some point in the future. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/02/cyber_security_sourcing/

BBC micro:bit vendor Kitronik says customers’ deets nicked, fingers Magecart malware

Educational electronics outlet Kitronik has suffered a data breach which its data controller suspects was caused by the same strain of malware that ransacked British Airways’ website.

In an email seen by The Register, Kitronik’s Geoff Hampson told customers that the Magecart spyware had been operating on the gadget shop’s website over August and September.

“Anyone that has followed the news in recent months will be aware of the malicious software ‘Magecart’ that has been recording customer’s key presses on such high profile websites as British Airways and Ticketmaster. The malicious software records key presses at the checkout stage, to capture sensitive details. From some point early in August until mid-September the same malicious software has been present on the Kitronik website,” he wrote.

Kitronik’s website runs the open-source Magento e-commerce platform, which has been periodically targeted by mischief-makers.

As reported previously on El Reg, Magecart works by planting JavaScript onto the payment pages of websites that use embedded third-party components. That JS then beams data entered by site users back to a server controlled by the criminals.

Details exposed in the infection on Kitronik’s website included customers’ names, email addresses, card numbers, expiry dates, CVV (verification) codes and cardholders’ postal addresses – everything a fraudster would need to start making online purchases.

“We think that it is only details entered at the checkout stage that might have been taken and as a result, customers that had set up an account prior to August would not have had their address details stolen,” continued Hampson’s email. He also speculated that schools and businesses that had credit facilities were “not likely” to have been affected, adding:

Although we have a mechanism in place to alert us if the code on the website changes, this attack was very sophisticated and bypassed that code by making changes to the website database. The companies that take card payments on our behalf monitor trends and it was the payment gateway provider that notified us of a higher than normal amount of fraud, which triggered our investigation.

When contacted for comment by The Register, Hampson did not say how many customers had been affected, nor did he confirm whether the Information Commissioner’s Office had been informed. Section 67 of the Data Protection Act 2018 (implementing Article 33 of the EU’s GDPR) makes it a legal requirement that the watchdog be informed within 72 hours of an organisation becoming aware of a data breach “where feasible”.

Among other things, Kitronik focuses on selling accessories for the BBC micro:bit proto-puter, designed as a teaching tool to get schoolkids interested in coding.

Infosec researcher Willem de Groot has a blog post with precise details of how the latest strain of Magecart exploits zero-days, while a closely related malware strain, Magentocore, infected 7,000 sites, according to him.

An ICO spokesperson said: “We are aware of an incident involving Kitronik and we will be making enquiries.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/02/kitronik_online_shop_malware/

Microsoft, Amazon Top BEC’s Favorite Brands

When attackers want to impersonate a brand via email, the majority turn to Microsoft and Amazon because of their ubiquity in enterprise environments.

Nearly two-thirds of email attacks spoofing brand names impersonate Microsoft or Amazon, according to one of two studies released today on advanced emailed threats.

More than half (54%) of attacks impersonate brands in their display names (the “from” field), according to Agari’s “Q4 2018 Email Fraud Identity Deception Report.” Hackers used Microsoft in 35.8% of attacks, varying their emails to mimic various units of Microsoft, such as OneDrive. Amazon came in second at 26.8%; attackers impersonated divisions including Amazon Web Services (AWS) and Amazon Prime.

Display name deception was the most common attack vector, Agari researchers found, but common trends were different for high-value targets, such as C-suite execs. For these targets, Microsoft was used in 71% of attacks; Dropbox was a distant second at 7%.

Impersonation attacks often arrive disguised as service updates, password resets, and security alerts. It’s what employees expect to see, given businesses’ reliance on Microsoft. Dropbox is common for malware distribution because people frequently use it to receive files.

“The brands that are being used are ones you’d expect to get emails from on a regular basis and that people trust,” says Seth Knox, vice president of marketing at Agari, adding that Office 365 is a common target. “There are a lot of people migrating to Office 365, and that gives you access to a lot of material if you get into someone’s corporate account.”  

Cloud infrastructure is similarly vulnerable if an attacker successfully deceives someone who handles the company’s AWS account. “That could be very damaging to a business,” he notes.

Overall, 62% of advanced email attacks use display name deception, researchers learned. While 54% impersonate trusted brands, 8% mimic individuals. Indeed, business email compromise (BEC) is an increasingly common, dangerous, and expensive threat to the enterprise. Earlier this summer, the FBI reported BEC and email account compromise losses hit a global $12 billion.

Supporting the rise of email fraud is Proofpoint’s Q3 2018 “Quarterly Threat Report,” which found targeted organizations received an average of more than 36 attacks in the third quarter – marking a 77% increase year over year. Attackers are shifting their tactics as they learn what works and what doesn’t in terms of whom to target and how best to deceive them.

“In a targeted attack, they can see what works and what doesn’t and adjust accordingly,” says Chris Dawson, threat intelligence lead at Proofpoint, pointing to a prime example from the company’s most recent research: “Attackers are using fewer spoofed identities.”

Fewer Impersonations, More Victims
Unlike malware campaigns, which are typically designed to send thousands of messages at once, email fraud gives attackers a chance to craft specific messages to be successful. Trial and error has taught them if they want to be effective, they need to limit their impersonations.

From Q2 to Q3, Proofpoint saw a 68% reduction in the number of identities that were spoofed. In Q3, BEC attackers impersonated an average of five users, a number previously seen in 2017. However, BEC attacks increased overall in the same quarter, a sign of threat actors trying to use a smaller number of fake identities to deceive a larger pool of victims.

(Image: Twinsterphoto - stock.adobe.com)

Previously, Dawson says, attackers would try to spoof a range of people: CEOs, CFOs, CISOs, higher-ranking HR employees, and people in the supply chain. Now they’re limiting attacks to more recognizable people, including CEOs and CFOs, and they’re sending fraudulent messages to the people who have a close working relationship with those executives and will expect emails.

“They know the people who are going to be, on a regular basis, getting those emails from a CEO or CISO, asking for something to happen,” he explains. “What they found is with the broader spread of spoofed identities, it’s hard to do that effectively and not get caught.”

Dawson points out that researchers found an increase in the number of attacks originating from addresses spoofed within the company. Nearly 50% will pretend to be from a colleague.

When they write malicious emails, researchers found attackers are conveying a greater sense of urgency. Their requests now come with timelines and warn recipients of consequences for delays. Further, they saw payroll-related scams increase 549% – a small percentage of the total but a reminder that subject lines don’t necessarily need to be related to specific events.

The Step You Should Take
Both Knox and Dawson advise businesses to protect all variations of their domains that could potentially be used to trick employees. If they’re registered, attackers can’t use them.

“I’d recommend companies proactively register all of those potential look-alike domains,” Dawson says. “Companies are less likely to do that than the bad guys are.”

Knox recommends implementing Domain-based Message Authentication, Reporting and Conformance (DMARC), an open email authentication standard that prevents domain names from being spoofed in phishing or spam emails. In an analysis of more than 280 million domains in Q3 2018, Agari saw DMARC adoption increase from 3.5 million domains in July to 5.3 million in October.
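A DMARC record is only as protective as its policy: p=none merely asks receivers to report, and a pct= below 100 applies the policy to only a sample of failing mail. The following is an added example, not Agari's tooling, that parses a DMARC TXT record and grades how much protection it actually requests; the sample records and the address dmarc@corp.example are constructed, and no DNS lookup is performed.

```python
def parse_dmarc_record(txt):
    """Split a DMARC TXT record into ordered (tag, value) pairs; tag names lower-cased."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: " + part)
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    return tags


def assess_dmarc(txt):
    """Grade a DMARC record: invalid, monitor-only, partial-enforcement or enforcing."""
    tags = parse_dmarc_record(txt)
    # The version tag must come first (RFC 7489 requires v=DMARC1 as the opening tag).
    if not tags or tags[0] != ("v", "DMARC1"):
        return {"level": "invalid", "reason": "record must begin with v=DMARC1"}
    t = dict(tags)
    policy = t.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"level": "invalid", "reason": "missing or unknown p= tag"}
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 100                      # unparsable pct is treated as the default of 100
    pct = max(0, min(100, pct))
    # Subdomain policy defaults to the domain policy; sp=none quietly leaves subdomains open.
    subdomain_policy = t.get("sp", policy).lower()
    aggregate_reports = t.get("rua", "").startswith("mailto:")
    if policy == "none":
        level = "monitor-only"
    elif pct < 100:
        level = "partial-enforcement"
    else:
        level = "enforcing"
    return {
        "level": level,
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "pct": pct,
        "aggregate_reports": aggregate_reports,
    }


# Constructed sample records (not real domains' records).
SAMPLE_RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@corp.example",
    "sampled": "v=DMARC1; p=quarantine; pct=25",
    "enforcing": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@corp.example",
    "broken": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, assess_dmarc(record))
```

An adoption count like the one Agari reports says how many domains publish a record; a grade like this says how many of those records would actually cause a spoofed message to be quarantined or rejected, which is the number that matters for the impersonation attacks described above.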


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/attacks-breaches/microsoft-amazon-top-becs-favorite-brands/d/d-id/1333182?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IT Wi-Fi kit bit by TI chip slip: Wireless gateways open to hijacking via BleedingBit chipset vuln

On Thursday, network equipment makers Aruba, Cisco, and Cisco-owned Meraki plan to patch two flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) that power their respective enterprise Wi-Fi access points.

The coordinated disclosure, prompted by security biz Armis’ discovery of two critical vulnerabilities, aims to patch holes in BLE implementations that allow an attacker to read network traffic traveling through affected access points, inject and execute malicious code on the routers, feed malware to connected devices, and traverse network segments. These flaws can be exploited over the air.

In a phone briefing with The Register, Nadir Israel, cofounder and CTO of Armis, said the three companies account for about 70 per cent of wireless access point hardware sold to enterprises annually, though the number of affected devices isn’t yet known.

The vulnerable TI chips, he said, create a new attack surface, one that isn’t visible to affected organizations. “Once you take over a piece of the network infrastructure, you can do pretty much anything including bypassing network segmentation,” he said.

Israel said that enterprises will need to check to see whether their Wi-Fi access points are vulnerable. “It will require every organization that has these access points to patch or validate their BLE hardware,” he said.

As is now the trend with significant vulnerabilities, the flaws have been given a name: “BLEEDINGBIT,” in shouty capitals, no less.

Ben Seri, VP of research at Armis, said the name describes the nature of the first of the two flaws. It affects two TI BLE chips (CC2640 and CC2650) which can be found in Cisco and Meraki Wi-Fi access points.

“There’s a bug in the code on the TI chips that’s supposed to mask out certain bits in the BLE packet,” Seri explained.

If an attacker turns on the highest-order bit in the BLE packet length field, which is supposed to be reserved, that can lead to memory corruption in the BLE stack and potential remote code execution.
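The defect Seri describes is a receiver acting on a length field without first clearing the bits the format reserves, so a value the sender should never set becomes a length larger than any buffer the firmware allocated. The following is an added example, not TI's firmware and not a verbatim rendering of the Bluetooth specification, that models the hardened receive path: a one-byte length field whose low 6 bits carry the length and whose top 2 bits are reserved (this layout, the 37-byte buffer and the sample PDU are assumptions made for the illustration). It shows the two checks that together prevent the memory corruption: mask the reserved bits, then bound the copy by both the buffer capacity and the bytes actually received.

```python
# Simplified model, an assumption for illustration only: a one-byte length field with the
# payload length in bits 0-5 and reserved bits 6-7 that a receiver must ignore.
LENGTH_MASK = 0x3F            # bits 0-5: payload length
RESERVED_MASK = 0xC0          # bits 6-7: reserved, must be cleared before use
RX_BUFFER_SIZE = 37           # constructed receive-buffer capacity for this model


def declared_length(length_byte, mask_reserved=True):
    """Length a receiver would act on, with or without clearing the reserved bits.

    With mask_reserved=False this reproduces the faulty reading: a set reserved bit
    inflates the length far beyond what the field can legitimately express."""
    return length_byte & LENGTH_MASK if mask_reserved else length_byte


def receive_pdu(pdu, buffer_size=RX_BUFFER_SIZE):
    """Hardened receive path.

    1. Clear the reserved bits of the length field.
    2. Refuse a length larger than the receive buffer.
    3. Refuse a length larger than the number of payload bytes actually received,
       so a truncated packet cannot make the copy read past the end of the frame."""
    if not pdu:
        raise ValueError("empty PDU")
    length = declared_length(pdu[0])
    if length > buffer_size:
        raise ValueError(f"declared length {length} exceeds buffer of {buffer_size}")
    payload = pdu[1:]
    if length > len(payload):
        raise ValueError(f"declared length {length} but only {len(payload)} bytes received")
    return bytes(payload[:length])


def is_rejected(pdu, buffer_size=RX_BUFFER_SIZE):
    """True when the hardened path refuses the PDU."""
    try:
        receive_pdu(pdu, buffer_size)
        return False
    except ValueError:
        return True


# Constructed PDU: length byte 0x8A has reserved bit 7 set over a real length of 10,
# followed by exactly 10 payload bytes.
CRAFTED_PDU = bytes([0x8A]) + bytes(range(10))

# Constructed PDU that claims 20 payload bytes but carries only 5.
TRUNCATED_PDU = bytes([0x14]) + bytes(5)

# Constructed PDU whose masked length (63) is valid for the field but larger than the buffer.
OVERSIZED_PDU = bytes([0x3F]) + bytes(63)

if __name__ == "__main__":
    print("unmasked reading:", declared_length(CRAFTED_PDU[0], mask_reserved=False))
    print("masked reading:  ", declared_length(CRAFTED_PDU[0]))
    print("payload:", receive_pdu(CRAFTED_PDU).hex())
    print("truncated rejected:", is_rejected(TRUNCATED_PDU))
    print("oversized rejected:", is_rejected(OVERSIZED_PDU))
```

Note that masking alone is not sufficient in this model: 6 bits can still express 63, which exceeds the 37-byte buffer, so the capacity check is needed even when every reserved bit is honoured. In C firmware the same three checks would sit immediately before the memcpy into the receive buffer.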

The second flaw involves a flaw in four different TI BLE chips (CC2540/1, CC2640/50, CC2640R2, and CC2642R) powering Aruba access points that makes TI’s over-the-air (OTA) download feature accessible. Intended for developers, OTA access is supposed to be disabled in production. But for affected Aruba devices it wasn’t, according to Armis, affording an attacker the opportunity to install firmware and overwrite the device operating system.

“When you think about cyber attacks that can target organizations, most take time,” said Seri. “Here it’s actually really simple to get onto the network. Sending out a few packets allows an attacker to penetrate an access point and gain a foothold in the network.”

The affected TI chips are also used for applications other than wireless access points, including home and building automation, industrial controls, retail beacons and payment devices, health and medical devices, and fitness and gaming gear.

In terms of mitigation, Armis offers the following recommendations:

For CC2640 (non-R2) and CC2650, BLE-STACK version 2.2.1 or earlier is impacted; customers can update to version 2.2.2.

For CC2640R2F, version 1.00.00.22 (BLE-STACK 3.0.0) is impacted; customers can update to SimpleLink CC2640R2F SDK version 1.30.00.25 (BLE-STACK 3.0.1) or later.

For CC1350, version 2.20.00.38 (BLE-STACK 2.3.3) or earlier is impacted; customers can update to SimpleLink CC13x0 SDK version 2.30.00.20 (BLE-STACK 2.3.4) or later.

Armis, which last year identified nine flaws in the Bluetooth stacks used by Apple, Google, Microsoft, and certain Linux distributions, said it’s still in the process of assessing the scope of these flaws and is working with the CERT Coordination Center and vendors to ensure affected devices get patches. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/01/it_bit_by_ti_chip_slipup_dubbed_bleedingbit/

FIFA Reveals Second Hack

Successful phishing campaign leads attackers to confidential information of world soccer’s governing body.

FIFA, the international governing body of soccer, was hacked for a second time earlier this year, the organization has acknowledged. While full details of the hack and its consequences have not yet been released, some information has begun to emerge.

One known: how the hack took place. A phishing campaign succeeded in convincing Union of European Football Associations (UEFA) staff and officials to give up their network credentials, allowing the attackers to access confidential information.

This second hack came to light after a new group of internal documents was obtained by Football Leaks, the same organization that published documents obtained in the earlier leak. The first hack helped bring down FIFA officials and shed unflattering light on how decisions are made within the organization.

German newsweekly Der Spiegel has exclusive access to a collection of new documents and is now sharing them with an investigative reporting consortium known as European Investigative Collaborations (EIC), which says it will begin publishing the information as soon as tomorrow.


Article source: https://www.darkreading.com/attacks-breaches/fifa-reveals-second-hack/d/d-id/1333174?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple