STE WILLIAMS

RTF Design, Office Flaw Exploited in Multi-Stage Document Attack

Threat actors chained CVE-2017-8570 with known design behaviors in .docx and RTF to launch a multi-stage document attack.

A newly discovered multi-stage document attack exploits design behaviors in .docx and RTF, along with CVE-2017-8570, to drop a malicious payload called Formbook on target endpoints. Attackers bypass traditional security tools with embedded URLs instead of active code.

Researchers at Menlo Security Labs who isolated the second-stage document say the behaviors enabling this attack are not new, but that this threat demonstrates an increasingly common way for hackers to slip past security defenses by relying on remotely hosted malicious objects.

“What we discovered is a new way in which Windows is getting the second-stage payload,” says Vinay Pidathala, Menlo’s director of security research. “There’s absolutely no macros, no shellcode being used, just a URL. When the victim opens the document, it will go and fetch the remotely hosted components and load it in the context of the Word process.”

The first stage of this attack is a spearphishing email with a malicious .docx file attached. The file does not have any macros, nor does it use any exploits, and embedded in its frame section is the URL. If the doc is opened, Word makes an HTTP request to download the remote object the URL is pointing to, which in this case redirects to another URL that points to a malicious RTF file.

Attackers are abusing capabilities in Microsoft Word that were more commonly used when it was an HTML editor, says Pidathala. Nobody uses Word to edit HTML anymore, he says, but those functions and API calls still exist and threat actors are taking advantage of them.

The RTF file contains an embedded script and another exploit, he continues. It marks stage two of the attack, which abuses both a design behavior in RTF documents and the CVE-2017-8570 vulnerability. When an RTF document with an embedded object is opened, the object is automatically dropped into the %TEMP% directory of Windows.
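The two document behaviours just described (a .docx whose frame points at a remotely hosted object, and an RTF carrying an embedded object that Word materialises on open) can both be spotted statically, without opening the file in Word. The following scanner is an added example for defenders and is not Menlo Security's tooling or code. It assumes that a Word frame's remote source is recorded as an OPC relationship with TargetMode="External" (the constructed sample places it in word/_rels/webSettings.xml.rels) and that RTF embedded objects appear as \object groups carrying \objdata; the sample documents are built inline so the script runs offline.

```python
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def docx_external_targets(data: bytes) -> list[tuple[str, str, str]]:
    """Return (rels part, relationship kind, target) for every relationship in
    the .docx package marked External that points at an http(s) URL.
    A benign document normally has none; the first-stage document described
    above has at least one (here of kind 'frame')."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PR_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and re.match(r"(?i)https?://", target):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, kind, target))
    return findings


_RTF_OBJECT = re.compile(rb"\\object\b")
_RTF_OBJDATA = re.compile(rb"\\objdata\b")


def rtf_embedded_objects(data: bytes) -> dict[str, int]:
    """Count \\object groups and \\objdata payloads in an RTF file.
    A non-zero count means Word will materialise an object when the document
    is opened, which is the %TEMP% drop behaviour described in the article."""
    if not data.lstrip().startswith(b"{\\rtf"):
        raise ValueError("not an RTF file")
    return {"object": len(_RTF_OBJECT.findall(data)),
            "objdata": len(_RTF_OBJDATA.findall(data))}


def build_sample_docx(frame_url: str | None) -> bytes:
    """Construct a minimal .docx in memory (a constructed sample, not a real
    one). When frame_url is given, the package carries a frameset whose source
    is an External relationship; this is the assumed layout of a Word frame
    that references a remote page."""
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>')
    doc_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{PR_NS}">'
                f'<Relationship Id="rId1" Type="{REL_BASE}/webSettings" Target="webSettings.xml"/>'
                '</Relationships>')
    web_settings = ('<?xml version="1.0" encoding="UTF-8"?>'
                    '<w:webSettings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                    f'xmlns:r="{REL_BASE}">'
                    '<w:frameset><w:frame><w:sourceFileName r:id="rId1"/></w:frame></w:frameset>'
                    '</w:webSettings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/webSettings.xml", web_settings)
        if frame_url is not None:
            web_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                        f'<Relationships xmlns="{PR_NS}">'
                        f'<Relationship Id="rId1" Type="{REL_BASE}/frame" '
                        f'Target="{frame_url}" TargetMode="External"/>'
                        '</Relationships>')
            zf.writestr("word/_rels/webSettings.xml.rels", web_rels)
    return buf.getvalue()


# Constructed RTF sample: one embedded OLE object with a short objdata payload.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
              b"{\\*\\objdata 01050000020000000b00000050616b616765}}}")


if __name__ == "__main__":
    suspicious = build_sample_docx("http://example.invalid/stage2")  # placeholder URL
    for part, kind, target in docx_external_targets(suspicious):
        print(f"docx: external {kind} relationship in {part} -> {target}")
    print("rtf:", rtf_embedded_objects(SAMPLE_RTF))
```

A mail gateway or endpoint scanner can apply both checks before a user ever opens the attachment: any External http(s) relationship in a .docx deserves a second look, and an RTF containing \objdata should be treated as carrying executable content even though the file holds no macros.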

“This is a well-documented design behavior, but we’re seeing these getting abused by attackers now,” he points out.

Half of the attack is achieved by dropping the malicious component on the endpoint, but it needs to be executed in order to fully compromise the machine. CVE-2017-8570 does this by executing the object to complete the attack and drop the Formbook malware.

Formbook, the final payload in this scenario, is a commercially available malware capable of taking screenshots, stealing personally identifiable information, keylogging, and downloading additional components if and when it needs to. Menlo researchers believe this is the first time Formbook has been delivered in this specific way.

While it’s not a complete banking Trojan, Pidathala points out that it does have a banking component built into it. Full banking Trojans are solely built for stealing banking credentials; he describes this as “more like a RAT that has a lot of functionalities built into it.”

This attack signifies a broader trend of threat actors leveraging remotely hosted objects to sneak past security defenses. In 2017, there were many zero-day exploits capable of fetching remote objects from the Internet and exploiting them in the context of Word, which researchers say was the only Office application used for this attack.

Now, attackers have begun to chain exploits with design behaviors to call remotely hosted malicious objects and run them without raising any red flags to the victim.

“All they have to do is open the first-stage document and that’s pretty much it,” says Pidathala, emphasizing the lack of user interaction needed to successfully launch the attack. “From there, they don’t have to click anything or interact with the malicious document in any way.”

It’s difficult to tell an attack is taking place. “They’re not able to identify anything malicious about it because all there is, is a reference to an external URL,” says Menlo CTO Kowsik Guruswamy. “Technically it’s not malicious; it’s just a URL that happens to follow through with all the second- and third-stage droppers.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/rtf-design-office-flaw-exploited-in-multi-stage-document-attack/d/d-id/1331482?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

6 Myths About IoT Security


Image Source: tulpahn via Shutterstock


There’s every reason to be concerned about the potential of an IoT system, sensor, or device being hacked in the enterprise or a user’s home office.

These devices regularly are exposed for their vulnerabilities, and most are not built with security in mind. An attack via an IoT device can blindside an organization: Take the hotel in Las Vegas last year that lost data when a hacker made his way on to the network through a high-tech fish tank.

Over time, just about every household appliance and piece of office equipment will have an IP address, which means it will be potentially open to hackers.

Forrester’s Merritt Maxim says 92% of global technology decision-makers with more than 1,000 employees say they have security policies in place for their firm’s use of IoT devices and solutions. However, only 47% consider their security tools sufficient. A full 34% consider their security tools insufficient and another 10% say they do not have security tools to enforce their IoT security policies.

“I think the biggest misconception people have is that these type of hacks could not happen in real life,” Maxim says. “People don’t think that their refrigerator, car, or office will be hacked, but the threat is real and the likelihood is that these threats will only increase.”

Imposing though the threat has become, Suneil Sastri, director of product and content marketing at SOTI, adds that there are steps IT staffs can take to mitigate the threat.

“People need to understand that there are solutions,” Sastri says. “IT people and consumers can change passwords, encrypt devices, and remotely patch devices. What we’re concerned about is that people won’t move forward with IoT because they are worried about security.”

Jeff Wilbur, director of the Online Trust Alliance, says the good news is that some IoT vendors are fixing exposed vulnerabilities in their products, such as Fitbit, LG’s Smart ThinQ dishwashers, and Samsung SmartThings. 

Here are some common myths about securing IoT devices and systems.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/attacks-breaches/6-myths-about-iot-security/d/d-id/1331408?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

There’s security – then there’s barbed wire-laced pains in the arse

If IT has a reputation as the gatekeeper, the security department is the one providing the locks and barbed wire.

End users think IT security is a hassle: complex passwords, password expiry and multi-factor authentication are tolerated when they are made mandatory, but nobody is thrilled about it.

But look at it from the consumer’s perspective. Even before it was reported that devs working for Cambridge Analytica had employed data harvested from more than 50 million Facebook profiles without permission, consumers had expected those holding their information would protect it as far as possible. That included access by authorised people only. Facebook and Cambridge Analytica will have sharpened those anxieties.

Meanwhile, with each successive data breach, expectations have evolved and individuals and governments increasingly expect breach notifications.

All good for the consumer – but a headache for organisations, IT departments and end users.

How, then, do we enforce security and compliance without getting in the way of the user’s “experience”? Dare we even ask that question or does security and compliance rule above all – regardless of usability? Maybe that depends on who you are asking.

A secure and compliant IT environment

Once upon a time, IT security was easier. Configure your firewalls, put your internet-facing servers in a DMZ, lock down your desktops (including restricting floppy drives or USB access) and add a good antivirus software. Control remote access via a bank of dial-up modems with security tokens thrown in for good measure. Now, the internet is on everyone’s phone and we have corporate data in the cloud, being accessed from the same machine a teenager downloads torrents on to.

For the IT pro, security and compliance has become “choose the right tools and configure them correctly”. That sounds so simple. Let’s throw in “educate your users” so they aren’t entering their login credentials into dodgy phishing links because they may have been expecting a parcel delivery.

The fun starts when you try to decide what the “right” tools are and how they should be configured. Evaluating your options for threat protection, data loss protection, conditional access, cloud access security brokers or mobile device management is complicated.

The natural starting point is your current tech stack and seeing what your vendor of choice can offer. It’s also natural to jump on your forum of choice and ask the tech tribe for their experiences and recommendations.

In the background is the fact you’re probably constrained by budget and, as with any technology choice, your decision won’t be validated until after its implementation. Good luck if it’s a one-year (or more) licensing deal.

What’s less obvious, though, are the security and compliance controls that already exist right under our very noses. From the very bottom of the tech stack, there exist “geek knobs” to tweak that are all gladly set to a default. BIOS and operating systems have become more secure by default (ignoring inbuilt vulnerabilities for the purpose of this paragraph). Yet there’s still a skill in reviewing the defaults to see if they meet our organisational needs. Technical blogs and best-practice recommendations exist for a reason – they give us comfort that we’re securing our environment in the best way possible, if such a thing exists.

And don’t think just because you’re using Software-as-a-Service you’re safe. Let’s assume you’ve reviewed the SaaS app first before purchasing it to check that its features meet your security and compliance requirements. You did that before spinning up your first team in Slack, right? You might find you need a premium plan or paid security add-on. And then there are settings in the application itself – who can create folders or channels, who can delete things and who information can be shared with. All need to be carefully tweaked to reflect your organisation’s needs and to protect your users from themselves. Repeat after me: “The default settings aren’t always right for us.”

A secure and compliant corporate culture

So here’s the thin security line: how far do you go with locking everything down?

On the desktop, do you prevent users from executing any installation file? In SaaS apps, do you prevent the creation of new folders or channels? Do you even disallow access from non-corporate devices entirely (through HR policy enforcement rather than technical solutions, if necessary)? The bad news is there is no standard answer. All of these decisions are a judgement call and will vary from one organisation to another. That seems kind of weird, when you think security would be a standard thing that everybody does the same way. Work for more than one company in your career (even in a non-tech role) and you’ll see how wildly different those decisions can be. Isn’t choice a great thing?

Maybe in an ideal world, vendors would truly make products that are secure by default and came with no geek knobs to tweak. I can only imagine the uproar. IT pros hate losing control.

If, in the real world, we tweaked all those knobs way down low and locked all the things, would we have end-user mutiny on our hands? Again, that answer varies. A bank or government defence agency would have no issues with that approach. Yet some businesses with less than 20 staff would scream if they had to ever change their PC login password or, heaven forbid, they were forced to use individual login accounts for each person (I kid you not). Unfortunately, some of those small businesses handle things like financial data.

It’s a scary thing to note that some corporate cultures are more accepting of security and compliance measures than others. Usability does play a big part in this acceptance, including a shift in what the end users are used to. On your first day as a bank employee, you get your own login with an expiring password and a locked-down desktop. You’re subjected to loss-prevention training that talks about things like internal fraud and you’re told in no uncertain terms to lock your computer when you’re away from it. Small businesses miss that memo and just trust their colleagues. Try to change how people are operating and you get resistance, especially if you are taking away some of their freedoms.

The bank employee induction is a great example of a security-conscious culture, driven by management and accepted as the norm. If we could just figure out how to replicate that across every organization, maybe our data would be a little safer.

Actions and consequences

Step too far into the security world, however, and you may be faced by a mutiny. Locking down all the things sure makes them secure, but it can be counter-productive and stifle a modern, work-from-anywhere culture.

So much so that shadow IT is a thing, where workers implement their own workarounds to get things done outside of IT’s acceptance. Some cloud security tools like Microsoft’s Cloud App Security now exist to find and detect the use of all SaaS solutions from your network, to shine a light on what may not be authorised.

An Australian horror story exists of a guy spinning up an AWS instance from a cafe across the road from work to test out a theory for a project. Access to AWS was blocked from the corporate network and the IT approval process was too cumbersome and time consuming for a small proof of concept. He figured out an easier way to do it: using his mobile phone’s hotspot from his work PC. While IT people cringe at this, the company in question is quick to point out it involved test sample data and patted the guy on the back for coming up with a successful outcome.

So, from personal Dropbox accounts to your company data in random cloud PaaS systems, these are the knee-jerk reactions to the IT security barbed wire, when we make it all too hard for the business to get their work done.

Can we build HR policies to dissuade people from doing this? Sure, but they’re toothless tigers if management are going to pat people on the back instead. And let’s not get started about what you do when management are the ones putting in the workarounds.

Maybe the best approach is to create that security-conscious culture. Change the employee perspective by highlighting how they would feel if another company leaked their sensitive personal or financial information. To your customers, you are that company. It also doesn’t hurt to examine your controls and see how they impact the day of an employee. A simple process change or technology tweak could remove some of the friction while still maintaining a secure and compliant environment.

Timeless struggle

Maybe we can only dream of a world where security, compliance and ease of use can co-exist. Maybe we need to suck it up and put security first, regardless. It’s a battle that’s raged since the dawn of the password. Decades on, even with the use of biometrics to supposedly make things that much more impregnable, we’re still wondering how to strike the right balance. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/09/balancing_security_compliance_freedom/

Linux Beep bug joke backfires as branded fix falls short

Retro programmers may need to reconsider using the Linux beep command as an activity or progress alert.

One of the silliest bugs on record emerged late last week, when Debian project leader Chris Lamb took to the distro’s security list to post an advisory that the little utility had a local privilege escalation vulnerability.

The utility lets a command-line user control a PC’s speaker or, more usefully, lets a program call it from the command line to tell the user something has happened.

That is, of course, if their machines still have a beeper-speaker, which is increasingly rare and raises the question of why the utility still exists. Since beep isn’t even installed by default, it’s not hard to see how the issue could have gone unnoticed.

News of the bug emerged at holeybeep.ninja/, a site that combines news of the bug with attempts at satirising those who brand bugs and put up websites about them.

But the joke’s on holeybeep.ninja because according to the discussion at the Debian mailing list, the fix the site provided didn’t fix all of beep‘s problems.

As Tony Hoyle wrote: “The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn’t do it as root, but people are people) … It’s concerning that the holeybeep.ninja site exploited an unrelated fault for ‘fun’ without apparently telling anyone.”

German security researcher and journalist Hanno Böck alerted the OSS-sec list to further issues on Sunday.

Böck listed an information disclosure bug in which beep “opens arbitrary files for write as root, bypassing file permissions”.

Debian’s Rhonda D’Vine wrote this reveals the existence of files normally hidden from the user, and: “If a file has side effects when opened, beep allows the calling user to trigger those side effects even if they are not authorised to do so. Jakub Wilk pointed out that named pipes and tape devices are affected.”

Böck’s note also linked to an integer overflow and a bug in the patch supposed to fix the original issue.

As a result, Böck wrote, beep should probably be discarded: it needs a proper code review, and there’s not much point to the effort “for a tool talking to the PC speaker, which doesn’t exist in most modern systems anyway.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/09/linux_beep_bug/

Cisco mess from 2017 becomes tool for state-sponsored infrastructure attacks and defacements

Cisco’s Smart Install software has become the vector for a series of infrastructure attacks and politically-motivated defacements.

Cisco’s own Talos security limb reports that bad actors, some likely state-supported, have been scanning Switchzilla devices to see if they run Smart Install. The tool is insecure by design because its purpose is to allow deployment of brand-new switches to remote sites. Those switches are therefore insecure as they await proper configuration.

Or improper configurations: Cisco has previously explained that potential attacks reached all the way up to replacing the IOS operating system image (if the attacker had the resources to create their own IOS-like image).

Because of those dangers and because many users forgot to turn Smart Install off, Cisco last year released a tool to shut it down. But Talos says about 160,000 devices still run the software and some are under attack.

Figure: Traffic probing for Smart Install (source: Talos). Talos is seeing increasing probes for the Smart Install client.

Kaspersky Labs thinks it’s found evidence of those attacks. The company has reported that parties are replacing the firmware on Cisco switches so they boot up with the message “Do not mess with our elections” and an ASCII art United States flag. The attack also bricks the device.

Talos has reminded users how to see if a switch is running Smart Install:

switch#show vstack config | inc Role
Role: Client (SmartInstall enabled)

Talos has also advised that you can switch off Smart Install with the no vstack command or by using an access control list to limit access to Smart Install. Or you could use Cisco’s patch from 2017, which it seems a remarkable number of people did not deploy! ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/09/shodan_can_see_160k_cisco_smart_install_clients_and_some_are_getting_attacked/

Crooks are swapping out chips on payment cards, says US Secret Service

Well-known cybersecurity journalist Brian Krebs is reporting a US scam aimed at chip-based payment cards.

The crooks are stealing cards before they reach their intended recipients – an old technique for credit card fraud, admittedly, but now with an added twist.

These days, just stealing a new card in transit often won’t work, because the crooks don’t have the information needed to activate the new card…

…but in this scam, the crooks have figured out a way to do an end run around the activation process: steal just the chip off the card, and wait for the legitimate recipient to activate the card.

Assuming the recipient doesn’t spot the tampering, of course.

How the crime works

According to the US Secret Service, the government law enforcement agency that deals, amongst other things, with postal fraud, the crime goes something like this:

  • Intercept cards on the way to corporate recipients. We’re not sure whether corporates are targeted because they have more money, because they tend to receive cards in easily-detectable batches, or because their card usage patterns mean that scammed cards generally take longer to get spotted.
  • Prise the chips out of the cards.
  • Glue old chips from expired cards into the holes left by the real chips. The replacement chips don’t need to work – they merely need to look OK to disguise the fact that the cards have been tampered with.
  • Send the original cards onwards to the intended recipients.
  • Wait for the recipients to activate the modified cards.
  • Spend, spend, spend using the stolen chips glued onto fake blank cards. This works either until the card issuers spot irregularities in the transactions being processed, or until the cardholders try to do chip transactions themselves, realise their new cards have dud chips, and report the problem.

What to do?

As far as we can see, this sort of scam would be harder to pull off outside the US, where chip transactions require a PIN as well as the chip.

Banks in some countries still insist on sending out both new cards and PINs by snail mail, which is insecure for recipients who live or work in apartment or office blocks with a shared mailbox area, but the crooks would nevertheless need to intercept both the cards and their matching PIN mailers to be able to use the stolen chips.

Chips aren’t hard to remove, however – here’s a video of us doing it using just a hairdryer and a pair of tweezers:

What to do?

Here are some tips that will help if you are worried about chip-swap scams:

  • Inspect the card mailer carefully. We assume that the crooks need accomplices inside the postal service who remove letters from the system so they can be opened, modified and re-sealed.
  • Inspect the chip and the card carefully. It’s hard to remove the chip without leaving some signs of tampering, so look out for heat damage (the card plastic tends to wrinkle, bend and change colour easily) or scratches around the chip where the original was pried out.
  • Take the card into your bank to activate it. That way the bank can verify whether the chip is valid or not before enabling it – activating online or over the phone works without validating the chip itself.
  • If you can’t activate in the bank, do a small chip transaction immediately after activation. Do not swipe the card, because you are testing to see if the chip is dud or not. If it is, cancel the card at once.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dPfmKq6_zMk/

T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more

Roundup While Facebook caught most of the security-related flak this week, there were other infosec stories out there.

Here’s a summary of stuff happening, beyond what we’ve already covered.

Don’t get pwned. Word. Dude

Microsoft, which used to be a byword for insecure software until Bill Gates’ trustworthy computing memo that turned the biz around, has added more defense mechanisms to its key suites this week: Redmond has upgraded the security for some Office 365 apps, if you’re using a paid-for subscription.

For a start, Microsoft has added password protection for links shared on its OneDrive cloud storage system. Competitor Dropbox did this a while back, and it’s about time Redmond followed suit.

Ditto its changes to Outlook, which now claims to have end-to-end message encryption. People using Outlook.com, Outlook for iOS and Android, or Windows Mail can send encrypted messages between themselves transparently – there’s no need to click on stuff to decrypt, etc. If you send an encrypted message to someone without the above software or service, then they can “choose to receive a one-time passcode or re-authenticate with a trusted provider before viewing the email,” Microsoft Office exec Kirk Koenigsbauer said.

Word, Excel, and PowerPoint are also getting an upgrade, with automatic scanning of links embedded in documents. The new code will check out the URLs to make sure that they aren’t on Redmond’s databases of dodgy websites and pages.

But one big, and very welcome change by Microsoft could do a lot to quell the scourge of ransomware that has become so prevalent over the last year. The Files Restore feature for paid subscribers allows you to restore OneDrive contents from a backup that covers the last 30 days of use, meaning if some malware has scrambled your files, you can retrieve intact copies. And the system can detect when the ransomware struck, and automatically restore to the last good safe checkpoint.

Another blow for ransomware

For nearly a year now, businesses around the world have been stymied by the LockCrypt ransomware, a particularly nasty strain of the criminal code.

Researchers at Malwarebytes Labs took a deep dive into the code and discovered that the creators had made a bit of a boo boo. Rather than using a proven encryption system, the writers had rolled their own and weren’t that good at it.

“The authors did not make the best choice for the random generator,” the eggheads report. “Rather than using a cryptographically strong one, they went for the GetTickCount function.”

As a result it now looks likely that a number of LockCrypt-infected PCs can now get their files back using suitable recovery tools. Until, that is, the code is refreshed, and the whole cat and mouse game begins again.

Yet another piece of stupidity

Funny though the bad LockCrypt code is, it hasn’t been the worst cockup of the week. As we were going to press, a conversation on Twitter showed a quite astonishing display of hubris.

A customer asked whether rumors were true that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria’s Twitter account confirmed that this was the case, but said that there was no need to worry because “our security is amazingly good.”

That line is going to bite T-Mobile Austria in the backside, if or when they next get hacked. To be fair, it’s late at night in Europe and the Twitter account was probably being handled by an overworked social media worker, but it’s not a good look. Especially when people started digging further and found various security shortcomings. The whole thread is a mind job.

But that doesn’t excuse the plain-text password storage. T-Mobile USA confirmed it does not store passwords in plain text.

Finnish f**kup

Such stupidity pushed back a story we’d planned to Finnish on. Geddit?

The Finnish Communications Regulatory Authority has issued an alert after the New Business Center in Helsinki, a company set up to advise companies on how best to get their businesses off the ground, got hacked. Information on 130,000 user accounts and their plaintext passwords were stolen in what’s thought to be the third largest data loss in numbers of users in Finnish history.

“Details of the business plans may also include information leaked,” the Finnish authority stated in an advisory.

“It is currently not known that the disclosed information would be freely accessible to anybody on the Internet. However, it is likely that the disclosed information has spread to cybercriminals.” ®
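Both the T-Mobile Austria story and the Helsinki breach above come down to the same failure: passwords kept in a form that is readable as soon as the store is copied. The following is an added example, not code from either company or from the articles, showing the standard alternative: a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the Python standard library), constant-time verification, and a check that lets an operator raise the work factor later. The iteration count and the record format are this example's own choices, and the two user records are constructed.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # chosen work factor for this example; raise it over time


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$digest.
    A fresh 16-byte salt per user means equal passwords get unequal records,
    so a leaked table reveals neither the password nor which users share one."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time; malformed or foreign records simply fail verification."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy,
    so it can be re-hashed transparently at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < minimum_iterations


def login(store: dict, username: str, password: str) -> bool:
    """Check a login against the store and upgrade weak records on success.
    Unknown users still pay the hash cost so timing does not reveal which
    usernames exist (the dummy record is constructed for that purpose)."""
    record = store.get(username, DUMMY_RECORD)
    ok = verify_password(password, record)
    if ok and username in store and needs_rehash(record):
        store[username] = hash_password(password)
    return ok and username in store


DUMMY_RECORD = hash_password("dummy", iterations=10_000)

if __name__ == "__main__":
    # Constructed store: what a leaked table looks like when hashing is done right.
    users = {"alice": hash_password("correct horse battery staple"),
             "bob": hash_password("hunter2", iterations=10_000)}  # legacy, weaker record
    print(users["alice"])
    print("alice ok:", login(users, "alice", "correct horse battery staple"))
    print("bob upgraded:", login(users, "bob", "hunter2") and not needs_rehash(users["bob"]))
```

The point of the record format is that the verifier never needs a side table of parameters: every row carries its own salt and cost, so the cost can be raised for new or re-hashed rows without invalidating old ones, which is exactly the migration path an operator sitting on a plain-text table needs.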

News in brief

  • We’ve been writing about SS7 attacks for a while now, in which miscreants with access to any phone company’s internal infrastructure redirect calls and text messages away from victims on the other side of the world. This allows crooks to hijack online accounts by intercepting password-reset tokens and two-factor authentication codes. If you’re interested in how these sorts of capers work, Alejandro Corletti Estrada of Spanish infosec biz DarFe has put together a 68-page guide on everything you wanted to know about exploiting SS7 but were too afraid to Google it and read thousands more pages of documentation.
  • Brit teen Saleem Rashid has published a rather in-depth guide to silently backdooring Ledger’s hardware cryptocurrency wallets. If you have physical access to the wallet, either while it’s shipping to a new customer or left unattended on a desk, or you can trick someone into installing malicious firmware on the gizmo, it is possible to tamper with the device to steal funds, Rashid claimed. One of the main sticking points is that Ledger’s hardware uses two microcontrollers, one to do the secure stuff, and the other to control the LCD and USB interfaces. The secure side can’t guarantee it is being given official Ledger firmware to run from the non-secure controller. France-based Ledger reckons it has addressed this design oversight with version 1.4 of its software, which you should install.
  • AT&T has bagged a $3.3bn tech infrastructure supply contract from the NSA, despite rival DXC offering to do the job for $750m less, documents released at the end of last month reveal. The exact work is classified. Essentially, Uncle Sam’s snoops thought AT&T’s technology was better than DXC’s, and worth the premium.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/07/security_roundup/

Is it a bird? Is it a plane? No, it’s a terrible leak of drone buyers’ data

Exclusive A popular drone dealership website left its entire transaction database exposed online with no encryption at all, revealing a host of purchases by thousands of police, military, government and private customers.

The DronesForLess.co.uk site was left wide open by its operators, who failed to protect critical parts of its web infrastructure from curious people, as spotted by Alan at secret-bases.co.uk, who told The Register.

We discovered more than 10,000 online purchase receipts had been saved to its web servers without any encryption or even password protection whatsoever – and the sensitive customer details in those receipts were exceptionally easy to access. Even your grandparents could have found it using Internet Explorer.

Details available for world+dog to browse through included names, addresses, phone numbers, email addresses, IP addresses, devices used to connect to the site, details of ordered items, the card issuer (e.g. Visa) and the last 4 digits of credit cards used to pay for goods.

Orders placed by police and military personnel included:

  • A purchase of a DJI Phantom 3 quadcopter by a serving Metropolitan Police officer, delivered to the force’s Empress State Building HQ in London, and made with a non-police email address composed of his unit’s very distinctive abbreviation
  • A British Army Reserve major who had an £1,100 drone posted to his unit’s HQ
  • A member of the Ministry of Defence’s procurement division who bought a DJI Inspire 2, complete with spare battery and accidental damage insurance
  • A member of the National Crime Agency, who appeared to have used his ***@nca.x.gsi.gov.uk secure email address to buy a Nikon Coolpix digital camera

It was unclear whether these purchases were for personal or governmental use.

Other orders seen by The Reg include ones placed by: staff from privatised defence research firm Qinetiq; the UK’s Defence Science and Technology Laboratory’s radar R&D base at Portsdown Hill; the Brit Army’s Infantry Trials and Development Unit; UK police forces up and down the country; local councils; governmental agencies; and thousands more orders placed by private individuals.

Many were for cameras and other optical gear as well as drones, reflecting the network of branded e-commerce sites that Drones For Less forms a part of.

Infosec researcher Scott Helme told us: “From a technical perspective having this kind of information in a publicly accessible directory is incredibly negligent. This information should be stored in a database and most certainly should not be available to the internet and stored in plain text!

“At a minimum the company involved need to contact all of the affected customers and inform them what data has been leaked so that they can take whatever steps they deem necessary, even if that’s just so they can be vigilant for potential phishing emails. I hope that the ICO will also take action against the company for such a negligent leak of personal information.”

About that UK web address…

Drones For Less gives a London Mailboxes ETC shop (effectively a PO box number) as its postal address, and an 0203 SIP number – which can be configured to forward calls anywhere in the world – as a contact telephone number.

We first called it to report the breach to the site’s operators on 2 April. After being invited to hold by a cheery North American-accented auto-answer message, we got through to a customer support rep who introduced himself as John. He also had a distinctly North American accent. John asked us to email him details of the breach. We did this and asked repeatedly for a statement from the firm, to no avail.

Repeated follow-up phone calls resulted in John sending us the email addresses of others within Drones For Less, inviting us to ask them for a comment, which we have done.

The dronesforless.co.uk domain name is registered to a company calling itself Mapleleafphoto LLC. The address – 2 Toronto Street, Toronto, Canada, as a Nominet Whois lookup shows – is a UPS shop, so is effectively another anonymous PO Box forwarding address.

A superficially similar website called Mapleleafphoto.ca gives a Quebec contact address which appears to lead to an industrial unit in that city.

The Drones For Less operator appeared, earlier this week, to be playing whack-a-mole with individual links to samples of the breached data we sent to him, taking those down but not others. Following sustained pressure, it now appears, to the best of El Reg’s ability to confirm, that the data has been removed from public view.

Drones For Less appears to be closely related to Cameras For Less, Video For Less and Tablets For Less, judging by house adverts on its Contact Us page.

A spokeswoman for the British government sent us a statement:

We treat the security of our information very seriously. We have asked the company involved to remove any public record of this data and to let all those affected know.

The UK Information Commissioner’s Office and Canada’s Office of the Privacy Commissioner are both aware of the breach. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/06/dronesforless_data_breach/

Protect Yourself from Online Fraud This Tax Season

Use these tips to stay safe online during everyone’s least-favorite time of the year.

‘Tis the season — the tax season … or should we say the tax fraud and risk season? While you might be concerned about preparing your taxes correctly, you should also be concerned about preparing them safely. While online tax filing is on the increase, attacks on tax software and online filings have increased too. You and your tax preparers need to be vigilant against tax fraud: do as much as reasonably possible to understand how attackers are looking to take advantage, and then apply the appropriate countermeasures.

Using high-level tools and tactics, cybercriminals can access information in your tax filings in the following ways.

  • Compromised account: Attackers can crack or leverage a compromised password and gain access to your online account. This is a common attack tactic. In fact, 81% of breaches leverage a compromised credential, according to Verizon’s 2017 Data Breach Investigations Report.
  • Account fraud: Attackers register for a new account with socially engineered information and act as you.
  • Account takeover: Attackers gain access to your email and then initiate a password reset to change the password to your account, essentially gaining access and locking you out.  

We recently looked at the data from a large tax preparer’s authentication attempts in a 30-day period during the 2016 tax season. Out of over 1 million user access attempts, more than 13,600 were either denied access or were asked for additional authentication to provide further proof of identity due to a high-risk score. That means 1.3% of all access attempts were suspicious or malicious.

Sixty days into the 2017 tax season, that same preparer had 1.5 million user authentication attempts with more than 28,700 of them being either denied access or asked for more authentication. That is, of all access attempts, nearly 2% were deemed suspicious or malicious, and were handled effectively.

If this tax preparer hadn’t used an access management service, this 1% to 2% of suspicious or malicious activity could have gone undetected for weeks, and at best discovered only after some attacker-based activity took place.

So, what can you do to protect yourself? Here are tips to stay safe online during the tax season:

1. Enable multifactor authentication. More and more tax services are offering, at a minimum, two-factor authentication. Where possible, use the additional authentication log-in options. If you’re using tax preparers, ask them how they intend to protect your information. If they can’t answer, you might want to consider having your taxes prepared by someone else.

2. Best password practice. If your preparers don’t offer seamless multifactor authentication protection and you still decide to do business with them, make sure you have a strong password that is unique and includes numbers and symbols — and never use it across multiple sites or accounts.

3. Don’t be fooled by phishing emails. Ever receive suspicious emails asking for personal information or offering an outrageous discount or tax refund? Never open them without doing a basic authenticity check. If it seems too good to be true, it probably is.

4. Be wary of public Wi-Fi. Cybercriminals can easily see individuals’ information on public Wi-Fi networks. Avoid inputting financial or sensitive personal information when connected to a public hotspot. Wait until you’re at home or on a trusted network. 

5. Keep up to date. Keeping systems patched and updated gives you the best chance of being protected against known security issues. This is true for the operating system, antivirus software, and additional resources such as home routers. This also includes cellphones and tablets and anything else you might use to prepare and file tax documents.


As Senior VP of Identity Strategy at SecureAuth and Core Security, Robert Block is responsible for executing strategic vision of preventing the misuse of stolen credentials. Block has over 19 years of IT experience — of which 15 years have been focused on identity and …

Article source: https://www.darkreading.com/vulnerabilities---threats/protect-yourself-from-online-fraud-this-tax-season/a/d-id/1331459?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Businesses Fear ‘Catastrophic Consequences’ of Unsecured IoT

Only 29% of respondents in a new IoT security survey say they actively monitor the risk of connected devices used by third parties.

Businesses’ concern about risk from the Internet of Things (IoT) is evolving faster than their security practices, according to a new survey about the danger of third-party devices. Risk management is still relatively immature, and it’s posing a threat to sensitive and confidential data, researchers report.

The new survey, conducted by the Ponemon Institute and commissioned by Shared Assessments, polled 605 people who work in risk and corporate governance and who are familiar with their organization’s use of IoT devices. Of these, 21% say their business suffered a data breach directly resulting from an unsecured IoT device or application — up from 15% last year.

Connected devices are cluttering the enterprise. Forty-four percent of experts polled say their organization keeps an inventory of IoT devices, and the average number of devices in the workplace is 15,874. Sixty percent of respondents say their business considers IoT devices to be endpoints to their networks or enterprise systems.

“There’s an almost universal recognition that the risk associated with IoT devices and apps could create a catastrophic security incident,” says Charlie Miller, senior VP of Shared Assessments, echoing the thoughts of 97% of survey respondents.

“The experience they’re having with regard to data breaches and attacks is really heightening their awareness,” he continues. “The IoT device spectrum represents an increase of that threat vector. There’s a fear … that it creates an almost perfect storm for them to be attacked through additional vectors.” Yet the data shows businesses aren’t taking steps to protect themselves.

More than half (56%) of businesses don’t inventory their IoT devices. Of these, 88% say the reason is that there is no centralized control over these devices and applications. Less than 20% say their organizations can identify a majority of IoT devices in the workplace.

The Danger of Third-Party Risk

As the IoT grows, so does the risk of third-party devices. While businesses are being more diligent about monitoring IoT devices used internally, they often fail to recognize the risk of external devices.

More than 70% of respondents say their business considers third-party risk a serious threat to their valuable assets; 66% claim the importance of the IoT ecosystem significantly increases third-party risk. The number of vendors makes it difficult to manage the complexities of IoT platforms, according to 44%.

Most businesses rely on contract clauses and policies to mitigate third-party IoT risk. More than half (53%) use contractual agreements, and 46% say they have a policy to disable IoT devices that might pose a risk. Even so, less than half can monitor third-party compliance, and nearly 60% say it’s not possible to determine whether IoT and third-party safeguards are sufficient. Only 29% say their organizations actively monitor the risk of IoT devices used by third parties.

“There is a big disconnect,” says Miller. “We still see immaturity in the third-party risk management IoT space.”

Indeed, 77% of businesses believe that within the next two years they’ll get hit with a cyberattack caused by a third party’s unsecured IoT devices or applications. Three-quarters think they’ll experience a data breach. However, 35% don’t know if they can detect a third-party breach, and 26% are unsure if their business was affected by a cyberattack involving an IoT device.

Where Risk Management Falls Short

This isn’t to say businesses don’t have third-party risk management programs; on the contrary, 60% of them do. However, only 28% of these say their programs are highly effective, and most aren’t ready to address the risk of IoT devices.

Part of the problem is a gap between those who approve the use of IoT devices and those who manage the risk. Forty-three percent of respondents say the general manager/line-of-business VP approves IoT devices, but 35% say they manage the risk of those devices.

“Typically, it’s a federated model,” says Miller. “There is a third-party risk management group that oversees, reaches out to control groups, and coordinates responses and gets subject matter experts.” Only 49% of businesses have a third-party risk management committee.

Researchers found that the most important risk governance practice is getting leadership on board. Only 17% of businesses report their board of directors has a high engagement and understanding of security risks related to vendors and third parties. Less than 40% say C-level executives believe they are accountable for the effectiveness of the risk management process.

How should businesses shape their risk management programs? Miller advises upgrading inventory systems so you can recognize all devices being used internally and externally. He also suggests assigning someone to be responsible for IoT and communicating that responsibility across the organization.

“Reliance on contract security policies is good, but we need a mechanism to ensure monitoring those requirements is effective and taking place so outliers are identified and mitigated,” he says.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/iot/businesses-fear-catastrophic-consequences-of-unsecured-iot-/d/d-id/1331476?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple