
The cybersecurity skills shortage has been discussed in many different ways over the recent years, but a successful hiring event held by the Department of Homeland Security has some wondering if that event was a sign of optimism or an outlier.

The Department of Homeland Security (DHS) held a two-day hiring event "aimed at filling mission-critical positions to protect our Nation's cyberspace" in July. According to a new blog post, that event garnered "over 14,000 applicants and over 2,000 walk-ins" and culminated with more than 800 candidate interviews and "close to 150 tentative job offers."

Angela Bailey, chief human capital officer for the DHS, said in a blog post that the DHS "set out to dispel certain myths regarding cybersecurity hiring," including the ideas that there is a cybersecurity skills shortage and that organizations cannot hire people "on the spot."

"While not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event," Bailey wrote. "We demonstrated that by having our hiring managers, HR specialists, and personnel security specialists together, we were able to make about 150 job offers within two days. Close to 430 job offers have been made in total, with an original goal of filling around 350 positions."

Gunter Ollmann, CSO for Vectra Networks, said although the event "was pitched under the banner of cybersecurity it is not clear what types of jobs were actually being filled," and some positions sounded more "like IT roles with an impact on cybersecurity, rather than cybersecurity specific or even experienced infosec roles."

"Everyone with a newly minted computer science degree is being encouraged to get in to cybersecurity, as the lack of candidates is driving up salaries," Ollmann told SearchSecurity. "Government jobs have always been popular with recent graduates that managed to scrape through their education, but would unlikely appear on the radar as interns for larger commercial organizations or research-led businesses."

Chris Sullivan, CISO and CTO for Core Security, agreed that the DHS event may not be indicative of the state of the cybersecurity skills shortage.

"It looks like DHS executed well and had a successful event but we shouldn't interpret that as a sign that cyber-defender resource problems are over. In fact, every CISO that I speak to has not seen any easing in the availability or cost of experienced resources," Sullivan said. "In addition, the medium to long term solution requires both formal and on the job training -- college curriculum is coming but much of it remains immature. We need resources to train the trainers."

Derek Manky, global security strategist at Fortinet, warned about putting too much into just a few hundred positions compared to the potentially hundreds of thousands of cybersecurity jobs left unfilled.

"The DHS numbers are relatively small compared with the overall number of unfilled positions," Manky said. "Part of the solution is to build better technology that requires less human capital to be effective and can evolve to meet shifts in the threat landscape. Additionally, the market needs to better define what skills a cybersecurity professional should hold and use these definitions to focus on efforts that can engage and develop a new generation of cybersecurity talent."

Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said this event might be cause for optimism regarding the cybersecurity skills shortage.

"The experience that DHS shared is encouraging because it shows a groundswell of interest in cybersecurity careers. This interest and enthusiasm needs to continue across the public and private sector if we are to address the still significant gap in cybersecurity talent that is required in today's advanced threat world," Sadowski told SearchSecurity before hedging his bet. "The talent pool in an area such as DC, where many individuals have strong backgrounds in defense or intelligence, security clearances, and public sector agency experience contributes significantly towards building a pool of qualified cybersecurity candidates that may not be present in other parts of the country or the world."

Bailey attributed some of the success of the DHS event to proper planning and preparation.

"Before the event, we carefully evaluated the security clearance requirements for the open positions. We identified many positions that could be performed fully with a 'Secret' rather than a 'Top Secret' clearance to broaden our potential applicant pool," Bailey wrote. "We knew that all too often the security process is where we've lost excellent candidates. By beginning the paperwork at the hiring event, we eliminated one of the more daunting steps and helped the candidates become more invested in the process."

Bailey noted the most important advice in hiring was to not let bureaucracy get in the way.

"The most important lesson learned from our experience is the value of acting collaboratively, quickly, and decisively. My best advice is to just do it," Bailey wrote. "Don't spend your precious time deliberating over potential barriers or complications; stop asking Congress for yet another hiring authority or new personnel system, instead capitalize on the existing rules, regulations and hiring authorities available today."

Sadowski said rapid action is a cornerstone of an effective security program, but noted not all organizations may have that option.

"It's great that DHS has the luxury to act decisively in hiring, especially from what they saw as a large, qualified pool," Sadowski said. "However, many private sector organizations may not have this freedom, where qualified potential hires may require significant commitment, investment, and training so that they understand how security impacts that particular business, and how to best leverage the technology that is in place."



SearchSecurity: Security Wire Daily News

A Trojan targeting US healthcare organizations attempts to avoid detection by going to sleep for prolonged periods after initial infection, security researchers warn.

Symantec estimates that thousands of organizations have been hit by the Gatak Trojan since 2012. The malware is programmed to spread aggressively across an organization’s network once it gets a foothold.

The healthcare sector in particular has been disproportionately targeted – of the top 20 most affected organizations with the highest number of infected computers, 40 per cent were in the healthcare sector, Symantec reports.

Selling healthcare records is a growing trade on cybercrime forums. This could explain the attackers’ heavy focus on the healthcare sector.

Gatak reels in victims through websites promising product licensing keys for pirated enterprise software packages (backup, 3D scanning software, etc). These supposed software license key generators (keygens) actually come packed with malicious code.

The software nasty also spreads to a lesser extent using watering hole attacks (where the instigator infects websites that members of the group are known to visit).

The malware creates a backdoor on compromised machines before stealing information. Hackers are known for leveraging the malware to break into machines on associated networks, probably using weak passwords and poor security in file shares and network drives.

“In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan,” Symantec reports. “In the case of Shylock, these appear to be older versions of the threat and might even be 'false flag' infections.

“They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent,” it adds.

The malware downloads instructions from pre-programmed URLs. These instructions are hidden in image files using steganography, a technique for hiding data within image files.



The Register - Security


Tenable brings network visibility into Google Cloud Platform

Tenable Network Security has integrated Tenable SecurityCenter Continuous View with Google Cloud Platform, giving administrators better visibility into what is happening within their cloud infrastructure.

Cloud-based infrastructure eases IT’s administrative woes and lowers operating costs, but the benefits don’t count for much if there is any doubt about the security of key applications running in the cloud. While system administrators can easily spin up new services and hosts, security teams don’t always know what applications and services are running in their cloud and hybrid environments or understand the risks associated with each one.


With SecurityCenter CV, administrators can export logs from Google Cloud via the publish-and-subscribe service and be notified about host-level changes as they occur in the cloud environment. SecurityCenter CV gives administrators the information they need to identify potential danger spots and uncover indicators of compromise.

Attackers typically spend some time with reconnaissance after the initial breach and before they steal data or cause some kind of damage. Google Stackdriver handles cloud monitoring, logging, and diagnostics information on Google Cloud. Log data feeding into SecurityCenter CV from Google Cloud can alert defenders to potential reconnaissance activities, such as unexpected web application scans, new or existing hosts consuming too many resources, and unauthorized changes in the cloud environment.
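As an added illustration of the log-driven detection the paragraph describes (this is example code, not Tenable's or Google's), the Python below applies two simple rules to constructed, simplified Cloud Audit Logging and HTTP request entries of the kind a Pub/Sub export sink would deliver: host-level changes made by a principal outside an allowlist, and a burst of 4xx responses from a single client that looks like a web application scan. The allowlist, the threshold, the example project name and every log line are assumptions.

```python
import json
from collections import Counter, defaultdict


def _audit(ts, method, actor, resource):
    """Build one constructed Cloud Audit Log entry (simplified shape, not captured data)."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": method,
        "authenticationInfo": {"principalEmail": actor},
        "resourceName": resource}})


def _http(ts, ip, url, status):
    """Build one constructed HTTP load-balancer request log entry (simplified shape)."""
    return json.dumps({"timestamp": ts, "httpRequest": {
        "remoteIp": ip, "requestUrl": url, "status": status}})


# Constructed sample: one authorised instance creation, two changes by an
# unexpected principal, one normal web request and a run of 404s from one client.
SAMPLE_LOG_LINES = [
    _audit("2016-11-01T10:00:01Z", "v1.compute.instances.insert",
           "deploy-bot@example-project.iam.gserviceaccount.com",
           "projects/example-project/zones/us-central1-a/instances/web-7"),
    _audit("2016-11-01T10:02:15Z", "v1.compute.firewalls.patch",
           "contractor@example.com",
           "projects/example-project/global/firewalls/allow-ssh"),
    _audit("2016-11-01T10:03:40Z", "v1.compute.instances.delete",
           "contractor@example.com",
           "projects/example-project/zones/us-central1-a/instances/web-3"),
    _http("2016-11-01T10:05:00Z", "198.51.100.4", "https://shop.example.com/", 200),
] + [
    _http("2016-11-01T10:05:%02dZ" % i, "203.0.113.9", "https://shop.example.com" + path, 404)
    for i, path in enumerate(["/phpmyadmin/", "/wp-login.php", "/.env",
                              "/admin/", "/backup.zip", "/.git/config"])
]

# Assumed policy: only this service account may create/delete hosts or touch firewall rules.
CHANGE_ALLOWLIST = {"deploy-bot@example-project.iam.gserviceaccount.com"}
# Method-name fragments that count as host-level changes in the cloud environment.
HOST_CHANGE_METHODS = ("compute.instances.insert", "compute.instances.delete", "compute.firewalls.")
SCAN_THRESHOLD = 5  # 4xx responses from one client IP within the analysed batch


def parse_entries(lines):
    """Decode one JSON log entry per line."""
    return [json.loads(line) for line in lines]


def detect_unauthorized_changes(entries):
    """Flag host/firewall changes whose acting principal is not on the allowlist."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if not any(fragment in method for fragment in HOST_CHANGE_METHODS):
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if actor not in CHANGE_ALLOWLIST:
            findings.append({"type": "unauthorized_change", "actor": actor, "method": method,
                             "resource": payload.get("resourceName"), "time": entry.get("timestamp")})
    return findings


def detect_web_scans(entries, threshold=SCAN_THRESHOLD):
    """Flag clients producing many 4xx responses across distinct paths (scan-like behaviour)."""
    errors_by_ip = Counter()
    paths_by_ip = defaultdict(set)
    for entry in entries:
        req = entry.get("httpRequest")
        if not req or not 400 <= int(req.get("status", 0)) < 500:
            continue
        ip = req.get("remoteIp", "<unknown>")
        errors_by_ip[ip] += 1
        paths_by_ip[ip].add(req.get("requestUrl", ""))
    return [{"type": "web_scan", "source_ip": ip, "errors": n, "distinct_paths": len(paths_by_ip[ip])}
            for ip, n in errors_by_ip.items() if n >= threshold]


def analyze(lines):
    """Run both rules over a batch of exported log lines and return the findings."""
    entries = parse_entries(lines)
    return detect_unauthorized_changes(entries) + detect_web_scans(entries)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG_LINES):
        print(finding)
```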

"Organizations need a comprehensive security program that delivers complete visibility and the assurance to know their data will be safe and secure, whether using an all-cloud approach, a hybrid or multicloud environment," said Matt Alderman, vice president of strategy at Tenable Network Security.

Google has been wooing enterprise customers to its Google Cloud Platform, which is lagging behind Amazon Web Services and Microsoft Azure. The company has been investing heavily in its cloud platform and building out its infrastructure, but it is still in catch-up mode with its more established competitors.

Google’s senior vice president of enterprise business, Diane Greene, has claimed that Google Cloud Platform has the edge in areas like machine learning, open source software, and security. Part of that comes from Google, with the company’s security engineers continuously working to secure and improve the platform. The other part comes from partnerships like this one with Tenable to provide administrators with security tools they can use to monitor their own systems.

Moving key applications to the cloud introduces new types of risk to the organization, and Google Cloud Platform’s growth will depend on giving administrators the tools to gain the visibility they need across their infrastructure.

First things first, we do not recommend that you screw around with crooks.

That includes fake support calls, 419 scammers and fake tech support outfits.

If you’re talking to them on the phone, they know your phone number. If somebody in the scam outfit got your number via a data breach, the caller might even know where you live.

All you really know for sure is that they’re crooks.

Our advice is to just hang up, lest you be on the receiving end of threats to, say, chop you up and feed you to the fishes.

Having said that, there’s a set of people who most certainly don’t hang up.

Damn the potential risk, full speed ahead. They do things like draw out the conversations to waste the crooks’ time. One guy even cooked up an autobot to do the work for him: he’d forward calls to it, thereby automatically (and hilariously) wasting the fraudsters’ time.

There’s a new one to add to that turn-the-tables genre. His name is Ivan Kwiatkowski, and his modus operandi was to infect the caller with Locky ransomware.

As Kwiatkowski tells it, earlier in the month, his parents somehow managed to land on a page (now defunct, but here’s a screenshot) telling them that their brand-new system – it had been in use for only 30 minutes! – had somehow been infected with the notorious Zeus malware.

As tech support scams go, this one was replete, blinking and flashing like the Strip in Las Vegas on a Friday night:

This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows’ BSoD days, and yet somehow it displayed a random IP address instead of the visitor’s one.

Kwiatkowski decided to mess with the crooks. So he fired up an old Windows XP virtual machine (VM), got in touch with “tech support,” got past a prerecorded message, and eventually reached a human who identified herself as “Patricia.”

The typical tech support scam ensued:

She guides me through the steps needed to download some kind of remote-assistance client: Windows+R, type in iexplore remote.join360.net, jump through a few more hoops and run whatever executable is offered to you. From what I gather, this is actually a legitimate tech-support program, it being digitally signed and all.

In these scams, the caller won’t take no for an answer until you give them remote access to your computer and let them “fix” the “threat” – for a fee, of course.

You also need to buy their super duper antivirus software, of course, and open up whatever executable files they want you to click on.

It used to be that these fake tech support callers would call us, but nowadays, as more and more people refuse to take calls from unknown numbers, the crooks have been adapting.

Instead of them calling you, it’s increasingly common that they’ll use a web ad or popup that simply runs the scam in reverse: like what happened to Kwiatkowski’s parents, the crook will display a warning and advise you to call them, typically on a toll-free number.

Toll-free! Hey, they’re paying for the call, so they’ve got skin in the game, right? Well, that’s what they’re hoping you’ll figure, at any rate.

So “Patricia” got access to Kwiatkowski’s VM, typed in commands that returned results that she knew would frighten the naïve and supposedly give her tech cred – “1452 virus found!” or “ip hacked!” – and yet, in spite of her purported tech sophistication, missed the fact that the VM had a few interesting icons kicking around: OllyDbg, a 32-bit assembler level analyzing debugger for Windows, as well as IDA: a hosted multi-processor disassembler and debugger.

Oops! Your 15 minutes of free support are over, Mr. Kwiatkowski. She’ll call back so you don’t have to pay for more of this benevolence.

And that’s just what she did: she called back, berated him for not running antivirus software (which he told her he wasn’t), and encouraged him to buy ANTI SPY or ANTI TROJAN, “for the measly sum of $189.90.”

As a matter of fact, there’s somebody connected to your system right now! she says.

The conversation that ensues:

Isn’t that you? I ask. This says it’s someone from Delhi.
An awkward pause follows. She tells me that she’s actually the “localhost” line, because localhost means secure connexion. I fight back:
— Are you sure? I thought localhost meant the local machine.
She mumbles a little then proceeds to read me that whole section of her script again, asserting once again that this other IP belongs to [someone] who lives in Delhi like her but is a totally different person – a malicious hacker.

Back to the software sale, Patricia booted her uncooperative “client” up to her boss. Kwiatkowski sent the guy test credit card numbers that were sure to fail payment processing.

Eventually, claiming bad eyesight, Kwiatkowski sent a “photo of his credit card” and told the caller to try inputting the number himself.

That was no photo of a credit card.

He’d gone into his junk email folder and found samples of the latest Locky campaign: .zip files with a script that downloads ransomware.

Kwiatkowski had already noted that the remote-assistance client was a two-way street: he could use it to upload to the scammer’s PC as well as to download.

He grabbed a piece of malware at random and uploaded it, telling the caller that…

Look, Dileep, I’m old and my sight is not so good. It’s starting to hurt, having to squint to read those tiny numbers. Also, we’ve established I’m no good with computers, how about you give me a hand here?

That was followed by silence, after which the caller said that he had tried to open it, but nothing happened.

The scammer was wrong, of course: there was indeed something happening.

In the background, a process was running to encrypt the files on the tech support scammer’s system. The only way to get them back: to buy the decryption key from the crooks via the dark web.

As of February, we were seeing prices to decrypt Locky-ransomed files that varied from 0.5 to 1.00 bitcoin, with one bitcoin being worth about $400/£280.

Kwiatkowski says he’s contacted the scammer’s ISP to report abuse, as well as their webhost and authorities.

He’s considering this a solid win in the war against tech support scammers and is recommending that others do the same, even listing a phone number to call.

But I’m not so sure. It’s a great story, but we don’t tend to give hip-hip-hurrays to people who inflict ransomware.

Do two wrongs make a right?

Let us know your thoughts in the comments section below.

In the meantime, if you’re wondering…

What to do?

  • If you receive a cold call about accepting support – just hang up.
  • If you receive a web popup or ad urging you to call for support – ignore it.
  • If you need help with your computer – ask someone whom you know, and like, and trust.

In this case, when we say “someone you know,” we mean “someone you’ve actually met in person,” as opposed to just online.

You know that old truism that on the internet, nobody can tell you’re a dog? Just take out “dog” and substitute “Donald Trump himself,” “Justin Bieber,” or “legitimate tech support,” and that equation’s still solid.

In the case of PC technical support, especially to do with malware or any sort of cyberattack, don’t look for help online. In fact, if you use Bing, you can’t look online: in May, they threw out the whole lot of tech support offers, instituting a blanket ban on all online tech support ads.

Were there any babies in that bath water? Sure, probably. There might well have been legitimate tech support outfits that got banned from the search engine.

But how can you find them? Scammers have ruined it for everyone, turning that bath water into a toxic swamp.

DEALING WITH FAKE SUPPORT CALLS

Here’s a short podcast you can recommend to friends and family. We make it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.

(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)


Information Security Podcasts

In this podcast recorded at Black Hat USA 2016, Chris Carlson, VP of Product Management, Cloud Agent Platform at Qualys, talks about a new trend in bringing security into IT and application infrastructures, as well as working with the DevOps team for increased security.

A lot of security is built on security in-depth, layers of security, bringing the end prevention capabilities. Since the threat landscape, techniques and adversaries are changing quickly, sometimes prevention doesn’t work and you need to be able to restore your capabilities. The question is: how can we build the concept of protection into the IT and application infrastructure?

Qualys Cloud Agent extends your security throughout your global enterprise. These lightweight agents (3MB) are remotely deployable, centrally managed, self-updating and consume very little CPU resource (5% at peak to less than 2% in normal operation). They collect the data and automatically beam it up to the Qualys Cloud Platform, which has the computing power to continuously analyze and correlate the information in order to help you identify threats and eliminate vulnerabilities.

Additionally, using the Qualys asset tagging solution, assets with deployed agents can automatically or manually provide attribute updates to the Qualys Cloud Platform such as the asset group, business owner, technical owner and criticality of the device.


Qualys provides continuous Vulnerability Assessment services for Microsoft Azure virtual assets from within Azure Security Center’s unified security management and monitoring service. This integration allows Qualys customers to easily and automatically scan their Microsoft Azure environments, and incorporate those findings into their overall single view of security and compliance posture.



Help Net Security


Limor Kessem

Executive Security Advisor, IBM


IBM X-Force Research observed that a relatively new Zeus Trojan variant known as Panda, or Panda Banker, that started targeting banks in Europe and North America early this year has now spread to Brazil. According to IBM X-Force Research, Panda now targets 10 local bank brands and multiple payment platforms right as Brazil prepares to host a global sporting event.

Commercialized Malice

As its name suggests, Zeus Panda is yet another Zeus v2 Trojan iteration built upon the same source code leaked in 2011 — one that evidently keeps enabling the delivery of more commercial banking Trojans into the world.

IBM X-Force Research believes that Zeus Panda is being peddled via Dark Web underground boards by the developer who put it together. It is sold in cybercrime-as-a-service packages to other cybercriminals.

Panda Arrives in Brazil

IBM X-Force Research has been detecting Zeus Panda variants since Q1 2016. At first, botnets spreading and attacking users with this malware primarily targeted banks in Europe and North America, focusing on the U.K., Germany, the Netherlands, Poland, Canada, the U.S. and others. While Panda configurations focus on targeting personal online banking services, they are rather diverse. Other targets include online payments, prepaid cards, airline loyalty programs and online betting accounts, to name a few.

Panda is clearly one hungry bear. The malware continues to spread to new geographies and is now targeting users in Brazil. First appearing in Brazil in July 2016, the related Panda variant likely has links to a locally operated, professional cybercrime faction. The variants fetched a new Brazil-focused configuration, which was set up to steal credentials from users of 10 major bank brands in the country, as well as those of bitcoin exchange platforms, payment card services and online payments providers, among others, per X-Force findings.

Panda’s Big Appetite for Local Grub

Zeus Panda’s Brazilian configuration file has a notable local hue. Aside from including the URLs of major banks in the country, Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce. Other targets include customer logins to a company that offers ATM management services and secure physical access technology for banks.

Who is behind this new botnet? Attribution remains elusive. However, from the attack flows analyzed by X-Force Research, it is evident that Brazil’s Panda gang is very well-versed in the operation of banking Trojans of this grade. In comparison to other Zeus Panda botnets, and most banking Trojan configurations in general, this Brazilian iteration suggests the involvement of a professional cybercrime group that is at least partly located in Brazil. A hint pointing to Panda’s operators’ possible origins is the URL of a Russia-based online service that helps users with instant money transfers, payments, top-up and output via online payments platforms, payments through mobile operators and more.


Teaching a New Panda Old Tricks

Is there anything special about Zeus Panda at this time? The malware is based on existing code and performs the same online fraud methods that X-Force researchers see with other banking Trojans. Panda grabs login credentials on the fly, is capable of injecting malicious code into ongoing web sessions to trick users with social engineering, and its operators are versed in the use of automated transaction panels (ATS).

According to attack attempts detected by IBM Security antifraud solutions, Panda’s operators’ favored fraud methodology is account takeover, in which victim credentials are stolen and then used to initiate a transaction from another device. The victim is held online by deceptive pop-up windows that require one-time passwords and allow the attacker to complete a fraudulent transaction in real time.

Zeus Panda’s top infection vector is poisoned Word documents with macros that activate the malware deployment on victims’ machines. It has been seen to spread via popular exploit kits, such as Angler and Neutrino. It also targets company email addresses with personalized messages designed to lure victims on a more selective basis than indiscriminate spam.

Under the hood, this Trojan does feature a few modifications, mostly relevant to its encryption and communications schemes, which were recently reported in detail.

Zeus All Over

From a global perspective, Zeus variations remain one of the most dominant malware problems to affect the financial sector. Looking back at the past five years, Zeus-based banking Trojans maintained one of the top ranks on the global malware chart based on the attack volumes they facilitate.

Figure 1 lists the top financial malware in the world for the first half of 2016. Ranking third is the Zeus variations line, which accounts for 15 percent of attacks worldwide and includes Zeus VM, Citadel and Panda variants, as well as generic Zeus v2 deployments operated by small cybercrime factions in different parts of the world.


Figure 1: Top Financial Malware per Attack Volume (Source: IBM Trusteer)

What’s Next for Panda?

Panda’s move to Brazil is a very interesting occurrence in the country. Brazil’s cybercrime landscape is dominated by relatively simplistic codes designed for specific fraud scenarios, such as Boleto fraud, remote access fraud and malware used for phishing.

Zeus Panda may not be the first ever modular banking Trojan to operate in Brazil, but it is definitely a major step up from the malicious Delphi-based malcode that’s so typical in the country. This migration of a new and commercial Zeus variant into Brazil also underscores the growing collaboration between Brazil-based cybercriminals and cybercrime vendors from other countries and underground communities — a trend that has been picking up speed in Brazil since the beginning of this year.

Judging by recent emerging campaigns observed by X-Force Research, Zeus Panda appears to be an active and evolving project that is being commercialized to cybercriminals through Dark Web forums. As such, we expect to see more variations of this malware and new botnets appearing in the coming months, likely targeting different countries beyond those appearing in current configurations.

In the last few years, malware developers have been disinclined to sell banking Trojans in the underground for fear of being discovered by law enforcement. Panda’s vendor may or may not continue to sell the malware at the risk of encountering the same fate that befell other malware authors in the recent past.

Mitigating Zeus Panda Attacks

IBM Security has studied the Zeus Panda banking malware and its various attack schemes and can help banks and targeted organizations learn more about this high-risk threat. To help stop threats like Panda Banker, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities, designed to address the relentless evolution of the threat landscape.

Users looking to prevent malware infections on their endpoints must keep their operating system up to date at all times, update frequently used programs and delete those they no longer use. Browsing hygiene for the prevention of Trojan infection includes disabling ads and avoiding the kinds of sites typically used as infection hubs, such as adult content, torrent and free gaming sites, to name a few. Also, since Panda Banker and similar banking malware is usually delivered as an email attachment, never click on links or attachments in unsolicited email.

Sample MD5

Sample MD5 hashes for the Panda Trojan are:

  • 9dd9705409df3739183fb16583686dd; and
  • 541a13676ca56ca69459326de5701e9c.

AV aliases include Gen:Variant.Graftor.296387, according to VirusTotal.

IBM X-Force Research will be updating information and IOCs on Panda Banker via the X-Force Exchange platform. Join XFE today to keep up to date regarding this threat and other findings from our cybercrime labs.




Security Intelligence