Here’s an overview of some of last week’s most interesting news, podcasts, reviews and articles:

Researchers reveal WiFi-based mobile password discovery attack
A group of researchers has come up with WindTalker, a new attack method for discovering users’ passwords and PINs as they enter them into their smartphones.

New users flock to ProtonMail in wake of Trump’s victory
ProtonMail is a Swiss-based secure email service launched by a group of CERN and MIT scientists in 2013.

Ransoc browser locker/ransomware blackmails victims
An unusual combination of browser locker and ransomware, dubbed Ransoc by researchers, is targeting users who visit adult sites.

Review: iStorage diskAshur Pro SSD
The iStorage diskAshur Pro SSD is the hard drive for users with security on their mind.

Traveling on business? Beware of targeted spying on mobile
Corporate spying is a real threat in the world of cyber war. Employees traveling on behalf of their company could create opportunities for sophisticated adversaries to take sensitive corporate data. This is especially true if they are not careful with their mobile devices.

Low-cost PoisonTap tool can compromise locked computers
Dubbed PoisonTap, the tool consists of a Raspberry Pi Zero controller with a USB or Thunderbolt plug, loaded with open source software. All in all, this setup can be achieved by anyone who has $5 to spare.

Fraudsters accessed Three UK customer database with authorised credentials
Three UK, a telecom and ISP operating in the United Kingdom, has suffered a data breach.

8 million GitHub profiles scraped, data found leaking online
Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.

Encryption ransomware hits record levels
PhishMe’s Q3 2016 Malware Review identified three major trends that were previously recorded throughout 2016 but have come to full fruition in the last few months.

How hackers will exploit the Internet of Things in 2017
Here are three IoT threats likely to emerge in 2017 and what organizations can do to protect themselves.

Why Unidirectional Security Gateways can replace firewalls in industrial network environments
In this podcast recorded at IoT Solutions World Congress Barcelona 2016, Andrew Ginter, VP of Industrial Security at Waterfall Security, talks about Unidirectional Security Gateways. They can replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks.

Final warning: Popular browsers will soon stop accepting SHA-1 certificates
Starting with Chrome 56, planned to be released to the wider public at the end of January 2017, Google will remove support for SHA-1 certificates. Other browser makers plan to do the same.

Researchers identify domain-level service credential exploit
The exploit could allow cyber attackers to harvest encrypted service credentials from the registry and inject them into a new malicious service to achieve lateral movement and full domain compromise.

Dangerous Android threat points to Italian spyware maker
A piece of Android spyware recently analyzed by researchers with the RedNaga Security team seemed to be yet another Hacking Team spying tool but, according to more recent revelations, another Italian company is its likely source.

Compromised: 339 million AdultFriendFinder users
Friend Finder Networks, the company that operates sites like Adultfriendfinder.com (“World’s largest sex & swinger community”), and Cams.com (“Where adults meet models for sex chat live through webcams”) has been breached – again!

Weave a web of deception to secure data
How can organizations leverage deception-based network security to keep sensitive data safe? Here are three basic steps and what to look for.

Analyzing the latest wave of mega attacks
A new report, using data gathered from the Akamai Intelligent Platform, provides analysis of the current cloud security and threat landscape, including insight into two record‑setting DDoS attacks caused by the Mirai botnet.

Cloud adoption hits all-time high, Microsoft and Google dominate
Fifty-nine percent of organizations worldwide now use Office 365 or G Suite, up from 48 percent in 2015.

Critical Linux bug opens systems to compromise
Researchers from the Polytechnic University of Valencia have discovered a critical flaw that can allow attackers – both local and remote – to obtain root shell on affected Linux systems.

Facebook, Google ban fake news sources from their ad networks
Despite Mark Zuckerberg’s dismissive attitude regarding the claim that Facebook had an inappropriate impact on the US elections, the company has moved to bar sources of fake news from its Facebook Audience Network ads.

The new age of quantum computing
Quantum encryption is the holy grail of truly secure communications. If and when quantum computing becomes a widespread reality, many public-key algorithms will become obsolete.

Consumer and business perspectives on IoT, augmented reality risks
As every business becomes a digital business, the spread of technology such as augmented reality (AR) and Internet of Things (IoT) devices can add significant business value and personal convenience. Yet a new study from ISACA shows that consumers and IT professionals disagree on the risks and rewards.

Waterfall BlackBox: Restoring trust in network information
Waterfall Security Solutions announced the launch of the Waterfall BlackBox, developed to maintain the integrity of log repositories in the event of a cyber attack. Based on Waterfall’s patented unidirectional technology, the Waterfall BlackBox creates a physical barrier between networks and logged data, so that stored logs become inaccessible to attackers who are trying to cover their tracks.

Cyber risk in advanced manufacturing: How to be secure and resilient
Study results indicate nearly 40 percent of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38 percent of those impacted indicated cyber breaches resulted in damages in excess of $1 million.

New infosec products of the week: November 18, 2016
A rundown of infosec products released last week.


Help Net Security

Here’s an overview of some of last week’s most interesting news and articles:

Yahoo breach was not state-sponsored, researchers claim
The massive 2014 Yahoo breach isn’t the work of state-sponsored hackers as the company has claimed to believe, say researchers from identity protection and threat intelligence firm InfoArmor. Instead, the breach was effected by a group of professional blackhats believed to be from Eastern Europe.

The psychological reasons behind risky password practices
A Lab42 survey highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.

Mobile security stripped bare: Why we need to start again
There are three main threat vectors for mobile devices: targeting and intercepting the communications to and from devices; targeting the devices’ external interfaces (Cellular, WiFi, Bluetooth, USB, NFC, Web etc.) for the purpose of device penetration and planting malicious code; and targeting the data on the device and the resources/functions the device/underlying OS provides access to, such as microphone, camera, GPS, etc.

ICS-CERT releases new tools for securing industrial control systems
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies.

OS analysis tool osquery finally available for Windows
Nearly two years after Facebook open sourced osquery, the social networking giant has made available an osquery developer kit for Windows, allowing security teams to build customized solutions for Windows networks.

DefecTor: DNS-enhanced correlation attacks against Tor users
A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.

Incident response survival guide
Here are some steps that will allow organizations to minimize the damage when a security breach occurs.

D-Link DWR-932 router is chock-full of security holes
Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

Enhance iMessage security using Confide
One of the new features in iOS 10 offers the possibility of deploying specially crafted applications within iMessage. Most users will probably (ab)use this new functionality for sending tiresome animations and gestures, but some applications can actually provide added value for iMessage communication.

Why digital hoarding poses serious financial and security risks
82 percent of IT decision makers admit they are hoarders of data and digital files. These include: unencrypted personal records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence.

Clear and present danger: Combating the email threat landscape
As long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes.

Europol identifies eight main cybercrime trends
A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.

Microsoft equips Edge with hardware-based container
Windows Defender Application Guard is a lightweight virtual machine that prevents malicious activity coming from the web from reaching the operating system, apps, data, and the enterprise network.

Rise of the drones: Managing a new risk environment
More drones in the skies raise a number of new safety concerns, ranging from collisions and crashes to cyber-attacks and terrorism.

Swiss voters approve new surveillance law
The Swiss Federal Intelligence Service will now be able to bug private property, tap phone lines, and wiretap computers (under certain conditions).

IoT-based DDoS attacks on the rise
As attackers are now highly aware of insufficient IoT security, many pre-program their malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Poor security on many IoT devices makes them easy targets, and often victims may not even know they have been infected.

Public safety threat: Cyber attacks targeting smart city services
A new survey conducted by Dimensional Research assessed cyber security challenges associated with smart city technologies.


Help Net Security

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Repercussions of the massive Yahoo breach
Yahoo announced on Thursday that it has suffered a breach and that account information of at least half a billion users was exfiltrated from the company’s network in late 2014.

Review: Boxcryptor
Storing your data in the cloud comes with both positive and negative aspects. Boxcryptor is a solution that helps with this by encrypting your data on your device before it gets synchronized to the cloud storage provider of your choice.

(IN)SECURE Magazine issue 51 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

How ransomware is impacting companies in six major industries
BitSight analyzed the security ratings of nearly 20,000 companies to identify common forms of ransomware and to determine which industries (amongst Finance, Healthcare, Education, Energy/Utilities, Retail, and Government) are most likely to experience attacks.

Why DNS shouldn’t be used for data transport
Malicious DNS tunnelling is a big problem in cybersecurity.

Basic file deletion increases exposure to security risks
The use of improper data removal methods and the poor enforcement of data retention policies have created the perfect storm for confidential, oftentimes sensitive data to be lost or stolen.

US elections and the hacking of e-voting machines
As the day when US citizens cast a vote for their preferred presidential nominee quickly approaches, the issue of whether the actual voting process can be tampered with is a topic that interests many.

Malicious torrents management tool uncovered
Researchers have uncovered Raum, a tool that is used by Eastern European organized crime group “Black Team” to deliver malware to users through malicious torrents.

Xiaomi smartphones come equipped with backdoor
If you’re a computer science student with an interest in cybersecurity like Thijs Broenink, you can reverse-engineer pre-loaded apps and discover for yourself what they do.

Chinese researchers hijack Tesla cars from afar
Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

We have to start thinking about cybersecurity in space
With all the difficulties we’ve been having with securing computer systems on Earth, the cybersecurity of space-related technology is surely the last thing on security experts’ minds – but it shouldn’t be.

HDDCryptor ransomware uses open source tools to thoroughly own systems
HDDCryptor (aka Mamba) is a particularly destructive piece of ransomware that encrypts files in mounted drives and network shares, locks the computers’ hard disk, and overwrites their boot disk MBR.

Biometric skimmers: Future threats to ATMs
Kaspersky Lab experts investigated how cybercriminals could exploit new biometric ATM authentication technologies planned by banks.

US gets federal guidelines for safe deployment of self-driving cars
The public is welcome to comment on the new policy, and the Department of Transportation intends to update it annually.

880,000 users exposed in MoDaCo data breach
Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their accounts have been compromised.

UK: Financial fraud soars
More than 1 million incidents of financial fraud – payment card, remote banking and cheque fraud – occurred in the first six months of 2016, according to official figures released by Financial Fraud Action UK. To compare, in the first six months of 2015 there were a little over 660,000 cases.

Should you trust your security software?
Recently, Google’s Project Zero security research team uncovered a bunch of critical vulnerabilities in two dozen enterprise and consumer antivirus security products from Symantec and its Norton brand.

BENIGNCERTAIN-like flaw affects various Cisco networking devices
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products – and they found one.

Connected devices riddled with badly-coded APIs, poor encryption
Ignoring cybersecurity at the design level provides a wide open door for malicious threat actors to exploit smart home products.


Help Net Security

Here’s an overview of some of last week’s most interesting news and articles:

Five ways to respond to the ransomware threat
While organizations wrestle with the ever-pressing issue of whether to pay or not to pay if they’re victimized, Logicalis US suggests CXOs focus first on how to protect, thwart and recover from a potential attack.

MySQL 0-day could lead to total system compromise
Researcher Dawid Golunski has discovered multiple severe vulnerabilities affecting the popular open source database MySQL and its forks (e.g. MariaDB, Percona). One of these – CVE-2016-6662 – can be exploited by attackers to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service is restarted.

Organizations must modify the network access policy to address IoT devices
By 2020, 21 billion Internet of Things (IoT) devices will be in use worldwide. Of these, close to 6 percent will be in use for industrial IoT applications.

US 911 emergency system can be crippled by a mobile botnet
What would it take for attackers to significantly disrupt the 911 emergency system across the US? According to researchers from Ben-Gurion University of the Negev’s Cyber-Security Research Center, as little as 200,000 compromised mobile phones located throughout the country.

Microsoft ends Tuesday patches
In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install.

Artificial intelligence in cybersecurity: Snake oil or salvation?
Machine learning is the science of enabling computers to learn and take action without being explicitly programmed. What has this to do with information security? Currently, not that much. But this is set to change.

DDoS and web application attacks keep escalating
Akamai Technologies released its Second Quarter, 2016 State of the Internet / Security Report, which highlights the cloud security landscape, specifically trends with DDoS and web application attacks, as well as malicious traffic from bots.

DDoS downtime calculator based on real-world information
Are you wondering how you can assess the risks associated with a DDoS attack? Incapsula’s free DDoS Downtime Calculator offers case-specific information adjusted to the realities of your organization.

ICS-CERT warns of remotely exploitable power meter flaws
Two remotely exploitable vulnerabilities, one of which can lead to remote code execution, have been found in Schneider Electric’s ION Power Meter products and FENIKS PRO Elnet Energy Meters.

Improve SecOps by making collaboration easier
Ensuring smooth collaboration and sharing between SOC analysts, incident responders, and endpoint and network administrators has its challenges.

Bogus Pokémon GO guide app roots Android devices
The popularity of Pokémon GO is apparently on the wane, but there are still more than enough players to make it a good lure for cyber crooks. In fact, fake apps like the “Guide For Pokémon Go New” recently spotted on Google Play can end up being downloaded by as many as half a million users.

What proposed Rule 41 changes mean for your privacy
Last week, US Senator Ron Wyden took the floor of the Senate to explain why his (and his colleagues’) Stopping Mass Hacking Act should be voted in.

Android apps based on Adobe AIR SDK send out unencrypted data
Developers using the Adobe AIR SDK should update to the latest version of the software development kit and rebuild the apps as soon as possible if they don’t want their users’ traffic being exposed to attackers.

Hack a Nexus from afar, get $200,000
Google has issued a challenge to bug hunters around the world: find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address, and you’ll be handsomely rewarded.

Cyberattacks cost SMBs an average of $86,500
On average, a single cybersecurity incident now costs large businesses a total of $861,000. Meanwhile, SMBs pay an average of $86,500.

6.6 million ClixSense users exposed in wake of site, company hack
If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.

IoT Village uncovers 47 security vulnerabilities across 23 devices
New dangers in both home security and municipal power facilities were revealed as the results of the 2nd Annual IoT Village, held at DEF CON 24 in Las Vegas. More than 47 new vulnerabilities were discovered across 23 different devices from 21 brand name manufacturers.

Ransomware usage explodes, as app, browser and plug-in vulnerabilities increase
Bromium conducted research on cyber attacks and threats affecting enterprise security over the last six months. The good news is while the number of vulnerabilities is steadily increasing, not all exploitable vulnerabilities are actually exploited. The bad news is, criminals are working harder to get protected data.

Stingray use lacks transparency and meaningful oversight
Cell-site simulators – aka Stingrays, aka IMSI catchers – are widely used by US law enforcement, usually without the warrant that such surveillance should require.

PCI Council wants more robust security controls for payment devices
The PCI Council has updated its payment device standard to enable stronger protections for cardholder data, which includes the PIN and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or on a mobile device.

Consumers harassed by 30 million spam calls every day
Consumers are giving up twice as much sensitive data compared with the previous year.


Help Net Security

Protecting Patient Information

About the author

Paul Cerrato has more than 30 years of experience working in healthcare and has written extensively on patient care, electronic health records, protected health information (PHI) security, practice management, and clinical decision support. He has served as Editor of InformationWeek Healthcare, Executive Editor of Contemporary OB/GYN, and Senior Editor RN Journal.

Inside Protecting Patient Information

If you are a decision maker in a healthcare organization, and you are not convinced that you need to do more to protect patients’ data, just take a look at this list of breaches of unsecured protected health information that happened in the last seven years in the US.

Decision makers at all of those organizations likely thought that a data breach wouldn’t happen to them, but it did. Fines had to be paid, security measures implemented, protection services offered to affected patients – not to mention that the victims lost trust in the organization, and some opted to sue them. Think about legal fees. So why not get a head start and avoid the worst by implementing the best protection you can muster?

This book will help you get a good idea of what can go wrong, help you calculate the cost of security, do a risk analysis, choose the right solutions for reducing the risk of a data breach (policies, procedures, employee education, encryption, access control, cybersecurity insurance, mobile device security, medical device security, etc.), and clear up misconceptions you might have about HIPAA.

It will also explain why you need to have a data breach response plan in case one happens and who you need to call in to help.

It’s a relatively short book, and you won’t get everything you need from it, but it’s a good primer that condenses the main points of the regulations protecting patients’ data, and you will get some helpful tips. It’s a good way to get a sense of what you’ll be in for if you start the journey.

The author says that one of the aims of this book is to convince the reader about the importance of security and cost of insecurity, and I believe he has done a good job. I can imagine the IT staff using it as a way to get the higher-ups to think on the subject and do something about it.

It’s an easy read, and less-tech savvy readers should have no trouble understanding it.

Another thing to note is that this book is primarily aimed at US-based healthcare organizations and professionals. Professionals in other countries can learn about security policies, procedures and solutions, but will have to do their own research about the legislation put in place to protect health information in their own countries.


Help Net Security

Cyber Guerilla

About the authors

Jelle Van Haaster is an officer in the Royal Netherlands Army and has a background in legal, military, and technical defense matters.

Rickey Gevers is currently Chief Intelligence Officer at the security firm Redsocks. He has been responsible for numerous revelations regarding high-profile security incidents.

Martijn Sprengers is an IT security advisor and professional penetration tester who is specialised in conducting covert cyber operations.

Inside Cyber Guerilla

“Cyber guerilla is a conviction that smaller forces can rival larger forces in our networked society,” say the authors.

Cyber guerrilla attacks against bigger and better equipped opponents – States, (large) corporations, and other actors – are usually mounted by hacker groups that may or may not be part of a larger (non-cyber) organization. They are not interested in earning money, but in fighting against oppression (in any form) and (usually) Internet censorship.

This book is effectively a how-to manual that covers all the most important aspects of setting up an effective hacker group that means to engage in cyber guerrilla incursions:

  • The importance of choosing the right individuals to be part of it (whether it’s a matter of ideology or skill), and how to ultimately disband the group safely
  • Having a set goal, choosing a good leader, a good strategy and being well organized
  • Being stealthy and flexible and avoiding direct confrontation with those bigger opponents
  • Choosing the most effective tools, techniques and tactics to pull off operations
  • Having a good media strategy, and more.

The book is based on Che Guevara’s famous Guerrilla Warfare guidebook for guerrilla fighters around the world. It, and this book, contain three chapters and appendices. The chapters deal with the general principles of cyber guerrilla, the creation of the ideal hacker group, and the organization of operations. The appendices offer an analysis of past and existing hacker groups (Anonymous, LulzSec, etc.), their strengths and weaknesses, as well as opinions by the authors about the future of the subject addressed in each chapter.

The first two chapters will give cyber defenders a peek into the mind of this particular type of hacker, while the third one is a good source of attack scenarios that may prompt them to consider things they’ve never considered before.

The main audience, though, are individuals who are looking to engage in cyber guerrilla attacks – to fight against cyber Goliaths.

The authors occasionally repeat themselves too much, but that’s not a huge problem, as the book is an interesting and relatively short read. I just wish they used the original spelling of the word guerrilla.


Help Net Security

SAP’s Monthly Patches Dominated by Hot News and High Priority Flaws

To date, SAP has issued more than 3,660 Security Notes and Support Package Implementation Notes to address thousands of vulnerabilities in its business critical applications, a new report from ERPScan reveals.

Of the total of 3,663 Security Notes that SAP has issued through June 2016, 212 were rated Hot News and 2,383 were rated High Priority, meaning that only around 25% of the flaws were Medium (798) and Low (145) priority.

Cross-Site Scripting (20.47%), Missing authorization (20.45%) and Directory traversal (11.96%) were the most common types of flaws, accounting for 52% of all vulnerabilities, ERPScan’s report shows. Configuration issues (10.52%) and SQL injection (7.64%) round out the top five issue types, followed by Information disclosure (7.33%) and Cross-Site Request Forgery (6.57%).

The approximate number of monthly SAP Security Notes has dropped to only 22 in 2016, but it was at 61 in 2011. It dropped to 53 notes in 2012 and registered a significant decrease in 2013, when it was only 30 per month. However, the number of vulnerabilities resolved in SAP products is higher than that, because SAP now fixes multiple flaws with a single patch, ERPScan says.

Three years ago, the company used to issue a patch for each discovered vulnerability, but the newly adopted approach makes it easier to apply the security updates that arrive on the second Tuesday of each month. However, SAP doesn’t offer information on the number of vulnerabilities each patch resolves, and analysis and correlation with CVE is more difficult now, the report says.

What’s more, around 85% of vulnerabilities are usually closed internally, meaning that information about them and the patches themselves are released to customers and partners only. Furthermore, of the remaining 15% of vulnerabilities, which are discovered by external researchers, some are not assigned to CVE.

Over the past few years, SAP also extended the list of vulnerable platforms and it now includes modern cloud and mobile technologies such as HANA. Cloud and mobile technologies rendered SAP systems more exposed to the Internet, meaning that every vulnerability discovered in these services could affect thousands of multi-national companies (after all, 90% of the Fortune 2000 companies use SAP).

“For example, the latest reported issues in SAP Mobile affect more than a million mobile devices and SAP HANA vulnerabilities affect 6000+ companies that use SAP HANA,” ERPScan notes.

The report also says that almost every SAP module has vulnerabilities, with CRM being in the lead, followed by EP and SRM. However, it appears that researchers and hackers were more attracted by the vulnerabilities affecting SAP HANA and SAP Mobile apps when compared to the traditional modules.

There was also a growth in the number of vulnerabilities in industry-specific solutions, with over 160 vulnerabilities detected in SAP’s products designed for particular industries. The SAP industry-specific solutions for Banking, Retail, Advertising Management, Automotive, and Utilities are the most vulnerable products.

There are more than 36,000 SAP systems worldwide, yet most of them (69%) should not be available directly via the Internet. However, there are numerous unnecessarily exposed services that render systems vulnerable, and almost half of them “are implemented in countries where wide adoption of new technologies takes place (such as USA, India, and China),” the report claims.


SecurityWeek RSS Feed