Infosec Island Latest Articles https://w.infosecisland.com Adrift in Threats? Come Ashore! en hourly 1 Unpatched Type Confusion Flaw Impacts Microsoft Browsers https://www.infosecisland.com/blogview/24980-Unpatched-Type-Confusion-Flaw-Impacts-Microsoft-Browsers.html https://www.infosecisland.com/blogview/24980-Unpatched-Type-Confusion-Flaw-Impacts-Microsoft-Browsers.html Mon, 25 Sep 2017 14:29:59 -0500 A type confusion bug in Microsoft Edge and Internet Explorer remains unpatched as Microsoft doesn’t consider it a security vulnerability, Cybellum reveals.

The issue was reported to Microsoft on August 21, 2017. The researchers say that while Microsoft has confirmed the vulnerability, it decided against releasing a patch for it, because of the special conditions required to reproduce it. Specifically, it requires developer tools to be opened.

Affecting the latest versions of x86 Edge and x86/x64 Internet Explorer, the vulnerability occurs in the layout rendering engine (EdgeHTML & MSHTML), and the security researchers claim that, with some additional work, it would be possible to reproduce the crash without the developer tools.

“The type confusion occurs in the function window.requestAnimationFrame, which expects to receive a single function pointer parameter. The vulnerability occurs because the function doesn’t properly validate the parameter, and may be called with a value that is not a function pointer (an integer value),” the researchers say.

Being treated as a pointer, the supplied integer goes through a series of dereferences and a compare function and, if all the requisites are satisfied, the function performs one more dereference and returns that value to the caller. The function pointer is checked against CFG protection and, if the test succeeds, the function pointer is called, thus providing the attacker with full control over EIP, Cybellum says.

The researchers argue that the only prerequisite required for the vulnerability to be triggered is to make the function AreAnyListenersFastCheck@CDebugCallbackNotificationHandlers return “true”, mainly because the actual vulnerability happens in the function BeforeInvokeCallbackDebugHelper@CAnimationFrameManager.

According to them, the easiest way to trigger the vulnerability is to open the developer tools, but that exploitation doesn’t have the same requirement. Moreover, the researchers claim that the bug was discovered with developer tools turned off, and that viewing the page source can also trigger it.

To exploit the bug, an attacker would need to successfully control a series of dereferences, successfully bypass\satisfy the CFG protection check, gain full control over EIP, and continue with standard exploitation until code execution has been achieved.

“Practical exploitation of this vulnerability isn’t trivial, and might require combining it with another vulnerability (e.g. an info leak). That said, this is a great starting point for a multi-browser (Edge\\IE) remote code execution exploit,” the researchers say.

The security researchers note that they reported the bug to Microsoft on August 21, but that the tech giant informed them on August 30 that, “because of the hard requirement to open developer tools in order to manifest the issue, this submission doesn’t meet the bar for servicing via security update, and will not be assigned a CVE.”

However, the company suggested that typical user behavior won’t involve opening the developer console while browsing. “While we understand that users can be tricked into opening this, we don’t believe that this will be a common scenario for a typical user,” Microsoft reportedly said.

Nonetheless, the tech company agrees that opening the Developer Console alters the application and puts it in a less secure state and that the issue needs to be addressed. Moreover, Microsoft also told Cybellum that a future version of Internet Explorer will resolve the issue.

RelatedUnpatched Vulnerabilities Impact Popular Browser Extension Systems

RelatedGoogle Discloses Unpatched Flaw in Edge, Internet Explorer

Copyright 2010 Respective Author at Infosec Island]]>
Deceptioneering: Exploring How Humans Are Wired for Deception https://www.infosecisland.com/blogview/24977-Deceptioneering-Exploring-How-Humans-Are-Wired-for-Deception.html https://www.infosecisland.com/blogview/24977-Deceptioneering-Exploring-How-Humans-Are-Wired-for-Deception.html Sat, 23 Sep 2017 09:11:00 -0500 No matter how much security technology we purchase, we still face a fundamental security problem: people. This is a realization that we’ve been grappling with as an industry for quite a while. As a security practitioner and during my time as a research analyst and industry adviser at Gartner, I spent countless hours evaluating security technologies and helping organizations decide which technologies and products would best enable them to secure data. But one malicious or negligent human can often intentionally or unintentionally nullify the effectiveness of technology based controls. The truth is that humans are both our biggest threat and they serve as our last line of defense.

To make humans an effective last line of defense, we need to first grapple with two disturbing truths: 1) All humans are master deceivers; and, 2) we are all easily deceived.

Let me explain… Each of us are trained in the ways of deception beginning early in our childhood. Early-on we were taught that lies make life easier and social situations more comfortable. Do you remember going to family reunions and being told to just act like you enjoy being there? Shake crazy uncle Bob’s hand even though he freaked you out? Eat your peas without complaining? And as we get older, we refine the talent even more – from learning how to expertly navigate questions like, “do these jeans make my butt look fat?” to when your significant other asks if you like their new hair style, to when your boss asks for your ‘honest opinion’ about his/her new strategy.

And those are just lies from the ‘little white lie’ category; we haven’t even started to get into the whoppers that we and others tell to hide things, get away with things, trick people, cheat, mislead, and outright steal from each other. And yet, we all know people who have believed both benign and malicious lies. And – if we are truthful with ourselves – we’ll even admit that each one of us has been deceived badly more than a few times over the course of our lives.

If I were to give the main reason that we fall for scams, social engineering and the like, it is because our brains our easily fooled. Our brain’s job is to filter and present reality. Each of our brains take-in a massive amount of input and then decide what is important, what the implications are of the input, and what (if any) response is needed. And our brains do that very efficiently by employing several shortcuts. Over the millennia, magicians, pickpockets, con-artists, scammers, and others have learned how to hijack these mental shortcuts and use them to their advantage.

In my keynotes, I love using examples from magic, pickpocketing, and hypnosis to quickly and easily demonstrate how our brains can be manipulated. In this article, we don’t have the benefit of many of the visual aspects of what I’d usually demonstrate, however I’ll do my best to provide some of the high-level theory and principles.

Principle 1: Misdirection and attention

Our brains are programmed to constantly scan and determine what to ‘lock on’ to. This is referred to by brain scientists as our “spotlight of attention." Magicians and pickpockets are masters at exploiting vulnerabilities in our attentional spotlight. They will draw your attention to one object or area while doing the ‘dirty work’ at the periphery or completely outside of the attentional spotlight. They frequently use a large visible action to cover for a smaller action.

We think that we are masters of our attention, but it is extremely easy for our attention to be hijacked. Unfortunately, it isn’t just illusionists that know and take advantage of this; criminals and scam artists do as well. The world is still recovering from NotPetya. This malware was originally widely believed to be what it appeared to be – ransomware. However, it was even more malicious. It was a wiper disguised as ransomware and very likely initiated as a state sponsored cyberattack.

Another example of misdirection in the cybersecurity world is when attackers launch a DDoS attack against a financial services company to cause diversions from the account takeover attacks. The end user and the bank see the extremely visible effects of the DDoS attack, and the account takeover and fraud activities are obfuscated for a time.

Principle 2: Influence and rapport

Another principle that comes into play when hijacking our brains is that of influence and rapport. Hypnotists, magicians, pickpockets, as well as criminals and con-artists are all masters at pulling the levers of influence and building rapport. Street and stage magicians, hypnotists, and pickpockets work to ensure that their participants quickly form a level of trust. This allows them to gain complicity as the performer shows them where to stand, what to do, and so on.

Robert Cialdini, Regents' Professor Emeritus of Psychology and Marketing at Arizona State University, wrote Influence: The Psychology of Persuasion, what is most often referred to as the definitive book on how influence works. Cialdini's theory of influence is based on six key principles: reciprocity, commitment and consistency, social proof, authority, liking, scarcity. He also recently added a seventh principle: the unity principle. The principle is about shared identities; what Seth Godin would refer to as Tribes. The more we identify ourselves with others, the more we are influenced by them.

Rather than describing each of the influence factors here, I encourage you to review Chaldini’s work, or one of the many derivative works based on his research. Needless to say, however, scam artists and phishers around the world leverage many of these tactics as they bait their hooks! The influence tactics are also additive; meaning that a savvy phisher will employ multiple influence tactics within a single message to make the lure attractive. For instance, if a phisher creates a message using scarcity/urgency, authority, social proof, and reciprocity all in one phishing email, they bring more fire power to their message than a simple message that uses none or only one of the tactics.

Principle 3:  Framing and context

Framing is of critical importance for performers, politicians, and marketers… as well as social engineers and con-artists. The concept of framing is derived from the social sciences. And it is basically the context, world view, or lens that a person views reality (or a specific situation) through. Framing can also be a social engineer or attacker’s way to hide in plain sight (costuming, persona development, and playing to the situation).

An example of framing that I use in presentations is where a specific effect can be presented in multiple ways depending on the frame that I’m trying to play to. For instance, if I have a sealed envelope that contains a written record of a participant’s upcoming choice, I can reveal that as either a prediction (if I want to play the part of a psychic) or as an example of how I can influence the participant to think or choose something (playing the part of a mentalist or Svengali-like hypnotist).

Simply stated – a frame gives us the context to interpret or understand the information we are presented or the situation in which we find ourselves. In fact, there are political, religious, and marketing organizations all dedicated to understanding the frames that people have and how to work within or to expand those frames so that people are open to new or different/challenging ideas. Frames are an extremely powerful force – and they are not always fact-based. When frames and facts collide, the facts are pushed aside and the frame is embraced tightly. FrameWorks President Susan Bales is known to often say, “When the facts don’t fit the frame, the facts get rejected, not the frame.” (PDF)

Since everything operates within a frame, scammers, phishers, con-artists, and other unsavory types learn how to play to the frame. They will impersonate respected authority figures – such as in Business Email Compromise attacks. Framing also takes place in the way that language is used, the choice of medium for an attack, and more. For a great breakdown of framing in the context of social engineering, I encourage you to read the ‘Framing’ entry in the ‘Influencing Others’ section of The Social Engineering Framework at Social-Engineer.org.

Conclusion

Understanding how our brains can be used against us is a critical first step in learning how to combat the attacks of savvy attackers. The immediate take-away is that we need to give ourselves permission to slow down and think before acting. Doing so takes us out of situations where we are just acting in a reflexive/automatic manner and allows us to process things a bit more logically. Then we can mentally rewind the actions and potential motivations behind what people are saying, the emails that we are receiving, and situations that we are in to see if someone might have just tried to hijack our brain.

About the author: Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4. Previously, Perry led security awareness, security culture management, and anti-phishing behavior management research at Gartner Research, in addition to covering areas of IAM strategy, CISO program management mentoring, and technology service provider success strategies.

Copyright 2010 Respective Author at Infosec Island]]>
Phishing Campaign Abuses Compromised LinkedIn Accounts https://www.infosecisland.com/blogview/24976-Phishing-Campaign-Abuses-Compromised-LinkedIn-Accounts.html https://www.infosecisland.com/blogview/24976-Phishing-Campaign-Abuses-Compromised-LinkedIn-Accounts.html Tue, 19 Sep 2017 10:18:52 -0500 A recently observed phishing campaign was abusing compromised LinkedIn accounts to distribute phishing links via private messages and email, Malwarebytes warns.

The attack abuses existing LinkedIn accounts to distribute the phishing links to their contacts, but also to leverage the InMail feature to target external members. The campaign abuses long standing and trusted accounts, including Premium membership accounts that can use the InMail feature to contact other LinkedIn users.

The fraudulent message claims to link to a shared document but instead redirects to a phishing site for Gmail and other email providers. To ensure that victims don’t immediately realize they’ve been scammed, a decoy document on wealth management from Wells Fargo is displayed after the user is asked to input their username, password, and phone number.

The phishing message Malwarebytes has encountered came from a trusted, compromised contact and contained a link to a so called shared Google Doc. The Ow.ly URL shortener is used to hide the true URL used in the scheme, a method employed many times in previous phishing campaigns. Free hosting provider gdk.mx was also abused to redirect to a phishing page hosted on a hacked website.

The analyzed page was built as a Gmail phish, but also asks for Yahoo or AOL user names and passwords. It also asks users to input their phone number or a secondary email address before displaying the decoy Wells Fargo document to them.

Messages sent via InMail, which allow premium LinkedIn members to contact users who aren’t in their network, include a security footer message with the user’s name and professional headline, so that other members can distinguish authentic LinkedIn emails from phishing email messages. However, the platform also warns users that they can’t trust the content of these messages, even if they are sent via LinkedIn.

Malwarebytes also points out that the use of InMail, which requires a Premium account, comes at a hefty monthly cost. While spammers were seen upgrading free accounts only to send spam messages, the method couldn’t be used in large scale attacks, due to limited InMail credits.

“This limitation does not apply here though since the crooks are not creating (and paying for) their own accounts, but rather leveraging existing ones. Therefore, they have little to worry about burning free credits and tarnishing their victim’s reputation so long as it allows them to deliver their payload far and wide,” the security researchers note.

According to Malwarebytes, the number of compromised accounts isn’t known and is also unclear how the impacted LinkedIn accounts were compromised. Attackers might have abused the large scale LinkedIn breach that was disclosed last year, but could have also gained access to the compromised account by using data from other major data breaches.

“It’s also unclear whether the shortened URLs are unique per hacked account or not, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and based on Hootsuite‘s stats, we know 256 people clicked on the phishing link,” Malwarebytes says.

LinkedIn members who have been compromised should immediately review their account’s settings, change their password and enable two-step verification to prevent further compromise. They are also advised to warn their contacts of the compromise, as previous messages could be part of similar phishing attempts.

Related: 4.2 Billion Records Exposed in Data Breaches in 2016: Report

Related: Scrub 6.5 Million - It Was 117 Million Passwords Stolen From LinkedIn in 2012

Copyright 2010 Respective Author at Infosec Island]]>
BankBot Spreads via Utility Apps in Google Play https://www.infosecisland.com/blogview/24975-BankBot-Spreads-via-Utility-Apps-in-Google-Play.html https://www.infosecisland.com/blogview/24975-BankBot-Spreads-via-Utility-Apps-in-Google-Play.html Mon, 18 Sep 2017 14:55:34 -0500 Several utility applications distributed through Google Play have been infected with the BankBot Android banking Trojan, TrendMicro reports.

Initially spotted in the beginning of 2017, when its source code leaked online, BankBot has been highly active throughout the year. Between April and July, the malware managed to slip into Google Play via infected entertainment applications or posing as banking software, and has recently switched to utility apps, it seems.

Designed to steal users’ online banking credentials via phishing pages, the malware can request admin privileges on the infected devices to perform its nefarious routine. In addition to stealing login credentials, it can also intercept and send SMS messages, retrieve contacts list, track the device, and make calls.

According to TrendMicro, the malware managed to infect four utility apps in Google Play, and might have impacted thousands of users. One BankBot application, the security researchers reveal, has been downloaded over 5000 times.

The same as previous variants, the new Trojan iteration targets legitimate banking applications. However, the security researchers noticed that, while it still targets banks in 27 countries, the variant has added phishing pages for ten more United Arab Emirates (UAE) banking apps.

On the infected device, BankBot checks the installed software and, if it finds a targeted banking app, it connects to the command and control (C&C) server and upload the target’s package name and label. The server responds with a URL download the library containing the files necessary for the overlay page displayed on top of banking apps.

The overlays have been designed so that the users believe they have accessed the legitimate pages. Thus, they input their login credentials without realizing the page is fake.

BankBot also packs a series of evasion techniques, and won’t work unless it runs on a real device and if the targeted banking app is installed. It also avoids devices located in the Commonwealth of Independent States (CIS) countries.

When it comes to UAE banking apps, the malware also performs an additional step, prompting users to enter their phone numbers. The server then sends a code to the victim via Firebase Message and the victim is instructed to input bank details only after providing the pin. However, even if the bank information is correct, , BankBot shows an “error screen” and asks the user to input the credentials again.

“Apparently, the author of BankBot wants to verify the banking details of their victims. They ask for the details twice, just in case users input it incorrectly at first. BankBot will send the stolen data to the C&C server only after account information is entered twice,” Malwarebytes says.

BankBot’s widened reach and the fact that it is experimenting with new techniques are concerning, TrendMicro points, out, citing research claiming that mobile banking users in the Middle East and Africa are expected to exceed 80 million by 2017.

Related: Android Malware Found on Google Play Abuses Accessibility Service

Related: Source Code for BankBot Android Trojan Leaks Online

Copyright 2010 Respective Author at Infosec Island]]>
How to Fail Safe Your Data in the Cloud or When It’s Shared with 3rd Parties https://www.infosecisland.com/blogview/24973-How-to-Fail-Safe-Your-Data-in-the-Cloud-or-When-Its-Shared-with-3rd-Parties.html https://www.infosecisland.com/blogview/24973-How-to-Fail-Safe-Your-Data-in-the-Cloud-or-When-Its-Shared-with-3rd-Parties.html Tue, 12 Sep 2017 13:24:32 -0500 Experienced engineers know to “fail safe” the systems they design. This basic principle merely says that a system remains in a safe state in the event of any failure. For data security systems, this means that the sensitive data should remain inaccessible if anything goes wrong with the system. The simplest way of accomplishing this is data encryption.

Unfortunately, enterprises often overlook this critical principle when securing their data, even when the data is stored in the cloud or shared with 3rdparty service providers. In these scenarios, the scope of potential failures increase as enterprises lose control and visibility over their data. Take Verizon as an example. They shared customer data with NICE Systems for the purpose of customer analytics. That data included customer information in unprotected form. As a result, when NICE accidentally put the information in a misconfigured S3 bucket in the Amazon cloud, that information was available for the whole world to see.

What happened to Verizon is just a trivial example of how security systems could fail with an honest mistake. Any CISO will tell you that their IT systems are constantly being attacked every day and that their employees are regularly receiving phishing emails. These events represent efforts by malicious parties to actively create failure in enterprise security systems, and the reality is that they only need to succeed once. The question, then, is what those hackers or rogue insiders see when they have circumvented the firewalls, evaded the monitoring, and bypassed access controls. Do they see valuable data ready for the taking, or are they confronted with an encrypted blob that encourages them to give up and seek other targets?

Given the fundamental role encryption can have in securing data, the use of data encryption is still surprisingly low. Nearly every data breach disclosure has indicated that the data was not encrypted. Of course, this may be due to the fact that many regulations do not require a disclosure when the data is encrypted. Despite this safe harbor, however, there’s still breaches disclosed weekly and hundreds of millions of records lost every year. Clearly, many are still not getting the message.

The reasons given for not using encryption are many: encryption is too complex, its overhead is too high, key management is tricky. Furthermore, for cloud and 3rdparty use cases, traditional data-at-rest encryption appears more for meeting bare minimum compliance requirements rather than securing data. Fortunately, encryption solutions have made great strides. In addition to traditional storage and database encryption, application-level encryption options are more readily available and can protect data at a columnar granularity. Encrypting at the application level allows enterprises to maintain control and visibility of sensitive data values even if data is uploaded to the cloud or shared with 3rdparties.

Modern application encryption solutions reduce the application development effort by taking care of key management, monitoring, and reporting. The best solutions eliminate the need for application code changes and make encryption an operational exercise rather than create new development work. By making data security part of the operational process, enterprise can create a uniform agile encryption strategy that can quickly adapt to new security and compliance requirements while focusing their application development team on their core business requirements.

Whether ephemerally or permanently, data will be shared with 3rd parties and/or stored in the cloud. It behooves enterprises to protect that data with application encryption to ensure that there is a last line of defense against any failure in the data security system.

About the author: Min-Hank Ho has been developing enterprise security solutions for over 16 years and currently leads engineering for Baffle, Inc. Prior to joining Baffle, he led the development of Oracle Advanced Security and Oracle Key Vault, widely used data security products for enterprises with Oracle databases.

Copyright 2010 Respective Author at Infosec Island]]>
No Such Thing as Too Small to Hack https://www.infosecisland.com/blogview/24972-No-Such-Thing-as-Too-Small-to-Hack.html https://www.infosecisland.com/blogview/24972-No-Such-Thing-as-Too-Small-to-Hack.html Thu, 07 Sep 2017 09:13:00 -0500 Small business owners all-too-frequently believe that they won’t be targeted by hackers because they don’t offer anything of interest to cybercriminals. Since mainstream media outlets tend to solely focus on the “spectacular” large corporate and government breaches, it’s somewhat understand that this misconception continues to fester. But that narrative may be starting to shift – at least a bit.

 

The U.S. Securities & Exchange Commission recently stated that SMBs are “at even greater risk, and are far more vulnerable once they are victimized.” As the volume of attacks and lucrative profits continue to grow, all business owners – from Fortune 100 companies to small family-owned businesses – need to get serious about defending their business websites from being compromised.

 

A 2016 Cybersecurity Ventures report says the financial toll of cybercrime is expected to double from 2015 to 2021. Even with the skyrocketing costs of cybercrime affecting every sector of the global economy, mostly only large corporations have made significant progress toward mitigating this threat. Either by refusing to admit that they will be targeted or insisting that they already have sufficient protection, SMBs are still largely in denial about the clear fact that a business remains vulnerable as long its website remains unprotected or unmonitored.

 

Small business owners often aren’t aware of the fluid and dynamic nature of discovering and disclosing vulnerabilities, and how this causes both updated and outdated website platforms to be at risk. According to a spokesperson for the Small Business Administration (SBA), companies that used Web Content Management Systems face even more acute threats, as “at any given time between 70 to 80-percent of users are running outdated versions of WordPress – leading to critical and well documented vulnerabilities.”

 

An owner of a typical small business site reviews web traffic figures daily, and they are often pleased to notice any increase in volume. However, analysis from multiple independent studies illustrates that an average of seven percent of daily traffic actually consists of hackers exploring and/or exploiting vulnerabilities. That figure is likely even higher for a “small fish” SMB that provides goods and services to a “big fish”– since these SMBs are often used as gateways into the more heavily defended large enterprises.

 

While DDoS attacks tend to receive some of the more frequent, large-scale press coverage, there are other website attacks that can wreak even more havoc on a small business. The nearly constant stream of application-layer bot attacks is much more common and harder to detect and defend against. “Bad” bots are masquerading as “good” bots such as Google and Bing crawlers – but are actually conducting competitive data mining, account hijacking, and much worse. They affect a business website’s availability, degrade the user experience, and vacuum up proprietary information all while under the radar – potentially eroding consumer trust in a brand.

 

Small businesses that are hacked often suffer losses of much greater magnitude than their larger counterparts because they lack the established “name recognition” of big companies. Hackers may use a site to host malware, to get around blacklisted IP addresses, which can gravely affect company’s marketing efforts by hurting their search engine rankings on Google, Bing and many others. If a company’s site is detected as compromised, search engines will devalue a domain until its able to rid it of malicious code.

 

Since mid-2010, attacks targeting small businesses have steadily increased to the point that they now account for about half of all attacks. Despite the high probability of facing a very real cyber-nightmare, the vast majority of small business owners have not made significant progress because they either lack the resources for sufficient defense or have not taken the threat seriously. According to the Small Business Administration cybersecurity portal, owners and staff with IT responsibilities must began to think about how to respond to a sudden loss of control or access to their website platforms. They should prioritize security assets “by conducting penetration tests and then shoring up defenses against the vulnerabilities that are discovered.”

 

SBA analysts recommend that owners utilize technology that is designed to solve the specific challenges that the business is facing in the cyber arena. “Small businesses should automate as much of their security as they possibly can. If after performing an inventory, customers employ data loss prevention technology to monitor if sensitive information is leaving the organization, they can automate scanning for these types of vulnerabilities,” the organization states.

 

Technology alone does not equal security, as owners and employees must begin to realize that their websites offer a potentially immense value proposition to hackers. An SMB is definitely not too small to care.

 

*Updated with reference and link to Cybersecurity Ventures report

 

About the author: Avi Bartov is co-founder of GamaSec, a global provider of website security solutions for small and medium-sized businesses. A technology executive who led several companies to success in Europe and Israel, Avi has more than 20 years of experience in IT security management and is a graduate of Nanterre University with a degree in international law.

 

Copyright 2010 Respective Author at Infosec Island]]>
How Secure Are Your Company’s Social Accounts? https://www.infosecisland.com/blogview/24970-How-Secure-Are-Your-Companys-Social-Accounts.html https://www.infosecisland.com/blogview/24970-How-Secure-Are-Your-Companys-Social-Accounts.html Thu, 07 Sep 2017 07:12:49 -0500 HBO, and many other companies, have been faced with that dreaded sick feeling of finding out that someone hacked their Twitter or Facebook accounts. In many cases, businesses are not treating their brand and good-will the same way they are treating other corporate assets like their HR or finance systems.

Most businesses force password changes and two-factor authentication on users of internal systems. More forward thinking companies have implemented privileged account management systems that allow users to check-out of passwords to high-value or high-risk systems and then randomize those passwords when they are checked back in. In some cases, a privileged account management system may even disable an account when it is not being used by someone making that account nearly hack-proof. However, companies seem to be slow with realizing that their Twitter, Facebook or LinkedIn accounts and passwords require exactly the same protection as any of their high-risk or high-value internal systems. Why is that? Why aren’t companies at least turning on two-factor authentication, at a minimum?

The story in question is a great example of a well-known company having damage done to their brand by a group of hackers. Unlike a financial system or an HR system the loss of brand reputation is incalculable but acknowledged to be very high. Notwithstanding the fact that that a brand is damaged every time an article is written about what happened to them. (I love HBO and I will continue my subscription nevertheless!)

Is it too inconvenient to have to check-out a password when you want to Tweet? Or update your company’s status on Facebook? Or use two-factor authentication? Do you have many social media employees who all need access to the same social media accounts at the same time so you’re sharing a password with many and two-factor authentication doesn’t work for shared accounts? Most modern privileged account management systems give you the capability of defining policies like “require check-out after hours”, “require check-out if outside the network”, or “wait for check-in before check-out” to ensure that only one person is posting at a time. It’s even possible to ensure that the social media employees never see the password that they are checking out! A combination of these types of policies could easily level-up your protection of your social media (privileged) accounts. A really good system would also ensure that any passwords used by employees that aren’t randomized are checked against a list of known, hacked, passwords that are in the dictionaries of most hackers. A great example of some of these well-known hacked passwords include: starwars, 123456 or qwerty.

It’s really time to start protecting your Facebook, LinkedIn, Twitter, Tumblr, Instagram and all other social media systems with as much security as your accounts payable or human resources system. There are no technical excuses.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

Copyright 2010 Respective Author at Infosec Island]]>
Enterprise Security in the Age of Advanced Threats https://www.infosecisland.com/blogview/24969-Enterprise-Security-in-the-Age-of-Advanced-Threats-.html https://www.infosecisland.com/blogview/24969-Enterprise-Security-in-the-Age-of-Advanced-Threats-.html Tue, 05 Sep 2017 10:20:08 -0500 How Predictive Intelligence Helps to Protect Companies

The malware and IT security panorama has undergone a major change, and enterprise security will never be the same. Hackers have improved drastically, both in terms of volume and sophistication, new techniques for penetrating defenses and hiding malware are allowing threats to remain on corporate networks for much longer periods than ever before.

Protecting an enterprise is a challenge because an enterprise can have hundreds of thousands of computers in its network; and a criminal just needs to compromise one of them to succeed. Security companies have been protecting, trying to protect computers for decades, implementing smart tactics (trying) to ensure there is never one computer infected.

In the beginning, it was easy, the number of threats were very low, so being able to identify all threats was enough, computers were safe. Some of those threats were complex, like polymorphic viruses. Some of them, like the metamorphic ones, were a nightmare for antivirus companies, as it could take several days, even weeks, for the expert researchers to create a detection for them. The creators of these viruses were people trying to show off their abilities, how good they were, and that was it, there was no other ulterior motive.

As the internet rose, there became a clear motive: money. Once cyber-criminals figured out how to benefit financially from these attacks, things really took off, and security companies, once again, had to adjust.

The reality today is the number of new threats created is growing exponentially. In the old days a virus could take weeks or months to travel from LA to NY, now with the internet, in a few seconds a virus could go from Washington DC to Tokyo.

Blacklisting is one tactic traditional anti-virus companies have used to fight cyber-crime. Blacklisting has decades of experience and included accurate signature detections, capable of effectively detecting hundreds of millions of malware samples. On the negative side, blacklisting comes with a lot of uncertainty. Their goal is to find malicious software, anything considered non-malicious is allowed, even though the security vendor and the customer have no idea what it is and what it is doing.

To make up for this uncertainty, we have also seen the tactic of whitelisting. Whitelisting can work well as it only allows goodware to be executed through the system. However, just like blacklisting, there are pitfalls with this method, including trojanized programs.

Both blacklisting and whitelisting worked well for a while, but in the age of advanced threats, they can no longer be counted on as the sole method. What happens when there is not malware involved in an attack? Neither of these models work, because at the end of the day they are two sides of the same coin, eliminating malware. Cyber-criminals can try and fail a million times, but as soon as they get it right once, they win. It’s not a level playing field, and our solutions need to evolve to get ahead.

In the Verizon Data Breach Investigation Report published this year, they cover security breaches and the different tactics used by the attackers.

Malware was only used in a 51% of the cases, half did not include malware at all! Which means that both approaches (blacklisting or whitelisting) do not work, and won’t protect your business.

So, where do we go from here? What does an advanced cyber-security solution need to look like for enterprises in 2018 and beyond?

  • Classification of all files using
    • Blacklisting: As explained these technologies have their limitations, but at the same time they are excellent at doing what they must do (detecting malware)
    • Whitelisting: With it, we can eliminate the uncertainty caused by blacklisting
  • Automation The only scalable & viable way to classify all files is through automation, providing the best possible accuracy.
  • Real Time Monitoring Goodware is already being used successfully by attackers, so we need to know everything that is happening in each computer in real time, including detecting malware-less attacks.
  • Forensics It doesn’t matter how good we are, cyber-criminals will eventually compromise a computer, we cannot always outsmart them. That’s why having this last component is essential. As soon as a security breach is detected, with forensics we can answer all the questions that need to be answered: what has happened? When did it happen? How did the attackers enter? What have they done?

Including all of these components is an uphill battle for security vendors, but as an industry, we know what it takes to combat the most sophisticated cyber-attacks in history. Now, it’s a matter of execution, and businesses recognizing how important security is to their objectives.

About the Author: @Luis_Corrons has been working in the security industry for more than 17 years, specifically in the antivirus field. He is the Technical Director at PandaLabs, the malware research lab at Panda Security. Luis is a WildList reporter, and a top-rated industry speaker at events like Virus Bulletin, HackInTheBox, APWG, Security BSides, etc. Luis also serves as liaison between Panda Security and law enforcement agencies, and has helped in a number of cyber-criminal investigations. 

Copyright 2010 Respective Author at Infosec Island]]>
Security Awareness: Watch-Out for Hurricane Harvey Online Scams https://www.infosecisland.com/blogview/24971-Security-Awareness-Watch-Out-for-Hurricane-Harvey-Online-Scams.html https://www.infosecisland.com/blogview/24971-Security-Awareness-Watch-Out-for-Hurricane-Harvey-Online-Scams.html Mon, 28 Aug 2017 16:24:00 -0500 As the tragic events continue to unfold in Southeast Texas, the dark side of the Internet is already coming to life with a wide variety of online scams to trick global web surfers.

While there are many good causes that need our immediate support, there have already been reports of both hurricane victims and potential donors receiving misleading information that is attempting to deceive. Sadly, both Texans in trouble and those who want to give from around the world, are falling for relief effort scams.

Numerous media sites posted a toll free number to call if you were in a state of emergency. However, the number called is for an insurance group.

Meanwhile, all across the country, warning bells are sounding about scammers trying to trick people into giving to fake accounts. For example, the Office of the Indiana Attorney General’s Consumer Protection Division is warning Hoosiers to be vigilant in giving.

What Can You Do?

The Better Business Bureau is advising donors to be wary of these techniques which should set off alarm bells:

1. Don't fall for copycats.

2. Be wary of emails and social media.

3. Don't provide personal information.

4. Do your homework. Visit give.orgto review the BBB Charity Report and to verify that a charity meets bureau standards for accountability.

5. High pressure.Be leery of a charity that insists on immediate relief help. Legitimate charities will be glad to accept a donation later on.

Also watch-out for Facebook pages or bogus “Go Fund Me” accounts that try to attract emotional support with pictures. They typically will use actual disaster photos from the storm to make them look official.

The best advice I have is to give to the Red Cross using well-known and trusted channels. To contribute to the Red Cross, you can simply text the word HARVEY to 90999 on your cellphone.  Or visit their website, RedCross.org,to donate by credit card.

Additionally, be aware that personal appeals for money on crowdsourcing sites typically are not tax deductible, unlike the American Red Cross and Salvation Army.

Phishing Scams

As reported during previous natural disasters and global events, phishing is usually the path of least resistance for the bad guys to get the sensitive data they want without being detected. If they can become you, they can slowly steal the data over time and cover their tracks.  In phishing, the bait is a clever message and you are the fish. We fall for the phishing bait, because the phishers are masters of disguise. The bad guys play on our emotions and desires and appear to be from trusted sources.

In the case of Hurricane Harvey, watch for official looking appeals that go to unfamiliar places or web addresses that are a few letters off. Also, don’t donate to organizations that are not tax deductible.

Spear phishing is similar to phishing, except the attack is more targeted, sophisticated and often appears to be from someone you know such as a company colleague, your bank, a family member or a friend. The message may include personal information like your name, where you work, and perhaps even a phone number or other related personal information.

During a crisis, you may receive items forwarded to you from friends or family. However, don’t just assume that all is well. Check the details of where they are asking you to donate or what links you are clicking on.

Finally, understand that this scamming trend is not new and not going away. As Trend Micro pointed out several years ago, cybercriminals have time on their side and are just waiting for you to let your guard down. If you don’t fall for tricks surrounding this natural disaster, sadly, another major event is most likely just around the corner. Be prepared!

Copyright 2010 Respective Author at Infosec Island]]>
Why the GDPR is Important to Your Organization https://www.infosecisland.com/blogview/24968-Why-the-GDPR-is-Important-to-Your-Organization.html https://www.infosecisland.com/blogview/24968-Why-the-GDPR-is-Important-to-Your-Organization.html Mon, 14 Aug 2017 02:32:24 -0500 The General Data Protection Regulation (GDPR) officially goes into effect in May of 2018 and will have an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organizations are struggling to come to terms with.

At the Information Security Forum (ISF), we consider this to be the biggest shake-up of global privacy law in decades as it redefines the scope of EU data protection legislation, forcing organizations on a global scale to comply with its requirements. This includes US-based organizations. The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including an absence of awareness among major inner stakeholders. The benefits of the GDPR will create several compliance requirements, from which few organizations will completely escape.

However, organizations will benefit from the uniformity introduced by the reform and will evade having to circumnavigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits as countries in other regions are dedicating more attention to the defense of mission-critical assets. The GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.

Understanding the Consequences of Non-Compliance

Most countries, including all EU nations, have established supervisory authorities to oversee the use of personal data. These supervisory authorities are government-appointed bodies that have powers to inspect, enforce and penalize the processing of personal data. In the US, a number of authorities enforce data protection requirements under the sectoral approach, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers.

Supervisory authorities are granted investigatory powers by the GDPR, allowing them to investigate any complaint that they receive through a variety of measures such as audits, and reviews of certifications and codes of conduct. Complaints may be received not only from the data subjects themselves but also from any organization or association that chooses to complain or has been chosen by a data subject to represent their interests. These complaints can be submitted to any supervisory authority, not just the supervisory authority with territorial responsibility.

If an organization is found to be infringing the requirements of the GDPR, supervisory authorities have a variety of corrective powers from which to choose. These include the ability to issue warnings and reprimands to controllers or processors; but also include far more substantial powers, which can compel an organization to process data in certain manners, or cease processing altogether, as well as force an organization to communicate data breaches to the affected data subjects.

Preparation Must Begin Now

No organization that operates on a global footprint of suppliers can afford not to prepare for changes that will result from new GDPR compliance rules. Falling out of compliance with data regulation can really hit you in the pocket. The checklist of rules requires extreme preparation and responsibility all of which must shouldered by the organizations who cannot look solely government or regulators for help.

The GDPR is putting data protection practices at the forefront of business agendas worldwide. For most organizations, the next year will be a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk obligations. Because of the effort required to report data breaches, it is essential that organizations prepare in advance.

Executive management will be responsible for ensuring that an organization meets its legal obligations to implement the GDPR’s requirements. A Data Protection Officer (DPO) should be designated to act as a focal point for ongoing data protection activities. An organization’s governance functions, including information security, legal, records management and audit should ensure they are familiar with the requirements of the GDPR and have the necessary people, processes and technical solutions in place to achieve compliance.

With reform on the horizon, organizations planning, or already doing business in Europe, should get an immediate handle on what data they are collecting on European individuals, where it is coming from, what it is being used for, where and how is it being stored, who is responsible for it and who has access to it.

In theory, an organization should have completed its GDPR preparations well before next May in order to gain assurance from, and provide assurance to, third parties’ requests. This will require resources with the expertise and time to issue and process those requests. Data protection, legal and information security teams should plan for this task so that they are not overwhelmed with requests closer to the enforcement deadline.

Copyright 2010 Respective Author at Infosec Island]]>
NIST Offering Much Needed Guidance for Neglected SMBs https://www.infosecisland.com/blogview/24967-NIST-Offering-Much-Needed-Guidance-for-Neglected-SMBs-.html https://www.infosecisland.com/blogview/24967-NIST-Offering-Much-Needed-Guidance-for-Neglected-SMBs-.html Fri, 11 Aug 2017 11:19:00 -0500 It’s refreshing to see that SMB cybersecurity is getting noticeably more attention on a national level in the United States. Awareness of the risks is growing, and with the Congress and organizations such as the National Institute of Standards and Technology (NIST) publicly playing a larger role in the public discussion, we’re on our way to making some notable inroads.

After all, small to medium-sized businesses account for over 46 percent of the entire output of the private sector in the United States, and therefore they are a vital cog in our overall economic engine. SMBs are responsible for creating 63 percent of all new jobs, yet they have been largely overlooked in the cybersecurity arena as fast-growing threats and opportunities for disruption emerge.

According to NIST researchers, in a recent interagency report (PDF) titled, “Small Business Information Security: The Fundamentals,” while many companies are investing heavily in people, processes, and technology to boost their security posture, “small businesses typically don’t have the resources to invest in information security the way that larger businesses can and so criminals view them as soft targets.”

Usually motivated by profit, most cybercriminals can actually be viewed as small business owners themselves (albeit illegal ones), who like legitimate business owners try to squeeze as much revenue from as few resources as possible. The financial and manpower costs to breach a Fortune 500 company are usually much greater than the few dollars they might spend to compromise a local dry-cleaning chain, and owners must be able to identify and protect themselves from their unique risks.

While attacks are a mix of both random than targeted efforts, there are certain characteristics that serve as “common denominators” for attacks against SMBs. According to research presented at BlackHat 2017, cybercriminals generally target SMBs because of weaknesses in either people, processes or technology.  Any business that requires its employees to have regular access to desktops, laptops, and company email is a more susceptible and enticing target for cyberattacks. A surprisingly high number of systems are still outdated, and unpatched, and therefore highly vulnerable.

Another way to gain the unwanted attention of hackers is to host online customer service portals or other website resources that store customer or company information – and then fail to protect the website properly. SMB owners or IT administrators should understand the risks and best practices that are associated with them. Those who don’t think about enforcing proper policies and training initiatives are also inviting trouble, as this makes a hacker’s task akin to taking candy from a baby. Thus, the welcomed heightened discussion on federal level.

The NIST framework provides the much-needed guidance that organizations of any size can use to identify their major risks in cyberspace, assess their vulnerabilities in people, processes, or technology, improve their ability to prioritize and invest smartly in cyber resources, and demonstrate their good faith efforts to manage risks and safeguard themselves and their customers (which can be crucial to regaining customer trust after a breach).

Having strong people and processes can be just as important to securing information as the technological component, and therefore establishing intelligent policies and proactively seeking guidance can make the difference between an SMB falling victim or successfully mitigating risk.

About the author:Avi Bartov is co-founder of GamaSec (www.gamasec.com), a global provider of website security solutions for small and medium-sized businesses. A technology executive who led several companies to success in Europe and Israel, Avi has more than 20 years of experience in IT security management and is a graduate of Nanterre University with a degree in international law.

Copyright 2010 Respective Author at Infosec Island]]>
What Is Hypervisor-based Security and Why Is It Important in Stopping Zero-Day Exploits? https://www.infosecisland.com/blogview/24966-What-Is-Hypervisor-based-Security-and-Why-Is-It-Important-in-Stopping-Zero-Day-Exploits.html https://www.infosecisland.com/blogview/24966-What-Is-Hypervisor-based-Security-and-Why-Is-It-Important-in-Stopping-Zero-Day-Exploits.html Fri, 11 Aug 2017 08:40:00 -0500 Recent studies show that it takes a company an average of five months to discover a data breach, and 53 percent of these incidents are detected only after an external audit. This is concerning in the face of the current cyber security landscape, where endpoint security is offered with varying degrees of success and data center security is largely uncharted territory. As the complexity of attacks against data centers rises exponentially, product development for an effective data center security solution is moving too slowly to meet the demands of enterprises struggling to defend against the onslaught of new threats.

Why don’t enterprise security solutions pick up more threats?

One thing common to all vulnerabilities, both known and unknown, is memory exploitation. Traditional endpoint security solutions are very good at identifying file-based malware and monitoring the operating systems (OS) from within the network. However, because all in-guest security solutions rely on information from the OS, advanced threats can cloak infiltration through zero-day vulnerabilities and file-less attacks. In these cases, the attacks instruct the OS to “lie” to the endpoint security solution so that it cannot identify the suspicious activity.

How do you catch something you can’t see?

Fortunately, even though cyber-attacks have rapidly evolved, the framework of enterprise IT infrastructure has transformed completely, enabling it to better protect threat vectors. The hypervisor now sits as an intermediary between virtualized endpoints and physical hardware. This provides the brand-new opportunity of delivering security through the hypervisor layer.

The hypervisor, mainly a tool for performance, has an untapped security potential. The hypervisor sees clean, unaltered information about the memory being used by each virtual machine, and it is completely isolated from them. It can detect and prevent advanced attacks by offering real-time detection at the hypervisor layer.

Leveraging the hypervisor to tap directly into raw memory, hypervisor-level security solutions can secure workloads from outside the operating system. Marking memory pages as Read-Write only, when the VM attempts to execute a page - as a result of the attack - the hypervisor will stop the operation and notify the engine in the security appliance.

How do hypervisor-security solutions “see” processes in memory?

Hypervisor-level security systems protect against malicious techniques and most importantly isolate the security virtual appliance from guest VMs that may be housing malware. This means rootkits can’t hide from the security appliance or interfere with its operation. With full access to guest memory, the solution can see what’s truly going on.

Traditionally, when trying to detect an attack, endpoint detection technologies look for who tries to initiate the attack (signature-based), or for signs of malicious behavior, or what an attack looks like. However, hypervisor-level security provides insight to what attacks look like at a memory level. Even if everything looks normal within the OS, malware inevitably leaves certain traces in the memory space.

Utilizing the hypervisor for security measures is a crucial paradigm shift, as the number of techniques for utilizing exploits remains very small, and all center on misusing memory to have malicious code executed. Hypervisor-level security solutions can identify common exploitation techniques (e.g. code injection, function detouring, API hooking), without knowing beforehand the actual vulnerabilities the attackers use.

Placing security measures outside the operating system (or in this case, guest machines), security solutions gain unparalleled visibility into advanced threats while being isolated from them. This means enterprises of all sizes can reduce blind spots in endpoint security solutions, fortifying infrastructures against cyber-attacks.

About the author: Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild Trojan horses.

Copyright 2010 Respective Author at Infosec Island]]>
SAP Cyber Threat Intelligence Report – August 2017 https://www.infosecisland.com/blogview/24965-SAP-Cyber-Threat-Intelligence-Report--August-2017.html https://www.infosecisland.com/blogview/24965-SAP-Cyber-Threat-Intelligence-Report--August-2017.html Fri, 11 Aug 2017 05:41:00 -0500 The SAP threat landscape is always growing thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind SAP Cyber Threat Intelligence report is to provide an insight on the latest security threats and vulnerabilities.

Key takeaways

  • This set of SAP Security Notes consists of 19 patches with the majority of them rated medium.
  • One of the vulnerabilities closed this month affects Adobe Flex software development kit, thus every custom application written with the help of the library is susceptible to XSS vulnerability.
  • The most common vulnerability type is XSS. By the way, Cross-Site Scripting remains the most widespread security loophole in SAP Applications with 20% of the released Notes addressing this type of issues.
  • Vulnerabilities in SAP Customer Relationship Management module deserves attention. The number of SAP Security Notes for this module totals 393. This month, 3 Notes belong to this area, including an SQL Injection which allows stealing sensitive customer data.

SAP Security Notes – August 2017

SAP has released the monthly critical patch update for August 2017. This patch update includes 19 SAP Security Notes Notes (16 SAP Security Patch Day Notes and 3 Support Package Notes).

1 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

3 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 7.7.

image

The most common vulnerability types is XSS.

image Issues that were patched with the help of ERPScan

This month, several critical vulnerabilities identified by ERPScan’s researchers Vahagn Vardanyan and Vlad Egorov were closed by 4 SAP Security Notes.

Below are the details of the SAP vulnerabilities, which were identified by ERPScan team.

  • An SQL Injection vulnerability in SAP CRM WebClient User Interface (CVSS Base Score: 6.3). Update is available in SAP Security Note 2450979. An attacker can use an SQL injection vulnerability with a help of specially crafted SQL queries. He or she can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable.
  • Multiple vulnerabilities (Cross-site scripting and Information disclosure) in SAP SRM Live Auction Application (CVSS Base Score: 6.1). Update is available in SAP Security Note 2493099. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modification of displayed content. Moreover, an attacker can use Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which will help to learn about a system and to plan further attacks.
  • A Cross-site scripting vulnerability in SAP CRM IPC Pricing (CVSS Base Score: 6.1). Update is available in SAP Security Note 2481262. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content.
  • A Open redirect vulnerability in SAP NetWeaver Logon Application (CVSS Base Score: 4.3). Update is available in SAP Security Note 2423540. An attacker can use an Open redirect vulnerability for redirecting a user to phishing or malicious sites without his or her knowledge. The vulnerability occurs because an application takes a parameter and redirects a user to the parameter value without any validation.

Focus on vulnerabilities in SAP CRM

Customer Relationship Management (CRM) is among the most widespread and important business applications. Moreover, enterprises consider this software the most critical in terms of business processes – according to the ERP Cybersecurity Survey 2017 55% of respondents find CRM a most critical asset. It comes as no surprise taking into account that this module stores and process the essential business data – from list of customers to pricing information.

image

Unfortunately, this application also contain numerous security drawbacks, a total of 393 SAP Security Notes fixes different vulnerabilities in SAP CRM. This month, 3 SAP Notes belong to the SAP CRM application area.

Nonetheless, not the number of issues, but their criticality and, what’s more important, business impact play a significant role in terms of the enterprise cybersecurity posture. For example, an SQL Injection vulnerability in SAP CRM WebClient User Interface (SAP Security Note 2450979) identified by ERPScan allows a remote attacker to conduct corporate espionage by sending a special request and steal all the customer data such as customer datasets, pricing, sales, or prospective bids.

About XSS Vulnerability in third-party library

In the time gap between SAP Security Day for July and August, the vendor released its SAP Security Note 2393021. Some in-house written SAP applications may be vulnerable to XSS in case developers are still using unpatched Adobe Flex Software Development Kit. The advisory states that SAP also “consumed the same SDK in our framework”, meaning SAP’s Web Dynpro Flex. In general, applications written using old versions of Adobe Flex SDK and Web Dynpro Flex are susceptible to the Cross-Site Scripting Vulnerability.

The issue was first identified in 2011 and the appropriate patch was released in March 2012. The vulnerability (CVE-2011-2461) allowed remote injecting arbitrary web script or HTML by the use of vectors related to the loading of modules from different domains.

As the issue affects a library, simply applying the fix would not be enough to get rid of the vulnerability. Applications which were written with the vulnerable libraries should be rebuilt using the patched version of SDK.

XSS is the most spread vulnerability affecting SAP applications (see the statistics below). SAP Cyber Security in Figures revealed that 20% of vulnerabilities belong to this type. This set of patches is not an exception, 5 of the closed issues are XSS, including 2 identified by ERPScan’s researchers.

image Other critical issues closed by SAP Security Notes August

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2486657: SAP NetWeaver AS Java Web Container has a Directory Traversal vulnerability (CVSS Base Score: 7.7). An attacker can use a Directory traversal vulnerability to access arbitrary files and directories located in a SAP server filesystem including application source code, configuration and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.
  • 2376081: SAP Visual Composer 04s iviews has a Code Injection vulnerability (CVSS Base Score: 7.4). Depending on code, attackers can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, or can potentially escalate privileges by executing malicious code or even to perform a DoS attack. Install this SAP Security Note to prevent the risks.
  • 2381071: SAP BusinessObjects has an Cross-Site AJAX Requests vulnerability (CVSS Base Score: 7.3). An attacker can use a Cross-site request forgery vulnerability for exploiting an authenticated user’s session with a help of making a request containing a certain URL and specific parameters. A function will be executed with authenticated user’s rights. An attacker may use a cross-site scripting vulnerability to do so, or they can present a specially crafted link to a victim. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Copyright 2010 Respective Author at Infosec Island]]>
Evasive Malware on the Rise: Time to Stop Stealth Attacks in their Tracks https://www.infosecisland.com/blogview/24964-Evasive-Malware-on-the-Rise-Time-to-Stop-Stealth-Attacks-in-their-Tracks.html https://www.infosecisland.com/blogview/24964-Evasive-Malware-on-the-Rise-Time-to-Stop-Stealth-Attacks-in-their-Tracks.html Fri, 11 Aug 2017 02:39:46 -0500 Imagine discovering that the locks and alarms on the doors and windows of your home only worked sometimes, in unpredictable fashion. How would you keep thieves away from your valuables and protect your family members? Would you camp out in the front room keeping watch night after night? You’d have to find a way to outwit would-be intruders. Wouldn’t it be nice if you could trick them with an illusion that made your house look completely empty or full of hungry Rottweilers?

This made-up scenario is all too real in cyberspace. Information security solutions dependent on previously identified signatures, behaviors, or patterns simply do not stop every attack. As hackers increasingly employ stealthy evasive malware and ransomware techniques, organizations are recognizing they need an efficient and reliable way to beat the creepers at their own game.  Businesses that don’t address evasive malware and ransomware head-on are in for a rude awakening. Cisco’s Midyear Cybersecurity Report confirms that malware developers are evolving and shifting their techniques with increasing skill and speed, even commoditizing their guerrilla weapons into ransomware-as-a-service platforms.

In a recent rash of attacks (150 organizations in 40 countries), fileless malware was used to access bank networks and install additional malware on ATMs that cause them to dispense cash at the touch of a button. It’s important to understand how these evasive exploits work. Malware authors aim to breach endpoints on their way to more extensive infiltration of systems and networks, often scraping credentials, installing spyware, or establishing the ability to remotely execute commands. In order to carry out such schemes, malware is designed to stay undetected for as long as possible. Malware is built to employ various ways of bypassing existing defenses, including checking the endpoint environment for AV, firewalls, gateways, debuggers, and sandboxes before launching exploit mechanisms.

The most devious malware authors go out of their way to package their malware so that it can’t be fingerprinted: they know that once pinpointed, the unique identifiers will be incorporated into AV updates. These fileless attacks leverage known vulnerabilities (browsers, Java, Flash, etc.) and phishing campaigns to gain entry, run code in the target computer’s memory, and continue to infiltrate by launching script interpreters like PowerShell. Malware that manipulates existing Windows programs in this way are able to trick AV, as it is difficult to distinguish between legitimate macros and malicious document files. Similarly, if malware unpacks its code into a non-malicious process, AV has a hard time preventing the resulting attack. Sophisticated attackers are even using open-source penetration testing tools to inject code into (or scrape data from) system memory.

Fileless, evasive malware is shaping up to be the exploit of the future, at least until something more potent and insidious comes along. Businesses must move quickly to supplement their endpoint protection solutions that depend on previously identified patterns and signatures. Patching and updating remain essential, but realistically, these practices are chronically neglected and incomplete. Disabling macros, limiting access privileges, whitelisting applications, segmenting networks and blocking unnecessary protocols will eliminate many of the entry points and hiding places malware authors rely on, but only until they learn new tricks. Often, these measures are not practical or have an unacceptable impact on productivity. Training employees to detect phishing scams and setting email filters to thwart BEC (business email compromise) attacks is important, but not sufficiently reliable or comprehensive. Monitoring device and Windows logs is a good way to detect unauthorized services and processes, but most organizations are already struggling to keep up with alerts and incident reviews.

While the technology does not yet exist to fool thieves into thinking you have an empty house or a pack of vicious guard dogs, businesses seeking to outmaneuver stealthy malware do have some tricks at their disposal. Prevention-oriented solutions use the attackers’ evasive strengths against them, by purposefully deceiving the malware as it tests its target environment. By simulating a forensic environment that the malware identifies as inaccessible or not exploitable, these methods trigger the malware to disarm before it unpacks or does any damage. These simulation methods deceive the malware regarding its ability to interact with other processes, thereby preventing its access to memory and sensitive data. This approach is effective against a variety of memory injection techniques, which is essential to defending against the spread of fileless malware.

Creating this “virtual reality” on endpoints enables malware vaccination, contains threats designed to bypass existing security solutions, and works even on previously unseen and rapidly shape-shifting mechanisms. As the cyber wars escalate, it is painfully clear that fighting exploits tit-for-tat is an unsustainable battle plan. Cyber crime is too organized, advanced, and profitable — and the digital systems modern commerce and society rely on are too vast and interwoven. We need to develop and implement creative solutions that are broadly effective at turning “easy target” endpoints into dead ends for hackers and their tricks.

About the author: Eddy Boritsky is the CEO and Co-Founder of Minerva, an endpoint security solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.

Copyright 2010 Respective Author at Infosec Island]]>
Enterprises: Can You Handle 3,680 Phishing Emails per Week? https://www.infosecisland.com/blogview/24963-Enterprises-Can-You-Handle-3680-Phishing-Emails-per-Week.html https://www.infosecisland.com/blogview/24963-Enterprises-Can-You-Handle-3680-Phishing-Emails-per-Week.html Tue, 08 Aug 2017 04:52:12 -0500 Given its essential role in the business world, it is no surprise that the adoption rate of email security technology is nearly 100%. However, despite this near-universal investment, breaches are still occurring at increasing rates. Targeted phishing has become the single most effective attack type in the world today, and attackers’ emphasis on social engineering tactics make the protection of cloud communication platforms a critical component of any cybersecurity strategy.

An FBI Public Safety Announcement issued on May 4, 2017 outlines the scope of the problem:

“The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses. The scam has been reported in all 50 states and in 131 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 103 countries.”

However, communications security at scale is complicated by hybridized cloud adoption and the integration of customized workload integrations with public SaaS communication platforms — Microsoft Office 365 and Google Apps (now G Suite) dominate this space in the email channel.

Legacy security vendors, historically focused on on-premise technology and point solutions for email, have struggled to adapt to these newer platforms. Single-point-in-time reports to block threats at the perimeter through the use of a Secure Email Gateway are clearly insufficient, and provide no visibility, control, or protection against messages that have bypassed the SEG. In order to successfully protect the organization against highly targeted social engineering attacks, IT and Security teams must gain post-delivery visibility into, and control over, messages that have already landed in employee inboxes.

Technology, however, isn’t the only factor to blame for why we keep getting owned; it’s also a resource issue. Enterprise IT and information security teams almost always find themselves pushing against resource limitations in the face of unending attacks and increasingly sophisticated criminals — but a deficit of qualified workers often referred to as the “cybersecurity skills gap” leaves many organizations unable to find and hire the people they need in a timely fashion (if at all).

This shortage of qualified professionals leads to a critical lack of visibility. Attackers often compromise an organization in just minutes, and exfiltrate data in a matter of days; increasingly, organizations don’t know that they’ve been breached until they’re notified by a third party. Security teams must spend their time understanding and preventing threats categorically, rather than being buried in the noise of day-to-day alerts. As information security and IT staff shifts to become a more analytical role, the ability to narrow the time between incident and remediation is key to preventing a major financial or data loss event.

We analyzed information from our proprietary data cloud and found some startling facts that underscore the challenge facing enterprise IT and security teams face when protecting themselves from cyber criminals. Our researchers found that enterprises today face more than 3,680 potential phishing emails per week. This number indicates that not only are cybercriminals raising the level of personalization to entice employees to click, but also taxing enterprise systems through the volume of their attacks.

Let’s take things a step further to truly understand the administrative burden cybercriminals are placing on organizations. Experience tells us that it takessecurity admins an average of 5 minutes to analyze a single email and determine if it is a threat. Multiply this stat by 3,680 potentially dangerous emails and you find that enterprise security and IT teams would need to devote over 305 hours per week to properly review and remediate this amount of email.

The only way to keep up with this volume of work is to implement automation within the corporate cybersecurity strategy. Automation reduces the workload on IT and Security teams by programmatically identifying and addressing threats based on preset policies. Leveraging machine learning and automation can increase visibility of threats, reduce time to detect and respond to threats and also identify patterns that humans may miss.

What’s clear is that cybercriminals are stepping up not only the customization of their attacks, but also their volume. The cybersecurity skills gap has left many companies vulnerable and hackers are eager to exploit those weaknesses. As the number of Business Email Compromise scams continues to grow, understanding whether a specific message is an attack requires fully integrated threat intelligence, with significant amounts of data, to identify threat patterns and help inform incident response actions.

About the author: Kevin O’Brien is the CEO of GreatHorn. With over 20 years of experience in the cybersecurity industry, he has an extensive background in information security and data privacy.

Copyright 2010 Respective Author at Infosec Island]]>
Is Your Data at Risk Due to Third-Party Cloud Applications? https://www.infosecisland.com/blogview/24962-Is-Your-Data-at-Risk-Due-to-Third-Party-Cloud-Applications.html https://www.infosecisland.com/blogview/24962-Is-Your-Data-at-Risk-Due-to-Third-Party-Cloud-Applications.html Wed, 02 Aug 2017 06:43:00 -0500 In May of 2017, it was discovered that an exposed data repository, an AWS S3 bucket, had allowed semipublic access to the details of at least 2.2 million customers of Dow Jones & Company. The mistake was a simple one: the bucket's permission settings were set up incorrectly, allowing anyone with a free Amazon AWS account to access the content.

This leak highlights the ease with which a simple mistake in one security setting can jeopardize the personal information of your customers. The costs of such carelessness are regulatory fines, a damaged reputation and a possible lawsuit.

You may not think that it could happen under your watch – but how much of your data security is really under your control?

Do You Know Where Your Data Is Stored?

It’s likely that your business is using tens, or potentially hundreds, of third party SaaS applications to do everything from manage prospects and clients to help handle accounts. These applications save your business time and money – but they also put your data in the hands of someone else.

Most of these applications store their data in the cloud, much of it in the same type of data repository as was the leaked Dow Jones Data. What guarantee do you have that your data hasn’t been left unencrypted and accidentally made public?

Your Biggest Data Security Mistake

When most businesses hand over data to a third party, they do so under the mistaken belief that this company now has responsibility for securing that data, barely giving data security a second thought once the application is in use.

Although third parties should and do provide security, the overall responsibility for protecting the data is still yours. If the data gets leaked, it is you and your team who will be held accountable by your shareholders and customers, not the third party.

Even if the third party is contractually obliged to cover the costs of any data security problems, you must still retain oversight.

You Need A Complete Overview of the Data Chain of Custody

You rarely have detailed insight into how third parties are handling data, which means there are a lot of unanswered questions:

  • What security policies do they have in place?
  • Where is your data stored?
  • Do they regularly use contractors? What access do they have to your data?
  • Which other third-party services do they rely on ­­­– could any other businesses access your data?

The problem with getting this information is twofold: Firstly, third parties are only likely to reveal the amount of security information required contractually, but this may leave out critical information. Secondly, with most businesses using many third parties, the job of tracking them becomes time-consuming and expensive.

Implementing a Third-Party Risk Program

Manually tracking the security policies that your third parties use is impractical, if not impossible. A platform that enables businesses to access up-to-date risk assessments for a diverse range of third-party organizations is needed.

By outsourcing and automating your third-party risk assessments, you benefit from a considerable increase in efficiency and a corresponding reduction in cost and complexity. This allows you to easily assess and reduce your exposure to risk, helping you decide which third parties to deal with and which to reject.

The time-and-cost savings a robust third-party cyber risk management plan provides allows you to invest more resources into your own security, further reducing your risk.

About the author: As Head of Business Development, Scott Schneider is responsible for implementing CyberGRX’s go-to-market and growth strategy. Previous to CyberGRX, Schneider led sales & marketing at SecurityScorecard, Lookingglass, iSIGHT Partners and iDefense, now a unit of VeriSign.

Copyright 2010 Respective Author at Infosec Island]]>