
Being Present


Have you ever almost been hit by a car crossing the street staring at your mobile?

Have you ever spoken to someone without them ever looking you in the eye as they stare incessantly at their mobile?

Do you feel as if you spend more time in cyberspace than in the real world?

Then you are not alone.

Our lack of being “present” is detracting from our real world situational awareness.

The great irony of the Internet is that as we become dependent on the information – 90% of which was developed in the past 5 years – the paucity of good, clean data is showing. The Internet is a hostile environment. The true danger of our lack of being present is our faith that we can control our consumption of data.

The Web 3.0 environment is one wherein you need not show intention to receive data.

We no longer have to click on links or type in searches to acquire the data we need, because our devices implicitly know where we are, who we are, and what we like and need, and so provide it to us as a glove fits a hand. This would be wonderful if we could guarantee the security of that glove. The hacker community well understands that true power comes not just from transparency but from telepathy. Hacker crime kits like Citadel, SpyEye, PoisonIvy and the BlackHole Exploit Kit allow our virtual personas to be hunted.

Being present is now paramount. The first stage of regaining our situational awareness begins with putting our devices down. The second is to challenge our corporations, partners, and governments to stop treating cybersecurity as an expense. It is a function of business and life; in 2013 it is an inelastic good. Be present today, my friend, because there is a car coming.



Island Hopping in Cyberspace


The recent attacks on the New York Times, Washington Post and Federal Reserve illustrate a dangerous trend in cyber tactics. All of these institutions became victims of island hopping, which has become the tactic of choice for elite hacker crews. As an information security specialist, you should assume your organization is being targeted by nation states, criminals and activists alike. The recent attack on the Fed demonstrates the evolution of hacker tactics: island hopping from your networks into your constituencies' systems. The evolution of lateral movement and the automation of privilege escalation, local information gathering and data exfiltration all herald a serious paradigm shift, with adversaries setting out to colonize our ecosystems. The hacker community is targeting trusted third parties to bypass the perimeter defenses of the intended targets. As the recent ISACA survey on APTs illustrated, more than 80% of respondents had yet to alter the terms of their SLAs to manage the systemic risks posed by island hopping.

Ensuring the cybersecurity of the trusted third parties with whom you conduct business is imperative. I recommend you alter your SLAs to mandate greater security controls, such as network traffic analysis, file integrity monitoring, virtual patching and custom sandboxing, as requirements for managed service providers and business partner networks. Managing the systemic risk posed by these trusted external networks will be your true challenge of 2013. The cybersecurity of your network is now paramount to managing the infestation of your trusted user and customer accounts. Help thwart island hopping by embracing the tactical shifts of the underground.


Securing the Internet of Everything against surveillance and attacks


The emerging Internet of Everything is set to heighten the security burden for device makers, software vendors and the numerous organizations that will rely on an interconnected network of smart devices to support operations and serve customers. While tablets and smartphones rule the roost for now in terms of consumer and business attention, new technological frontiers are already being opened up by devices such as wristband trackers and networked thermostats and automobiles.

This proliferation of Internet-enabled endpoints means that cybercriminals will gain access to many new attack surfaces. Hacking a heads-up display, security camera or refrigerator, while a seemingly outlandish prospect at the moment, ultimately could have much more immediate, tangible consequences than breaching a PC, since users interact with these newly networked assets in highly personal ways and often in their own homes.

However, the broader risk emanates from the vast amounts of personal data that IoE devices are collecting and storing. For example, current gadgets such as the Jawbone Up already collect personal information about sleep patterns, health activity and dietary regimens and synchronize it with the cloud.

As more devices follow in this mold, users and security professionals must be conscious of how deeply the Internet is becoming intertwined with their lives and how the IoE promises a different, more intimate computing experience. Threats once confined to mainframes, PCs and smartphones will evolve to persist within the new connected landscape, and the security community must be ready to guide users and companies as they consider how to address these risks.

Number of networked devices could top 50 billion by the end of the decade
How big will the IoE become? The number of connected devices had already exceeded the human population as of 2012, but it is set to surge by 2020.

Cisco estimated that by that time, there will be more than 50 billion networked devices, with most of them coming online during the last three years of the decade.  Morgan Stanley was even more bullish on IoE growth, projecting 75 billion connected devices in 2020, or 9.4 for each of the 8 billion people alive at that time.

Most immediately, the emergence of the IoE will fuel growth in networking and surveillance equipment, as well as new sensors optimized for verticals such as healthcare, retail and transportation. Hospitals may be able to better track patient conditions, while businesses can keep tabs on inventory and vehicles.

However, IoE is already becoming consumerized with items such as Sony’s proposed SmartWig, which vividly displays the benefits and potential security perils of the IoE. This networked wig contains GPS, as well as tactile sensors, capable of gathering sensitive information about the wearer’s location or vital signs such as pulse and blood pressure. Still, it may also have the ability to guide a user through dark areas, interact with smartphones and enable wireless gestures such as moving one’s eyebrows to control a TV or slide projection.

While the SmartWig is still a prototype, it demonstrates that we may not be far from a world in which billions of devices monitor user behavior, producing practical benefits while simultaneously generating massive amounts of sensitive data. Moreover, the intimacy of many IoE devices means that they produce data types that cybercriminals may find attractive and profitable. For example, there have already been several instances of researchers and hackers taking over wireless IP cameras and posting their video feeds to the Internet.

Wireless IP camera hacking incidents illustrate the stakes of protecting the IoE
In early 2012, security researchers at the Hack in the Box conference in the Netherlands demonstrated that many wireless IP cameras are vulnerable to remote hacking. At the same time, their efforts illustrated how data from hundreds of millions of connected devices is already readily available on the controversial Shodan search engine, which collected information even on obscure devices like smartphone-controlled door locks.

The Qualys researchers stated that, via Shodan, they had discovered more than 100,000 IP camera feeds that were unrelated to security surveillance operations. Twenty percent of all IP cameras that they found would authenticate a user with nothing more than “admin” as the username. Even devices that were password-protected had weak firmware that was vulnerable to brute force attacks and path traversal. Since these cameras relay network information and authentication credentials to a Web-based interface, they are putting many users’ sensitive data out in the open.

“The web based administration interfaces can be considered as a textbook example of an insecure web application and easily leads to an exposure of not only sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye to an inside of your house,” stated the abstract of the Qualys researchers’ report.  “Apart from the flaws in the web interface, the cameras also use questionable security practices when it comes to securing the firmware, which leads to even more interesting attack vectors.”

In a separate incident from early 2012, a hacker compromised the software that runs SecurView IP cameras. With the number and variety of networked devices growing, and with services like Shodan providing insight into their data, device makers and the security community must step up to the plate and ensure that data privacy is respected and that risks to virtual and physical assets are mitigated.

Securing the IoE against tomorrow’s threats
Securing something as vast as the IoE seems like a daunting task. However, there’s still much that can be done to improve basic security – professionals should start by enforcing better encryption on Web apps, using stronger passwords and keeping operating systems and anti-malware solutions up to date. For example, 99 percent of the IP cameras that were exploitable via Shodan had not been updated with new firmware that protects against password attacks.

At a broader level, the IoE will demand well-designed network infrastructure that protects users while not reducing the utility of their devices. Credit card systems offer a blueprint for how to achieve this goal, since they utilize multiple layers of local and remote security to ensure that the payment experience is both safe and easy. Securing the IoE may take some creative thinking – especially in light of devices like the SmartWig – but the foundations for comprehensive security are already there and just require more diligence.


Cyber Security moves toward fully automated systems, part 1


The Pentagon’s Defense Advanced Research Projects Agency is legendary for its secretive, bleeding-edge research projects. DARPA is most famous for creating the world’s first hypertext system and, as such, laying the groundwork for the rise of advanced computer networking and the Internet. Can the organization remake cybersecurity for the coming age of the Internet of Everything and harden a wide range of infrastructure against advanced cloud-supported threats?

DARPA, the Internet of Everything and cybersecurity
In recent years, DARPA has turned its attention to moonshot projects such as terahertz frequency electronics, a replacement for GPS and, perhaps most notably, several broad cybersecurity initiatives. On the incredibly ambitious side, there’s DARPA’s plan for an antivirus shield, called High Assurance Cyber Military Systems, that would cover the IoE. With Cisco Systems projecting that the IoE could encompass more than 50 billion IP-enabled endpoints by 2020, such an undertaking would, by definition, have to revolutionize how cybersecurity is delivered, greatly extending its presence throughout the enterprise.

Securing the IoE is certainly a mission-critical task for governments, businesses and network security providers, all of whom have growing stakes in interconnected webs of sensors, devices and other infrastructure. McKinsey has estimated that IoE business could bring in more than $6 trillion in revenue by 2025. However, realizing such value requires a combination of streamlined cybersecurity processes (such as risk management frameworks), highly capable personnel and top-flight software that covers all bases from mobile to cloud.

In that regard, IoE protection doesn’t seem all that different from standard cybersecurity practices that have been popular for decades. Still, it isn’t exactly a matter of cutting and pasting current procedures. Many recent major security incidents have been marred by slow detection and response times, which organizations will be increasingly unable to afford as their networks add new endpoints and cloud services that become attack surfaces. A 2013 Trustwave assessment of 450 data breach investigations found that the average intrusion remained undetected for 210 days.

Why does it take so long? Part of the issue may be that organizations assume that traditional risk mitigation tools, such as antivirus software, alone are enough to protect their data, despite these solutions being less than ideal for functions such as monitoring network traffic. The days of standalone antivirus, declared dead by Symantec earlier this year, may be numbered. Speaking to ZDNet in 2008, Trend Micro malware CTO Raimund Genes explained that on a strictly technical basis, typical antivirus won’t keep pace.

“Two years from now, you will not be able to store the [signature] files on a computer any more … you will not have enough memory space,” Genes said. “Some people are saying that antivirus is dead, and I have to agree the traditional methods to combat malware have no future.”

What could be next: DARPA’s goal of fully automated security systems
The security community is already looking beyond antivirus and setting its sights on the IoE. In 2016, DARPA intends to hold its Cyber Grand Challenge competition in conjunction with the prominent security conference DEF CON.

Until then, the agency is encouraging would-be competitors – 35 teams had registered by early June – to work on systems capable of dealing with threats automatically and in real-time. The best fully automated solution will be awarded a $2 million prize, underscoring the seriousness of DARPA’s search for a new breed of cyberdefense. DEF CON is a common venue for such challenges, but this one is unique, stipulating that projects be “human-free.”

Putting the onus on machines and algorithms has its advantages. Cybercriminals have long had the upper hand in cyberattacks, since they only have to find a single vulnerability to take advantage of. Accordingly, incidents such as the Target breach – caused by a flaw in an HVAC provider’s systems – and the regular targeting of obscure Adobe Flash exploits are painful for human security teams to address. They’re often playing catch-up, trying to understand how the network was breached and determine the best course of action, but an automated system could give their organizations much firmer defensive postures.

“Today’s security methods involve experts working with computerized systems to identify attacks, craft corrective patches and signatures and distribute those correctives to users everywhere – a process that can take months from the time an attack is first launched,” stated Mike Walker, program manager at DARPA, according to ZDNet. “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”

If the Cyber Grand Challenge participants can indeed come up with a working human-free system, it may relieve the pressure and high price tag of having to constantly play traditional defense. While defenders have to account for a dizzying array of attack surfaces, perpetrators can focus on just a single novel one. Hardening all infrastructure against potential threats is expensive, and it may not even cover the one that ends up being exploited.

Cybercriminals have more options than ever – so security teams should, too
Meanwhile, attackers have more resources – many of them extremely cost-effective – than ever for probing for weaknesses in the network, as demonstrated by Trend Micro’s recent discovery of hackers using consumer cloud service Dropbox to host command-and-control infrastructure. The instructions hosted in Dropbox can be sent to malware and botnets.

This tactic illustrates the complex, hard to interpret risks that security teams now have to account for. Dropbox traffic will usually look normal to them, even if it is masking the machinations of C&C malware. On top of that, the popularity of services such as Dropbox means that a variety of endpoints, especially PCs, smartphones and tablets, could be serving as gateways to cybercriminal operations. With the IoE coming to the fore, risks may become even more dispersed and difficult to distinguish from legitimate activity.
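The detection problem just described, as an added example that is not from the original post or from Trend Micro: constructed proxy log lines are grouped by client and destination host, and any pair whose requests arrive at an almost constant interval is flagged as a possible polling loop. The log format, the addresses and the Dropbox hostnames in the sample are assumptions; real exports will need their own parser.

```python
"""Beaconing detection over constructed web-proxy log lines (added example).

Malware that polls a cloud file-sharing service for instructions tends to
fetch the same destination at a fixed interval, while a person's browser or
sync client is bursty. Because the destination itself looks legitimate, the
timing rhythm is the signal worth alerting on.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines; not taken from any real capture.
# Fields: timestamp, client IP, destination host, user agent.
SAMPLE_LOG = """\
2014-06-02T10:00:00 10.0.0.5 dl.dropboxusercontent.com Mozilla/5.0
2014-06-02T10:00:07 10.0.0.5 dl.dropboxusercontent.com Mozilla/5.0
2014-06-02T10:01:42 10.0.0.5 dl.dropboxusercontent.com Mozilla/5.0
2014-06-02T10:03:15 10.0.0.5 www.dropbox.com Mozilla/5.0
2014-06-02T10:00:00 10.0.0.9 dl.dropboxusercontent.com Mozilla/5.0
2014-06-02T10:05:00 10.0.0.9 dl.dropboxusercontent.com Mozilla/5.0
2014-06-02T10:10:01 10.0.0.9 dl.dropboxusercontent.com Mozilla/5.0
2014-06-02T10:15:00 10.0.0.9 dl.dropboxusercontent.com Mozilla/5.0
2014-06-02T10:20:00 10.0.0.9 dl.dropboxusercontent.com Mozilla/5.0
2014-06-02T10:24:59 10.0.0.9 dl.dropboxusercontent.com Mozilla/5.0
"""


def parse_log(text):
    """Turn raw lines into (timestamp, client, host, user_agent) tuples.

    Lines without the four expected fields or with an unparseable timestamp
    are skipped rather than aborting the run, since real proxy exports
    always contain a few malformed entries.
    """
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((stamp, parts[1], parts[2], parts[3]))
    return records


def find_beacons(records, min_requests=5, max_cv=0.05):
    """Return (client, host) pairs whose request timing looks automated.

    The score is the coefficient of variation (std dev / mean) of the gaps
    between consecutive requests: a polling loop yields a CV near zero,
    human browsing yields a large one. Pairs with too few requests are
    ignored because a handful of hits cannot establish a rhythm.
    """
    by_pair = defaultdict(list)
    for stamp, client, host, _agent in records:
        by_pair[(client, host)].append(stamp)

    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"client": client, "host": host,
                         "requests": len(stamps), "interval": avg, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon: {client} -> {host} every {interval:.0f}s "
              "({requests} requests, cv={cv:.3f})".format(**hit))
```

On the sample, only the 10.0.0.9 client is reported: six requests roughly 300 seconds apart, while the bursty 10.0.0.5 session never reaches the request threshold.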

In the next part of this series, we’ll look at one of the specific areas in which the IoE is making itself felt, bringing new possibilities along with fresh security risks: the automated home. We’ll look at the developments in that space and how new age security mechanisms can help shield assets from harm.



Cyber Security moves toward fully automated systems with IoE, part 2


In the first half of our series about the cybersecurity community’s move toward fully automated defensive systems, we examined how the emerging Internet of Everything is upping the ante for solutions that can identify and mitigate risks in real-time. Traditional measures such as antivirus, while still important for curbing certain classes of threat, are increasingly unsuited to fend off advanced attacks without assistance from network security monitoring tools and other modern utilities. Full automation is the logical next step in cybersecurity.

The Pentagon’s Defense Advanced Research Projects Agency has been notably keen to cultivate such human-free infrastructure. The reasoning is persuasive: Security teams often have to go to great lengths, at tremendous expense, to account for scores of potential vulnerabilities (even more so given how many endpoints could partake in the IoE), while attackers only have to succeed in exploiting a single one. Automated systems could finally tip the scales in favor of the defense.

The automated home of tomorrow: A microcosm of IoE security issues
It won’t be easy to get there, however. The IoE is widely perceived by both security professionals and the public to be inadequately secured, and its sheer scope – possibly 50 billion connected devices, according to Cisco’s predictions – definitely necessitates a new breed of cyber security, yet makes such a leap forward difficult to realize.

The smart home, a dream since at least the 1950s that may only now be getting the necessary technological underpinnings, illustrates the challenge that consumers, businesses and cyber security providers face in protecting growing amounts of data and infrastructure from sophisticated threats. DARPA has cited the rise of the IoE as an impetus for automated security; the home is likely the place where many individuals will first experience the benefits and pitfalls of the IoE. A 2014 study conducted by Fortinet and GMI, “Internet of Things: Connected Home,” surveyed 1,800 consumers and discovered that while many individuals felt that IP-enabled devices would continue to become more embedded in everyday life, security would lag general functionality:

  • More than half (61 percent) of respondents in the U.S. and a solid majority (84 percent) in China believed that the IoE – more specifically the networked home – would become a reality within the next 5 years
  • Fifty percent stated that they were likely to seek better Internet service to accommodate IoE functionalities, which can range from smart thermostats to refrigerators equipped with Wi-Fi.
  • Seven in 10 were concerned about data breaches of IoE infrastructure that could compromise their personal data
  • Almost 60 percent did not trust how data collected from IoE endpoints may be used. Certainly, with Google’s acquisition of Nest, there have been concerns elsewhere about information on users’ homes being used to refine advertising targeting.

Home automation is an old idea, but making house appliances and communications systems Internet-facing is novel, and it creates many potential new attack surfaces. A 2013 Trend Micro research paper, “Home Automation and Cybercrime,” advised against deep in-home Internet integration. However, seeming to realize that many users will do so anyway, the paper’s authors recommended using strong, unique passwords for each device and isolating them from the rest of the home network if possible.

What could go wrong with home automation?
Devices such as TVs, smoke detectors and thermostats have only recently been IP-enabled, and just a small subset of them at that. Accordingly, connectivity is usually straightforward, while overall design is geared for simplicity of operation rather than security. As more of these networked appliances and gadgets enter the home, people may be opening up their data, identities and financial assets to attack.

“What makes [theft of data and money] more alarming is that these Internet-enabled gadgets only have a basic IP configuration with few or no security options, making them very vulnerable,” explained Ranieri Romera, senior threat researcher at Trend Micro, in a blog post. “Also, people are unaware of the devices’ vulnerabilities, that they use these devices as they would their computers and put in information that can be considered critical. At this point, we’re talking no longer just the risk of unauthorized access, but information theft as well.”

Indeed, many of tomorrow’s IoE endpoints are, in a technical sense, just smartphones by other names, replete with high-speed connectivity and built-in software updating systems. Tech Insider editor Sam Volkering likened connected cars to “smartphones on wheels,” and similar comparisons can be made for home security cameras and LCD-equipped refrigerators, as demonstrated in the Trend Micro infographic “The Automated Home of Tomorrow: How Vulnerable is it to Cybercrime?” As such, these devices are open to attack, with serious consequences:

  • Hijacked security cameras would let attackers know when someone was out of the house.
  • Compromised cameras, along with smart TVs, could secretly record and post video to the public Internet.
  • A connected car infected with malware would obviously be a safety hazard.

Moreover, there’s the issue of how device manufacturers and Web companies handle the massive amounts of data collected by sensors and endpoints. Writing for Wired, Cade Metz examined the case of Dropcam – recently snatched up by Nest – and argued that by getting into the IoE business, leading technology firms such as Google could turn into honey pots, from which government surveillance and cybercriminals could easily scrape sensitive information.

Securing the automated home with automated security systems
The sophistication of the connected home requires new approaches to cybersecurity. No longer are only a few discrete gadgets – a PC here, a smartphone there – connected to the Internet; instead, wide sections of infrastructure are linked by a common network.

Ensuring that an intruder doesn’t gain control over an in-home camera system or kitchen appliance will likely require measures beyond just installing antivirus software on each endpoint. Trend Micro malware CTO Raimund Genes told ZDNet in 2008 that standalone blacklist-based anti-malware was already nearing end of life on PCs, which he predicted wouldn’t have the space to store the myriad threat signatures that security solutions were routinely identifying during scans. What, then, of tiny CCTV cameras and thermostats?

Fully automated security systems are a good bet for workable IoE security. While DARPA’s competition for a truly human-free solution is still two years away, organizations can already get started with endpoint and network security tools that keep tabs on activity and screen out threats.


How the consumerization of technology impacts data security


Over the past few years, IT teams across nearly every industry have undergone a significant shift. The consumerization of technology is a trend that has deeply impacted how companies deal with their employees’ devices, as well as how they govern these endpoints and their sensitive data. IT consumerization has created several challenges that enterprises must deal with head-on in order to make the most of advanced systems while also ensuring the protection of company-owned information.

What is IT consumerization?
According to a CA Technologies whitepaper, IT consumerization came as the result of several different factors, including the significant uptick in the use of consumer devices for company use. BYOD programs have taken the corporate world by storm, as a rising number of employees bring their personal smartphones, tablets and laptops to work for enterprise purposes.

“[U]sers are now demanding access to corporate information and applications on the devices that they use heavily in their personal life,” the whitepaper stated. “Many IT organizations initially resisted, but soon realized that the trend was inexorable, so they learned to adapt their IT processes to accommodate these new devices.”

Furthermore, the considerable growth of cloud services and social media sites have also impacted businesses. CA Technologies noted that the rise of platforms like Facebook, Twitter and LinkedIn have made it possible for users to share information and better communicate, improving the connection between businesses and their customers.

Benefits of IT consumerization
Leveraging this type of approach comes with its share of benefits, including increased flexibility and productivity among staff members. BYOD initiatives enable workers to utilize devices that they have become familiar with in their personal lives for corporate pursuits as well. Due to this boosted mobility, employees can remain connected with their colleagues and with the information and resources they need to do their jobs from any location – even those outside of the office. In this way, workers have the freedom and flexibility to access mission-critical content from their preferred endpoints, and their company benefits from the resulting rise in production and collaboration. In fact, a recent Forrester study found that 12 percent of organizations saw a rise in productivity levels after deploying a BYOD initiative, Trend Micro reported.

IT consumerization challenges
However, in order to best leverage the IT consumerization trend, there are several challenges that companies must prepare for. TechTarget contributor Lisa Phifer noted that one of the main issues here is that oftentimes the consumer-level devices being utilized by staffers do not include the staunch security requirements needed in a business setting. This can create issues when it comes to current IT policies in place within an organization, as these endpoints may not align with these processes. However, Phifer pointed out that administrators can put extra security measures in place to better protect these devices, or block access to certain resources.

“IT can establish acceptance criteria and embrace personal devices that meet requirements for business use,” Phifer wrote. “Not comfortable with devices running Android 4.1 or older? Block network, system and data access for those devices. Or, better yet, establish a policy that gives higher-risk devices limited access, such as virtualized interaction with corporate email.”

Another challenge to tackle is that of data loss, which can occur when employees’ smartphones or tablets are lost or stolen. A McAfee survey recently found that lost or stolen devices are one of the top concerns business leaders have about IT consumerization, with 58 percent noting worries connected with this issue, according to InfoSecurity.

If a device is misplaced or taken by a malicious individual, it puts company-owned intellectual property at risk. Phifer pointed out, however, that through encryption of sensitive materials and the use of tools like remote device wiping, administrators can effectively mitigate this threat.

Trend Micro also noted that hackers have caught on to the IT consumerization trend, and are leveraging several techniques to steal corporate data through employee devices. One such approach is through phishing emails, which entice users into opening malware-laced messages that can steal information. Furthermore, when staff members use certain consumer websites, it can also put their device at risk of being compromised. Educating employees on these issues can help prevent these threats.

Know what to protect
Overall, companies can be ready for IT consumerization if they plan effectively. Administrators should have a full understanding of the sensitive data their employees store and access on their BYOD-supported devices so that they know what needs to be protected. For example, Trend Micro noted that the additional operating systems on these endpoints, as well as data sharing over applications and cloud systems must be safeguarded.

“Ultimately, you will need to decide how much control you need for your particular environment,” Trend Micro stated. “Regardless of the approach that you take, you can achieve complete end-user protection by gaining visibility across user activities and device usage.”


Career Sites Targeted by Phishing Schemes


Throughout much of the world, finding a job has been a taxing ordeal over the last few years as the effects of the Great Recession have played themselves out in global economies. In addition to a huge supply of applicants chasing a relatively small number of positions, job seekers have also had to deal with the two-edged blade of the Internet. On the one hand, the Internet makes looking for specific openings a much easier process than it was when people had to comb through newspaper classifieds or check local bulletin boards. On the other, online postings can attract a deluge of submissions (all you need is an Internet connection, after all), making it hard to stand out even with a good résumé and cover letter.

To make things even more complicated, general career websites have become natural targets for cyber criminals because they receive so much traffic. For example, CareerBuilder.com is the 364th most popular website in the U.S. (in 1,408th place worldwide) according to Alexa stats as of May 22, 2015, and Monster.com is even higher at 255th (874th globally). Moreover, the sheer amount of correspondence that can come from these types of sites creates a natural opening for phishing campaigns, such as the one that recently involved CareerBuilder.

Why CareerBuilder.com was an ideal setting for a phishing campaign
Career sites will usually email members with information about their profiles and registration, as well as opportunities that may be relevant to any information they have entered into the system. All in all, this can add up to a fairly consistent stream of messages that may all seem routine and unremarkable. Such emails may also come with attachments (e.g., a Microsoft Word Document or a PDF).

All the ingredients are present for an effective phishing attempt:

  • Messages of high importance/urgency, in this case about career prospects.
  • A specific sender that the recipient is looking for (i.e., CareerBuilder) and that can be spoofed.
  • Attachments that could be modified to carry malware that would steal sensitive information.

“[O]ne of the most common phishing lures is done via email,” explained a recent Trend Micro document. “It could take the form of anything that bears urgency or distress. Phishing emails appear to be from a legitimate sender. To make it appear so, cybercriminals use forged logos, signatures, and text and use deceptive subject lines. The messages are attractive and often come with a promise, a prize, or a reward, in exchange for a registration or a login of some sort that gets the user’s information or online credentials.”

This is almost exactly what happened in the CareerBuilder incident revealed in early May 2015. Each time a CareerBuilder.com user would apply to a job opening, the organization that originally posted the position would receive an immediate fake reply with an attached document that was laced with malware. The attack angle was effective in large part because companies were actively expecting to receive attachments such as résumés, cover letters and references from applicants.

Phishing remains a popular tactic because it bypasses many traditional forms of security and goes directly after the end user. For example, many definition-based tools are not well suited to catching something like a malicious Word document that looks innocuous enough not to match any pre-established definition. The first and only layer of defense then becomes the recipient’s discretion in opening an email attachment or clicking a link.
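The two ingredients listed above, a spoofable sender and an attachment that can carry malware, are exactly what a mail gateway or a help desk analyst can check before a recipient ever has to exercise discretion. The following triage script is an added example written for this page, not CareerBuilder’s or Trend Micro’s code; the allow-listed sender domain, the extension lists and the sample messages it builds are constructed assumptions. It flags a header From that does not match the envelope sender or Reply-To, and attachments whose names or content types do not fit a résumé.

```python
"""Triage an inbound 'application' email for the two phishing ingredients the
article lists: a spoofable sender and an attachment that can carry malware.
Example code written for this page; not CareerBuilder's or Trend Micro's tooling.
The allow-listed sender domain and the extension lists are assumptions."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumption: the only domain the job board is expected to send from.
EXPECTED_SENDER_DOMAINS = {"careerbuilder.com"}
# Executable or macro-bearing types that should never arrive as a "resume".
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd",
                    ".ps1", ".hta", ".lnk", ".docm", ".xlsm", ".pptm"}
# Document types a recruiter legitimately expects.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Parse a raw message and return the reasons, if any, to hold it for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    reply_domain = _domain(msg.get("Reply-To"))
    if from_domain not in EXPECTED_SENDER_DOMAINS:
        findings.append(f"From domain {from_domain!r} is not an expected sender")
    # A header From that matches but an envelope sender that does not is the classic spoof.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"Return-Path domain {envelope_domain!r} differs from From")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From")

    risky = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            risky.append((name, f"risky extension {ext}"))
        # resume.pdf.exe: a document extension hiding in front of the real one.
        if len(pieces) > 2 and "." + pieces[-2] in DOCUMENT_EXTENSIONS:
            risky.append((name, "double extension"))
        if ext in DOCUMENT_EXTENSIONS and part.get_content_type() == "application/octet-stream":
            risky.append((name, "document name with generic binary content type"))
    findings.extend(f"attachment {name}: {why}" for name, why in risky)

    return {"from_domain": from_domain, "findings": findings,
            "risky_attachments": risky, "hold_for_review": bool(findings)}


def build_sample(malicious: bool) -> bytes:
    """Constructed sample messages: a forged 'application received' reply with a
    disguised executable, or a clean one carrying a real PDF."""
    m = EmailMessage()
    m["From"] = "CareerBuilder <jobs@careerbuilder.com>"
    m["To"] = "hr@example.test"
    m["Subject"] = "Application received: Senior Engineer"
    if malicious:
        m["Return-Path"] = "<bounce@mail-lookalike.test>"
        m["Reply-To"] = "recruiting@mail-lookalike.test"
    else:
        m["Return-Path"] = "<bounce@careerbuilder.com>"
    m.set_content("Please find the applicant's resume attached.")
    if malicious:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="resume.pdf.exe")
    else:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="resume.pdf")
    return bytes(m)


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample(flag)))
```

Header checks of this kind complement, rather than replace, SPF, DKIM and DMARC evaluation at the gateway: they catch the cases the article describes, where the visible sender is right but the envelope or the attachment is not.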

What happens when a phishing attack succeeds?
The high-profile incident with CareerBuilder is apparently already being addressed. Still, the success of the phishing tactic in this case is a good opportunity to think about what happens after someone falls for a compromised attachment or malicious link.

Back in 2012, Trend Micro estimated that spear-phishing was involved in more than 90 percent of advanced persistent threats. Along similar lines, the security researchers who uncovered what happened to CareerBuilder highlighted how the infection of a single machine by something like a malware-laced attachment could lead to broader surveillance of an enterprise’s network.

These types of APTs are low and slow and could go on for weeks, months or even years. They are beyond the reach of typical antivirus tools and may only be discoverable through network security tools that closely monitor traffic patterns. Basically, an organization has to know what constitutes “normal” before it can determine what is abnormal with regard to network activity.

Similarly, extensive training may be required to help everyone in the organization recognize unusual attributes of emails and documents. It’s important to remember that spear-phishing has become a leading concern for enterprises because, simply put, it works. Going after a specific target and taking as many measures as possible to play to their background, habits and sensibilities is much more effective than the types of massive spam campaigns that many individuals have learned to tune out.

Speaking at a conference at the University of Texas Center of Identity earlier this year, legendary fraudster turned cyber security expert Frank Abagnale pointed to the growing sophistication of phishing attacks. Whereas targets once dealt with implausible “Nigerian prince” scams built around dividing up millions of fictional dollars, now they are confronted with much more subtle and believable missives.

What to look out for if you think you are being phished
What happened with CareerBuilder is just one possible form this could take. There’s also the possibility of a message purporting to be from a government agency, saying that the recipient must reply immediately or face the prospect of a court hearing and/or jail time. Or, the phishing attempt could be disguised as an “account status” update from a major Web company like Facebook or Google, telling the recipient that they just need to confirm a specific detail about an account.

Fortunately, some of these messages, like a spate of ones claiming to be from PayPal, are caught by spam filters in services like Gmail. In other cases, like with what transpired with some businesses posting jobs to CareerBuilder.com, malicious correspondence is not automatically filtered and must be assessed by the actual recipient.

How can enterprise CIOs and their teams reduce the risk of a successful phishing campaign? A good starting point would be to review what types of information they make available online. The abundance of publicly accessible email addresses, logos and similar material provides would-be attackers with plenty of resources for imitating the look and feel of official messages, as well as for selecting vulnerable targets.

A 2012 Trend Micro white paper determined that half of the email addresses targeted by spear-phishing could be found via Google searches, and that many of the rest could be guessed by combining some form of first and last name with the company’s domain. Keeping closer control over email information may be effective for reducing exposure to phishing.

Network security tools should also be implemented alongside traditional measures like antivirus. Security teams need solutions that can evaluate patterns against baseline activity and catch APTs before they do significant harm to an organization by stealing large amounts of data. What happened to CareerBuilder should be a lesson in how phishing has become more creative, requiring smart policies and capable tools for defense.

The post Career Sites Targeted by Phishing Schemes appeared first on .

Have you been the victim of an APT?: Identifying and protecting against an attack


Many company administrators and IT leaders believe that their enterprise’s security system is infallible, and will be able to detect any threat that comes their way. While many businesses have multi-layered, advanced protection technology in place, when it comes to an infection or cyber attack, the rule of thumb is to never say never.

Different organizations are attractive targets for cybercriminals for a variety of different reasons: the information they store is valuable, they are being used as a middle point to attack another group, hackers are simply attempting to siphon funds, the list goes on. But imagine if a black hat was able to slip into an enterprise network undetected and remain there for a considerable amount of time. Just consider the damage that could be done and the information compromised, all while the business carries on as usual without recognizing the threat.

When a company has been the victim of an advanced persistent threat, this is exactly what takes place. Oftentimes, even the most extensive security systems are unable to identify and alert key employees to the presence of an APT. Therefore, IT administrators and engineers must understand what to look for in order to effectively recognize the launch of an APT, or an existing one within the network. With this knowledge, the enterprise is better prepared to deal with an attack when and if one takes place, and prevent them in the future.

Who is a target for an APT?
The first step in prevention is to understand what puts a specific organization at risk for an APT attack. According to Security Magazine contributor Trevor Kennedy, some industries have historically been the focus for APT intrusions, including government groups, oil and energy companies, broadcasters or those in the power generation sector. This, however, does not mean that businesses outside of these industries are safe.

Kennedy noted that there are several situations in which a company could be targeted for an APT attack, including when they are a third-party provider for another, higher-profile organization. Oftentimes, hackers will leverage external third parties as a stepping stone to reach the target organization. For example, in the well-known Target breach, cybercriminals first targeted the HVAC company the retailer had contracted, infiltrating this provider to gain the credentials and information needed to attack the retail chain.

How can I tell if an APT attack has taken place?
It is imperative that key IT staff know what types of activity can signal the presence of an APT within the network. By identifying the first signs of an intrusion, the IT team can work to respond to the threat and mitigate its damages.

InfoWorld contributor and security adviser Roger Grimes noted that there are a few main signs IT leaders can look for to determine if they’ve been hit with an APT.

“Because APT hackers use different techniques from ordinary hackers, they leave behind different signs,” Grimes wrote.

These signs include:

  1. An increase in log-ons from accounts with higher privileges late at night: Grimes noted that oftentimes, APT attackers will breach an authentication database and target the credentials with the highest permissions. An increase in these log-ins long after the business has closed for the day can signal the presence of an APT hacker.
  2. Backdoor Trojans: Hackers leveraging APTs tend to deploy backdoor Trojans to ensure that even if the credentials they’ve stolen are changed, they can always get back into the network if they choose. The presence of widespread backdoor Trojan programs is one of the leading signs of APT infection.
  3. Suspicious information flows: Grimes noted that one of the best ways to identify an APT is to check for large, unexpected information flows from internal network points to other internal or external machines. In order to best recognize these information flows, the IT team must have a deep understanding of the network’s typical information flows so they can spot the differences.
  4. Unexpected data bundles: Similar to information flows, atypical data bundles can also signal an APT attack.
    “Look for large (we’re talking gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archived formats not normally used by your company,” Grimes advised.
  5. Pass-the-hash hacking tools: Grimes noted that while not all APTs use pass-the-hash hacking tools, they crop up fairly often. Additionally, many hackers forget to delete these tools, so their presence in the network is some of the surest, most concrete evidence of an attack.
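Signs 1, 3 and 4 in the list above are the ones a security team can turn into detection logic once it has the baseline Grimes keeps coming back to. The script below is an added example written for this page, not Grimes’s or Trend Micro’s tooling: it runs over constructed authentication and flow log samples (the log format, the business hours and the alert threshold are all assumptions) and reports privileged logons outside business hours and any host whose daily outbound volume dwarfs its own history.

```python
"""Hunt for two of the APT signs listed above in constructed log samples:
after-hours logons by privileged accounts, and outbound data volumes far above
a host's own baseline. Example code written for this page, not Grimes's or
Trend Micro's tooling; the log format, hours and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Assumed local business hours: logons outside 07:00-19:59 count as after-hours.
BUSINESS_HOURS = range(7, 20)
# Assumed privilege tiers that deserve extra scrutiny.
PRIVILEGED = {"admin", "domain_admin"}

# Constructed authentication events: ISO timestamp followed by key=value pairs.
AUTH_LOG = """\
2015-06-16T09:12:44 event=logon user=alice priv=user src=10.0.1.12
2015-06-16T14:03:10 event=logon user=bob priv=admin src=10.0.1.20
2015-06-17T02:41:07 event=logon user=bob priv=admin src=10.0.5.9
2015-06-17T03:05:52 event=logon user=svc_backup priv=domain_admin src=10.0.5.9
2015-06-17T03:06:20 event=logoff user=svc_backup priv=domain_admin src=10.0.5.9
"""

# Constructed flow summaries: bytes sent by an internal host to a destination.
FLOW_LOG = """\
2015-06-15T10:00:00 src=10.0.1.12 dst=203.0.113.10 bytes=40000000
2015-06-16T10:30:00 src=10.0.1.12 dst=203.0.113.10 bytes=42000000
2015-06-17T11:00:00 src=10.0.1.12 dst=203.0.113.10 bytes=38000000
2015-06-15T09:10:00 src=10.0.5.9 dst=203.0.113.44 bytes=30000000
2015-06-16T09:15:00 src=10.0.5.9 dst=203.0.113.44 bytes=35000000
2015-06-17T03:20:00 src=10.0.5.9 dst=198.51.100.7 bytes=4200000000
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str) -> list:
    """Turn each non-empty line into a dict with a parsed 'ts' datetime."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def after_hours_privileged_logons(log: str) -> list:
    """Sign 1: privileged logons while the business is closed."""
    hits = []
    for rec in parse(log):
        if rec.get("event") != "logon" or rec.get("priv") not in PRIVILEGED:
            continue
        if rec["ts"].hour not in BUSINESS_HOURS:
            hits.append((rec["user"], rec["ts"].isoformat()))
    return hits


def abnormal_outbound_volume(log: str, factor: float = 10.0) -> list:
    """Signs 3 and 4: a host's daily outbound bytes exceeding `factor` times its
    baseline, where the baseline is the mean of that host's other observed days."""
    daily = defaultdict(lambda: defaultdict(int))  # src -> date -> bytes
    for rec in parse(log):
        daily[rec["src"]][rec["ts"].date()] += int(rec["bytes"])
    alerts = []
    for src, days in daily.items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue  # one day of data gives no baseline to compare against
            if total > factor * mean(others):
                alerts.append((src, day.isoformat(), total))
    return alerts


if __name__ == "__main__":
    for user, when in after_hours_privileged_logons(AUTH_LOG):
        print(f"after-hours privileged logon: {user} at {when}")
    for src, day, total in abnormal_outbound_volume(FLOW_LOG):
        print(f"abnormal outbound volume: {src} sent {total:,} bytes on {day}")
```

In the sample, the same host that shows the late-night admin logons is the one that pushes gigabytes out the next morning; correlating the two kinds of alert by source address is what turns two weak signals into the “low and slow” pattern the article describes.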

Understanding current threats: Knowledge is power
Overall, one of the best ways to identify and help prevent an APT intrusion is with knowledge about current threats and a full understanding of regular activity taking place in the network. When the IT team has a baseline of network occurrences and can efficiently identify activity that is suspicious or out of the ordinary, they can work quickly to adapt protection and prevent further intrusion.

In addition, knowledge of the latest threats currently being used by hackers can bolster these prevention efforts. Grimes noted that not all APTs will have the same symptoms, so knowing what the latest threat looks like and how it will act within the network is one of the best ways to recognize and stop an attack in its tracks.



Popular media depictions of hacker culture: Varying degrees of accuracy

Hacking culture is finding its way to small and big screens.

There’s perhaps no better indication that a particular topic or pursuit has gained cultural importance than when a movie or TV show is made about it. When popular media grabs hold of an idea, it gives that idea a mainstream audience – and with that audience comes credibility. Case in point: In the 1970s, there was an Italian clothing brand whose leaders were attempting to put it on the map. The craftsmanship behind the brand was great – as was its pristine tailoring – but it still hadn’t found the mass audience that its quality of craftsmanship deserved. But that changed in 1980, when writer/director Paul Schrader put the then-pinup icon actor Richard Gere in a series of suits by the designer. The film was American Gigolo, and the designer was Giorgio Armani. For Armani, having his brand-name suits up on the screen brought him a legitimacy that arguably no other form of marketing could. To occupy popular media is what helped lend Armani the credibility it enjoys today.

There’s nothing contradictory about the concept: Popular media makes things popular. And it’s not just decorative things either. For all the Armani suits and “Rachel” haircuts that TV brought to the foreground, mainstream media has also lent visibility to big industries and practices that might otherwise go unnoticed by most people. In 1987, for example, Oliver Stone turned his skeptical cinematic eye to “Wall Street,” in a film that skewered the world of finance. For a generation of young people, it was largely that movie – and not Wall Street itself – that informed their ideas about how the American financial machine churned. As The Financial Times pointed out, the film “Wall Street” changed the actual street, and arguably helped usher in an era of greater greed and ruthlessness, as up-and-coming brokers styled themselves after the film’s antagonist, Gordon Gekko.

What the “Wall Street” example illustrates is that popular media has the potential not only to call attention to facets of contemporary life that might otherwise fly under the radar, but also has the significant ability to influence belief. When people see something on screen, they’re likely to romanticize it – whether that was the creator’s intention or not. These days, there’s a new television and cinematic trend emerging that aims to illuminate and characterize a very specific culture: that of the computer hacker. While visual media has dealt with hackers in the past – the 1983 movie “WarGames” and the 1995 film “Hackers” come to mind – the examples are few and far between. Now, however, the hacker drama is emerging as a popular subcategory in its own right. But the growing popularity of cyber crime-based entertainment prompts an important question: Is popular media getting it right? To answer that question, let’s examine the most popular offerings in the hacker subgenre, focusing on plausibility and potential influence (Note: The following entries contain minor spoilers for the television shows and films discussed):

“Mr. Robot”
What is it: A drama-thriller TV series on USA Network
Plot overview: By day, Elliot Alderson works as a cyber security engineer (as an aside, this is an increasingly lucrative job for young people, with an average salary of $84,000 as of June 18, according to Glassdoor). But Alderson isn’t content merely working as another desk-bound techie, so he spends his evenings immersed in the high-stakes, dangerous world of hacker vigilantism. Basically, he uses his hacking prowess to bring down bad guys, and in doing so emerges as a complex hero uniquely crafted for the twenty-first century.
Critical reception: Critical reaction to the series has been almost uniformly positive, and the show is currently enjoying a “Certified Fresh” 97 percent rating on Rotten Tomatoes. As Vanity Fair stated in its rave review, “‘Mr. Robot’ has the makings of the most entertaining watch of the summer.”
Notable scene: The main character, Elliot, talks about the idea that there’s a very small group of individuals – “the top one percent of the top one percent” – who are “secretly running the world.” Their power, as Elliot tells us in a conspiratorial voiceover, is only amplified by the fact that they operate in the shadows, “without permission.” Elliot then reveals in his voiceover that he believes these people are now following him. We then see Elliot, on a subway train, looking at two men who appear to be monitoring him. The scene then cuts to the previous night, when Elliot confronts the owner of a coffee shop, informing him that he’s hacked the network and has discovered that the shop’s owner is involved in highly illegal activity online.
Plausibility: The idea of a covert band of hackers slowly bringing down a massive, faceless enterprise is, well, the stuff of suspenseful TV. But that doesn’t mean it’s outside of the realm of possibility. As show creator Sam Esmail told Fast Company in an interview, he was inspired to create the show by learning firsthand about the psychology of hackers – their general isolation and sense of loneliness, and their desire to connect with the world around them in the only way they know how: via the cyber sphere. In this way, “Mr. Robot” is more of a character study than a commentary on real events. That said, in the same way that he wanted to be true to hacker psychology, Esmail also wanted to be faithful to the process of hacking itself. Therefore, the various hacks that the show depicts are all based on ones that have happened in the real world. In this way, “Mr. Robot” is true to the facts.
Potential influence: As Esmail emphasized, the show isn’t meant to provide a window into the mechanics of cyber crime. Rather, it’s interested in the people who carry it out. Because it’s an in-depth character study, the show – if it succeeds – could influence general viewers to learn more about the particular characteristics of the hacker: What motivates them, what makes them tick. This humanization of hackers – putting a face to an inherently shadowy enterprise – could lead to more widespread awareness about what needs to be done to lessen the flood of cyber crime.

“CSI: Cyber”
What is it: A network TV show on CBS with a 13-episode first season, and the newest franchise installment in the CSI family
Plot overview: A specially designated group of FBI cyber crime fighters work to scour the deep Web in order to bring virtual crime to justice. True to its CSI roots, the show runs like a police procedural, with the team working to solve murders, blackmail and other infractions – with the distinction that there’s a central cyber component to their investigations.
Critical reception: Far from the glowing reviews of “Mr. Robot,” “CSI: Cyber” has received middling critical feedback, and currently sits at a 45 percent rating on Metacritic. In a fairly representative review, Entertainment Weekly’s Joe McGovern stated that, “Watching CSI is like eating Gummi Bears. There’s no nutritional value, but the franchise has created a yummy, empty-calorie world.” But the mixed critical reception didn’t stop the show from being picked up for a second season.
Notable scene: A man hops into a car that’s tied to a fictional ride-sharing app called ZoGo. But for the man, who’s a government contractor with a high security clearance, this is to be no ordinary ride. Rather than get taken to his destination, the man ends up strangled to death by his driver. Dispatched to deal with the case, the cyber team must use their virtual skills to find out why this murder happened.
Plausibility: The show seems intent on tackling hot-button topics (the ZoGo episode debuted weeks after popular ride-sharing service Uber suffered a data breach) in a way that never risks losing the attention of the viewer. Whereas “Mr. Robot” allows its paranoid central character to dictate the narrative, “Cyber” relies on a tight narrative structure that’s crafted for primetime network entertainment value. In this way, its plausibility is limited, since it’s focused more on sustaining an exciting narrative.
Potential influence: That said, the show’s lack of plausibility doesn’t mean it’s without influence. As a primetime TV show about cyber crime fighters, “CSI: Cyber” has the unique distinction of being a show that makes heroes out of those who fight hackers. In the same way that “Law and Order” inspired many young viewers to pursue legal professions, it’s likely that “CSI: Cyber” will get some viewers looking in the direction of a career in cyber security.

“Blackhat”
What is it: A Michael Mann-directed hacker thriller starring Chris Hemsworth
Plot overview: A nuclear power plant in Hong Kong is targeted by a hacker working via a remote access tool. Through this means of intrusion, the attacker is able to cause a major disaster situation at the power plant. This is part of a broader criminal plan orchestrated by an ambitious and highly elusive hacker. In order to bring this cyber criminal to justice, an ex-hacker is brought in to beat him at his own game.
Critical reception: It’s not just that the critical reception was largely negative for this film – it’s that it was an unmitigated box office disaster. When it opened in January, it was immediately clear that the marketing campaign for the film had largely left prospective viewers confused about exactly what kind of movie this was. Was it a cerebral hacker drama? A social political commentary? A breakneck action thriller? In reality, it was a bit of all of these things, but audiences didn’t really find that out, since they didn’t turn up to the theaters. That said, there was some qualified praise for the movie, such as Matt Zoller Seitz of RogerEbert.com who, in his 3.5/4 review for the movie, called it “often ludicrous,” but added, “Slick and sometimes goofy as it is, ‘Blackhat’ is an odd, fascinating movie: a high-tech action thriller about the human condition. I can think of no better current illustration of the notion that, to quote this site’s founder, it’s not what a movie is about, it’s how it’s about it.”
Notable scene: In his hunt for the villainous hacking group, Hemsworth is drawn into a trap. He must therefore fight three people.
Plausibility: As the above notable scene indicates, the adrenaline-charged moments of physical combat in the film were less than believable, given that the warrior instinct with most hackers ends at the keyboard. But requisite Hollywood moments of brawling aside, the film has been lauded for its plausibility by the individuals whose opinion on the issue matters the most: cyber security experts. As Parisa Tabriz, head of Google’s Chrome security team, told WIRED, a scene in “Blackhat” in which a good hacker uses a USB drive to infiltrate a bank’s network is entirely plausible.
“It’s not flashy, but it’s something that real criminals have tried—and highlights the fundamental security problems with foreign USB devices,” Tabriz said. Additionally, the inciting incident behind “Blackhat’s” narrative – a remote attack on a power plant – is something that’s not only possible, but a reality: In December, South Korea experienced a hack of its state-owned Korea Hydro, according to The Wall Street Journal. Korea Hydro encompasses a network of 23 nuclear reactors. In March, investigators in South Korea stated that they believed North Korea was behind the remote intrusion.
Potential influence: While “Blackhat” was a box office bomb, the fact that it was made at all sets an important precedent for hacker-focused movies. Far from being a small film, “Blackhat” was a major motion picture with a top director and an A-list star. Its failure at the box office, therefore, may deter others from making similar films, but it may also influence filmmakers to look for different and better ways to market a cyber-based thriller, which could lead to more successful films.

These three popular media depictions of the cyber criminal sphere are only early entries in what will likely become an increasingly popular subgenre. Given the influence TV and film have in shaping public sentiment, it will be interesting to see how media representations of hackers evolve – and if this changes the practice of hacking itself.


The BEC List: Helping Thwart Business Email Compromise through Collaboration


Today, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) gave the JD Falk Award to the Business Email Compromise (BEC) List.

The BEC List comprises cybersecurity firms, researchers and internet infrastructure companies that help deal with cybercriminal activities and schemes. The JD Falk Award is given to individuals or groups whose meritorious work has helped protect online users and organizations.

We commend the organizations, along with the threat and security researchers and analysts who were an instrumental part of the BEC List. Trend Micro is proud to be part of it as one of the first members at its inception in 2015. Our extensive research on BEC — from keyloggers such as Predator Pain, Limitless, and Hawkeye to the various email and social engineering tricks used in BEC — is a reflection of our commitment to making the world safe for the exchange of digital information.

Why tackle BEC?

Online scams are a recurring pain point for users and enterprises. BEC fraud in particular has accounted for over $12.5 billion in global losses since 2013, according to the FBI. Its operators use malware — many of which are bought in underground marketplaces — social engineering, or a combination of both to access and hijack systems or trick victims into wiring money into an account the cybercriminal controls. Our further research into BEC also revealed a steady increase in BEC-related attempts.
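The CEO-fraud variant that dominates the BEC samples described here relies on three things a mail filter can test for: an executive’s name on a message that does not come from the executive’s real address, a sending domain that only resembles the company’s own, and language pressing for a payment. The scorer below is an added example written for this page, not the BEC List’s or Trend Micro’s tooling; the corporate domain, the executive roster, the keyword list and the two sample messages are constructed assumptions.

```python
"""Score an inbound message for the CEO-fraud pattern described above: someone
posing as an executive and pushing for a payment. Example code written for this
page, not the BEC List's or Trend Micro's tooling; the corporate domain,
executive roster and keyword list are assumptions."""
import email.utils

CORPORATE_DOMAIN = "example.test"          # assumed company domain
EXECUTIVES = {                              # assumed roster: display name -> real address
    "jane doe": "jane.doe@example.test",
    "raj patel": "raj.patel@example.test",
}
PAYMENT_TERMS = ("wire", "transfer", "urgent", "confidential",
                 "invoice", "payment", "bank account")

# Constructed samples: (From header, Subject, body)
FRAUD_SAMPLE = (
    "Jane Doe <jane.doe@examp1e.test>",
    "Urgent wire transfer",
    "Please process a confidential payment to the vendor's new bank account before noon.",
)
LEGIT_SAMPLE = (
    "Jane Doe <jane.doe@example.test>",
    "Q3 planning",
    "Let's meet on Thursday to review the roadmap.",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains such as examp1e.test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, reference: str = CORPORATE_DOMAIN, max_distance: int = 2) -> bool:
    """True when the domain is not the company's but is within a few edits of it."""
    return domain != reference and levenshtein(domain, reference) <= max_distance


def score_message(from_header: str, subject: str, body: str) -> dict:
    """Return the reasons a message looks like CEO fraud and whether to hold it."""
    display, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []
    # Display-name impersonation: the name is an executive's, the address is not.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name {display!r} used with {addr}, expected {expected}")
    if is_lookalike(domain):
        reasons.append(f"lookalike domain {domain}")
    text = f"{subject} {body}".lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    if len(hits) >= 2:
        reasons.append("payment pressure language: " + ", ".join(hits))
    return {"score": len(reasons), "reasons": reasons, "hold_for_review": len(reasons) >= 2}


if __name__ == "__main__":
    for sample in (FRAUD_SAMPLE, LEGIT_SAMPLE):
        print(score_message(*sample))
```

Holding a message on two independent reasons, rather than on keywords alone, keeps a genuine executive’s note about an invoice from being quarantined while still stopping the lookalike-domain case; in practice the roster would come from the directory and the domain list would include the company’s registered lookalikes.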

Figure 1: Half-year comparison of recorded BEC attempts

Note: Data refers to the number of BEC attempts seen, which does not indicate whether the attacks were successful. BEC samples consist mainly of CEO fraud (attackers posing as CEO/executive).
Figure 2: Malware samples used in BEC attacks from January 2017 to September 2017 based on VirusTotal samples

The number of perpetrators and the scope of their crime require a combined effort between individuals and organizations across the cybersecurity community to help thwart threats like BEC.

Previous recipients of the JD Falk Award were involved in various takedowns that required significant coordination and knowledge sharing, such as the Avalanche takedown in December 2016 and the DNS Changer Working Group in November 2011.

We are honored to be recognized by the M3AAWG with this award. Our efforts to stop cybercriminals from successful BEC attacks – and all cybercrime – will continue.





