Monthly Archives: March 2017

Trump Extends Obama’s EO for Sanctioning Hackers


EO ultimately led to sanctions against Russia for hacking and other attempts to tamper with the outcome of the US election.

President Donald J. Trump has quietly extended for one year the “national emergency” executive order issued by his predecessor Barack Obama that ultimately led to the sanctions and retaliatory measures taken by the Obama administration against Russian officials for that nation’s role in hacking activities targeting the US election.

Trump’s extension of Obama’s EO 13694 comes at a highly sensitive time for the administration, as the FBI and both arms of Congress are conducting separate investigations on Russia’s interference in the 2016 US presidential election as well as any possible links to the Trump team.

President Trump wrote in the filing this week:

“These significant malicious cyber-enabled activities continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. For this reason, the national emergency declared on April 1, 2015, must continue in effect beyond April 1, 2017. Therefore, in accordance with section 202(d) of the National Emergencies Act (50 U.S.C. 1622(d)), I am continuing for 1 year the national emergency declared in Executive Order 13694.”

The official filing is here in the Federal Register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


from Dark Reading – All Stories http://ubm.io/2oj6gXY
via IFTTT

‘Sundown’ Rises as New Threat in Depleted Exploit Kit Landscape


New exploits and obfuscation tactics have made once second-tier EK a potent threat, researchers from Cisco Talos say.

Attacks involving the use of exploit kits dropped off dramatically and have remained low ever since Russian authorities arrested over four-dozen individuals believed to be associated with the Angler EK last year. But a few kits remain active and continue to pose a threat to users.

One of them is Sundown, an exploit kit that many considered relatively unsophisticated a few months ago but has gradually evolved into a substantial threat.

Researchers from Cisco’s Talos who have been tracking the kit this week described Sundown as having matured into a major player within the exploit landscape since they last saw it.

“Many of the ‘calling cards’ that have historically been associated with Sundown have been removed, possibly indicating that the threat actors are making an attempt to make it more difficult to identify as Sundown,” says Talos threat researcher Edmund Brumaghin. “Sundown is now one of the most heavily leveraged exploit kits since the disappearance of several larger exploit kits.”

Many of the exploit kit’s original identifiers have been stripped, making it harder to spot. For instance, previous versions of the EK used to contain multiple references to the Yugoslavian Business Network, making it easily identifiable. Those references are now missing. Missing too in new versions of Sundown are the numeric subfolders and numeric file names and proper extensions that were the markers of the old EK.

Several new exploits have been added to Sundown, while some, like those targeting vulnerabilities in the Silverlight browser plugin, have been dropped. Among the new exploits is one that is based on a publicly available proof of concept targeting a recently disclosed vulnerability in the Microsoft Edge browser. Sundown is one of the few EKs in the world that have added new exploits in recent months, according to Talos.

Sundown also appears to have adopted a new approach to compromising systems. Unlike other kits that use just a single exploit to try and compromise a system, Sundown deploys its entire collection of malware tools against a potential victim. The approach, while noisy, appears designed to give the EK the best chance of breaking into a system, Talos said in the alert.

Sundown has changed in other ways as well. Previously for instance, the exploit kit would retrieve its payload via the web browser. The current version of Sundown retrieves the payload via the command line and the use of a Windows service for executing VBScript files.

The approach is similar to, and indeed appears borrowed from, the one used by another malware kit—RIG-v—to retrieve its payload. Sundown’s payloads now reside on a different server from the one it uses to host its landing page and exploit pages. “The use of different servers for hosting exploit payloads indicates that the actors behind Sundown may be experimenting with more complex infrastructure design for the exploit kit,” Brumaghin says.

One of the most significant changes to the Sundown EK campaign is the use of domain resellers to collect domains for hosting Sundown activity. The authors of the kit appear to be buying legitimately registered domains in bulk from resellers in an apparent bid to avoid blacklists and other filters. In many cases, the authors of Sundown are looking for domains that have been registered for at least one week to avoid filters that block domains that have just been registered.

“Several of the largest, most heavily leveraged Exploit Kits [such as] Angler, Neutrino, Nuclear, have largely disappeared from the threat landscape,” Brumaghin says. “Sundown has remained operational and this increased development and maturation may be indicative of their desire to fill the void left behind by the other larger exploit kits that have stopped operations.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


from Dark Reading – All Stories http://ubm.io/2nrXGlY
via IFTTT

US Border Policy Shifts May Drive Changes in Laptop Security


In-cabin laptop ban and requirements to unlock devices for border patrol could have enterprises revisiting their on-device data policies.

The new travel ban enacted by the U.S. Department of Homeland Security for laptops in the cabin of flights from certain countries may have corporate risk managers revisiting policies about how road warriors handle data on laptops and mobile devices.

Enterprise employees may find that government actions won’t just put a crimp on convenience but could also have heavy implications – from a regulatory and intellectual property protection perspective – when combined with growing powers of US Border Control to demand travelers unlock their devices for inspection. As things develop, large organizations doing international business may be facing a new minefield when it comes to device-based data portability in and out of U.S. soil.

At the bare minimum, experts believe this latest decree by the feds will bolster resolve for existing policies on endpoint security as worries about devices disappearing from checked luggage grows.

“It’s going to force people to actually implement and enforce the policies they have on paper,” says George Wrenn, CEO and founder of CyberSaint Security, and a research affiliate at MIT’s (IC3) Critical Infrastructure Protection Program. He explains that most large organizations already have policies on device encryption, authentication and data storage to plan for loss or theft. “They’re just not enforced,” he says, “because people will carry their laptops and they’re considered to be using other compensatory strategies to prevent the loss of intellectual property and data.”

The question now becomes how to effectively enforce policies that have long been ignored, says Jonathan Gossels, president and CEO of SystemExperts.

“This is not rocket science. We are talking whole disk encryption, good quality passwords or two factor authentication, and key management,” he says. “Blocking and tackling, but it has to be enforced by each company to be effective.”

Nevertheless, even with the basic blocking and tackling in place, many organizations may still be squirrely about laptops with corporate secrets or customer data sets being parted from their caretakers into aircraft holds.

“Most organizations won’t feel comfortable with employees packing away their company-owned laptops and other IT equipment into their luggage, even if they are properly secured with encryption and passwords,” says Richard Stiennon, Chief Strategy Officer of Blancco Technology Group. “So, I imagine that employees traveling to the countries included in this ban will likely be asked by their employers to not carry these devices with them. If they have to, they will likely be told to remove all non-essential data before they check in their IT assets in their baggage.”

In some instances, simply leaving a corporate laptop unattended may already be against company policy. For example, warns Eric O’Neill, military contractors likely wouldn’t be able to bring their laptops on affected legs.

“When traveling internationally, the rule of thumb is to keep all critical devices on your person – especially phones, laptops and tablets that have important information on them, or access to important or sensitive information,” he says.

The travel ban is just one part of the equation. Even more troubling are the inspection rights that border patrol have increasingly been asserting with regard to devices, even those locked by their possessors.

“The long-term substantial impact is that key information may be exposed, unpredictably, and for no substantive reason, to inspectors who have no right to that access,” says Mark Graff, CEO of Tellagraff and former CISO for Nasdaq. “This development may well open these companies to litigation exposure for any inadvertent violation of data security regulations. It is only a matter of time before companies fined for violating federal standards take the federal government to court for forcing that violation with the new order inspection practices.”

Both the laptop ban and the requirement of unlocking devices for inspectors throw up data confidentiality and integrity issues, explains Phillip Hallam-Baker, vice president and principal scientist at Comodo. However, the latter is a lot more difficult because there are few compensating controls.

“The laptop ban only affects a small number at present. Laptop searches by border protection are a much broader concern,” Hallam-Baker says. “Currently, the main confidentiality control available is full disk encryption, though this does not help if a user can be ordered to unlock the device. And there is a real possibility other governments will follow suit. Whether the U.S. government could be trusted not to abuse data obtained in this manner is irrelevant if your laptop is being searched in Russia.”

Many experts believe that this confluence of issues should be enough to convince organizations to update their policies and advise frequently traveling employees of the risks. Christopher Ensey, COO of Dunbar Security Solutions, urges extreme caution in transporting any data at all on laptops, mobile phones or portable media over any border these days.

“The restrictions on what is allowed for inspection and seizure have become nearly impossible to track. The best practice is to take a vanilla device with you that can only connect to sensitive information via secure tunnels and strong authentication,” he says. “Latency in faraway lands can be an issue, and frankly the experience isn’t all it’s cracked up to be for the end user. This is, however, the best way to ensure that data isn’t going to be leaked all over the place when crossing a border.”

Employees will lose the ability to access and work on information without internet access, but Morey Haber, vice president of technology for BeyondTrust, believes that this is the best policy for all organizations to adopt. He says that users and admins need to be mindful of managing connection configurations and security after an interaction at the border to be sure to keep the set-up fully secure.

“Whether the mobile device uses VPN or accesses the cloud to retrieve the data, being online to retrieve it and not store it locally, is critical to mitigating these risks introduced by the US government,” he says. “In addition, if the device is accessed or copied, organizations need a prompt method to change VPN keys and passwords on those devices to mitigate the image compromised being leveraged against them as well.”

Experts say that many organizations may already have variations of this policy for travel to certain parts of the world. Wrenn explains that the ‘shaking’ of devices by shady authorities is a well-known practice.

“Companies should already be anticipating these scenarios,” he says. “So I think there just may be a need to edit policies to make sure this new use case (at the U.S. border) is factored in.”

Stiennon agrees.

“It has long been a best practice when heading to hostile environments to issue clean devices to traveling employees,” he says, explaining that organizations typically overwrite memory and load machines with fresh images both before and after travel to certain parts of the world. “Look for this practice to become more common and even for special device services to be built around this new need.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.


from Dark Reading – All Stories http://ubm.io/2ojRGjg
via IFTTT

News in brief: jets in near miss with drones; Germany plans cyber-command; adult sites move to HTTPS

Your daily round-up of some of the other stories in the news

Two jets in close shaves with drones

Two commercial jets using London’s Heathrow airport had close shaves with drones, aviation authorities reported on Friday. In its monthly “airprox” report for February, the CAA and MAA said that in the first incident, a drone flew within 20 metres of an Airbus A320 in October last year, while in the second case, also involving an A320, the pilot saw a drone about 50 metres away from his right wing at about 1,000 metres.

Investigators said that in one of the “Category A” incidents, “a collision had only been narrowly avoided”. These incidents bring the number of reported incidents during the past 12 months up to 59, all of which are recorded on an interactive map.

Lawmakers are pondering making the registration of new drones compulsory, while large drones are banned from flying above 121 metres or near airports and airfields.

Germany to launch military cyber-command

With cyber-attacks on nations’ military forces on the rise, Germany will become the latest country to launch a cyber-command next week as it aims to boost its online defences against attacks, Reuters reported.

The defence ministry said some 284,000 attacks against its military had been recorded in just the first nine weeks of 2017, while NATO said that it had seen a five-fold increase in “suspicious events” in the past three years.

The cyber-command, which will be based in Bonn, the former capital of what was then West Germany, will have an equal status to that of the army, navy and air force, and will start off with 260 staff. That’s set to grow to 13,500 by July.

Lieutenant General Ludwig Leinhos, the commander of the unit, said that the unit would both protect the military’s IT infrastructure and develop and war-game offensive tactics: “In order to be able to defend yourself, you have to know the options for attack.”

Adult tube sites switch to HTTPS

If you prefer your entertainment to be of the NSFW and adult kind and are also keen on browsing securely, you’ll be pleased to hear that two of the big porn web clip sites, PornHub and sister site YouPorn, are switching to HTTPS by default: PornHub switched on Thursday and YouPorn will follow suit on April 4.

As The Verge notes, these two sites were two of the 11 adult websites listed on Google’s 100 most visited sites: as of April 4, when these two have made the switch, only five of those will be encrypted.

Shifting to HTTPS means that while ISPs will know you’re browsing an adult site, they won’t be able to see what you were browsing, which should reassure US web users who were dismayed at the move by Congress to downgrade their privacy.

from Naked Security – Sophos http://bit.ly/2oHvjAz
via IFTTT

Customized Malware: Confronting an Invisible Threat


Hackers are gaining entry to networks through a targeted approach. It takes a rigorous defense to keep them out.

How secure is your network from unauthorized access?

Before you launch into a practiced response regarding your best-in-class firewall and robust antivirus software, you should know that the rapidly evolving malware landscape has rendered these technologies increasingly ineffective. Prolific, adaptable hackers are deploying customized malware to compromise networks throughout the financial services, healthcare, technology, and government sectors. However, it is possible to mitigate the risk.

What Is Customized Malware?
Customized malware is malicious software that has been modified to evade detection by traditional security technologies. Customized malware comes in many forms, including ransomware. The most common delivery method is through inbound email, by a phishing or spearphishing attack. Because traditional antivirus products provide signature-based detection, only malware variants whose algorithms have already been identified are successfully quarantined. Therefore, the modified variants escape detection at an alarming rate.

Whenever a new malware variant is identified, a “patch” that addresses this specific threat is created, distributed, and installed. In an enterprise environment, conscientious security administrators ensure that all new patches are installed as soon as possible. Unfortunately, the period that elapses between identification and analysis of a new variant and then the distribution of an update is 30 to 90 days. In the interim, organizations are significantly exposed to the risk of a customized malware attack.

Although these undetectable threats have existed for several years, the widely publicized attack on Target provided an unprecedented glimpse of how customized malware is used. In that breach, the malware installed within the company’s network permitted a group of hackers, based in Eastern Europe, to perform extensive system reconnaissance and, ultimately, steal over 40 million credit and debit card numbers without ever being internally detected.

Shortly after the attack on Target, the United States Secret Service initiated an investigation and engaged iSIGHT Partners to assist in the forensic review. In January 2014, iSIGHT issued a report entitled “KAPTOXA Point of Sale Compromise.” The KAPTOXA report revealed that the malware variant used to attack Target had a 0% detection rate. Simply put, the malware was customized to be completely invisible.

Mitigation Approach
The evasive nature of customized malware requires the implementation of a multilayered approach to data protection and network security. Given that antivirus products have become increasingly ineffective in preventing these attacks, enterprises can’t rely solely on security technologies. An approach that combines employee education, threat containment, and network monitoring will reduce the risk of a customized malware penetration.

Education: Given that phishing and spearphishing remain the most prevalent delivery methods for initiating a customized malware campaign, it’s essential that enterprises provide all users with clear, practical guidance on how to identify and guard against this tactic. Management must recognize that all users, whether employees, contractors, or interns, are conduits for a malware exploit through a continuous barrage of “social engineering” overtures. Therefore, the most proactive method of preventing an attack is through workforce education. The education process begins with the distribution of a clear, current information security policy that provides specific, practical guidance.

The next element of effective cyber education is mandatory employee training. The curriculum must be aligned with the policy and include a discussion of employee responsibility, an explanation of prohibited activities, and a description of the consequences for violators. An ongoing training program is a central element of an organization’s cybersecurity program, without which users will engage in arbitrary and irresponsible behavior when using technology resources.

Containment: Although educating users will reduce an organization’s risk of being compromised by a customized malware attack, it doesn’t eliminate the threat. Through effective network segmentation, intruders may be contained within “segments” that do not house or process confidential information. Network segmentation is the process by which a network is divided into various subnetworks, letting an enterprise restrict segment access to only those with a clear business need. If intruders surreptitiously enter a “flat” network, one that hasn’t been properly segmented, they enjoy lateral movement and may gain access to payment applications, databases storing personal information, or intellectual property. In a properly segmented network, all critical technologies are isolated and the confidential data residing there is protected.

Think of your local bank. When you walk in, your access is restricted to the teller window and perhaps the branch manager’s office. The bank doesn’t permit customers unrestricted access from the lobby to the vault or safe deposit boxes. This is an example of a segmented physical environment, and it is directly analogous to network segmentation.

Monitoring: If implementing an employee awareness program and network segmentation fails to prevent an intrusion, system monitoring allows entities to identify and disrupt malicious activity. Although customized malware is undetectable by conventional firewall and antivirus technologies, the activities initiated by this harmful software are identifiable through network monitoring. For instance, although data-scraping malware may penetrate a retailer’s point-of-sale environment without detection, network monitoring would detect credit card data being exported from the infected terminals to suspicious, external locations.

Network monitoring is the process by which select components, such as customer databases, are continuously analyzed to detect unauthorized access. A variety of automated monitoring solutions provide the capability of generating real-time alerts of potential network threats. Network monitoring administered by properly trained staff gives an enterprise a final layer of protection against unauthorized access.
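The point-of-sale scenario above, turned into a concrete detection: this is an added example, not code from the article or any product it mentions. It assumes a constructed POS segment (10.50.0.0/24), a single allow-listed payment processor (203.0.113.10:443), a byte threshold, and flow records of the shape a NetFlow/IPFIX collector would export; all of those values are illustrative.

```python
"""Flag suspicious egress from a point-of-sale (POS) network segment.

Added example, not code from the original article. Every address, port and
threshold below is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from typing import Iterable

# Constructed policy: where the POS terminals sit and who they may talk to.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_EXTERNAL = {("203.0.113.10", 443)}  # hypothetical payment processor
# RFC 1918 space; anything outside it is treated as external to the enterprise.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# A POS host pushing more than this many bytes to one external peer in the
# window is worth a look even if the peer is allow-listed.
VOLUME_THRESHOLD = 5_000_000

# Constructed sample flows: src, dst, destination port, bytes sent by src.
SAMPLE_FLOWS = [
    {"src": "10.50.0.21", "dst": "203.0.113.10", "dport": 443, "bytes": 18_240},
    {"src": "10.50.0.22", "dst": "10.50.0.1", "dport": 53, "bytes": 512},
    {"src": "10.50.0.23", "dst": "198.51.100.77", "dport": 21, "bytes": 2_300_000},
    {"src": "10.50.0.23", "dst": "198.51.100.77", "dport": 21, "bytes": 3_100_000},
    {"src": "10.10.1.5", "dst": "198.51.100.77", "dport": 443, "bytes": 900},
]


def is_external(addr: str) -> bool:
    """True if addr lies outside the enterprise's internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_suspicious_egress(flows: Iterable[dict]) -> list[dict]:
    """Return findings for POS hosts talking to unexpected external peers.

    Flows are first aggregated per (src, dst, dport) so that a transfer split
    across many short connections is judged by its total. Two rules apply:
      1. POS host -> external peer not in ALLOWED_EXTERNAL.
      2. POS host -> any external peer with total bytes over VOLUME_THRESHOLD.
    """
    totals: dict[tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        if src not in POS_SEGMENT or not is_external(f["dst"]):
            continue  # not POS-originated, or traffic stays internal
        totals[(f["src"], f["dst"], f["dport"])] += f["bytes"]

    findings = []
    for (src, dst, dport), total in sorted(totals.items()):
        reasons = []
        if (dst, dport) not in ALLOWED_EXTERNAL:
            reasons.append("unexpected external destination")
        if total > VOLUME_THRESHOLD:
            reasons.append(f"outbound volume {total} bytes")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_egress(SAMPLE_FLOWS):
        print(hit)
```

In the constructed sample only terminal 10.50.0.23 is flagged: it sends 5.4 MB over FTP to a host that is neither internal nor the payment processor, while the allow-listed processor traffic and the non-POS host pass.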

Customized malware poses an unprecedented risk to virtually all organizations. Organizations that fail to understand the dynamic nature of this situation and adjust their approach accordingly are at imminent risk of a cyberattack and the consequences that accompany these incidents.

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of …


from Dark Reading – All Stories http://ubm.io/2nrdCF6
via IFTTT

Why I Always Tug on the ATM

Once you understand how easy and common it is for thieves to attach “skimming” devices to ATMs and other machines that accept debit and credit cards, it’s difficult not to closely inspect and even tug on the machines before using them. Several readers who are in the habit of doing just that recently shared images of skimmers they discovered after gently pulling on various parts of a cash machine they were about to use.

Viewed from less than two feet away, this ATM looks reasonably safe to use, right?

Although it's difficult to tell from even this close, this ATM's card acceptance slot and cash dispenser are both compromised by skimming devices.


But something fishy comes into view when we change our perspective slightly. Can you spot what doesn’t belong here?

Can you spot what doesn't belong here?


Congratulations if you noticed the tiny pinhole in the upper right corner of the phony black bezel that was affixed over top of the cash dispenser slot. That fake bezel overlay contained a tiny pinhole camera angled toward the PIN pad to record time-stamped videos of people entering their PINs:

A closeup of the tiny pinhole that allows a mini spy camera embedded in the fake cash dispenser bezel to record customers entering their PINs.


How about the card acceptance slot? Looks legit (if a tad shinier than the rest of the ATM), right?

(Image: the card acceptance slot with the fake bezel in place)

What happens if we apply a tiny bit of pressure to the anti-skimming green bezel where customers are expected to insert their ATM cards? Look at that! The cheap plastic bezel that skimmer thieves placed on top of the real card acceptance slot starts to pull away. Also, you can see some homemade electronics that are not very well hidden at the mouth of the bezel.

Notice the left side of this card skimmer overlay starts to pull away from the rest of the facade when squeezed. Also note the presence of a circuit board close to the mouth of the fake bezel.


ATM card skimmers contain tiny bits of electronics that record payment card data from the magnetic stripe on the backs of cards inserted into a hacked ATM. Most commonly (as in this case), a card skimmer is paired with a pinhole spy camera hidden above or beside the PIN pad to record time-stamped video of cardholders entering their PINs. Taken together, the stolen data allows thieves to fabricate new cards and use PINs to withdraw cash from victim accounts.

Card skimmers designed to look like the green anti-skimming devices found on many ATMs are some of the most common cash machine skimming devices in use today, probably because they are relatively cheap to manufacture en masse and there are many fraudsters peddling these in the cybercrime underground.

Typically, the fake anti-skimmer bezels like the one pictured above are made of hard plastic. However, the reader who shared these images said this bezel card skimming device was made of a semi-flexible, vinyl-like plastic material.

“I immediately went in and notified the manager who shut down the machine,” the reader said in an email to KrebsOnSecurity. “All the tellers were busy so he asked me to stand by the ATM and stop people from trying to use it while he called his security team. In the three minutes I was standing there a young woman came up and started to dip her card in the slot even though the screen was black. I stopped her and told her and pointed out what was going on. She was thankful.”

Normally, these bezel skimmers look more like the hard plastic one that came off of this ATM at a 7-Eleven convenience store in Texas in February, after a customer yanked on the ATM’s card acceptance slot:

A skimmer overlay that came off an ATM at a 7-Eleven convenience store in Texas after a curious customer tugged on the card slot.


Many people believe that skimmers are mainly a problem in the United States, where most ATMs still do not require more secure chip-based cards that are far more expensive and difficult for thieves to clone. However, it’s precisely because most U.S. ATMs lack this security requirement that skimming remains so prevalent in Europe.

Mainly for reasons of backward compatibility to accommodate American tourists, many European ATMs allow non-chip-based cards to be inserted into the cash machine. What’s more, many chip-based cards issued by American and European banks alike still have cardholder data encoded on a magnetic stripe in addition to the chip.

When thieves skim ATMs in Europe, they generally sell the stolen card and PIN data to fraudsters on the other side of the pond. Those fraudsters in turn will encode the card data onto counterfeit cards and withdraw cash at ATMs here in the United States.

Interestingly, even after most U.S. banks put in place chip-capable ATMs, the magnetic stripe will still be needed because it’s an integral part of the way ATMs work: Most ATMs in use today require a magnetic stripe for the card to be accepted into the machine. The main reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time.

Below is part of a skimming device that a reader recently pulled off of a compromised ATM in Dusseldorf, Germany. This component actually cracked off of the hard plastic fake anti-skimming bezel that was placed by a fraudster over top of the card acceptance device of an NCR cash machine there.

(Image: the broken-off skimmer component held in the reader’s hand)

Here’s the plastic overlay that the piece pictured in the reader’s hand above broke away from:

(Image: the cracked fake anti-skimming bezel)

It’s fine to tug on parts of an ATM before using it (heck, I’ve been known to do this even for machines I have no intention of using), but just know that doing so doesn’t guarantee that you will detect a cleverly hidden skimmer.

As I’ve noted in countless skimmer stories here, the simplest way to protect yourself from ATM skimming is to cover your hand when entering your PIN. That’s because most skimmers rely on hidden cameras to steal the victim’s PIN. As easy as this is, you’d be amazed at how many people fail to take this basic precaution.

Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).

Also, if you visit an ATM that looks strange, tampered with, or out of place, try to find another cash machine. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Finally, don’t neglect your own physical security while at the cash machine: As common as these skimmers are, you’re probably more likely to get mugged withdrawing cash from an ATM than you are to find a skimmer attached to it.

Did you enjoy this post? Are you fascinated by skimming devices? Check out my series, All About Skimmers.

from Krebs on Security http://bit.ly/2nntSG6
via IFTTT