Author Archives: brianhonan

Telegram RAT Escapes Detection via Cloud Apps

Telegram RAT Escapes Detection via Cloud Apps

Netskope discovers a new RAT using Dropbox for its payload host and Telegram Messenger for command and control.

A new remote access Trojan is using cloud-based tools to evade traditional security scanners that can’t inspect SSL or provide cloud application-level traffic inspection, according to researchers at Netskope Threat Research Labs.

TelegramRAT uses Dropbox as its payload host and Telegram Messenger for command and control. It arrives as a malicious Microsoft Office document, exploiting a memory corruption vulnerability (CVE-2017-11882 ) patched by Microsoft last month, and it uses Bit.ly redirection to hide the payload hosted on Dropbox.

Its payload uses open-source Python TelegramRAT code, which is hosted in GitHub. The unique aspect of this malware is its reliance on the Telegram BOT API to receive commands and send messages to the attacker using an HTTPS communication channel, so traditional network security tools can’t see it.

Netskope is actively working with Dropbox security team to remediate known threats.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

from Dark Reading – All Stories http://ubm.io/2BcGQCk
via IFTTT

Kaspersky Lab Files Lawsuit Over DHS Ban of its Products

Kaspersky Lab Files Lawsuit Over DHS Ban of its Products

Security firm petitions US District Court to rescind decision to prohibit its products on US federal government systems.

Kaspersky Lab is fighting back against the Trump administration’s recent ban of its security products in agency networks with a lawsuit filed today in US District Court for the District of Columbia (DC).

The Moscow-based security company is seeking the appeal of US Department of Homeland Security’s September 13 Binding Operational Directive 17-01 that banned federal agencies from using Kaspersky Lab security products on their systems. The DHS policy prohibiting the use of Kaspersky Lab software came in the wake of concerns about potential ties between officials at Kaspersky Lab and Russian intelligence agenices, and required federal agencies running Kaspersky software to remove it.

Eugene Kaspersky, CEO of Kaspersky, said in an open letter today that DHS’s directive violated his company’s rights and constitutional due process, and harmed its revenue and reputation, so legal action was merited. He also called out “rumors” and media reports.

“The company did not undertake this action lightly, but maintains that DHS failed to provide Kaspersky Lab with adequate due process and relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the Directive,” he wrote. “DHS has harmed Kaspersky Lab’s reputation and its commercial operations without any evidence of wrongdoing by the company. Therefore, it is in Kaspersky Lab’s interest to defend itself in this matter.”

Kaspersky Lab argued its case under the Administrative Procedure Act.

Eugene Kaspersky noted that his company contacted DHS in mid-July to discuss any concerns with the company or its products, but the agency did not follow up on the company’s offer to discuss its concerns.

“DHS confirmed receipt of Kaspersky Lab’s letter in mid-August, appreciating the company’s offer to provide said information and expressing interest in future communications with the company regarding this matter. Kaspersky Lab believed in good faith that DHS would take the company up on its offer to engage on these issues and hear from the company before taking any adverse action,” the CEO said in the open letter. “However, there was no subsequent communication from DHS to Kaspersky Lab until the notification regarding the issuance of Binding Operational Directive 17-01 on September 13, 2017.”

DHS in its decision to blacklist Kaspersky Lab software cited its concerns of Russian law requiring companies to cooperate with its intelligence agencies.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the Department of Homeland Security stated in its ban decision. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.” 

According to the firm, it is calling for its due process and “repair the harm caused to its commercial operations, its U.S.-based employees, and its U.S.-based business partners.”  

“Because Kaspersky Lab has not been provided a fair opportunity in regards to the allegations and no technical evidence has been produced to validate DHS’s actions, it is in the company’s interests to defend itself in this matter. Regardless of the DHS decision, we will continue to do what really matters: make the world safer from cybercrime,” Eugene Kaspersky said in a statement.

Related Content:



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

More Insights

from Dark Reading – All Stories http://ubm.io/2AUSqOk
via IFTTT

Businesses Fail in Risk Modeling and Management: Report

Businesses Fail in Risk Modeling and Management: Report

Businesses struggle to quantify and manage risk, leading to wasted resources and oversight of major problems.

Poor risk management leads to a slippery slope of weak prioritization, wasted resources, and unaddressed security issues. Most businesses don’t know how to quantify and manage risk, and their failures lead to repeating the same security problems and facing new, major ones.

All this comes from the FAIR Institute, a nonprofit focused on advancing risk measurement and management. The institute polled 114 professionals who identify as CISO, cybersecurity specialist, risk officer, risk analyst, and C-level exec. Its goal was to learn about the current state of risk management maturity.

The top four scores came from businesses in the health, finance, consulting, and insurance industries. While the financial services industry scored highest overall, says Jones, even the top 25th percentile of scores were relatively low — a sign risk management is immature overall.

Most cyber risk management programs are “going through the motions” on risk management, says FAIR Institute chairman Jack Jones, who is also cofounder and executive vice president of R&D at RiskLens. It’s common for organizations to make decisions about people, processes, and technology without ensuring these choices are properly informed and executed.

“The industry has historically focused on best practices checklists … rather than effective risk measurement and prioritization,” he says. Much of this is due to a weak understanding of risk. Decision making and execution are both low across industries, suggesting both are problematic.

While compliance checklists aren’t harmful by nature, people assume compliance achieves risk management objectives, Jones says. Many businesses fail to prioritize issues due to inaccurate terminology, broken mental models, and insufficient skills among those who rate risk.

One major weakness is a “huge reliance” on mental models for rating risk instead of formal analytical models, Jones explains. Forty-three percent of survey respondents claimed their Model Quality was “Weak,” as they rely on the intuition of risk practitioners to evaluate risk.

“Mental models are notoriously inconsistent and unreliable in problem spaces as dynamic and complex as cyber, which significantly increases the odds of inaccurate risk information for decision-makers,” he continues. “This affects prioritization and solution selection at both tactical and strategic levels.

Organizations also fail to motivate business leaders to take risk management as seriously as revenue goals, deadlines, and budget requirements. “As long as this is the case, non-compliance with internal policies and/or external regulations will continue to be a problem,” says Jones.

Citing previous root cause analyses he has performed, Jones explains how more than 75% of non-compliant conditions (bad passwords, missing patches) exist because other enterprise imperatives like deadlines and budgets are prioritized.

“Risk imperatives need to be placed on equal footing with other business objectives,” he emphasizes, suggesting that business executives have part of their compensation tied to specific risk management goals each year. Objectives would be agreed on by the execs who will be held accountable, he adds.

Jones advises businesses reset their understanding of risk and normalize their terminologies, mental models, and measurement practices for risk. They should also put more careful thought into who is responsible for rating risk, he adds.

“Just because someone is a great auditor or security engineer doesn’t qualify them to understand or measure risk reliably,” Jones explains. “Risk measurement is an analytic process that requires specific, and relatively uncommon, capabilities such as critical thinking skills, an understanding of basic probability principles, calibrated estimation skills, and an ability to use formal analytic models.”

When businesses can’t manage risk, it has a broader effect on the whole organization. Major issues go unaddressed and resources are wasted on smaller problems. Businesses end up treating the same issues over and over again, Jones says.

Related Content:



Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

More Insights

from Dark Reading – All Stories http://ubm.io/2BajI7N
via IFTTT

The Market for Stolen Account Credentials

Past stories here have explored the myriad criminal uses of a hacked computer, the various ways that your inbox can be spliced and diced to help cybercrooks ply their trade, and the value of a hacked company. Today’s post looks at the price of stolen credentials for just about any e-commerce, bank site or popular online service, and provides a glimpse into the fortunes that an enterprising credential thief can earn selling these accounts on consignment.

Not long ago in Internet time, your typical cybercriminal looking for access to a specific password-protected Web site would most likely visit an underground forum and ping one of several miscreants who routinely leased access to their “bot logs.”

These bot log sellers were essentially criminals who ran large botnets (collections of hacked PCs) powered by malware that can snarf any passwords stored in the victim’s Web browser or credentials submitted into a Web-based login form. For a few dollars in virtual currency, a ne’er-do-well could buy access to these logs, or else he and the botmaster would agree in advance upon a price for any specific account credentials sought by the buyer.

Back then, most of the stolen credentials that a botmaster might have in his possession typically went unused or unsold (aside from the occasional bank login that led to a juicy high-value account). Indeed, these plentiful commodities held by the botmaster for the most part were simply not a super profitable line of business and so went largely wasted, like bits of digital detritus left on the cutting room floor.

But oh, how times have changed! With dozens of sites in the underground now competing to purchase and resell credentials for a variety of online locations, it has never been easier for a botmaster to earn a handsome living based solely on the sale of stolen usernames and passwords alone.

If the old adage about a picture being worth a thousand words is true, the one directly below is priceless because it illustrates just how profitable the credential resale business has become.

This screen shot shows the earnings panel of a crook who sells stolen credentials for hundreds of Web sites to a dark web service that resells them. This botmaster only gets paid when someone buys one of his credentials. So far this year, customers of this service have purchased more than 35,000 credentials he’s sold to this service, earning him more than $288,000 in just a few months.

The image shown above is the wholesaler division of “Carder’s Paradise,” a bustling dark web service that sells credentials for hundreds of popular Web destinations. The screen shot above is an earnings panel akin to what you would see if you were a seller of stolen credentials to this service — hence the designation “Seller’s Paradise” in the upper left hand corner of the screen shot.

This screen shot was taken from the logged-in account belonging to one of the more successful vendors at Carder’s Paradise. We can see that in just the first seven months of 2017, this botmaster sold approximately 35,000 credential pairs via the Carder’s Paradise market, earning him more than $288,000. That’s an average of $8.19 cents for each credential sold through the service.

Bear in mind that this botmaster only makes money based on consignment: Regardless of how much he uploads to Seller’s Paradise, he doesn’t get paid for any of it unless a Seller’s Paradise customer chooses to buy what he’s selling.

Fortunately for this guy, almost 9,000 different customers of Seller’s Paradise chose to purchase one or more of his username and password pairs. It was not possible to tell from this seller’s account how many credential pairs total that he has contributed to this service which went unsold, but it’s a safe bet that it was far more than 35,000.

[A side note is in order here because there is some delicious irony in the backstory behind the screenshot above: The only reason a source of mine was able to share it with me was because this particular seller re-used the same email address and password across multiple unrelated cybercrime services].

Based on the prices advertised at Carder’s Paradise (again, Carder’s Paradise is the retail/customer side of Seller’s Paradise) we can see that the service on average pays its suppliers about half what it charges customers for each credential. The average price of a credential for more than 200 different e-commerce and banking sites sold through this service is approximately $15.

Part of the price list for credentials sold at this dark web ID theft site.

Indeed, fifteen bucks is exactly what it costs to buy stolen logins for airbnb.com, comcast.com, creditkarma.com, logmein.com and uber.com. A credential pair from AT&T Wireless — combined with access to the victim’s email inbox — sells for $30.

The most expensive credentials for sale via this service are those for the electronics store frys.com ($190). I’m not sure why these credentials are so much more expensive than the rest, but it may be because thieves have figured out a reliable and very profitable way to convert stolen frys.com customer credentials into cash.

Usernames and passwords to active accounts at military personnel-only credit union NavyFederal.com fetch $60 apiece, while credentials to various legal and data aggregation services from Thomson Reuters properties command a $50 price tag.

The full price list of credentials for sale by this dark web service is available in this PDF. For CSV format, see this link. Both lists are sorted alphabetically by Web site name.

This service doesn’t just sell credentials: It also peddles entire identities — indexed and priced according to the unwitting victim’s FICO score. An identity with a perfect credit score (850) can demand as much as $150.

Stolen identities with high credit scores fetch higher prices.

And of course this service also offers the ability to pull full credit reports on virtually any American — from all three major credit bureaus — for just $35 per bureau.

It costs $35 through this service to pull someone’s credit file from the three major credit bureaus.

Plenty of people began freaking out earlier this year after a breach at big-three credit bureau Equifax jeopardized the Social Security Numbers, dates of birth and other sensitive date on more than 145 million Americans. But as I have been trying to tell readers for many years, this data is broadly available for sale in the cybercrime underground on a significant portion of the American populace.

If the threat of identity theft has you spooked, place a freeze on your credit file and on the file of your spouse (you may even be able to do this for your kids). Credit monitoring is useful for letting you know when someone has stolen your identity, but these services can’t be counted on to stop an ID thief from opening new lines of credit in your name.

They are, however, useful for helping to clean up identity theft after-the-fact. This story is already too long to go into the pros and cons of credit monitoring vs. freezes, so I’ll instead point to a recent primer on the topic and urge readers to check it out.

Finally, it’s a super bad idea to re-use passwords across multiple sites. KrebsOnSecurity this year has written about multiple, competing services that sell or sold access to billions of usernames and passwords exposed in high profile data breaches at places like Linkedin, Dropbox and Myspace. Crooks pay for access to these stolen credential services because they know that a decent percentage of Internet users recycle the same password at multiple sites.

One alternative to creating and remembering strong, lengthy and complex passwords for every important site you deal with is to outsource this headache to a password manager.  If the online account in question allows 2-factor authentication (2FA), be sure to take advantage of that.

Two-factor authentication makes it much harder for password thieves (or their customers) to hack into your account just by stealing or buying your password: If you have 2FA enabled, they also would need to hack that second factor (usually your mobile device) before being able to access your account. For a list of sites that support 2FA, check out twofactorauth.org.

from Krebs on Security http://bit.ly/2kgFix0
via IFTTT

Cryptocoins robbed at gunpoint

As through this life you travel, you meet some funny men
Some rob you with a six-gun, some with a fountain pen.

– Woody Guthrie, “Pretty Boy Floyd”

You may have thought that was hopelessly out of date, at least when it comes to cyber crime, since robberies that don’t involve physical cash are often done not with a gun or a pen, but with computer keystrokes from miles – even tens of thousands of miles – away.

Especially when it comes to that ephemeral money called cryptocurrency, where, as Naked Security has reported, the most common ways to lose it are through the volatility of its value, exchanges getting hacked or digital wallets being frozen.

But, according to an indictment handed down in New York Supreme Court this week, it can still happen with a gun. Which should serve as a warning to all those who have been enjoying seeing their cryptocurrency investments explode in value: be careful who you confide in.

Manhattan District Attorney Cyrus Vance announced last Tuesday that Louis Meza, 35, of Passaic, NJ, had been arraigned on eight charges, including grand larceny, kidnapping, robbery, criminal use of a firearm, computer trespass and computer tampering for allegedly robbing a so-far unnamed acquaintance on 4 November of about $1.8m of the cryptocurrency Ether.

According to a press release from the DA’s office, Meza had an accomplice who is still at large, but who will likely face similar charges.

The DA said Meza knew the victim had that much Ether in a digital wallet when they met at Meza’s apartment. After the meeting, Meza “insisted” on ordering a car service to take the victim back to his apartment – a “car service” with a gunman.

On the way to the victim’s apartment, an unapprehended individual who had been hiding in the vehicle appeared suddenly and demanded that the victim turn over his cell phone, wallet, and keys while holding the victim at gunpoint.

Prosecutors said the victim was also ordered to divulge a 24-word passphrase. Thankfully the victim managed to escape the minivan where he was being held, at which point he promptly called 911.

Meanwhile, when Meza allegedly entered the victim’s apartment, his presence was documented on surveillance video. And law enforcement found the $1.8m had been transferred to Meza’s personal account the following day.

Video surveillance later obtained from the victim’s apartment building showed MEZA using the set of keys stolen from the victim to enter the victim’s apartment and then leave the apartment holding a box believed to contain the victim’s digital wallet. Additional records reveal that soon after obtaining the victim’s digital wallet, the defendant then transferred approximately $1.8 million in Ether to his own personal account.

The DA didn’t specify exactly what was in the box, but it was presumably some kind of paper record or electronic storage.

While a hard drive or USB, if encrypted, can provide protection against thieves getting access to your currency, it doesn’t stop them threatening or coercing you into doing it for them.

In this case, at least one of the perps didn’t get far and the victim will, presumably, get his money back. But Vance warned that as long as cryptocurrency values continue on their seemingly endless spike, this kind of thing will become more common. “This case demonstrates the increasingly common intersection between cyber and violent crime,” he said.

The defendant is charged with coordinating an elaborate kidnapping, armed robbery, and burglary to gain access to the victim’s digital wallet and the significant funds it contained. We can expect this type of crime to become increasingly common as cryptocurrency values surge upward.

Meza entered a not-guilty plea but was held on $1m bond or $500,000 cash bail.


from Naked Security – Sophos http://bit.ly/2jb2Pyn
via IFTTT

US Government Pays $10,650 Bug Bounty in Hack the Air Force Event

US Government Pays $10,650 Bug Bounty in Hack the Air Force Event

The bounty, split between two researchers, is the largest single reward by any government bug bounty program to date.

The United States Air Force paid out a total of $26,883 in bug bounty rewards during h1-212, HackerOne’s fourth live hacking event of 2017 and kickoff for Hack the Air Force 2.0.

This payout included a single prize of $10,650, the biggest reward from any government bug bounty program to date. Hackers Brett Buerhaus and Mathias Karlsson earned the sum, which they split, for discovering a vulnerability in the Air Force website that let them pivot onto the US Department of Defense’s unclassified network.

Twenty-five civilian hackers from seven countries, and seven US Air Force members, reported 55 total vulnerabilities in nine hours of hacking over the course of the day. The average time to first response was 25 minutes, and every report was triaged by the end of the day, HackerOne states. Hack the Air Force 2.0 will continue through Jan. 1, 2018.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

from Dark Reading – All Stories http://ubm.io/2CzVCiW
via IFTTT

Top 8 Cybersecurity Skills IT Pros Need in 2018

Top 8 Cybersecurity Skills IT Pros Need in 2018

Cloud security architecture skills to customer-service savvy are among the key IT security skills needed next year as CIOs ramp up hiring.

Previous

1 of 9

Next

One-fifth of CIOs expect to expand their IT teams in the first half of 2018, a new report found, and nearly one quarter of the respondents cite cybersecurity as their top priority.

The survey results in the the Robert Half Technology IT Hiring Forecast and Local Trends Report also found that 43% of respondents point to cybersecurity as the technical skill in highest demand at their organization.

“When we entered 2017, the talking points were about bridging the gap between security and IT. But with sophisticated technical breaches and ransomware attacks like WannaCry, there is a return back to incident response and more technical skills, which are hard to find,” says Owanate Bestman, information security contract consultant at Barclay Simpson.

As for technical skills, “play to your strengths,” Bestman advises. “If you are a generalist IT manager, a business-facing security manager role that buys security software for the organization or launches security training may work. Or, if you are a network architect, then potentially you could make the transition to a security network architect.”

Here are the eight key cybersecurity skills that IT professionals – as well as IT security pros – should have in 2018, say career and job experts.

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio

Previous

1 of 9

Next

More Insights

from Dark Reading – All Stories http://ubm.io/2kdNVbq
via IFTTT