Monthly Archives: July 2016

Cybercriminals Target Executives with Whaling Attacks

It looks like cybercriminals are looking for the “bigger fish in the sea” with the rise of whaling. While phishing middle to lower level employees is still extremely relevant in the world of cybersecurity, some attackers are now looking for a bigger reward by going after the executives. The term “whaling” is more than fitting as it refers to phishing executives (whales) of large corporations.

Whaling

What is Whaling?
Whaling refers to targeted spear-phishing campaigns directed at senior executives, who often have access to delicate information such as employee or customer data. A successful whaling attack can yield executive passwords and other account details that can open up corporate hard drives, company networks, and even commercial bank accounts.

Where a regular phishing email will typically address a personal aspect of the target’s life, a whaling email will likely take the form of a business critical email, customized to a senior executive’s precise position and responsibilities in the company. Last year, a senior executive in charge of customer satisfaction at his company opened an email about a customer complaint. He followed the link to see the details of the complaint only to find himself redirected to an illegitimate website that ended up giving the attacker access to his company’s network.

Going After the Big Catch
In the last two years alone, as many as 7,000 US businesses have fallen victim to whaling attacks, resulting in over $740 million in losses. With the rewards for a successful cyberattack becoming bigger and bigger each day, so too are the security measures corporations are taking. Unfortunately, cybercriminals are also becoming more sophisticated with their attacks. With whaling, however, criminals must become more educated about their targets.

Most senior executives are aware of all the malicious spam they could encounter. Cybercriminals are now taking months to research the company they are after, to find out as much as possible in order to craft an email in a way that seems completely legitimate to the recipient. A successful attack happens only when the cybercriminal sends an email that has a reasonable rationale and builds trust by including pertinent and specific information that seems confidential.

Attackers have even begun to take to social media to see what charities or hobbies their target executive is involved in. Executives with open public profiles make prime targets for whaling attacks.

Don’t Become the Next Trophy Catch
Here are some guidelines to follow to limit your exposure to becoming the next trophy on the wall for cybercriminals:

  • Minimize or lock down the exposure of senior management by implementing privacy restrictions
    • Facebook – Don’t have an open profile that is visible to the general public and be weary of accepting friend requests from individuals you don’t know
    • Twitter/Instagram – Don’t let anyone and everyone follow you. Make sure to implement security measures where you can accept/deny follow requests.
  • Don’t rely on traditional security tools to safeguard network user information
  • Monitor suspicious emails by creating a reporting system
  • Assess your organization’s overall exposure to phishing attacks – launch a practice phishing attack to see how many employees actually visit the website in the email.

Ransomware Incidents at Health Organizations are now Classified as a Data Breach

Healthcare_Breach

According to new guidelines issued by the United States Department of Health and Human Services (HHS), ransomware incidents in HIPAA regulated organizations are now classified as a data breach. HIPAA is the Health Insurance Portability and Accountability Act, that must be followed by any health care provider who transmits health information in electronic form. In America, with the use of electronic medical records, this means just about every health care provider.

To most security professionals, this is an unusual approach, as a data breach has previously indicated the exfiltration of data by an attacker. In fact, the Code of Federal Regulations defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted . . .”

Although there have been rumors of ransomware that steals data, there is still no proof of any such ransomware in the wild.

The HHS has codified a breach as the following:

“A breach has occurred because the Electronic Protected Health Information (ePHI) encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information). . .”

In a parenthetical statement, the HHS has memorialized the act of encrypting data as “control” of the information. I would hope that this new classification will have many scratching their heads, wondering, “If I have good backups, then the control is mitigated.” (Failure to protect data is also a violation of HIPAA rules.)

In fairness to the Department of Health and Human Services, the new guidelines also allow an organization to demonstrate that there is a “low probability that the Protected Health information has been compromised,” however, the 4-step risk assessment is geared more towards a general malware outbreak, rather than a ransomware event.

Ransomware simply does not work the way the authors of the new HHS guidelines have implied. Even in a targeted attack, the ransomware authors are not seeking to use any of the data that is encrypted; they are after the value of the target getting back in operation. In random ransomware events, the attacker simply fires up the spam-generating engine and hope for some bites on their phishing lures.

Ransomware is a lucrative business. One strain has been reported to cost victims over $18 million in one year. Ransomware criminals do not have to waste their time trying to fence stolen data.

The greatest concern with this new breach classification is that it can spread to other regulations, and eventually find its way into the general practice of corporate risk officers.

Nothing could be more wasteful of a security team’s time than explaining that no data was stolen every time a piece of ransomware is detected.

Of course, the best protections against ransomware remain the same:

  • A layered defense;
  • Good backups that are stored offline and regularly tested;
  • Security awareness training for all staff;
  • Access controls;
  • Vulnerability assessments and penetration testing (including hunt team exercises);
  • Maintaining a patch management strategy.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor.

Employees: The Weakest Link in Cybersecurity

Weak_Link_2

From day one, we have said that employees are the weakest link in the cybersecurity chain for an organization. In a recent webcast, Michael Gelles and Robert McFadden of Deloitte Consulting LLP highlighted just how big of a threat “insiders” are to an organization’s cybersecurity well-being.

Insider Threats

The term “insider threats” often refers to individuals who use their knowledge of or access to an organization and its systems to deliberately perpetrate wrongdoing, whether fraud, sabotage, theft or a violent act. These individuals may be current or former employees, contractors, or employees of third-party service providers.

However, insider threats are not all the same. There are three types of insider threats:

  • Malicious Insiders: These are the least frequent, but have the potential to cause the most damage due to their insider access. Administrators with privileged identities are especially risky.
  • Exploited Insiders: This refers to employees who may be tricked by external parties into providing sensitive data that shouldn’t be shared.
  • Careless Insiders: The type of insider seen most frequently within an organization. This person may be a new employee who doesn’t know their organization’s policies or an employee who is aware of the organization’s policies but has become complacent about them.
Insider Threat Statistics

In a study titled  “The Widespread Risk of Insider Threats” the following data was collected:

  • 97% of insider threat cases involved an employee whose behavior a supervisor had flagged, but that the organization had failed to follow up on.
  • 92% of insider threat cases were preceded by a negative work event, such as a termination, demotion, or dispute with a supervisor.
  • 90% of IT employees indicate that if they lost their jobs, they’d take sensitive data with them.
  • 59% of employees who leave an organization voluntarily or involuntarily say they take sensitive data with them.
  • 51% of employees involved in an insider threat incident had a history of violating IT security policies leading up to the incident.

Let’s take a moment to review the above statistics. I think it’s safe to say that we are our own worst enemy. There are two trends we can take away from the study. One, we aren’t doing a good enough job (statistics actually show that we aren’t doing this job at all) of monitoring the activity of our employees. With the evident threat of cybersecurity issues being in the limelight as of late, you would think this would be a major priority of managers and high-level executives. However, this leads us to our second trend that we can identify. If an employee has a negative experience at work, such as being flagged for their suspicious work behavior, statistics show that nine out of ten cases could lead to an insider threat occurrence. That has to be an extremely daunting area of concern for managers and executives to analyze. How do you manage your insider threats without unintentionally creating an insider threat?

The Stakes

The stakes of becoming the next big breach in the news are higher than ever. Cybercriminals are making very lucrative careers out of breaching networks and stealing personally identifiable information. As we become an increasingly information-based economy, securing your network and sensitive data are more critical than ever to any organization’s survival. In 2015, it was estimated that 58% of all data security threats came from the extended enterprise (employees, ex-employees, and trusted partners). Statistics also showed that an insider attack costs a company over $400,000 per incident and approximately $15 million in annual losses per company. Some incidences have gone on to cost a company more than $1 billion.

Inside_Security

Whether you are dealing with a malicious, exploited or careless insider, they all end with unauthorized users having access to your company’s sensitive data. Below are “12 Steps to Future Proofing Your Internal Security” from IS Decisions:

  1. Educate Users: More training in more innovative, engaging ways, as well as the right technology to grow awareness.
  2. Use Technology: The majority of IT professionals will be spending more on security technology in the near future, with technology and tools being the most common element of any insider threat
  3. Consider Partners & Supply Chains: When we say users, we do not just mean immediate employees. Anyone who has access to your network has to be subject to the same process and restrictions, or there is little point in having them in place.
  4. Include a Post Employment Process: As we can see from the statistics above, this one is extremely important! Ensure that a process is in place that makes sure ex-employees can no longer access the organization’s systems or data as soon as they have ceased employment.
  5. Consult External Sources: Analysts, media, and organizations dedicated to cybersecurity (like WatchPoint) can help you gain an objective view of how to structure your insider threat.
  6. Stay Up-To-Date: The technologies and thinking involved in combating insider threat are evolving as quickly as the threat itself, so it is imperative to stay informed.
  7. Educate Senior Management: Senior-level management should be just as educated as lower level management and employees about insider threats and cybersecurity in general.
  8. Get C-Level Commitment and Buy-In: The commitment to enforcing your policies must go to the top of an organization so that it can be properly enforced at all levels.
  9. Implement Greater User Access Restrictions & Control: The more restrictions there are, the smaller the surface of attack.
  10. Generate User Alerts: Generating alerts is especially useful when a user’s activity triggers suspicious behavior, so users learn to know what is and what isn’t good
  11. Take a Multi-Layered Approach: Biometrics (fingerprints), two-factor authentication, etc. all make it harder (but not impossible) for an unauthorized user to access sensitive data.
  12. Be Transparent – Externally & Internally: A good internal security policy is one that is transparent and properly communicated to all employees. But you should also ensure that you communicate your approach to security externally as well.

Customers are increasingly going to be scrutinizing companies on their approach to security, so it helps to be able to show them that you have the right attitude about keeping their data safe.

 

New trend alert: Angler Phishing

Don’t Let Angler Phishing Lure Your Customers into a Trap
angler-phishing

Fraudsters create fake social media accounts for many reasons. They may want to use your brand’s popularity to distribute malware, ads, pornography, or hate speech. Alternatively, they might want to protest or embarrass your brand. Fake accounts are never good for your company or your customers, but the most harmful fake accounts are those created to launch phishing attacks against your followers.

This type of fraud is on the rise. In 2016 Proofpoint has already seen a 150% increase in social media phishing attacks when compared to the same period last year. In particular, we’ve seen an increase in a dangerous new variation called angler phishing.

What is angler phishing?

This attack is named after the anglerfish, which uses a bioluminescent lure to entice and attack smaller prey. In this case, the glowing lure is a fake customer support account that promises to help your customers but secretly steals their credentials instead.

How does it happen?

Fraudsters create highly convincing fake customer service accounts and then monitor social media channels for customer support requests. Angler phishing hackers often wait to strike on evenings or weekends when your brand is less likely to monitor social media interactions. When the hacker sees a customer contact your brand, they hijack the conversation by responding directly to that customer using their fake support page. You can see an example of a hijacked conversation below.

angler-1
angler-2

The fraudsters are looking for any tweet or post that mentions the brand “Major Bank”. Even though John Smith tweeted his request to @majorbank, the hackers were able to intercept his tweet and respond using their fake account @askmajorbank. The link in the fraudulent response will lead John to a perfect replica of the bank’s login page. There the hackers can steal his online banking credentials, ATM pin, security questions and answers, and more.

Who is at risk?

Fraudulent customer support accounts are a problem for any business that provides customer service on social media. However, 2016 research from the Anti-Phishing Working Group shows that more than 75% of phishing attempts target financial service and ecommerce organizations to steal banking credentials and make fraudulent purchases.

How can I stop angler phishing attacks?

The first step in preventing angler phishing attacks is account discovery. But it is ineffective to manually search for fraudulent accounts that can be created and taken down in a matter of hours or even minutes.

It is also important to safeguard your social media interactions with your customers.   When getting request from customer service representatives make sure you know who you are talking with !!

Police Want to 3D Print a Dead Man’s Fingers to Unlock His Phone

Finger_Print

Asking Apple to help break an iPhone is so three months ago. Police have a new, and higher-tech idea: 3D print the fingers of a dead man and use those fingerprints to unlock the phone instead.

Michigan State University professor Anil Jain—who has been assigned six U.S. patents on fingerprint recognition—told Fusion that police showed up at his lab to ask for help in catching a murderer in an ongoing investigation. They had scans of the victim’s fingerprints from a previous arrest and thought that unlocking his phone (the make and model weren’t divulged) might provide clues as to who killed him.

Jain and his PhD student Sunpreet Arora have already printed all 10 digits using the scans and coated them in a layer of metallic particles to mimic how conducive skin is and make it easier to read. The final 3D-printed fingers aren’t finished, but they’ll be ready for police to try out in a matter of weeks.

It’s possible that the whole move will be futile because many phones that use biometric data require a PIN to be entered if it hasn’t been used in two days. If that’s the case, fingerprint won’t unlock anything.

The legality of this move is still up in the air, but the case is further proof that fingerprints, while cool, are not really the safest way of securing our private data.

Not that it matters for a dead man, but in 2014 a judge ruled that suspects can be required to unlock a phone with a fingerprint.  While the Fifth Amendment protects the right to avoid self-incrimination and makes it illegal to force someone to give out a passcode, biometric indicators like fingerprints are not covered by the Fifth Amendment, according to the ruling.

Maybe it’s time to go back to a 6-8 digit PIN.

U.S. Voter Registration Database for Sale

Trump
As if we do not already have enough to worry about in the upcoming U.S. election, now hackers have access to the entire U.S. Voter Registration database.  A seller going by the handle “DataDirect” on TheRealDeal market is offering to sell the voter database for .5 Bitcoin or about $330 USD per state.  DataDirect is offering a value pack if you buy all 50 states for 12 Bitcoin.

Voters

TheRealDeal is a DarkNet marketplace selling everything from drugs to exploit code.

The first questions you might ask are “What would someone do with the data?” and “Why would they want it?”  First, let’s take a look at what data is being offered.  Below is a sample.

Code

With this data, any number of a targeted scams could be run.  Marketers or criminals would know the name, address, date of birth, party affiliation, and if they are an active voter.

Is the data legit?

It is hard to know for sure if the data is legitimate.  The only way to know would be to pay and download the data.  From the sample data, it certainly looks like the real deal.  The sample data is not redacted on the site, and the name checks out as an actual person in California.

Where did the data come from?

In December 2015, Chris Vickery, a security researcher, claimed to have found 191 million US voter records.  He claimed there was no security needed to access the data, no password or other authentication needed at all.  At the time, Chris made attempts to get authorities to close the open door, but couldn’t get anyone to take responsibility. It is uncertain if the U.S. Voter Registration data was downloaded from the same source in December or if it was stolen from a political party or government agency’s server.

Every day we hear of a new database being offered for sale on the DarkNet.  This same seller is also offering a Thompson Reuters World-Check (2.4 million records) database and an Orastream.com (126,000 entries) user database.  Seller “thedarkoverlord” has two healthcare databases for sale from Farmington, Missouri (48,000 patients) and Atlanta, Georgia (397,000 patients).

The DarkNet, Bitcoin, and markets like TheRealDeal make it possible for criminals to continue to profit in anonymity and without repercussions. Good work if you can get it, and don’t have a conscience.

Beware! Your iPhone Can Be Hacked Remotely With Just A Message

Iphone_Hack
In Brief
Do you own an iPhone? Mac? Or any Apple device?
Just one specially-crafted message can expose your personal information, including your authentication credentials stored in your device’s memory, to a hacker.
The vulnerability is quite similar to the Stagefright vulnerabilities, discovered a year ago in Android, that allowed hackers to silently spy on almost a Billion phones with just one specially-crafted text message.

Cisco Talos senior researcher Tyler Bohan, who discovered this critical Stagefright-type bug in iOS, described the flaw as “an extremely critical bug, comparable to the Android Stagefright as far as exposure goes.”

The critical bug (CVE-2016-4631) actually resides in ImageIO – API used to handle image data – and works across all widely-used Apple operating systems, including Mac OS X, tvOS, and watchOS.

All an attacker needs to do is create an exploit for the bug and send it via a multimedia message (MMS) or iMessage inside a Tagged Image File Format (TIFF).

Once the message received on the victim’s device, the hack would launch.

“The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism, so I can send the exploit today and you will receive it whenever your phone is online,” Bohan quoted as saying by Forbes.

The attack could also be delivered through Safari web browser. For this, the attacker needs to trick the victim into visiting a website that contains the malicious payload.

In both the cases, no explicit user interaction would be required to launch the attack since many applications (like iMessage) automatically attempt to render images when they are received in their default configurations.

It is quite difficult for the victim to detect the attack, which if executed, could leak victims’ authentication credentials stored in memory such as Wi-Fi passwords, website credentials, and email logins, to the attacker.

Since iOS include sandbox protection to prevent hackers exploiting one part of the OS to control the whole thing, a hacker would require a further iOS jailbreak or root exploit to take total control of the complete iPhone.

However, Mac OS X does not have sandbox protection that could allow an attacker to access the Mac computer remotely with the victim’s passwords, potentially making users of Apple’s PCs completely vulnerable to the attack.

Apple has patched this critical issue in iOS version 9.3.3, along with patches for other 42 vulnerabilities, including memory corruption bugs in iOS’ CoreGraphics that helps render 2D graphics across those OSes, according to Apple’s advisory.

Apple also addressed serious security vulnerabilities in FaceTime on both iOS and OS X platforms, allowing anyone on the same WiFi network as a user to eavesdrop on the audio transmission from FaceTime calls even after the user had ended the call.

“An attacker in a privileged network position [could] cause a relayed call to continue transmitting audio while appearing as if the call terminated,” reads Apple description.

The FaceTime vulnerability (CVE-2016-4635) was discovered and reported by Martin Vigo, a security engineer at Salesforce.

So users are advised to patch their devices as it would not take enough time for bad actors to take advantage of the vulnerabilities, which are now known.