Monday 4 November 2013

Big companies still fall for social engineering “hacks” by phone – and it’s not getting better

Major companies such as Disney, Boeing and General Electric are still handing out information to “hackers” using the most basic tool of all – the human voice.
The Social Engineer Capture the Flag competition held at the Defcon security conference this year issued its full report today – and it’s grim reading, as major companies continue to “leak” crucial information in basic social engineering attacks via the telephone. Ten major US companies were targeted – and most handed out information to the attackers.
Major hacks such as the recent defacement of the New York Times home page rely on “social engineering” – fooling people into handing over information, before sending targeted emails to penetrate networks.
This year’s test found that even huge companies such as the 10 under test were not immune – and the “hackers” were also untrained, using only publicly available information (such as Facebook pages) to select targets and “craft” their phone calls, according to a report by Computer World.
The attackers were able to capture information such as which operating system was used on company systems, whether wireless access was available, whether a company used a virtual private network – and information such as who supplied vending machines and catering services. All of this could be used by hackers as the basis of an attack.
“Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year’s competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks,” said Chris Hadnagy, Chief Human Hacker, Social-Engineer, Inc.
“While there continues to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer.
“For example, one contestant was able to find an improperly secured help desk document that provided login credentials for the target company’s employee-only online portal. It’s disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited.”
The contest organizers selected 20 untrained contestants (10 men, 10 women), and chose brands that US customers rely on – as these would have access to their personal and financial information.
Only this week, Adobe revealed that details for 38 million users had leaked in an attack on their systems.
“The bottom line is the firms did really poorly,” says Michele Fincher of Social-Engineer, Inc., which stages the contest each year, according to a report by CIO magazine.
“The companies who happened to do well did so accidentally or out of ignorance in that they either couldn’t answer the question or didn’t know how, so the call shut down. Very few said, ‘I am not allowed to give out this information.’”
Social engineering is the basis of many hacks and attacks – some We Live Security reports on the subject can be found here.
The organizers noted that the untrained “attackers” crafted cleverer cover stories – i.e. rather than posing as students or researchers – and stuck to them better, taking laptops with them and using notes on the “victim” companies. They also voiced surprise at the amount of information available during the “research” phase – where callers were able to pick who to target within each company, using the data collection tool Maltego as well as Google, LinkedIn, Bing, Facebook and other sites such as BlogSpot.
“This was an excellent competition,” the organizers said. “One thing we do not see, however, are any significant improvements on the part of companies to educate and prepare themselves against social engineering attacks.”

When big sites spring a leak: What to do when breaches put your ID at risk

When Adobe admitted this week that 38 million of its users may have had their ID and passwords leaked, it was not the first big site to break this sort of news to its users.
Sony, Evernote, LinkedIn – there are dozens of companies which have fallen victim to hackers over the past few years, leaking everything from credit card details to email addresses, and often affecting millions or tens of millions.
What should you do when it happens? You’ll often – but not always – get an email from the company explaining what’s happening, and what to do.
But the advice you’re offered by the company might be the bare minimum you can do to stay safe – and our tips offer a few extra safeguards.
It’s worth checking company sites in the event of any breach – you’ll often find more detail there, and advice on specific risks. Even company Twitter feeds can help. Adobe, for instance, offers some good advice for its users here.
Don’t always believe what they tell you
In the first few hours after a major breach, the company itself may not be aware of the extent of the attack – and may be attempting to “manage” the crisis. ESET Senior Research Fellow David Harley says, “Often, there isn’t much you can do when a major company screws up. And in fact, it’s not unknown for a company to try to gloss over the breach by not notifying individual users unless they know that they’re likely to be affected. (Local legislation has a lot of influence here: where there is legislation forcing disclosure, it may depend on how much wiggle room is left.)”
Been “reassured” by email? Stay alert
In many breaches, the news is not announced via company sites or Twitter feeds – it’s first sent as an email to users. But breaches can turn out to be far worse than they appear – to take Adobe’s example, it initially seemed that “only” three million users were affected. Take as many precautions as you can, regardless of what the email says (see our advice on passwords below). Harley says, “If a company does notify you individually, it’s as well to take it seriously and consider carefully whatever advice they give you. However, it’s as well to bear in mind that such notifications may play down the threat for PR reasons, and in any case the company’s understanding of the security implications may be incomplete.”
The word “encrypted” doesn’t always mean you’re safe – nor does a strong password
When hackers break into a company and leak huge amounts of encrypted IDs and passwords, companies often trumpet the fact that the data was “encrypted” – but there are different levels of encryption, and once leaked, cybercriminals will use specialised software to extract passwords. Once the data is out there, criminals have months to use cracking software on the encrypted data – and if they are determined, and lucky, they’ll break in, no matter how strong a password you use. That means it’s doubly important to change passwords if they are reused elsewhere. If you have used a weak password, though, it will be easier for criminals to “crack” yours. A We Live Security guide to creating a stronger password is here.
Phish alert! Be very, very careful about emails from the company
When a breach occurs, the company may well email you – but be wary, cybercriminals will see this as an opportunity, too. Harley says, “Bear in mind that it’s not unknown for scammers to use breaches like this as a starting point for fake alerts used for phishing purposes. If you get an alert that contains links that require you to enter your password so that you can change it, or to access further information, treat it as suspicious. Rather than follow the link, go to a page you know is genuine and drill down from there.”
Don’t just change one password
Once a big breach has hit the news, most users change their passwords – or are forced to. But the criminals may target email services with the passwords – so it’s a good idea to have a clean sweep of online services you use, such as email, social networking and storage sites such as Dropbox. Harley says, “Where your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”
Don’t set yourself up for a fall
Internet users get asked for passwords dozens of times a week – so it’s only natural passwords DO get reused. Harley advises that one approach is to save your “good” email and strong passwords for the sites that matter: “Some people use a different username and standard ‘throwaway’ password on sites that don’t really matter and that they’re unlikely ever to visit again. If you do this, be sure that you use something individual and harder to crack on sites that do matter, or might in the future.”

Smartphone “contactless” payment systems may be at risk from snooper devices, researchers warn

New hi-tech contactless payment systems may be far less secure than has been believed, a team of University of Surrey researchers has warned. Banks and cellphone makers offer “contactless” payment where a cellphone or card is tapped on a receiver to pay – but the team has proved this exchange can be “sniffed”.
Using equipment described as “ordinary and inexpensive”, the team were able to intercept data over distances of more than a foot – which could put personal data at risk.
The “receiver” was small enough to carry in a backpack or shopping trolley, and, the researchers say, “would not raise suspicion in a crowded store.”
Speaking to We Live Security, Dr Johann Briffa, Computing Lecturer, says, “Designers of applications using NFC need to consider privacy because the intended short range of the channel is no defence against a determined eavesdropper.
“The results we found have an impact on how much we can rely on physical proximity as a ‘security feature’ of NFC devices.”
Phones such as Samsung’s Galaxy S4 ship with Near Field Communication chips built in – and many companies hope to use these for payment systems. “Contactless” payment cards issued by banks are also vulnerable, the researchers warned.
Both systems rely on extremely short-range radio transmissions – but being able to snoop on them from further away might put personal data at risk. It is not unknown for cybercriminals to construct specialized devices for information theft – in Russia, a PIN terminal has been offered for sale on cybercrime forums, which broadcasts victims’ card details instantly via SMS.
As the number of devices with NFC chips has grown, more banks have added apps to allow payment via the chips, according to CNET.
The rate of adoption of contactless cards varies widely by country, but almost 40 million are in circulation in Britain, according to The Telegraph. Users pay by tapping plastic against a reader. Various companies hope to add such functionality to NFC phones.
From the outset, though, the Telegraph claims, the technology has been “dogged” by fears of electronic eavesdropping.
“What we have tested is the reception of a synthetic transmission; reception requires an antenna, receiver circuitry, and a PC with data acquisition card. The distance at which reception is possible depends on the transmitting power,” says Dr Briffa.
Briffa says the clarity of the signal “depends on various factors, including the transmitting power and any interference. Under lab conditions, we have achieved low error rates as far as 45cm at minimum power levels specified by the standard.”
Eleanor Gendle, IET Managing Editor at The Journal of Engineering, where the research was published, said: “With banks routinely issuing contactless payment cards to customers, there is a need to raise awareness of the potential security threats. It will be interesting to see further research in this area and ascertain the implications for users of contactless technology with regards to theft, fraud and liability.”

Scary Code: Top 5 malware that kept researchers up at night

Which malicious code would be most frightening if sinister pieces of malware could rise from the dead on Halloween? Well, malware researchers spend all their time working with the creations of people who intend others harm, so you might expect they would be pretty immune to nervousness about the effects of malicious code. And it is true; a lot of us are very jaded about your average malware. Researchers certainly have a sense of the potential danger of the materials we are working with and are appropriately cautious, but there are some threats that are so scary that we will double or triple-check everything to make sure we cannot possibly let it loose somewhere accidentally.
While there are certainly other malware that has been more costly to fix or which spread much more widely, in terms of inconvenience or outright damage the following are the five malware that really give me the creeps:
  1. CIH (aka Chernobyl)
    CIH is the oldest of the malware on this list, and it was first discovered in 1998. This virus caused such pain for its victims that it was brought up in the news every year for ages, and almost every year it seemed to have a brand new nickname in the press, but the one that stuck was related to its particular payload.
    CIH would spread by hiding itself in “empty” spaces within innocent files, which made it very hard to clean – the size of those empty spaces varies a lot, so the virus code could be broken up in different ways, so it was hard to be sure that cleaning routines got every last bit of it out of a file. That could mean possibly manually replacing a lot of damaged executable files.
    Worse than that, if your system was still infected on April 26th (the anniversary of the Chernobyl disaster, which was speculated by some to be why the date was chosen) the virus was set to overwrite the first megabyte of the hard drive, which made the computer hang or blue-screen. In some cases the virus would even flash the BIOS, which is to say it rendered the computer completely unusable by overwriting code on a chip attached to the motherboard that enables computers to turn on. This virus hit over a million computers worldwide, and stuck around for many years after the last variant was found.
  2. ExploreZip
    ExploreZip is a pretty old virus too, first discovered in 1999. This comes from back in the days when people started using the term “blended threat” to describe the increasingly popular tactic of worms spreading by using a variety of different mechanisms. This one spread both by replying to your unread email with a copy of itself, and by searching for network shares that it could silently copy itself to. Once it was executed, it showed an error message that seemed to indicate that you’d just run a corrupted ZIP file.
    So far, pretty mundane stuff. But in the background, this virus overwrote .DOC files and certain programming source files with zeroes, which meant the files were destroyed in a way that could not be undone without resorting to expensive data recovery techniques.
  3. CryptoLocker
    CryptoLocker is the newest threat on this list, having first been discovered in the last few months. It too causes changes to affected users’ files such that they may be beyond repair. This malware is considered ransomware, which means that it scrambles files matching a list of different file types and demands that the scammer be paid $300 within a fixed time frame of a few days.
    That list of file types it seeks is very extensive, so the odds are good that if you do not have a backup of your data files, they will soon be completely garbled. Sometimes with ransomware we will get lucky and there will be some sort of clue in the files or weakness in the encryption that will allow us to figure out how to decrypt the files. But as this uses asymmetric encryption (similar to the technique used by commercial products), without the attacker’s key the files cannot be retrieved.
  4. Mebromi
    Mebromi is a nasty beast that was discovered in 2011, which takes a tip from CIH in that it flashes the BIOS to store some of its code. This puts part of its code outside the confines of the hard disk, which means it is outside the reach of the usual software-based cleaning mechanisms. As this would mean monkeying with the motherboard, this is a process that would probably require a trip to a repair shop.
  5. ZMist
    You may have heard of polymorphic viruses, which are viruses that change the appearance of their code from one infection to the next so that they appear different enough to hopefully fool anti-malware scanners. The problem with this is that the code used to change itself is static, and can be used by scanners as a way to identify the virus. ZMist, which was discovered in 2002, was called a “metamorphic” virus because it took this idea to an even more complicated level. Rather than simply changing its appearance, it contained code to completely recompile itself from one infection to the next. This made it incredibly difficult to detect with the technology that was available at the time.
These malware are all terribly unnerving in that they work hard to elude removal or create permanent damage on infected machines. But none of these threats managed to be truly undetectable, and most of them will not work at all on the latest versions of Windows.
The first two threats managed to become quite widespread, and they genuinely did cause a lot of damage. Because threats are now mostly financially motivated, it is generally not a good idea for them to announce their presence by causing a lot of damage on affected systems, as they are effectively killing their source of income. CryptoLocker is something of an exception to this rule, as some people are apparently paying to get their data back, but it is not truly damaging the files so much as rendering them unusable. But if you have backed up your data, this is merely an annoyance rather than a genuine problem.
The last two threats had researchers on tenterhooks for a while, as they could really have caused some major headaches or necessitated some changes in defensive technology, if malware authors had continued development of these strategies. But the thing is, malware authors looking for financial gain are not going to sink more of their time or money into development than they need to. Enough people are not employing good security practices that malware authors are able to make a considerable amount of money with much less complicated techniques.
Malware authors do not need to develop the most stealthy, armor-piercing creations imaginable to get what they want. But at the same time, this means you will not need bulletproof technology to defend yourself. For most people, practicing above average security hygiene – including good, up-to-date antivirus – is enough to evade most threats.

Sunrise “smart calendar” app warns of iCloud on the horizon after hack

Smart calendar app Sunrise has revealed it fell victim to the same cyberattack which saw social sharing app Buffer sending out thousands of weight-loss spam posts – and has warned users who link their Sunrise account to iCloud that they may be at risk.
In an update released on the company blog, CEO Pierre Valade said that users’ Google, Twitter and Facebook data are safe – and that users of LinkedIn and FourSquare will have to reconnect those services to Twitter.
Valade issued a warning to users who had connected an iCloud calendar to the app, saying, “the security breach may have put some of your calendar data at risk. As a precautionary measure, we recommend that you change your iCloud password and reconnect it to Sunrise.”
The Next Web reports that other companies were also affected – including developer product CircleCI. The Buffer incident happened after a hacker gained access to cloud-based database services company Mongo HQ, according to The Next Web.
Mongo HQ said that attackers gained access via a password that was shared with a compromised personal email account, according to ESecurityPlanet.
“As one of the many precautional measures we are taking, we will be logging every Sunrise user out of the app. Simply log back in using the ‘I’m Already a Sunrise User’ button and choosing one of the options that you had previously connected to your account,” said Valade. “We are incredibly sorry that this happened. Your security is very important to us, and once we were aware of the issue we took immediate steps to protect you and maintain your trust.”
The hack received significant public attention after the individuals responsible used their access to “social sharing” app Buffer to send thousands of spam posts advertising a miraculous fruit-based weight loss product – some from official Facebook and Twitter accounts for companies such as Brussels Airlines and Startup Genome.
Thirty thousand users had spam posted on their behalf, linking to a weight loss site.
The attack offered links to a product containing Garcinia Cambogia, a vegetable extract often used in weight loss sup fruit,” according to TechCrunch.

Untrained staff and low budgets leave 96% of businesses feeling “unprepared” for cyberattack

A survey of 1,900 executives at clients of the accountancy firm Ernst and Young found that almost all (96%) felt “unprepared” for a cyberattack – due to budget cuts and lack of skilled staff.
Constraints on budgets, at 69%, and a perceived lack of skilled staff, at 66%, were the biggest barriers to good security, according to a report by IT Pro Portal.
“In addition to our survey, we interviewed a number of senior executives representing organizations that in EY’s experience demonstrate leading practices in addressing cyber risks,” the firm said in its study.
Awareness of the dangers does appear to be rising – 70% of organizations say that information security is now dealt with at the “highest level”, and nearly half (43%) of firms have increased IT security budgets, according to the report.
Mark Brown, the company’s director of information security, said, “This year’s results show that while businesses are faced with a rising number of security breaches, budget constraints and talent shortages mean that they fail to put in place those systems that match their needs.”
Two thirds of those surveyed felt that the number of security incidents their organization faced had grown by 5% or more in the past 12 months. Around a third – 28% – suggested that the problem stemmed partially from a lack of awareness among executives, according to WorkPlace Law.
Ernst and Young said in its report, “As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless and often politically motivated.”
“Overall, 43% of survey respondents indicate that their budgets are on the rise. Within the government and public sectors, some respondents reported budget increases, but a majority indicate that their budgets have stayed the same as last year. Small businesses with a turnover of less than US$10m or businesses located in rapid-growth markets report the highest increases as a percentage of their budgets.”
The report’s conclusion, though, suggests more needs to be done: “Despite the efforts organizations have made over the course of the last 12 months to improve their information security programs, much more still needs to be done. Only 23% of respondents rated security awareness and training as their number one or two priority; 32% ranked it last. The only security area rated a lower priority by more respondents was threat and vulnerability management, an activity for which 31% of respondents had no program; this is surprising, as without it organizations have little visibility into where the cyber threats are and where a cyber attack may be coming from.”

Windows Server for Embedded Systems now available to take on the most critical challenges

On Friday Windows Server 2012 R2 for Embedded Systems became generally available.
“We think this is going to become the product for purpose-built, next-generation, enterprise class server appliances,” said Partha Srinivasan, product manager, Windows Embedded Server and SQL Products in a post on the Windows Embedded Blog. “With this edition, enterprises and OEMs [original equipment manufacturers] now have a lot more capabilities and a host of improvements they can leverage to enhance performance, save space and ensure nearly constant uptime.”
For one thing, he noted, the Windows Embedded team has substantially improved the product’s virtualization capabilities. This is good news for OEMs in particular, which have been utilizing virtualization to consolidate the physical architecture of their solutions and improve the return on investment of their products.
“R2 also features a host of upgrades designed to improve performance in a day-to-day, real-world way,” Srinivasan said. “The time it takes to complete a live migration has been cut in half. We’ve increased data transfer rates to 10 gigabits per second, greatly enhancing speed. We’ve also added support for USB access in guest VMs, making it easier to perform software deployment and file management. These improvements will enable OEMs to offer better products to support real world scenarios where optimized load balancing and live migration are critical.”
The combination of those two areas means that not only can you run a smaller number of server appliances, but you can do so at a higher capacity. This should result in some very interesting scenarios for operating high-performance solutions in reduced-space environments. Lufthansa Systems has already developed a small-footprint server appliance for use in airplanes, to facilitate in-flight entertainment.
Head on over to Srinivasan’s post for more on the R2 release, including its improved Storage Tiers feature, security and SMD Failover Cluster feature, which has been optimized so that total recovery time, from the system going down to being completely back online, is less than 20 seconds. You’ll find out how critical that is for OEM partners like Motorola Solutions, whose PremierOne computer-aided dispatch system — based on Windows Server 2008 R2 for Embedded Systems — is transforming the way 911 operators communicate with officers and first responders in the field.
To read more about Windows Server 2012 R2 for Embedded Systems, visit the product page and Srinivasan's previous blogs.

Microsoft’s largest scale education agreement will help boost skills for 4 million students in Sao Paulo state network

On Thursday, Microsoft announced an agreement with the Sao Paulo State Department of Education (SEE) to offer Office 365 free of charge to more than 4 million students from the state education network through the Student Advantage program. This joint initiative with the SEE represents an investment of almost $900 million, based on the individual subscription costs for Office 365.
Student Advantage will be available as of December 1 for all educational institutions with an Office 365 ProPlus or Office Professional Plus license for their administrative and faculty staff. In Brazil, the Sao Paulo State Department of Education will be the first to reap the benefits of Student Advantage, offering its students access to the complete version of Office 365 ProPlus at no additional cost. Students from the state education network will be able to use Office 365 tools on up to five devices, including smartphones and tablets.
Office 365 ProPlus includes all of the applications from the traditional Office suite, such as Word, PowerPoint, Excel, OneNote and Outlook, among others, which can be installed locally on up to five devices and offer offline availability. When a school combines Student Advantage with Microsoft’s other cloud services, Exchange Online, SharePoint Online and Lync Online, all available free through Office 365 Education, students have access to the same set of gold-standard productivity tools and services used by Fortune 500 companies all over the world.
“We are thrilled to offer Student Advantage to Brazilian schools so students can access the latest, most up-to-date version of the world’s leading set of productivity tools in order to give them a competitive advantage when entering the workforce,” said Mariano de Beer, Managing Director of Microsoft Brazil. “Nearly 98 percent of students using productivity software currently use Office.”
"Our commitment is to take permanent actions to ensure that our students have access to technological resources that are a fundamental part of their preparation. The agreement announced today is part of the initiatives being implemented by the SEE to offer digital tools linked to the state curriculum,” said the Secretary of State, Herman Voorwald.
The full press release of Thursday’s announcement is available in Spanish.

Anonymous OpNSA Campaign – OSINT to predict DDoS attacks on Nov 5th

OpNSA was analyzed with OSINT techniques based on the correlation of media activities and physical protests. The analysts provided a forecast of the next attacks.

Web Intelligence analysis alerts on early signs of an Anonymous cyber campaign dubbed OpNSA that, as usual, will target principal US Government websites with DDoS attacks. Security experts don’t exclude the possibility that the group will also target subcontractors to gather information for subsequent attacks within the OpNSA campaign.
Last September members of the Anonymous hacktivist collective, known as Anons, targeted US lawmakers who have financial collusion with intelligence contractors in their latest campaign. Unlike other Anonymous operations, OpNSA does not involve hacking; instead the operation aims to bring attention to collusion between US senators and private contractors, whom Anons allege enabled privacy violations as part of the National Security Agency surveillance program.
The names of contractors include Booz Allen Hamilton, Northrop Grumman, Raytheon, Lockheed Martin, General Dynamics and many others.
Anonymous promoted physical participation in the demonstrations organized in the streets:
“Under the cover of darkness, you are invisible. Take to the streets in the dead of night and erect over 9,000 posters, banners, flags, anything to show your support for Anonymous, OpNSA, Wikileaks, Edward Snowden, Bradley Manning, or any related campaigns. Also show your contempt for the PRISM program, the FBI and any other high profile opponents of the idea represented by Anonymous. The goal is public awareness! Post as many flyers from the sources listed as you wish. **REMEMBER** Use paste instead of tape. Use the cover of darkness. Be SAFE. Have some fun.”
“We encourage the production of videos and the taking of pictures (not to be taken on smart phones, preferably, due to their traceability) showing participation in this operation. **Keep your faces covered** Remember, this is a peaceful protest. Obey all laws, do not destroy any property, and do not do anything that could give law enforcement a reason to arrest you. Comply with their demands and be sure to give citizens a positive image of anonymous. If possible, answer people’s questions in a polite fashion. Distribute propaganda whenever possible. Public awareness of the NSA’s domestic spy programs begins with YOU. The right of free citizens to maintain their privacy is INVIOLABLE. PRISM companies, defense contractors, and federal agencies have gone out of their way to invade that privacy, and Anonymous is not pleased.”
The NSA’s website was down for 11 hours on Friday October 22nd, officially because of a problem that occurred during a routine website update, but not everybody believes this explanation, hypothesizing instead a cyber attack by hacktivists protesting against NSA surveillance activities.
I’ve found an interesting post on the use of Web Intelligence to detect early signs of the OpNSA cyber campaign that allows researchers to predict the evolution of the operation. The analysts, using the web intelligence platform Recorded Future, demonstrated that members of Anonymous were promoting the physical protests prior to Saturday 26th, which allowed them to raise an alert on October 11th. Previous research has closely linked public protests with an escalation of events in cyberspace.
The dates of October 26 and November 5 are visible in the following graph, and you have to consider that the demonstration that saw thousands of protesters in DC on October 26th was known about for weeks in advance.
Recorded Future opNSA

The timeline shows the increase in media activity (e.g. tweets forewarning of protests) before the cyber attacks against the NSA over the past weekend. Another peak is evident for 5 November, which could be a possible date for the next Anonymous attack.
The OSINT analysis also revealed a growing number of tweets over the weekend using the hashtags #OpNSA and #OpPRISM, a social media campaign to recruit volunteers for DDoS attacks against the agency on 5 November.
“Whether Friday’s incident was truly an internal error or actually a successful hack, more disruption is on the way.”
Let me conclude with a reflection: state-sponsored hackers use the same techniques to analyze targets and to pick the most profitable moment to conduct an attack while remaining anonymous. A rise in hacktivist campaigns is a privileged moment for covert cyber operations, for both sabotage and cyber espionage.

Healthcare security standard launched to end data breach blunders

A new security certification for the healthcare sector is aiming to provide a gold standard for those handling sensitive data.
The HealthCare Information Security and Privacy Practitioner (HCISPP) standard has been put together by information security body ISC² as a means of providing an industry-wide qualification for those handling sensitive data.
Tim Wilson, a member of ISC² and deputy head of ICT at NHS City and Hackney, told V3 that the need for such a qualification has come about as growing amounts of sensitive digital data is being collected by healthcare organisations.
“The changes that are going on in healthcare, such as the move to go paperless and rising cloud use, means there is real need for this type of standard," he said.
“As such several members of CISPP met up on a number of occasions in various places over the world and hammered out the details of what it should cover and the areas we need to be testing.”
The course sets out to cover six main areas affecting the collection, storage and use of data in which healthcare professionals need to be fully competent. These include:
  • Healthcare industry
  • Regulatory environment
  • Privacy and security in healthcare
  • Information governance and risk management
  • Information risk assessment
  • Third party risk management
Furthermore, given that people often receive treatment outside their home country, the standard covers issues of cross-border data transfers. Wilson said this should add another element to the certification to ensure those who sit the test are at the top of their game.
“If you look around the world the standards in most areas are based on very similar ideals. This means you are going to have to revise for this certification, it’s not just something you can walk into,” he said.
To sit the exam healthcare staff will need at least two years of experience in a relevant role and at least one of these two years must have been in the healthcare profession.
The exam consists of 125 multiple choice questions based on a mixture of straight knowledge and scenario-based situations. No pass mark has been made public for those who sit the exam.
The course could prove popular within the NHS and related healthcare fields as numerous data blunders have affected the sector over the years, leading to many fines from the Information Commissioner’s Office.

Yahoo launches $15,000 bug bounty system after t-shirt scandal

Yahoo's long-anticipated bug bounty programme has launched following October's "T-Shirt gate" controversy.
The web firm will now pay up to $15,000 to ethical hackers who find vulnerabilities in its web services, a bigger offering than its previous policy of providing Yahoo merchandise vouchers.
Writing on Yahoo's developer blog, the company's head of security Ramses Martinez said the process had been an "extremely positive" experience.
"It is our hope that the official launch of this program will usher in a new, less-shirt-centric era for security at Yahoo," he said. "We look forward to open and productive collaboration with the community and doing our part to make the Internet more secure."
Martinez claimed last month that he was the person who instigated voucher-based rewards for hackers, even going as far as saying he paid for them out of his own pocket.
In addition to ramping up the rewards for finding security flaws, the process behind bug reporting has been overhauled, according to Yahoo. A new, more automated submission service is expected to handle reports faster, while a new, clearer set of guidelines have been published to the bug submission page.
Yahoo's seemingly inadequate bug bounty reporting system found itself in the limelight after researchers from security firm High-Tech Bridge revealed they had been paid $25 for the discovery of two relatively serious XSS vulnerabilities on Yahoo domains.
In a subsequent blog post, Yahoo's Martinez claimed the submission and reward process had already been undergoing an overhaul before High-Tech Bridge's blog post, although the timing of the claim seemed a little too convenient. For hackers who still want Yahoo merchandise, T-shirts remain on offer.

Google loads Chrome browser with malware killswitch

Google has added a new reset function to its Chrome browser in a bid to help protect users from online cyber scams.
Google vice president, Linus Upson, unveiled the plans in a blog post and explained the feature is a reaction to a recent wave of cyber attacks targeting the company's customers.
"Online criminals have been increasing their use of malicious software that can silently hijack your browser settings," he wrote.
"We're taking steps to help, including adding a ‘reset browser settings' button in the last Chrome update, which lets you easily return your Chrome to a factory-fresh state. You can find this in the ‘Advanced Settings' section of Chrome settings."
Upson said the attacks are dangerous because the criminals bundle the malicious software with a variety of free services. "Bad guys trick you into installing and running this kind of software by bundling it with something you might want, like a free screensaver, a video plugin or - ironically - a supposed security update," explained Upson.
"These malicious programs disguise themselves so you won't know they're there and they may change your homepage or inject ads into the sites you browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state."
The Google vice president said the settings reset is one of many security features the company is working on. These include the malware blocking built into the current Canary build of Chrome and the Safe Browsing service.
These features are designed to automatically detect and block malware in downloaded files and on websites. Upson said the Safe Browsing service blocks 10,000 websites per day.
Google has touted security as a key selling point for its free Chrome browser. Earlier, the company confirmed it would continue offering security patches for the Windows XP version of Chrome until at least 2015, a full year after Microsoft officially ends support for the operating system.

PRISM: NSA spying was a wake-up call that may strengthen cloud security

V3's Dan Robinson
The fallout from the scandal surrounding the US National Security Agency (NSA) internet surveillance programme was still dragging on when cloud and virtualisation specialist VMware announced an expansion of its vCloud Hybrid Service during its VMworld conference in Barcelona.
While VMware has a large presence inside corporate data centres, the firm is currently playing catch-up with rivals in the public cloud arena, especially Amazon Web Services. With the vCloud Hybrid service, the firm is seeking to build out a public cloud infrastructure-as-a-service (IaaS) presence based on its vSphere platform by working with partners.
The UK is one of the first territories outside the US to get access to this service, which is currently operating in beta out of a third-party partner data centre in Slough, with full availability coming next year.
Among the areas VMware was keen to address are the security and privacy concerns of European customers, which have been heightened by the ongoing revelations regarding the sheer scale of the internet spying operation that the NSA has been carrying out.
However, concerns about US government snooping should have already been on the radar for businesses. A couple of years ago, V3's Cloud Summit raised the issue of the Patriot Act, which allows US authorities to request access to any data held by American firms – even if that data belongs to European customers and is stored in a data centre in Europe.
So we can be thankful that the NSA scandal has raised the profile of data security, which may actually make companies think more carefully about where they keep their data and how they protect it.
This is a big issue with public cloud services, since you are effectively entrusting your data to a third party, whether you are just using the cloud for storage or operating virtual machines in the cloud to process information.
Experts were already questioning whether UK and European businesses should avoid using cloud services operated by US companies, but this is easier said than done; many firms that appear to be native turn out to be subsidiaries of US operations, or could easily end up being acquired by a US company in future.
The end result of all this could be a chilling effect on the uptake of cloud services outside the US, with customers unsure of whom to trust. This would be a shame, since the cloud holds out the promise of a more cost-effective and flexible approach to IT provisioning, with customers paying only for the IT resources they require to meet their immediate needs, but able to turn on additional resources if and when they need them.
Solutions to this problem are available, but perhaps are not being employed as widely as they could be. The first is full encryption of data stored anywhere in the cloud, as well as the use of an encrypted link such as a VPN between your company network and any cloud service you make use of.
Amazon offers a feature called CloudHSM that gives customers the ability to securely manage their own encryption keys for data on its cloud, for example, although this only applies to users of its Virtual Private Cloud (Amazon VPC) service, which is isolated from the rest of AWS.
The second is the careful use of policies to ensure that really sensitive data stays safely on your own network. Information such as financial data may be just too risky to entrust to anyone outside the company, and so some on-premise IT infrastructure is likely to be required by most firms for some time to come.

Fathers for Justice a bigger threat than cyber terrorists during London Olympics, says Lord Coe

AMSTERDAM: Real-world disruption from groups such as Fathers for Justice was a more serious risk to the London 2012 Olympic Games than cyber terrorists, according to Olympic chairman Lord Sebastian Coe.
Coe said despite heavy investment into the Games' cyber defences, once the Olympics started, the organisers spent more time mitigating risks from local political groups.
"In the end you always have your standard areas of risk and concern and that obviously includes acts of terrorism," he said during RSA 2013.
"But then you have other security concerns; terrorism is only one part. You have to have contingencies for everything – acts of God, accidents, the weather, flu pandemics. That's the nature of security.
"In the end most of the challenges weren't terrorists, cyber or otherwise, they were domestic. The threats were of a domestic nature, where you had a potential window for some groups – which included everything from Fathers for Justice through to taxi drivers, angry they weren't allowed into the Olympic lanes – to cause disruption. That tended to be the level of the threat."
Coe's comments mirror those of BT chief executive officer Mark Hughes, who previously said that, despite heavy investment to counter any potential cyber terrorist activity, no attack occurred during the Games.
"We worked with various government organisations but the Home Office was effectively responsible for dealing with the threat element of the games. In the sense of what these specific threats were, terrorism was one of them, and we did work to protect against it, but, come the games we didn't see anything specific regarding the terrorism stuff," he said.
Coe praised companies such as BT for their role during the Games, highlighting their participation as a key example of how the public and private sectors can work together.
"The collaborative work that was done around the website and telecoms security, BT really took the lead with that. This was because they have very good community links anyway, as they provide infrastructure in London's boroughs. I think one of the strong legacies to come out of the Games is that there is a much greater understanding how the public and private sector can come together," he said.
"During the games I think the private sector had their views about the scale of what the public sector does change during the period. From my personal experience working alongside many of these teams, they did actually come out having a much better feel for what the public sector did. Conversely, the Games helped the public sector, which from time to time has had a fairly preconditioned idea of what the private sector is about softened."
Coe is one of many political figures to praise BT for its role in the Games. While hosting the Olympic site BT is believed to have dealt with over 200 million cyber attacks.
Increasing collaboration between the public and private sector when combating cyber threats has been an ongoing goal of the UK government and is a central part of its Cyber Security Strategy. The strategy has seen the government launch several information-sharing initiatives since it began in 2011.
Chief of these is the government's Cyber Security Information Sharing Partnership (CISP). The partnership was launched in March and is designed to facilitate real-time data sharing between the public and private sector.
The scheme has received mixed feedback since launching. Some, such as BT chief Hughes, claim it is already facilitating "actionable data sharing" between government departments and private companies. Others, like (ISC2)'s John Colley, have been less positive arguing CISP is currently only helping a very select group of businesses.

NSA chief: Google and Yahoo cable taps would be 'illegal'

The director of the US National Security Agency (NSA) has denied tapping cables at the data centres of Google and Yahoo, arguing that such acts would be illegal, and insisted that there is mutual co-operation between his agency and tech companies.
Speaking to Bloomberg, General Keith Alexander said that to his knowledge, such acts "never happened". He added that similar allegations levied against the NSA last June were "factually incorrect".
"The servers and everything we do with them, those companies work with us, they are compelled to work with us. It is compelled and these are specific requirements which come from a court order," he said.
An NSA project known as MUSCULAR, revealed by the Washington Post on Wednesday, appears to show diagrams demonstrating how data moving between systems belonging to Google and Yahoo can be tapped by agency equipment.
Alexander rebuffed the claims, saying: "It would be illegal for us to do that. I can tell you factually that we do not have access to Google servers, Yahoo servers. We go through a court order. We issue that court order to them through the FBI."
He added that the extent of the NSA's surveillance had also been exaggerated, claiming it made thousands of requests rather than millions.
Google was said to be "troubled" by the allegations, while Yahoo simply denied any knowledge of such activities taking place. Many tech companies including Microsoft and Facebook had previously been implicated in claims of providing backdoor access to the NSA, which they have repeatedly denied.
Multiple firms have filed petitions with the US government in a bid to be able to publish more transparent information on how they co-operate with the US security services.

UK government's anti-hacker CISP initiative failing to support SMBs

AMSTERDAM: The UK government's Cyber Security Information Sharing Partnership (CISP) is failing to support small to medium-sized businesses (SMBs), according to John Colley, EMEA director for the International Information Systems Security Certification Consortium (ISC2).
Speaking at the RSA Conference 2013, Colley said that enterprise firms' ongoing mistrust of small to medium-sized businesses' security, combined with their new wariness of government agencies, has hampered CISP's information sharing efforts.
"The bottom line is, I'm not going to share information with anyone I don't know and trust. So if you're a small organisation or a medium-sized organisation, you need to get to know the people with the information you need and build some trust. You can't just sit back and expect all this information to just come to you," he said.
CISP is an information-sharing initiative launched by the UK government as part of its ongoing Cyber Security Strategy. It is designed to help protect the UK's growing digital economy against hackers by facilitating real-time data sharing between the government and private sector.
Colley said this has meant many larger firms have continued the old model of sharing information on a more ad-hoc "club" basis. "Closed clubs are generally how you share information. They work by building up trust between small groups of individuals," he said.
He highlighted the NSA's notorious PRISM spy campaign as a key reason for the breakdown of trust. "The only way this works is through a trust network and clearly, this has broken down. It still works among individuals but when it comes to government agencies it's broken down. This is because the NSA has committed the cardinal sin of being found out."
The ISC2 expert said this is no bad thing, as in the past such systems have proven effective. "If I go back 10 years, I was a member of a select 'dining club'. We used to meet every few months. Different companies would act as the host and at gatherings we'd have a few drinks and a nice meal and then we'd just talk about a few things. In the same year the club was running, Barclays was hit by the first phishing attack in the UK," he said.
"Phishing is old hat now, but this was the first one. Back then the acting chief security officer of Barclays told us what happened and how the attack had changed over time. Two weeks later, NatWest, part of the RBS brand I was working for, was also hit by a phishing attack. We were able to respond to that very quickly because we knew what they were able and going to do."
Colley added that making CISP more relevant to a wider audience will be difficult as it will require the government to create a new anonymised way to share data.
"I wish CISP and all these people success, but I'm not sure this will scale unless you find some standard way of reporting threats and trends, unless you can find a way to anonymise what is being sent. The problem is, by anonymising you often neuter it," he said.
"For example, during my time at RBS we were contacted by someone from the then Hi-Tech Crime Unit, telling us someone had gotten hold of something they shouldn't. When we asked where the Hi-Tech Crime Unit had got the information from, they said 'we couldn't possibly tell you'."
"This was the only time we'd gotten anything from the Hi-Tech Crime Unit, and it was so anonymised we couldn't use it as it was."
Despite Colley's negative comments, some CISP members have defended the scheme. FireEye chief technology officer and active CISP member Greg Day said the programme is in its early stages and is working on ways to help SMBs.
"When we first started thinking about CISP we were asking about what people would actually do with the information. If you go back to the big organisations they just want the quick description because they've got the capabilities to translate it and turn it into an action. But if you move down into most smaller organisations, most of them don't have the skills to use it. You'll send it and they'll just ask 'what is this, what do you expect me to do?'," he said.
"Part of the longer-term plan is to use CISP for different outputs for different people, to ask what's relevant to them. We could easily bombard people with so much information they just ignore it. You need someone doing some enrichment, looking for what's relevant going down the food chain. You then need someone who can go even further and just send out information about a solution. That's why I welcome the set up of a UK national Computer Emergency Response Team (CERT)."
The government announced plans to create a UK CERT in December 2012. The team is designed to help UK business and law enforcement groups, such as the new National Crime Agency, respond to cyber threats more quickly.

Finland’s Ministry of Foreign Affairs hit by extensive cyber espionage

Finland’s foreign minister announced that foreign intelligence agents had carried out large-scale cyber espionage into government communications.

The Finnish Ministry of Foreign Affairs' networks have been targeted in a cyber espionage operation lasting at least four years, the Finnish commercial broadcaster MTV3 has reported.
Finland's foreign minister Erkki Tuomioja confirmed the shocking news that a large hacking attack had targeted the ministry's networks:
“I can confirm there has been a severe and large hacking in the ministry’s data network.”
There are indications that information with the lowest level of security classification has been compromised, he said.
He declined to comment on possible involvement of foreign governments, but MTV3 cited unidentified sources that indicated Chinese and Russian intelligence agents as responsible.
The cyber espionage was conducted with malware-based attacks to spy on communications between Finland and the European Union. According to the first information made public about the investigation, the malicious code used by the hackers has many similarities with Red October, but Ari Uusikartano, director general of the information and documentation division at Finland's Ministry for Foreign Affairs, said the agent is more sophisticated than Red October.
Although the news has only been reported now, the data breach was uncovered in the first part of this year; MTV3 confirmed that the malware was detected following a report from abroad to CERT.FI. The Finnish government and authorities are continuing the investigation, so many details have not yet been disclosed.
Similarities with Red October
The cyber espionage campaign known as Red October, reported by Kaspersky Lab in early 2013, hit the computer networks of numerous government and diplomatic agencies. That campaign had also been running since 2007 and was still active when discovered, which suggests to security experts that the attack against Finland's Ministry of Foreign Affairs could be a spin-off by the same group of hackers.
It is possible that a common actor was involved in both campaigns, and probably in many other cyber attacks that have not yet been discovered.
Security experts who investigated Red October stated that the exploits used in the attacks appear to be of Chinese origin, while analysis of the source code revealed the involvement of Russian-speaking individuals. Is Russia or China involved in the cyber espionage against Finland's Ministry of Foreign Affairs?
As a reminder, neighbouring Estonia was the victim of a powerful attack in 2007 that paralyzed the country's Internet infrastructure; Estonia blamed the Russian government for that attack.
The two governments are the principal suspects, but attribution in cyberspace is difficult and investigators need further information; the Finnish Security Intelligence Service is investigating the complicated case.
Finland is probably just the first of a long series of victims.

Google hacking – Automated website hacking tools based on Google dorks

Google hacking is a formidable reconnaissance method, and mass website hacking tools based on Google dorks give malicious online activity a further advantage.

Google hacking is a must for hackers and pen testers; the popular search engine is a mine of information for targeted analysis and the reconnaissance phase. In the past we discussed how to use Google hacking techniques to gather information on specific targets and discover vulnerable websites on a large scale.
The attacker's job is made easier by the availability on the black market of numerous DIY tools that run large numbers of specifically crafted queries to discover vulnerable websites.
Security expert Dancho Danchev has just published an interesting post on a Google dorks-based mass website hacking/SQL injection tool used by cyber criminals to facilitate exactly this kind of malicious online activity.
Typically attackers, not necessarily skilled professionals, use Google hacking techniques to identify possible targets; Google dorks are a powerful instrument for mass website hacking. In a second phase they adopt publicly or commercially available tools that exploit remote web application vulnerabilities. Insecurely configured websites, CMSs and social media platforms are privileged targets, easy to identify and to compromise. One of the principal monetization methods is renting out botnets composed of millions of malware-infected hosts, compromised partly thanks to the above techniques.
Google hacking tools are also used for a second purpose: cybercriminals exploit them to collect huge quantities of data to resell on the underground market.
In his post Danchev profiled a DIY (do-it-yourself) mass website hacking tool as a case study to demonstrate how easy it is to efficiently compromise tens of thousands of websites indexed by the world's most popular search engine.
The screenshots in Danchev's post show the tool's user-friendly GUI, designed for automatic mass website scanning; its purpose is automated reconnaissance for hosts vulnerable to SQL injection attacks due to the presence of known flaws.
“Once a compromise takes place, the attacker is in a perfect position to inject malicious scripts on the affected sites, potentially exposing their users to malicious client-side exploits serving attacks. Moreover, as we’ve seen, the same approach can be used in a combination with privilege escalation tactics that could eventually “convert” the compromised host as part of an anonymous, cybercrime-friendly proxy network, as well act as a hosting provider for related malicious of fraudulent content like malware or phishing pages.”
Security analysts expect to continue observing similar Google hacking tools, increasingly tailored to the needs of a growing number of clients who look to the black market for user-friendly DIY tools for illegal activities.
Administrators are strongly advised to carefully review the security settings of their websites: misconfigurations are the primary cause of data breaches and make a website easily identifiable with DIY tools based on Google hacking principles.
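The review above is usually done from the outside with the same dork queries an attacker would run. The same check can be done from the inside first: the script below, an added example that is not part of the article or of Danchev's post, walks a site's document root for the kinds of files and directories that dork queries are typically written to find (dumps, backups, editor copies, repository metadata, phpinfo pages). The pattern list is an illustrative assumption, not an exhaustive catalogue, and the sample site tree is constructed in a temporary directory so the script runs offline.

```python
"""Added example (not from the article or Danchev's post): a local audit
that walks a site's document root for files and directories that Google
dork queries are typically written to find. The pattern list and the
sample tree are assumptions constructed for the demo, not an exhaustive
catalogue."""
import fnmatch
import os
import tempfile

# Glob pattern -> why an indexed copy would matter (assumed, illustrative list)
EXPOSED_PATTERNS = {
    "*.sql": "database dump",
    "*.bak": "backup copy of a source or config file",
    "*.old": "backup copy of a source or config file",
    "*~": "editor backup of a source or config file",
    "*.log": "application log",
    "*.zip": "archive, often a site backup",
    "*.tar.gz": "archive, often a site backup",
    ".env": "environment file with credentials",
    ".htpasswd": "basic-auth password hashes",
    ".git": "version control metadata (source recovery)",
    ".svn": "version control metadata (source recovery)",
    "phpinfo.php": "PHP configuration disclosure",
}


def classify(name: str):
    """Return the reason a file or directory name matches, or None."""
    for pattern, reason in EXPOSED_PATTERNS.items():
        if fnmatch.fnmatch(name, pattern):
            return reason
    return None


def audit_web_root(root: str) -> list:
    """Walk the document root and return sorted (relative_path, reason)
    pairs. Matching directories are reported and not descended into."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            reason = classify(d)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel.replace(os.sep, "/") + "/", reason))
                dirnames.remove(d)  # do not walk into .git/ etc.
        for f in filenames:
            reason = classify(f)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)


def build_sample_root() -> str:
    """Constructed sample site tree used to exercise the audit."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = ["index.php", "backup.sql", "config.php~", ".git/HEAD",
              "uploads/site.zip", "uploads/photo.jpg"]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for path, reason in audit_web_root(build_sample_root()):
        print(f"{path:25} {reason}")
```

Run it against the real document root (`audit_web_root("/var/www/html")`, path assumed) and treat every hit as something the search engine may already have indexed: remove it or move it outside the web root rather than relying on robots.txt, which only asks well-behaved crawlers to stay away.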

SQL Injection, XSS and URL Redirect found in popular websites

Security researcher Mohamed Osman Saeed has identified numerous vulnerabilities and reported them all; they include SQL injection, XSS and URL redirect flaws.

Security researcher Mohamed Osman Saeed has identified numerous vulnerabilities and reported them all, following responsible disclosure. The flaws affected major security firms and private companies; the complete list follows:
  1. Unvalidated URL Redirect in Symantec.
  2. Multiple XSS in Fireeye.
  3. Multiple XSS in First.
  4. Multiple XSS & SQL Injection in Oracle ( education.oracle.com).
  5. Multiple XSS in Ebay (scgi.ebay.com).
  6. Multiple XSS in EbayEnterprise.
  7. Multiple XSS in HP (www.shopping.hp.com).
  8. Multiple XSS in SourceFire.
  9. Multiple XSS & SQL Injection in PaloAlto Networks (events.paloaltonetworks.com).
  10. Multiple XSS in Gartner.
  11. Multiple XSS in Cisco in 2 sub-domain (tools.cisco.com – socialmedia.cisco.com).
  12. Multiple XSS in tele2.
  13. Multiple XSS in Fortinet Cloud.
  14. Multiple XSS in EMC ( store.emc.com).
Below he describes the flaws discovered and the technique used for the analysis.
I usually use Burp Suite for scanning, traffic interception and payload injection, beside the Mantra browser for all XSS PoCs. The flaws include XSS, SQL injection and URL redirection. I used a manual scanning technique based on Burp Suite for XSS and URL redirect; for advanced SQL I used sqlmap, which is really evil with its cool tamper scripts for advanced evasion bypass; last, in the Oracle case I preferred the Havij automated tool, which is suggested for medium SQL injection techniques.
SQL injection allows enumeration of the database backend, which contains sensitive data; beside that the attacker can leverage the attack vector for command injection, to upload malicious files, backdoor the box, own the system and infiltrate the internal network.
XSS is considered a critical client-side attack; with an attack vector variation the attacker can control the client browser and do evil things. An unvalidated URL redirect lets the attacker redirect the client to a malicious web site, or could be used to steal user credentials.

SQL Injection

An SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.
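The root cause described above is that the query text and the client's data share one string. The added example below (not code from the report or from the researcher) shows the vulnerable login form beside its parameterised replacement on a constructed in-memory SQLite table; the table, users and the `TAUTOLOGY` probe string are all assumptions made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data so the example runs offline (not real accounts)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    return db


def login_vulnerable(db, username, password):
    """The 'before' form: client input is pasted into the SQL text, so the
    data plane and the command plane are the same string and a quote in the
    input changes the predefined statement."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return db.execute(sql).fetchall()


def login_hardened(db, username, password):
    """Parameterised query: the statement shape is fixed and the values travel
    separately as bound parameters, so input can only ever be compared as
    data. Pair this with a low-privilege database account (defence in depth)."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


# Classic textbook tautology probe, used here only to show the contrast.
TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, probe input:", login_vulnerable(db, "x", TAUTOLOGY))
    print("hardened,   probe input:", login_hardened(db, "x", TAUTOLOGY))
```

Running it shows the concatenated form returning every user for the probe input while the parameterised form returns no rows, which is exactly the difference a code reviewer should look for in the older PHP/ASP-style interfaces mentioned above.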
XSS

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used by that site. These scripts can even rewrite the content of the HTML page. 
Unvalidated redirects

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within that untrusted input. By modifying the untrusted URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
