Archives for December 2016
Attack works only on Visa network, Newcastle University researchers say.
Researchers at the UK’s Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using nothing but guesswork — six seconds flat.
Their so-called Distributed Guessing Attack, which is detailed in a paper published this week in the IEEE Security & Privacy journal, essentially circumvents all security features for protecting online payments.
The researchers believe it is likely the same tactic that attackers recently used in stealing a total of £2.5m from about 20,000 customers of Tesco Bank.
The attack takes advantage of two factors in the payment card ecosystem. One is the manner in which different online merchants request different types of information for processing a debit or credit card payment.
All merchants at a minimum require the card number or Primary Account Number (PAN) and expiry date. In addition, some merchants also ask for the card verification value (CVV), the three-digit security code on the back of each card. Some also ask for the cardholder’s address in addition to the other three fields.
The attack also exploits the fact that in many cases there is no mechanism currently in place to detect multiple invalid payment requests that are being made on the same card from different online merchant sites. That makes it possible for someone to take an unlimited number of cracks at guessing a card’s CVV or an expiration date by spreading the guesses across multiple sites.
These two factors together create a scenario where an attacker can obtain full card details one field at a time by automatically generating and verifying different combinations. The process takes as little as six seconds to generate complete information for a card, the researchers claim.
“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,” said Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science, in a statement.
The guessing attack worked only on Visa’s network. MasterCard’s network – the only other network that the researchers tested – quickly detected the guessing, even when the attempts were spread across different merchant sites.
To verify the attack, the researchers used their own cards and ran a website bot and an automated script against 400 top merchant sites to see if they could guess their own Visa card details.
For the paper, the researchers began with the PAN for each of their cards and tried to see if they could guess the CVV, expiration date, and address associated with each. The attack works even when the PAN is not available.
With a valid PAN, all that an attacker has to do to guess the expiration date is to look for merchant sites that require only the card number and expiry date field. Because most cards are valid for five years, an attacker needs only 60 attempts spread across multiple merchant websites to guess expiration month and year. With the expiration date on hand, it takes less than 1,000 attempts to get the 3-digit CVV again by spreading the guesses over multiple sites.
As a result, with as few as 1,060 automated guesses, it becomes possible for an attacker to obtain the CVV and expiry date of any card. By contrast, if all merchants required cardholders to enter the same three fields (the PAN, CVV, and expiration date), it would take as many as 60,000 attempts to recover the fields, the researchers said in their paper.
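The following added example (not code from the Newcastle paper or from any card network) models the detection gap the article describes: declined attempts on one card are spread round-robin over many merchants, so a per-merchant limit never trips, while a counter keyed on the card alone, which only the issuer or network can keep, flags the burst at the tenth decline. It also computes the 1,060 versus 60,000 guess budgets from the field sizes. All attempt records, merchant names and the hashed card identifiers are constructed sample data.

```python
"""Issuer-side detection of distributed guessing spread across merchants."""
from collections import defaultdict, deque
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class AuthAttempt:
    ts: float          # seconds since start of the observation window
    pan_hash: str      # hashed card number; raw PANs never belong in logs
    merchant: str
    approved: bool


def guess_budget(field_sizes: dict, fields_verified_together: bool) -> int:
    """Worst-case attempts to recover every field.

    Guessed one field at a time (sites that accept a subset of fields confirm
    each separately) the budgets add; verified together they multiply.
    With the page's figures, 60 expiry dates and 1000 CVVs: 1,060 vs 60,000.
    """
    if not fields_verified_together:
        return sum(field_sizes.values())
    total = 1
    for n in field_sizes.values():
        total *= n
    return total


class SlidingWindowCounter:
    """Counts declines per key inside a trailing time window."""

    def __init__(self, window_s: float, threshold: int) -> None:
        self.window_s = window_s
        self.threshold = threshold
        self._events = defaultdict(deque)

    def observe(self, key: str, ts: float) -> bool:
        """Record one decline for key at ts; True once the window holds
        at least `threshold` declines for that key."""
        q = self._events[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold


def run_detectors(attempts, window_s: float = 3600.0, threshold: int = 10):
    """Replay declines through a per-merchant and a per-card detector.

    Returns (merchant_alerts, pan_alerts, pan_first_alert_ts).
    """
    per_merchant = SlidingWindowCounter(window_s, threshold)
    per_pan = SlidingWindowCounter(window_s, threshold)
    merchant_alerts = set()
    pan_alerts = set()
    pan_first_alert = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        if a.approved:
            continue
        # What a single merchant can see: declines on this card at this site.
        if per_merchant.observe(f"{a.merchant}|{a.pan_hash}", a.ts):
            merchant_alerts.add((a.merchant, a.pan_hash))
        # What only the issuer/network can see: declines on this card anywhere.
        if per_pan.observe(a.pan_hash, a.ts):
            pan_alerts.add(a.pan_hash)
            pan_first_alert.setdefault(a.pan_hash, a.ts)
    return merchant_alerts, pan_alerts, pan_first_alert


def constructed_attempts(n_guesses: int = 60, n_merchants: int = 30,
                         pan_hash: str = "pan:constructed-1") -> list:
    """Constructed sample: n_guesses declines for one card spread round-robin
    over n_merchants sites, one every 0.1 s (the paper's six-second scale),
    plus one legitimate approval on another card that must not alert."""
    attempts = [
        AuthAttempt(ts=i / 10, pan_hash=pan_hash,
                    merchant=f"merchant-{m:02d}", approved=False)
        for i, m in zip(range(n_guesses), cycle(range(n_merchants)))
    ]
    attempts.append(AuthAttempt(ts=5.0, pan_hash="pan:constructed-2",
                                merchant="merchant-00", approved=True))
    return attempts


if __name__ == "__main__":
    m_alerts, p_alerts, first = run_detectors(constructed_attempts())
    print("per-merchant alerts:", len(m_alerts))        # each site saw only 2 declines
    print("per-card alerts:", sorted(p_alerts), first)  # card flagged at the 10th decline
```

With all 60 guesses sent to a single merchant the per-merchant detector fires too, which is exactly why distributing the guesses defeats it.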
A New Approach to Cybersecurity
It’s a simple concept: The earlier you detect and mitigate a threat, the less the ultimate cost to your business. Implementing an effective end-to-end threat management process that focuses on reducing detection and response times can help you avoid high-impact security incidents like data breaches. We refer to this process as Threat Lifecycle Management (TLM).
Improve the Efficiency of Your Security Operations with Threat Lifecycle Management
TLM is a series of aligned security operations capabilities and processes that begins with the ability to see broadly and deeply across your IT environment and ends with the ability to quickly mitigate and recover from a security incident.
The goal of effective TLM is to reduce your mean time to detect (MTTD) and mean time to respond (MTTR), while keeping staffing levels flat. However, even mature security operations centers (SOCs) have historically struggled to streamline these complex processes, resulting in reduced team efficiency and effectiveness as well as higher costs.
Fortunately, you can enable effective TLM at a scale appropriate to your business through modern technology, specifically in the areas of machine analytics and security automation and orchestration. Advanced machine analytics are key to discovering potential threats quickly, while security automation and orchestration capabilities increase analyst efficiency to support the entire threat investigation, through full remediation and recovery.
Lower Your Total Cost of Ownership and Maximize Return on Investment
It’s important to note that the realization of effective TLM is an investment in technology, people, and process. On the technology front, it is certainly possible to leverage a combination of disparate systems and solutions. However, when doing so, effectiveness depends on multiple API-level integrations and the speed with which you can navigate multiple product interfaces.
Ideally, a unified platform with a single interface should be used to deliver the combined capabilities to realize end-to-end TLM. Ultimately, only a unified platform can ensure a low total cost of ownership (TCO) and effectively maximize the return on investment (ROI) of your security technology and personnel.
Bottom line: When you realize Threat Lifecycle Management with an advanced, unified platform, you can overcome resource constraints to quickly implement a capable and formidable security operation in support of rapid monitoring, detection, and response.
Download the whitepaper to learn how you can prevent high-impact cyber incidents through optimized threat lifecycle management.
I’m excited to share our latest release, LogRhythm 7.2. It arms your team with the ability to detect, respond to, and neutralize threats before they result in damaging cyber incidents like a data breach.
LogRhythm 7.2 builds upon the groundbreaking innovations in LogRhythm 7.1 to minimize total cost of ownership and enable end-to-end threat lifecycle management. So what’s new in 7.2?
Improved Performance and Reduced Total Cost of Ownership
If your organization is like most, your requirements are growing faster than your budget is. LogRhythm 7.2 performs at massive scale, but in a cost-efficient manner.
This release improves data processing and indexing performance by up to 200 percent, reducing your IT infrastructure costs. It also provides automated data source onboarding and streamlines many other administrative tasks, allowing your team to focus on alarms that matter instead of spending time on administration.
New Security Analytics Capabilities and Visibility into Cloud Infrastructure
With LogRhythm 7.2, we’ve expanded our data schema to include over 20 new fields that unlock powerful new threat-detection capabilities.
We’ve also expanded our device support to deliver greater visibility into cloud-based systems, such as AWS, Azure, Salesforce, and Box. Altogether, LogRhythm now provides out-of-the-box MDI support for over 785 unique data source types—twice as many as our closest competitors.
Even Stronger User and Entity Behavior Analytics (UEBA)
LogRhythm uses data from across your users, networks, and endpoints to detect threats across your holistic attack surface. This release offers significant enhancements to our packaged User and Entity Behavioral Analytics (UEBA) module, so you can better identify insider threats, compromised accounts, privilege abuse, and more. The module’s enhancements include new threat detection algorithms, stronger kill-chain corroboration, and improved real-time dashboards enabling more targeted threat hunting.
Streamlined SecOps and Security Automation Orchestration
No one has to tell you about the major shortage of qualified security pros—you’re dealing with it every day. By investing further in our embedded security automation and orchestration capabilities, we are ensuring that you can make the most of your valuable personnel.
We’ve made extensive customer-driven workflow and UI enhancements, including one-click access to threat intelligence data. LogRhythm Labs has created over 20 new SmartResponse™ automated playbook actions, accelerating response and saving time.
The release also enables you to report and trend on mean time to detect and mean time to respond, helping you measure and prove your team’s value.
Learn More about Our Latest Release
As the only focused security intelligence and analytics company, LogRhythm is optimally suited to dig into, understand, and meet our customers’ pressing needs. This focus enables the rapid development of relevant improvements that directly benefit customers.
At LogRhythm, we are incredibly focused on our security intelligence and analytics mission. We believe that a unified platform approach to threat lifecycle management is the only way to optimally deliver reduced mean time to detect (MTTD) and mean time to respond (MTTR).
Whether you use LogRhythm as the foundation of a large global 24×7 SOC or small virtual SOC, our latest 7.2 release will help your organization. Its many innovations will reduce your total cost of ownership and also improve the efficiency and effectiveness of your security operations.
For more information on LogRhythm, give us a call at 866-431-8972 or send us an email at email@example.com
US CERT – National Security Awareness System
12/01/2016 12:00 AM EST
Original release date: December 01, 2016
“Avalanche” refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), is releasing this Technical Alert to provide further information about Avalanche.
Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers.
In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise.
Avalanche used fast-flux DNS, a technique to hide the criminal servers, behind a constantly changing network of compromised systems acting as proxies.
The following malware families were hosted on the infrastructure:
- Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
- URLzone (aka Bebloh)
- VM-ZeuS (aka KINS)
- Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
- newGOZ (aka GameOverZeuS)
- Tinba (aka TinyBanker)
- Vawtrak (aka Neverquest)
- Smart App
- Trusteer App
Avalanche was also used as a fast-flux botnet that provides communication infrastructure for other botnets, including the following:
- QakBot (aka Qbot, PinkSlip Bot)
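The fast-flux technique mentioned above leaves a recognisable trace in DNS data: one name resolves to many addresses in unrelated networks within a short period, with very short TTLs. The following added example (not from the US-CERT alert, and not Avalanche data) scores domains from resolution logs on that basis; the log format, domain names and addresses are constructed sample data, and the thresholds are illustrative assumptions.

```python
"""Heuristic flagging of fast-flux domains from DNS resolution logs."""
import re
from collections import defaultdict

# Constructed log format: "<epoch> <qname> A <ip> ttl=<seconds>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<qname>\S+) A (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) ttl=(?P<ttl>\d+)$"
)

# Constructed sample: one domain rotating through proxies, one ordinary
# domain with two stable addresses in a single network and long TTLs.
SAMPLE_LOG = """\
1480550400 update.flux-sample.test A 198.51.100.10 ttl=120
1480550520 www.cdn-sample.test A 192.0.2.10 ttl=3600
1480550540 update.flux-sample.test A 203.0.113.55 ttl=150
1480550600 update.flux-sample.test A 192.0.2.77 ttl=60
1480550660 update.flux-sample.test A 198.18.4.9 ttl=300
1480550700 www.cdn-sample.test A 192.0.2.11 ttl=3600
1480550720 update.flux-sample.test A 198.19.120.3 ttl=90
1480550780 update.flux-sample.test A 203.0.113.140 ttl=120
1480550840 update.flux-sample.test A 192.0.2.201 ttl=180
1480550900 update.flux-sample.test A 100.64.7.7 ttl=60
1480550960 update.flux-sample.test A 100.64.90.12 ttl=150
1480551000 www.cdn-sample.test A 192.0.2.10 ttl=3600
1480551020 update.flux-sample.test A 198.51.100.10 ttl=120
"""


def parse_log(text: str) -> dict:
    """Aggregate per-domain answer counts, distinct IPs, /24 prefixes and TTLs."""
    stats = defaultdict(lambda: {"answers": 0, "ips": set(),
                                 "subnets": set(), "ttl_sum": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        s = stats[m["qname"]]
        s["answers"] += 1
        s["ips"].add(m["ip"])
        s["subnets"].add(m["ip"].rsplit(".", 1)[0])  # /24 prefix
        s["ttl_sum"] += int(m["ttl"])
    return dict(stats)


def mean_ttl(s: dict) -> float:
    return s["ttl_sum"] / s["answers"] if s["answers"] else 0.0


def flux_score(s: dict, min_ips: int = 5, min_subnets: int = 3,
               max_mean_ttl: float = 300.0) -> int:
    """0..3: one point each for many distinct IPs, spread across several
    /24s, and short average TTL (illustrative thresholds, not from the alert)."""
    score = 0
    if len(s["ips"]) >= min_ips:
        score += 1
    if len(s["subnets"]) >= min_subnets:
        score += 1
    if mean_ttl(s) <= max_mean_ttl:
        score += 1
    return score


def fast_flux_candidates(text: str, min_score: int = 3) -> list:
    """Domains in the log whose resolution pattern meets every criterion."""
    stats = parse_log(text)
    return sorted(q for q, s in stats.items() if flux_score(s) >= min_score)


if __name__ == "__main__":
    for qname, s in parse_log(SAMPLE_LOG).items():
        print(qname, len(s["ips"]), "ips", len(s["subnets"]), "/24s",
              round(mean_ttl(s)), "s mean ttl", "score", flux_score(s))
    print("candidates:", fast_flux_candidates(SAMPLE_LOG))
```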
A system infected with Avalanche-associated malware may be subject to malicious activity including the theft of user credentials and other sensitive data, such as banking and credit card information. Some of the malware had the capability to encrypt user files and demand a ransom be paid by the victim to regain access to those files. In addition, the malware may have allowed criminals unauthorized remote access to the infected computer. Infected systems could have been used to conduct distributed denial-of-service (DDoS) attacks.
Users are advised to take the following actions to remediate malware infections associated with Avalanche:
- Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though parts of Avalanche are designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of Avalanche malware, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
- Avoid clicking links in email – Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser (see Avoiding Social Engineering and Phishing Attacks for more information).
- Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)
- Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)
- Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.
From W-2 scams to WordPress vulnerabilities, ransomware, business email compromises, DDoS attacks and allegations of a hacked presidential election — 2016’s been a hell of a year in cybersecurity, and it’s not over yet.
There’s no reason to believe 2017 will be any better. If anything, it could be even worse as cybercriminals continue to push social engineering, find new ways to deliver malware, crack vulnerable databases and leverage mobile technology to find ways to get inside corporate defenses and target individuals. But maybe with the help of cybersecurity specialists and digital forensic professionals, we might have a glimmer of hope!
We asked two leading cybersecurity experts, Matt Dircks, CEO of secure access software company Bomgar and Scott Millis, CTO at secure device management and mobile security company Cyber adAPT, what to expect in 2017.
1. Passwords ‘grow up’
The recent DDoS attack that wreaked havoc on a huge portion of the internet on Oct. 21 was at least partly enabled by unchanged default passwords on IoT devices, says Dircks, which hackers were able to exploit. Don’t think you’re immune; how many of your users have simple, common or outdated passwords? In 2017, Dircks says better password management services will gain traction as businesses understand how vulnerable they are.
“I used to do a party trick where I’d go to someone’s house and hack their router. There are so many purpose-built, ‘dumb’ devices out there like the routers used to facilitate the DDoS attack a few months ago, that it’s making hackers’ jobs easy,” Dircks says.
Cybersecurity professionals will struggle to protect critical infrastructure, connected systems and remotely accessed systems and devices while weak password practices remain the norm, but it’s not just external threats that are a problem.
Mitigating insider threats can also be accomplished through better password management, he says. The best way to do so is to implement a solution that securely stores passwords that remain unknown to users, and then regularly validates and rotates those passwords to ensure safety and security, he says.
“What we’re talking about is credential vaults. In an ideal world, a user would never actually know what their password was — it would be automatically populated by the vault, and rotated and changed every week. Look — hackers are intrinsically lazy, and they have time on their side. If you make it harder for them, they’ll go elsewhere rather than invest the energy to chip away,” Dircks says.
2. Privilege gains power
Hackers want high-level access, which they get through targeting the credentials of privileged users like IT professionals, CEOs and vendors, Dircks says. And while organizations have applied security to the systems, applications and data that are most critical to their business, these preventative measures simply aren’t enough anymore. In 2017, he says, savvy organizations will finally get serious about protecting not just systems, but privileged users by identifying them, monitoring their access and closing off access to what they don’t need.
“We’ve had some clients who say, ‘Well, I just stick my users or outside vendors on the VPN and they’re fine,’ but they have no idea what they are actually accessing! With privilege management, think of it like an elevator bank, where depending on your role, you can only get to certain floors. It really limits what you can do, especially if you’re malicious. Even if I do have a valid password, if my privilege lets me access floors one and seven, but I try to go to six, then the system will block me and notify someone,” Dircks says.
Addressing this issue, too, will require organizations to provide extensive education and training on the potential dangers involved, especially in an increasingly mobile workforce where many individuals would rather sacrifice privacy and personal data for access and believe their security will be taken care of by third-party service providers and application creators, he says.
“Especially in the last few generations of digital natives, people are more than willing to give up their personal information and data for access to apps, connectivity, information — this can easily be exploited. And they are willing to trust that these app developers, these providers, will make sure they’re safe and secure. That’s dangerous. Combine the cybersecurity skills gap, talent shortage, mobile workforce, app-centric environment, more sophisticated hacking and it’s a perfect storm. We think it’s just going to get worse before it gets better,” Dircks says.
3. The security blame game will heat up
“When we talk to our clients, one trend we’re seeing that is really horrifying is that they don’t even say ‘if’ an attack occurs anymore, they say ‘when.’ It’s like, at this point they are just throwing up their hands and saying, ‘Well, I’m gonna get hit, how bad is it going to be?’ and that, to me, is just terrifying,” Dircks says.
The IoT and increasing reliance on security solution providers means companies may not be able to easily account for ownership or origin once a breach happens, he says. Who is responsible for securing, maintaining and patching the various technologies? Worse yet, has a product been connected to internal systems that can’t yet be patched? A number of IoT devices are often overlooked because they fall outside of IT’s traditional purview, but that means exposure to threats.
“With the integration of IoT, automation and the cloud, no one seems entirely sure who’s actually responsible for maintaining security of all these various pieces: the IoT device manufacturer? The security services provider? The internal IT department? Individual users? You’re only as secure as the least-secure device or relationship,” Dircks says.
When a breach occurs, even with layers of security, the question of who “owns” it and who had or has power to do something about it will create intense reactions and finger-pointing, he says.
Companies can head off this blame game by ensuring open communication between IT and business leadership to understand the potential threats, options for security and safety and the challenges and constraints that exist within the organization, Dircks says.
“Part of the problem is that, as a CSO, a CISO or even a CIO — anyone with security responsibility — you’re either invisible, if you’re doing your job right, or you’re on the hot seat. If you come up with great policies, procedures and security measures, then you often leave those to IT to operationalize. But if those fail because you didn’t understand the business needs, the budgets, the requirements, then you’re not really helping,” he says.
4. Ransomware will spin out of control
Since January 1, 2016, Symantec’s Security Response group has seen an average of more than 4,000 ransomware attacks per day: a 300 percent increase over 2015, according to its 2016 Internet Security Threat Report.
Most organizations rely on low-overhead prevention techniques, such as firewall and antivirus solutions or intrusion prevention to mitigate threats like these, says Cyber adAPT’s Scott Millis. However, these tools are insufficient, and breach data shows that detection and incident response must be improved.
And as attackers continue to use social engineering and social networks to target sensitive roles or individuals within an organization to get to data, the need for comprehensive security education becomes even more critical, he says.
“If security policies and technologies don’t take these vectors into account, ransomware will continue to seep in. There’s also the issue of detection. Some attackers can reside within a company’s environments for months, often moving laterally within environments, and silos between network, edge, endpoint and data security systems and processes can restrict an organization’s ability to prevent, detect and respond to advanced attacks,” Millis says.
Finally, new attack surfaces — for example, IaaS, SaaS and IoT — are still so new that organizations haven’t yet figured out the best way to secure them, he says.
5. Dwell times will see no significant improvement
Dwell time, or the interval between a successful attack and its discovery by the victim, will see zero significant improvement in 2017, Millis says. In some extreme cases, dwell times can reach as high as two years and can cost a company millions per breach.
“Why so long? In my view, this is annoyingly simple — there’s little or no focus on true attack activity detection. At the advent of the ‘malware era’, companies, vendors and individuals were rightly concerned about ‘keeping out the bad guys’, and a whole industry grew quickly to focus on two basic themes: ‘Defense-in-depth’, which I view as layering prevention tactics in-line to make penetration from the outside more difficult; and ‘Malware identification’, which manifested itself as an arms race towards 100-percent-reliable identification of malware,” Millis says.
As response technologies and remediation capabilities improved, victims were able to isolate and repair damage very quickly. The problem is that these technologies did not help reduce dwell time unless response teams stumbled upon something malicious or randomly discovered an anomaly, Millis says.
Nowadays, security pros are using network device log files to search for clues as to whether an attack has been attempted or has succeeded, but storing and sorting through the massive amounts of data needed for this approach is costly and inefficient, Millis says.
“The need for huge data stores and massive analytics engines drove the new security information and event management (SIEM) industry. While SIEM is a great after-the-fact forensics tool for investigators, it still isn’t effective in identifying attacks in progress. What we — and some other companies — are doing now is developing products that focus on analyzing raw network traffic to identify attack indicators. Finding attackers as soon as possible after they have beaten the edge or device prevention gauntlet, or circumvented it entirely as an innocent or malicious insider, will dramatically shorten dwell time,” he says.
6. Mobile will continue to rise as a point of entry
At least one, if not more, major enterprise breaches will be attributed to mobile devices in 2017, Millis predicts. A Ponemon Institute report found that for an enterprise, the economic risk of mobile data breaches can be as high as $26.4 million and 67 percent of organizations surveyed reported having had a data breach as a result of employees using their mobile devices to access the company’s sensitive and confidential information.
People and their mobile devices are now moving around far too much, and much too fast, for old-fashioned cybersecurity strategies to be effective. Add to that an increasing sense of entitlement by users with regard to the devices they choose to use, and you have a situation ripe for exploitation.
“Many users feel they can protect their privacy while having secure, uninterrupted access to business and personal services. And still many people subscribe to the view it is not they who are accountable for security breaches; if they can work around ‘security’ to improve their user experiences, they will. CISOs, CIOs and CEOs view this as a complex challenge to the implementation of their enterprise security strategies, and one that won’t be solved by having email and calendar data delivered over SSL to a single, approved OS,” Millis says.
Mobile payments, too, will become a liability. MasterCard’s ‘selfie pay’ and Intel’s True Key are just the tip of the iceberg, he says. Individuals should understand that they need to treat their biometric data just as carefully as they do other financial and personal data; again, that comes down to education and training, he says.
“Wouldn’t it be nice if public Wi-Fi access providers were required to put up the internet allegory to the warnings on cigarette packs? Something like, ‘Warning: This public access connection is not secure and information you send and receive while connected may possibly be viewed, collected and subsequently used by criminals to steal your assets, identity or private information,’” Millis says.
7. Internet of threats?
IoT vulnerabilities and attacks will rise and will increase the need for standardization for various security measures — hackers at this year’s Def Con found 47 new vulnerabilities affecting 23 devices from 21 manufacturers.
And, of course, the massive DDoS attack in October 2016 on major global websites, including Twitter, Netflix, Reddit and the UK government’s sites, was reportedly powered by the Mirai botnet made up of insecure IoT devices.
“A lot of attention is focused on ‘smart devices’ as proof of IoT’s growing influence. The reality is a connected device doesn’t make it a smart device. The ‘things’ that are being connected often ‘fire-and-forget’ in their simplicity, or are built-in features and tools we may not even know are there — like the routers used in the Mirai botnet. This leads to a mindset of ignoring these ‘dumb’ devices without paying attention to the fact that these devices, while inherently ‘dumb’, are connected to the biggest party-line ever made: the internet,” says Bomgar’s Matt Dircks.
This isn’t just a problem for smaller consumer devices, or even for connected homes and cars. Dircks isn’t even particularly focused on the possibility of another DDoS attack. What’s more troubling is the potential for an attack on large, widespread infrastructure systems like the power grid, or even avionics or railway systems, he says.
“I’m not worried about things like, if my connected showerhead turns on hot or cold. I think there’s a fairly significant chance we’ll see a major hack on power grids or on transportation systems like rail in 2017. This is the ‘dumb’ IoT that’s still out there — the technology from the 1950s and 1960s that’s powering these critical infrastructure systems that is almost totally unsecured,” he says.
This is a perception problem; the general public doesn’t tend to see these systems as being similar to the IoT devices they use with increasing frequency — even mobile phones can fall into that category, says Millis.
“Like smart-phones before them, IoT devices are assumed to be new, separate, and not subject to the same limits as older technology, but think about it. It’s nonsense: Smartphones are the most plentiful internet device around. IoT is the next hyper-jump in scale. Some organizations are wisely ahead of the curve a little bit this time, trying to head off the same security issues that mobile devices are facing now. So far, activity here has all come down to prevention yet again, but we believe every device and/or connection can be compromised. Shortening dwell time and securing IoT depends on being able to tell when that inevitably happens, as quickly as possible and with the highest level of confidence,” Millis says.