December 25, 2024

Facebook Users Targeted Via Android Same Origin Policy Vulnerability

Posted on December 29, 2014 by in Security

 Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android’s WebView browser in order to compromise Facebook accounts. 

The flaw allows the attackers to bypass Android’s Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.

“The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a u0000 character, as demonstrated by an onclick=”window.open(‘u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser,” according to the National Vulnerability Database.

According to Trend Micro Mobile Security Engineer Simon Huang, the attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. The page contains obfuscated JavaScript code that includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div tag while the inner frame has a size of one pixel, he added.

“While these routines are being carried out, the SOP bypass is being performed,” he blogged, adding that a remote JavaScript file is loaded from a legitimate cloud storage provider.

The file, he noted, contains the malicious code of the attack and enables the attackers to perform the following activities on Facebook:

  1. Add friends
  2. Like and follow Facebook pages
  3. Modify subscriptions
  4. Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
  5. Steal the victim’s access tokens and upload them to their server  at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token= $ token;
  6. Collect analytics data (such as victims’ location, HTTP referrer,  etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/

“In addition to the code at the above site, we found a similar attack at <a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.%257bBLOCKED%257dphp.com%2Fx%2Ftoplu.php%22%3Ehttp%3A%2F%2Fwww.%7BBLOCKED%7Dphp.com%2Fx%2Ftoplu.php%3C%2Fa%3E%2C" Huang explained. "We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app."

“The client_id involved in this malware was “2254487659”,” he added. “This is an official BlackBerry App  maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person.”

Blackberry is working with Facebook and Trend Micro to address the issue. Google has already issued a fix for the vulnerability for Android users.

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

North Korea Calls Obama ‘Monkey’, Blames US for Blackout

Posted on December 27, 2014 by in Security

North Korea on Saturday called US President Barack Obama a “monkey” for inciting cinemas to screen a comedy featuring a fictional plot to kill its leader, and blamed Washington for an Internet blackout this week.

The isolated dictatorship’s powerful National Defence Commission (NDC) threatened “inescapable deadly blows” over the film and accused the US of “disturbing the Internet operation” of North Korean media outlets.

The Internet outage triggered speculation that US authorities may have launched a cyber-attack in retaliation for the hacking of Sony Pictures — the studio behind madcap North Korea comedy “The Interview”.

Washington has said the attack on Sony was carried out by Pyongyang.

The NDC accused Obama of taking the lead in encouraging cinemas to screen “The Interview” on Christmas Day. Sony had initially cancelled its release after major US cinema chains said they would not show it, following threats by hackers aimed at cinemagoers.

“Obama always goes reckless in words and deeds like a monkey in a tropical forest,” a spokesman for the NDC’s policy department said in a statement published by the North’s official KCNA news agency.

“If the US persists in American-style arrogant, high-handed and gangster-like arbitrary practices despite (North Korea’s) repeated warnings, the US should bear in mind that its failed political affairs will face inescapable deadly blows,” the NDC spokesman said.

He accused Washington of linking the hacking of Sony to North Korea “without clear evidence” and repeated Pyongyang’s condemnation of the film, describing it as “a movie for agitating terrorism produced with high-ranking politicians of the US administration involved”.

Unlikely symbol of free speech

The film took in $ 1 million in its limited-release opening day, showing in around 300 mostly small, independent theatres. It was also released online for rental or purchase.

The film, which has been panned by critics, has become an unlikely symbol of free speech thanks to the hacker threats that nearly scuppered its release.

The low-brow comedy revolving around the fictional assassination of North Korean leader Kim Jong-Un played to packed cinemas across the US.

A file sharing website reported the film had been illegally downloaded more than 750,000 times.

Online services for Sony’s PlayStation and Microsoft’s Xbox gaming consoles, which had decided to release the film online, went down Thursday, apparently attacked by hackers.

Microsoft’s online network for its Xbox gaming console was restored to nearly full service Friday but the PlayStation network remained down.

The NDC spokesman called again for a joint investigation into the Sony hack, which has already been rejected by the US, while accusing Washington of “beating air after being hit hard by others”.

“In actuality, the US, a big country, started disturbing the Internet operation of major media of the DPRK (North Korea), not knowing shame like children playing a tag,” he said.

From Monday night, websites of the North’s major state media went dead for hours.

The cause of the outages in North Korea’s already limited Internet access has not been confirmed. The US has refused to say whether it was involved in the shutdown.

The North has about one million computers — mainly available at educational and state institutions — but most lack any connection to the world wide web.

All online content and email are strictly censored or monitored with access to the Internet strictly limited to a handful of top party cadres, propaganda officials and expatriates.

KCNA previously compared Obama to a black “monkey” in a zoo in May, prompting Washington to condemn the comments as “ugly and disrespectful”.

The North Korean mouthpiece also earlier this year called South Korean President Park Geun-Hye a “prostitute” in thrall to her “pimp” Obama.

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

MBR Wiper Attacks Hit Korean Power Plant: Trend Micro

Posted on December 24, 2014 by in Security

Researchers at Trend Micro revealed details of an attack against a major Korean utility company hit by malware designed to wipe the master boot records (MBR) of compromised computers.

According to Trend Micro, the malware is believed to have infected the targeted systems through a vulnerability in the Hangul Word Processor (HWP), a commonly-used application in South Korea. The attackers used a variety of social engineering lures as well.

“We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper,” according to Trend Micro. “In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.”

“This particular MBR-wiping behavior, while uncommon, has been seen before,” the researchers noted. “We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.”

Trend Micro also found similarities to the previous MBR wiper attacks as well. All three attacks overwrite the MBR with certain repeated strings; this attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.

The attack on Sony has caused a further rift between North Korea and the United States, as U.S. President Barack Obama promised last week that the United States would offer a proportional response to North Korea’s involvement in the attack.

North Korea has denied any involvement in the incident. The country began suffering Internet outages this week, though the cause of those outages remains unclear.

“While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related,” according to Trend Micro. “All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.”

“These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors,” the researchers added. “This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

ICANN: ‘Most Critical’ Systems Not Affected in Recent Breach

Posted on December 21, 2014 by in Security

On Dec. 16, Internet Corporation for Assigned Names and Numbers (ICANN) said it fell victim to a spear phishing attack that resulted in email credentials of several ICANN staff being compromised.

The incident, which occurred in late November and was discovered in early December, allowed attackers to access the Centralized Zone Data System and the ICANN GAC Wiki.

The attacker(s) were able to poke around ICANN systems and obtain administrative access to all files in the CZDS, including copies of the zone files in the system, as well as user information such as name, postal address, email address, fax and telephone numbers, username, and password, according to the original announcement.

DNSFortunately, ICANN said that those compromised accounts did not have access to the IANA functions systems, which the organization says are a separate system with additional security measures that have not been breached.

IANA functions coordinate domain names with IP addresses to appropriately direct DNS requests to the appropriate server.

ICANN has a contract with U.S. Department of Commerce to maintain the IANA functions on behalf of the entire Internet community.

“During and after the attack, all critical functions hosted by ICANN, including the IANA functions, remained fully operational and unaffected by the attacker’s activities,” ICANN said in an update.

“ICANN employs multiple levels of protection for its most critical services. While the attackers were able to breach the outermost layer of defenses, our on-going investigation indicates our most critical systems were not affected.”

Related: Don’t Let DNS be Your Single Point of Failure

Related: DNS Hijack – How to Avoid Being a Victim

Subscribe to the SecurityWeek Email Briefing

view counter

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Apple, Microsoft, GitHub Release Updates to Fix Critical Git Vulnerability

Posted on December 19, 2014 by in Security

The distributed revision control system Git is affected by a serious vulnerability that could be exploited by an attacker to execute arbitrary commands and take over a developer’s machine.

The flaw (CVE-2014-9390) affects all versions of the official Git client and related software that interacts with Git repositories. Git 2.2.1 has been released to address the issue, but updates have also been made available for older maintenance tracks (1.8.5.6, 1.9.5, 2.0.5, 2.1.4).

The vulnerability, which affects users running Windows and Mac OS X, was discovered by the developers of the cross-platform, distributed revision control tool Mercurial. They initially identified the security hole in Mercurial, but after further investigation, they determined that Git is affected as well.

GitHub for Windows and GitHub for Mac have been updated to address the vulnerability. GitHub says GitHub Enterprise and github.com are not directly affected, but users are advised to update their clients as soon as possible.

Maintenance versions that include the fix for this flaw have also been released for libgit2 and JGit, two major Git libraries. Since Microsoft uses libgit2 in Visual Studio products, the company has rolled out patches for Visual Studio Online, Codeplex, Visual Studio Team Foundation Server (TFS) 2013, Visual Studio 2013 RTM, Visual Studio 2013 Update 4, and for the VS 2012 VSIX extension.

Apple’s integrated development environment Xcode also uses Git. The issue has been addressed by adding additional checks in Xcode 6.2 beta 3.

The disclosure of the vulnerability and the release of patches have been coordinated by all affected parties.

“The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” GitHub’s Vicent Marti explained in a blog post.

Marti noted that the flaw doesn’t affect Linux clients if they run in a case-sensitive filesystem. However, Junio Hamano, who maintains Git since 2005, has pointed out that some Linux users might also have to take measures.

“Even though the issue may not affect Linux users, if you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git,” Hamano said in an advisory.

Microsoft’s Brian Harry believes that an attack leveraging this vulnerability is likely to work only in certain environments.

“For someone to do this to you, they have to have commit rights to a repo that you pull from. Inside a corporation, that would likely have to be an attack from the inside. The most likely (not only, but most likely) scenario here is in some small OSS project. Large ones generally have pretty well known/trusted committers,” Harry said.

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

PCI Security Standards Council Publishes Guide for Securing Terminal Software

Posted on December 16, 2014 by in Security

The PCI Security Standards Council (PCI SSC) published guidance today on the secure development and maintenance of software designed to run on point-of-interaction (POI) devices.  

POI devices are hardware or software components in point-of-sale equipment that allow a consumer to use a credit card to make a purchase, such as a PIN pad. According to the PCI SSC, the document is intended to address software that exists on POI devices, including payment and non-payment applications, and reinforce the importance of a layered approach to security.

“The goal of this document is to ensure that all organizations responsible for software development (and device management) understand the potential threats, and employ appropriate processes throughout the development life cycle to counter those threats,” according to the document. “The processes followed will depend on the organization, the type of application being developed, and the software languages used, but the principles remain the same.”

The document is meant to help organizations – including POI device vendors – that write or implement applications within a POI device understand the threats and counter them throughout the development lifecycle, according to the PCI SSC. It also comes at a time when cybercriminals have increasingly been paying attention to point-of-sale devices and targeting both retailers as well as vendors of point-of-sale devices (PoS). 

“Criminals are looking at every aspect of a payment transaction to find ways for data exfiltration,” said PCI SSC Chief Technology Officer Troy Leach, in a statement. “While consumers and merchants alike benefit from additional features, complexity and increasing dependency on third-party applications can create new opportunities for exploit which is why due diligence is so vital in the development of software that terminals rely upon. This paper highlights important best practices for software coding in this unique environment.”

According to the PCI SSC, organizations can use this guidance to help ensure standard secure coding practices are followed, including:

Security awareness training that supports secure software development:

• Those involved in the development process (including software developers and peer reviewers), have important roles to play in developing software to ensure secure coding practices are implemented and address current threats. Those roles need to be defined before development begins and those individuals need to be trained and understand the secure software development program.

Secure software development lifecycle:

• Organizations need to have a software security roadmap defined before development begins that will address known threats. The software needs to be mapped and documented, and rules and processes defined so that security is implemented as part of the development process and not incorporated as an afterthought.

Device-level testing:

• It is imperative to understand how the application will work when used with the hardware, firmware, and other applications that it is intended for use with. While simulators and unit testing are essential, testing the device with the complete solution should be a priority.

Internal process reviews:

• The threat environment is constantly evolving which is why organizations need to stay current on the latest threats and changes to ensure the procedures in place are still sufficient and are actually being followed.

Michael Belton, team lead of assessment services at Rapid7, said that for an average retailer, performing hardware and software security testing on a product they purchased is cost-prohibitive.

“Security awareness training for developers, along with secure software development lifecycle practices, help ensure consistency across developers working on an application,” he said. “This consistency in security design and expectations means applications are released with fewer bugs that can be exploited. Penetration testers encounter issues related to security lifecycle practices every time they perform an assessment. These two items are perhaps the most critical challenges towards creating software that operates in a secure and predictable manner.”

The document can be read here.

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Indian Police Arrest ‘Jihadi Tweeter’

Posted on December 13, 2014 by in Security

Indian police on Saturday arrested a 24-year-old executive believed to be the handler of an influential Twitter account supporting the Islamic State group, officials said.

Mehdi Masroor Biswas, employed with an Indian food conglomerate in the southern city of Bangalore, is alleged to be the handler of the Twitter account @ShamiWitness.

The account had 17,700 followers, including many foreign fighters, until it was shut down following a report by Britain’s Channel 4 News on Thursday.

Tweets from @ShamiWitness contained jihadist propaganda as well as information for would-be recruits and messages praising fallen fighters as martyrs.

Related Reading: ISIS Cyber Ops: Empty Threat or Reality?

“He has been taken into custody,” police director general L.R. Pachuau told AFP. Police raided his house in an upscale suburb of Bangalore early Saturday and seized “incriminating documents, Islamic literature and many photos”, Pachuau said.

Pachuau added that details of his arrest would be revealed at a news conference later Saturday.

The Channel 4 report quoted Biswas as saying that he had personally not joined IS ranks in Iraq and Syria because his family was financially dependent on him.

“If I had a chance to leave everything and join them I might have,” he was quoted as saying.

However, in an interview to the Indian Express newspaper published Saturday Biswas said his claims to Channel 4 were meant to get the television reporter off his back.

“When Channel 4 called me first and asked if @ShamiWitness was my Twitter handle, I did not oppose it… my outright rejection would not have convinced them. I therefore decided to admit that I was indeed @ShamiWitness in the hope that they would not air the programme,” Biswas told the daily.

The Press Trust of India news agency said Biswas was likely to be charged with cyber terrorism and sentenced to life imprisonment.

The IS militant group has made extensive use of social media for propaganda and recruitment, as well as for disseminating grisly execution videos.

Related Reading: US Cyber-Warriors Battling Islamic State on Twitter

Related Reading: ISIS Cyber Ops: Empty Threat or Reality?

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

Hacking Threatens Airline Safety: Aviation Chiefs

Posted on December 11, 2014 by in Security

Cyber crime is a serious threat to safety in the skies, aviation industry heavyweights said Wednesday, vowing to fight the growing scourge before it causes a catastrophic incident.

Hackers, cyber criminals and other “terrorists” are stealing information but in a worst-case scenario could endanger lives by tampering with airline systems.

Among the five organizations getting together to take action against hacking are the International Air Transport Association (IATA) and other bodies that signed a new cyber security agreement late last week, formalizing their front against cyber crime.

“Our common goal in developing this agreement is to work more effectively together to establish and promote a robust cyber security culture and strategy for the benefit of all actors in our industry,” said Raymond Benjamin, secretary general of the International Civil Aviation Organization (ICAO).

He added: “As technologies rapidly evolve and become more readily accessible to all, cyber threats cannot be ignored.”

“This is an important new area of aviation security concern and our global community will ensure that it is met with a strong level of commitment and response.”

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

Numerous Vulnerabilities Found in Zenoss Core Management Platform

Posted on December 8, 2014 by in Security

Researchers have uncovered a total of 20 security holes in Zenoss Core, the free, open-source version of the application, server, and network management platform Zenoss.

According to an advisory published on Friday by the CERT Coordination Center at Carnegie Mellon University (CERT/CC), the vulnerabilities were identified and reported by Ryan Koppenhaver and Andy Schmitz of Matasano Security.

One of the most serious flaws is CVE-2014-6261, which can be exploited by a remote attacker to execute arbitrary code.

Code Vulnerabilities“An attacker who is able to get a victim to visit an attacker-controlled website while logged in to the Zenoss interface can execute arbitrary code on the Zenoss installation. Additionally, an attacker who is able to perform a man-in-the-middle attack between the Zenoss installation and Zenoss’ corporate ‘callhome’ server – or control the ‘callhome’ server – can execute arbitrary code on the Zenoss installation,” reads Zenoss’ description of the vulnerability.

Another serious vulnerability (CVE-2014-9246) is caused by the fact that sessions don’t expire. In order to exploit the bug, an attacker needs to obtain a targeted user’s session ID and copy it to his own computer. When the victim logs in, the attacker will be logged in as that user.

Researchers have also identified cross-site request forgery (CSRF), persistent cross-site scripting (XSS), information disclosure, open redirect, authorization bypass, and denial-of-service (DoS) vulnerabilities. In addition, the experts discovered multiple issues related to passwords, including the lack of password complexity requirements, a weak hashing algorithm, and the storing of passwords in plaintext in the session database.

These vulnerabilities have been assigned the following CVE identifiers: CVE-2014-6253, CVE-2014-6254, CVE-2014-9245, CVE-2014-6255, CVE-2014-6256, CVE-2014-9247, CVE-2014-9248, CVE-2014-6257, CVE-2014-9249, CVE-2014-6258, CVE-2014-6260, CVE-2014-9251, CVE-2014-6259, CVE-2014-6262 and CVE-2014-9252.

The vulnerabilities affect Zenoss Core 4.2.4. Two of the flaws, the session expiration bug and an open redirect in the login form (CVE-2014-6255 and CVE-2014-9246), have been addressed by Zenoss with the release of the latest Zenoss Core 4.2.5 service pack, CERT/CC said. The company is internally tracking the other bugs and plans of fixing them in a future maintenance release of Zenoss Core 5, which is currently in beta.

Zenoss does not plan on addressing CVE-2014-9250, which can be exploited by an attacker to obtain a user’s username and password by retrieving the authentication cookie. The company advises customers who want to use cookie-based authentication to ensure their installations operate over SSL/HTTPS.

 

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Industry Reactions to Devastating Sony Hack

Posted on December 5, 2014 by in Security

The systems of entertainment giant Sony have been hacked once again, and although the full extent of the breach is not yet known, the incident will likely be added to the list of most damaging cyberattacks.

Feedback Friday for December 5, 2014

A group of hackers called GOP (Guardians of Peace) has taken credit for the attack and they claim to have stolen terabytes of files. Sony admitted that a large amount of information has been stolen, including business and personnel files, and even unreleased movies.

On Friday, security firm Identity Finder revealed that the attackers leaked what appears to be sensitive personal data on roughly 47,000 individuals, including celebrities.

North Korea is considered a suspect, but the country’s officials have denied any involvement, and Sony representatives have not confirmed that the attack was traced back to the DPRK.

Researchers from various security firms have analyzed a piece of malware that appears to have been used in the Sony hack. The threat is designed to wipe data from infected systems.

The FBI launched an investigation and sent out a memo to a limited number of organizations, warning them about a destructive piece of malware that appears to be the same as the one used in the attack against Sony.

Some experts believe the FBI sent out the alert only to a few organizations that were likely to be affected. Others have pointed out that the FBI doesn’t appear to have a good incident response plan in place.

And the Feedback Begins…

Cody Pierce, Director of Vulnerability Research at Endgame:

“The latest FBI ‘flash’ report warning U.S. businesses about potentially destructive attacks references malware that is not highly advanced. Initial reports associate the alert with malware that overwrites user data and critical boot information on the hard drive, rendering the computer effectively useless. Based on analysis of the assumed malware sample, no technology exists within the sample that would warrant a larger alert to corporations. Additional information, either present in the malware–like IP address or host information–or during the investigation, also likely made it clear who required advance notification. Because of the malware’s low level of sophistication as well as the reportedly targeted nature of the attacks, it is entirely reasonable that the FBI would only inform a small number of companies.

The goal of these coordinated alerts is to raise awareness to the most likely targets so that they can ensure their security readiness, without unnecessary burden to those unlikely to be affected. In this case, because the malware is targeted and not sufficiently advanced, the FBI’s approach is justified. Conversely, in the event that more sophisticated malware or a new attack vector had been discovered, greater communication would have been necessary. Based on the information available, the FBI made the right decision in issuing this particular alert.” 

Mark Parker, Senior Product Manager, iSheriff:

 “For many organizations in the midst of breach investigation, decisions are often made very quickly. Without the luxury of planning meetings and impact analysis, some of the things are done in a ‘from the cuff’ manner based upon the evidence in hand, which may in fact be incomplete. In the case of the FBI memo that was sent out, it was done in a manner that was clearly done hastily. The threat posed by the malware was significant and a quick decision was made to send out an alert.

 

While I wasn’t in the room, I am fairly certain from having been in similar rooms, and in similar situations, that a list of who should receive the alert was not a very long conversation, and the point was to get the information out as soon as possible. What this demonstrates is that both Sony and the FBI do not have a good incident response plan in place for this type of incident. All organizations should have an incident response plan in place that lays out this sort of information in advance so that time is not spent on such issues. A clear process for key decisions is a very important part of any incident response plan, as is a list of who should be contacted in different situations.”

Steve Lowing, Director of Product Management, Promisec:

“Given that Sony Pictures is releasing a movie next month that satirizes assassinating North Korea’s supreme leader Kim Jong-Un, and after learning about this release last June declared war on the company, it’s widely held that the North Korean government is behind the attack. It’s likely that this is true at least at a sponsorship level given the number of attacks on South Korean banks and various businesses over the course of the last year, with the likely attackers being the country’s cyber warfare army known as unit 121.

Unit 121 is believed to be operating out of a Shenyang China luxury hotel giving them easy access to the world with being an arm’s reach from North Korea. The main reason for this is China’s close proximity to North Korea, North Korea’s almost non-existent internet access and China’s far superior network and cyber hacking resources. This is yet another example of State sponsored hacktivism targeting companies directly.”

Jonathan Carter, Technical Director, Arxan Technologies:

“So far, the evidence seems to suggest that the Sony hack was accomplished via execution of malicious malware. Hackers typically conduct these attacks by somehow tricking the user into executing something that is malicious in nature from within a system that is sensitive in nature. The recent iOS Masque and WireLurker vulnerabilities clearly illustrate that the delivery and execution of malicious code can take some very clever approaches. In light of these recent revelations, it is reasonable to expect to see a rise in distribution of malware (disguised as legitimate B2E apps that have been modified) via mobile devices owned by employees that have access to sensitive backend systems.”

Vijay Basani, CEO of EiQ Networks:

“It is possible that the hackers accessed not only unreleased movies, but also gained access to user accounts, celebrity passport details, sensitive trade secrets and know how. This demonstrates that in spite significant investments in traditional and next-gen security technologies, any network can be compromised. What is truly required is a total commitment from the senior management to building a comprehensive security program that delivers pro-active and reactive security and continuous security posture.”

Craig Williams, Senior Technical Leader and Security Outreach Manager for Cisco’s Talos team: 

“The recent FBI ‘flash alert’ was published covering the dangers of a new wiper Trojan that has received quite a bit of media attention. There are a few key facts that seem to be overlooked by many of the early news accounts of this threat:

Cisco’s Talos team has historic examples of this type of malware going back to 1998.  Data *is* the new target, this should not surprise anyone – yet it is also not the end of the world.  Recent examples of malware effectively “destroying” data – putting it out of victims’ reach – also include Cryptowall, and Cryptolocker, common ransomware variants delivered by exploit kits and other means.

Wiping systems is also an effective way to cover up malicious activity and make incident response more difficult, such as in the case of the DarkSeoul malware in 2013.

Any company that introduced proper back-up plans in response to recent ransomware like Cryptolocker or Cryptowall should already be protected to a degree against these threats detailed by the FBI.  Defense-in-depth can also detect and defeat this type of threat.”

Carl Wright, general manager at TrapX Security:

“The FBI and other national government organizations have an alerting process that we are sure they followed to the letter. It is important for them to provide an early warning system for these types of attacks, especially in the case of the Sony breach, because of the severe damage that could ultimately be used against our nation’s critical infrastructure.

Timely information sharing must be completely reciprocal in nature, meaning, corporations also have to be willing to share their cyber intelligence with the government.

 

When we look at the significant incidents of 2014 and in particular Sony, we see that most enterprises are focusing efforts and investments on breach prevention. 2014 has clearly highlighted the need for corporations and government to include additional technological capabilities that better detect and interdict breaches before they can spread within an organization.”

Ian Amit, Vice President, ZeroFOX:

“The Sony breach is a tricky situation. How it occurred is still up for debate – possibly nation state? Possibly an insider? Possibly a disgruntled employee? Regardless, it’s clear the breach goes very deep. It has gotten to the point that Sony is outright shutting down its network. This means even the backups are either nonexistent or compromised, and the hackers likely got just about everything, making this one of the worst breaches ever at an organization of this size. The attack touches anyone involved with Sony – auditors, consultants, screenwriters, contractors, actors and producers. The malware might be contained on Sony’s servers, but the data loss is much further reaching. Make no mistake, this breach is a big one.

I am skeptical this attack is nation state-level attack. The idea that North Korea is retaliating against Sony for an upcoming film is a wildly sensationalist explanation. Hackers regularly cover their trails by leaving red herrings for the cleanup crew – indications that the Russians, Chinese, Israelis, North Koreans and your grandmother were all involved. A small script of Korean language is hardly damning evidence. Code can be pulled from a variety of sources and there is no smoking gun (yet) in the case of the Sony breach.”

Oliver Tavakoli, CTO, Vectra Networks:

“Any malware that destroys its host will have limited impact unless it is part of a larger coordinated attack. One or two laptops being wiped at Sony would be a nuisance, but large numbers of devices being wiped all at once is devastating. The latter style of attack requires an attacker to achieve a persistent network-level compromise of the organization before the wiper malware even becomes relevant.

The information released as part of the FBI alert bears this out. The malware sample detailed in the alert was compiled only days before it was used. This is a strong sign that Sony was compromised well before the time the malware was built, and the wiper malware was the coup de grâce at the end of the breach.

This is particularly significant when evaluating the FBI alert. Sharing indicators of compromise (IoC) is a good thing, and the industry needs more of this sharing. But we need to keep in mind that these particular indicators represent the absolute tail end of a much longer and widespread attack. In fact, some of the IoCs detailed in the alert are only observable once the wiper malware has begun destroying data. Obviously, this sort of indicator is much too late in the game, but too often is the only indicator that is available. What the industry needs badly are indicators of attack that reveal the compromise of the organization’s network at a point when security teams can still prevent damage.”

Kenneth Bechtel, Tenable Network Security’s Malware Research Analyst:

 “This type attack is not new, it’s been around for a long time, with multiple examples. The most recent similarity is the ransomware that’s been attacking systems. These attacks are often difficult to detect prior to the execution of the payload. The best thing is a good backup scheme as part of your response. Many times the answer to modern malware infections is to reimage the system. In case this occurs on your system, a reimage is often the best response. The only thing that reimaging would not solve is having most current data like documents and spreadsheet. It’s this combination of reimaging and restoring backups that is the most efficient response to the attack. While this ‘fixes’ the host, network forensics should be done to identify the attack and create defenses against the attack in the future.”

Jon Oberheide, CTO, Duo Security:

“I don’t believe that the limited distribution of the FBI warning was improper. But, I think the scope and focus on data-destroying malware was a bit misguided.

 

Certainly data loss can have a big impact on the operations of a business. We saw that big time back in 2012 with the Saudi Aramco attack by data-wiping malware. But, regardless of whether the data loss is intentional or inadvertent, it’s vital to have proper disaster recovery and business continuity processes in place to be able to recover and continue operation. However, when considering a sophisticated cyber-attack, disaster recovery processes must assume that an attacker has more capabilities and reach than standard inadvertent data loss events. For example, an attacker may have access to your data backup infrastructure and be able to destroy backups as well. So, modern organizations may have to revisit their DR/BC models and take into account these new threat models.

The real impact of the Sony breach is not the destruction of data, but the longer term effects of confidentiality and integrity of their data and infrastructure. Rebuilding all their infrastructure post-breach in a trusted environment is an incredibly challenging and arduous task. The disclosure of credentials, infrastructure, critical assets, employee PII, and even things like RSA SecurID token seeds will have a much longer-term, but more under-the-radar, impact on Sony’s business.

Most importantly, in the modern day, breaches don’t only impact the directly-affected organization, but they tend to sprawl out and negatively impact the security of all organizations and the Internet ecosystem as a whole. A breach doesn’t happen in a vacuum: stolen credentials are re-used to gain footholds in other organizations, stolen source code is used to find vulnerabilities to assist future attacks, and information and experience is gleaned by attackers to hone their tactics, techniques, and procedures.”

Idan Tendler, CEO of Fortscale:

“The traditional concept for security was to keep the most important resources, i.e. the vaults with the cash (or in Sony’s case, films) safe. What we’re seeing with breaches of this magnitude is that the harm now goes far beyond any immediate and limited capital damage. Leaked sensitive information regarding employee salary and healthcare has the potential to cause enormous reputational harm and internal turmoil within a workforce. Revealing that kind of data can lead to jealousy, resentment and distrust among workers and create a very toxic work environment.

With news of passwords to sensitive documents also being leaked, Sony will need to be more vigilant in securing user access to resources by constantly monitoring and analyzing user activity for possible credential abuse.”

Clinton Karr, Senior security specialist at Bromium:

“These attacks are troublesome, but not surprising. Earlier this year we witnessed Code Spaces shutdown after a successful attack destroyed its cloud back-ups. Likewise, the evolution of crypto-ransomware suggests attackers are targeting the enterprise with destructive attacks. These attacks are unlike the “cat burglary” of Trojan attacks, but much more brute force like a smash-and-grab or straight vandalism.”

Ariel Dan, Co-Founder and Executive VP, Porticor:

“Reporting the technical details of a specific attack is a sensitive topic. Attack details can and will be used by new hackers against new targets. On the other hand, companies can’t do much to defend against a type of attack they know very little about. One relevant example of such a potential attack was around a severe security bug in the Xen virtualization system that exposed cloud users of Amazon Web Services, Rackspace and other cloud providers. The cloud vendors had stealthily patched affected systems, issued a vague notification to their users of an immediate restart action, and only after it was all done was the attack realized and publicized. Reporting the bug prior to fixing the problem would have a devastating effect on cloud users.

 

Back to the Sony attack: I personally believe that reporting the entire details of a security breach can do more harm than good, but there should be a way to communicate enough meaningful information without empowering the bad guys. Blogs like KrebsonSecurity provided additional details, including a snort signature to detect this specific attack. Such data is meaningful for the defender and does not help an attacker. From this information we learned that organizations should embrace an “encrypt everything” approach as we step into 2015. We should be able to guarantee that data is not exposed even if an organization has been infiltrated.”

Tim Keanini, CTO at Lancope:

“I think the question being asked here is a great opportunity to describe the threats of yesterday versus the threats we face today.  In the past, broad advisories on technical flaws were effective mainly because the problem was universal.  Attackers would automate tools to go after technical flaws and there was no distinction between exploitation of a large corporation or your grandmother. If the vulnerability existed, the exploitation was successful.  In the case of Sony, we are talking about a specific adversary (Guardians of Peace) targeting Sony Pictures and with specific extortion criteria.  With this type of advanced threat, warnings sent out by the FBI on the investigation itself will be less prescriptive and more general making its timeliness less of a priority. 

From everything we have seen disclosed so far, it is difficult to assess and advise on the information security practice when some of the flaws exploited seem to suggest very little security was in place.  The analogy would be: it would be hard to assess how the locks where compromised when the doors to host the locks were not even present.   For example, some of the disclosure on reddit earlier in the week suggests that some files named ‘passwords’ were simply in the clear and stored unencrypted in txt and xls files.  The investigation will determine the true nature of all of this speculation but I use this as an example because the FBI could issue a warning every day of the week that said “Don’t do stupid things” and be just as effective.

The lesson learned here is that if you are connected to the Internet in any shape or form, this type of security breach happening to you and your company is a very real risk.  Step up your game before you become the subject of another story just like this.  It would be weird but Sony Pictures should write a movie on how a cybercrime group completely comprised and held an entertainment company for cyber extortion – categorized under non-fiction horror.”

Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi:

“As the FBI, DHS and others investigating the Sony hack work furiously to uncover the details and the threat actors behind this breach, it’s important that we recognize the attack patterns that are right in front of our face: cybercriminals are and will continue to use the same attack blueprint over and over again. Why? Because they use what works.

In April 2011, Sony’s PlayStation Network was breached where asymmetric keys were stolen, compromising the security of 77 million users’ accounts. Now, nearly four years later, Sony is still facing the same threat — only this time it’s directed on Sony Pictures Entertainment. In this latest breach, cybercriminals successfully gained access to dozens of SSH private keys – the same way they stole private keys in the Mask, Crouching Yeti and APT18 attacks. Once these keys are stolen, the attackers can get access to other systems — and then it just goes from bad to worse. It’s critical that incident response and security teams realize that the only way that the attackers can *truly* be stopped from accessing these systems is by replacing the keys and certificates. Until then, they will continue to wreak havoc and cause more damage with elevated privileges, the ability to decrypt sensitive data in transit, and spoof systems and administrators. All it takes is one compromised key or vulnerable certificate to cause millions in damages. Hopefully, Sony will learn its lesson this go round.”

Until Next Friday… Have a Great Weekend!

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed