December 24, 2024

Network Vision Fixes Code Injection Vulnerability in IntraVUE Software

Posted on February 27, 2015 by in Security

Organizations that use the IntraVUE network visualization software from Network Vision are advised to update their installations as soon as possible because older versions of the solution are plagued by a critical vulnerability.

A code injection flaw (CVE-2015-0977) has been found in IntraVUE by Jürgen Bilberger from Daimler TSS GmbH, a security researcher who has discovered and reported vulnerabilities in several industrial control system (ICS) products over the past years.IntraVUE by Network Vision

According to an advisory from ICS-CERT, a remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary operating system commands that could impact the availability, integrity, and confidentiality of affected servers.

This is a high-severity vulnerability with a CVSS base score of 10. Even an attacker with low skill could leverage the bug, but there is no evidence that an exploit is publicly available, ICS-CERT noted.

The security hole affects all Windows versions of IntraVUE prior to 2.3.0a14. The issue has been addressed with the release of IntraVUE 2.3.0a14 on February 9. In the meantime, Network Vision also released version 2.3.0a16, which brings some functionality improvements.

“It is recommended that the new version be applied as soon as possible. Users who have software support contracts with Network Vision can upgrade to the newest version at no cost,” reads the advisory from ICS-CERT.

Network Vision is a Newburyport, Massachusetts-based company that provides industrial Ethernet solutions for sectors such as automation, critical manufacturing, transportation, and water systems.

IntraVUE, the company’s flagship product, is designed to provide Ethernet device visualization and enable organizations to quickly identify issues affecting devices deployed in distributed and hostile environments. The solution can be used to identify duplicate MAC and IP addresses, connection or application faults, device or cable moves, and unauthorized connections.

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

U.S. Offers $3 Million Reward for Russian Cybercriminal

Posted on February 24, 2015 by in Security

U.S. Offers $ 3 Million Reward for Russian Sought in Bank Hack

Washington – The United States on Tuesday offered a $ 3 million reward for information to apprehend a Russian national sought in a major hacking enterprise that stole some $ 100 million.

The State Department made the announcement of the reward for information on Evgeniy Mikhailovich Bogachev, believed to be the administrator of the group that created the “GameOver Zeus” malware that enabled thieves to break into bank accounts in 12 countries.

Bogachev is already on the FBI “cyber’s most wanted” list and is believed to be living in Russia.

“This reward offer reaffirms the commitment of the US government to bring those who participate in organized crime to justice, whether they hide online or overseas,” a State Department statement said.

Bogachev was charged last year with 14 counts including conspiracy, computer hacking, bank fraud and money laundering, after the FBI said it dismantled the operation with the help of technology companies such as Microsoft and Symantec.

According to investigators, the scheme used emails to infect up to one million computers, which could then be controlled by the hackers to gain bank login credentials to steal funds.

Some security experts said the malware re-emerged shortly after the FBI action.

Related: Gameover Zeus Most Prevalent Banking Trojan of 2013: Dell SecureWorks

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013

Tags:


SecurityWeek RSS Feed

Feedback Friday: Lenovo Preinstalled Superfish Adware on Laptops – Reactions

Posted on February 22, 2015 by in Security

For a period of several months, Lenovo shipped numerous laptop models with a piece of adware that broke HTTPS browsing and put users at risk. Now, the company has apologized to customers and provided them with instructions on how to remove the application.

Lenovo preloaded the WindowShopper browser add-on from Superfish thinking that customers would enjoy its features. However, many users were annoyed by it and started complaining on the Chinese manufacturer’s forums. After security researchers analyzed the software, they realized that it poses serious risks.

The adware injects ads into web pages by using a local proxy and a self-signed root certificate. Superfish actually replaces legitimate certificates with its own, making connections that should be secure untrusted.

Industry reactions to Superfish incident

Even more worrying is the fact that researchers have managed to extract the certificate’s private key. The private key can be used to sign potentially malicious websites and software that would be trusted on affected Lenovo notebooks.

Industry professionals pointed out that Lenovo should have known better not to install such software on its computers. Experts also noted that while this is a common practice, they hope that manufacturers will learn from the Superfish incident.

And the feedback begins…

Martijn Grooten, Editor at Virus Bulletin:

“Like most people working in security, I’m not very keen on the idea of ads in general and running third-party code on your computer or inside your browser in particular. But then, I accept that ads are part of the ecosystem and that pre-installing software that, as it is euphemistically called, “enhances user experience” makes laptops significantly cheaper.

Now injecting ads into a browser is bad enough, doing so by running an HTTPS proxy on the machine is a lot worse. HTTPS shouldn’t be touched unless it is for a very good reason – inserting ads is never a good reason.

But what makes it still orders of magnitude worse than that, is that their proxy uses the same certificate on all affected (or, perhaps more accurate, infected) PCs. Hence anyone can obtain the private key of the certificate – which, as people have already showed, isn’t rocket science – and use this to man-in-the-middle HTTPS traffic without the Lenovo user being aware.

The industry of bundled apps and programs is a complicated one and finding out what all the programs installed on the PCs you sell are up to might not be as easy as security researchers may suggest. But Lenovo should have been able to detect Superfish adding a SSL root certificate to the computer, as well as it running an HTTPS proxy on the local machine.”

George Baker, Director of Professional Services at Foreground Security:

“This was clearly a questionable design decision by Lenovo. Trusted manufacturers should know that building in a ‘man-in-the-middle’ feature is just that… highly questionable, regardless of the claimed benefit. And weak protection on the Superfish software’s own private key further undermines the system’s root of trust. If the software is present and trusted by the operating system, a knowledgeable attacker can exploit it at will.

That said, it’s good that it was caught early, after four months of production, and that Lenovo is taking some action. That should at least limit the number of users – and the amount of their private data – who are exposed.”

ThreatStream CTO Greg Martin:

“The latest Superfish debacle highlights the current strategy for device manufacturers across the electronics ecosystem looking to get their slice of the billion-dollar advertising revenue market that has made Google and others so successful. Unfortunately, like the case with Lenovo and many others, users’ privacy and security are compromised – often in secret – leaving them extremely vulnerable to malicious hackers who leverage the this type of tracking technology against them.

Unfortunately this won’t be the last we see of this type of story, but hopefully the publicity from Superfish will be enough to warn other like-minded manufacturers to take a more transparent approach and offer their users opt-out capabilities on future products that include embedded ad-tracking tech. Because Superfish was developed and licensed to Lenovo, it will be interesting to find out which other manufacturers are leveraging the Superfish technology in their products.”

Patrick Belcher, Director of Security Analytics, Invincea:

“The Lenovo and Superfish unwanted software debacle should serve as notice that there are dozens of ad companies that push spyware and toolbars, many of which exhibit rootkit-like properties and siphon off local user information to sell to advertising companies.

These programs are delivered like Trojan horses, bundled into innocuous applications with the sole intent of spying on and generating revenue at the expense of the user’s privacy. The ad companies purchase this siphoned data to deliver targeted advertising, and sometimes, malvertising to specific groups of users of the Internet.”

Ian Amit, Vice President at ZeroFOX:

“The Lenovo laptops that shipped with “Superfish” adware capable of snooping through the user’s encrypted web traffic are a very tangible threat to consumers and companies. People posting about their new Lenovo laptop on social media makes it easy for attackers to find them. Consequently, mapping those users’ home, work, and local coffee shops enables attackers to confidently launch man-in-the-middle attacks by abusing how Superfish allows snooping of encrypted web traffic (i.e. online banking, shopping, email, VPNs, etc).

We recommend that companies ensure their threat intelligence provide contextual data on their exposure as related to this vulnerability (employees, partners, locations, etc).”

Simon Crosby, CTO and co-founder of Bromium:

“It is high time for PC OEMs to accept that adware and other junk software installed in consumer devices is precisely the opposite of what their customers want, and that delivering a secure, non-intrusive, high quality product is valued by consumers. The Microsoft Surface Pro 3 is perhaps the antidote to the foolish behavior of PC vendors. It delivers the best that Microsoft offers, with no hidden scams.”

Grayson Milbourne, Webroot Security Intelligence Director:

“Sadly this is common practice in the industry. Customers aren’t informed this type of software is installed, leaving many users wondering how they have an infection on their brand new laptop when an anti-virus program picks it up. Consequently, this breeds a level of mistrust between the offending company and its customer base. In this case, users have aired their frustrations over social media channels – and it’s completely distracting from the quality products Lenovo manufactures.

In the past couple weeks, Lenovo has been forced to expend valuable time and resources managing backlash from the security community and customers. Undoubtedly, this is hurting the company’s bottom line and opening the door for competitors to claim privacy superiority.

If there’s a silver lining, it’s that this story will be a wake-up call for consumers. Whether its unwanted adware from the manufacture or hackers using malicious apps, they need to take precautions to know who is watching them on their own device.”

Steve Lowing, Director of Product Development at Promisec:

“Preinstalled software, such as adware like Superfish, must go through the same scrutiny as the shipping company (in this case Lenovo) would do for their own software in order to prevent these kinds of brand impacting missteps from happening. While it’s not exactly uncommon to see adware or promotional-ware software on new laptops these days, the times have changed where these once opt-in based services are not forced on us by default.

Coupling this tactic with poorly designed software that can carry out a “man-in-the-middle” attack on what is expected to be secured data is a potential lawsuit waiting to happen. Companies like Lenovo should know better than to pre-install this kind of software in the first place.”

Mark Parker, Senior Product Manager, iSheriff:

“The practice of pre-installing 3rd party software on PCs delivered to retail establishments, and direct shipped to business customers, presents a considerable risk. Given the choice, most consumers and businesses would choose not to have the 3rd party software installed. In the case of Lenovo and Superfish, we see an indication of exactly how dangerous that can be.

The man-in-the-middle certificate used made it such that every secure session was no longer private. In a day and age where corporate breaches are increasing, we should be seeking ways to limit our exposure, not pre-installing software that can create an attack vector.”

Chris Schweigert, Security Operations Director at EiQ Networks:

“The recent discovery of the Superfish application on Lenovo PC’s brings up the old best practices of installing a known, respectable copy of an operating system on your computer when you take it out of the box. Commercial off-the-shelf (COTS) applications have long been scrutinized by major enterprise environments and you simply cannot trust what you get from a manufacturer.

As a best practice, organizations should have a gold build install of all the authorized software for each new computer that comes in. You have to nuke the manufacturer installed applications and then re-install what you know to be trusted. Another advantage here is the ability to more easily identify changes to that baseline configuration on all your systems.”

Randy Abrams, Research Director at NSS Labs:

“It is disconcerting that virtually no anti-malware products were detecting Superfish, however the difference between malicious adware and acceptable adware is not ‘black and white.’ Not all behaviors are expected to be detected without a level of inspection that is not possible with the amount of malware being released daily. Vendors like Superfish employ teams of researchers to evade anti-malware products.

There are very likely many other adware products performing the exact same activities as Superfish. The primary motivation Superfish has is advertising revenue. This could have gone much worse for Lenovo if theft was the motivation for backdoors in third party software.

It is incumbent upon C-Level IT professionals to make sure there are well-defined processes and procedures for releasing third-party software on any medium. This must include tracking and auditing of third party vendors, monitoring their reputations and malware scanning with multiple products.

Coincidentally, the newly-formed Clean Software Alliance (CSA) will help in preventing this type of adware to go undetected. The CSA is a coalition of antimalware vendors, download bundlers and other members of the ‘adware’ ecosystem that are cooperating to set meaningful standards for ‘adware.’ Superfish’s conduct would preclude CSA approval.”

Muddu Sudhakar, Caspida CEO:

“U.S. computer manufacturers are getting a lot of push back from other countries for their hardware sales after scrutiny from incidents like those tied to the NSA and Snowden. Hardware vendors need to show beyond reasonable doubt that they are shipping high quality, highly secure products, eliminating backdoors in hardware and operating systems.

We need new third party certifications for hardware vendors who ship desktops/laptops or servers such as Lenovo, IBM, HP, and Apple. The third party certification should be robust and should be done independently of vendor companies and independently of government agencies.”

John Hultquist, Senior Manager, Cyber Espionage Threat Intelligence at iSIGHT Partners:

“We have noticed a trend affecting the software supply chain. The places people go to download applications or updates have been compromised on several occasions recently by cyber espionage actors who trojanize the software with their own malware. Chinese and Russian operators have swapped out everything from SCADA software to computer games, targeting very specific users as well as some opportunistic victims.”

John Pirc, Chief Strategy Office and Co-founder of Bricata:

“Based on the information surfacing about Superfish, administrators should inspect for where this application is installed and remove it. If you are using cloud based applications such as Microsoft Office 365 for Business or Google Apps for Work, enabling 2-step authentication offers additional protection in case your log-in credentials have been exposed. In the event someone is able to get your username and password they might try and log-in from another system; 2-step authentication would protect you from becoming further compromised.

This could also complicate matters for the Lenovo install base if they have a significant footprint within the U.S. government or federal contractors. My same recommendations for businesses apply in these sectors. However, I would strongly recommend that anyone in the USG and contractor community who uses a Lenovo PC and is involved with any sensitive projects should have their system checked for Superfish. Having the app installed may not mean they are compromised, but again, the main objective is reducing your risk.

Lenovo is a great company and it is unlikely they would knowingly place ‘malware’ on a system. Lenovo should have caught the Superfish issues earlier, via discussions in their user forums and I’m sure they are addressing the matter. Still, this does not discount the risk facing those who are at risk of a man-in-the-middle attack.”

Greg Hoffer, senior director of engineering, Globalscape:

“We put a lot of trust in technology, but this event is a reminder for everyone: take nothing for granted, and remain ever vigilant with the products you develop, integrate and purchase. There are ample industry standards available for security development and testing, independent security experts available to validate performance, and well-established protocols for production and operations. Assume nothing and put into action the old axiom, ‘Trust, but verify.’”

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Many Boards of Directors Not Regularly Briefed on Cyber-Security: Survey

Posted on February 19, 2015 by in Security

Even as cyber-threats circulate, the boards of directors at many enterprises continue to remain out of the loop when it comes to security.

A new study from the Ponemon Institute found that 78 percent of the more than 1,000 CIOs, CISOs and senior IT leaders surveyed had not briefed their board of directors on cyber-security in the last 12 months. In addition, 66 percent said they don’t believe senior leaders in their organization consider security a strategic priority.

The findings follow a recent survey from the National Association of Corporate Directors (NCD) that found that more than half (52 percent) of the 1,013 corporate directors surveyed were not satisfied with the amount of information they were receiving about cyber-security. In addition, 36 percent said they were unsatisfied with the quality of that information.

“For a long time IT issues were seen by Boards of Directors as jammed printers and computer crashes,” said Michael K. Daly, CTO of Raytheon’s cyber-security business. “Showing the threat to brand and reputation – and ultimately shareholder value – has taken time. The Global Megatrends Survey showed that only 22 percent of respondents have briefed the board on the organization’s cyber-security strategy in the past 12 months and only 21 percent of say the board actually requested a briefing. In fact, one of the driving factors behind Raytheon’s desire to do this study was to elevate the information security point of view into the C-suite.”

One of the best ways to communicate with the boardroom is by reporting simple metrics that matter to the business, said Daly.

“Telling a board how many times a firewall blocked an attack doesn’t mean anything – they are left to wonder if it is good or bad that we are seeing attacks,” he said. “At Raytheon we report one number, dwell-time – the amount of time an attacker is able to use a computer before being stopped. Our goal is to keep that number as close to zero as possible by preventing their ability to communicate, move or do harm. For our board members, the trending of that one number allows them to determine the company’s exposure to risk and whether the right investments are being made, whether it is in analytics, talent, employee training, or new tools.”

Less than half of the respondents believe their organizations take appropriate steps to comply with leading cyber-security standards, and just 47 percent said their organizations have sufficient resources to meet cyber-security requirements.

Still, the majority of respondents believe their cyber-security postures will improve due to the following reasons: cyber intelligence will become more timely and actionable, more funding will be made available to invest in people and technologies, technologies will become more effective in detecting and responding to cyber threats, more staffing will be available to deal with the increasing frequency of attacks and employee-related risks will decline.

“High-profile cyber-security breaches are closing the gap between CISOs and CEOs by forcing meaningful security discussions into corner offices and boardrooms,” said Larry Ponemon, chairman and founder of Ponemon Institute, in a statement. “In the meantime, our study found there is still a large delta between resources and needs, as security leaders lack both funding and manpower to adequately protect assets and infrastructure.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Records Compromised in Data Breaches Skyrocketed in 2014: Research

Posted on February 16, 2015 by in Security

Security firm Gemalto released a report on 2014 data breaches recently and the news was not good.

In its latest Breach Level Index report, the company revealed that one billion records were compromised last year in more than 1,500 data breaches worldwide. Compared to 2013, those numbers are an increase of nearly 80 percent in terms of data records and more than 40 percent in terms of breaches overall.

Gemalto’s Breach Level Index calculates the severity of data breaches across multiple dimensions based on breach disclosure information. Among the notable attacks included in the report are the Home Depot breach, the attack on JP Morgan Chase and the attack on eBay. 

“Easily at the top of the list in terms of the number of breaches was North America with 1,164 breaches, accounting for about three quarters of all breaches (76%),” according to the report. “Those attacks involved more than 390 million records, or 38% of the total.”

According to the data in the BLI, the main motive for cyber-criminals in 2014 was identity theft. Fifty-four percent of all data breaches were identity-theft related – more than any other category, including access to financial data. In addition, identity theft breaches accounted for one-third of the most serious incidents. Incidents where the compromised data was encrypted in part or in full increased from one percent to four percent.

“We’re clearly seeing a shift in the tactics of cybercriminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number,” said Tsion Gonen, vice president of strategy for identity and data protection at Gemalto, in a statement. “Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we’re starting to see that the universe of risk exposure for the average person is expanding.” 

Broken down by industry, retail and financial services experienced the most activity compared to other sectors. Retail companies saw an increase in data breaches compared to 2013, and accounted for 11 percent of all breaches in 2014, according to the report. However, in terms of data records compromised, the percentage of retail records jumped drastically, from 29 percent to 55 percent. This was due in large part to attacks on point-of-sale systems, according to the report. 

In the case of the financial sector, the number of breaches remained relatively unchanged, though the average number of records lost per breach increased ten-fold. Overall, the number of data breaches involving more than 100 million compromised data records doubled compared to 2013. Most of the time, the malicious activity was traced to an outsider (55 percent), though 25 percent of incidents were tied to accidental loss. Fifteen percent were linked to a malicious insider. 

“Not only are data breach numbers rising, but the breaches are becoming more severe,” said Gonen. “Being breached is not a question of ‘if’ but ‘when.’  Breach prevention and threat monitoring can only go so far and do not always keep the cyber criminals out. Companies need to adopt a data-centric view of digital threats starting with better identity and access control techniques such as multi-factor authentication and the use of encryption and key management to secure sensitive data. That way, if the data is stolen it is useless to the thieves.” 

The full report can be read here.

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Feedback Friday: Reactions to White House Cybersecurity Information Sharing Initiative

Posted on February 14, 2015 by in Security

Obama Signs Executive Order After an Address at Stanford University

During the White House Summit on Cybersecurity and Consumer Protection at Stanford University on Friday, President Barack Obama signed an executive order to promote cybersecurity information sharing between private sector companies and the U.S. Government.

The executive order, signed by the President on stage after addressing a large audience, outlines an information sharing framework that would help companies work together, along with the federal government, to more effectively identify and protect against cyber threats.

“This has to be a shared mission,” Obama said during his speech. “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats.”

Overall, industry professionals applauded the steps by the White House, but indicated this is just a small step in addressing serious threats. An executive order can only go so far and more is needed than just information sharing to combat sophisticated cyber attacks, experts said.

Feedback On White House Information Sharing Initiatve

And the feedback begins…

Phil Smith, SVP of Government Solutions and Special Investigations at Trustwave:

“The President’s remarks at today’s summit are a great beginning, especially when he explained today’s threat landscape as a ‘cyber arms race.’ That statement is significant because it puts organizations and individuals on notice that cybersecurity is a national security and public safety issue. Sharing threat intelligence across government agencies, law enforcement and the private sector is a critical component of strengthening data protection however it will not work without safe harbor protections for companies that participate.

An executive order can only go so far. It takes Congressional action to mandate information sharing on a national level that includes liability protection. Without that protection, we will not see the level of participation required for information sharing to be successful.

When organizations share information they produce actionable threat intelligence that helps them stay ahead of the criminals and build defenses to block their next move.”

 Ken Xie, CEO of Fortinet:

“During the White House’s Cybersecurity Summit, there was a lot of great discussion around information sharing. The biggest obstacle is that our industry is extremely shorthanded: it’s estimated we can only fulfillne in every 20 technology positions needed in the cybersecurity space. Who will mitigate the threat? Where and who are the cyber swat teams? Who will train the responders? Answers to these questions remain unanswered, though the conversation is a step in the right direction.”

Nate Fick, CEO of Endgame:

“Much of the talk in the room is about information sharing. In security, the advantage often goes to the team with better, more usable data. So any steps to encourage faster sharing are meaningful progress.”

Tomer Weingarten, CEO of SentinelOne:

“Information sharing is a good start. However, it needs to be handled in a way that preserves the privacy of affected organizations and prevents data from being “leaked”. In the wrong hands, this intelligence would let attackers know that their operation has been compromised, could reveal attack binaries that can be re-used and expose companies that have been breached which may lead to more attacks against them. Also, sharing data and intelligence will do little to mitigate carefully crafted attacks since they often do not demonstrate any previously seen indicators.”

Mike Brown, VP and GM Public Sector for RSA:

“It isn’t just information sharing that is needed. We have some valuable avenues to share information. What we need is liability relief and clarity about the type and format of information that needs to be shared. That is also critical so that information that is shared is actually actionable.”

Tal Klein, CMO for Adallom:

“The fact that the President is addressing the issues of cyber security is a good thing – we definitely need more awareness. That stated, I am less excited about specific directives that may offset the financial incentive for companies to be in the business of cyber security. Information sharing is good, but if a security company makes their money researching threats and then is expected to turn over their research to the public domain as soon as its complete, then the value of that research diminishes.

 

I don’t think the government should be in the business of regulating the information security industry. What I suspect is that we are close to the age of the “cyber lobby” (dare I say “cyber subsidies”) – and I’m not sure that will benefit anyone other than the companies that pay to influence policy. So, I would prefer the President’s agenda would begin and end with “awareness” and avoid tinkering with the economic  dynamics of the information security market.”

Ivan Shefrin, VP of Security Solutions at TaaSera:

“Voluntary sharing of cybersecurity intelligence can be an important step – provided it’s accompanied by appropriate liability and privacy constraints. The benefits are clear: last year’s United Parcel Service breach was in fact discovered as a direct result of threat intelligence sharing between the government and private sector.

 

Sharing cyber intelligence can have a positive impact if information sharing is made actionable. To accomplish this, security professionals should assume they’re already compromised, and implement policies, tools and budgets to balance breach prevention with pre-breach detection and response.”

Marc Gaffan, CEO & Co-Founder of Incapsula:

“President Obama is taking a bold stance be visiting with tech companies in silicon valley this week to talk about his proposed cybersecurity legislation, right on the heels of his cybersecurity agency announcement earlier this week. In the past, the sale and use of botnets, which have the potential to overwhelm a site or network with malicious activity, was surrounded by legal ambiguities and grey areas. Obama’s new legislation removes all ambiguity so for the first time companies can prosecute the so-called “bot-herders” that try to do them harm.”

Ron Gula, CEO, Tenable Network Security:

“It’s important to applaud this administration for its attention to cyber security. It’s been long overdue and at the rapid pace technology is evolving, we are already behind the curve. Executive orders such as this, while not a substitute for good security practices, raise awareness for the need to invest more heavily when it comes to cyber security.

Information sharing won’t solve the bigger problems we face in the industry, but it’s a good place to start. Everyone in IT is realizing the scale and saving from centralizing command and control. Once consolidated, the information shared will provide greater context, allowing for organizations to be more agile in mitigating sophisticated attacks.”

Ryan Shaw, Director of Research and Development at Foreground Security:

“The President’s intention to issue an Executive Order (EO) promoting government and private sector cybersecurity information sharing is an important acknowledgement of the current deficiencies in our country’s current cybersecurity defense capability. Unfortunately, EOs and new agencies will not be able to resolve the sharing challenges that have existed for years.  These challenges include:

· Lack of trust between the parties involved

· COTS cybersecurity tools (e.g. SIEM, NSM, Web Proxies, ID/PS, Next-gen Firewalls) that are ill-equipped to deal with large quantities of multi-source, non-normalized threat indicators

· Shortfall of skilled cyber-threat analysts or source-agnostic platforms to manage the deluge of threat indicators

· Multiple sharing vehicles and taxonomies (these are a portion of the Voluntary Standards for ISAOs that the President will speak of)”

John Dickson, principal at software security firm Denim Group:

 “There is no mention of increased liability protection for companies in the today’s briefing sheet.  Absent of increased protection, or at least clarity, for the corporate liability question will likely result in a lukewarm reception from industry.  Couple that with remaining post-Snowden doubts that remain over working with government and law enforcement, then you have a potential non-starter here.

The focus on strong privacy and civil liberty protections misses the point here – that’s not hurdle in more information sharing, liability protection is. Cooperation with the Congress is an imperative. My contacts in the US Capitol say these initiatives are coming out with little consultation with Congress, which also brings up the question of the measures’ ultimate implementation.”

Jeff Williams, CTO, Contrast Security:

 “I’m encouraged by all the talk about public-private partnerships that bring security to the forefront for government, large businesses, small businesses, and consumers. The panelists were right about the problems of speed and scale that cybersecurity involves.  I was thrilled to see that there is awareness of the complexity and importance of the problem at the highest levels of government and business.

 

However, the overwhelming theme of the summit was that the way forward is to focus on the threats and that communication will enable us to stop attacks.  I have serious doubts as to whether chasing the threat will have any effect whatsoever – the attribution problem is so significant in cyberattacks that after months we still have no resolution to the Sony attack, much less Anthem or others.

The worst part is that spending all this effort chasing our tails takes away from time we should be focused on building secure code and strong defenses. The fact that we are still producing code with SQL injection after almost two decades is embarrassing. The government can and should play a role in encouraging the software market to produce secure code. But with a confusing patchwork of agencies, agendas, and responsibilities, government has fallen far behind the financial industry in their ability to secure their own house.”

Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:

 “The White House is pushing a lot of recommendations that don’t seem to have gone through a vetting process by experienced technologists. The effort to weaken encryption will ultimately have the opposite of the desired effect. There are new rules that impact security researchers and will lead to less secure systems, because it will be illegal for researchers to test those systems.

 

The positive results will be the increased visibility and discussion about these issues. For me, if the US government really wanted to improve security they would be at the forefront of data sharing and making it easier for researchers to contribute, not harder.”

Dan Waddell, Director of Government Affairs, (ISC)2:

“It’s important that the American public put this issue into perspective.  As mentioned by Lisa Monaco, the White House’s top aide for counterterrorism and homeland security, the cyber threat is becoming more diverse, sophisticated and dangerous. The actions of cyber attackers, while seldom seen played out online, are potentially as egregious on many different levels including economically, militarily, and in regards to the public’s day-to-day safety.

Overall, I think it’s a positive sign that we’re having these discussions at the highest levels of both the public and private sectors as well as academia.  CEOs, CISOs, government leaders and educators are all saying the same thing – cybersecurity is an absolute necessity to help protect our nation’s interests. It has an impact on every aspect of our lives – from homeland security, to defense, to the economy, to energy and critical infrastructure, to health, etc.  Everyone shares a common interest: We need to secure information of the people, for the people.”

Chris Wysopal, CTO & co-founder at Veracode:

 “The challenge for the tech industry is they need to retain the trust of their users or they can’t grow their businesses which require more and more intimate data be stored and processed by them.  That is why after many years of security professionals complaining of the lack of SSL usage by majo7r tech companies it wasn’t until the Snowden revelations that it was finally enforced by the big players.  

 

“The federal government has to convince the people using Google, Yahoo, Apple, etc., not the executives from those companies, that their data is safe from wholesale snooping or the information sharing they want is going to be a struggle.” 

Ken Westin, Security Analyst Tripwire:

“This Order and the informatPion sharing initiatives are a step in the right direction, however the challenge will be in the implementation where citizens’ privacy and civil liberties are protected, as well as making any intelligence gathered through these initiatives relevant and actionable for government agencies as well as private industry. In order to make these initiatives effective, secure and manageable, will require strong oversight and properly allocated resources to implement, not just initially, but also over the next few years as the program evolves. There needs to be constant vigilance and review of processes, data collected and effectiveness of the program in order to ensure agencies do not overreach and that the program itself remains useful to industry and agencies alike.

The devil is truly in the details, although I believe the spirit and intentions of the Order is good, it will be critical that there is transparency and oversight regarding its implementation. The government is breaking new ground and it is important to tread carefully, as there is a lot to learn in the process of developing a system of this scale and depth. I sincerely hope that the government will be involving not just law makers and political thinkers, but also technologists and security experts from both private industry and the government to ensure the program is implemented efficiently, securely and meets established requirements for the program.” 

*Additional reporting by Eduard Kovacs

Subscribe to the SecurityWeek Email Briefing

view counter

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Complexity is the Enemy of Security

Posted on February 11, 2015 by in Security

We’ve likely all heard the phrase “complexity is the enemy of security” many times. It’s an oft-used sound bite, but what can we learn from this concept to improve our respective security postures? Although there are many angles one could approach this concept from, I’d like to examine it from a security operations and incident response perspective.

Simplicity in Collection and Analysis

Most enterprises instrument their network to collect many different, highly specialized forms of data. For example, an organization may collect netflow data, firewall logs, DNS logs, and a variety of other specialized forms of data. This creates a stream of various different data types and formats that complicates and clouds the operational workflow. Unfortunately, the first question when performing analysis or incident response is often “Where do I go to get the data I need?” rather than “What questions do I need to ask of the data?”

In addition to the variety and complexity of these specialized forms of data, the volume of data they create often overwhelms enterprises. These huge quantities of data result in shorter retention periods and longer query times. This perfect storm of circumstances creates a very real operational challenge.

Security Data Collection

Fortunately, organizations can address this challenge by seeking out fewer, more generalized collection technologies that provides the required level of visibility with greatly reduced complexity and volume. Continuing with the above example, in lieu of many different highly specialized network data sources, an organization could consider one layer 7 enriched meta-data source.

Simplicity in Detection

Wikipedia defines an Indicator of Compromise (IOC) as “an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.” Associated contextual information is also usually included along with the artifact and helps an organization to properly leverage the IOC. Context most often includes, among other things, information regarding to which attack stage an indicator is relevant. Attack stages can be broken up into three main families, each of which contains one or more attack stages:

• Pre-infection: reconnaissance, exploit, re-direct

• Infection: payload delivery

• Post-infection: command and control, update, drop, staging, exfiltration

It is well known that many organizations struggle with excessive amounts of false positives and low signal-to-noise ratios in their alert queues. There are several different angles from which an organization can approach this problem, and in fact, I have previously written about some of them. Another such approach, which can be used in combination with the others, is to go for the “money shot”.

At some point, when an organization wants to watch for and alert on a given attack, intrusion, or activity of concern, that organization will need to select one or more IOCs for this purpose. Going for the “money shot” involves selecting the highest fidelity, most reliable, least false-positive prone IOC or IOCs for a given attack, intrusion, or activity of concern. For example, if we look at a typical web-based re-direct attack, it may involve the following stages:

• Compromise of a legitimate third party site to re-direct to a malicious exploit site

• Exploitation of the system from the malicious exploit site

• Delivery of the malicious code

• Command and control, along with other post-infection activity

Although it is possible to use IOCs from all four of the above attack stages, using IOCs from the first three stages presents some challenges:

• Compromised legitimate third party sites likely number in the millions, meaning we would need millions of IOCs to identify just this one attack at this stage. Further, there is no guarantee that the attempted re-direct would succeed (e.g., if it were blocked by the proxy). An unsuccessful re-direct means that there was no attempt to exploit. In other words, for our purposes, a false positive.

• Exploits don’t always succeed, and as such, alerting on attempted exploits can often generate thousands upon thousands of false positives.

• If we see a malicious payload being delivered, that is certainly of concern. But what if the malicious payload does not successfully transfer, install, execute, and/or persist? We have little insight into whether a system is infected, unless of course, we see command and control or other post-infection activity.

Command and control (C2) and other post-infection activity, on the other hand, is always post-infection. That means that if we can distill a high fidelity, reliable IOC for this attack stage, we can identify malicious code infections immediately after they happen with a very low false positive rate. Obviously, preventing an attack is always preferable, but as we all know, this is not always possible. The next best option is timely and reliable detection.

Simplicity in O&M

When people began moving from the cities to the suburbs in the post-war United States in the 1950s, new infrastructure was built to serve the shifting population. The infrastructure served its population well for 50 years or so, until the 2000s, when the physical lifetime of water mains, electric power lines, and other infrastructure was reached. What people quickly realized is that although money and resources had been allocated to build and deploy infrastructure, money and resources had not been allocated to operate and maintain the infrastructure for the long term. In other words, O&M would be required to repair or replace the aging infrastructure, but the resources for that O&M would have to be found elsewhere.

Similarly, in the information security realm, as new business needs arise, new security technologies are often deployed to address them. Enterprises often forget to include O&M when calculating total cost. Another way to think of this is that each new security technology requires people to properly deploy, operate, and maintain it. If head count were increased each time a new security technology was deployed, the model would work quite well. However, as those of us in the security world know, head count seldom grows in parallel with new business needs. This presents a big challenge to the enterprise.

O&M cost (including the human resources required to properly deploy, maintain, and operate technology) is an important cost to keep in mind during the technology lifecycle. O&M cost is a large part of the overall cost of technology, but it is one that is often overlooked or underestimated. In an effort to lower total overall O&M costs, and building on the collection and analysis discussion above, it pays to take a moment to think about the purpose of each technology. Is this specific technology a highly specialized technology for a highly specialized purpose? Could I potentially retain the functionality and visibility provided by several specialized technologies through the use of a single, more generalized technology?

If the answer to these two questions is yes, it pays to think about consolidating security technologies through an exercise I like to call “shrinking the rack”. Shrinking the rack can be a great option, provided it doesn’t negatively affect security operations. Fewer specialized security technologies mean fewer resources to properly deploy, maintain, and operate them. That, in turn, means lower overall O&M costs. Lower O&M costs are always a powerful, motivating factor to consider.

The concept of simplicity is one that we can apply directly to security operations and incident response. This piece touches on just some of the variety of lessons we can learn from this topic. Although the phrase “complexity is the enemy of security” is a popular sound bite, if we dig a level deeper, we see that there is a great deal we can learn from the concept.

Subscribe to the SecurityWeek Email Briefing

view counter

Joshua Goldfarb (Twitter: @ananalytical) is Chief Security Strategist of the Enterprise Forensics Group at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant where consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career Goldfarb served as the Chief of Analysis for US-CERT where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and a M.Eng. in Operations Research and Information Engineering from Cornell University.

Previous Columns by Joshua Goldfarb:


SecurityWeek RSS Feed

Tokyo Cyber Security Competition Draws 90 Hackers

Posted on February 8, 2015 by in Security

Tokyo – A cyber security competition began Saturday in Tokyo, with organizers aiming to show off the skills of young Japanese hackers by testing them against international rivals.

The final rounds of the Security Contest 2014, or SECCON, brought together 90 participants in 24 teams from seven nations and regions: China, Japan, Poland, Russia, South Korea, Taiwan, and the United States.

The winners of the Tokyo competition will advance to the prestigious Def Con CTF (Capture the Flag) competition, slated for later this year, organisers said. SECCON was designed to allow young Japanese technology engineers to show off their skills on the world stage, while also encouraging more to get into the field of cyber security.

Teams compete for points by hacking six virtual servers to discover particular keywords, and can also intervene to stop their rivals’ cyberattacks.

“There is a need for a forum where fledgling, young… hackers can grow and gain understanding of their families, schools and the outside world,” said Yoshinori Takesako, the head of the SECCON organising committee.

“This is important in order to keep them away from being pulled into the underground world,” he said in a statement to AFP.

The Japan-based event has drawn a total of 4,186 participants from 58 countries through various qualifying rounds.

Takesako said the organizers, supported by government agencies, tech firms, and scholars, also want to change the media image that Japan lags other nations in the cyber security field.

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

SEC Examines Response From Financial Advisory, Brokerage Firms to Cyber Threats

Posted on February 5, 2015 by in Security

An overwhelming majority of brokerage and investment advisory firms examined by the U.S. Securities and Exchange Commission (SEC) have been the subject of a cyber-attack.

In its recent ‘Cybersecurity Examination Sweep Summary‘ report, the SEC took a look at 57 registered broker-dealers and 49 registered investment advisors. Eighty-eight percent of the broker-dealers and 74 percent of the advisers stated that they have experienced cyber-attacks either directly or through one or more of their vendors.

The majority of the cyber-related incidents are related to malware and fraudulent email. In fact, more than half of the broker-dealers (54 percent) and 43 percent of the advisers reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of those broker-dealers reported losses in excess of $ 5,000 related to these emails, with no single loss being greater than $ 75,000. Twenty-five percent of the broker-dealers confessing losses related to the emails said the damage was the result of employees not following their firm’s identity authentication procedures.

<a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.securityweek.com%2Fcybersecurity-healthcare-retail-sectors-lags-behind-utility-and-financial-industries-report%22%3E"Brokers and advisors, especially those who handle very wealthy clients, are used to dealing with substantial sums of money, but they’re also human beings who can be duped by a well-crafted phishing scam,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “Not all of these brokerages are as big as Wells Fargo and Morgan Stanley. Small and medium financial firms are gaining visibility because criminals are walking away with meaningful sums of money. The criminals are becoming more savvy about which kinds of transactions remain under the radar, and the more success they have with these targets, the more of these businesses they go after.”

The good news is the vast majority of examined broker-dealers (93 percent) and advisers (83 percent) have adopted written information security policies, and 89 percent of the broker-dealers and 57 percent of the advisers conduct periodic audits to determine compliance with these policies. For the majority of both broker-dealers (82 percent) and the advisers (51 percent), these written policies discuss mitigating the effects of a cyber-security incident and/or outline the plan to recover from such an incident. These policies however generally did not address how firms determine whether they are responsible for client losses associated with cyber incidents.

While firms identified misconduct by employees and other authorized users of their networks as a significant concern, only a small proportion of the broker-dealers (11 percent) and the advisers (four percent) reported incidents in which insiders engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client or firm information, or damage to the firms’ networks. 

The vast majority of examined firms conduct firm-wide risk assessments on a periodic basis to identify cybersecurity threats, vulnerabilities and any potential impact to business. While most of the broker-dealers (93 percent) and advisers (79 percent) reported considering such risk assessments in establishing their cybersecurity policies and procedures, fewer firms applied these requirements to their vendors. While 84 percent of the brokerage firms require cyber-security risk assessments of vendors with access to their firm’s networks, only 32 percent of the advisers do so.

“Cybersecurity threats know no boundaries,” said SEC Chair Mary Jo White, in a statement. “That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC. Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

XSS, XFS, Open Redirect Vulnerabilities Found on About.com

Posted on February 3, 2015 by in Security

About.com, the online resource website visited by tens of millions of users each month, is plagued by several types of potentially dangerous vulnerabilities, a researcher revealed on Monday.

According to Wang Jing, a PhD student at the Nanyang Technological University in Singapore, a large majority of the pages on About.com are vulnerable to cross-site scripting (XSS) and cross-frame scripting (XFS/iFrame injection) attacks.

The expert tested close to 95,000 About.com links with a script he developed and determined that at least 99.88% of them are vulnerable. The search field on the website’s homepage is also plagued by an XSS flaw which, according to Jing, means that all the domains related to about.com are vulnerable to XSS attacks.

In order to exploit XSS vulnerabilities, an attacker needs to convince the victim to click on a specially crafted link. XSS attacks can be used to alter the appearance of a website, access potentially sensitive information, and spy on users.

XFS attacks can be used to steal data from websites accessed by the victim. For the attack to work, a malicious actor must get the user to access a Web page he controls. Such vulnerabilities can also be exploited for distributed denial-of-service (DDoS) attacks, the expert noted.

Jing has also identified open redirect bugs on several About.com pages. The vulnerabilities can be leveraged to trick users into visiting phishing and other malicious websites by presenting them with a link that apparently points to an about.com page.

“The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7,” the researcher said in a blog post.

About.com was notified of the existence of the vulnerabilities back in October 2014, but so far the company hasn’t done anything to address them, the researcher said. About.com hasn’t responded to SecurityWeek’s requests for comment.

Poof-of-concept (PoC) videos for the XSS vulnerability on the About.com homepage and the open redirect flaw have been published by the researcher. 

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed