December 25, 2024

Cyber Attacks From Las Vegas Spiked During Black Hat, Defcon: Imperva

Posted on August 22, 2014 by in Security

The days when the Black Hat USA and Defcon conferences are ongoing are two times when surfing the Internet in Las Vegas can be a gamble all on its own.

According to Imperva, there was a spike in malicious activity emanating from Sin City two weeks ago when the conferences were under way.

“I decided to test for attack traffic originating in Las Vegas during BlackHat and Defcon, and a month prior to that in order to correlate to baseline,” blogged Barry Shteiman, Imperva’s director of security strategy. “In order to do that, we collected all of the security events during that time period from our Community Defense system, mapped Geo IPs for Nevada state, and Las Vegas specifically, then we queried the Community Defense data set for all source IPs that were in the US. Finally, we summarized by date and where the city itself is Las Vegas.”

Here’s what the company found. Typically, it detects roughly 20 attacks originating from Las Vegas on a normal day. During the conferences, however, that number peaked at 2,612. There was a significant drop-off as Black Hat began winding down: on Aug. 6, the conference’s second-to-last day, there were just 20 detected attacks. The start of Defcon, which is also the final day of Black Hat, erased that decline, however, and the number of attacks shot back up to 1,916 on Aug. 7.

On the final day of Defcon, Aug. 10, the number of detected attacks fell to 7.
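The procedure Shteiman describes (collect events, geolocate the sources, keep those in Las Vegas, Nevada, summarize by date and compare with a prior-month baseline) as an added Python example. This is not Imperva’s code; the event format, field names, sample figures and the 10x spike threshold are constructed here for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed geo-tagged events: each is a dict with the source's country,
# region (state) and city, as a GeoIP lookup would yield. The field names
# are an assumption for this example, not a real product's schema.

def make_events(day, n, city="Las Vegas", region="NV", country="US"):
    """Return n constructed attack events from one city on one day."""
    return [{"date": day, "country": country, "region": region, "city": city}
            for _ in range(n)]

def build_sample():
    """Constructed data set: a July baseline month plus conference days in
    August, mirroring the article's figures (about 20/day normally, 2,612 and
    1,916 on the peak days, 20 on Aug. 6, 7 on Aug. 10)."""
    events = []
    for d in range(31):
        day = date(2014, 7, 1) + timedelta(days=d)
        events += make_events(day, 18 + d % 5)           # Las Vegas, Nevada
        events += make_events(day, 40, city="Reno")       # same state, other city
        events += make_events(day, 15, region="NM")       # Las Vegas, New Mexico
    conference = {date(2014, 8, 5): 2612, date(2014, 8, 6): 20,
                  date(2014, 8, 7): 1916, date(2014, 8, 10): 7}
    for day, n in conference.items():
        events += make_events(day, n)
    return events

def daily_counts(events, country="US", region="NV", city="Las Vegas"):
    """Keep only events whose source geolocates to the target city and
    state, then summarize by date."""
    counts = Counter()
    for ev in events:
        if (ev["country"], ev["region"], ev["city"]) == (country, region, city):
            counts[ev["date"]] += 1
    return counts

def baseline(counts, start, end):
    """Median daily count over the baseline window; days with no events
    count as zero so a quiet month is not overstated."""
    days = (end - start).days + 1
    values = [counts[start + timedelta(days=d)] for d in range(days)]
    return median(values)

def spike_days(counts, start, end, base, factor=10):
    """Days in [start, end] whose count is at least `factor` times the
    baseline (floored at 1 so a zero baseline still needs real traffic)."""
    threshold = max(base, 1) * factor
    days = (end - start).days + 1
    result = []
    for d in range(days):
        day = start + timedelta(days=d)
        if counts[day] >= threshold:
            result.append((day, counts[day]))
    return result

def analyze_sample():
    """Run the whole procedure on the constructed data: baseline from July,
    spikes in the first ten days of August. Returns (baseline, [(iso_day, n)])."""
    counts = daily_counts(build_sample())
    base = baseline(counts, date(2014, 7, 1), date(2014, 7, 31))
    spikes = spike_days(counts, date(2014, 8, 1), date(2014, 8, 10), base)
    return base, [(day.isoformat(), n) for day, n in spikes]

if __name__ == "__main__":
    base, spikes = analyze_sample()
    print(f"baseline: {base} attacks/day")
    for day, n in spikes:
        print(f"{day}: {n} attacks ({n / base:.0f}x baseline)")
```

On the constructed data the July baseline comes out at 20 per day and only Aug. 5 and Aug. 7 clear the spike threshold, while the Las Vegas, New Mexico noise is excluded by the state filter.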

Chart of Attacks Coming from Las Vegas

Imperva also noted a jump in attack volume during the NAACP conference in July, which indicates one of a few possibilities: either a large crowd in a conference-scale event causes a growth in attack volume due to malware on computers, or attackers are attending the conference and performing their attacks from there, Shteiman wrote. As for Black Hat and Defcon, they are not exactly typical conferences, he added.

“They have some of the brightest security/hacking minds in the world attending,” he blogged. “Those guys who read every link before they click, run custom operating systems in cases and are generally very aware of security and therefore are less likely to be drive-by victims of hacking – for that reason, seeing numbers that high is more substantial at a hacker conference than in other conferences.”

Brian Prince is a Contributing Writer for SecurityWeek.

SecurityWeek RSS Feed

Imperva Names Former Coverity Chief as New CEO

Posted on August 19, 2014 by in Security

Redwood Shores, California-based Imperva announced on Monday that it has appointed Anthony J. Bettencourt as the company’s new president and chief executive officer. Bettencourt replaces Shlomo Kramer, Imperva founder and CEO, who will continue as chairman of the company’s board and will also serve as Chief Strategy Officer.

Bettencourt came to Imperva from Coverity Inc., where he recently served as chief executive officer, leading the company through its acquisition by Synopsys for roughly $375 million in February 2014. Prior to Coverity, Bettencourt served as CEO of Verity, a provider of enterprise search solutions, leading the company through its acquisition by Autonomy Corp. in 2005.

Bettencourt currently serves on the boards of Proofpoint, Blinkx and Formation Data Systems.

“I am very pleased to be joining Imperva, and look forward to capitalizing on the opportunities at Imperva for Imperva shareholders, employees and partners,” Bettencourt said. “Imperva has established a strong leadership position in the data center security market and has a proven track record of success and innovation. I am excited to be working with the Imperva executive team, board of directors and employees to grow the company to its highest potential.”

“We are very excited to welcome Anthony to Imperva. He was chosen for his distinguished track record of executive leadership, as well as his ability to build highly effective organizations. Anthony has demonstrated an ability to drive shareholder value in competitive market segments and he brings experience driving technology excellence and global growth,” Kramer commented, “I look forward to working with Anthony and am confident that he is the right person to lead Imperva on the next stage of growth.”

Earlier this year, Imperva announced its plans to acquire two security firms and assets from another, in a move that will help extend its data center security strategy across the cloud.

In its most recent quarter, Imperva (IMPV) posted revenues of $38.40 million, up 22.7% year-over-year, beating analysts’ estimates by $3.98 million. Within services revenue, overall subscription revenue grew 110% to $5.3 million, compared to the second quarter of 2013. Combined product and subscriptions revenue was $21.8 million compared to $18.2 million in the second quarter of 2013. The company said that during the second quarter of 2014, it booked 88 deals with a value over $100,000 compared to 76 deals during the second quarter of last year.

As of July 31, the company said it has over 3,300 customers in more than 75 countries around the world.

Mike Lennon, Managing Editor, SecurityWeek.

Android Trojan Krysanec Comes Disguised as Legitimate Apps

Posted on August 13, 2014 by in Security

Researchers at ESET have uncovered a new remote access Trojan (RAT) for Android that has been masked by cybercriminals as various popular applications.

The malware, detected by the security firm as Android/Spy.Krysanec, is capable of infiltrating both free and paid Android apps, and it has been distributed via a file sharing website, a Russian social network and other channels. It has been disguised as 3G Traffic Guard, a mobile banking app from Russia’s top lender Sberbank, and even ESET Mobile Security. However, unlike the legitimate programs, the trojanized versions are not signed with valid digital certificates.

According to ESET’s Robert Lipovsky, the malicious applications they have discovered actually contain the old multi-platform RAT known as Unrecom (previously known as Adwind). Trend Micro revealed back in April that the threat was upgraded to run on Android devices. At the time, the security firm also discovered that Unrecom worked as an APK binder, giving it the ability to trojanize legitimate applications.

Once it finds itself on a device, the threat can be used to download and execute additional components that enable cybercriminals to perform various activities, like recording audio through the microphone, taking pictures, accessing text messages, obtaining the current GPS location, and collecting information on installed apps, placed calls and visited webpages.

Researchers have found that some of the samples communicate with a command and control (C&C) server hosted on a domain belonging to No-IP, the dynamic DNS provider whose domains were seized recently by Microsoft as part of an operation against the Bladabindi (njRAT) and Jenxcus (NJw0rm) botnets. The domains were later returned to the DNS company and the case was dropped after Microsoft determined that No-IP was not knowingly facilitating the distribution of malware. 

 “It’s a relatively straightforward job for someone with coding experience to decompile an existing Android app, insert malicious capabilities, and re-build it as new,” Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs, said in an emailed statement. “The tools to make this possible can be found by anyone with a good working knowledge of a search engine. A lot of the Android RATs used also utilize existing pre-built toolkits, making it relatively straightforward.”

By Eduard Kovacs.

Hackers Demand Automakers Get Serious About Security

Posted on August 11, 2014 by in Security

A group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars.

In an open letter to “Automotive CEOs” posted (PDF) on the I am the Cavalry website, a group of security researchers called on automobile industry executives to implement five security programs to improve car safety and safeguard them from cyberattacks. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation.

“The once distinct world of automobiles and cybersecurity have collided,” read the letter. “Now is the time for the automotive industry and the security community to connect and collaborate.”

Vehicles are “computers on wheels,” said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group that penned the open letter. The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.

Computers manage engines, brakes, navigation, air-conditioning, windshield wipers, entertainment systems, and other critical and non-critical components in modern cars. Security experts have warned that unless the systems are built with better security features, cyberattacks against cars could result in physical injury to the driver and any passengers. The five star plan can conceivably be used by consumers, in Consumer Reports style, to understand which automakers are thinking about security, Corman said.

The first “star,” safety by design, simply means automakers should design and build automation features with security in mind. Engineers should be stopping to think about how the systems could be tampered with and then build in blocks to prevent such an attack. Automakers should also implement a secure software development program within their companies to encourage better coding and design.

Third party collaboration asks automakers to establish a formal vulnerability disclosure program, to clearly state what its policies are and who to contact. This doesn’t mean bug bounties—where companies would pay for bugs—but rather designing a process that ensures bug reports and other information from third-party researchers reach the right engineers.


“Tesla already gets a star,” Corman said, noting the electronic car maker recently established such a policy.

Evidence capture is the first technical piece in the Five Star program, and asks for forensics capabilities such as events logging in car systems.

“We have black boxes in airplanes,” Corman said, noting it’s currently impossible to collect any information on why something failed in car systems. Security updates mean that fixes for issues found and reported actually get pushed out to individual cars in a timely and effective manner. And the final star—and the last technical piece—is segmentation and isolation, referring to keeping critical systems separate from the rest of the car’s network.

“With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes,” said Corman.

Vehicles, transportation systems, industrial control systems, and medical devices represent some of the hottest areas of cyber research. At Black Hat this year, Charlie Miller, an engineer at Twitter, and Chris Valasek, director of vehicle security research at IOActive, demonstrated how they could remotely control vehicles by compromising non-critical systems. The panel built on last year’s research, which showed how they could take over the brakes and the car’s steering from the back seat of the car. There were sessions discussing medical device security, and a DEF CON presentation looked at how traffic control systems were not secure.

The security industry reaching out directly to the automobile industry was a good idea, said Andrew Ruffin, a former staffer for Sen. Jay Rockefeller (D-WV), a member of the Senate Commerce Committee. Ruffin attended the press conference at DEF CON 22 on Friday. “I’m encouraged by the letter and hope there’s a quick response,” said Ruffin. “I think this has some legs.”

Considering how technology has permeated practically all parts of modern life, the group wants manufacturers to think about security and start implementing security features in their designs and business processes. The goal is to start thinking about security and implementing safeguards before the major cyberattack happens, said Corman. To people who say these things take time and would require a lot of work, Corman had two words: “We know.” The time to start is now, so that in a few years, these efforts would actually show results, he said.

Along with releasing the open letter, the group participated in a closed-door session with automobile and medical device representatives in a private meeting in Las Vegas on Tuesday and plans to discuss automotive hacking at DEF CON on Sunday. There is also a change.org petition demanding that automakers pay attention to car safety and cybersecurity.

“When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles,” the letter said.

Signatures and instructions for signing the petition can be found online.

Podcast: Car Hacking with Charlie Miller and Chris Valasek

Related: Car-hacking Researchers Hope to Wake up Auto Industry

Related: Forget Carjacking, What about Carhacking?

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.


Russian Hackers Obtained 1.2 Billion Passwords: Report

Posted on August 5, 2014 by in Security


A Russian hacker group has obtained an estimated 1.2 billion Internet credentials collected from various websites around the world, Nicole Perlroth and David Gelles of the New York Times reported Tuesday.

According to data provided to the newspaper by Hold Security, the Times reported that user names and passwords were stolen from roughly 420,000 websites of all different sizes. According to the report, the hackers also gained access to 500 million email addresses.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, founder and chief information security officer of Hold Security, told the Times.

Most of the sites that the hackers pillaged are still vulnerable, Holden said. The Times said the group is based in a small city in south central Russia and includes fewer than a dozen men in their 20s “who know one another personally — not just virtually.”

“This issue reminds me of an iceberg, where 90 percent of it is actually underwater,” John Prisco, CEO of Triumfant, told SecurityWeek in an emailed statement. “That’s what is going on here with the news of 1.2 billion credentials exposed. So many cyber breaches today are not actually reported, often times because companies are losing information and they are not even aware of it.”

“Today, we have learned of a huge issue where it seems like a billion passwords were stolen overnight, but in reality the iceberg has been mostly submerged for years – crime rings have been stealing information for years, they’ve just been doing it undetected because there hasn’t been a concerted effort on the part of companies entrusted with this information to protect it,” Prisco continued.

An Urgent Call for Two-factor Authentication

Eric Cowperthwaite, vice president, advanced security & strategy at Core Security, explained that this is another example of the pressing need for users and companies to leverage two-factor authentication.

“Companies need to transition to two-factor authentication,” Cowperthwaite said. “Companies such as Facebook and Twitter have finally started offering two-factor authentication, but the bottom line is that most users aren’t taking advantage of it.”

“Banks, as a standard practice, should absolutely be using two-factor authentication,” Cowperthwaite added. “They have a certain amount of loss from fraud built into their operating model – they just accept that it will happen. This acceptance is a shame since there are many simple ways to reduce those costs significantly.”

Holden told the Times that his team has started to alert victimized companies of breaches, but had been unable to reach every website. He also said that Hold Security was working to develop an online tool that enables users to test and see if their personal information is in the database.

“Russian cyber gangs are known for breaking in to steal whatever they can as quickly as possible,” said Joshua Roback, Security Architect, SilverSky. “We should expect to see these accounts for sale on underground forums before the week is through.”

“Understanding why passwords are so valuable to hackers can both explain and prepare enterprises to deal with potential security vulnerabilities,” SecurityWeek columnist Gil Zimmermann noted in a December 2013 column. “There are potentially hundreds of uses for stolen passwords once they are obtained.”

While not close to the scope of this recently disclosed discovery, Germany’s Federal Office for Online Security (BSI) warned Internet users in January that cybercriminals had obtained a list of 16 million email addresses and passwords.

Related: Hackers Just Made Off with Two Million Passwords, Now What?

Mike Lennon, Managing Editor, SecurityWeek.

Mozilla Accidentally Dumps Info of 76,000 Developers to Public Web Server

Posted on August 3, 2014 by in Security

Mozilla Exposes Email Addresses of 76,000 Developers and 4,000 Password Hashes

Mozilla, the foundation behind the popular Firefox Web Browser, warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process.

The discovery was made around June 22 by one of Mozilla’s Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday.

“Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,” Peters wrote.

While the data was exposed to the public, that doesn’t necessarily mean anyone with malicious intentions discovered it before it was cleaned up. According to Peters, Mozilla hasn’t seen any malicious activity on the server, but noted it can’t rule that out.

According to Peters, the encrypted passwords were salted hashes and by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems. Peters further clarified in comments on the blog that the exposed passwords included salts that were unique to each user record.

Mozilla sent notices to those affected and suggested that anyone who had both email and password information exposed change any similar passwords they may be using elsewhere.

In typical breach disclosure fashion, Peters explained that Mozilla was examining how the “processes and principles that are in place” could be made better to reduce the likelihood that a similar incident could happen again.

Mike Lennon, Managing Editor, SecurityWeek.

Organizations Slow at Patching Heartbleed in VMware Deployments: Report

Posted on July 25, 2014 by in Security


VMware released a series of updates to address the OpenSSL vulnerability known as Heartbleed in its products in April, but many organizations still haven’t secured their installations, virtualization management firm CloudPhysics reported on Monday.

Based on machine metadata collected from virtualized datacenters, CloudPhysics determined that 57% of VMware vCenter servers and 58% of VMware ESXi hypervisor hosts are still vulnerable to Heartbleed attacks.

“This is a remarkably high percentage given that ESX run the majority of business critical VMs in the world. I speculate that IT teams are more lax about patching ESXi since those machines are typically behind the firewall and not easy to reach from the outside world,” Irfan Ahmad, CTO and co-founder of CloudPhysics, wrote in a blog post.

“However, that laxity doesn’t make the delay in patching a good idea,” he added. “For one thing, insider attacks continue to be a major source of breaches. Another consideration is that if outside attackers do manage to infiltrate a low privilege service inside your firewall, you have just given them carte blanche to attack your most sensitive data.”

According to Ahmad, 40% of the organizations in CloudPhysics’ dataset have at least one vCenter server or ESXi host running a vulnerable version of OpenSSL. By May, over 25% of vCenter servers and ESXi hosts had been patched, but over the next two months, the rate at which organizations were applying the updates had slowed down.

Shortly after the existence of the Heartbleed bug came to light, there were roughly 600,000 vulnerable systems. A couple of months later, Errata Security reported that the number was down to 300,000. However, some experts predict that it will take months, possibly even years, until all systems are patched.

“If insiders, or attackers via insiders, exploit the Heartbleed vulnerability through an untraceable attack they can gain access to mission-critical systems. With the window for the exploit being so large, combined with the current slowness of patching, the severity of an already serious problem is exacerbated,” Ron Zalkind, CTO of cloud data protection company CloudLock, told SecurityWeek.

“Maintaining patches is always prudent, but with an exploit like Heartbleed, its importance cannot be overstated. We strongly encourage organizations to immediately patch their systems per guidance from VMware, with a particular focus on systems that are the most significant to their businesses.”

Eric Chiu, founder and president of cloud control company HyTrust, points out that the traditional approach to security has been to protect the perimeter, which has bred a long-standing misconception that systems within an organization’s datacenter don’t need to be protected.

“However, breaches are not only happening more often and getting bigger, but they’re also primarily happening from the inside. Attackers are using social engineering, phishing, malware and other attack techniques to steal employee or I.T. credentials in order to gain access to networks. Once in, they can move forward, backward or laterally, and siphon large amounts of sensitive data without ever being detected. Given that virtualization is a ‘concentration’ of systems and data, the result is a higher concentration of risk. If an attacker is able to pose as a virtualization admin, for example, that could ultimately be ‘game over’ for a victim company,” Chiu told SecurityWeek.

“Bottom line, organizations need to shift their security strategy from that of just an ‘outside-in’ approach, to an ‘inside-out’ model. They should assume attackers are already inside, in which case access controls, audit logging, alerts and data encryption are important—if not critical… especially in ensuring a secure cloud environment.”

Related: Heartbleed Vulnerability Still Beating Strong

Related: Recovering from Heartbleed: The Hard Work Lies Ahead

By Eduard Kovacs.

Apple iPhone ‘Threat to National Security’: Chinese Media

Posted on July 12, 2014 by in Security

BEIJING – Chinese state broadcaster CCTV has accused US technology giant Apple of threatening national security through its iPhone’s ability to track and time-stamp a user’s location.

The “frequent locations” function, which can be switched on or off by users, could be used to gather “extremely sensitive data”, and even state secrets, said Ma Ding, director of the Institute for Security of the Internet at People’s Public Security University in Beijing.

The tool gathers information about the areas a user visits most often, partly to improve travel advice. In an interview broadcast Friday, Ma gave the example of a journalist being tracked by the software as a demonstration of her fears over privacy.

“One can deduce places he visited, the sites where he conducted interviews, and you can even see the topics which he is working on: political and economic,” she said.

The frequent locations function is available on iOS 7, the operating system used by the current generation of iPhones released in September 2013. “CCTV has only just discovered this?” said one incredulous Chinese microblogger.

The dispute is not the first time Apple has been embroiled in controversy in China, where its products are growing in popularity in a marketplace dominated by smartphones running Google’s Android operating system.

Apple lost a lawsuit against a Chinese state regulator over patent rights to voice recognition software such as the iPhone’s “Siri” just this week.

In March 2013 the Californian company was notably the target of criticism orchestrated by the Chinese media on behalf of consumers, who were critical of poor after-sales service.

And in 2012 the US firm paid $60 million to settle a dispute with another Chinese firm over the iPad trademark.

The privacy scare also reflects mutual distrust between the US and China after a series of allegations from both sides on the extent of cyber-espionage.

Leaks by former US government contractor Edward Snowden have alleged widespread US snooping on China, and this month it was reported Chinese hackers had penetrated computer networks containing personal information on US federal employees.

Apple did not immediately respond when contacted by AFP for comment.

Related: Obama Not Allowed an iPhone for Security Reasons

Related: NSA Tracks Mobile Phone Locations Worldwide

© AFP 2013


OpenDNS Adds Targeted Attack Protection to Umbrella Security Service

Posted on July 9, 2014 by in Security

OpenDNS has enhanced its cloud-based network security service Umbrella with new capabilities designed to protect organizations against targeted attacks, the company announced on Tuesday.

The company says its monitoring systems are capable of detecting malicious traffic from the first stages of a potential targeted attack by comparing customers’ traffic to activity on OpenDNS’s global network. By providing predictive intelligence on the attackers’ network infrastructure, OpenDNS enables organizations to block attacks before any damage is caused.

Many organizations are capable of identifying single-stage, high-volume cyberattacks, but the “noise” generated by these types of attacks makes it more difficult to detect highly targeted operations, the company explained.

According to OpenDNS, its services address this issue by providing real-time reports on global activity and detailed information for each significant event. The reports can be used by enterprises to identify ongoing or emerging targeted attacks based on whether or not the threats have a large global traffic footprint, or if they’re detected for the first time.

In order to make it easier for security teams to investigate an incident, OpenDNS provides information on the users, devices and networks from which malicious requests are sent. Information on the attackers’ infrastructure can be useful for predicting future threats and for blocking components that are being prepared for new attacks. 

“Enterprises today are challenged to keep up with the volume of attacks that are targeting their networks. Not only is the efficacy of today’s security tools declining, but when they do identify a threat they lack the context that is critical to blocking it,” said Dan Hubbard, CTO of OpenDNS. “The ability to determine the relevance and prevalence of an attack is key to prioritizing response, remediating infected hosts, and understanding the scope of the threat.”

The new capabilities are available as part of the Umbrella service based on a per user, per year subscription.

By Eduard Kovacs.

North Korea Doubles Cyber War Personnel: Report

Posted on July 6, 2014 by in Security

SEOUL – North Korea has doubled the number of its elite cyber warriors over the past two years and established overseas bases for hacking attacks, a report said Sunday.

The North’s cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South’s Yonhap news agency said.

“The communist country operates a hacking unit under its General Bureau of Reconnaissance, which is home to some 1,200 professional hackers,” a military source was quoted as saying.

North Korean hackers have launched cyber attacks through overseas bases in countries such as China, the source said.

In recent years, hackers have used malware deployments and virus-carrying emails for cyber attacks on South Korean military institutions, commercial banks, government agencies, TV broadcasters and media websites.

Investigations into past large-scale cyber assaults have concluded that they originated in North Korea.

The North has denied any involvement and accuses Seoul of fabricating the incidents to fan cross-border tensions.

South Korea has increased its Internet security budget to train experts since it set up a special cyber command in 2010, amid growing concern over its vulnerability.

Related: Cyber-Attacks From North Korea Jump Significantly: Solutionary

Related: South Korea’s ‘Top Gun’ Cyber Warriors

Related: New Disk Wiping Malware Used in Attacks Against South Korea

© AFP 2013
