ICANN: ‘Most Critical’ Systems Not Affected in Recent Breach
Posted on December 21, 2014 by Kara Dunlap in Security
On Dec. 16, Internet Corporation for Assigned Names and Numbers (ICANN) said it fell victim to a spear phishing attack that resulted in email credentials of several ICANN staff being compromised.
The incident, which occurred in late November and was discovered in early December, allowed attackers to access the Centralized Zone Data System and the ICANN GAC Wiki.
The attacker(s) were able to poke around ICANN systems and obtain administrative access to all files in the CZDS, including copies of the zone files in the system, as well as user information such as name, postal address, email address, fax and telephone numbers, username, and password, according to the original announcement.
Fortunately, ICANN said that those compromised accounts did not have access to the IANA functions systems, which the organization says are a separate system with additional security measures that have not been breached.
IANA functions coordinate domain names with IP addresses to appropriately direct DNS requests to the appropriate server.
ICANN has a contract with U.S. Department of Commerce to maintain the IANA functions on behalf of the entire Internet community.
“During and after the attack, all critical functions hosted by ICANN, including the IANA functions, remained fully operational and unaffected by the attacker’s activities,” ICANN said in an update.
“ICANN employs multiple levels of protection for its most critical services. While the attackers were able to breach the outermost layer of defenses, our on-going investigation indicates our most critical systems were not affected.”
Related: Don’t Let DNS be Your Single Point of Failure
Related: DNS Hijack – How to Avoid Being a Victim
Managing Editor, SecurityWeek.
Tags:
WordPress is the Most Attacked CMS: Report
Posted on October 12, 2014 by Kara Dunlap in Security
Data security firm Imperva released its fifth annual Web Application Attack report (WAAR) this week, a study designed track the latest trends and cyber threats facing web applications.
The report, which is based on the analysis of 99 applications over a period of nine months (August 1, 2013 – April 30, 2014), determined that WordPress is the most targeted content management system (CMS). In fact, WordPress websites were attacked 24.1% more than sites running on all other CMS platforms combined.
“WordPress has been in the headlines, in the past couple of years, both because of its popularity, and because of the amount of vulnerabilities found in its application and exposed by hackers. We believe that popularity and a hacker’s focus go hand-in-hand. When an application or a platform becomes popular, hackers realize that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet,” the report reads.
This year’s WAAR also makes a comparison between attacks targeting PHP and .NET applications. It turns out that PHP apps suffer almost three times more cross-site scripting (XSS) attacks than ASP applications, and nearly two times more directory traversal attacks. On the other hand, Imperva has determined that ASP applications suffer twice as many SQL injection attacks than PHP applications.
When it comes to websites, unsurprisingly, ones that have login functionality and implicitly store consumer-specific information are the most targeted.
Nearly half of all the attacks observed by Imperva during the nine month period targeted the retail sector, followed at a distance by financial institutions which accounted for 10% of all Web application attacks.
Compared to the previous period reviewed by the company (June 1, 2012 – November 30, 2012), attacks have been 44% longer. A 10% increase was also observed in SQL injection attacks, and a 24% increase in remote file inclusion (RFI) attacks.
As far as attack sources are concerned, Imperva found that the United States generates most of the Web application attack traffic.
“In our educated opinion, based on years of analyzing attack data and origins, we propose that attackers from other countries are using U.S. hosts to attack, based on those hosts being geographically closer to targets,” the report reads.
“While this may be overwhelming, we believe that there is more to this picture. Attacks originating in the U.S. may indicate other things such as TOR exit nodes, Botnet infected machines, etc., and so this information needs to be looked at in proportion. What it potentially teaches us is the quality of targets. It makes sense for an attacker to execute the attack as close to the target as possible, to remain undetected or to maximize the available bandwidth of the attack.”
Attackers are increasingly leveraging cloud and infrastructure-as-a-service (IaaS) hosted applications and servers. Imperva has found that 20% of all known vulnerability exploitation attempts and 10% of all SQL injection attempts originated in Amazon Web Services (AWS) source IPs.
The complete Web Application Attack report from Imperva is available here.
Tags:
Cyber Risk Intelligence: What You Don’t Know is Most Definitely Hurting You
Posted on June 20, 2014 by Kara Dunlap in Security
Growing up, one of my father’s favorite sayings was “luck favors the prepared.”
I must have heard it a thousand times over the years. It was almost always spoken just after some sad scenario where I had failed to stay alert, informed and aware, thus my ending up at a loss. Sometimes a big loss. It was his belief that, if you’re always broadly observant of things that affect your life, good things have a better chance of happening to you. He has always been right.
Nowadays, I find myself applying this lesson to cybersecurity and cyberdefense.
More than just nifty tools and solutions, robust IT budgets, threat intelligence firehoses and rigid security policies, I’m learning over and over again that practical, habitual day-in/day-out awareness is invaluable at helping you avoid becoming a victim of cybercrime – and lessening the impact when cybercrime inevitably happens to you and your organization.
Cybercrime is all around us.
One day it may become second nature to stay constantly informed about cyber risks facing us and our businesses. We’re certainly not there yet. Sooner or later, we may all need to get used to the idea of constantly consuming data about our risks and vulnerabilities in order to act safer. It’s likely sooner rather than later. To really accomplish this type of awareness, though, takes the right levels of information. Not just data. In fact, we’re all awash in data. But more on that later.
What we need is high-quality cybercrime information that’s comprehensive, yet also focused and simple to digest. Information that’s current, consistent, intuitive, continuous and, most importantly, easy to draw conclusions from that have meaning specific to you, your business and the decisions you face. It’s what I call “complete context.”
And there’s more.
To truly benefit from this sort of information takes more than just the info itself. Just as my father also told me, it takes focus, effort and commitment. Every day. Something he just called “hard work.”
Current Data + Contextually-Relevant Info + Continuous Awareness + Hard Work = Practical Solutions
Of course, the familiar modern-day version of my father’s favorite is “Chance favors a prepared mind” said by Louis Pasteur, French microbiologist, father of Pasteurization, and father of the Germ Theory of Disease. For Pasteur, the saying meant that, by staying diligently informed of all things surrounding your problem space, you’ll more quicker see solutions for tough problems.
For years and years he labored at the microscope, observing, collecting data and analyzing. But it was his devotion to basic research on more than just the problem itself – and the quick delivery of practical applications based on what he learned – that led him to his biggest breakthroughs against unseen and deadly illnesses. Eventually, thanks to Pasteur’s way of working, we developed critical medicines such as antibiotics.
Studying a problem from every angle and every level always leads to more practical solutions and quicker (re)action.
Although Pasteur labored in the medical and biological fields, his work was in many ways analogous to modern cybersecurity. Today, scientists and researchers battle similar unseen forces, all around us, making us sick in various ways. Our networks and computers and mobile devices are constantly exposed to harmful pathogens and viruses. And, with the Target breach and things like Heartbleed, real people now know these things are fatal in their own way.
But in today’s world, we seem to have gone off track a bit in trying to cure our cyber ills.
In perhaps what was much the same as in Pasteur’s day, many smart people today labor to observe, collect data and draw conclusions. However, most of them, unlike Pasteur, are not able arrive at real practical breakthroughs that change the world.
Why is this the case?
For me, it’s mostly a simple answer:
We focus so much on looking down the barrel of individual microscopes, we get lost in all the low-level noise that’s far too focused on only a few dimensions of the problem.
Let me use Pasteur again to explain more simply.
Had Pasteur only observed the smallest bits floating around under his glass, he would’ve likely not been remembered in history. Instead, Pasteur gathered data about sick people, who they were, where they lived, how old they were, what gender, what symptoms they had, what prior illnesses they had been subject to, what their jobs were and what they had in common.
He observed animals, how they behaved, how long it took for them to become sick when they did, what they ate, where they lived and more. He even observed how rotting meat behaved, how it decomposed, how it compared to other plant and animal matter and on and on. He focused on all sides of the issue; the causes, the victims and, of course, their symptoms. Pasteur observed every facet of his problem set from high level to low, and turned basic data collection – from many dimensions at once and from all angles – into information he could use to draw practical conclusions.
Put simply, Pasteur had complete context by performing “intelligence gathering.” But, by focusing on more that just the threat itself, Pasteur was one of the first practitioners of risk analysis, or risk intelligence. It’s something we’ve only just begun to really apply to cyberdefense.
Continuous awareness of our own cyber risks compared to what’s possible and what’s happening around us right now is one of the missing pieces in current cyberdefense practices.
Today, we spend most of our cybersecurity efforts and dollars gathering massive amounts of data from millions of “microscoped” sources, but we rarely change perspectives or levels. We want to know what’s threatening us, but can’t seem to understand the picture is much bigger. Too rarely do we push back from the lenses trained only on data sets inside our specific organizations to pick our heads up and look around.
I like to call it “cyber navel gazing.”
You see, outside the microscope, there’s just so much other useful data – mostly not being stored and analyzed – that can be turned into helpful information, then into practical solutions.
Yet, we continuously employ 10s of 1000s of myriad tools, solutions and applications that comb through huge bins of raw packet data and endless streams of netflow and long-term signature repositories and terabytes of log files and interface dumps and more.
In fact, it’s as if all we do is peer through the scopes at our own micro worlds and draw conclusions that themselves lead to other tools begetting other massive piles of micro data.
Are these things all bad? Of course not. And they’re all part of fighting the fight against cyber disease. But in all of this we miss out on the bigger picture. Rarely do we store data, day in and day out, on what we’re getting hit with, how threats are occurring and what’s happening as a result. Neither are we matching that up to what our specific, individual symptoms are, who we are as targets, where we’re from, what types of companies we are, who our customers are, what technologies we’re using and on and on.
What would Pasteur say to us now if he were brought in to consult on our cyber sickness?
He’d probably just say, “Luck favors the prepared.” Then he’d tell us to start over. From the top this time.
Jason Polancich founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.
Tags:
Most Mobile Breaches Will be Tied to App Misconfiguration by 2017: Gartner
Posted on May 30, 2014 by Kara Dunlap in Security
Analyst firm Gartner is predicting that by 2017, the focus of endpoint security breaches will shift to mobile devices such as tablets and smartphones.
With nearly 2.2 billion smartphones and tablets expected to be sold in 2014, Gartner believes attackers will continue to pay more attention to mobile devices. By 2017, 75 percent of mobile security breaches will be the result of mobile application misconfigurations, analysts said.
“Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices,” said Dionisio Zumerle, principal research analyst at Gartner, in a statement. “A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices.”
Doing significant damage in the world of mobile devices requires that malware be launched on devices that have been altered at the administrative level, Zumerle argued. While jailbreaking or rooting phones allows users to access device resources that are not normally accessible, they also put data in danger because they remove app-specific protections as well as the safe ‘sandbox’ provided by the operating system, he said, adding that they can also allow malware to be downloaded to the device and enable malicious actions.
“The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices. They escalate the user’s privileges on the device, effectively turning a user into an administrator,” he said.
Gartner recommends organizations protect mobile devices using a mobile device management policy as well as app shielding and containers that protect important data. In addition, passcodes should be used alongside timeout standards and a limited number of retries. Jailbreaking or rooting devices should not be allowed.
“We also recommend that they favor mobile app reputation services and establish external malware control on content before it is delivered to the mobile device,” Zumerle said.
Brian Prince is a Contributing Writer for SecurityWeek.
Tags:
