Welcome to DISC InfoSec blog | Awareness and education are key in information security, we share InfoSec & compliance related information..to Learn more contact us »
While 92 percent of people know that using the same password or a variation is a risk, 65 percent still re-use passwords across accounts, drastically increasing the risks to their sensitive information, a LastPass report revealed.
While consumers have a solid understanding of proper password security and the actions necessary to minimize risk, they still pick and choose which information they apply that knowledge to, according to the report.
Strong cybersecurity habits are more important than ever this year, given the sheer volume of time individuals have spent online in the last 18 months and the corresponding spike in cyber-attacks. Yet the survey revealed that despite 71 percent of people working wholly or partly remote and 70 percent spending more time online for personal entertainment during the pandemic, people were still exhibiting poor password behavior.
If you’ve already listened to this week’s Naked Security Podcast you’ll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday…
…had been dumped forever by Apple.
Apple notoriously won’t tell you anything about the security situation in its products unless and until it has a patch out.
So when iOS 14 got updated in the last couple of patch cycles, but iOS 12 didn’t, we couldn’t tell whether it was still safe and didn’t need the patches, whether it needed the patches but they’d be a bit late, or whether it needed the patches but would never get them.
And with iOS 15 arriving as the new kid on the block this week, we assumed the worst, following the “one-in-one-out” principle.
The Biden administration fired another shot in its battle against ransomware Tuesday as the U.S. Treasury Department took steps to disrupt the financial infrastructure behind ransoms, designating for sanctions the SUEX OTC, S.R.O. virtual currency exchange for laundering ransom payments.
By designating SUEX, the Treasury Department’s Office of Foreign Assets Control (OFAC) is blocking the exchange’s property (and interests in property) that are under U.S. jurisdiction. In addition, if a designated person owns 50% or more of an entity, they also can be blocked; those involved in some transactions or activities – whether individuals or financial institutions – could be exposed to sanctions or some other penalty.
While the actions taken against SUEX aren’t attached to a particular ransomware-as-a-service (RaaS) or ransomware variant, the agency said an analysis of the exchange’s activities found transactions made for at least eight ransomware variants.
“This advisory is really a final warning for companies to get their security operations in order,” said Jake Williams, co-founder and CTO at BreachQuest. “The vast majority of ransomware incidents we respond to were trivially preventable.”
The government, he said, “sees companies facilitating ransomware payments as encouraging future ransomware attacks.”
The new advisory may prevent organizations from paying attackers to recover their data, “making it even more critical that they do what they can now to ensure they don’t suffer a ransomware attack in the first place,” said Williams.
Praising the Biden administration for doing “more for cybersecurity awareness and direction than we’ve seen in the past,” Bill O’Neill, vice president of public sector at ThycoticCentrify, added that, “The idea of disincentivizing organizations from paying out a ransom to attackers will likely only end up backfiring and having an adverse effect economically.” While the average company most often folds to ransomware demands “because they lack the proper knowledge, resources and technology to wrest [back] control of the data that was stolen from them to begin with,” O’Neill said, “Penalizing business owners for complying will only hurt them twofold while doing nothing to ultimately stop attacks from happening.”
If attackers can’t get ransom, then they’ll turn to the black market to make money by selling the data they pilfered. “Their victims, however, will be exponentially worse off and possibly open to further attacks,” said O’Neill. “The better approach would be to continue introducing policies and programs to raise awareness and educate organizations about the best ways to stay safe and prevent attacks, as well as providing resources surrounding key technologies to implement to help further minimize risks.”
The sanctions might be a good first step, but John Bambenek, principal threat hunter at Netenrich, said, “What is more important in stopping ransomware is finding those involved and getting them brought to justice; these kinds of actions could also impair intelligence collection on those bad actors.”
“We get data from organizations that are testing vendors by trade, bug bounty vendors, and organizations that contribute internal testing data. Once we have the data, we load it together and run a fundamental analysis of what CWEs map to risk categories,” the Open Web Application Security Project (OWASP) explains.
“This installment of the Top 10 is more data-driven than ever but not blindly data-driven. We selected eight of the ten categories from contributed data and two categories from the Top 10 community survey at a high level.”
The reason for leaving space for direct input from application security and development experts on the front lines is the fact that it takes time to find ways to test new vulnerabilities, and they can offer knowledge on essential weaknesses that the contributed data may not show yet.
The list is then published so that it can be reviewed by practitioners, who may offer comments and suggestions for improvements.
There are a range of security policies for dealing with users’ smartphones, from the most restrictive approach – no smartphone access allowed – to an open approach that allows personal phones to connect to the internal corporate network. We suggest that the right solution is somewhere in between.
You may have read about the Pegasus spyware in the news; the NSO Group’s software exploits flaws in iOS (iPhones) to gain access to data on an unsuspecting target’s phone. NSO sells Pegasus to governments, ostensibly to track criminals, but it’s often used by repressive regimes to spy on their opponents, political figures, and activists.
In the past, Pegasus infections were primarily achieved by sending a link to the victim’s phone; when the target clicked on it, they would trigger an exploit that would allow attackers to gain root access to the phone. Once the spyware obtains root access, it can read messages on apps like iMessage, WhatsApp, Telegram, Gmail and others. A sophisticated command and control network can report back to the operator and control the phone as well.
VMware’s latest security update includes patches for 19 different CVE-numbered vulnerabilities affecting the company’s vCenter Server and Cloud Foundation products.
All of the bugs can be considered serious – they wouldn’t be enumerated in an official security advisory if they weren’t – but VMware has identified one of them, dubbed CVE-2021-22005, as more critical than the rest.
Indeed, VMware’s official FAQ for Security Advisory VMSA-2021-0020 urges that:
The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.
In particular, the company explains:
The most urgent [patch] addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.
VMware unabashedly says that “this needs your immediate attention,”, and we think it’s a good thing to see a software vendor talking about cybersecurity response in plain English instead of mincing its words.
VMware vSphere and Virtual Infrastructure Security
Nick Kael, CTO at Ericom, discusses how phishing is gaining sophistication and what it means for businesses.
Hackers are upping their game, using an approach I call “Deep Sea Phishing,” which is the use of a combination of the techniques described below to become more aggressive. To keep pace, cybersecurity innovators have been working diligently to develop tools, techniques and resources to improve defenses. But how can organizations fight against evolving threats that have yet to be launched—or even conceived of?
For example, in February, 10,000 Microsoft users were targeted in a phishing campaign which sent emails purporting to be from FedEx, DHL Express and other couriers which contained links to phishing pages hosted on legitimate domains, with the goal of obtaining recipients’ work email credentials. Use of legitimate domains allowed the emails to evade security filters, and people’s pandemic-related reliance on delivery services and habituation to similar messages boosted success rates.
And in May, attackers launched a massive, sophisticated payment-themed phishing campaign. The phishing emails urged users to open an attached “payment advice” – which was, in fact, not an attachment at all but rather an image containing a link to a malicious domain. When opened, Java-based STRRAT malware was downloaded onto the endpoint and via a command-and-control (C2) server connection, ran backdoor functions such as collecting passwords from browsers, running remote commands and PowerShell, logging keystrokes and other criminal activity.
Phishing is no longer the basement-brewed, small-scale nuisance of cyber lore, either. Today, nearly 70 percent of cyberattacks – like like those cited above – are orchestrated by organized crime or nation-state affiliated actors. With many recovery tabs running into the millions, organizations need a solution that can safeguard them from attacks that have not yet been engineered — i.e., zero-day attacks that can cause the most damage.
But before we tackle the issue of defense, let’s first take a look at just what we’re defending against. The types of phishing tactics noted below are listed in ascending order of sophistication.
hiring and retaining the best talent has quickly become a top priority for most organizations today. In the cybersecurity industry, which faces an immense skills shortage, this is especially true. In fact, according to CompTIA and Cyber Seek, a job-tracking database from the U.S. Commerce Department, there are nearly 500,000 open positions in cybersecurity nationwide as of Q2 2021, which makes hiring the right candidate for a technical role in IT security like finding a needle in a haystack. As a result, it’s never been more important to attract and develop employees in cybersecurity – and here are a few best practices for doing so.
Every employee and organization are different. Even in an industry with a talent deficit, employee/employer culture needs to be symbiotic. What an employee and an employer are looking for must be aligned and when it is, the opportunities are endless.
These scams can take many different forms, including:
A fake gift sent by an online “friend” is delayed by customs charges. This is a common ruse used by romance scammers, who sucker you into an online friendship, for example by stealing other people’s profile data from online data sites, courting you online, and then “sending” you a “gift”, often jewellery or something they know you would appreciate if it were real. The scammer then pretends to be the courier company handling the “delivery”, correctly identifying the item, its value and its made-up shipping code. Finally, there’s a customs or tax payment to make before the item can be released in your country (something that often happens with genuine deliveries via geniune courier companies). Some unfortunate victims pay out this fee, in cash, in good faith. In this sort of scam, the crooks are directly after your money.
A fake order will be delivered once you have confirmed the purchase. These fake orders range from low-value subscriptions that have auto-renewed, all the way to expensive new mobile phones or gaming consoles that will ship imminently. Given that it’s easier to guess what you haven’t just bought than what you have, these crooks are banking that you will click the link or phone the “customer support” number they’ve helpfully provided in order to cancel or dispute the charge. Once they have you on the hook, skilled social scammers in a call centre operated by the crooks offer to “help” you to cancel the bogus order or subscription (something that can be annoyingly hard for legitimate goods and services). In this sort of scam, the crooks are after as much personal information as they can persuade you to hand over, notably including full credit card data, phone number and home address.
A fake delivery failed and the item was returned to the depot. These fake delivery notices typically offer to help you reschedule the missed delivery (something that is occasionally necessary for legitimate deliveries of geniune online orders), but before you can choose a new date you usually need to login to a fake “courier company” website, hand over credit card data, or both. The credit card transactions are almost always for very small amounts, such as $1 or $2.99, and some crooks helpfully advise that your card “won’t be charged until the delivery is complete”, as a way of making you feel more comfortable about committing to the payment. In this sort of scam, the crooks won’t bill you $2.99 now, but they will almost certainly sell your credit card details on to someone else to rack up charges later on.
But creating an identity layer wasn’t imperative for the creators of the internet as they didn’t predict the emergence of online platforms that facilitate people-to-people interaction.
The digital presences most of us have are based on browsing or consumer habits and are siloed within various accounts and social networks. Indeed, they don’t present an accurate picture of our unique identifiers and who we are.
Building an identity layer is complex
Establishing a verified digital identity is a complex process. Authenticating that a person performing an action online is who they say they are, and then validating that they exist is tedious for two major reasons.
Using OMI on Microsoft Azure? Drop everything and patch this critical vulnerability, snappily named OMIGOD. But wait! You probably don’t know whether you’re using OMI or not.
Y’see, Open Management Infrastructure (OMI) is often silently installed on Azure—as a prerequisite. And, to make matters worse, Microsoft hasn’t rolled out the patch for you—despite publishing the code a month ago. So much for the promise of ‘The Cloud.’
What a mess. In today’s SB Blogwatch, we put the “mess” into message.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Difficult Hollywood.
Your next step” Microsoft Azure users running Linux VMs in the … Azure cloud need to take action to protect themselves against the four “OMIGOD” bugs in the … OMI framework, because Microsoft hasn’t. … The worst is rated critical at 9.8/10 … on the Common Vulnerability Scoring System. … Complicating matters is that running OMI is not something Azure users actively choose. … Understandably, Microsoft’s actions – or lack thereof – have not gone down well. [And it] has kept deploying known bad versions of OMI. … The Windows giant publicly fixed the holes in its OMI source in mid-August … and only now is advising customers. … Your next step is therefore obvious: patch ASAP.
IBM Security Services today published a report detailing a raft of issues pertaining to cloud security, including the fact that there are nearly 30,000 cloud accounts potentially for sale on dark web marketplaces.
The report is based on dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research.
The report found advertisements for tens of thousands of cloud accounts and resources for sale. Prices generally range from a few dollars to over $15,000 per account for access credentials depending on the amount of cloud resources that might be made accessible. On average, the price tag for cloud access rose an extra $1 for every $15 to $30 in credit the account held. Therefore, an account with $5,000 in available credit would be worth about $250, the report surmised.
In 71% of cases, threat actors offered access to cloud resources via the remote desktop protocol (RDP). X-Force Red found that 100% of their penetration tests into cloud environments in 2021 uncovered issues with either passwords or policy violations. Two-thirds of cloud breaches would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems, the report noted.
More troubling still, IBM research indicates that vulnerabilities in cloud applications are growing, totaling more than 2,500 vulnerabilities for a 150% increase in the last five years. Almost half of the more than 2,500 disclosed vulnerabilities in cloud-deployed applications recorded to date were disclosed in the last 18 months.
The report also notes two-thirds of the incidents analyzed involved improperly configured application programming interfaces (APIs), mainly involving misconfigured API keys that allowed improper access. API credential exposure through public code repositories frequently resulted in access into cloud environments as well, the report noted.
Microsoft has been warning of a “widespread” phishing campaign in which fraudsters use open redirect links to lure users to malicious websites to harvest Office 365 and other credentials.
ITG Phishing Staff Awareness Training Program educates your staff on how to respond to these types phishing attacks 📧
This, paired with the “anything you can do, I can do better” mantra adopted by today’s nation-state threat actors, has left mission-critical information vulnerable to attack as it undergoes the great cloud migration.
These agile threat actors – without any red tape to stand in their way – have already adopted a cloud-centric mindset, oftentimes at the expense of our national security. Meanwhile, emerging technologies like artificial intelligence and machine learning that lend themselves to assisting defensive efforts are rendered useless unless the defense community focuses more time, energy and resources on becoming cloud-centric.
Ultimately, the issue of national security hangs in the balance, and the best way to ensure we stay ahead of the curve is by using the cloud to “digitally overmatch” our opponents and unlock the full potential of digital transformation.
Overwhelming opponents
Originally coined by the Army, the concept of “digital overmatch” stems from the idea that the respective branches of the military can easily overwhelm their opponents on the ground due to their superior resources. Now, in the era of cyber-enabled conflict, this concept can also be applied to the non-Defense space. Given that data is such a strategic asset, defenders must ensure they can outpace and outmaneuver adversaries by using data-driven technologies such as the cloud, and deliver on-demand resources across all domains whenever and wherever they’re needed.
Without commercial and government innovation in cloud-native technology, federal agencies and the military are unable to maximize the full potential of their modernization strategy.
Forbidden Stories, a Paris-based non-profit organisation that seeks to ensure the freedom of speech of journalists, recently announced that the Pegasus Project surveillance solution by the Israeli NSO Group selected 50,000 phone numbers for surveillance by its customers following a data leak.
The NSO Group has always maintained that the purpose of the Pegasus Project was for governments to monitor terrorist activity. However, this recent story, if true, could suggest that the solution has been abused for a long period of time and used for other nefarious purposes.
As reported by Forbidden Stories, the leaked data suggests the wide misuse of Pegasus Project and a range of surveillance targets that include human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of states. The NSO Group continues to contend these assertions are based on wrong assumptions and uncorroborated theories. Whether these statements are true or false, they raise interesting considerations for enterprises and government organisations that have a requirement to protect the smartphones of employees who have access to sensitive information.
Pegasus Project is reported to provide NSO Group customers full control of target devices, which makes it a threat of interest. However, it is not the first mobile threat that organisations should be concerned about. In another contested case, SNYK suggested that the Sour Mint threat, a Software Development Kit (SDK) developed by the Chinese mobile ad platform provider Mintegral and used by more than 1,200 apps in the Apple App Store, was responsible for spying on users by activity logging URL-based requests through the app. It was reported that user activity is logged to a third-party server that could potentially include personally identifiable information (PII).
Where things get interesting with Sour Mint is its ability to evade defences by slipping through the Quality Assurance (QA) process of the Apple App Store, which goes to show that even the thoroughness of Apple’s processes were not sufficient to detect malicious code in the case of this threat.
You know what we’re going to say, so we’ll say it right away.
Patch early, patch often.
Canadian privacy and cybersecurity activist group The Citizen Lab just announced a zero-day security hole in Apple’s iPhone, iPad and Macintosh operating systems.
They’ve given the attack the nickname FORCEDENTRY, for rather obvious reasons, though its official designation is CVE-2021-30860.
Citizen Lab has attributed the vulnerability, and the code that exploits it, to controversial device surveillance company NSO Group, already well-known for its so-called Pegasus line of spyware-like products.
According to Citizen Lab, this exploit relies on booby-trapped PDF files, and was spotted in the wild when a Saudi Arabian activist handed over their phone for analysis after suspecting that spyware had somehow been implanted on the device.
The Citizen Lab report coincides with Apple’s own security bulletin HT21807, which credits Citizen Lab for reporting the hole, and says simply:
Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. […] An integer overflow was addressed with improved input validation.
