The 6 steps to implementing zero trust

In their minds, this security approach can only be applied to fresh, or “greenfield,” environments – and even there organizations are hesitant as they may believe security will hinder business agility.

The true reason for why businesses are hesitant when it comes to zero trust is due to a lack of understanding of the process and the unfortunate influence of the myths stated above. Forrester’s zero trust framework gives a clear overview of the seven pillars that provide a comprehensive zero trust strategy: data, people, workloads, devices, networks, automation and orchestration, and visibility and analytics. Even after seeing the different elements set out, businesses may feel overwhelmed by the number of areas that can be linked with zero trust – it’s the classic “boiling the ocean” problem.

But what if companies instead took a more incremental and agile approach where benefits are realized at each stage along the way? This approach not only results in a regular and measurable improvement in security posture, but it also facilitates the integration of further capabilities throughout the process.

Implementing zero trust

Here is a simple, six-stepped, repeatable process that can help organizations adopt a zero trust security model.

Leave a Comment

Detecting Deepfake Picture Editing

In a world of deepfakes, it will soon be impossible to tell what is real and what isn’t. As advances in artificial intelligence, video creation, and online trolling continue, deepfakes pose not only a real threat to democracy — they threaten to take voter manipulation to unprecedented new heights. This crisis of misinformation which we now face has since been dubbed the “Infocalypse.”

In DEEPFAKES, investigative journalist Nina Schick uses her expertise from working in the field to reveal shocking examples of deepfakery and explain the dangerous political consequences of the Infocalypse, both in terms of national security and what it means for public trust in politics. This all-too-timely book also unveils what this all means for us as individuals, how deepfakes will be used to intimidate and to silence, for revenge and fraud, and just how truly unprepared governments and tech companies are for what’s coming.

Leave a Comment

Global Scamdemic: Scams Become Number One Online Crime

Threat hunting and adversarial cyber intelligence company Group-IB published a comprehensive analysis of fraud cases on a global scale.

Group-IB,  a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale. 

Group-IB,  a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale. 

Overall, fraud accounts for  73% of  all online attacks:  56% are scams  (fraud that results in the victim voluntarily disclosing sensitive data) and  17% are  phishing attacks  (theft of bank card details). Using patented  Digital Risk Protection (DRP) technologies, the experts at Group-IB discovered over  70 groups of fraudsters that are only used in one of the fraudulent schemes, Classiscam, of which 36 are aimed at Europe. Classiscam threat actors alone were found to defraud users by $ 7.75 million in one year   .

On June 10th, during the Digital Risk Summit 2021  online conference ( Amsterdam ), Group-IB presented its research on various fraudulent machinations, obtained thanks to neural networks and ML-based scorings of the  Group-IB Digital Risk Protection System. Group-IB also unveiled Scam Intelligence, a fraud-tracking technology that paved the way for DRP, the company’s proprietary solution. In one year, the system has helped save  € 363 million for companies in Asia Pacific, Europe and the Middle East by preventing potential damage.

The number of scam and phishing violations detected by Group-IB in Europe in 2020 increased by 39% compared to the previous year. DRP’s research into threat actors’ fraud activity around the world helped categorize fraud schemes, uncovering over 100 basic schemes and their modifications. For example, a scheme of fake branded social media accounts (typical of the financial sector)  affected over 500 fake accounts per bank on average in 2020  . Insurance companies around the world are now suffering from phishing. Over the past year, an average of over 100 phishing websites were created  per insurer.

In 2020, a multi-stage scam called Rabbit Hole targeted companies’ brands, primarily retail and online services. Users received a link from friends, via social media or in messengers with the request to take part in a competition, a promotional offer or a survey. On average, users visited  40,000 fraudulent websites every day. Rabbit Hole has attacked the customers of at least  100 brands worldwide. The threat actors target the theft of personal and bank card details.

Classiscam has been the most widespread fraud in the world during the pandemic. The scheme is aimed at people using marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail stores, ridesharing and deliveries. The scheme aims to extort money as payment for non-existent goods. At least  44 countries, including Austria, France, Italy, the Netherlands and Great Britain, are affected by Classiscam. According to Group IB, a total of  93 brands were misused as part of Classiscam. As of early 2021, there were more than  12,500 threat actors made money with fake delivery services. The total number of websites involved in the scheme reached  10,000. A Classiscam -Bedrohungsgruppe makes up to  97,000 euros  per month.

“Last year the world was searched by the scamdemicheim, which represents the influx of online scams on an unprecedented scale: if your business is successful and well-known, it’s only a matter of time before scammers keep an eye out”, explains  Dmitry Tiunkin , Group-IB DRB Head, Europe. “Digital risks to brands such as online fraud, the illegal sale of products and services, and intellectual property infringement are the most widespread crimes on the Internet. Group-IB’s DRP system gives analysts a tool to uncover the entire infrastructure of fraudsters and learn about different categories of fraud attempts that could target their organizations. Group-IB DRP helps our clients identify the person behind the wrongdoing, gather as much information about them as possible, and bring them to justice.”

Leave a Comment

The Benefits of Automated Penetration Testing

Penetration testing has been one of the industries that are relatively slow adopters of automation. As security firms started automating many parts of the cybersecurity process including scanning and threat intelligence updates, security testing for some time was still mostly about traditional methods.

“In the past few years, the use of automation in many spheres of cybersecurity has increased dramatically, but penetration testing has remained stubbornly immune to it,” as noted CISO Alex Haynes explains in an article exploring the potential of AI replacing humans in this field.

This is perfectly understandable, considering that penetration testing needs to be thorough and supervised by experts. Many of its parts are repetitive, but they require the scrutiny of human cybersecurity professionals to be carried out effectively. AI and machine learning technology has yet to reach a level advanced enough to competently handle the complexities of security testing.

However, the past years have produced excellent examples of solutions that take advantage of automation. These pen-testing platforms employ automation in specific areas that make excellent sense. These existing solutions provide convincing evidence of the benefits of automation in this field of cybersecurity.

Table of Contents

Leave a Comment

Reformulating the cyber skills gap

Many thought leaders have approached the skills shortage from a cumulative perspective. They ask “How on Earth can companies afford to keep re-training their teams for the latest cyber-threats?” The challenge, to them, emanates from the impracticalities of entry level training becoming obsolete as new challenges emerge.

Of course, the question of ongoing training is very important, but I believe it has misled us in our evaluation of the growing disparity between the supply and demand of cyber-professionals. What we should be asking is “How can we create a generation of cyber-professionals with improved digital skills and resilience to tackle an enemy that continually mutates?”

Defining the relationship between people and tech is of the utmost importance here. Cybersecurity is not merely a technical problem, it’s a human problem. This is a critical intersection. People are not the weakest link in an effective cybersecurity defense strategy, but the most crucial. However, technology is the apparatus that can properly arm us with the skills to defend against attacks.

The silver bullet

The only thing we can be certain of is that cyberattacks are taking place right now and will continue to take place for the foreseeable future. As a result, cybersecurity will remain one of the most critical elements for maintaining operations in any organization.

There is a growing appetite for reform in cybersecurity training, particularly among higher education institutions (e.g., with the UK’s top universities now offering National Cyber Security Centre (NCSC) certified Bachelor’s and Master’s programs. It is in the interest of the British government that this appetite continues to grow, as the Department for Culture, Media & Sport reported there were nearly 400,000 cybersecurity-related job postings from 2017-2020.

In addition, COVID-19 has been a significant catalyst in increasing uptake and emphasis on cyber skills since the steep rise in the use of digital platforms in both our work and personal lives has expanded the surface area for attacks and created more vulnerability.

Overall, though, young people remain our best hope for tackling the global cyber skills gap, and only by presenting cybersecurity to them as a viable career option can we start to address it. This is the critical starting point. Once we do this, the next important step is to give universities and schools the facilities to offer sophisticated cyber training.

The Cyber Skill Gap: How To Become A Highly Paid And Sought After Information Security Specialist! by [Vagner Nunes]

Leave a Comment

In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat service AN0M for 3+ years to intercept messages between criminals globally

The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members …

The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members from all over the world for more than three years.

Named Operation Ironside, on Monday, law enforcement agencies from Australia, Europe, and the US conducted house searches and arrested hundreds of suspects across a wide spectrum of criminal groups, from biker gangs in Australia to drug cartels across Asia and South America, and weapons and human traffickers in Europe.

In a press conference today, Australian police said the sting operation got underway in 2018 after the FBI successfully seized encrypted chat platform Phantom Secure.

Knowing that the criminal underworld would move to a new platform, US and Australian officials decided to create their own service, which they called Anøm (also stylized as AN0M).

Just like Phantom Secure, the new service consisted of secure smartphones that were configured to run only the An0m app and nothing else.

The app, advertised through word of mouth and via the anom.io website, allowed phone owners to send encrypted text and voice messages between devices and prevented them from installing any other apps.

No phone number was required to use the app, which relayed all its messages via An0m’s central platform.

But according to investigators, this app design allowed officials to intercept the messages and decrypt texts sent by gang members to each other, many of which included details of drug movements or murder plots.

According to Australian police officials, the FBI ran the platform while the AFP technical staff built a system to decrypt messages that passed through the platform in real-time.

Officials initially relied on undercover agents to promote the An0m devices, but as law enforcement agencies shut down competing platforms, such as EncroChat and Sky ECC, other gangs found refuge on the network, which eventually amassed more than 11,000 users.

Investigators described Operation Ironside as one of the largest sting operations in law enforcement history.

Investigators appear to have decided to shut down the sting operation after criminal groups started catching on that the An0m app was leaking their conversations.

Source: In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat

Listening In: Cybersecurity in an Insecure Age

The Wires of War

Leave a Comment

Siloscape, first known malware that drops a backdoor into Kubernetes clusters

Siloscape is a new strain of malware that targets Windows Server containers to execute code on the underlying node and spread in the Kubernetes cluster.

Researchers from Palo Alto Networks have spotted a piece of malware that targets Windows Server containers to execute code on the underlying node and then drop a backdoor into Kubernetes clusters.

Siloscape is a heavily obfuscated malware that was designed to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers and carry out malicious activities.

Compromising an entire cluster could allow an attacker to steal sensitive information, including credentials, confidential files, or even entire databases hosted in the cluster. 

“Siloscape uses the Tor proxy and an .onion domain to anonymously connect to its command and control (C2) server. I managed to gain access to this server. We identified 23 active Siloscape victims and discovered that the server was being used to host 313 users in total, implying that Siloscape was a small part of a broader campaign. I also discovered that this campaign has been taking place for more than a year.” reads the analysis published by Palo Alto Network researcher Daniel Prizmant.

Siloscape

Siloscape, first known malware that drops a backdoor into Kubernetes clusters

Leave a Comment

Latvian woman charged with writing malware for the Trickbot Group

The US Department of Justice (DOJ) just announced that it has charged a 55-year-old Latvian woman, who went by the moniker of Max, with malware-writing crimes.

Max, whose real name is apparently Alla Witte, is the sixth of seven defendants listed in the DOJ’s indictment, along with ten other unknown individuals identified only as CC8 to CC17. (CC is short for co-conspirator.)

Latvian woman charged with writing malware for the Trickbot Group

Leave a Comment

The evolution of cybersecurity within network architecture

A decade ago, security officers would have been able to identify the repercussions of an attack almost immediately, as most took place in the top-level layers of a system, typically through a malware attack. Now however, threat actors work over greater lengths of time, with much broader, long-term horizons in mind.

Leaders can no longer assume that their business systems are safe. The only certainty is that nothing is certain. The past year has been evidence of that, as large, well-trusted companies have faced catastrophic breaches, such as the SolarWinds and Microsoft attacks. These organizations were believed to have some of the best systems installed to protect their data, yet they were still successfully infiltrated.

Threat actors are also pervading through underlying networks, passing from router to router and accessing data stored far below the top level in a system. The refinement of their attacks mean that businesses can go unaware of a breach for longer periods of time, increasing the amount of damage that can be done.

Businesses should take all precautions necessary when it comes to security and assume that anything is possible and devise their security plans around the worst-case scenario. This means adopting the attitude that any one employee could be a hacker’s key to access company systems. Anyone could fall for one of the increasingly sophisticated attacks and click on a phishing email, resulting in a rabbit hole of malicious elements.

Visibility and analytics

Moving forwards, visibility and analytics will be instrumental in strengthening a business’ security approach. These elements deliver invaluable insights into a company’s security standpoint and can help identify any vulnerabilities that have gone unnoticed. Where security and connectivity within an organization have been the two main focus points of leaders, visibility and analytics have now become the third and fourth fundamental elements.

The value of this information cannot be overstated. For a company who has identified a breach attempt and shut all systems down, the first challenge is understanding how far the criminals managed to get before being detected, and what data had been accessed.

In the scenario when businesses are faced with threats from ransomware attackers and take part in negotiations, it helps to have an overview of all business systems. For example, if an attack took place over one week and a company is able to see all incoming and outgoing traffic, then they can deduce roughly how far the criminals could have got.

This could be vital in seeing through any deceptions from the hackers, who may claim to have accessed ten terabytes of data, when realistically they may only have secured a couple of files before being shut out. Only with complete visibility will businesses be able to counter a criminal’s threat.

Strengthening the architecture

There are a number of pathways that organizations can take to strengthen their network architecture against threats. Zero-trust approaches are highly recommended for businesses, especially in the age of remote working, as a way of limiting privileged accounts and the general amount of data left easily accessible. Requesting authentication before access not only protects the business’ external perimeter, but also any risks that exist within as well.

A lot of businesses will find themselves needing to re-address the very foundations of their infrastructure before any additional approaches can be taken. Integration is a massive part of strengthening a company’s network architecture as most will have existing technologies that will need to be combined into one fully functioning capability.

Not only will this allow for greater accessibility and flexibility, but it will also simplify the systems so that they are easier to manage. Achieving this integration will provide businesses with greater visibility into their platforms, making it significantly easier to identity and defend against incoming cyber threats.

Ensuring a secure future

Solutions such as Secure Access Service Edge (SASE) can assist in the strengthening of network architecture. SASE is the integration of networking and security solutions, such as zero trust and firewall-as-a-service (FWaaS), into a single service that can be delivered entirely through the cloud. This ability to deploy through the cloud allows for greater flexibility, making it easy to apply security services wherever they are needed. As a lot of applications used are cloud-based, including collaborative communications, seamless and secure transition to and from the cloud are crucial.

Cybersecurity will likely become more of a process model that is part of every new project. It will become imbedded in every business area, regardless of what their main function is. In such an extreme and sophisticated threat landscape, simply educating employees and home workers of security risks cannot be relied upon to protect companies from malicious attacks.

In an era where cybersecurity attacks are inevitable, strong network architecture and end-to-end visibility are the fundamentals to a resilient security posture. Providing a single point of control using solutions such as SASE will enable businesses to create a more streamlined network architecture, whether from remote locations or within the office. Regardless of their current standpoint, all businesses should be working towards one goal – implementing a business approach that combines the three crucial elements: security, network and visibility.

Leave a Comment

How to hack into 5500 accounts… just using “credential stuffing”

We all ought to know by now that passwords that are easy to guess will get guessed.

We recently reminded ourselves of that by guessing, by hand, 17 of the top 20 passwords in the Have I Been Pwned (HIBP) Pwned Passwords database in under two minutes.

We tried the 10 all-digit sequences 112123 and so on up to 1234567890, and eight of them were in the top 20.

Then we tried other obvious digit combos such as 000000111111 and 123123 (we started with six digits because that’s Apple’s current minimum length, and because we noted that 123456 came out well ahead of 12345 and 1234).

The others were equally easy: qwertypasswordabc123password1iloveyou and qwertyuiop, the last being a useful reminder that length alone counts for very little.

Strong enough for everything?

What to do?

  • Don’t re-use passwords. And don’t try to invent a technique for modifying each password slightly from an original template to make them seem different, because the crooks are on the lookout for that.
  • Consider a password manager. Password managers generate random and unrelated passwords for each account, so there are no similarities a crook could figure out, even if one of the password gets compromised. Remember that you don’t have to put all your passwords into the manager app if you don’t want to: it’s OK to have a special way of dealing with your most important accounts, especially if you don’t use them often.
  • Turn on 2FA if you can. Two-factor authentication doesn’t guarantee to keep the crooks out, but it stops attacks like this one from being carried out so easily and on such a broad scale, because the passwords alone would not have been enough.
  • Report payment anomalies. Obviously, you need to look for outgoing payments that shouldn’t have happened, and for incoming payments that never arrived. But also look out for outgoing payments that somehow failed when they should have gone through, or for incoming funds you didn’t expect, no matter how small the amount. The sooner you report any errors, even if you didn’t lose any money, the sooner you help both yourself and everyone else.

Leave a Comment

Quantum computing: How should cybersecurity teams prepare for it?

Our community – that is, technologists, mathematicians and information assurance professionals – has generally adapted well to changes in the technology landscape.

At the start of the Cold War, the western security apparatus sought to understand the actions of their adversaries by intercepting radio signals bouncing off the ionosphere and analyzing the messages they carried. Later, when the Soviets moved to microwave transmissions, that same security apparatus deployed cutting-edge line-of-sight interception techniques.

Then, in 1977, after the Soviets began to successfully encrypt their communications, the NSA launched the Bauded Signals Upgrade program, delivering a supercomputer designed to compare encrypted messages with elements of plain text transmitted by mistake, allowing the agency to break many of the Soviets’ high-level codes. Time and time again, our innovation has kept us safe, but only when we have prepared to meet the threat.

Quantum information theory, which has been explored since the beginning of the 20th century, has led to an exciting yet dangerous new prospect: new quantum algorithms to solve computational problems which have thus far proven to be intractable – or at least unachievable within a useful period – by classical computers. One such problem is the breaking of the Advanced Encryption Standard, a key pillar of modern data encryption.

A joint research team of engineers from Google and the Swedish Royal Institute of Technology published a study that theorized the breaking of a 2048 bit key in just 8 hours, something that would take today’s classical computers over 300 trillion years. The catch? This theory requires a 20 million-qubit computer, and the largest quantum computer that exists today has only 65.

Their study, alongside many like it, tells us that quantum technology will present the greatest threat to the security of our critical systems in the history of computing. It may even be useful to us in future conflicts. However, quantum computers will need considerably more processing power than is available today and will require a significantly lower error rate if they are to be utilized for cyberspace operations.

To meet this challenge, institutions across the world are rushing to develop quantum computers that are capable of delivering on the promising theory.

The U.S. National Institute of Standards and Technology is currently evaluating over 60 methods for post-quantum cryptography, quantum key distribution, and other security applications. Early indications are that quantum technology will provide an ability to detect, defend, and even retaliate against all manner of future threats.

Away from security, most people understand that quantum computing has immense potential for good – with applications in the scientific and medical research fields easy to imagine. However, this vast computing power could also be used to undermine the classical computer systems that our nation relies upon so heavily.

DISC InfoSec Shop

Cryptography and Quantum Computing

Leave a Comment

The 5 biggest ransomware pay-outs of all time

Just a few years ago, you may never have heard of ransomware. Nowadays, it’s a £10 billion-a-year industry and considered one of the biggest threats facing organizations, schools and essential services.

Dozens of ransomware cases are reported each month, with companies locked out of their files and facing extortionate demands. The current going rate for decryption keys is in the region of 0.3 bitcoin (about £100,000, or $140,000), but sometimes attackers set their sights much higher.

In this blog, we look at some of the times attackers have done that – as we review the five biggest reported ransomware payments.

Leave a Comment

Critical 0day in the Fancy Product Designer WordPress plugin actively exploited

Researchers from the Wordfence team at WordPress security company Defiant warn that a critical zero-day vulnerability, tracked as CVE-2021-24370, in the Fancy Product Designer WordPress plugin is actively exploited in the wild.

Fancy Product Designer is a premium plugin that allows customers to design and customize any kind of product in their online stores, it is currently installed on more than 17,000 websites.

Experts pointed out that the vulnerability could be exploited only in certain configurations, but even if the plugin is not active.

Attackers are exploiting the flaw to extract order information from site databases, anyway, this vulnerability is likely not being attacked on a large scale.

Users could modify their products by uploading images and PDF files, but experts noticed that the checks in place to prevent malicious files from being uploaded are not sufficient and could be easily be bypassed

“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed.” reads the post published by the experts. “This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”

The flaw has been rated with a CVSS score of 9.8 out of 10, an attacker could exploit the issue to upload executable PHP files to online stores that have the plugin installed.

Leave a Comment

“Have I Been Pwned” breach site partners with… the FBI!

If your password gets stolen as part of a data breach, you’ll probably be told. But what if your password gets pwned some other way?

n case you’ve never heard of it, Have I Been Pwned, or HIBP as it is widely known, is an online service run out of Queensland in Australia by a data breach researcher called Troy Hunt.

The idea behind HIBP is straightforward: to give you a quick way of checking your own online accounts against data breaches that are already known to be public.

Of course, you’d hope that a company that suffered a data breach would let you know itself, so you wouldn’t need a third party website like HIBP to find out.

But there are numerous problems with relying on the combined goodwill and ability of a company that’s just suffered a breach, not least that the scale of the breach might not be obvious at first, if the company even realises at all.

And even if the company does do its best to identify the victims of the breach, it may not have up-to-date contact data for you; its warning emails might get lost in transit; or it might not be sure which users were affected.

Leave a Comment

These 2 attacks allow to alter certified PDF Documents

Researchers from Ruhr-University Bochum have disclosed two new attack techniques, dubbed Evil Annotation and Sneaky Signature attacks, on certified PDF documents that could potentially allow attackers to modify visible content without invalidating their digital signature. The attacks are documented in 

, and .

The experts presented the results of the study at the 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021).

The attacks leverage the flexibility of PDF certification that allows signing or adding annotations to certified documents under different permission levels. The experts demonstrated that the EAA technique could be effective against 15 of 26 viewer applications while the SSA could work against 8 viewers.  

“The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels. Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using EAA and in 8 applications using SSA by using PDF specification compliant exploits.” reads the post published by the researchers.

The experts explained that the certification of signed content also allows users with specific permissions set by the certifier to apply certain modifications to the PDF document. This means that the user could write text to specific form fields, provide annotations, or add its own signature if permitted by the certifier.

The idea behind Evil Annotation Attack (EAA) is to modify a certified document by inserting annotations that include malicious code.

“The idea of the Evil Annotation Attack (EAA) is to show arbitrary content in a certified document by abusing annotations for this purpose. Since P3 certified document allow to add annotations, EAA breaks the integrity of the certification.” continues the post.

The idea behind the Sneaky Signature Attack (SSA) is to manipulate the appearance of arbitrary content within the PDF by adding overlaying signature elements to a PDF document that is certified at level P2, which means that it allows to fill forms.

These 2 attacks allow to alter certified PDF Documents

Leave a Comment

The evolution of the modern CISO

The modern CISO

The role of CISO first emerged as organizations embraced digital revolutions and began relying on new data streams to help inform business decisions. As technology continued to advance and became more complex, so too did threat actors who saw new opportunities to disrupt businesses, by stealing or holding that data hostage for ransom.

As the years have gone by and cyberattacks have become more sophisticated, the role of the CISO has had to advance. The CISO has evolved from being the steward of data to also being a guardian for availability with the emergence of more destructive and disruptive attacks. The CISO also must be highly adaptable and serve as the connective tissue between security, privacy and ultimately, consumer trust.

The changing threat landscape

Previous blogs on CISO & vCISO

Virtual CISO - Virtual Chief Information Security Officer (vCISO)

Related latest CISO and vCISO titles

Leave a Comment

I hacked my friend’s website after a SIM swap attack

Here’s how easily your phone number could be stolen, why a successful SIM swap scam is only the beginning of your problems, and how you can avoid becoming a victim of the attack

Just how easy is it to conduct a SIM swap attack and what can the attacker do once they have taken control of your phone number? In short, it’s worryingly easy and the criminals can do a lot once they have the keys to the kingdom.

We hear of SIM swapping – also known as SIM hijacking and SIM swap scams – all the time, and yet many people think it can’t ever happen to them. Indeed, people often tell me that they will never get hacked in any way and they actually even wonder why anyone would even target them. But the truth is that we are part of a huge numbers game for many malicious actors and they will continue to target the low-hanging fruit. So why don’t we just implement a few precautionary methods to reduce this risk?

I will come back to what you can do to mitigate the risks later, but first I want to tell you how I tested a SIM swap attack just so I could generate a talk and help people understand the risks. A real-life story is always better when helping people to be more cyber-aware. In fact, I ran a similar experiment last year when I showed how easy it is to hack anyone’s WhatsApp account by knowing their phone number. It was a very valuable lesson for the colleague-turned-victim.

I have known my friend – a let’s call him Paul – since school and we’ve been close friends ever since. I asked him recently if I could attempt to ethically hack him for the greater good and use anything that came from it in the name of cyber-awareness and helping protect people from future attacks. He was happy to oblige and even thought it would be fun to be part of an experiment.

How SIM swapping works

Leave a Comment

Ransomware attribution: Missing the true perpetrator?

Admittedly, this does lead to doomsday scenarios offered up by authors on the multitude of platforms sharing doomsday scenarios, with weak attribution included to suit their own narrative.

While commentary on the impact of such a scenario is generally to be welcomed, the focus of attribution remains. Recent events have introduced the world at large to ransomware variants previously only discussed within the information security industry. However, one has to question whether their inclusion is even remotely accurate.

As has been documented, we live in a world where anybody with access to a computer can be a player in the ransomware industry. Through ransomware-as-a-service (RaaS) there exists a business model that supports ‘partners’ to carry out attacks against victims, and to share the profits with the developers of the ransomware. In return for this arrangement, such partners or affiliates are offered a dashboard and a sizeable share of profits, in a relationship that appears to suit both parties based on the rise in use of such a model.

And herein lies the issue.

Recent ransomware attacks, using tools such as DarkSide, were indeed carried out by such partners. Celebrations over the retirement of certain ransomware variants appear to be premature, with GandCrab serving as an indication of what may actually occur. The group behind GandCrab, which was incredibly active and claimed to have made $2bn, announced its retirement in 2019.

While this announcement was greeted positively at the time, questions were raised about why the number of affiliates dropped sharply a few short months earlier. Fast forward a few months and the growth of Sodinokibi may have answered those questions, while confirming that rumours of senior partners’ retirement from the ransomware scene may have been greatly exaggerated.

However, and this is the critical component, it is the affiliates that break into organizations, and it is these same people that deploy ransomware within the environment, while all the time the ire remains solely fixated on the ransomware developer.

While the developer(s) should not escape the ferocity of anger placed upon them, it seems the affiliates continue their activities and can simply move to any number of other schemes should actions lead to the disruption of the ransomware group they have agreed to work with.

In our continued focus toward holding those accountable for the disruption they cause, closer attention must be paid to such mercenaries who are largely responsible for the exponential growth of such attacks. It is their involvement and capabilities that have allowed such attacks to adapt and become so much more crippling than ever before.

Leave a Comment

New Disk Wiping Malware Targets Israel

Advanced malware analysis

Leave a Comment

New Bluetooth Flaws Let Attackers Impersonate Legitimate Devices

Adversaries could exploit newly discovered security weaknesses in Bluetooth Core and Mesh Profile Specifications to masquerade as legitimate devices and carry out man-in-the-middle (MitM) attacks.

“Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing,” the Carnegie Mellon CERT Coordination Center said in an advisory published Monday.

The two Bluetooth specifications define the standard that allows for many-to-many communication over the short-range wireless technology to facilitate data transfer between devices in an ad-hoc network.

The Bluetooth Impersonation AttackS, aka BIAS, enable a malicious actor to establish a secure connection with a victim, without having to know and authenticate the long-term key shared between the victims, thus effectively bypassing Bluetooth’s authentication mechanism.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” the researchers said. “The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.”

“To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.”

In addition, four separate flaws have been uncovered in Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1. A summary of the flaws is as follows –

  • CVE-2020-26555 – Impersonation in Bluetooth legacy BR/EDR pin-pairing protocol (Core Specification 1.0B through 5.2)
  • CVE-2020-26558 – Impersonation in the Passkey entry protocol during Bluetooth LE and BR/EDR secure pairing (Core Specification 2.1 through 5.2)
  • N/A – Authentication of the Bluetooth LE legacy pairing protocol (Core Specification 4.0 through 5.2)
  • CVE-2020-26556 – Malleable commitment in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26557 – Predictable AuthValue in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26559 – Bluetooth Mesh Profile AuthValue leak (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26560 – Impersonation attack in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)

“Our attacks work even when the victims are using Bluetooth’s strongest security modes, e.g., SSP and Secure Connections. Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device,” the researchers said.

The Android Open Source Project (AOSP), Cisco, Cradlepoint, Intel, Microchip Technology, and Red Hat are among the identified vendors with products impacted by these security flaws. AOSP, Cisco, and Microchip Technology said they are currently working to mitigate the issues.

The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has also issued security notices for each of the six flaws. Bluetooth users are recommended to install the latest recommended updates from device and operating system manufacturers as and when they are available.

Source: The Hacker News

Leave a Comment