All The Breaches of 2019

ZDNet has, very conveniently,  collected the information and links on all the major hacks, cyber-attacks and breaches so far in 2019. It makes for very scary reading particularly when you realize that this is just a selection of the newsworthy incidents of the year.

Learning

Apart from the variety of in the incidents, the key learning from my perspective is that organizational cyber-security needs to be pro-active – be it patching your systems on schedule and as per your risk profile or ensuring that your IDS/IPS are up to scratch. From what I can see, there is no real pattern regarding the breaches. Perhaps there is a slight increase in ransomware attacks & insider threats. However, these are seasonal and I would not draw any lasting strategies based on it.

Learning

I am going to stay with the breaches of 2019 and see what lessons we can draw from that repot. 
The other learning is a bit inferential, in my opinion: get cyber insurance, without fail. It is a no brainer.
Consider: 

• It is a certainty that you will be breached. It is better to be prepared.
• 50% of organizations do not think they are ready to handle a breach.  Even if you are ready, your suppliers may not be. 
• The average total cost of a breach, has risen 12% to $3.92 million when you take into account notification costs, expenses associated with investigation, damage control, and repairs, as well as regulatory fines and lawsuits. 
• And your stock price drops by 7% if you notify a breach. 

At least cover the financial impact so that you can handle the reputational impact.

FBI: Echo/ Google Home Advisory

FBI has some very specific advise about using consumer IoT devices. Please read the article if you use any of these devices.  TL;DR: change the default passwords. Watch out what permissions that the attendant mobile app.

Android: Bouncer App

In the matter of application permissions on Android, I discovered this app: Bouncer. It revokes permissions from apps after you are done using them. That way you do not give up any functionality while ensuring that the apps do not snoop on you. Too much. 

CWE Top 25 Most Dangerous Software Bugs

Mitre has released the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors (CWE Top 25).  The big news is that SQL Injection has slipped to #6. 

Disney+ & Nord VPN

Disney+ is available only in a few geographies and they have ensured that they block VPNs. However, Nord VPN users have been able to access Disney+ using something called “residential proxies”. The article provides a theory how. I personally think they just purchased a block of residential proxy addresses from a willing service provider.

Android Woes

Android had a fairly rotten week last week – 4 major vulnerabilities reported. Google themselves have categorized them “Critical”.  Ensure that you apply the Dec 1 security update, without fail.

• StrandHogg
• https://gbhackers.com/rcs-hacking-attacks/
• Permanent DoS on Android 8, 9 & 10
• Android Camera Threat

The Language of Cybercrime

Since phishing in general & BEC in particular so rooted in the psychology of the individual, it is very illuminating to look into how a scammer works.  The link above has some snippets  of an actual romance scam. Please read it; it is worth your time.

Learning

Two aspects stood out for me – (1) how easy it is to script an interaction to scam some one and, (2) the extent to which a scammer can push a victim. 
We each have this image of a scammer being computer nerd (disheveled may be; but a nerd!). Clearly that is not the case. Set scripts are available and all they need is a bit of seed capital. 
What we need to understand is that it is not about how smart we are; a successful scam depends  on how human you are. 

How the hell did that happen?

The article linked above explains how ransomware bypasses security checks, even in organizations that seem to have implemented good security practices.  We saw how psychology is at the core of BEC.  

Learning

The article talks about a few techniques like “Code Signing” or “Privilege Escalation”, etc.  These are but the methods how a ransomware hijacks your systems and data. The core problem in ransomware attacks is also rooted in psychology. 
The key  attack vectors  for ransomware are email links & malicious sites.  All the techniques listed in the article are useless if nobody clicks those links. And getting you to click on those links is an exercise in applied psychology.
In my opinion, investment in employee education pays extremely high dividends in the security arena.

1.2 Billion People Exposed

Data sleuth Bob Diachenko located an unsecured Elastisearch server with 1.2 Billion records leftover from two data aggregation companies – People Data Labs & OxyData.io.

Top 5 CyberSecurity Project that can save you

Small and medium enterprises can leverage these open-source projects and gain a head start to start their security initiatives for safeguarding their businesses. Another advantage of open-source projects is that companies can customise it based on their requirements and guard their information.

Are you 1-10-60 Compliant?

How long do you need to containg a breach in your organization. The recommendation is: 1 minute to detect, 10 minutes to triage, and 60 minutes to contain. The average company takes 162 hours to detect, triage, and contain a breach.
 

Ginp Android Banking Trojan

An Android malware, called Ginp, masquerades as other legitimate android apps like Adobe Flash Player. Once downloaded, it seeks  & gets permissions. That provides the springboard for further breaches. The current version targets your banking information.

How to avoid shopping scams this season

There’s nothing quite like a major online sale to have us reaching for the credit cards in the hopes of nabbing a bargain (or ten), but with Black Friday and Cyber Monday fast approaching, the need for increased diligence around our online safety is at an all-time high. 

Phoenix Key Logger Avoids detection

The Phoenix Key Logger (it has now morphed into an info-stealer) has gained anti-AV & Anti-VM capabilities. It now actively avoids 80 different security products.

Company finds it is hacked after server runs out of space

Back in 2016, an Utah based company figured out, 2 years too late, that it was hacked after one of its servers ran out of space. The hacker had stored the stolen data on the server’s disk. That archive finally grew too big, triggering the detection of the hack.

Learning

There were quite a few errors in how the company set up its systems – there were no means to detect unauthorized access or modification of its files. Nor did it track usage of resources. Nor were costs tracked closely enough to detect anomalies.
The hacker stole around 1 million user records  out of a total of around 12 Million user records.  To make it easier of the hacker, sensitive user information like, SSN, Payment card information, bank accounts, user names & passwords (GASP!!) were stored in clear text 
If you read the story, you will find that the intruder had earlier infected the company’s systems for remote access & control. So, the company’s IT sin is further compounded by the failure to clean out an infection completely – again an outcome of poor logging.
The company is a text book case study of how not to implement cybersecurity.  Learn from their travails!

The WORST way to check your password strength!

FinecoBank, a bank with more than 1.3 million customers in Italy and the UK, suggested an unusual password strategy to its customers: copy and paste the password into Google, and see if anyone else is using it.
This, obviously,  is a very bad idea!

Learning

While it is a good idea to encourage customers to choose unique, or rare, passwords, entering them in clear text in a search engine is wrong – too many actors know your customer’s password.  And after all that risk, the resulting password is likely not very strong as any human generated password is bound to follow some pattern.
A better solution is to use password generators, combined with a password manager.   It is suggested that random phrases with special character modifiers generate stronger passwords in real life.   
When this strategy is combined with multi factor authentication, you can balance security and ease of remembering the password adequately.

Mass Malware Attack

Bad actors are utilizing the interest generated by the US 2020 Elections & the impeachment proceedings to infect systems with malware.

Facebook  Plays Peek-a-Boo

The interwebs were ablaze last week with the news that Facebook switches on the phone camera when you use the app on iPhone. (Thankfully, this ‘feature’ is absent on Android)

$5M Ransom demand from Pemex

Attackers have demanded a $5 Million ransom from beleaguered Mexican State Oil firm Pemex, after making the point that they missed the ‘early bird discount’!

Cybersecurity – A Collective Responsibility

C-suite execs must set an example of good practices while also supporting the IT department with enough budget to protect the organization from next-generation cyberattacks.

AWS Suffers 8 Hour DDoS attack

AWS confirmed a sustained 8 hour DDoS attack on Route 53 & related services.  This news emphasizes the need for multi-cloud, multi-region architecture for your mission critical enterprise class applications, in my opinion.

Insider Attack Cheaper than  Malware?

A fascinating podcast on the economics of using Insider attack vectors over  the external. A discussion on what the top insider threats are, and why departing employees as a threat are pushing companies to update their exit policies.

GitHub Launches Security Lab

GitHub announced the launch of a new community program called Security Lab that brings together security researchers from different organizations to hunt and help fix bugs in popular open source projects.

The FBI as put out a public service announcement about a scam that has cost companies, by FBI’s estimates, $ 26 Billion!  The FBI calls it BEC (Business Email Compromise) and essentially it is a scam where the attacker tricks the organization into transferring money to a wrong account by sending instructions from what appears to be a legitimate email id of the person sending the instruction. For example it could look like a mail from the CEO asking for a sum to be transferred to close a deal; or a vendor changing payment instructions.

Learning

BEC is different from regular phishing mails in that it is targeted and requires a high level of understanding of your processes and the identity of the purported sender.  You need to ensure that the people processing payments are first aware of this scam. You then need train people on adequately validating  instructions for change of payment – these mails are crafted to look genuine for any but the most sceptical person. And finally, you need to ensure that no one ever suffers any blowback if they follow those instructions.  The full list of recommendations from FBI:

• Use secondary channels or two-factor authentication to verify requests for changes in account information.
• Ensure the URL in emails is associated with the business it claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Don’t supply login credentials or PII in response to any emails.
• Monitor financial accounts regularly
• Keep all software patches on and all systems updated.
• Verify the email address used 
• Ensure that full email extensions are viewed.

So  you found out that you have been infected by ransomware, like seems to be the norm.  What do you do next?

Here’s what 1,180 adult individuals did:

Restarted Computer 30%Online Tool 18%Restored from backup 22%Removed 13%Reformatted Computer 5%Removed using AV 5%Paid Ransom 4%Other 3%
What should you do next?

Learning

First thing to remember – do notreboot off your computer!!   That sometimes enables a malware which is stuck to complete the job. Typically, if you have a ransomware attack, you have to do two things – The first is finding the ransomware’s artifacts — such as processes and boot persistence mechanisms — and removing them from an infected host.
The second is restoring the data if a backup mechanism is available.  If the first step is not completed, then it is possible that rebooting the computer often restarts the ransomware’s process and ends up encrypting the recently-restored files.
So, your best bet is to disconnect the computer from the network and then hibernate your computer because it saves a copy of the memory, where some shoddy ransomware strains may sometimes leave copies of their encryption keys.
Call for expert help immediately after that, instead of trying to restore your backup.
To learn more about dealing with ransomware attacks, you can check out the Emsisoft guide on how to remove ransomware and Coveware’s first response guide on dealing with a ransomware attack.

Cybersecurity for women

The Indian Police Service & a set of IT professionals have launched a site,   https://cybersafegirl.com/ that educates women on how to stay safe in the cyber world. And, if they do get into trouble, what to do about it. They have a free e-booklet that can be downloaded from the site.

What is a good password?

Is a password that even you cant remember good?  “Not really.” say experts.
Unreadable passwords lead you to repeat passwords, which means that a hacker cracking one account can crack multiple accounts. 
Shift to pass phrases.  Turn on two factor authentication. Install a good password manager.

IOT Security

IOT is setting the world ablaze with its myriad use cases. One forecast  predicts that there’ll be almost 41.6 billion connected things in 2025 that will generate 79.4 zettabytes of data.  However, the same use cases increase the attack surface and enable novel attacks to materialize. 
Technopedia has aggregated various expert’s views on how this threat can be handled and the risk limited

Cybersecurity Excuse Generator

As we have been saying, it is inevitable that you will get attacked. When that does happen, how to you tell the world that you got hacked?
The site linked above comes to your rescue and gives you plenty of tongue-in-the-cheek excuses you can use. 
Strictly for recreational use!

Amazon Echo, Google Home Laser Hackable

Researchers discovered that precisely modulated lasers could silently send “voice” commands to smart speakers from hundreds of feet away. The attack also worked on smartphones and on an iPad, but only at short distances.

How can you defend yourself if this starts happening in real life? The best bet is to make sure your Amazon Echo, Google Home, Facebook Portal, Amazon Fire TV Cube and other smart speakers aren’t facing windows. 

Pwn2Own

Pwn2Own is a bi-annual hacking contest held at the CanSecWest security conference.  Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. This year’s Tokyo contest was won by Team Fluoroacetate (researchers Amat Cama and Richard Zhu) taking home the Master of Pwn title for the third year in a row.  Amazon, Sony, Xiaomi, Samsung Devices were successfully hacked this year.
The highlights of  Day 1 & Day 2 linked.

Advisory on Holidays, Phishing & Malware

As this holiday season approaches, the Cybersecurity and Infrastructure Security Agency (CISA) encourages users to be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online. A few dos & donts from CISA!

Also, please remember the vulnerability is not new.  While CVE-2019-3568 was entered into the NVD only this year, it has been exploited for over 3 years by bad actors. Again, Pegasus is not the only tool to exploit this vulnerability; it is merely the most visible as it calls itself an aid to law enforcement and hence, by definition, is on the side of the good guys. 

Kudankulam Power Plant Cyber Attack

The Kudankulam Nuclear Power Plant (KNPP) was infected by a North Korean Trojan called DTrack. The control systems of the reactor were not affected as they were air gapped. While it is known IT systems are compromised, it is not known which specific systems are compromised. KNPP was notified of the attack in September by CERT-In.

Learning

There are two learning points in this for you and your organization:

Air Gapping

The reason why we know the control systems are safe is because there is no connection between them and the internet.   They cannot be remotely controlled.  Most process industries are set up this way by default. 

However, this is a lesson that can be carried over to other industries as well, at least for mission critical systems. In this era of micro-services, it should be possible to isolate your mission critical systems. If not, at least tight access control that is periodically reviewed will help prevent most of such exploits.

Social Engineering

The DTrack remote access Trojan used in the KNPP attack has multiple variants and essentially uses process hollowing to work.  Once a system is infected, the malware has the ability to perform keylogging, copy browser history, gather all host IP addresses and retrieve information about all available networks and active connections within a device. 

If you think about it from an attacker’s perspective, it is precisely this kind of information that would enable them to mount other kind of attacks that would eventually compromise the control systems – for example, compromising an insider through other means or password reengineering or eavesdropping attack. At the very least, it allows them to build information about the IT landscape around the control systems and enables them to craft an attack with that information.

So, while it is good news that control systems are not compromised, it is bad enough that the IT systems have been breached.

Top 10 Cybersecurity Terms

A basic knowledge of cybersecurity best practices goes a long way for people looking to protect their companies from cyberattacks. Although learning about cybersecurity can seem daunting, you don’t need to be an expert to help protect your business from security breaches. The page lists 10 cybersecurity terms you should be aware of, for starters.

$102 Billion Loss in one attack?

Since Ports are interconnected by definition, Lloyd’s of London warned that a single cyber attack on one of the 15 major ports across Singapore, China, Japan, South Korea, and Malaysia can result in $120 Billion loss.In a potential attack scenario targeting ship that the study posed, a software virus could scramble the cargo database logs at major ports and result in critical disruption. 

Unremovable’ XHelper 

A new Android malware strain has made a name for itself after popping up on the radar of several antivirus companies, and annoying users thanks to a self-reinstall mechanism that has made it near impossible to remove.  It known to have infected 45000 devices until now but it is seems to be spreading at the rate of 131 new victims a day. 
It is spread by web redirects.

Unlock any Fingerprint Locked Phone

Hackers working for Chinese security company Tencent claim that they have developed a method to photograph a fingerprint on any glass surface and use it to unlock any smartphone, no matter their fingerprint reader technology — in just 20 minutes

US investigates Tik-Tok

U.S. lawmakers have been calling in recent weeks for a national security probe into TikTok, concerned the Chinese company may be censoring politically sensitive content, and raising questions about how it stores personal data.

• November is National Critical Infrastructure Security and Resilience Month
   
• North Korean Malicious Cyber Activity -HOPLIGHT
   
• Industrial Equipment Hackathon will be the prmary focus of of Pwn2Own 
   
• Microsoft Reports Global Cyberattacks on Sporting and Anti-Doping Organizations from Russian Espionage Actors
   
• Samba Releases Security Updates
• Chinese Hackers Hack Telecom SMS Servers

• Chrome Zero-Day Vulnerability being exploited. Update now!
   
• Advisory for vulnerabilities in Advantech’s WISE-PaaS/RMM IoT management platform.
   
• Honeywell equIP Series IP Cameras Advisory 
   
• Apple Releases Security Updates for Multiple Products
   
• MS-ISAC Releases Advisory on PHP Vulnerabilities
   
• FTC Provides Tips for Warding Off Hackers
   
• Android NFC Vulnerability exploited in the wild

Pitney Bowes Ransomware Attack

The latest ransomware attack victim turns out to be global mailing and shipping service, Pitney Bowes. As confirmed by the firm itself, their systems suffered a ransomware attack which caused disruption to their services.  

Learning

The average cost of a ransomware attack on a small company is pegged to be around $200,000 per incident. The irony is, even though ransomware attacks are common, they are not particularly sophisticated or insidious.  They are easily preventable even by a small , non-technical businesses. 
The best defence against this type of attack is having regular, well tested back-ups.  Both aspects of backups, regularity and testing, are important for this defence to be effective.  Additionally, your frequency of backup has to meet your organization’s standards for RPO (Recovery Point Objective).  
The other aspect to keep in mind is that since most ransomware are introduced via email to the organization,  either as an attachment or as a link, it might pay excellent dividends to invest in the security education of your employees.  Combined with a good back-up process, this will help you prevent or recover from 90% of ransomware attacks.

Going Dark on the Net

You are aware of all the epigrams:
– “If you’re not paying for the product, you are the product”,
– “Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”
– “Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.”

What all these bon mots fail at is telling you how to erase your digital footprints on the broad internet.   It is not always possible to browse the net using the incognito mode – after all, it is convenient get recommendations for that playlist that is tuned just to your tastes!
You should be able to balance your need for convenience with how much of your information is collected and  how much of it is stored for how long.

Learning

 So, how do you ensure that your digital history is not stored on the internet? First, practice safe browsing practices:
– Examine a URL before clicking
– Do not install random software from unproven sources
– Install & use a good anti-virus
– Unfriend/ disassociate with anyone you do not actually know
– Look critically at the permissions you have given and fix them

Read the article from Gear Patrol to find out  more.

Are you over-working your executives?

For most organisations in India (92%), cybersecurity is an executive level priority. However, higher workloads and fatigue leave leaders little time to actually look into cyber security threats, according to Cisco’s 2019 Asia Pacific CISO Benchmark Study

You wont believe how he tracked her location!

Indie Japanese idol Ena Matsuoka ‘gave away’ her location to her obsessed fan Hibiki Sato! Apparently, he was able to stalk her from her photos on social media.  The 26-year-old fan used the angle of the light and shadows to approximate her GPS location!  He also zoomed in on the singer’s eyes and identified a train station from the reflection in her iris. He then used Google Maps to find the train station.

Hacked Data Recovered

In an ironic twist of fate, BriansClub, a black market site that contains stolen credit cards, was hacked to rescue the data of more than 26 million credit and debit cards.
KrebsOnSecurity reports that the data stolen in August from the site, which goes by the name BriansClub was shared with financial institutions who were able to identify, monitor, and reissue cards that were compromised. 

Change your Default Passwords!

Kaspersky has set up ‘honeypots’ in various geographies to find out the nature & pattern of threats on smart devices. These are small footprint devices which have some processing capabilities.
They setup around 50 honeypots around the world. They found that there were 20,000 infected sessions every 15 minutes. 
Their conclusion? Read the title of this snippet!

There are multiple ways to work around MFAs:

• For example, like how the Twitter account of Jack Dorsey was hacked, your SIM too can be swapped.
• Or if the site using MFA is not securely developed, an attacker can bypass MFA anyway and get at your private data. 
• Finally, the ubiquitous ‘social engineering attacks’ can get you to divulge your information to an attacker voluntarily enabling them to inject themselves into the MFA cycle.

I do not want you to panic unnecessarily – after all, the FBI still says “Multifactor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks, …”.  I would only ask you to make note of the caveat.

– Sridhar Parthasarathy

JustDial Exposes 156 Million Users  

A massive security loophole at Just Dial has just been discovered. The flaw, discovered by an independent security researcher, has exposed almost 156 million unique users across the Just Dial ecosystem, that includes its web, mobile website, app and voice
JustDial claims to have addressed this issue.

Cyber Security News This Week

Vulnerabilities in Multiple VPNs

The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Fortinet and Palo Alto. The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review NSA’s Cybersecurity Advisory and CISA’s Current Activity on Vulnerabilities in Multiple VPN Applications for more information.

Microsoft – Cyberattacks on key emails

The Microsoft Threat Intelligence Center (MSTIC) has released a blog post describing an increase in malicious cyber activity from the Iranian group known as Phosphorus. These threat actors are exploiting password reset or account recovery features to take control of targeted email accounts.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Microsoft blog for additional information.

iTerm2 Vulnerability

Vulnerabilities have been discovered in MAC OS Terminal Emulator iTerm2, as per US-CERT information on vulnerability (CVE-2019-9535). Visit iTerm2’s downloads page for patch information and additional details for more information.

Windows Update Assistant Vulnerability

Microsoft has released a new version of the Windows 10 Update Assistant in order to fix a local privilege escalation vulnerability. The update is critical to cover the flaw.

Amazon CloudCam – People see you!

Dozens of Amazon workers based in India and Romania review select clips captured by Cloud Cam, according to five people who have worked on the program or have direct knowledge of it. Those video snippets are then used to train the AI algorithms to do a better job distinguishing between a real threat and a false alarm.

Twitter uses MFA data for ads

Twitter admitted to ‘inadvertently’ using data provided for multi-factor authentication for targeting ads.  The company did not divulge how long this has been going on or the extent of the misuse of data.

Vulnerabilities in Multiple VPNs

The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Fortinet and Palo Alto. The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review NSA’s Cybersecurity Advisory and CISA’s Current Activity on Vulnerabilities in Multiple VPN Applications for more information.