Nov 23

There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files. My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment. Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs. This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs. For those with more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.

I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier. MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non-security-focused folks.

It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine. If so, the malware stops executing and the analysis doesn’t see the bad behavior that would occur during a real infection. So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.
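As an added illustration of how an analyst might triage the kind of report described above (this is example code written for this post, not Malwr.com's or Cuckoo's own code, and the JSON layout it reads is an assumed, simplified Cuckoo-style structure, with constructed sample data), the following pulls out the four behavior categories the report covers, flags autostart registry writes, and treats a sample that does nothing at all as inconclusive rather than clean:

```python
import json

# Constructed sample in an assumed Cuckoo-style layout (not a real Malwr.com export):
# spawned processes, file and registry writes, and network contacts.
SAMPLE_REPORT = json.dumps({
    "behavior": {
        "processes": [
            {"process_name": "sample.exe", "pid": 1234, "parent_id": 1000},
            {"process_name": "cmd.exe", "pid": 1300, "parent_id": 1234},
        ],
        "summary": {
            "files": ["C:\\Users\\victim\\AppData\\Roaming\\svc.exe"],
            "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"],
        },
    },
    "network": {"hosts": ["203.0.113.10"], "dns": [{"request": "c2.example.invalid"}]},
})

# Constructed report of a sample that started and then did nothing observable.
QUIET_REPORT = json.dumps({
    "behavior": {"processes": [{"process_name": "sample.exe", "pid": 1, "parent_id": 0}],
                 "summary": {"files": [], "keys": []}},
    "network": {"hosts": [], "dns": []},
})


def summarize(report_json):
    """Reduce a report to the four categories the write-up talks about."""
    report = json.loads(report_json)
    behavior = report.get("behavior", {})
    summary = behavior.get("summary", {})
    network = report.get("network", {})
    return {
        "processes": [p.get("process_name") for p in behavior.get("processes", [])],
        "files_written": list(summary.get("files", [])),
        "registry_keys": list(summary.get("keys", [])),
        "network_contacts": list(network.get("hosts", []))
        + [d.get("request") for d in network.get("dns", [])],
    }


def persistence_keys(summary):
    """Registry writes under a Run key are classic autostart persistence; surface them."""
    return [k for k in summary["registry_keys"] if "\\currentversion\\run" in k.lower()]


def quiet_sample(summary):
    """True when only the sample's own process ran and nothing else was observed.

    Such a run is inconclusive (possible sandbox detection), not a clean verdict.
    """
    return (len(summary["processes"]) <= 1 and not summary["files_written"]
            and not summary["registry_keys"] and not summary["network_contacts"])
```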


Nov 02

It seems that car thieves have been targeting the keyless entry systems of high end vehicles, taking advantage of weak security in their on-board computers. In addition to stolen cars, this has also caused some insurers in the UK to refuse coverage for certain models of Range Rovers in London unless their owners take additional security measures. This is an interesting development – if your potential customers can’t get insurance coverage because your car’s (or other device’s) computer enabled systems aren’t secure, then you have a real incentive to fix the problem. Now how do we apply this to other types of systems?

Nov 02

When your co-workers or family members ask what to do about passwords, have them watch this brief, easy to understand and information-packed video from the folks at Sophos…


Nov 01

Racing the patch clock

By alberg, in best practices, CSO

all too true, usually

When previously undisclosed vulnerabilities in the Drupal web content management system, used by many large companies to manage their web sites, were announced, hackers were busy exploiting those weaknesses within hours. This incident highlights the bind that security people and system administrators increasingly find themselves in – we need to patch critical vulnerabilities quickly to protect our systems from compromise, but rolling patches out without proper testing can also lead to downtime (witness Microsoft’s recent run of faulty security patches). Having the skills to mitigate vulnerabilities while patches are tested and rolled out is something we need to cultivate as security pros.

Oct 31

VA court gives tech savvy criminals the finger

Now, here is a head scratcher… a circuit court in Virginia has ruled that while law enforcement cannot force you to reveal the passcode for your mobile phone, they CAN force you to unlock your phone with a fingerprint, since a passcode requires you to divulge knowledge while a fingerprint is a form of physical evidence.  While this seemingly nonsensical decision is not binding on other courts, it can be used as precedent in future cases.  I guess the moral of the story is that you should disable TouchID on your iPhone before embarking on your life of mobile phone assisted crime.  Alternatively, you could reboot your iPhone as John Q Law closes in, since TouchID will not work until you have entered your passcode after a reboot.

Jul 13

In August of last year, a security researcher at UC Berkeley found two security vulnerabilities in LastPass while researching the security of web based password managers.  He reported the problems to LastPass, who quickly remediated them.

One of the vulnerabilities would have allowed an attacker to gain access to unencrypted credentials IF the user accessed a malicious web site and then used the LastPass bookmarklet to log into that site – if you use the browser extensions for Chrome, IE, Firefox, or Safari (as 99% of LastPass users do), your account was not vulnerable to this attack. Bookmarklets are only used if the browser in use does not support LastPass directly.

The other vulnerability would have allowed an attacker who knew a user’s log in ID to retrieve that user’s encrypted password file, but not the key needed to decrypt this file.

LastPass states that they have no evidence that either of these vulnerabilities was exploited by anyone other than the researchers.

I still use and recommend LastPass – after all, if we stopped using software every time a security vulnerability was found and fixed, we would not be using Windows, Mac OS, or any browsers and plugins.   The extra security provided by using LastPass to manage unique strong passwords for the sites you log into far outweighs the risk of being compromised by vulnerabilities such as the ones described.

There is a lesson to be learned for LastPass users, though. The security of your account is only as good as the master password you choose for your LastPass account. Make sure that it is hard to guess, and is constructed using letters, numbers and special characters in order to make it as hard as possible for someone to crack.

I am disappointed in how long it took LastPass to reveal this issue – when you are entrusted with users’ “keys to the kingdom,” you have a responsibility to be transparent about issues like this in a timely fashion.  I think that this is also a good time for LastPass to open up their code for third party security review to be proactive about finding and fixing security issues before the bad guys do.


Jul 12

While the “Internet of Things” has great potential, it also opens up new attack surfaces for those with nefarious intent to exploit. A good example of this was found by a security researcher last week. LIFX offers wifi controlled LED light bulbs that can be turned on and off as well as color adjusted via an iOS or Android app. In order to operate, the light bulbs must authenticate to the wireless network in the user’s home or office. The researcher found that it was possible to retrieve the wireless network password from the bulbs themselves, giving an attacker access to the rest of the devices on the same network. LIFX has issued a patch to correct this issue, but this serves as a reminder that all of those new, whiz bang network connected devices are part of your network’s security perimeter. Many of these devices are coming from startup companies which may not have a security culture embedded in their development process. To be fair, the researcher had to do some fairly sophisticated work to pull off this hack, but as IoT devices begin to proliferate, the payback for attackers will be worth the extra effort.

Jul 04


BAE Systems spokesman

An update on the “hedge fund hacking” story from a couple of weeks ago… it appears that this attack (in which it was alleged that hackers penetrated hedge fund trading, delayed HFT orders and sent order information to servers in eastern Europe) did not actually happen. Apparently, this scenario was used internally at BAE Systems as a “what if” during table top exercises. For some reason, a BAE employee described this scenario to a reporter as if it was an actual incident. This is a real black eye for BAE (which probably explains why they waited for the holiday weekend to announce this).

More information:

http://www.cnbc.com/id/101807792

I still think that the kind of attack described in this scenario is bound to happen in the future as organized crime figures out that the capital markets provide much more profit potential than stealing credit card info – but there is no confirmed case of such an attack happening so far.

Jun 20

Ready cash – the ultimate attacker tool?

Cybersecurity firm BAE Systems (a large and credible industry player) announced that it had found and remediated an attack on an unnamed hedge fund back in late 2013 which placed malware on the firm’s servers which intercepted HFT trades, delayed their execution, and sent information about the trades to a third party server. BAE believes that “organized crime” was behind this attack.

If this report is accurate, it marks a new level of sophistication and business insight by attackers – rather than simply stealing random information or creating denial of service situations, these guys used knowledge of the financial industry (and at least some significant level of capital) to profit from their hack. Apparently, the attack went unnoticed for 8 weeks.

The firm’s report also mentions another attack on an insurance firm, where the attackers created bogus insurance policies in the firm’s underwriting systems and then filed claims against them.

This is a new attack trend that I have been expecting to see for some time – now that attackers have gotten really comfortable and successful with the technical side of hacking, the next logical step is to combine these skills and wins with business knowledge and capital to create much more sophisticated, profitable and (for victimized companies) potentially devastating attacks.  The financial services industry needs to take this incident seriously and adjust its view of the motives and sophistication of attackers.  While we have all talked about the theoretical possibility of hacks like this one, it has always seemed to be one of those “just over the horizon” threats.  Well, this new bit of news should firmly place these blended cyber/business/capital attackers and attacks on our radar.

While we don’t know exactly how the attackers gained access to the servers in question, I would be pretty surprised if a workstation malware compromise was not one of the first steps in the attack chain.  Another reason to keep bolstering our workstation defenses – patching, EMET, browser virtualization, behavioral based malware detection, and web filtering and blocking.  And another reason to have a conversation with your employees about just how perilous the landscape is becoming.


May 08

A security vulnerability in the way that online storage provider Dropbox (and possibly rival Box) handles links to shared files made some documents (which were supposed to be viewable only by people designated by the file owner) accessible to web site owners using Google’s visitor analytics and advertising tools. The rival online storage firm that found the issue claimed to have reported the problem (which gave access to sensitive files like mortgage documents and tax returns) to Dropbox last November. Dropbox fixed this issue, which it insists is a feature rather than a security flaw, this past Monday.

This issue highlights the need to make encryption of files and data stored with cloud service providers, using keys stored on the user’s local system, simple enough for non technical folks. The solution also needs to be able to support sharing of encrypted files securely with a third party or with other cloud services you authorize. If cloud providers can get this right (no small feat), living your life in the cloud will truly be ready for prime time.

Some solutions which currently exist:

  • Boxcryptor is a software solution which sits on top of Dropbox and other storage providers and automagically encrypts files as they are sent to and received from the cloud. They provide secure sharing as well as mobile apps for the major platforms. Of course, since Boxcryptor is an overlay to services like Dropbox, using this product would break the integration between Dropbox and other cloud apps.
  • There is at least one consumer usable provider (SpiderOak) which currently claims to offer this type of Zero Knowledge Encryption.

The real answer to the issue of cloud encryption lies in having the encryption built in to the platforms in a standard and interoperable way.  C’mon cloud vendors, you can do it!
