IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

Cybersecurity experts warn of ‘digital D-Day’ in healthcare

After two global ransomware attacks highlighted the potential dangers of network disruptions in the healthcare environment, cybersecurity experts are warning that subsequent attacks could have a much more devastating impact on patient safety.

There is particular concern over the vulnerabilities of medical devices, nearly all of which are connected to the network in some way, where the potential for patient harm is enormous. Malware could weave its way through infusion pumps and disrupt medication dosages, or cyberterrorists could coordinate a physical attack with a shutdown of hospital EHRs across a city.

“We’re going to have our digital D-Day, our cyber D-Day, if you will, in medical, and there’s going to be patients that die,” Christian Dameff, M.D., an emergency room physician and clinical informatics fellow at the University of California San Diego Health, told McClatchy. “It’s going to be a big deal.”

Beyond the inherent risks in medical devices, widespread EHR disruptions mean patients will be diverted from emergency rooms and clinicians would be left to treat patients without critical patient information at their fingertips. After the UK’s hospital system was hit by the WannaCry attack in May, emergency physicians said the impact was “undeniably dramatic” and argued that digital security “simply hasn’t been an NHS priority.”

The same industry concerns exist in the U.S., according to a recent report by the Department of Health and Human Services Cybersecurity Task Force which called for a “unified effort” among public and private entities to address some of the industry’s most pressing concerns regarding staffing shortages and medical device insecurity.

“Some of these attacks are like ringing the dinner bell for adversaries,” Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, told McClatchy. “Once they know they can and it’s that easy, at that point it becomes a race.”

Technical Dr. Inc.'s insight:
Contact Details:

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Lenovo Patches Critical PC Flaws


Lenovo issued an emergency patch to fix flaws in software that it preinstalls on many of its Windows PCs after security researchers warned that it contained vulnerabilities that attackers could use to remotely seize control of systems.


The vulnerabilities affect the Lenovo System Update software - version 5.6.0.27 and before - which was previously known as ThinkVantage System Update. The Chinese PC manufacturer says the vulnerable software may be present on its ThinkPad, ThinkCentre and ThinkStation laptops and tablets, as well as Lenovo V/B/K/E Series devices.


The flaws were discovered by IOActive security researchers Michael Milvich and Sofiane Talmat in February, after which they alerted Lenovo and helped it prepare related fixes, which Lenovo released in April. But the researchers' findings were only made public this week.


One flaw, rated critical by the IOActive researchers, centered on a "race condition," in which attackers could have System Update verify that an executable file was legitimate, and then substitute a malicious executable. "Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation," Lenovo warns in a related security advisory.


To fix the flaws, users should update to version 5.06.0034 or later of Lenovo's software, which includes related patches. "Lenovo System Update automatically checks for a [new] version whenever the application is run," the company's security advisory says. "Click OK when prompted that new version is available." Alternately, users can download updates manually.

Follows Superfish

The security alert follows revelations in February that Lenovo, which is the world's largest PC manufacturer, had been preinstalling adware called Superfish on many of its PCs. Numerous security experts warned that the adware put users at risk because of the insecure manner in which it used digital certificates to intercept and decrypt otherwise encrypted Internet traffic.


Now, security experts are expressing dismay that yet more flaws have been found in Lenovo's preinstalled software. "Lenovo has been found wanting again on the security front," information security expert Alan Woodward, a professor at Surrey University, tells the BBC. Following on the Superfish debacle, he said Lenovo was demonstrating a "lamentable record for security."


While Lenovo initially defended Superfish - as a feature - it later backed off and began working with security firms to delete the software. The manufacturer also promised that beginning with new devices running the forthcoming Windows 10 operating system it would include only essential operating system and related software, including hardware drivers, security software and Lenovo's own applications, with a spokeswoman saying they would be free from "what our industry calls 'adware' and 'bloatware.'"

Predictable Security Tokens

While Superfish adware was preinstalled on many consumer-focused Lenovo systems, the new vulnerabilities are largely present on business-oriented machines.


Furthermore, Lenovo's System Update software is powerful, in that it will execute any code that it receives, for example to update the Windows operating system. Such functionality would be useful to attackers, of course, if they could trick it into installing malicious code. If that attack was successful, then the attackers could install a backdoor, execute malware that steals data stored on the device, and take full control of the machine.


To guard against that, the System Update software requires any client that attempts to connect to the service to authenticate itself, using a security token. "Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions," the IOActive researchers say about the previous version of System Update. "As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed." Lenovo's patch, however, fixes that problem.

Another Flaw Patched

Another problem present in previous versions of the Lenovo System Update software was a failure to conduct complete security checks on executable code.


"As a security measure, Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them," the IOActive researchers said in their vulnerability warning. As before, this flaw was patched by Lenovo in April.

In particular, the Lenovo software did not fully validate the certificate authority chain. As a result, an attacker could create a fake certificate authority, use it to sign a malicious executable, and then fool the System Update software into executing it.


For example, per the "classic coffee shop attack," a related man-in-the-middle attack could be launched if the attacker was connected to the same WiFi network as a vulnerable Lenovo PC, the researchers say. "The System Update uses TLS/SSL to secure its communications with the update server, which should protect against 'coffee shop' style attacks," they add.


But that protection was contingent on the Lenovo software correctly handling digital certificates, which it was not. "Lenovo - like Fandango, Credit Karma, and an estimated 40 percent or more of mobile application developers - were not able to validate if certificates were from a trusted authority," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, which develops software to secure and protect cryptographic keys and digital certificates. "As this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide [via] encryption, and go undetected."


Again, however, Lenovo and IOActive report that all of the above flaws have now been patched.
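The two defects described above, the check-then-substitute race and the predictable client token, are instances of general patterns. The following is an added example, not code from Lenovo or IOActive, showing each pattern in generic form beside its hardened counterpart. Everything in it is constructed for illustration: updates arrive as a file plus a manifest entry holding the expected SHA-256 of that file (standing in for the publisher signature check), and "executing" the update is simulated by returning the verified payload.

```python
"""Added example (not Lenovo's or IOActive's code): a time-of-check/time-of-use
gap in an updater, and a predictable client token, each beside a safer form.
Assumptions are constructed: a manifest of SHA-256 digests stands in for the
publisher signature, and execution is simulated by returning the payload."""
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed sample update and its manifest entry (stand-in for a signature).
GOOD_UPDATE = b"echo legitimate update"
MANIFEST = {"update.bin": hashlib.sha256(GOOD_UPDATE).hexdigest()}


def _digest_ok(data: bytes, name: str) -> bool:
    """Compare the payload digest with the manifest entry in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), MANIFEST[name])


def verify_then_run_by_path(path: str, name: str, change_hook=None) -> bytes:
    """Flawed pattern: validate the file, then re-open the path to execute it.
    change_hook stands in for anything that alters the file between the two
    opens; whatever it wrote is what ends up being 'executed'."""
    with open(path, "rb") as f:
        checked = f.read()
    if not _digest_ok(checked, name):
        raise ValueError("update failed validation")
    if change_hook:
        change_hook(path)
    with open(path, "rb") as f:  # second open: not the bytes that were checked
        return f.read()


def verify_and_run_same_bytes(path: str, name: str, change_hook=None) -> bytes:
    """Hardened pattern: read once, validate the in-memory bytes, and execute
    exactly those bytes. A later change to the file cannot affect the result."""
    with open(path, "rb") as f:
        payload = f.read()
    if not _digest_ok(payload, name):
        raise ValueError("update failed validation")
    if change_hook:
        change_hook(path)
    return payload


def run_installer(hardened: bool) -> bytes:
    """Exercise one variant against a file that is rewritten after the check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "update.bin")
        with open(path, "wb") as f:
            f.write(GOOD_UPDATE)

        def rewrite(p):  # simulates the file changing between check and use
            with open(p, "wb") as f:
                f.write(b"echo something else entirely")

        install = verify_and_run_same_bytes if hardened else verify_then_run_by_path
        return install(path, "update.bin", change_hook=rewrite)


# Client token for the update service: derived from public values (weak)
# versus drawn from the OS CSPRNG and handed only to the caller (strong).
def predictable_token(pid: int, start_time: int) -> str:
    """Constructed weak scheme: anyone who knows pid and start time can
    recompute the token, which is the property the article warns about."""
    return hashlib.sha256(f"{pid}:{start_time}".encode()).hexdigest()


def issue_token() -> bytes:
    """Strong scheme: 32 random bytes that cannot be reconstructed."""
    return secrets.token_bytes(32)


def token_matches(stored: bytes, presented: bytes) -> bool:
    """Constant-time comparison so timing does not leak partial matches."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    print("flawed:  ", run_installer(hardened=False))
    print("hardened:", run_installer(hardened=True))
```

In a real updater the equivalent of `verify_and_run_same_bytes` is to copy the download into a location unprivileged users cannot write to, verify it there, and launch that copy, so that the bytes checked and the bytes run are the same.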


Ransomware Attacks' New Focus: Businesses


Ransomware attacks are getting more agile, varied and widespread, and are increasingly taking aim at businesses of all sizes in all sectors, rather than consumers.

These attacks involve two-part schemes. First, a device is infected with malware that locks the user out or encrypts files so that the user can no longer access them. Then a ransom is demanded through an automated message that appears on the device's screen. The user is told that they have a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.

In recent weeks, three reports from security firms and researchers have noted new ransomware scheme trends that are making these attacks more difficult to thwart and detect.

As a result, experts say businesses need to focus more attention on employee education about how to avoid falling victim to these attacks and other socially engineered schemes.

New Attacks

On March 2, security firm FireEye warned that hundreds of websites may have been exposed to "malvertisements" - ads containing ransomware - via criminals' abuse of ad networks that use real-time bidding.

"Real-time bidding is an ad sale and delivery system that allows for instant, autonomous ad auctions at the time the ads are served," FireEye says. "A number of buyers set up bids ahead of time for a certain amount of ad impressions (i.e., page loads) on pre-selected sites and certain target demographic characteristics. When a user requests an ad, the ad exchange awards the highest bidder who has an active bid on advertising matching the incoming user's demographic profile. As a result, the auction winner's ad is displayed."

In another recently released report, anti-virus provider Bitdefender noted that cybercriminals were using help files as a way of infecting devices with a variant of the ransomware known as CryptoWall. Attackers sent malicious emails with the subject "Incoming Fax Report" that contained help files with a compiled HTML extension, Bitdefender noted. When users opened the files, they were presented with a help window that automatically downloaded CryptoWall in the background.

In a third report, released March 6, a French malware researcher known as Kafeine said he discovered what at first appeared to be a new version of the ransomware known as TorrentLocker, but was later determined to be new malware. This is concerning, researchers say, because it proves how quickly hackers are adapting by developing entirely new malware strains that evade current detection mechanisms.

The Evolution of Ransomware

"Ransomware is flourishing as the criminal community appreciates its viability and the ease by which ransomware can be shared," says Tom Kellermann, chief cybersecurity officer at security firm Trend Micro. "The most troubling evolution is the migration to mobile ransomware."

In May 2014, security researchers warned of a new type of ransomware attack taking aim at employees and customers of banking institutions in Europe. The attack was being spread to mobile devices through the banking Trojan known as Svpeng (see New Ransomware Targets Mobile).

Today, attacks waged against Windows and Android operating systems have continued to spread.

"There is a lot of momentum behind ransomware and we do expect it to be a continuing issue throughout the rest of this year and beyond," says John Miller, manager of the Cyber Crime Threat Scape at cyber-intelligence firm iSIGHT Partners. "Law enforcement in different countries can help educate residents about the threats," which are designed for targeted global markets based on language and payments habits, he explains.

But it's up to individual companies to educate their own employees about how to identify a ransomware attack before becoming victimized, Miller adds.

Why Ransomware Is So Dangerous

Rather than targeting home-users' files, as was common in 2012 and 2013, attacks emerging in late 2014 started targeting business assets by encrypting enterprise database files and shared storage systems, says Jeff Horne, vice president of the security firm Accuvant.

"This is extremely dangerous to an enterprise network, as it could potentially destroy a business if offline backups haven't been stored," Horne says. "The real issue is the encryption that is being utilized, more often than not, cannot be broken with today's computers. Therefore, when these files are locked, if the ransom isn't paid, the files are gone until computers can break the encryption."

Another danger, he says, is that hackers sometimes collect the ransom but never unencrypt the data, making it virtually useless to the business.

Randy Abrams, research director at cyberthreat intelligence firm NSS Labs, says malware strains used in ransomware attacks are getting stealthier. And like Horne, he says the encryption hackers are using to lock files is getting harder to break.

"Older ransomware used cryptographic techniques that could be cracked," Abrams says. "This currently is no longer the case."

Ransomware can be devastating to victims who have no back-ups or who don't back up to local or network-connected drives, he says. "Online backup services, such as Carbonite, are very useful. But users must be certain that file types are also backed up."

A Growing Threat

The use of ransomware is spreading because the attacks make good business sense for cybercriminals, who can reap big payouts, iSIGHT's Miller says. "Windows ransomware is all over the place," he says. "It's very effective and very popular."

Cryptolocker was the first type of ransomware that got attention, Miller points out, "and criminals' observations of the damage that Cryptolocker was doing made them realize how profitable ransomware could be."

Today's attackers, who range from organized cybercrime rings to nation-states, are selling ransomware using sophisticated business models, says Peter Tran, general manager and senior director of security firm RSA's global advanced cyber-defense practice.

"The hacker distribution techniques and ecosystem are run like a business," Tran says. "The development, buying, selling, trading and distribution creates micro-economies that scale very quickly for both cybercriminals and nation-state attackers. This is a global network much like the open-source software developer communities, where software can be developed very quickly and with greater capacity than closed, proprietary development."

Also, most of the malware strains used in these attacks are evading detection by anti-virus programs, he adds.

"In the past 12 months, over 300 million malware samples have been reported in circulation, many of which are modifications of existing variants, but many are unique," Tran says. "The sheer scale is overwhelming."


'Freak' Flaw Also Affects Windows


Microsoft is warning that all Windows operating systems are at risk from the vulnerability known as Freak, for "Factoring RSA-EXPORT Keys." The flaw exists in SSL, which is used to secure online communications, and could be abused by an attacker to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

A new Microsoft security advisory (KB3046015) warns that Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms, is at risk from the Freak flaw.


"Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows," the alert says. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

As yet, there's no patch available for vulnerable Windows systems, although information security experts say they expect Microsoft to release related fixes quickly. In the interim, Microsoft has detailed a temporary workaround that can be used for most Windows systems. "You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor," it says. But it warns: "Windows will fail to connect to systems that do not support any of the ciphers listed in the workaround."

To date, however, there's no fix or workaround available for Windows Server 2003. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft says.

Risks to Apple, Android, Cloud

After quietly warning security vendors, government agencies and other organizations in recent weeks, security researchers first sounded a public alert about the Freak vulnerability on March 3. They've warned that the vulnerability exists in versions of OpenSSL prior to 1.0.1k, all Android devices that ship with the standard browser, as well as in Apple SSL/TLS clients, which are used by both Mac OS X clients and iOS mobile devices, among other operating systems. The vulnerability has been designated as CVE-2015-0204.

The Freak flaw could be exploited to downgrade a browser or other client's Internet connection from a relatively secure cipher, to an outdated - and weak - "export cipher," which attackers could then crack, allowing them to intercept communications or inject attack code into browsers. "What Freak allows you to do is, if you can break the RSA export-strength key, then you can provide a 'valid' certificate for a man-in-the-middle attack," says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. Tenable, which sells the widely used Nessus vulnerability scanner, has released a Nessus plug-in that will scan for Windows clients and servers that are vulnerable to Freak.

No Attacks Seen

But to date, there have been no signs that the Freak flaw has ever been exploited in the wild - against Windows servers and systems, or any other device. "The reality is, it's still really difficult to do - to break a key, it would still take a few hours or $100 of Amazon EC2 time," Millard says, referring to Amazon's Elastic Compute Cloud, which offers on-demand processing power. "There are so many other ways to break into a site. Hackers are smart; they don't use a sledgehammer to crack a walnut."

Still, related vulnerabilities remain widespread. The Freak Attack website, which is run by researchers at the University of Michigan, has been tracking the extent of the Freak vulnerability. The site reports that as of March 6, 9.5 percent of the websites on the Alexa index of the 1 million most popular top-level domains remained vulnerable to Freak, although that was a decrease from 12.2 percent of all such sites when the Freak vulnerability was first publicized on March 3. But 37 percent of all HTTPS servers with browser-trusted certificates remained vulnerable to Freak, as did 26 percent of all HTTPS servers, and neither of those statistics had declined since Freak was first publicized, the researchers say.

As of March 6, the Freak Attack website reported that the following client software remained vulnerable to the Freak flaw:

  • Internet Explorer
  • Chrome on Mac OS (patch available now)
  • Chrome on Android
  • Safari on Mac OS (patch due week of March 9)
  • Safari on iOS (patch due week of March 9)
  • Stock Android Browser
  • BlackBerry Browser
  • Opera on Mac OS
  • Opera on Linux

Cloud security firm Skyhigh Networks reported that as of March 4, 766 cloud providers also remained unpatched against the vulnerability, thus leaving their users at risk. "These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services," Sekhar Sarukkai, vice president of engineering at Skyhigh, says in a March 5 blog post. Across the company's 350 customers, meanwhile, he reports that 99 percent use at least one cloud provider that's vulnerable to the Freak flaw, while the average company uses 122 vulnerable services.

Don't Freak: How to Mitigate

The Freak Attack site says that to mitigate the vulnerability, anyone running a server "should immediately disable support for TLS export cipher suites," and that anyone who uses a browser should ensure that they have the latest version installed, and keep checking for new upgrades, since all major browsers should soon see a fix.

Finally, Freak Attack recommends that all systems administrators and developers ensure that their TLS libraries are fully updated. "Both OpenSSL and Microsoft Schannel are known to be vulnerable," it says. "Note that these libraries are used internally by many other programs." The site offers a number of tools that can be used to test for related flaws.
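The mitigation above has two halves: make sure your own servers and clients no longer negotiate export cipher suites, and be able to see when one is offered or chosen. The following is an added example, not code from the Freak Attack project, Microsoft or Tenable, that parses TLS ClientHello and ServerHello records (as a sensor might capture them) and flags the RSA/DH export suites by their registry IDs, and that asks the local OpenSSL-backed `ssl` module which export ciphers it would still negotiate. The handshake records are constructed samples with zeroed randoms, not real captures.

```python
"""Added example (not the Freak Attack site's, Microsoft's or Tenable's code):
spot export-grade suites in captured TLS handshake bytes and in the local TLS
library. The records built at the bottom are constructed samples."""
import ssl
import struct

# Cipher suite IDs of the RSA/DH export suites from the TLS registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte TLS record header and the 4-byte handshake header."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != expected_type:
        raise ValueError("unexpected handshake message type %#x" % hs[0])
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[4:4 + hs_len]


def server_chosen_suite(record: bytes) -> dict:
    """Parse a ServerHello and report whether the chosen suite is export-grade."""
    body = _handshake_body(record, SERVER_HELLO)
    sid_len = body[34]  # version(2) + random(32) precede the session id length
    off = 35 + sid_len
    suite = struct.unpack("!H", body[off:off + 2])[0]
    return {"cipher_suite": suite,
            "export_grade": suite in EXPORT_SUITES,
            "name": EXPORT_SUITES.get(suite)}


def client_offered_export_suites(record: bytes) -> list:
    """Parse a ClientHello and list any export suites the client offered."""
    body = _handshake_body(record, CLIENT_HELLO)
    sid_len = body[34]
    off = 35 + sid_len
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    suites = body[off + 2:off + 2 + cs_len]
    ids = [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return [EXPORT_SUITES[s] for s in ids if s in EXPORT_SUITES]


def local_export_ciphers(ctx: ssl.SSLContext = None) -> list:
    """Names of export ciphers the local TLS library would still negotiate.
    OpenSSL names them EXP-...; on a current build the list is empty, and a
    non-empty list means the 'disable export suites' step is still due."""
    ctx = ctx or ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["name"].startswith("EXP")]


# ---- constructed sample records (zeroed randoms, empty session id) ----
def _record(hs_type: int, hello: bytes, version: int = 0x0303) -> bytes:
    hs = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs


def build_server_hello(suite: int) -> bytes:
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
             + struct.pack("!H", suite) + b"\x00")
    return _record(SERVER_HELLO, hello)


def build_client_hello(suites: list) -> bytes:
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    return _record(CLIENT_HELLO, hello)


if __name__ == "__main__":
    print(server_chosen_suite(build_server_hello(0x0003)))
    print(client_offered_export_suites(build_client_hello([0x002F, 0x0003, 0x0014])))
    print(local_export_ciphers())
```

On the server side the same intent is expressed in the cipher string: with OpenSSL-based servers, appending `!EXPORT` to the configured cipher list removes every suite this script would flag, which is the "disable support for TLS export cipher suites" step the Freak Attack site recommends.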

This is not the first time that the Microsoft Schannel has been at risk from a newly discovered vulnerability. In particular, a zero-day vulnerability in Schannel was discovered in November 2014. Before that, Schannel was at risk from the so-called POODLE flaw - first publicly revealed Oct. 14 - in SSL, and which was later found in TLS. The flaw could be exploited to intercept and read encrypted Internet communications, steal session cookies and impersonate users.


Survey shows cyber crime on the rise


An estimated 40% of Irish internet users have received emails or phone calls trying to get access to their computer or personal details such as their banking information.

That is according to the latest Eurobarometer poll on the experience of cybercrime.

Nearly a third of Irish internet users have discovered malicious software on their device, but just over half of them have installed anti-virus software.

This compares with an EU average of 61% who have taken this precaution.

16% of Irish internet users - the third highest in the EU - say they have had experience of their social media or email account being hacked compared to an EU average of 12%.

Among the top concerns of Irish people are the misuse of personal data, security of online payments and online purchases.

While Irish people are more aware of cybercrime than the EU average, half of users do not take basic precautions such as changing their passwords every 12 months.

And while internet access in Ireland has never been higher at 80%, Ireland is behind Sweden (96%), the Netherlands (95%) and Denmark (94%).

Lowest access was in Romania (54%), Portugal (55%), and Greece (58%).


HK Khan's curator insight, February 18, 2015 2:38 AM

We give the latest news on hacking, updates on cyber crimes, computer technology news, reviews and full-version software, and drivers for laptops.

Why Fraud Is Shifting to Mobile Devices


As a result of the explosive growth in worldwide use of smart phones, mobile malware will play a much bigger role in fraud this year, predicts Daniel Cohen, who heads up the anti-fraud services group at security firm RSA, which just released its 2014 Cybercrime Roundup report.


Mobile devices will be the new focus for phishing attacks, taking the place of spam attacks that for more than a decade have been waged against PCs, Cohen, an expert on phishing trends, says in an interview with Information Security Media Group.

"Smart phone technology is the fastest adopted technology in the history of mankind," Cohen says. In 2014, 1.3 billion new smart phones were purchased by consumers throughout the world, while in 2015, forecasts suggest that another 2 billion of these devices will be shipped to consumers, he points out.

"The bad guys are looking at this ... and they understand that they have to be on those platforms and those systems," he says.

Security Challenges for Mobile

This shift to mobile fraud is posing challenges for security teams, because the methods used to protect end-users from attacks waged against PCs don't translate well for mobile, Cohen notes.

The mobile threat involves the use of what Cohen describes as "permission-ware." The end-user knowingly downloads mobile applications and gives those apps permission to run on his device, Cohen says. So when the app is malicious, the user determines the number of permissions that app will have once it's installed.

Cohen points to Svpeng, mobile ransomware identified by security firm Kaspersky Labs in summer 2014, as an example of the kind of threat that will become more common this year.

"Svpeng started out as a phishing attack on the mobile phone," Cohen says. "The app would wait for a legitimate app to launch, and once that app launched, the malicious app, Svpeng, would launch and then ask for more information. ... In 2015, we will see the mobile channel leveraged more and more in attacks like this."

In the interview, Cohen also discusses:

  • How the underground economy is evolving and fueling the rapid spread of malware and phishing attacks;
  • Why the U.S. continues to rank No. 1 for phishing attacks waged against banking brands; and
  • Why remote-access attacks waged against point-of-sale vendors are expected to increase this year.

At RSA, Cohen serves as the head of the anti-fraud services group, where he focuses on phishing attacks, malware and threat intelligence.


Sony Hack a 'National Security Matter'


The White House says that it's treating the malware attack against Sony Pictures Entertainment and subsequent data leaks as a "national security matter." But the administration says it's too early in its investigation into the attack to definitively attribute the attacks to any particular group or nation state.


"This is something that's being treated as a serious national security matter," White House Press Secretary Josh Earnest told reporters in a Dec. 18 briefing. "There is evidence to indicate that we have seen destructive activity with malicious intent that was initiated by a sophisticated actor. And it is being treated by those investigative agencies, both at the FBI and the Department of Justice, as seriously as you would expect."

The hacker attack against Sony has reportedly included data theft and, on Nov. 24, wiper malware being used to erase Sony data. That's been followed by ongoing data leaks and other threats against Sony Pictures Entertainment and its employees.

Earnest says the ongoing attack "has also been the subject of a number of daily meetings that have been convened here at the White House," led by homeland security adviser Lisa Monaco and cybersecurity coordinator Michael Daniel and including representatives from intelligence, diplomatic, military and law enforcement agencies.

A group that calls itself the Guardians of Peace has claimed credit for the attack against Sony Pictures, including the leaks of stolen data, which has included top Sony Pictures executives' Outlook e-mail spools. After "G.O.P." launched its attacks and began leaking data, however, the group then claimed it would stop the data leaks if Sony canceled its forthcoming comedy "The Interview," which centers on a tabloid TV reporting team that gets approached by the CIA to assassinate Kim Jong-un, who heads the Pyongyang-based communist dictatorship that rules North Korea.

After G.O.P. published a "terror" threat against movie theaters, U.S. theater chains announced that they would not show the film. Subsequently, Sony announced that it would shelve "The Interview" indefinitely, which has sparked a further backlash against the already beleaguered movie and television studio.

Investigation Still 'Progressing'

In response to questions about whether North Korea launched or sponsored the Sony attack, Earnest said that while the investigation is "progressing," he was not yet able to comment on that question, Reuters reports. But he said that the administration "would be mindful of the fact that we need a proportional response," and cautioned that the people behind these types of malicious attacks were "often seeking to provoke a response."

"They may believe that a response from us in one fashion or another would be advantageous to them," Earnest said, for example, by focusing international attention on their agenda, or increasing their standing with peers.

Ken Westin, a security analyst at information security vendor Tripwire, says it is premature to attribute the Sony hack to any specific group or nation. "FBI notices have been sent out stating specifically no connection has been made and that the investigation is still under way," he says.


While the White House and FBI say it's too soon to blame the hack attack against Sony Pictures - which is a subsidiary of Japanese multinational conglomerate Sony - on any particular group or actor, other government officials have nevertheless been sharing their own theories with multiple media outlets. "We have found linkage to the North Korean government," a "U.S. government source" tells NBC News, which reports that the attack against Sony appeared to have been launched from outside North Korea. But no evidence was supplied that might confirm any supposed linkage to Pyongyang having participated in or ordered up the attacks.

Information security experts, meanwhile, have warned against reading too much into any supposed "linkage" between the Sony hack and North Korea, or the fact that unnamed government sources told the New York Times that North Korea was "centrally involved" in the attack against Sony, saying such suppositions have yet to be confirmed by the release of any supporting facts. In fact, security experts warn, the information being cited by unnamed government officials at times seems to contradict suggestions of Pyongyang involvement.

"People don't seem to be reading past the headline or first couple of paragraphs," says attrition.org CEO and security expert Brian Martin, a.k.a. Jericho, in a blog post, referring to the New York Times report. "What seems like a strong, definitive piece falls apart and begins to contradict itself entirely halfway through the article."

Intelligence Not 100% Reliable

Furthermore, what one unnamed intelligence source believes may not square with another intelligence source, warns Jeffrey Carr, CEO of threat-intelligence sharing firm Gaia International. He says the intelligence community "is rarely unified when it comes to intelligence analysis; especially cyber-intelligence."

Carr and other security experts have also warned that whoever is sharing supposed Sony-related intelligence may also have a political agenda. "Cybersecurity has become an increasingly political topic thanks to recent NSA revelations and increased defense spending being allocated to cyber defense - and offense - not to mention issues of pirating, net neutrality, privacy and related topics, all of which the Sony breach touches on," Tripwire's Westin says.

Despite the lack of solid evidence that proves North Korea is responsible for the Sony attack, some commentators have been referring to the hack against Sony in military terms. Former Congressman Newt Gingrich, for example, claims that "with the Sony collapse America has lost its first cyberwar."

But security experts have cautioned against jumping to conclusions. "I've said it for a week, and I must say it again," Martin of attrition.org says. "How about we wait for actual evidence. ... Remember, North Korea is the same country that threatened the U.S. with a nuclear missile earlier this year. They like to rattle their saber at everyone, but it doesn't mean they actually did anything."



Kyle Greene's curator insight, October 18, 2017 11:59 AM

Cyber Security is a growing concern among all companies in the Entertainment and Media industries. This article addresses the notion that the threat to companies' cyber security is so prominent that government agencies such as the White House and the FBI. I feel that this article is a reliable source because it is from a website hosted by Cyber Security workers, and authors who have first-hand experience in Cyber Security.


Top Security Threats Still Plaguing Enterprise Cloud Adoption - Redmondmag.com


As cloud computing moves beyond the early-adopter stage, security and privacy concerns and the inherent risk of moving assets off-site are not just fears -- they're real. Uncertainty about data security and privacy slowing the adoption of cloud computing existed before last year's revelations by Edward Snowden of covert government surveillance, but the scope accentuated skepticism, coinciding with the rise of cyber attacks from around the world.

"Edward Snowden's revelations were really a wake-up call for the industry about what the government can do with your data," says IDC analyst Al Hilwa. "And if the government can see your data, who else can? It's really not surprising that security concerns have slowed enterprise adoption."

Those fears notwithstanding, they're unlikely to put a major dent in projected adoption of public cloud services in the coming years. Gartner Inc., for example, predicts cloud computing will constitute the bulk of new IT spending by 2016, and that nearly half of large enterprises will have hybrid cloud deployments by 2017. However, the results of a recent survey by U.K.-based communications services provider BT Group of IT decision makers in large U.S. companies underscore a contradiction: 79 percent of respondents said they're adopting cloud storage and Web applications in their businesses, but they also report their confidence in the security of the cloud is at an all-time low.

Top Security Threats
The lack of confidence is with good cause. The Cloud Security Alliance (CSA) has identified what its researchers believe to be the top nine cloud security threats, dubbed "The Notorious Nine." Data breaches top that list. Also on the list are data loss, service traffic hijacking, insecure interfaces and APIs, denial-of-service attacks, malicious insiders, cloud services abuse, insufficient due diligence, and shared technology vulnerabilities. The alliance emphasized those risks at a three-day conference in September hosted jointly by the CSA and the International Association of Privacy Professionals (IAPP).

Not on that list, but another major risk, is the ease with which employees can and typically do bypass IT departments when using cloud services, says Jim Reavis, founder and CEO of the CSA. Today, anyone can use a credit card to spin up a virtual machine on Amazon or Microsoft Azure, set up a SharePoint instance via Office 365 or another third-party provider, or use free services such as Box, Dropbox, Google Drive or Microsoft OneDrive. Reavis points out that when people bypass IT to use these and other services, it undermines business-level security policies, processes, and best practices, leaving enterprises open to security breaches.

Another risk Reavis points to: the lack of knowledge by IT management of the scope of cloud usage in an organization. At the CSA Congress 2014, the group published the results of a survey of U.S. companies, many of which drastically underestimated the number of cloud-based apps running in their organizations. The report concludes, "Cloud application discovery tools and analytical tools on cloud app policy use and restrictions are crucial in the workplace, especially when it comes to sensitive data being used by these cloud applications. With sensitive data being uploaded and shared by these apps with authorized and unauthorized users, policy enforcement becomes a major role in protecting your data."

The report estimated that, with more than 8 billion Internet-connected devices, a growing number of businesses may own data but no longer own their infrastructure. "A few years from now, that 8 billion will become a quarter trillion," Reavis says. "If we lose ground on privacy and security today, we'll have a very hard time getting it back. That creates a mandate to embrace the tools and technologies that are emerging to manage and protect these resources."

The proliferation of all those devices and the bring-your-own-device corporate culture has resulted in an enterprise that's more difficult than ever to protect -- cloud or no cloud, says C.J. Radford, VP of Cloud at data security company Vormetric Inc.

"The perimeter has failed or is failing, given that data is now everywhere," Radford says. "If you're only focused on your perimeter, you're going to have a very hard time protecting your data. But that's where the enterprise has traditionally spent its money over the past 10 or 15 years -- essentially, on building a bigger moat. The problem is, you can't build a moat around, well, everything."

Controlling Access
In an increasingly cloud-centric, perimeter-less world, enterprises must concentrate their security efforts on protecting the data itself, Radford says. His company partners with leading cloud vendors, including Amazon Web Services Inc., Rackspace, IBM Corp., and Microsoft, to provide data-at-rest encryption, integrated key management, privileged user access control, and security intelligence logging. Among other things, the Vormetric Key Management Key Agent software works with Microsoft SQL Server Transparent Data Encryption (SQL Server TDE) to help manage SQL encryption.

"Today, it's all about controlling data access," he says. "If you read any of the major breach reports, one of the ways the bad guys are getting access to data is compromising privileged username and password credentials. They're doing it through social engineering, phishing and that sort of thing."

Not surprisingly, Radford is a strong advocate of data encryption, and he also recommends a bring-your-own-key (BYOK) approach. "You should never rely on the provider to manage your encryption keys," he says.

"BYOK means the provider can turn over your data in encrypted form, but it's useless without the key. The other thing it buys you is the ability to 'digitally shred' your data. We call that 'permanently securing your data.' That's why we always say, rule No. 1 in encryption is never lose your key."

Encryption support is even showing up above the infrastructure level. Azure, Outlook.com, Office 365 and OneDrive, for example, are now supported by Transport Layer Security (TLS), Microsoft announced last summer. The encryption support covers inbound and outbound e-mail, as well as Azure ExpressRoute, which allows users to create private connections among Azure data.

Data encryption and data-centric solutions seem to be especially appealing to enterprises in the post-Snowden era, says Luther Martin, chief security architect for Voltage Security Inc.

Martin believes the primary cloud security concern in the enterprise today is availability.

"If you look at the data, in terms of frequency, most of the cloud incidents so far have been about service outages," he says. "The outages have been relatively short, but they can be terrifying, and there's not much an enterprise can do about them."

He also notes, however, that encryption keys present their own challenge -- namely, keeping track of them. "Effective encryption key management is hard," he says, "and people often don't give it the consideration it deserves. I mean, if you lose a key, you've lost your data, too."




Via Michael Dyer

Devastating malware that hit Sony Pictures similar to other data wiping programs


A malware program with data wiping functionality that was recently used to attack Sony Pictures Entertainment bears technical similarities to destructive malware that affected organizations in South Korea and the Middle East in the past.

Security researchers from Kaspersky Lab, Symantec and Blue Coat Systems independently reported that Trojan Destover, the malicious program used in the Sony Pictures attack, relied on a legitimate commercial driver called EldoS RawDisk to overwrite data and master boot records.

That same driver was used by a piece of malware called Shamoon that is believed to have been used in August 2012 to render up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia.

A previously unknown hacktivist group called the Cutting Sword of Justice took credit for the attack on Saudi Aramco through a series of posts on Pastebin. The group said it targeted the company because it was the main financial source for Saudi Arabia’s Al Saud regime, which the group claimed supported oppressive government actions in countries like Syria, Bahrain, Yemen, Lebanon and Egypt.

The attack against Sony Pictures Entertainment was carried out by another previously unknown group called the Guardian of Peace (GOP), which claimed to have targeted the company because “Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years.”

The sharing of a third-party driver is not enough evidence to establish a direct link between the two malware programs, but it is possible that the Destover creators copied techniques from Shamoon, especially since the EldoS RawDisk driver is an unusual choice for implementing data wiping functionality.

Both Destover and Shamoon stored the EldoS RawDisk driver in their resource sections and both were compiled just days before being used in attacks, researchers from Kaspersky Lab said in a blog post.


Destover shares even more commonalities with another wiper malware program called DarkSeoul or Jokra that affected several banks and broadcasting organizations in South Korea in March 2013.

“The malware used in the Jokra attacks contained code that did not begin wiping the hard drive until a set time period expired,” researchers from Symantec said in a blog post. “Destover is also configured to perform a delayed wipe. Furthermore, media outlets in South Korea have reported that a number of similar file names were used in both attacks.”

The Jokra attacks were accompanied by website defacements that displayed a message from an obscure group of hackers called the Whois Team. “This is the beginning of our movement,” the message said. “User accounts and all data are in our hands.”

The GOP also left a message for Sony Pictures informing the company that it had obtained its internal data and both GOP’s and Whois Team’s messages were accompanied by images of skeletons, though this might be a mere coincidence.

“Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack,” the Kaspersky researchers said. “It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.”

A more direct connection was established by Symantec between Destover and a backdoor program known as Volgmer that allows attackers to retrieve system information, execute commands, upload files, and download files for execution.

“Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets,” the Symantec researchers said. “The shared C&C indicates that the same group may be behind both attacks.”

The apparent links between Destover and malware that was used to target South Korean organizations will likely fuel ongoing speculation that North Korea might be behind the attack against Sony Pictures Entertainment, supposedly as retaliation for an upcoming comedy film called “The Interview” in which two reporters are asked by the CIA to assassinate North Korean leader Kim Jong Un. North Korea reportedly denied its involvement in the attack.

These commonalities “do not prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover,” the Kaspersky researchers said. “But it should be noted that the reactionary events and the groups’ operational and toolset characteristics all carry marked similarities. And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities.”





Is Government Malware unstoppable? - Avira Blog


During the last couple of weeks we have received various requests about our standpoint and capabilities regarding the detection of spyware programs developed by governments. It looks like this has become the hot topic of the moment, also due to the recently discovered Regin malware.

What is Regin?

According to Virus Bulletin, we are looking at a multi-staged threat (like Stuxnet) that uses a modular approach (like Flame), a combination that makes it one of the most advanced threats ever detected. Research shows that Regin has been used in espionage campaigns for the last 6 years. This sophisticated backdoor Trojan affects Microsoft Windows NT, 2000, XP, Vista, and 7 and it is able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization.

Protection against government malware

In this context, we would like to remind our users that Avira is a founding member of IT Security made in Germany and we pride ourselves on providing our customers a guarantee of Quality and Reliability.

We thus committed ourselves, among other things, to:

  • Exclusively provide IT security solutions no other third party can access.
  • Offer products that do not cause the transmission of crypto keys, parts of keys or access recognition.
  • Eliminate vulnerabilities or avoidance methods for access control systems as fast as possible once detected.

Additionally, we would like to clarify our standpoint on malware developed by governments. Whenever we discover a new piece of malware, we add detection for it for all of our customers, regardless of the source of the malware. This is the case for the recently discovered Regin as well, since our Antivirus products already detect all known Regin samples.

We strongly believe that no malware is unstoppable, not even government malware. Users need to make sure that they are protecting all of their digital devices with the latest technology, keeping their operating system, 3rd party applications and of course their antivirus software up-to-date.



Via Paulo Félix

Defending Against 'Wiper' Malware

In the wake of the FBI issuing a warning that a U.S. business has been attacked using a dangerous form of "wiper" malware, security experts say businesses must protect themselves against attack code that aims to delete the content of every hard drive it touches.


Defensive measures organizations can take include segmenting important information to hardened networks, backing up data offsite in case systems get wiped, and investing in appropriate resources to detect breaches quickly (see: Speeding Up Breach Detection).

The FBI alert is reportedly tied to the Nov. 24 hack of Sony Pictures Entertainment, which locked employees out of their PCs, instead displaying a message that their system had been "Hacked By #GOP," referring to a group of attackers calling themselves Guardians of Peace (see Sony Hack: FBI Issues Malware Alert).
Malware Characteristics

The alert is notable because attackers rarely employ wiper malware that's designed to delete the content of drives. To date, wiper malware has only been seen in a handful of attacks, mostly in the Middle East or South Korea, Costin Raiu, who heads the information security research team at anti-virus vendor Kaspersky Lab, says in a blog post.

But many information security experts say they've never seen such an attack launched against a business in the United States. "This is somewhat of a watershed event," says Alex Cox, senior manager at information security research organization RSA FirstWatch. "Up until now, we have had very limited examples of large-scale data destruction."

That's because the majority of attack code is designed to steal data - and especially financial or intellectual property details - rather than destroy it. "Wiper-type malware is rare because the motive of modern virus writers is to infect machines silently and avoid detection for as long as possible to enable attackers to control the infected machine for longer and to steal [valuable] information," says Brian Honan, who heads Ireland's computer emergency response team. "Wiper malware, in contrast, is noisy [and] those infected will know straightaway."

Wiper malware attacks the master boot record and core file system operations, says David Kennedy, CEO of TrustedSec, an information security consulting service. "It makes it hard to recover from the malicious software, which could be disastrous for organizations," he says.

This form of malware also operates fairly swiftly, says Shirley Inscoe, an analyst at the consultancy Aite Group. "Once the malware gets into a system, it spreads and could be very difficult to detect and shut down in time to avoid major disruption."

As a result, many information security experts believe that the attack referenced by the FBI may not be the work of garden-variety cybercriminals. "Data deletion would typically be associated with hacktivism - deletion of backups - or strategic political or wartime goals, such as Stuxnet," Cox says. "Destroying access to a network doesn't really fit the cybercrime model - where criminals want to retain quiet access to continue their theft - or the APT model where nation-states want to retain access for espionage purposes. A dead network is a network that gives no data."

As the Sony Pictures attack demonstrates, wiper malware can also be used to disrupt an entire business. "When I think of such threats, it's Shamoon that comes to mind," says Sean Sullivan, security adviser at Finnish anti-virus firm F-Secure, referring to malware that was used in August 2012 to wipe an estimated 30,000 PCs at Saudi Aramco, Saudi Arabia's state-owned petroleum and natural gas producer. Security experts never identified exactly who launched Shamoon.

Wiper malware has typically been the domain of someone who wants to air a grievance, says John Hultquist, who heads the cyber-espionage practice at threat-intelligence firm iSight Partners. "Even though it has practical effects - for instance, halting oil production or shutting down operations - its greatest impact is perception - the message being sent," he says.
Defensive Measures

Organizations can take several steps to protect themselves against wiper malware, starting with using segmented networks, F-Secure's Sullivan says. "Isolate important intellectual property to hardened networks," he advises. "Access those networks 'remotely' - [using] some kind of remote desktop software." That adds a security layer that makes it more difficult for attackers' malware to access - or wipe - PCs connected to that network.

Backing up data is also essential, in case systems get wiped and must be reinstalled, and such backups must be disconnected from the network, lest they get deleted by the same wiper malware. "Continual, offsite data backups are critical for any organization," says Michael Sutton, vice president of security research at cloud security firm Zscaler. "Backups can be a challenge with a mobile workforce when devices rarely return to the corporate office, but Internet-based backup solutions provide a means of remote backup so long as an Internet connection is available."

In addition, organizations that received the FBI alert can use the file structure for the malicious software, which was provided, to help detect a malware intrusion, Kennedy at TrustedSec says. "However, note that these [file structures] could change when deployed in other systems," he says. "The best approach is still having multiple layers of defense in order to prevent an attack from occurring in the first place."

The attack against Sony also illustrates the critical importance of having business continuity and disaster recovery plans, says Rick Holland, principal security analyst at Forrester Research. "InfoSec teams need to be highly engaged with the groups that put these plans together," he says. Servers are obviously included in such plans, but they also need to extend to workstations and desktops that are critical to business operations, Holland adds.

"Events like this could lead organizations to research virtual desktop deployments, which make recovering from these types of attacks much easier," he says.

Investing appropriate resources into quickly detecting breaches is also essential. "The unfortunate reality of today's threat landscape is that enterprises will be breached," Sutton says. "When that occurs, it is essential that the breach is quickly identified and isolated as to limit the overall damage."

LastPass Sounds Breach Alert


Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will be phishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common password reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."
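The two points above, the salted and iterated authentication hash that makes cracking slow and the password reminder that must not give the master password away, can be illustrated in code. The following is an added Python example written for this page, not LastPass's scheme or code; the PBKDF2 iteration count, salt length and the minimum fragment length are assumed values.

```python
import hashlib
import hmac
import os
import re

# Assumed parameters for this illustration; they are not LastPass's settings.
PBKDF2_ITERATIONS = 600_000   # slow on purpose: every guess costs the attacker this many HMACs
SALT_BYTES = 16
HASH_BYTES = 32
MIN_FRAGMENT = 4              # password "words" this long or longer must not appear in a reminder


def new_user_salt() -> bytes:
    """Random per-user salt: equal master passwords give different stored hashes,
    so a table precomputed against one user's hash is useless against another's."""
    return os.urandom(SALT_BYTES)


def authentication_hash(master_password: str, salt: bytes,
                        iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Server-side authentication hash: PBKDF2-HMAC-SHA256 over the master password.
    The password itself is never stored; only salt and this hash are."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=HASH_BYTES)


def verify_master_password(candidate: str, salt: bytes, stored_hash: bytes,
                           iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    return hmac.compare_digest(authentication_hash(candidate, salt, iterations),
                               stored_hash)


def reminder_leaks_password(reminder: str, master_password: str,
                            min_fragment: int = MIN_FRAGMENT) -> bool:
    """True when the reminder contains the whole master password or any word of it
    (min_fragment characters or longer), compared case-insensitively.
    A reminder such as 'My dog's name' passes this check yet may still be guessable
    from public profiles, so the check is necessary, not sufficient."""
    r = reminder.casefold()
    p = master_password.casefold()
    if p in r:
        return True
    for word in re.findall(r"[^\W_]+", p):   # alphanumeric runs of the password
        if len(word) >= min_fragment and word in r:
            return True
    return False


def register_user(master_password: str, reminder: str) -> dict:
    """Enrolment: refuse a leaky reminder, otherwise store salt, hash and reminder only."""
    if reminder_leaks_password(reminder, master_password):
        raise ValueError("password reminder contains the master password or part of it")
    salt = new_user_salt()
    return {"salt": salt,
            "auth_hash": authentication_hash(master_password, salt),
            "reminder": reminder}


if __name__ == "__main__":
    # Constructed demo values; the password is the one quoted in the article.
    pw = "correct horse battery staple"
    record = register_user(pw, "the four-word one")
    assert verify_master_password(pw, record["salt"], record["auth_hash"])
    assert not verify_master_password("wrong password", record["salt"], record["auth_hash"])
    for bad in ("My password is correct horse battery staple", "the Battery one"):
        assert reminder_leaks_password(bad, pw)
    print("ok")
```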

Password Vaults: Pros and Cons

The LastPass breach raises the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.


New Rombertik malware destroys master boot record if analysis function detected


While malware that scans for detection tools is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post.


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the Rombertik sample unpacked by Cisco more than 97 percent of the packed file is dedicated to useless content, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system, it's unlikely to evade them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix

Windows PCs remained vulnerable to Stuxnet-like attacks despite 2010 patch


If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.

The original attack, which exploited a vulnerability in how Windows displayed icons for shortcut (LNK) files, was used to spread Stuxnet, a computer worm that sabotaged uranium enrichment centrifuges at Iran’s nuclear facility in Natanz.

Stuxnet, which is believed to have been created by the U.S. and Israel, was discovered in June 2010 after it spread beyond its intended target and ended up infecting tens of thousands of computers around the world. The LNK vulnerability, tracked as CVE-2010-2568, was one of several zero-day, or previously unknown, flaws that Stuxnet exploited. Microsoft patched the flaw in August that same year as part of a security bulletin called MS10-046.

“To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010,” the HP researchers said in a blog post Tuesday. “Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links.”

“The patch failed,” they said. “And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”

ZDI reported the LNK patch bypass found by Heerklotz to Microsoft, which treated it as a new vulnerability (CVE-2015-0096) and fixed it Tuesday as part of MS15-020. The ZDI researchers plan to examine the new update to see if there are any other possible bypasses.

However, applying the workaround published by Microsoft in 2010, which involves using the registry editor to manually disable the display of icons for shortcut files, will protect against the latest flaw too, they said.

While the LNK attack was first discovered as part of Stuxnet, security researchers from Kaspersky Lab recently found that another computer worm, called Fanny, had used it since 2008. Fanny is part of a malware arsenal used by a highly sophisticated cyberespionage group that Kaspersky has dubbed Equation.

As revealed by a Kaspersky Lab report in August 2014, exploitation of the original CVE-2010-2568 vulnerability remained widespread even after the Microsoft patch in 2010, primarily because the exploit was integrated in more common threats like the Sality worm. From July 2010 to May 2014, Kaspersky Lab detected over 50 million instances of the CVE-2010-2568 exploit on more than 19 million computers worldwide.



How to protect your wireless router from malware


O D worries that other people, including criminals, can see his IP address. “What can happen if they come into my router?”

As I pointed out last year, your router’s IP address is anything but a secret. Every website you visit gets a look at that number. And from that IP address, they can discover your ISP and your general location (your neighborhood, but not your address).

But can they infect your router with malware? It’s not likely, but the danger is significant enough to take precautions.

[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to answer@pcworld.com.]

Last year, researchers discovered a worm, which they called TheMoon, that infected several Linksys routers. Linksys soon issued a fix to stop it. This wasn’t the first such attack, and it will almost certainly not be the last.

Note that TheMoon infected only Linksys routers. I’m not picking on Linksys; the next attack could be on D-Link or Netgear routers. That’s the nature of this kind of malware—it’s manufacturer-specific. So chances are that a worm that tries to attack your router won’t be compatible with it—and for once, you can be thankful for incompatibility.

What follows are the basic precautions everyone should take. For more details, read this helpful router security piece by Michael Brown and Jon L. Jacobi.

  1. Update your router firmware. Check the manufacturer’s website regularly to see if there’s a new version.
  2. Go into your router’s setup page and make sure that remote administration is turned off. (If the IP address is 0.0.0.0, it’s off.)
  3. Change the name of your wireless network. There’s no need to advertise the make of your router.
  4. Change the router’s password. I’m not talking about the Wi-Fi password, but the one that gets you into the router’s setup. And make it a strong password.

Finally, if you’re really worried, hide your IP address by using either an anonymity browser like Tor, or a virtual private network (VPN) like CyberGhost.




DDoS-attack takes Dutch government sites offline for 10 hours


A sophisticated distributed denial-of-service (DDoS) attack blocked Dutch government and privately run commercial sites from the public for more than 10 hours Tuesday.

The Ministry of General Affairs, the National Cyber Security Center (NCSC), website hosting company Prolocation and services provider Centric are working to determine the specific methods used in the attack and who was behind it.

The attack, which started at 9:45 a.m. local time, was difficult to deflect because the attack patterns changed regularly, said Prolocation’s director, Raymond Dijkxhoorn. The attack was different from the usual DDoS attempts that happen on an almost daily basis and are easier to defend against, he said.

“It is the first time that we couldn’t deal with it,” Dijkxhoorn said.

The attack targeted the sites of the federal government directly, but also caused other sites that were hosted on the same network to go down, Dijkxhoorn said. Blog site Geenstijl.nl and telecom provider Telfort’s site were among those blocked in the attack.

A few of the sites on the network used DDoS-deflecting services from providers like Cloudflare, Dijkxhoorn noted. But unless all clients on a network are able to ward off a DDoS attack, there is a risk for other sites on that network, he said.

Geenstijl, for instance, uses Cloudflare, which will usually allow traffic to reach the site’s server when a DDoS attack targets the site. However, Geenstijl’s server can still become unreachable as a result of a DDoS attack aimed at other sites on the network that don’t have such protection, Dijkxhoorn said. The Dutch government did not use such external DDoS protection services, he said.

The DDoS attack consisted of a mix of methods used alternately, according to Dijkxhoorn. Though Prolocation has experience with DDoS attacks, this was the first time they encountered this strategy, he said. He declined to provide more details about the attacks, since he has agreed with the NCSC not to do so until the investigation is finished.

The NCSC and Centric both declined to comment on details of the attack, pending the investigation.

Prolocation, however, has discussed the incident with engineers at Prolexic and Akamai, who say they have seen similar methods used in DDoS attacks in other places around the world.

Sites hosted on the same IP block can go down as collateral damage when one site is the focus of the attack, confirmed Akamai’s manager for Belgium, the Netherlands and Luxembourg, Hans Nipshagen. If the government sites had used external DDoS filtering services, the network might have stayed up, he said.

While it was difficult to tell from the outside the exact methods used against the government sites, the DDoS attack seems to have been large-scale, employing a vast amount of traffic, Nipshagen said. Some big DDoS attacks use multiple vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed, swarming target sites, according to an Akamai report. These incidents have been fueled by the increased availability of attack toolkits with easy-to-use interfaces as well as a growing DDoS-for-hire criminal industry, Akamai said.



The 5 Most Dangerous Software Bugs of 2014 | WIRED


Dealing with the discovery of new software flaws, even those that leave users open to serious security exploits, has long been a part of everyday life online. But few years have seen quite so many bugs, or ones quite so massive. Throughout 2014, one Mothra-sized megabug after another sent systems administrators and users scrambling to remediate security crises that affected millions of machines.

Several of the bugs that shook the Internet this year blindsided the security community in part because they weren’t found in new software, the usual place to find hackable flaws. Instead, they were often in code that’s years or even decades old. In several cases the phenomenon was a kind of perverse tragedy of the commons: major vulnerabilities in software used for so long by so many people that it was assumed it had long ago been audited for vulnerabilities.

“The sentiment was that if something is so widely deployed by companies that have huge security budgets, it must have been checked a million times before,” says Karsten Nohl, a Berlin-based security researcher with SR Labs who has repeatedly found critical bugs in major software. “Everyone was relying on someone else to do the testing.”

Each of those major bug finds in commonly used tools, he says, inspired more hackers to start combing through legacy code for more long-dormant flaws. And in many cases, the results were chilling. Here’s a look at the biggest hacker exploits that spread through the research community and the world’s networks in 2014.

Heartbleed

When encryption software fails, the worst that usually happens is that some communications are left vulnerable. What makes the hacker exploit known as Heartbleed so dangerous is that it goes further. When Heartbleed was first exposed in April, it allowed a hacker to attack any of the two-thirds of Web servers that used the open source software OpenSSL and not merely strip its encryption, but force it to cough up random data from its memory. That could allow the direct theft of passwords, private cryptographic keys, and other sensitive user data. Even after systems administrators implemented the patch created by Google engineer Neel Mehta and the security firm Codenomicon—who together discovered the flaw—users couldn’t be sure that their passwords hadn’t been stolen. As a result, Heartbleed also required one of the biggest mass password resets of all time.

Even today, many vulnerable OpenSSL devices still haven’t been patched: An analysis by John Matherly, the creator of the scanning tool Shodan, found that 300,000 machines remain unpatched. Many of them are likely so-called “embedded devices” like webcams, printers, storage servers, routers and firewalls.

Shellshock

The flaw in OpenSSL that made Heartbleed possible existed for more than two years. But the bug in Unix’s “bash” feature may win the prize for the oldest megabug to plague the world’s computers: It went undiscovered, at least in public, for 25 years. Any Linux or Mac server that included that shell tool could be tricked into obeying commands sent after a certain series of characters in an HTTP request. The result, within hours of the bug being revealed by the US Computer Emergency Readiness Team in September, was that thousands of machines were infected with malware that made them part of botnets used for denial of service attacks. And if that weren’t enough of a security debacle, US CERT’s initial patch was quickly found to have a bug itself that allowed it to be circumvented. Security researcher Robert David Graham, who first scanned the Internet to find vulnerable Shellshock devices, called it “slightly worse than Heartbleed.”

POODLE

Six months after Heartbleed hit encrypted servers around the world, another encryption bug found by a team of Google researchers struck at the other side of those protected connections: the PCs and phones that connect to those servers. The bug in SSL version 3 allowed an attacker to hijack a user’s session, intercepting all the data that traveled between their computer and a supposedly encrypted online service. Unlike Heartbleed, a hacker exploiting POODLE would have to be on the same network as his or her victim; the vulnerability mostly threatened users of open Wi-Fi networks—Starbucks customers, not systems administrators.

Gotofail

Heartbleed and Shellshock shook the security community so deeply that it may have almost forgotten the first mega-bug of 2014, one that affected exclusively Apple users. In February, Apple revealed that users were vulnerable to having their encrypted Internet traffic intercepted by anyone on their local network. The flaw, known as Gotofail, was caused by a single misplaced “goto” command in the code that governs how OS X and iOS implement SSL and TLS encryption. Compounding the problem, Apple released a patch for iOS without having one ready for OS X, in essence publicizing the bug while leaving its desktop users vulnerable. That dubious decision even prompted a profanity-laden blog post from one of Apple’s own former security engineers. “Did you seriously just use one of your platforms to drop an SSL [vulnerability] on your other platform? As I sit here on my Mac I’m vulnerable to this and there’s nothing I can do,” wrote Kristin Paget. “WHAT THE EVER LOVING F**K, APPLE??!?!!”
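The duplicated “goto fail;” described above can be illustrated with a small constructed example, added here and not Apple's code or part of the article: a toy checksum stands in for SHA-1, a signature is “valid” when it equals the digest, and every step returns 0 on success, the convention the real verifier relied on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the hash and signature steps (constructed for this example).
 * Each returns 0 on success and non-zero on error. */
typedef struct { uint32_t state; } hash_ctx;

static int hash_update(hash_ctx *ctx, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        ctx->state = ctx->state * 31u + data[i];
    return 0;
}

static int hash_final(hash_ctx *ctx, uint32_t *digest)
{
    *digest = ctx->state;
    return 0;
}

static int check_signature(uint32_t digest, uint32_t signature)
{
    return digest == signature ? 0 : -1;
}

/* Vulnerable shape. The second "goto fail;" is governed by no "if", so it always
 * runs: control jumps past hash_final and check_signature while err still holds
 * the 0 returned by the last hash_update, and any signature is reported valid. */
int verify_vulnerable(const uint8_t *randoms, size_t rlen,
                      const uint8_t *params, size_t plen, uint32_t signature)
{
    hash_ctx ctx = { 0 };
    uint32_t digest = 0;
    int err;

    if ((err = hash_update(&ctx, randoms, rlen)) != 0)
        goto fail;
        goto fail;   /* the misplaced line: unconditional, skips everything below */
    if ((err = hash_update(&ctx, params, plen)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    if ((err = check_signature(digest, signature)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed shape: one braced goto per check, so the signature comparison is always
 * reached and err carries its result. Braces turn a stray duplicated line into
 * something a reviewer or compiler warning catches instead of a silent bypass. */
int verify_fixed(const uint8_t *randoms, size_t rlen,
                 const uint8_t *params, size_t plen, uint32_t signature)
{
    hash_ctx ctx = { 0 };
    uint32_t digest = 0;
    int err;

    if ((err = hash_update(&ctx, randoms, rlen)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, params, plen)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }
    if ((err = check_signature(digest, signature)) != 0) { goto fail; }

fail:
    return err;
}

/* The signature a legitimate signer would produce for these inputs. */
uint32_t sign_toy(const uint8_t *randoms, size_t rlen,
                  const uint8_t *params, size_t plen)
{
    hash_ctx ctx = { 0 };
    uint32_t digest = 0;
    hash_update(&ctx, randoms, rlen);
    hash_update(&ctx, params, plen);
    hash_final(&ctx, &digest);
    return digest;
}

/* Constructed handshake inputs; the forged signature is the genuine one with one bit flipped. */
static const uint8_t RANDOMS[] = "client-random:server-random";
static const uint8_t PARAMS[]  = "signed-dh-params";

int vulnerable_accepts_forged(void)   /* 1 means the bug is present */
{
    uint32_t forged = sign_toy(RANDOMS, sizeof RANDOMS - 1, PARAMS, sizeof PARAMS - 1) ^ 1u;
    return verify_vulnerable(RANDOMS, sizeof RANDOMS - 1, PARAMS, sizeof PARAMS - 1, forged) == 0;
}

int fixed_rejects_forged(void)
{
    uint32_t forged = sign_toy(RANDOMS, sizeof RANDOMS - 1, PARAMS, sizeof PARAMS - 1) ^ 1u;
    return verify_fixed(RANDOMS, sizeof RANDOMS - 1, PARAMS, sizeof PARAMS - 1, forged) != 0;
}

int fixed_accepts_genuine(void)
{
    uint32_t genuine = sign_toy(RANDOMS, sizeof RANDOMS - 1, PARAMS, sizeof PARAMS - 1);
    return verify_fixed(RANDOMS, sizeof RANDOMS - 1, PARAMS, sizeof PARAMS - 1, genuine) == 0;
}

int main(void)
{
    printf("vulnerable verifier accepts forged signature: %s\n", vulnerable_accepts_forged() ? "yes" : "no");
    printf("fixed verifier rejects forged signature:      %s\n", fixed_rejects_forged() ? "yes" : "no");
    printf("fixed verifier accepts genuine signature:     %s\n", fixed_accepts_genuine() ? "yes" : "no");
    return 0;
}
```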

BadUSB

One of the most insidious hacks revealed in 2014 doesn’t exactly take advantage of any particular security flaw in a piece of software’s code—and that makes it practically impossible to patch. The attack, known as BadUSB, which researcher Karsten Nohl debuted at the Black Hat security conference in August, takes advantage of an inherent insecurity in USB devices. Because their firmware is rewritable, a hacker can create malware that invisibly infects the USB controller chip itself, rather than the Flash memory that’s typically scanned for viruses. A thumb drive, for instance, could contain undetectable malware that corrupts the files on it or causes it to impersonate a keyboard, secretly injecting commands on the user’s machine.

Only about half of USB chips are rewritable and thus vulnerable to BadUSB. But because USB device makers don’t reveal whose chips they use and often switch suppliers on a whim, it’s impossible for users to know which devices are susceptible to a BadUSB attack and which aren’t. The only real protection against the attack, according to Nohl, is to treat USB devices like “syringes,” never sharing them or plugging them into an untrusted machine.

Nohl considered his attack so serious that he declined to publish the proof-of-concept code that demonstrated it. But just a month later, another group of researchers released their own reverse-engineered version of the attack in order to pressure chip makers to fix the problem. Though it’s tough to say whether anyone has made use of that code, that means millions of USB devices in pockets around the world can no longer be trusted.




TorrentLocker ransom rampage encrypts 285 million files and counting


Slovakian security wizards ESET have delved deep into the guts of the TorrentLocker ransom malware and pulled out some interesting details of its destructive life story starting with the number of files it has encrypted—a misery-inducing 285 million to date.

Although TorrentLocker is nowhere near the scale of the infamous CryptoLocker, and will likely never acquire the latter’s notoriety, that sort of file scrambling still adds up to 39,670 infected PCs by ESET’s calculation.

On the basis of the spam used to distribute the malware, victims have also been surprisingly concentrated on a small group of countries: the UK, Australia, Canada, Czech Republic, Italy, Ireland, France, Germany, The Netherlands, New Zealand, Spain and Turkey. That means the US was apparently not targeted for some reason although some Americans might have encountered the malware through other channels.

Of the nearly 40,000 victims detected by analyzing numbers inside its command and control, ESET found 570 that had paid the Bitcoin ransom, netting the criminals between $292,700 and $585,401 (£200,000 and up). With a conversion rate of 1.45 percent that’s actually a decent pay-off in line with other examples of ransom malware analysed in a similar way.

As a side note, earlier this year ESET estimated that the total value of Bitcoins entering a wallet suspected of receiving TorrentLocker’s scam proceeds was around $40 million although not all of this would have been from ransom malware. Exactly how much money it has made is therefore still not clear.

A couple of smaller points are worth pulling out. Versions of TorrentLocker appear to have been around a bit longer than previously realized, with the earliest examples turning up in anti-virus nets in February 2014, months before security company iSight Partners first publicised it.

Like Rumpelstiltskin, TorrentLocker also has its own private name that ESET reveals to be the rather prosaic ‘Racketeer’, presumably a translation of a Russian noun.

“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking Trojan malware,” said ESET’s Canadian-based researcher, Marc-Etienne M. Léveillé.

As reported elsewhere, the attackers had also fixed an AES encryption flaw that made it possible to work out the key used to scramble files, he said.

The easiest to overlook aspect of ESET’s research is that it reveals the lures used in TorrentLocker’s spam campaign. As with every other malware attack through this channel, people receive an attachment they are socially-engineered into opening. Some of the lures are quite devious and in some countries will definitely grab the attention of users—an alleged unpaid invoice, a speeding ticket, and package tracking—all localized to the country of the victim.




Sony Hack: Ties to Past 'Wiper' Attacks?


The "wiper" malware attack against Sony Pictures Entertainment has numerous commonalities with previous wiper attacks in Saudi Arabia and South Korea, anti-virus firm Kaspersky Lab reports.

While that's no smoking gun proving that the same group is behind all three attacks, "it is extraordinary that such unusual and focused acts of large-scale cyber destruction are being carried out with clearly recognizable similarities," says Kurt Baumgartner, a Kaspersky Lab principal researcher, in a blog post.


Previous high-profile wiper malware attacks - designed to erase data from PC and file-server hard drives and delete the master boot record, so the machines cannot boot - have included the use of "Shamoon" malware against Saudi Aramco, and "Dark Seoul" malware against South Korean banks and broadcasters. The attacks - respectively launched in 2012 and 2013 - each resulted in an estimated 30,000 hard drives being erased. The identity of the attackers has never been confirmed - although South Korea published evidence of North Korean ties to Dark Seoul. Security experts say insiders, hacktivists or a nation state could be responsible.

Baumgartner sees an extensive list of similarities between the Shamoon and Dark Seoul campaigns, and the Nov. 24 Destover - also known as Wipal - malware campaign against Sony. From a timing perspective, for example, Kaspersky Lab says attackers compiled both the Dark Seoul and Destover wiper executable files 48 hours or less before the wiper attacks commenced, while Shamoon was compiled five days before the payload was set to "detonate."

For Sony, that timeline offers new clues about just how badly the company had likely been breached. "It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack," Baumgartner says, because it would have been very difficult to steal so much data and infect numerous systems in less than 48 hours.

Technical Similarities

Technically speaking, Shamoon and Destover both used commercially available EldoS RawDisk drivers, which enable developers to create applications that can gain direct access to Windows disks, thus allowing them to evade security restrictions or file locking, Baumgartner says. "The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself," he says. But the overwritten data wasn't just random zeros and ones. "Just like Shamoon, the DarkSeoul wiper event included vague, encoded pseudo-political messages used to overwrite disk data and the master boot record," he says.

By overwriting the master-boot record, or MBR, attackers could make it impossible to boot an infected Windows machine. But the good news, Baumgartner says, is that based on previous attacks, the attackers didn't forcibly wipe all data being stored on the disk, which ultimately made recovering whatever was being stored on the drive easier. "In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data," he says. "Destover data recovery is likely to be the same."

Shamoon, Dark Seoul and Destover were all hit-and-run attacks committed by groups about which nothing is known. "All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically charged event that was suggested as having been at the heart of the matter," Baumgartner says.

The graphic and warning used by the "Whois" team that claimed credit for Dark Seoul, and the "Guardians of Peace" - or G.O.P. - group that's claimed credit for hacking Sony, are aesthetically quite similar, including similar fonts, colors, warning language and love of skull graphics.

Not New: Sabotage, Ransomware

But the technical, timing and aesthetic similarities don't prove that the same group was behind all three attacks, and security experts say that whoever launched Destover may have just carefully studied Shamoon or Dark Seoul.

And sabotage attacks launched against individuals and businesses are nothing new. On an individual level, for example, "what we are seeing a lot of is so-called ransomware, which is effectively a monetized version of this type of [wiper malware] attack," Roel Schouwenberg, a security researcher at Kaspersky Lab, tells Information Security Media Group.

While security experts say large-scale wiper attacks are rare, cybercriminals do sometimes employ these tactics. In June, for example, criminals used a distributed-denial-of-service attack against source code hosting firm Code Spaces to obscure their simultaneous 12-hour hack attack in which they deleted most of the business's data, machine configurations as well as onsite and offsite backups, and then demanded a ransom. Instead, Code Spaces shuttered.

Leaked: PII For Actors, Directors

For Sony, the breach is embarrassing for executives and puts employees and freelancers at risk. The list of leaked data includes Social Security numbers for numerous current and former employees and freelancers, including actor Sylvester Stallone, Australian actress Rebel Wilson and director Judd Apatow, The Wall Street Journal reports.

"More than 600 files that contained Social Security numbers - these included Acrobat PDFs, Excel spreadsheets, and Word docs - with more than 47,000 unique SSNs were publicly available," says Todd Feinman, president and CEO of data loss and leak-prevention firm Identity Finder, in a blog post, referencing data that had been leaked by Dec. 3.

The leaked information is reportedly now circulating on BitTorrent sites, meaning that anyone can download the files and potentially use the data to commit identity theft. The risk of ID theft - for example to fraudulently open credit card accounts or take out mortgages in someone else's name - for 15,000 current and former employees is high, Feinman warns, because their full names, birthdates, and home addresses are also included in the leaked Sony data.

Sony has not responded to repeated requests for comment on the hack attack.




Destover: Destructive malware has links to attacks on South Korea


Backdoor.Destover, the destructive malware that was the subject of an FBI Flash Warning this week, shares several links to earlier attacks directed at targets in South Korea. Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets. The shared C&C indicates that the same group may be behind both attacks.  

Volgmer is a targeted piece of malware, likely used by a single group, which has been used in limited attacks, possibly as a first stage reconnaissance tool. It can be used to gather system information and download further files for execution. Significantly, the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers.

Destover also shares some techniques and component names with the Jokra attacks against South Korea in 2013. However, there is no hard evidence as yet to link the attacks, and a copycat operation can’t be ruled out. Links also exist to the Shamoon attacks, with both attackers using the same commercially available drivers. However, in this instance it appears highly unlikely that the same group was behind both attacks; instead it would appear that the Destover attacks copied techniques from Shamoon.

Destover in action
Destover is a particularly damaging form of malware that is capable of completely wiping an infected computer. It was the subject of an FBI Flash Warning earlier this week after at least one variant of it was understood to have been used in a high profile attack.

There are several malicious files associated with the FBI Destover report:

  • diskpartmg16.exe
  • net_ver.dat
  • igfxtrayex.exe
  • iissvr.exe

Diskpartmg16.exe is the first file that is created on an infected computer and, when executed, it creates the files net_ver.dat and igfxtrayex.exe.

When “diskpartmg16.exe” is run, it connects to a number of specific IP addresses within a set IP range, as well as computer names in the format “USSDIX[Machine Name]”. This indicates that this variant of Destover was not intended to be indiscriminate and the malware had instead been configured to only attack computers belonging to one particular organization.

The destructive payload of Destover is carried by igfxtrayex.exe. In certain instances, when run, it will:

  • Delete all files on fixed and remote drives
  • Modify the partition table
  • Install an additional module (iissvr.exe)
  • Connect to a number of IP addresses on ports 8080 and 8000.

Iissvr.exe, meanwhile, is a backdoor which listens on port 80. Once an attacker communicates with the compromised computer, this file displays a message, which reads:


“We’ve already warned you, and this is just a beginning.

We continue till our request be met.

We’ve obtained all your internal data including your secrets and top secrets.

If you don’t obey us, we’ll release data shown below to the world.

Determine what will you do till November the 24th, 11:00 PM(GMT).

Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address.

Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world.

And even if you just try to seek out who we are, all of your data will be released at once.”




Via Paulo Félix

New Survey Reveals Enterprises Are At Risk From The Internet Of Things

The Internet of Things (IoT) is challenging enterprises as IT teams struggle to secure the influx of newly connected devices.

Via Roger Smith, Paulo Félix
Roger Smith's curator insight, December 3, 2014 7:27 PM

When your fridge can spam the Internet, or an air conditioner can be used to bug a meeting room, IoT is going to cause many problems when it comes to security.

Level343's curator insight, December 5, 2014 3:35 PM

BUSINESS PRODUCTIVITY RULES OUT OVER SECURITY

Another key finding from Tripwire’s survey is that while 63 percent of C-level executives expect business efficiencies and productivity to force them to adopt IoT devices regardless of the security risks, only 27 percent of them are “very concerned” about the risks.