Who Is watching out for you?

In today's world you need to understand a few more things...

Who Is knocking on your virtual front door?

It could be someone down the block or from the Bloc

Attacks

Jérôme Segura

22 Mar 2016 - Until an attack is publicized and actually threatens bureaucrats, IT security remains an afterthought beyond budgetary consideration.

 

“Being Canadian I wanted to look into issues affecting Canadians, particularly the state of ransomware in Canada,” said Jérôme Segura, senior security researcher, Malwarebytes. “The website of Norfolk General Hospital in Simcoe, ON appeared to be compromised. I replayed the attack with a virtual machine. Ransomware encrypted all of my fields and asked for a $500 ransomware.”
[Securebuzz will not knowingly link to a compromised site.]

Joomla, the platform on which the site was running, is at version 3.8 right now, so the site, running version 2.5, was seriously out of date, with multiple vulnerabilities. Joomla is second only to WordPress in popularity among website platforms.

The injected code was obfuscated with strings that don’t make sense, to hide the intent. The code launched the Angler exploit kit, which probes your system for vulnerabilities. It exploits the machine and downloads the ransomware within a few seconds of browsing the site. If your machine is not up to date, it is infected.

“Two weeks ago I informed the hospital administration,” Segura said. “I even left a voice message for the president of the hospital. Apparently they receive a lot of calls from salespeople they ignore, but I wasn’t trying to sell them anything.”

On the same morning Segura spoke to Securebuzz he finally spoke with hospital officials, and learned the website is outsourced.

Instead of updating Joomla, the outsourcing firm restored a version of Joomla that was older than the compromised one. They’re now running version 2.52.28.

Criminals have scanners that look for website information. When you lock a website down you want to ensure you’re not revealing too much information about it. In this case the malware detected visitors’ IP addresses and launched the ransomware.

Google had already blocked the site. Yet the hosting company vehemently denied the claim of ransomware, because the hosting company IP addresses were prevented from seeing the ransomware... until Segura provided proof.

“I felt bad for the IT guy who was stuck in the middle and frustrated. I gave him names of a couple of companies that protect websites. Government entities are running sites that are outdated and putting patients, employees, and their families at risk. In theory employees could infect themselves from that site.”

It also matters if personal data is stored, although fortunately it appears there was none in this case. “Only” site visitors are at risk. There might be other malware running on the website server, although Segura couldn’t tell from the outside.

“We want to raise awareness, not point the finger at the negligence due to politics and budgets,” said Segura. “I find it almost criminal that a public hospital is running a website hosted on outdated software. The health industry has many examples, like when I go to a clinic and see they are using an unlocked Windows XP computer, with my personal information on there. The security is horrible. It’s just a matter of time.”

He’s experienced in this field, having worked in website cleanup, logging into servers and removing malware, for years.

“People think they’ve cleaned the site by removing the offending code,” he said. “They forget important things, like a lot of the time a backdoor remains, or there is still residual code that allows a hacker to reinject malicious code. That’s a problem with education. Don’t just fix the symptoms – look for how the breach happened in the first place. Check your access logs. Find out if they stole your passwords. A lot of people don’t even think about that.”


Stephan Chenette, AttackIQ

2 Mar 2016 - Doesn’t matter what or how many layers you have until you know for sure they’re protecting you.


Significant customer frustration, lack of confidence and skepticism over security products point to a need for a vendor to provide answers and test assumptions.

“Instead of promising another product to protect you, we offer a product that validates everything you have in place now, and in the future, and helps consolidate into a solid security program with only what is essential to help you manage,” said Stephan Chenette, CEO AttackIQ. “There are 75 security products. On average they ship through hundreds of thousands of alerts, of which fewer than 20% are actionable. There aren’t enough security people to manage all of the security products. There is a huge need to automate security testing.”

So Chenette founded a firm that offers continuous security testing, challenges the infrastructure and products, and helps measure risk, validate, and provide assurance. Founded in 2013, the firm came out of stealth mode only after working with hundreds of companies in various industries.

The platform allows organizations to run security unit tests to challenge every assumption about security posture. Chenette claims it’s the first purpose-built community platform that allows organizations to use their security knowledge for repeatable and consistent tests of their security programs on an ongoing basis.

“So many alerts are myths. In everyday data breaches, it’s not only the technology that fails, it’s the humans and their processes that fail also,” he said. “If we have security products you assume are working, you need to test that assumption. Most organizations, instead of validating that what they have works, add more products until security becomes unmanageable.”

Unified security testing that is powered by the AttackIQ research team and the security community includes a repository of curated security tests organizations can use to test their own programs, both on premise and in the cloud. They can safely attack and improve their defense in depth strategies.

Another goal of AttackIQ is to help every organization improve its security and spend money wisely, regardless of budget size. The correct way to buy technology is to decide what is at risk, and then build security around the valuable assets in the organization.

Testing is the missing component. You have to test what you’ve put in place, which allows you to become more resilient and secure. Finding the gaps and blind spots in your infrastructure lets you improve what works and to what degree.

“Most companies go from being skeptical to the belief that they’ve never had this before,” Chenette said. “With the FireDrill platform you can test your AV for example, in minutes. Hundreds of templates help you validate your security. Sign up for the platform, deploy agents, and begin validating your infrastructure.”

Scenarios range from validating firewall egress points to safely testing adversarial techniques inside an organization’s defense-in-depth strategy. The goal is to validate the security controls, while exposing gaps and blind spots so an organization can improve its security and continue to retest.

“What was true yesterday might not be true today,” said Chenette. “Networks change, configurations change, machines come in and out of networks. They must be tested continually.”

It’s designed so that in less than five minutes you can sign up, deploy test points, and validate the security controls in your organization.

You have access to reports, and direct outputs via a number of different mechanisms. An organization can use any data FireDrill has to integrate into its workflow.

Fully API-driven, it’s built to integrate well with other components of an organization… technology agnostic.

“It’s no longer about the promise of technology… we have to stop the guessing game and test our assumptions,” Chenette said. “Stop guessing and start knowing.”

Stu Sjouwerman

16 Feb 2016 - Education remains the best defense against phishing attacks.

 
For its most recent white paper, The Phishing Breakthrough Point, KnowBe4 had Lydia Kostopoulos, a professor at Khalifa University, run a six-month scientific study.

“We sent five people phishing emails to see if there was a breakthrough point at which people actually recognize a phish,” said KnowBe4 founder and CEO, Stu Sjouwerman. “You train them, and continue to phish them. The numbers are interesting— at first 15% of users are phish prone, and then it drops to 1-2%. This is independently verified.”

Exploited WordPress sites are used to disseminate malware. As a popular website platform, especially amongst non-technical users, WordPress is often not well defended. Both its popularity and often poor defense also make WordPress sites popular targets.

Sometimes visitors to WordPress sites are redirected to sites compromised with exploit kits, such as TeslaCrypt ransomware.

[Note: while we are against the death penalty at Securebuzz, our convictions waver when some criminal sullies the name of arguably the greatest scientific inventor of the 20th century.]

To further its mission of educating users about the prevalence of phishing, KnowBe4 released a tool administrators can grab and deploy in their environments.

It gives users a button on their Outlook ribbon. If they see a phishy message they click that button. It deletes the suspect email from their inbox, and sends it to the Incident Response (IR) team for examination. In small organizations that’s the IT guy.

Through this alert button, with which users can choose to send copies to KnowBe4, a new type of phish was discovered.

•    You get an email with an attachment.
•    There is no bad link.
•    The text is a social engineering attack to lure you into opening the attachment.
•    In the attachment is nothing malicious.
•    There’s a picture of an invoice, and a link you have to click to see the invoice.
•    The attachment is a second social engineering attack.
•    The link goes to a legitimate website, which has been compromised and also isn’t on any blacklist yet that any filter would catch.

“So this slips through every filter, because none of it is malicious,” said Sjouwerman. “No spam filter, no email, no proxy server will catch this. That’s what we get back from the phish alert button. You can’t catch it… the only thing you can do is train your users.”
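The message structure listed above (clean body, link only inside the attachment) can at least be surfaced when an IR team triages messages that users report. The following is an added example, not KnowBe4's tool or code from the study; the sample message, addresses and domain are constructed, and scanning raw attachment bytes for URLs is an assumption that holds only for uncompressed formats such as HTML.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(rb"https?://[^\s<>\"']+", re.I)

def urls_in(data):
    """Return the set of http(s) URLs found in a byte string."""
    return {u.decode("ascii", "replace").rstrip(".,;") for u in URL_RE.findall(data)}

def triage(raw):
    """Separate body URLs from attachment URLs in a reported message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_urls, attach_urls, names = set(), set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.is_attachment():
            names.append(part.get_filename() or "(unnamed)")
            attach_urls |= urls_in(payload)
        else:
            body_urls |= urls_in(payload)
    return {
        "attachments": names,
        "body_urls": sorted(body_urls),
        "attachment_only_urls": sorted(attach_urls - body_urls),
        # The structure described above: nothing to click in the body,
        # the only link sits inside the attachment.
        "link_only_in_attachment": bool(names) and not body_urls and bool(attach_urls),
    }

def build_sample():
    """Constructed sample: lure text in the body, invoice image plus link in the attachment."""
    m = EmailMessage()
    m["From"] = "billing@sender.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Invoice 1042 overdue"
    m.set_content("Your invoice is attached. Please review it today to avoid a late fee.")
    html = (b'<html><body><img src="cid:invoice.png">'
            b'<a href="http://compromised-site.example/view?id=1042">View invoice</a>'
            b"</body></html>")
    m.add_attachment(html, maintype="text", subtype="html", filename="invoice.html")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

The flag marks a structure worth a human look, not a verdict: the linked site is a legitimate one that has been compromised, so reputation checks on the extracted URL will come back clean.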

Dodi Glenn, PC Pitstop

20-January-2016 Support scammers are telephoning victims as well as advertising online.


9-September-2015 “There is no such thing as foolproof, because fools are endlessly inventive.” – author unknown and thanked.
