Saturday, 3 December 2016

NCSC joke of the day

I didn’t know whether to laugh or cry when I saw this from the NCSC: Great hosting you today @JKingEU! We’re committed to make the UK the safest place to live and do business online, we’re glad you’re with us — NCSC UK (@ncsc) December 2, 2016 Does the NCSC really believe this? And is […]

The post NCSC joke of the day appeared first on ITsecurity.

FriendFinder Networks data breach demonstrates the need for passwords to be eliminated from the security puzzle

The news that more than 412 million accounts and user credentials were exposed following the breach of FriendFinder Networks should serve as a reminder to both organisations and individuals about the weaknesses of passwords. Gideon Wilkins, VP of Sales and Marketing at Secure Cloudlink, believes that due to the high incentive for cyber-criminals to steal this information, passwords as a form of authentication should be eliminated completely from the security equation. 

According to LeakedSource, which acquired a copy of the leaked data set of the FriendFinder Networks breach, a million of the accounts have the password “123456” and more than 100,000 have the password “password”. Despite people being continuously urged to be more diligent when it comes to password management, the issue is still being ignored and, in turn, breaches continue to happen.

Wilkins commented: “This is the latest in a long line of breaches that demonstrates the risks and consequences of using passwords as a means of authentication. Complex passwords are inconvenient, meaning users often avoid them in the first place. As a result, the password usability problem has worsened in recent years, so in order to maintain the stringent control necessary over the data that flows through the organisation, IT leaders need to be adopting tools that address the major security issues at hand instead of continuing to operate under a system of increasing password adoption. What’s needed is a change in mind-set towards security and to completely revise the entire concept of the password.

“Aggravating the issue even further is the fact that passwords sell for good money, meaning criminals have plenty of incentive to steal or crack them. Complex and hard-to-guess passwords alone are not enough, as they still present risks: it’s easier and less expensive than ever for cyber criminals to crack passwords. Even a standard desktop PC can try billions of password combinations every second, and password lists and password-cracking software are widely available.

“In order to overcome the issues associated with passwords, organisations should look to other more secure pastures. It’s time to disrupt the traditional concept of passwords as a means of authentication. What’s needed is an approach that involves no passwords at all. By way of example, combining unhackable security tokens with the latest technologies means that no passwords are ever created, stored or transmitted,” concludes Wilkins.

The post FriendFinder Networks data breach demonstrates the need for passwords to be eliminated from the security puzzle appeared first on IT SECURITY GURU.

Christmas will be a data-sale extravaganza

Intel Security reveals over a third of Brits are planning to gift an internet-connected device this Christmas, despite UK consumers already owning an average of four connected devices*. Smartphones and tablets come top of the list, with 42% planning to upgrade their friends’ and family’s gadgets to the latest models.

Intel Security also found the top two most popular gifts this year are the two most easily and frequently hacked, and typically hold the highest level of valuable data: smartphones / tablets and laptops. Nearly two-thirds (60%) say they will gift these devices without first ensuring security software is installed.

Gifts Brits are purchasing this Christmas:

1) Smartphone / tablet
2) Laptops and PCs
3) Media players and streaming sticks
4) Smart TVs
5) Home devices such as Bluetooth speakers, connected thermostats, etc.

Intel Security’s most hackable gifts this Christmas**:

1) Laptops and PCs
  • Laptops and PCs make great gifts; however, malicious apps targeting PCs are unfortunately common, and are not limited to Windows-based devices.

2) Smartphones and tablets
  • 64% of consumers plan to purchase either a smartphone or tablet this Christmas. Just like PCs and laptops, malware could result in personal and financial information being stolen.

3) Media players and streaming sticks
  • Media players and streaming sticks have changed the way consumers enjoy movies and TV, but consumers can unknowingly invite a cybercriminal into their living room by failing to update their device.

4) Home automation devices
  • Today’s connected home devices and apps give users the power to control their homes from their smartphone. Unfortunately, hackers have demonstrated techniques that could be used to compromise Bluetooth-powered door locks and other home automation devices.

5) Drones
  • Drone sales are expected to grow to more than $20 billion by 2022. They can provide unique perspectives when it comes to shooting video and photos. However, not properly securing the device could allow hackers to disrupt the GPS signal, or hijack your drone through its smartphone app.

Out with the old, in with the new

Two-fifths (40%) of UK consumers plan to make a quick buck from their old devices by selling on to new users. However, almost half (45%) are unsure about how to wipe their old devices of personal information and only a third (34%) of second-hand gadget buyers think to reset the device to factory settings. This means there’s a high chance that personal data will be passed on to new owners, running the risk of it falling into the wrong hands.

Intel Security also found that over two-thirds (68%) of Brits believe it is very important for their online identity to be kept safe, yet more than half (52%) are unsure whether their devices are secure. 

“An underlying issue is that consumers simply don’t know which products need protecting. A fifth of those we surveyed said this was the reason for them leaving connected devices unprotected. All connected devices, whether old or new, need to be protected to ensure personal information is safe from prying eyes,” comments Nick Viney, VP Consumer, Intel Security.

Keeping kids safe

It’s not just over-18s at risk this Christmas; 15% of those surveyed said they were planning to buy connected devices for children this year. Despite devices such as tablets becoming a go-to toy and entertainment centre for children, only 13% of Brits recognise the importance of securing children’s connected devices.

Although financial data breaches, for example, are not such a threat for children, they are increasingly becoming exposed to the dark side of the internet, such as cyber bullying. In combination with a lack of awareness around the need for security in children’s tech, Intel Security found that 60% of children aged between 5 and 12 years old are left unsupervised the whole time they are using the Internet.

“Teaching children best practices for safe online behaviour right from the start will be invaluable to them as they grow up. The responsibility lies with parents, teachers and technology experts to ensure children understand how to protect themselves from the potential risks online. With more kids than ever before connected to the internet, greater education about responsible internet use and watertight security are vital to keeping children safe,” continued Nick Viney.

Tips for Consumers to Protect Holiday Cheer

To stay protected for a happier and safer holiday season, Intel Security has the following tips:

  • Secure your device. Your device is the key to controlling your home and your personal information. Make sure you have comprehensive security software installed, like McAfee LiveSafe™.
  • Only use secure Wi-Fi. Using your devices, such as your smart home applications, on public Wi-Fi could leave you and your home open to risk.
  • Keep software up to date. Apply patches as they are released by the manufacturer. Install manufacturer updates right away to ensure that your device is protected from the latest known threats.
  • Use a strong password or PIN. If your device supports it, use multi-factor authentication (MFA), as it can include factors like a trusted device, your face, fingerprint, etc. to make your login more secure.
  • Check before you click. Be suspicious of links from people you do not know and always use internet security software to stay protected. Hover over the link to find the full URL of the link’s destination in the lower corner of your browser.

The post Christmas will be a data-sale extravaganza appeared first on IT SECURITY GURU.

Detection Gaps – An Inconvenient Truth

Corporate security teams face numerous challenges. They need to adapt to an increasing number of sophisticated attacks and at the same time, abide by strict business processes and controls. This can impede rapid adoption of new security solutions or changes to existing ones, with organisations cautious of updating these systems in order to minimise risk of blocking business applications or communications. As a result, existing security solutions are often not leveraged as they could be.

False negatives (an alert that should have fired but didn’t) can occur from time to time and occasionally be the precursor to a malicious intrusion or widespread infection. Companies that rely on signature-based security solutions should consider the risk they may be subjected to. In situations where new threats (or yet-to-be-discovered ones) are active in the wild without detection, any solution that relies mostly or solely on signatures may exacerbate the lack of detection.

When a new threat in the wild is discovered, security companies will protect their customers first, before publicly sharing analysis (usually via a blog post). This is especially the case with high profile Zero Days, malware campaigns and web site compromises.

Once the information is made public, security vendors that have not yet discovered the threat or lack detection capabilities will then typically respond by scrambling to update their own detection. Unfortunately this can take anywhere from hours to days, sometimes longer. This is one example of a temporary detection gap, which leaves companies exposed to threats. The duration of this gap can vary from one threat to another.

Through the use of encrypted delivery techniques and underground crypting services, malware payloads may initially go undetected. Companies might still have the ability to detect some of this obfuscated malware, but often don’t because advanced features like heuristic, behavioural and cloud analysis have been disabled.

The next line of defence might be network based detection if the malware is beaconing out to command and control infrastructure, but these can also be missed. If this happens, the malware can embed itself and not cause any security alerts for a sustained period.

This has been the case with many of the Point of Sale (POS) intrusions over the last few years, which have been caused by both out-of-date security infrastructure and false negative situations. The impact on business can be devastating. Although POS malware is typically not as widespread as commodity malware, it is designed for specific environments and can often hide in plain sight. As a result it often needs to be sought out manually, as opposed to waiting for alerts.


Figure 1 – Some recent POS intrusions

Commodity malware (also referred to as Crimeware) is the most common type of malware and includes threats like ransomware, banking trojans, downloaders and AdFraud bots. Typical delivery channels for these infections are phishing emails, malvertising campaigns and compromised websites. All of which are subject to false negative scenarios where detection is not available until it’s too late.


Figure 2 – Ransomware infection after being exploited by an exploit kit.

Unfortunately these detection gaps are set to continue unless organisations adopt an automated and integrated approach to threat intelligence. Professional cybercriminals’ ability to adapt to modern detection technologies and evade them is constantly evolving. They are continually changing hosting infrastructure, URL patterns, exploitation techniques and payloads at a high frequency, all in an effort to stay one step ahead of detections. Organisations need to stay abreast of threat indicators by monitoring the patterns, domains and delivery channels of bad actors, in order to avoid them and reduce the impact of detection gaps. Luckily, this is possible.

Diminishing Detection Gaps with Threat Intelligence

Armed with threat intelligence, security teams can pro-actively investigate and hunt for evidence of suspicious or malicious activity associated with the threats mentioned above and more, which current security solutions may be blind to.

Some examples of leveraging threat intelligence to mitigate the impact of detection gaps when they arise can include but are not limited to:

  • Tracing web based malware infections back to the source network or website
  • Generating custom intrusion detection signatures
  • Checking for evidence of TTPs within your environment
  • Looking for Lateral Movement activity
  • Checking for compromised email accounts belonging to your org or business partners
  • Blocking web and email access for phishing and typo-squat domains
  • Searching logs for malicious domains or URLs that are not being blocked
  • Consuming feeds for compromised websites and blocking or limiting access
  • Monitoring suspicious domain registrations and pre-emptively blocking

By utilising all the tools in a well-stocked arsenal, IT security teams will be in the best position to proactively detect and defend against malicious attacks, thus minimising the negative effects of a cyber breach.
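Two of the list items above (searching logs for malicious domains that are not being blocked, and spotting typo-squats of your own domain) can be scripted against a proxy log. The example below is added here and is not code from the article or from Anomali; the threat feed, the organisation domain and the log lines are all constructed sample data, and the log format is a hypothetical Squid-like one.

```python
"""Hunt a proxy log for allowed requests to threat-feed domains (a detection
gap: the indicator was known but nothing blocked it) and for typo-squats of
the organisation's own domain. All data below is constructed sample data."""
import re
from urllib.parse import urlsplit

# Constructed threat-intel feed, e.g. domains from a vendor's public write-up.
THREAT_FEED = {"bad-ads-cdn.example", "payload-drop.example", "kerberos-login.example"}
ORG_DOMAIN = "itsecurityguru.example"  # constructed stand-in for the org's real domain

# Constructed proxy log lines: timestamp, client IP, action, method, URL.
PROXY_LOG = """\
2016-12-02T09:14:03Z 10.1.4.22 ALLOW GET http://bad-ads-cdn.example/js/ad.js
2016-12-02T09:14:05Z 10.1.4.22 ALLOW GET http://payload-drop.example/x/win32.exe
2016-12-02T09:20:11Z 10.1.4.31 BLOCK GET http://payload-drop.example/x/win32.exe
2016-12-02T09:25:40Z 10.1.4.22 ALLOW POST https://itsecurltyguru.example/login
2016-12-02T09:26:02Z 10.1.4.40 ALLOW GET https://itsecurityguru.example/news
2016-12-02T09:30:15Z 10.1.4.22 ALLOW GET http://cdn.bad-ads-cdn.example/pixel.gif
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (ALLOW|BLOCK) (\S+) (\S+)$")

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, action, method, url = m.groups()
        host = urlsplit(url).hostname or ""
        yield {"ts": ts, "client": client, "action": action, "host": host, "url": url}

def in_feed(host, feed):
    """True if the host or any parent domain (cdn.bad.example -> bad.example) is in the feed."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels) - 1))

def edit_distance(a, b):
    """Levenshtein distance, used as a crude typo-squat similarity measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_typosquat(host, org_domain, max_distance=2):
    """Flag registrable domains within a couple of edits of the org's domain, but not the domain itself."""
    registrable = ".".join(host.split(".")[-2:])
    return registrable != org_domain and edit_distance(registrable, org_domain) <= max_distance

def find_gaps(log_text, feed=THREAT_FEED, org_domain=ORG_DOMAIN):
    """Return ALLOWed requests that threat intel says should have been blocked."""
    gaps = []
    for entry in parse_log(log_text):
        if entry["action"] != "ALLOW":
            continue  # already blocked, so no gap
        if in_feed(entry["host"], feed):
            entry["reason"] = "threat-feed match"
        elif is_typosquat(entry["host"], org_domain):
            entry["reason"] = "typo-squat of org domain"
        else:
            continue
        gaps.append(entry)
    return gaps

if __name__ == "__main__":
    for g in find_gaps(PROXY_LOG):
        print(g["ts"], g["client"], g["host"], "->", g["reason"])
```

Each returned entry is a lead for the hunting described above: the client that reached a known-bad host without being blocked is where to look for the follow-on activity.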

Josh Gomez, Senior Security Researcher at Anomali

The post Detection Gaps – An Inconvenient Truth appeared first on IT SECURITY GURU.

Evaluating AI-powered threat detection technologies

Unlike legacy signature-based detection systems, today’s generation of AI-powered security technologies is rarely suited to a plug-it-in-and-watch-it-light-up evaluation strategy.

They often include a mix of supervised and unsupervised machine learning, automated threat hunting, trained classifiers, and focus on reducing the number of erroneous and unactionable alerts. As a result, evaluating their detection efficacy requires carefully planned testing before making a buying decision.

For products focused on detecting network-borne threats, it is always wise to account for the learning period to baseline the network.

Most threats can be quickly detected and labeled using supervised learning and pretrained detection models (think in terms of n-dimensional signatures). But there are still many threats and classes of threats within the network – such as low and slow data exfiltration and lateral movement – that require an understanding of what normal traffic looks like before effective detections can be made.

When testing traditional signature-based detection systems, it was often enough to simply launch a bunch of common hacker tools or vulnerability scanners, or even just replay a series of packet captures (PCAPs), to generate multiple threat alerts on the system under test.

Some signature-based systems were at least smart enough to differentiate between a vulnerability probe and an exploit attempt. But in general, the name of the game was to generate as many alerts as possible – thereby confirming the breadth of detection coverage the product offered.

The reality of this kind of testing is that it doesn’t account for intelligent advances designed to reduce the noise of the systems and filter out all the meaningless and unactionable alerts.

Learning the network is a critical phase of today’s AI-powered threat detection systems. That learning period tends to vary with different classes of threats and the protocols that they depend upon.

For instance, learning and baselining email traffic in a corporate network – such as SMTP, IMAP or POP2 – may only take a few days, while learning the Kerberos authentication protocol traffic landscape and interrelationships between all the hosts on the network may take a week or more.

When it comes to evaluating new AI-powered network threat detection systems, the baselining period is a critical consideration, especially when measurements of detection efficacy and breadth of coverage are concerned.

For example, many organisations often consider using a penetration test (pen test) as the primary vehicle for a product’s evaluation.

While there is considerable breadth in what people believe a pen test should cover and the methodology that should be used, special attention must be given to the learning period of the devices being tested.

If a new device, such as the pen tester’s laptop, is added to the network and starts launching probes and attacks, few to no threat detection systems that rely on baselining and unsupervised machine learning will begin firing alerts.

In addition, if the newly introduced pen testing laptop stays on the network and continues to probe and attack for an extended period, those behaviours would likely be learned by the detection system as an acceptable baseline for the host and maybe even the network.

Scrutiny should be given to the scenarios that are important to evaluate when testing the latest generation of AI-based network threat detection systems.

For example, if a critical threat profile is an insider threat or recently compromised host, pen testing should be conducted from a device that has been on the network for several weeks and used by the type of employee you care most about.

This ensures that the baselining systems will accurately learn the normal traffic profile of a host. Remember that a host can be on the network for an extended period of time, but not actively used, and therefore might not have application or Internet traffic profiles.

Alternatively, if your most critical threat profile involves detecting outside attackers who surreptitiously add a new device to the network from which to launch an attack, it is a good idea to include the pen tester’s laptop on the network and assume that no learning has taken place.

In this scenario, threat detection will be more focused on spotting these newly introduced devices and the noisy attacks they have introduced to the network as fast as possible.

Successful evaluation of new network-based threat detection systems requires a thorough understanding and staging of test scenarios. Advanced detection capabilities in these new products make extensive use of unsupervised learning modes and require variable periods to baseline the network, the devices on the network, and the users operating the devices on the network.

These new systems are smart enough to filter out contrived and non-malicious traffic, and roll up multiple detection types and classes of threats until confidence levels are met. This reduces false-positive results and unactionable alerts.

Just because an alert hasn’t popped up in a GUI doesn’t mean the system isn’t aware and tracking the threat. It might simply mean that there’s not enough evidence to support an actionable response yet.

The post Evaluating AI-powered threat detection technologies appeared first on IT SECURITY GURU.

RAF Club members emailed fake invoices. Has it been hacked?

The Royal Air Force Club appears to have been the victim of a hack, following members being sent fake invoices for staying at the club’s London HQ. A source contacted The Register with a copy of the fake invoice, which was for £200 and spoofed to appear as if it had come from the club itself. The Register emailed the RAF Club to ask whether the membership list had been accessed by hackers. A club spokesman said: “The RAF Club is aware that spam emails appear to have been sent to some Club members this morning. The Club is investigating this issue as a matter of urgency and will be updating members in due course.”

The post RAF Club members emailed fake invoices. Has it been hacked? appeared first on IT SECURITY GURU.

Hundreds of thousands of TalkTalk and Post Office broadband users are knocked off the internet by cyber-attack that seizes control of their routers

The attack affected 100,000 Post Office customers on Sunday and up to 360,000 TalkTalk customers across the UK today. It used a piece of malware known as the Mirai worm, which is spread via compromised computers and works by taking control of devices running the Linux operating system and using them to knock services offline.

The post Hundreds of thousands of TalkTalk and Post Office broadband users are knocked off the internet by cyber-attack that seizes control of their routers appeared first on IT SECURITY GURU.