Passwords: To be or knOt2$B3? Take the Quiz!

Point-of-sale malware has been at the center of numerous high-profile breaches this year. Many of those attacks have involved three pieces of malware – BlackPOS, FrameworkPOS and Backoff.

In a new report, researchers at security firm Cyphort have peeled the layers back from each of these cyber-weapons, which have been linked to attacks on businesses ranging from Target to Home Depot to UPS.

Cyphort co-founder Fengmin Gong believes point-of-sale (PoS) malware has been so impactful this year for three main reasons: retailers have been slow to shore up their defenses; Backoff and its derivatives were quickly adopted by cyber-criminals; and publicity about retail breaches has called attention to the effectiveness of PoS malware.

"There definitely is growing awareness [of PoS malware], pressure from compliance, reputation, threatened law suit, and probably more importantly, top executives losing their jobs," he said. "However, the gap is the practical know-how that prevents them from implementing effective protection."

Recently, security firm Damballa noted that detections of the Backoff malware jumped 57 percent from August to September. During the month of September alone, Backoff infections increased 27 percent.

Among the breaches tied to Backoff is the attack on UPS, according to the Cyphort report. In the report, the firm notes that unlike BlackPOS and FrameworkPOS, Backoff is not oriented toward specific victims. Instead, it is built to operate on random PoS machines, listens to a command and control server and is independent of the retailer’s local infrastructure.

"Backoff is the most sophisticated…mainly because it’s designed to attack a broad spectrum of POS systems, it’s designed with all the modern malware armoring techniques, from protection layers to frustrate static analyses to the behavior armoring to evade simple sandboxing," Gong said. "Since our blog on September 19 and the special report, we have seen more reports, e.g. from both US Secret Service Alerts and Fortinet blog on November 3, pointing to Backoff infections. It appears that Backoff is either sold or shared through a form of SDK (software development kit) by multiple groups. Newer advanced versions are being produced and deployed in new campaigns."

FrameworkPOS and BlackPOS, on the other hand, are like off-the-shelf software and are tailored specifically for dedicated targets, the report explains.

"They are most likely not from the same authors but FrameworkPOS leaves the strong impression of a copycat attack after former POS malware incidents," according to the report. "Basic principles and ideas are identical, as of creating a service, scanning chunks of memory, pushing data to a local SMB server and hiding the data in a fake binary file in system root. Still, the implementation methods look very different. FrameworkPOS is very linear, no multi-threading is performed and the data exfiltration is controlled by time intervals rather than coordinated by two threads. Also, FrameworkPOS scans multiple processes, while BlackPOS limits itself to the pos.exe process of the infected POS device. Interestingly, all three families show slightly different memory scraping methods."

Cyphort recommends retailers take a number of steps to improve PoS security, including eliminating unnecessary system capabilities to limit a potential intruder and designing a security baseline that accounts for the complete attack lifecycle hackers have to fulfill to infect a system.

The full report is available online in PDF format.

Sometimes, securing your own network isn’t enough to guard against a data breach; your ecosystem of third-party providers can introduce a new set of risks to data as well.

The latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) seeks to help address that issue. On Jan. 1, 2015, PCI DSS 3.0 will become mandatory save for a few provisions that will be treated as best practices before becoming full requirements in July, and businesses will now be required to pay closer attention to the security practices of their partners – a reality security experts say may make a difference.

Troy Leach, CTO of the PCI Security Standards Council, called third-party security a "weak point" for organizations that sometimes make the mistake of entrusting sensitive data to third-party vendors without verifying they have the proper security posture.

"Updates introduced with PCI DSS 3.0 and recent released Special Interest Group guidance aim to help organizations adequately address payments risks in their contracts with third parties and perform ongoing due diligence to ensure sufficient levels of card security are maintained by their business partners," he told SecurityWeek. "The guidance lays out information on monitoring the relationships with third-party service providers (TPSP). Once the agreements have been established, the ongoing monitoring and maintenance of the TPSP relationship is critical. Understanding the relationship and scope of services, maintaining documentation/evidence to verify the services of the TPSP are secure, and ongoing monitoring of the TPSP compliance status are key to ensuring the TPSP maintains their compliance for the services provided."

So far this year a number of high-profile attacks were traced to breaches at a third-party vendor, including the attacks on Lowe’s and Dairy Queen. The new rules, said Trustwave’s Jonathan Spruill, mandate that providers clearly articulate what PCI DSS controls they will address and what will be left to the business.

"There is a significant blind spot between third-party providers and businesses – although it’s not intentional," said Spruill, senior security consultant at Trustwave. "Each party assumes the other is doing its part in securing their information yet that assumption is oftentimes incorrect. For example, when retailers contract out their point-of-sale systems and maintenance, many assume the third-party provider is using a complex password. However, as noted in our 2014 Trustwave Global Security Report, weak passwords opened the door for the initial intrusion in 31 percent of compromises we investigated in 2013. Using strong passwords is a basic best security practice that is overlooked by many third-party service providers and other businesses."

The issue of remote access of third-party vendors is a thorny one for security. For example, earlier this year reports surfaced of attackers taking advantage of tools such as LogMeIn and Remote Desktop to compromise systems. In PCI DSS 3.0 however, there is a new requirement for service providers with remote access to use unique authentication credentials for each customer. This requirement will go into effect in July.

"Using unique passwords definitely helps decrease risk," said Spruill. "We also recommend businesses use two-factor authentication to add an extra layer of security in case a criminal compromises a third party provider’s password. As an overall best security practice though, businesses should limit who has access to their most critical data to only those who need it. For example, if a third party service provider needs to remotely repair an issue on a retailer’s POS system, the provider should only be able to access that system, not the business’s entire infrastructure."

The bottom line, said Sophos Security Advisor John Shier, is that third-party vendors should be held to the same or a higher standard than the company holds itself to.

"I don’t know that many smaller retailers understand that they need to," said Shier. "My guess is that they would pick a reputable vendor and trust that the vendor has done everything they need to in order to be compliant. Three hundred sixty degrees of responsibility means that you also need to audit those third-party vendors to ensure that they do comply. With limited resources, this can pose a problem for many small businesses."

SAN FRANCISCO – Facebook on Thursday made it easier for people to understand and control how their information is used at the leading social network while expanding its quest to better target ads.

The simplified data policy came as Facebook announced that work to improve targeting of ads in the United States is expanding to other countries.

Several months ago, Facebook began using information such as where people go on the Internet to help target ads.

For example, visits to an array of travel-related websites could prompt vacation ads to pop up for a person at the social network.

Feedback from a website where someone bought a stereo would raise the likelihood of them seeing ads for speakers or other accessories.

New ads come with a built-in option that lets people see why they were shown the marketing messages and remove "interests" from their advertising profiles at Facebook.

"We also wanted to make sure people could turn that off," Facebook advertising vice president Brian Boland told AFP.

"We are not changing the ways and places people opt-out, but we are going to enhance the way we apply those controls."

If a person opts out on any device, the choice will be applied no matter what smartphone, tablet, or computer they use to access Facebook, according to Boland.

"In order to apply that setting for most publishers, you would have to go into the settings on each device to limit tracking," Boland said.

"What we are doing is if we see that setting once, anywhere, we will apply it across everywhere you use Facebook."

Facebook is expanding the ad targeting update to Britain, Ireland, France, Germany, Canada, and Australia with more countries to be added in the future, he said.

Privacy Basics Spotlighted

Steps taken by Facebook on Thursday included launching a "privacy basics" education center that uses animation and video to walk people through tasks such as deleting posts or blocking unwanted viewers.

The effort by the California-based firm is in response to concerns by regulators and social network users regarding how well privacy is safeguarded online, Facebook chief privacy officer Erin Egan told AFP.

"They want information in an easily accessible format," Egan said.

"How it is collected and how it is used, in simple and precise data policies."

The education center is starting with 15 short instructional videos in more than 30 languages, and provides the option of sending links to friends so insights can be shared.

Facebook also rewrote its data policy to make it easier to understand and navigate, and to add a part regarding information collected when people use a "buy" button being tested at the social network in the United States.

Information is collected when people use Facebook services for purchases or financial transactions, like buying something on Facebook, making a purchase in a game or making donations, according to the policy.

"We are just being more clear," Egan said about Facebook’s re-written data policy.

The advertising profile feature in new Facebook ads will reveal what, if any, targeting information came from purchases or other financial transactions, according to Egan.

Nothing was changed regarding data policies at Facebook-owned applications such as WhatsApp, the privacy officer said.

Report Shows Increase in Number of Hacked Mobile Apps

The third annual State of Mobile App Security report published by application protection solutions provider Arxan Technologies shows that cybercriminals have created hacked versions of most of the top Android and iOS applications.

According to the report, which is based on the analysis of 360 mobile applications, there are cloned or repackaged versions for 97% of the top 100 paid Android apps, and 87% of the top 100 paid iOS apps. In the case of iOS applications, the number of hacked programs has increased considerably compared to last year (from 56%).

Of the 20 most popular free applications, 80% of those for Android and 75% of those for iOS have been hacked, Arxan said.

When it comes to financial services applications, the study shows that a large percentage of the top 20 apps on each platform have been cloned or repackaged by malicious actors. In the case of Android applications, the percentage of hacked apps increased from 76% to 95% over the past year, while iOS app hacking increased from 30% to 70%.

As far as the top 20 retail applications are concerned, only 35% of iOS apps have been hacked. However, the report shows that 90% of the top Android retail apps have been targeted by cybercriminals.

In the healthcare/medical category, researchers found that 90% of Android apps have been hacked. A worrying fact is that 22% of these applications have been approved by the United States Food and Drug Administration (FDA).

The report also contains a series of recommendations for application developers. Experts advise developers to ensure that applications with high-risk profiles are tamper-resistant and capable of detecting threats at runtime. In the case of payment applications and mobile wallets, they must be protected with app hardening and secure crypto, Arxan said.

The number of free application downloads is expected to reach 253 billion by 2017 so it’s not surprising that malicious actors are increasingly turning their attention to mobile platforms. While Apple’s iOS operating system is considered more secure than Google’s Android, it’s not completely immune to threats. A perfect example is the recently discovered WireLurker malware which is said to have infected hundreds of thousands of devices in China.

"The pursuit of greater mobile application security remains at the forefront our research and development initiatives," commented Jonathan Carter, technical director at Arxan."We continue to evolve our security innovations based on emerging threats to ensure the strongest application protection for our customers in the dynamic battlefield against hackers."

The complete State of the Mobile App Security report is available online. The research was conducted in October 2014 and is based on the analysis of applications found in unofficial app stores, app distribution sites, torrent websites, and file download services.

One percent does not sound like a lot, but multiply it by the right number, and it can be.

Such is the case when it comes to malicious advertising. In research recently presented at the 2014 Internet Measurement Conference in Vancouver, a team of security experts from Ruhr-University Bochum, University College London and the University of California, Santa Barbara (UCSB) examined more than 600,000 online advertisements on 40,000 websites over a three-month period and used multiple detection systems to assess whether they were good or bad. The end result: one percent of the ads were found to be involved in suspicious or malicious activity such as drive-by downloads and link hijacking.

Malvertising "While this is bad news for the advertising networks, advertisers and Internet users who are all under attack from the malware producers, the good news is there are several things available today that can stop malvertising," said Giovanni Vigna, co-founder and CTO of Lastline, one of the members of the team that worked on the research. "One of these is the use of the sandboxing attribute in iframes within HTML5. None of the 40,000 websites we observed leveraged this mechanism, even though it could stop the link-hijacking that is by far the most prevalent method by which miscreants are getting past other security measures in order to distribute malware through advertisements."

"On the ad network side — whether those be ad brokers, ad distributors, ad resellers or traditional ad networks — a similar approach can be taken to that used in our study to monitor for malvertising," he continued. "To detect malicious behavior in ads we used a composition of blacklists, reputation databases, and Wepawet, a honeyclient developed at UCSB that uses an emulated browser to capture the execution of JavaScript to identify signs of maliciousness, such as drive-by-download attacks. The research community and technology companies (including security providers as well as ad networks and ad brokers) can and should continue to study malvertising and develop new techniques and tools to detect and stop it."

Apostolis Zarras of Ruhr-University Bochum said that the smaller ad networks appear to be more prone to serving malvertisements, which he speculated could be due to less efficient filtering mechanisms compared to the larger ones.

In the paper, the researchers also speculated that many publishers trust their advertisers to police malicious activity, and therefore do not use additional filters to protect their users. As for solutions, the researchers argued that collaboration among the ad networks can bring better results in defending against malvertisements compared to individual actions, and the existence of a common blacklist where all malicious advertisements will be submitted can prevent attackers from submitting their wares to a different network if they get rejected by another.

"Another, more drastic, solution will be penalizing of the ad networks which are inefficient to detect the malicious code embedded in advertisements," according to the paper. "For instance, forbidding from participating in ad arbitrations for a certain amount of time, or the application of similar penalties, when an ad network is found delivering malvertisements, can boost the ad networks to invest in better detection algorithms."

"Back in time, said Zarras, "we used to have websites that were controlled by cyber-criminals and the attackers had to lure the victims to visit these websites so they can effectively infect their machines with malware. But, with the ads this is not necessary any more. An ad can exploit vulnerabilities in your browser, or your browser extensions without the need from user’s side to visit a malicious website. For instance, the incident that took place on January 2014, in which Yahoo ads exploited vulnerabilities in Java and installed malware on victims’ computers, [shows] that these attacks are actually possible and not theoretical. So, the main reason that malvertisement is more effective that traditional attacks, is that the user’s can be infected with malware even if they visit only legitimate websites."

SAN FRANCISCO – Cyberattackers believed to have been working from China broke through defenses of the US weather service recently, according to a Washington Post report.

US media outlets on Wednesday said that the US National Oceanic and Atmospheric Administration (NOAA) confirmed that some of its websites had been compromised but declined to discuss who may have been responsible.

NOAA, which includes the National Weather Service, reportedly sealed off weather data relied upon for aviation, shipping, and more after security teams caught on to the breach.

Cyberattacks were "deflected," and some NOAA services were taken down temporarily for what was described at the time as "unscheduled maintenance," according to media reports.

The Washington Post quoted US Representative Frank Wolf of Virginia, a Republican, as saying that the NOAA told him "it was a hack and it was China."

The report came just two days after the US Postal Service said hackers stole sensitive personal information from its employees in a large data breach this year, and got some customer data as well.

The postal service said it "recently learned of a cybersecurity intrusion into some of our information systems" and was cooperating with law enforcement agencies in an investigation.

It said the hackers appeared to have accessed "identifiable information about employees, including names, dates of birth, social security numbers, addresses, beginning and end dates of employment, emergency contact information and other information."

A USPS spokesman said the breach affected as many as 800,000 people who are paid by the agency, including employees and private contractors.

The statement said hackers also penetrated payment systems at post offices and online where customers pay for services.

It said the customer data included "names, addresses, telephone numbers, email addresses and other information" but that there was "no evidence that any customer credit card information from retail or online purchases" had been compromised.

The Washington Post, citing unnamed sources, said Chinese hackers were suspected in the breach.

The news comes with US President Barack Obama in China for high-level talks, amid heightened concerns about cyberattacks allegedly from China.


Researchers have published a paper detailing a new attack method that can be leveraged to silently modify the digital ballots used in the Internet voting process.

In Estonia, people have been able to vote over the Internet since 2005, but the United States has also conducted some tests over the past years. Online voting was used in Alaska in 2012 and 2014, and in New Jersey in 2012 due to the impact of the Sandy superstorm. Washington D.C. also developed a system in 2010, but the project was abandoned after it was hacked by researchers.

One of the proposed voting systems involves digital ballots in PDF format. People fill out the forms and send them via email to a specified address. The ballots are printed and counted by hand or with an optical scanner. This type of mechanism is currently used in Alaska, but it was also used in New Jersey and in Washington D.C. as a fallback system.

Attack description and implementation

According to Daniel M. Zimmerman and Joseph R. Kiniry, researchers at Galois, Inc., this type of mechanism is vulnerable to several types of attacks. Malicious actors can use malware to modify or invalidate votes, and third parties can pose as the legitimate election authority or they can launch DDoS attacks against the organization to prevent votes from being cast.

However, the attack described by the researchers occurs at the transport level and involves hacking into the targeted users’ routers. The method they presented in their research paper allows the attacker to change the vote after the ballot has been sent via email to the election authority. The attack is dangerous because it’s difficult to detect by both the voter and the election authority.

In order to modify the vote cast by the user without invalidating the file, the attackers must change certain strings within the PDF. Successful tests have been conducted on several popular PDF viewer applications such as Adobe Acrobat Pro XI, Apple Preview, Google Chrome, Gmail (on all browsers), Mozilla Firefox, Safari and Skim.

The PDF documents are not tampered with while they are stored on the victim’s computer. Instead, the attack is carried out by modifying one or more TCP packets of the email attachment after it’s sent by the user’s email client and before it reaches the election authority.

The researchers achieved this by changing the firmware on the victim’s wireless router. For their tests, they selected an off-the-shelf home router.

"Nearly all such routers on the market today are based on embedded versions of the Linux operating system and therefore, in accordance with the GNU General Public License, the source code for their firmware is freely available," the researchers explained.

They have downloaded the source code for their test router’s firmware and made a small modification (less than 50 lines of code) to the part of the kernel that handles packet transmission. The new firmware looks very similar to the original one. The only differences are the slower TCP connections on standard email submission ports (25 and 587), and the fact that certain sequences of bytes sent to these ports are replaced with different sequences.

Researchers believe it would take a detailed inspection of the compiled code or a detailed analysis of the router’s traffic handling to notice that the firmware is not genuine. Performance is negatively impacted, as the TCP connections to these ports are 25% slower, but the experts argue that users don’t usually monitor the speed of their outgoing messages when using email clients.

In order to get the modified firmware on the targeted router, an attacker can leverage one of many vulnerabilities, such as the recently disclosed flaw affecting ASUS routers. Another way to install the malicious firmware is to drive around in a neighborhood and gain access to network connections and router administration interfaces by leveraging the fact that many users set easy-to-guess passwords and don’t change the default credentials, researchers said.

Mitigating attacks

The researchers have suggested three possible mitigation strategies: signing or encrypting the PDF file before it’s sent to the election authority, encrypting the connection to the SMTP server, and more secure router firmware update mechanisms.

"The overall conclusion is inescapable: unencrypted PDF ballots sent via electronic mail can be altered transparently, potentially with no obvious sign of alteration, and certainly with no way to determine where on the network any alterations took place or the extent to which votes have been corrupted. This method of vote submission is inherently unsafe, and should not be used in any meaningful election," the researcher wrote in their paper.

In Estonia, over 100,000 people used the Internet to cast their votes at the European Parliament elections in May 2014. Just two weeks before the vote, security researchers warned Estonian authorities that the system contained serious vulnerabilities which could be tempting for a state-level actor such as Russia. However, the country’s electoral commission dismissed the reports, claiming they were confident in the system’s security.


Passwords

Do you think passwords are still important? Do you ever worry about your passwords? We’ve been kicking around computer and information security for a while now. Why don’t we have a better answer?

Personally, I have gotten a little tired of password articles and blogs. I started “logging on” in about 1976, and I kind of thought we had said pretty much everything there was to say about passwords by now. Then, I recently spoke with some people born in the 1990s and 2000s, and it seemed like they tried their best to make my brain spring through the top of my skull. From these people in their teens and 20s I heard things like, “I just use the same password for everything,” and “I’m just a student, hackers don’t want my stuff.”

As a professional security geek, my reaction was more or less “you’re kidding, right?” But it should really not be a surprise when we look at some of the recent statistics about password use. This includes analysis of compromised passwords that shows that the most commonly used passwords are things like “123456” and “password”. Or droves of surveys done over the past six or seven years which keep saying that 55-70% of people (depending on the exact survey and year) use the same password across multiple accounts. Or similar studies that say 70-80% of passwords being used online are classified as “weak”, which often means a password that is less than eight lower-case characters, or are simple dictionary words like “iloveyou”, “monkey”, “dragon”, or “ninja”.

We all know passwords are not a great solution for securing our accounts and information. But, it is what we have right now, so we might as well make the best of them, eh?

Curious on how strong your passwords are? For some empirical checking, you might try one of these sites (in general, of course, I will advise against entering your actual password):

http://askthegeek.kennyhart.com/password-meter/

https://howsecureismypassword.net/

Hopefully, using them is an eye opening experience, and not a humbling one. As a point of reference, I tested a password with a construction similar to what I use to log on to my personal machine on these two sites. HowSecureIsMyPassword says it would take 71 quadrillion years for a desktop PC to crack the password, and askthegeek shows it as “Very Strong” with a score of 100%. But those measure the technical part of the password.

Considering all of this input, I thought it was time for a 90 second quiz (probably less than that, so relax). Unfortunately, this is a text-based article so I cannot use a quiz tool that will accumulate your score for you, but, trust me, the scoring is really straightforward (you will know immediately if it goes south on you). The only real catch is that the quiz (and scoring) is not based on some password standard, but is based on my own personal criteria. I will assert that over 38 years of computer use, and 29 years of experience in the security world gives me that right.

Points   Question

_____    +1 – If your passwords are at least eight characters.

_____    +5 – If your passwords are at least 10 characters.

_____    +1 – If you use both lower-case and upper-case in your passwords.

_____    +2 – If you include numbers in your passwords.

_____    +3 – If you include special characters (like !@#$%*) in your passwords.

_____    +1 – If you ever change your passwords.

_____    +3 – If you change your important passwords at least annually (e.g., bank, credit card).

_____    +6 – If you store passwords in a password vault, or offline.

_____    -1 – If you include any numbers or special characters only at the end of your password.

_____    -3 – If your password mystery relies on substituting numbers for letters (it is simply not that tr1cky or 3L1T3).

_____    -5 – If you include keyboard sequences in your password (like "qwerty" or "mnbvcxz" or "123456789").

_____    -20 – If you include any form of the word "password" in your password (like "password" or "pwd" or "pass").

_____    -10 – If you repeat any letter or number more than two times (like "aaaa" or "666").

_____    -15 – If your password includes any part of your name, username, any month or has anything at all to do with the site associated with the password (like having your Facebook password as “fbletmein” and your email password as “emailletmein”).

_____    -50 – If you use the same password on social media, email and private sites (like shopping and banking sites).

_____    -10 – If you have shared your personal passwords with anyone.

_____    -20 – If you keep passwords in email or in a plain text, unencrypted file.

_____    Total Score

Score           Description

Less than -50   Um. I’m not even sure why you pretend you are using passwords.

-50 to 0        Please reconsider your password habits – they are probably giving you a false sense of security.

0 to +15        In general, your password practices are not unreasonable. Check the quiz again to see how much more paranoid you are willing to get.

+15 and up      Greetings fellow paranoid security geek. Nice to know someone takes this seriously.

If you paid any attention to the scoring, you may have noticed a couple things. The positive numbers are all small, and include all of the technical parts of password construction. With a couple small exceptions, the negative numbers are more related to password usage. The technical side is the easy part – make a strong password. If any part of this is hard, it is the usage – use your password(s) wisely. It’s not like, as an industry, we consistently do either part well. But we have to do the two parts together. A strong password, used foolishly, is probably not going to help us much. At the same time, a poor password, used well, will, at best, make us think we are more secure than we really are.
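As an added example (my own code, not the author's), here is a Python scorer for the technical items of the quiz above; the habit-based items are left out because only the reader can answer them. The minimum keyboard-sequence length of four, the leet character set, the "P@ssw0rd" de-leeting check and assigning the shared band boundaries (0 and -50) to the lower band are my assumptions, not the author's.

```python
import re
import string

# Added example, not from the article: scores a password against the technical
# items of the quiz above. Habit-based items (vault, rotation, reuse, sharing)
# need the reader's own answers and are left out on purpose.

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCE_LEN = 4  # shortest run we call a keyboard sequence (our assumption)
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Digit/symbol-for-letter swaps behind the -3 "tr1cky or 3L1T3" rule (our list).
LEET_CHARS = "013457@$"
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
PASSWORD_WORDS = ("password", "pwd", "pass")


def has_keyboard_sequence(pw):
    """A SEQUENCE_LEN slice of any keyboard row, forwards or backwards, is present."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + SEQUENCE_LEN] in low
                   for i in range(len(seq) - SEQUENCE_LEN + 1)):
                return True
    return False


def has_repeated_char(pw):
    """Any character three or more times in a row ("aaaa", "666")."""
    return re.search(r"(.)\1{2,}", pw) is not None


def uses_leet_substitution(pw):
    """Heuristic: a leet character wedged between two letters ("tr1cky", "P@ss")."""
    return any(pw[i] in LEET_CHARS and pw[i - 1].isalpha() and pw[i + 1].isalpha()
               for i in range(1, len(pw) - 1))


def non_letters_only_at_end(pw):
    """All digits/specials form a suffix after the letters ("Summer2014!")."""
    return re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", pw) is not None


def contains_password_word(pw):
    """Checks the lower-cased and the de-leeted form, so "P@ssw0rd" is caught."""
    variants = (pw.lower(), pw.lower().translate(LEET))
    return any(w in v for w in PASSWORD_WORDS for v in variants)


def contains_personal_context(pw, context=()):
    """A month or any caller-supplied term (name, username, site nickname) appears."""
    low = pw.lower()
    terms = [t.lower() for t in context if len(t) >= 2] + list(MONTHS)
    return any(t in low for t in terms)


def score_password(pw, context=()):
    """Return (score, reasons) for the technical quiz items only."""
    specials = set(string.punctuation)
    rules = [
        (+1, "at least eight characters", len(pw) >= 8),
        (+5, "at least ten characters", len(pw) >= 10),
        (+1, "mixed upper and lower case",
         any(c.islower() for c in pw) and any(c.isupper() for c in pw)),
        (+2, "contains numbers", any(c.isdigit() for c in pw)),
        (+3, "contains special characters", any(c in specials for c in pw)),
        (-1, "numbers/specials only at the end", non_letters_only_at_end(pw)),
        (-3, "leet-style substitution", uses_leet_substitution(pw)),
        (-5, "keyboard sequence", has_keyboard_sequence(pw)),
        (-20, "contains a form of 'password'", contains_password_word(pw)),
        (-10, "character repeated more than twice", has_repeated_char(pw)),
        (-15, "contains name/username/month/site",
         contains_personal_context(pw, context)),
    ]
    score = sum(points for points, _, hit in rules if hit)
    reasons = [f"{points:+d} {text}" for points, text, hit in rules if hit]
    return score, reasons


def band(score):
    """Map a total to the quiz bands; shared boundaries (0, -50) go to the lower band."""
    if score < -50:
        return "Less than -50"
    if score <= 0:
        return "-50 to 0"
    if score <= 15:
        return "0 to +15"
    return "+15 and up"


if __name__ == "__main__":
    # Constructed samples; the first is the password from the article's title.
    for pw, ctx in [("knOt2$B3?", ()), ("P@ssw0rd123", ()),
                    ("qwerty2024!", ()), ("fbletmein", ("facebook", "fb"))]:
        total, why = score_password(pw, ctx)
        print(f"{pw!r}: {total:+d} ({band(total)}) {'; '.join(why)}")
```

Note how "qwerty2024!" still lands in the "not unreasonable" band on the technical items alone, which is the author's point: construction is the easy part and the usage items decide the real outcome.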

Passwords are not the keys to our systems and information. At least they should not be. The purpose of a password is to help separate the wheat from the chaff, and to slow down attackers. We create good passwords, and then use them wisely for two reasons:

1. To help slow down access to our stuff, not stop it.

2. We don’t have an answer that is better than “passwords,” yet.

And, one last question for the quiz. If you have ever emailed your password to anyone you get to subtract another 200 points from your score.



Copyright © 2015 - 2018 Sentree Systems, Corp. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282