Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Imminent threats

 

SHARED INTEL: Mobile apps are riddled with security flaws, many of which go unremediated

By Byron V. Acohido

The convergence of DevOps and SecOps is steadily gaining traction in the global marketplace. Some fresh evidence of this encouraging trend comes to us by way of shared intelligence from WhiteHat Security.

Related: The tie between DevOps and SecOps.

Organizations that are all-in leveraging microservices to speed-up application development, on the DevOps side of the house, have begun acknowledging the importance of incorporating SecOps along the way. The most forward-thinking among them are increasingly checking for vulnerabilities in new apps – and finding them, big time.

That’s one of the key revelations in the 2019 WhiteHat Application Security Statistics Report, which I’d place in the category of reports that bear close scrutiny because it is based on the actual in-the-field experiences of WhiteHat’s global customer base. Also, WhiteHat has been generating this report annually since 2006.

Based on 17 million application security scans carried out in 2018, WhiteHat found a 20% increase in vulnerabilities found in the applications that organizations tested for security flaws.

What’s more, based on WhiteHat’s partner, NowSecure’s insight, some 70% of mobile apps were found to leak sensitive data.

The fact that more companies are participating in the hunt for security flaws in new apps is a good thing. However, WhiteHat also found many app vulnerabilities are, today, going unaddressed. Remediation rates actually fell in 2018, as compared to 2017. At the moment, the effort required to secure existing and new apps appears to be overwhelming already short-staffed security teams.

The Dawn of DevSecOps

This field report tells us that, yes, SecOps is gaining traction, with more and more security teams beginning to contribute to the delivery of secure apps. However, many security teams lack the skills, and/or have not yet won corporate backing to bring in the engineering support needed to mitigate the vulnerabilities.

These applications flaws were always there, mind you – WhiteHat found that more than one-third of all application security risks are inherited rather than written – but now they are being flushed out as DevOps and SecOps merge into DevSecOps.

The more progressive security teams are, indeed, tackling remediation. For those teams, the benefits associated with paying a bit of attention to security, up front, have sunk in. Not only can they take pride in contributing to a better experience for end users, they’re also reducing the headaches that go along with having to patch vulnerabilities that turn up, post production. …more

NEW TECH: ICS zero-day flaws uncovered by Nozomi Networks’ analysis of anomalous behaviors

By Byron V. Acohido

Andrea Carcano’s journey to co-founding a security company in the vanguard of defending critical infrastructure began at a tender age.

Related: Why the Golden Age of cyber spying is here

Carcano hacked a computer screen at age 14, and that got him intrigued by software controls. He went on to earn a masters degree in cybersecurity, during which time he won a scholarship from the European Commission to craft a proof of concept attack against an industrial control system (ICS.)

“I said at the time, ‘OK, this is cool, someone is paying me to develop malware,” Carcano told me. “So I decided to keep going. I saw a huge gap, and I got really passionate about this topic. I started on my PhD, and at the very beginning focused on the offensive side. But I quickly moved to the defensive side and spent all of my academic career focused on how to protect critical infrastructure.”

PhD in hand, Carcano spent three years in the field helping a large oil-and-gas company tighten ICS security for operations in different corners of the world. In 2013, he co-founded Nozomi Networks aiming to deliver a more holistic and efficient way to defend industrial controls of all types.

I had the chance to visit with Carcano at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. Here’s what I came away with:

Ready-made attack tools

Vulnerability research and outright attacks on industrial controls has shifted dramatically over the past 10 to 15 years ago. When Carcano first began working in the field, only a handful of the top nation-states were actively involved in sponsoring this type of activity, and they tried to do it  as quietly as possible.

Today, for a variety of reasons having to do with geo-political affairs and the evolving cyber underground, things are much different. The state-sponsored hacking groups are still in business. But they are part of a thriving cottage industry that has arisen around finding, selling and testing fresh ICS vulnerabilities. And not just of power plants and utilities, but also in the firmware and software that run manufacturing plants of all types and sizes, Carcano told me. …more

MY TAKE: Here’s how ‘bulletproof proxies’ help criminals put compromised IoT devices to work

By Byron V. Acohido

Between Q1 2019 and Q2 2019, malicious communications emanating from residential IP addresses in the U.S. – namely smart refrigerators, garage doors, home routers and the like – nearly quadrupled for the retail and financial services sectors.

Related: How botnets gave Trump 6 million faked followers

To put it plainly, this represented a spike in cyber attacks bouncing through ordinary Internet-connected devices humming away in homes across America. These attacks were carried out by cyber criminals leveraging an insidious new attack tool: bulletproof proxies.

What were they up to? IoT devices are proving to be an integral element for cyber criminals to launch automated attack campaigns to manipulate social media likes, create fake accounts, take over existing accounts, execute credential stuffing, content scraping, click fraud and carry out other cyber villainy.

This stunning intel comes in a study from Cequence Security, a Sunnyvale, CA-based vendor focused on helping companies defend against such attacks. These findings have huge implications, not just highlighting what a huge drain botnets have become to our Internet-centric economy, but also underscoring how botnets have become a disruptive force in political discourse, globally.

I had a deep discussion about this with Cequence’s Will Glazier, head of research, and Matt Keil, director of product marketing, at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. My big takeaways:

Bulletproof weaponry

Back in 2007, a noted fellow journalist, Brian Krebs, exposed how the Russian Business Network had pioneered something called “bulletproof hosting.” RBN provided web hosting services to one-and-all, and then looked the other way as spammers, fraudsters and even child pornography distributors did their thing, operating their botnets with impunity.

Just the other day, Krebs broke another story about what he’s calling “bulletproof residential VPN services.” And Cequence has done deep analysis on “bulletproof proxies” — the latest, greatest iteration of bulletproof hosting. Instead of building out and hosting a server farm that can be isolated and potentially shut down by law enforcement, bulletproof proxy providers today assemble millions of globally distributed IP addresses and make those available to one-and-all.

Crucially, the availability of an endless supply of IP addresses reinforces the viability of botnets. (A bot is a computing nodule, and a botnet is a network of nodules under control of the botnet master.) The fact that botnet nodules today increasingly spin out of residential IP addresses is significant for two reasons: …more

SHARED INTEL: Malware-ridden counterfeit phones place consumers, companies in harm’s way

By Byron V. Acohido

A faked Rolex or Prada handbag is easy enough to acquire on the street in certain cities, and you can certainly hunt one down online.

Now add high-end counterfeit smartphones to the list of luxury consumer items that are being aggressively marketed to bargain-hungry consumers.

Related: Most companies ignorant about rising mobile attacks

While it might be tempting to dismiss the potential revenue lost by Apple, Samsung, HTC and other suppliers of authentic phones, this counterfeit wave is particularly worrisome. The faked phones flooding  the market today are slicker than ever. And, increasingly, they come riddled with some of the most  invasive types of malware.

This is putting consumers and companies in harm’s way through yet another attack vector – one which gives professional hacking collectives another means to compromise online accounts and break into company networks.

“These devices are not safe to do anything on, and they impact everything they touch,” says Ronan Cremin, chief technology officer at Afilias Technologies, a Dublin-based tech vendor that has a unique view of mobile device usage patterns.

I visited with Cremin at Black Hat USA 2019. For a full drill down of our discussion, give a listen to the accompanying podcast.  My takeaways:

Cutting corners

Knock-off smartphones are a much bigger problem than most folks realize. An estimated 180 million counterfeit mobile phones are sold globally each year, representing a potential loss of $50 billion to device manufacturers, according to a study by the EU’s Intellectual Property Office.

Such phones have been around for a few ears, and the latest iterations are getting nearly impossible to distinguish from the genuine article, Cremin told me. Packaging is spot on: all expected accessories, including headphones, chargers, cables and user guides are typically included. Outwardly, the look-and-fell is amazing: fit and finish and the user interface are indistinguishable from the genuine article. The big clue that it’s a fake is the asking price, which is typically a tenth or less of what you’d expect to pay.

Ah, but on the inside, that is where all the corners get cut. A favorite sleigh-of-hand is to display bogus specs for the make, model, RAM, storage and CPU core. Under the covers, the main components typically will be several generations old. …more

MY TAKE: A primer on how ransomware arose to the become an enduring scourge

By Byron V. Acohido

“All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

This is an excerpt from a chilling ransom note Baltimore IT officials received from hackers who managed to lock up most of the city’s servers in May. The attackers demanded $76,000, paid in Bitcoin, for a decryption key. Baltimore refused to pay – choosing, instead, to absorb an estimated $18 million in recovery costs.

Related:  ‘Cyber Pearl Harbor’ happens every day

Some 15 months earlier, in March 2018, Atlanta was hit by a similar assault, and likewise refused to pay a $51,000 ransom, eating $17 million in damage.

Stunning as these two high-profile attacks were, they do not begin to convey the full scope of what a pervasive and destructive phenomenon ransomware has become – to individuals, to companies of all sizes and, lately, to poorly defended local agencies.

Probing and plundering

Ransomware is highly resilient and flexible. Its core attraction for criminals is that it is about as direct a channel to illicitly-garnered cash as any conman could dream up – few middlemen required.

From a high level, ransomware is essentially an open platform that operates on market principles, around which a thriving ecosystem of suppliers and specialists has taken shape. This has opened the door for newbie purveyors, with modest technical skill, to enter the field, giving these novices easy and cheap access to powerful turnkey tools and services. Meanwhile, the advanced hacking collectives invest in innovation and press forward. The net result is a continuation of proven styles of ransomware attacks, as well as constant probing for vulnerable pockets and plundering along fresh pathways.

According to the FBI, the absolute number of daily ransomware attacks actually dipped slightly last year. However, that’s more a function of hackers targeting individuals less, and companies and governments more. And as highlighted by the assaults on Baltimore and Atlanta, municipalities are among the hottest targets of the moment. A survey of local media reports by Recorded Future tallied 38 ransomware attacks against cities in 2017, rising to 53 attacks in 2018. In the first four months of 2019 alone, some 22 attacks have been disclosed.

…more

GUEST ESSAY: 6 unexpected ways that a cyber attack can negatively impact your business

By Mike James

Cyber crime can be extremely financially damaging to businesses. However, if you believe that money is the only thing that a cyber-attack costs your organization, you would be wrong. In fact, a recent academic analysis identified 57 specific individual negative factors that result from a cyber-attack against a business. Here are six ways, worth considering, that a attack can affect your organization.

SEO rankings

James

There are a number of issues that will occur in the aftermath of a cyber-attack that can have enormously negative consequences for your search engine optimisation (SEO). Hacked sites, for example, will by flagged in the rankings with a warning sign which can put off visitors. It is also worth noting that when a site is hacked it can start receiving bad reviews on Google’s review section – these can both begin to see you dropping in the rankings and losing traffic.

A large number of sites also have their content altered when they suffer a breach, and given the importance of content to the way that your site ranks, this can clearly play a huge role.

Legal and compliance issues

It is not just cyber-criminals that you have to worry about when you are calculating the costs of a cyber-attack. In the modern world of data protection and industry regulators, there are now powers to heavily fine businesses that fail to take adequate steps to protect their customers.

Related: Poll shows SMBs struggle dealing with cyber risks

Under the General Data Protection Regulation (GDPR) for example, regulators now have the power to fine businesses up to €20 million or 4 per cent of annual global turnover (whichever is greater), if they suffer a data breach and have failed to be in compliance with the regulation. This shows you just have expensive the concept is. …more

MY TAKE: Let’s not lose sight of why Iran is pushing back with military, cyber strikes

By Byron V. Acohido

It is not often that I hear details about the cyber ops capabilities of the USA or UK discussed at the cybersecurity conferences I attend.

Related: We’re in the golden age of cyber spying

Despite the hush-hush nature of Western cyber ops, it is axiomatic in technology and intelligence circles that the USA and UK possess deep hacking and digital spying expertise – capabilities which we regularly deploy to optimize our respective positions in global affairs.

Last week, President Trump took an unheard of step: he flexed American cyber ops muscle out in the open. An offensive cyber strike by the U.S. reportedly knocked out computing systems controlling Iranian rocket and missile launchers, thus arresting global attention for several news cycles.

“The digital strike against Iran is a great example of using USCYBERCOM   as a special ops force, clearly projecting US power by going deep behind enemy lines to knock out the adversary’s intelligence and command-and-control apparatus,” observes Phil Neray, VP of Industrial Cybersecurity for CyberX, a Boston-based supplier of IoT and industrial control system security technologies.

Some context is in order. Trump’s cyber strike against Iran is the latest development in tensions that began in May 2018, when Trump scuttled the 2015 Iran nuclear deal – which was the result of 10 years of negotiation between Iran and the United Nations Security Council. The 2015 Iran accord, agreed to by President Obama, set limits on Iran’s nuclear programs in exchange for the lifting of nuclear-related sanctions.

For his own reasons, Trump declared the 2015 Iran accord the “worst deal ever,” and has spent the past year steadily escalating tensions with Iran, for instance, by unilaterally imposing multiple rounds of fresh sanctions.

Iran pushes back

This, of course, has pushed Iran into a corner, and forced Iran to push back. It’s important to keep in mind that Iran, as well as Europe and the U.S., were meeting the terms of the 2015 nuclear deal, prior to Trump scuttling the deal.  Let’s not forget that a  hard-won stability was in place, prior to Trump choosing to stir the pot.

Today, Iran is scrambling for support from whatever quarter it can get it. It’s moves, wise or unwise, are quite clearly are calculated to compel European nations to weigh in on its behalf. However, many of Iran’s chess moves have also translated into fodder for Trump to stir animosity against Iran. …more