Q&A: How hackers manipulate domain names to spread malware

By Byron V. Acohido

When Seattleite Jay Westerdal bootstrapped a company called DomainTools in 2002, it was to support his activities in the domain name speculation game that was red hot at the time.

DomainTools set out to gather domain “whois” records in order to serve those immersed in speculating on owning domain names, like chocolate.com. Unbeknown to the founders at the time, the company did a couple of things that would position DomainTools to reinvent itself down the road as a security vendor, once the domain name market ran its course.

First, the company kept historical records of everything. And, second, DomainTools started gathering, not just “whois” records, but also web server and email server records, all of which would prove to be valuable for tracking the activities of cyber criminals.

ThirdCertainty recently visited with Tim Helming, DomainTools’ director of product management, to outline how the company today sheds light on the cyber underground. Text edited for clarity and length.

3C: How do domain names come into play with malicious internet activities?

Tim Helming, DomainTools’ director of product management

Helming: Everything that happens on the internet happens with IP addresses and domain names. You’ve probably received phishing emails once or twice, right? We all have. So a phishing email has domains in a couple of places. Usually there’s a link that they want you to click on, and that link has some domain in it. Sometimes it’ll be an intentional typo that looks like a legitimate site. They want you to click on it. So that domain name actually is a key to a lot of valuable information about the attacker.

Related: DNS vulnerabilities expose businesses to attack

From that one domain, you can often expand and see other domains that they own. And that could tell you things like, ‘Oh these other domains are all targeting businesses in my industry. So this attacker’s interested in my industry.’ Or maybe they’ve got a … more

VIDEO: Vasco Digipass technology changes user’s password every 30 seconds to thwart hackers

By Byron V. Acohido

KBC Bank Ireland announced last month that it has upgraded security for mobile customers by integrating the Vasco Digipass for apps into its mobile security application.

The Irish bank’s decision is part of a growing trend by financial institutions to implement advanced security solutions for an increasing number of customers who bank with a mobile device.

“Mobile banking is growing faster than the use of online banking did, and smartphones will soon be within the reach of almost all banking customers,” says Vasco Data Security International Vice President John Gunn. “In the next few years, mobile payments will be preloaded on every new phone and integrated into every mobile banking application.”

With the addition of Digipass, KBC Bank customers can use an iPhone’s Touch ID functionality—a fingerprint identity sensor—instead of a PIN code. Digipass automatically changes a mobile user’s password every 30 seconds, and the bank’s server tracks whether each is valid.

Vasco’s technology provides a graphical cryptogram that contains the details of the transaction, e.g. payee, amount, account number. When a picture of the color QR code is taken and then decoded, customers can securely view and verify financial details on a computer, smartphone or tablet and then authorize the transaction. Because it is encrypted, hackers cannot change the details, so they cannot conduct man-in-the-middle attacks.

More: Apple gets into mobile payments with iPhone6

“This eliminated the opportunity for hackers to use stolen passwords and makes phishing attacks obsolete,” Gunn says. “With a six-digit PIN or a one-time-password, a hacker would have a one-in-a-million chance of guessing the correct password. Brute force attacks don’t work because a hacker cannot present a million attempts in 30 seconds, and the password changes again within that time.”

Two-factor authentication offers stronger shield

Simon Keates, a mobile payment security expert for Thales e-Security, says Vasco’s Digipass, or two-factor authentication, is “a proven method for enhancing typical authentication methods and significantly … more

VIDEO: Cyber criminals use cheap devices to jam, disrupt signals in everyday objects

By Byron V. Acohido

The risk of being hacked comes with living in the digital age. But now another form of digital disruption—signal jamming—is rapidly gaining traction and shaping yet another type of risk for consumers and businesses to worry about.

We’ve come to rely on digital signals moving through the Internet cloud and in and out of our computing devices. The problem is: it turns out that jamming digital signals is an easy thing to do.

Just when you thought it was safe

Security and privacy experts are starting to discuss how the disruptions wrought by digital signal jamming can cause harm ranging from the trivial to potentially catastrophic. Clearly, the horse is out of the barn.

The largest fine ever issued by the Federal Communications Commission—$34.9 million—was levied in June 2014 against Chinese online retailer CTS Technology for marketing nearly 300 signal jammers in the United States over more than two years.

Digital jammers are illegal in the United States because they can block 911 and law enforcement communications. Yet the devices remain cheap and easy to acquire on the Internet. People with a range of motivations are buying jammers and putting them to different uses.

Dean Liptak, a high school science teacher in Pasco County, Florida, for instance, earlier this year got fed up with his students disregarding school policy requiring them to turn off their cell phones while class was in session.

So Liptak used a jammer to shut down cell phone usage while he was lecturing. Verizon detected their customers’ phones being jammed in and around the high school and put a stop to Liptak’s use of a jammer as a teaching aid.

Meanwhile, last May a ring of clever car thieves in the United Kingdom used a type of jammer available for less than $50 on the Internet to disrupt shoppers in the act of digitally locking their vehicles at the Manchester Fort Shopping Park.

The thieves … more

VIDEO: Ripples from Internet of Things create sea change for security, liability

By Byron V. Acohido

Fact about Dick Cheney: When he was vice president of the United States, Cheney so fretted about someone remotely hacking into his heart defibrillator that he had his doctors disable the device’s wireless feature.

Cheney’s prescience about unprecedented exposures arising from the Internet of Things has been borne out.

Manufacturers are foisting Internet-connected medical devices, automobiles, TVs, gaming consoles, webcams, thermostats, utility meters and household appliances on consumers faster than hackers—both white hats and black hats—can identify the intrinsic coding flaws.

About 70 percent of the most commonly used IoT devices contain password, encryption, authentication and other vulnerabilities, according to a 2014 Hewlett Packard study. HP reviewed 10 of the most popular IoT devices and uncovered an average of 25 software flaws per device.

The good news is that the tech sector is cognizant of these new risks and is moving to establish baseline stability for the Internet of Things.

It may take a while. A cabal of IT security startups and entrenched tech giants has emerged as the source of proposals to shape a stable foundation on which IoT can stand. Ideas range from software patching to assembling innovative wireless networks dedicated to IoT devices.

“You can think of a future where … there will be tons of sensors around our physical environment,” says Chenxi Wang, vice president of cloud security and strategy at cloud encryption vendor CipherCloud. “It can collect data about our movement, even our body temperature. Privacy is a big issue. Safety could be an issue when those devices are operating critical tasks, like driving a car.”

Unique characteristics

IoT devices tend to have limited networking and storage capacities. So there’s little room for traditional security software, says May Wang, co-founder and CTO of Silicon Valley-based ZingBox, a startup that provides IT network security services.

“It’s hard to deploy per-device security measures,” says May Wang, no relation to Chenxi Wang.

What’s more, IoT devices often … more

Q&A: Chinese military hacking tactics used against major U.S. retailer

By Byron V. Acohido

This actual snapshot of a cutting edge cyber attack was discovered by analysts at Norse Corp, a security vendor that has developed an amazing global network of honeypots emulating all sorts of common workplace and home appliances connected to the Internet, with embedded operating systems rife with vulnerabilities. Norse uses this honeypot network to monitor as cybercriminals scan for, infect, take control of and finally deploy vulnerable IoT appliances. Company founder and CTO Tommy Stiansen shared these stunning details with LastWatchdog.

Core finding: Nation state-backed cyber warfare campaigns typically focus on infrastructure such as utilities, defense contractors, financial firms and technology companies. However, forensic experts at Norse Corp. recently documented how a hacking group used military-style breach and data-exfiltration techniques against a large U.S. retailer. The hackers, widely believed to be backed by the Chinese government, ignored the usual pot of gold: payment card transaction data. Instead, they went after intellectual property to support an elaborate counterfeiting campaign.

Attack vector: To get a foothold in the retailer’s network, the hackers spear-phished working developers, engineers and designers. The targets were enticed into downloading what they believed to be 3D software to use in their daily work. They actually got the software, but the download also sneaked malware into the company’s network.

Distinctive technique: The infected computers then began to communicate with a command-and-control (C2) server using browser-based URL requests. Data sent back up to the C2 server was encrypted. Norse analysts had to unravel multiple layers of obfuscation to reveal what was being exfiltrated, including translating part of the hackers’ encryption string from Japanese to English, and another part from Korean to English.

Wider implications: Retailers, or any other organization with trademarked and/or patented goods and services, should realize financial data isn’t the only data sophisticated hacking groups are proactively seeking. Governments engaging in cyber warfare must now worry that loosing military hacking techniques to breach nonmilitary targets, for whatever … more

VIDEO: Elastica discovers major vulnerability in Salesforce cloud CRM app

By Byron V. Acohido

Cloud application security start-up Elastica should be commended for alerting Salesforce privately about a notable flaw Elastica researchers discovered in one of the subdomains of the official Salesforce website.

Elastica gave Salesforce the heads-up last month, and waited until the CRM giant readied a patch before going public with its finding Wednesday.

Elastica researchers unearthed a cross-site scripting (XSS) vulnerability in admin.salesforce.com, a subdomain used by Salesforce administrators.

Had criminal hackers beaten Elastica to the punch, they could have moved to exploit a huge vector of attack. Thousands of companies, many of them small and mid-size organizations that subscribe to Salesforce, would have been exposed.

An attacker would have been able to execute phishing attacks from inside Salesforce and harvest users’ credentials, with a good chance of eluding spam filters and anti-phishing solutions.

But there is a larger lesson here. Business software can be riddled with flaws like this one, waiting to be discovered. Depending on who finds these so-called zero-day vulnerabilities first, either patching or exploitation can be expected to eventually follow. ThirdCertainty asked Aditya K. Sood, lead architect of Elastica Cloud Threat Labs, to outline the wider context.

3C: Can you characterize how pervasive these types of latent, but as yet undiscovered, vulnerabilities are in business software?

Sood: Any public-facing application is susceptible to an attack. It is difficult to say how many business applications are, but developers can make mistakes, which could result in vulnerabilities. For that reason, we require security assessments of business applications before they are deployed in production environments.

3C: How effective are bounty programs in keeping these types of vulnerabilities mitigated?

Sood: Bug bounties motivate researchers to disclose vulnerabilities to the vendors in a responsible fashion and, in return, researchers get rewarded for their efforts. It definitely helps to build positive relationships with security researchers. It is a very cost-effective … more

VIDEO: Why it’s high time ‘unstructured data’ gets acknowledged, protected

By Byron V. Acohido

Companies are generating mountains of unstructured data and, in doing so, unwittingly adding to their security exposure.

Unstructured data is any piece of information that doesn’t get stored in a database or some other formal data management system.

Some 80 percent of business data is said to be unstructured and that percentage quite obviously has to be rising. Think of it as employee-generated business information—the sum total of human ingenuity that we display in the workplace, typing away on productivity and collaboration software, and dispersing our pearls of wisdom in digital communications.

Unstructured data is all of the data that we are generating on our laptops and mobile devices, storing in cloud services, transferring in email and text messages, and pitching into social media sites.

Many companies are just starting to come to grips with the complex challenge of figuring out how to categorize and manage this deluge of unstructured data.

Sensitive data at risk

But what’s more concerning is the gaping security exposure.

It was unstructured data—in the form of a text message transcript of employees conversing about deflating footballs—that blindsided the New England Patriots NFL team and its star quarterback, Tom Brady.

Yet the full scope of risk created by unstructured data is much more profound.

“The risk that unstructured data poses dwarfs that of any other type of data,” says Adam Laub, product management vice president at STEALTHbits Technologies. “It is the least understood form of data in terms of access, activity, ownership and content.”

I met with Laub as he was pitching STEALTHbits’ technology at the recent RSA Conference in San Francisco. “Any single file can contain the data that puts an organization in the headlines, and turning a blind eye to the problem or claiming it’s too big to handle is not a valid excuse for why unstructured data hasn’t been secured properly,” Laub says.

STEALTHbits helps companies that use Windows Active Directory … more