A panel of federal judges recently ruled that the structure of the Consumer Financial Protection Bureau, which is led by a single director, is unconstitutional. The CFPB has asked the full court to review the ruling. But cybersecurity attorney Chris Pierson says a change in the bureau's structure would not affect the CFPB's regulatory authority over banks.
Regardless of how the bureau is structured, it will continue to monitor for deceptive and/or fraudulent practices, as well as for practices that violate consumer privacy, he says in an interview with Information Security Media Group.
The CFPB oversees many different programs, laws and regulations, says Pierson, who serves as general counsel and CISO at payments and invoicing provider Viewpost. "Some of those were created by Dodd-Frank," he notes. The bureau also oversees consumer lending laws and Regulation P, the privacy regulation of the Gramm-Leach-Bliley Act.
The case that spurred questions about the CFPB's structure involved PHH Corp., a mortgage lender that was penalized by the CFPB for its use of a wholly owned mortgage reinsurer. The CFPB's enforcement resulted in a $109 million fine against PHH. But the panel of judges reversed the CFPB's decision, finding that the CFPB's status as an independent agency headed by a single director violates Article II of the U.S. Constitution.
"The court did not hold the CFPB to be unconstitutional," Pierson says. "Rather, the majority held that there is a constitutional defect in the actual structure of the CFPB. The court contends that having a sole director of an independent agency only be removable 'for cause' sets forth an important separation of powers issue under the Constitution. So, unless the director acts in a negligent or reckless manner, they are in for the entirety of their [five-year] term."
In September, the CFPB got financial institutions' attention when it fined banking giant Wells Fargo $185 million for allowing employees to access customers' personal information - and in some cases forging data - to subscribe them to products, such as credit cards, that generated revenue for the bank and commissions for salespeople.
Coupled with President-Elect Donald Trump's expressed interest in dismantling the Dodd-Frank Wall Street Reform and Consumer Protection Act, which established the CFPB in 2010, the federal court's ruling has raised questions among banking institutions about the future of the CFPB.
But Pierson says the CFPB's oversight of banks isn't likely to change, even if the bureau's governance structure changes. The CFPB also is one of the five regulatory agencies that comprise the Federal Financial Institutions Examination Council, he notes.
During this interview (see audio link below photo), Pierson also discusses:
The president's power to replace the director of the CFPB if the federal panel's ruling stands;
The long-term impact dismantling Dodd-Frank could have on the CFPB; and
The likelihood the ruling in the PHH Corp. case will be reviewed.
In addition to serving as executive vice president, general counsel and CISO for Viewpost, Pierson serves on the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee. Before joining Viewpost, Pierson was the first chief privacy officer for the Royal Bank of Scotland's U.S. banking operations. He also formerly served as a corporate attorney at the law firm Lewis and Roca, where he established the firm's cybersecurity practice.
As cybercriminals continue to wage more sophisticated, well-funded attacks, it's more urgent than ever to attract qualified professionals to careers in cybersecurity, says Symantec CTO Dr. Hugh Thompson.
"Purely from an intellectual perspective, there are opportunities - there is still some uncharted territory in the security space," he says in an interview with Information Security Media Group. "There is a lot of opportunity to apply creativity and data science to solving some of these issues."
The frequency and sophistication of targeted attacks in 2016 shows that cybercriminals are developing a better understanding of business processes, Thompson says. So the industry needs to incentivize cybersecurity as a career to meet the need for talent to devise cutting-edge protection.
"Look at the SWIFT banking attacks as an example. That required a very intimate understanding of how that process worked," he says. "These targeted attacks are getting even more personalized to individual companies."
Recent distributed denial-of-service attacks fueled by botnets built using internet of things devices demonstrate another emerging threat that must be addressed in the year ahead, Thompson says. "Some of the recent attacks have brought what was a theoretical set of possibilities into sharp focus as reality," he notes (see: Can't Stop the Mirai Malware).
Meanwhile, as more enterprises adopt cloud-based services, their model for providing adequate security must change, he adds.
In this exclusive interview (see audio player below photo), Thompson provides insights on:
Major cybersecurity trends this year;
Predictions on security challenges and up-and-coming technologies for 2017; and
His view of the security industry after taking over as CTO of Symantec.
Thompson formerly was chief security strategist and senior vice president at Blue Coat Systems. He was named CTO of Symantec after the company acquired Blue Coat in August. Thompson has more than a decade of experience in creating methodologies that help organizations build more secure systems. For the past several years, he has served as the program committee chairman for RSA Conference. He has co-authored four books and written more than 80 papers on security and has taught computer security at Columbia University for five years.
Apple informed iOS developers this week that it has decided to give them more time to ensure that their applications communicate over a secure HTTPS connection.
In June, at the company’s Worldwide Developers Conference (WWDC), Apple announced that all the iOS applications in the App Store would have to use App Transport Security (ATS) by the end of the year.
ATS, enabled by default with the release of iOS 9.0 and OS X 10.11, is designed to protect connections between an app and its servers by enforcing the use of HTTPS.
Apple appears to have realized that many developers will not make the January 1 deadline so it has decided to extend it indefinitely. After the company’s announcement in June, many developers raised concerns that their apps would not work with ATS due to hardware and infrastructure issues.
Some believed they would still be able to publish their applications on the App Store even without HTTPS if they could provide a reasonable justification during the app review process.
A study conducted recently by enterprise mobile threat protection firm Appthority showed that only 3 percent of the top 200 iOS apps used in enterprises worldwide implemented ATS without any changes or exceptions that weakened it.
“Since our report on ATS compliance three weeks ago, we have seen only a 2% increase - from 3% to 5% - in iOS apps that fully meet the tougher security standards,” Robbie Forkish, VP of engineering at Appthority, told SecurityWeek. “Thus, it’s no surprise to us that developers were not ready to meet the Jan 1 deadline initially set by Apple. Unfortunately, Apple has chosen to extend the deadline to comply with its ATS security mandate indefinitely, leaving enterprise data at risk while giving developers more time to comply. We hope this delay is a short-term setback.”
In a blog post published on Thursday, Forkish provided a series of recommendations to help enterprises monitor and potentially remediate apps without ATS.
“In light of this new development, we recommend that enterprises track the state of apps’ ATS compliance and consider alternatives to apps that access sensitive corporate data and don’t secure their network connections using ATS,” Forkish said. “We further recommend that enterprises select apps that employ certificate pinning, so as to proactively avoid man-in-the-middle (MiTM) attacks.”
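The recommendation above is to track the ATS state of each app in the enterprise inventory. As an added illustration (not code from Appthority, Apple or any app vendor), the following Python script inspects an app's Info.plist and reports every ATS key that weakens the default HTTPS enforcement: the global NSAllowsArbitraryLoads family, and per-domain exceptions that allow plaintext HTTP, lower the minimum TLS version below 1.2 or disable forward secrecy. The two plists are constructed samples; the bundle identifiers and domains are placeholders.

```python
import plistlib

# Constructed Info.plist fragments (not from any real app) standing in for what an
# inventory tool would extract from each .ipa. The first weakens ATS; the second keeps it.
WEAKENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.legacyapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

COMPLIANT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.cleanapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# App-wide keys that switch off ATS protection for some class of connection.
GLOBAL_WEAKENERS = {
    "NSAllowsArbitraryLoads": "plaintext HTTP allowed app-wide",
    "NSAllowsArbitraryLoadsInWebContent": "plaintext HTTP allowed in web views",
    "NSAllowsArbitraryLoadsForMedia": "plaintext HTTP allowed for media loads",
}

def ats_findings(plist_bytes):
    """Return a list of human-readable findings; an empty list means ATS is left at its defaults."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for key, why in GLOBAL_WEAKENERS.items():
        if ats.get(key) is True:
            findings.append(f"{key}: {why}")
    # Per-domain exceptions are only a problem when they relax a protection; an
    # exception that merely restates the TLS 1.2 default (see COMPLIANT_PLIST) is fine.
    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        if opts.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: plaintext HTTP allowed")
        tls = opts.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
        if opts.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy requirement disabled")
    return findings

def ats_compliant(plist_bytes):
    """True when no ATS-weakening key is present."""
    return not ats_findings(plist_bytes)

if __name__ == "__main__":
    for name, data in (("legacyapp", WEAKENED_PLIST), ("cleanapp", COMPLIANT_PLIST)):
        print(name, "compliant" if ats_compliant(data) else ats_findings(data))
```

A clean result here means only that the app has not opted out of ATS in its Info.plist; it does not prove that every connection the app makes goes through the system networking stack ATS governs, so it is a first filter for the inventory, not a substitute for observing the app's traffic.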
Related: Google Tracks Use of HTTPS on Top 100 Websites
Related: WordPress to Require Hosts to Support HTTPS
Related: 95% of HTTPS Servers Vulnerable to Trivial Connection Hijacking
[Update] Vulnerabilities in NETGEAR WNR2000 routers allow an attacker to retrieve the administrator password and take full control of the affected networking device, a security researcher has discovered.
The vulnerabilities are exploitable over a local area network (LAN) by default, but security researcher Pedro Ribeiro explains that, if remote administration is enabled, they could be exploited remotely over the Internet as well. According to Ribeiro, around 10,000 vulnerable devices have already been identified, but these are only the ones with remote admin enabled, meaning that tens of thousands of other routers could also be affected.
The security flaws were found in WNR2000v5, which doesn’t have remote administration enabled by default on the latest firmware, meaning that remote attacks would only be possible if a user had manually enabled remote admin access. Versions 3 and 4 of the router are believed to be vulnerable as well, although the researcher hasn’t tested them.
The issue is that NETGEAR WNR2000 allows an admin to perform various functions through an apparent CGI script named apply.cgi, which is actually a function invoked in the HTTP server (uhttpd) when the respective string is received in the URL. By reverse engineering uhttpd, the researcher discovered that it allows an unauthenticated user to perform the same sensitive admin functions by invoking apply_noauth.cgi.
Thus, an unauthenticated attacker can exploit some of the available functions immediately, such as rebooting the router. For access to other functions, such as changing Internet or WLAN settings or retrieving the administrative password, the attacker has to send a "timestamp" variable attached to the URL.
“This timestamp is generated every time the target page is accessed and functions as a sort of anti-CSRF token. The timestamp generating function was reverse engineered and due to incorrect use of random number generation (details below) it is possible to identify the token in less than 1000 attempts with no other previous knowledge,” Ribeiro explains.
By exploiting this and an information leakage vulnerability in the router, the attacker can recover the administrator password and then use it to enable telnet functionality in the router and obtain a root shell, provided that the attacker is in the LAN.
Additionally, the security researcher found a stack buffer overflow which could allow an unauthenticated attacker to take full control over the device and execute code remotely. For that, however, the attacker would have to also leverage the apply_noauth.cgi vulnerability and the timestamp identifying attack. The code could be executed both in the LAN and in the WAN.
According to Ribeiro, because NETGEAR didn’t respond to his emails, he decided to publish not only an advisory on the discovered issues, but also the exploit code that leverages said vulnerabilities, thus turning them into 0-days. No CVE has been assigned to the issues either.
Contacted by SecurityWeek, NETGEAR confirmed the password recovery and command execution issues in its WNR2000 routers and said a firmware update to patch the vulnerability will be released as quickly as possible.
“NETGEAR is aware of the reported security vulnerability related to WNR2000 router as stated by Pedro Ribeiro, including password recovery and command execution. This vulnerability occurs when an attacker can access the internal network or when Remote Management is enabled on the router,” the company said in an email.
“NETGEAR plans to release firmware updates that fix the remote access and command execution vulnerability for all affected products as quickly as possible,” the company said.
In the meantime, affected users can use a workaround, which involves turning off Remote Management. To do so, they should access http://www.routerlogin.net from a computer that is part of the home network, log in with their admin credentials, go to Advanced > Remote Management, clear the check box for Turn Remote Management On, then click Apply to save the changes.
Earlier this month, NETGEAR R7000, R6400, and R8000 routers, and possibly other models, were revealed to be affected by a critical security vulnerability that could be remotely exploited to hijack the devices. By getting a user to visit a specially crafted web page, an attacker could execute arbitrary commands with root privileges on affected routers. The company detailed patching plans immediately after the flaw made it to the headlines.
Related: Netgear Routers Plagued by Serious Vulnerabilities
*Updated with response from NETGEAR
Open Whisper Systems informed users on Wednesday that the latest Android version of its secure messaging app Signal includes a feature designed to bypass censorship in some countries.
The company learned recently that ISPs in Egypt and the United Arab Emirates had started blocking the Signal service and website, likely in an effort to prevent users from communicating over channels that authorities cannot access.
In order to bypass these censorship attempts, the latest version of Signal for Android uses a technique called domain fronting, which involves disguising traffic to make it look as if it’s going to a host allowed by the censor.
Domain fronting was described last year in a paper published by researchers at the University of California - Berkeley, Psiphon Inc., and Brave New Software.
“The key idea is the use of different domain names at different layers of communication. One domain appears on the ‘outside’ of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the ‘inside’—in the HTTP Host header, invisible to the censor under HTTPS encryption,” researchers explained.
Since the technique involves the use of services from major companies such as Google, Amazon, CloudFlare, Fastly and Akamai, the censor can only block communications by banning the entire service, which can result in serious collateral damage.
In the case of Signal, messages look like regular HTTPS requests to google.com and blocking these communications would require ISPs to block Google altogether. Domain fronting is enabled for Signal users who have phone numbers with Egypt or UAE country codes.
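The two-layer idea in the paper (one name in DNS and the TLS SNI, another in the encrypted HTTP Host header) and the collateral-damage consequence described above can be modelled without any network at all. The following Python script is an added illustration, not Signal's or Open Whisper Systems' code: a censor that can only inspect the outer layer, and a CDN-style edge that terminates TLS for the front domain and then routes on the inner Host header. The host names other than google.com (which the article itself names as the front) and the origin labels are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HttpsRequest:
    """One HTTPS request seen at the two layers the paper distinguishes."""
    front_domain: str   # outer layer: the DNS lookup and the TLS SNI, visible on the wire
    host_header: str    # inner layer: the HTTP Host header, encrypted inside the TLS session
    path: str = "/"

def censor_observes(req):
    """Everything a network-level censor can see: only the outer layer."""
    return {"dns": req.front_domain, "sni": req.front_domain}

def censor_allows(blocklist, req):
    """The censor's decision can only key on what it observes; the Host header is invisible."""
    return censor_observes(req)["sni"] not in blocklist

class FrontableEdge:
    """Edge of a CDN-style service that terminates TLS for one front domain and then
    routes on the inner Host header. Origins here are constructed labels."""
    def __init__(self, front_domain, origins):
        self.front_domain = front_domain
        self.origins = origins  # Host header value -> origin label

    def route(self, req):
        if req.front_domain != self.front_domain:
            raise ValueError("handshake for a name this edge does not serve")
        return self.origins.get(req.host_header, self.origins[self.front_domain])

def deliver(blocklist, edge, req):
    """End to end: the censor acts first on the outer layer, then the edge routes on the inner one."""
    if not censor_allows(blocklist, req):
        return "blocked"
    return edge.route(req)

# Constructed names: google.com is the front the article mentions; the inner host and origins are placeholders.
EDGE = FrontableEdge("google.com", {"google.com": "search-origin",
                                    "fronted-app.example": "messaging-origin"})
DIRECT = HttpsRequest("messaging.example", "messaging.example", "/v1/messages")
FRONTED = HttpsRequest("google.com", "fronted-app.example", "/v1/messages")
ORDINARY = HttpsRequest("google.com", "google.com", "/search")

def scenario():
    """Returns (direct, fronted, fronted_after_broad_block, collateral)."""
    narrow = {"messaging.example"}                # the ISP blocks the service's own domain
    direct = deliver(narrow, EDGE, DIRECT)        # "blocked"
    fronted = deliver(narrow, EDGE, FRONTED)      # "messaging-origin": the narrow block is bypassed
    broad = narrow | {"google.com"}               # the only lever left is to block the front itself
    after = deliver(broad, EDGE, FRONTED)         # "blocked"
    collateral = deliver(broad, EDGE, ORDINARY)   # "blocked" too: the price of the broad block
    return direct, fronted, after, collateral

if __name__ == "__main__":
    print("censor sees for fronted request:", censor_observes(FRONTED))
    print("direct, fronted, after broad block, collateral:", scenario())
```

The same property is what a network defender sees from the other side: SNI and DNS logging cannot tell fronted traffic apart from ordinary traffic to the front domain, so any monitoring that depends on the outer name alone has the censor's blind spot.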
Domain fronting via Google was used by a censorship circumvention tool called GoAgent in China, but it only worked until June 2014, when the country decided to block all Google services.
The new censorship circumvention feature is also present in the beta channel of Signal for iOS and it will soon become generally available to iPhone and iPad users.
“Follow up releases will include detecting censorship and applying circumvention when needed (eg. so that when users with phone numbers from other countries visit places where censorship is being deployed, Signal will work without a VPN for them as well) and expanding the services that domain front for Signal,” said Open Whisper Systems founder Moxie Marlinspike.
Related: Flaw Allows Hackers to Alter "Signal" Attachments
Related: Open Whisper Systems Launches Encrypted Messaging App for Desktop
Related: Meet Matrix, an Open Standard for De-centralized Encrypted Communications
Severe non-malware attacks and ransomware are the two stand-out malicious behaviors of 2016. When combined, as they have been with the PowerWare extortion, the attack can be both dangerous and difficult to detect.
Carbon Black analyzed data from more than 1,000 customers representing 2.5 million endpoints. It found (PDF) that nearly all organizations have been targeted by non-malware attacks in 2016, and that in any 90-day period, about one-third of all organizations will encounter at least one such attack. Incidences of non-malware attacks spiked by more than 90% in the second quarter of 2016, and have remained at elevated levels ever since.
Ransomware is the fastest-growing malware across all industries, and instances grew by 50% over the year. Locky is the most used variety, used in one out of every four ransomware attacks. Other popular families include CryptoWall, CryptXXX, Bitman (TeslaCrypt) and Onion (or CTB Locker). In March 2016 Carbon Black discovered PowerWare, a non-malware ransomware.
PowerWare uses Microsoft PowerShell to avoid dropping detectable malware onto the disk. The technique, however, is not limited to ransomware. "The alleged hack against the Democratic National Committee (DNC) earlier this year," notes Carbon Black, "was reported to have leveraged both PowerShell and Windows Management Instrumentation (WMI) in order for attackers to move laterally and remain undetected."
SecurityWeek talked to Ben Johnson, co-founder and Chief Security Strategist at Carbon Black, to see how non-malware attacks operate, and how they can be detected and prevented.
"Non-malware attacks have been around for a few years, but have really picked up steam this year," Johnson said. "It's the bad guys 'living off the land'; making use of applications that are part of and trusted by the operating system in order to go undetected."
A typical attack scenario could include a phishing email with an attached Microsoft Office document. The document would contain a macro. If the user can be lured into running the macro, then from system memory that macro could issue instructions to a variety of system apps. The most commonly used are PowerShell and WMI, but it could be any, such as FTP, that can script and copy and perform other basic functions.
The point, said Johnson, is "the whole kill chain can be conducted without installing anything or dropping any binary to disk. When we talk about non-malware leveraging built-in tools like PowerShell or FTP or Remote Desktop the attack is using something that sys admins would normally use anyway."
Most defenses are looking for known malware or new and strange binaries. "They tend to just assume that if it's a trusted OS utility it must be OK -- I'm just going to let it run, I'm not even going to watch it. That's one of the main reasons why non-malware attacks are on the rise," said Johnson.
Detecting non-malware intrusions requires more than just looking at files; it requires monitoring processes. "The easiest approach, but not the be all and end all of it, is to look at the relationship and the command line," he explained. "As soon as you can see PowerShell being used, in this case you would say, why is MS Word spawning PowerShell? You have to look at the context where the more traditional approaches just look at the individual programs that are running."
A second approach is to look at the content of the command line. "What usually happens from an attacker," he continued, "is a bunch of arguments get pasted onto the command line, and the script itself is usually encoded with say, Base64, so it just looks like random characters rather than English text. If you can recognize unrecognizable text, you know it's not likely to be good."
A third approach looks at the execution of the script. "We like to think of it kind of like an iceberg," he explained. "In a boat, instead of looking at just what's above the surface, that little piece of the iceberg that's visible, you have to be aware of everything that's hidden just below. It's the same with cyber defense." So once PowerShell starts running, you check to see if it is behaving normally. Is it trying to access a large number of files in a very short space of time; or perhaps trying to communicate outside of the network? Both of these would be considered unusual and should be blocked.
The key is in establishing what is normal behavior. If you set the bar too high, then uncommon rather than abnormal activity will be blocked, and business processes will be disturbed. If you set it too low, then malicious activity can proceed undetected. The solution, said Johnson, "is a continuous learning process, tweaking the system to gain the optimum performance in line with the user's individual risk posture. On this basis we can choose to allow, alert or block."
But as a rule of thumb, the more the user can whitelist processes -- and Johnson and Carbon Black are big supporters of whitelisting -- the stronger the defense will be. As an example, suggested Johnson, "If it is known that the only valid use of PowerShell is a particular script from IT that runs at a set time each night to update applications across the system, then this can be whitelisted and allowed, and all other uses of PowerShell will automatically be blocked." In this scenario, PowerWare wouldn't even get out of its macro.
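The three signals Johnson describes (process lineage, command-line content, runtime behaviour) plus the whitelist can be written down as a small policy engine. The Python below is an added example, not Carbon Black's product logic: it evaluates constructed process-creation records such as an endpoint sensor would report, in both the tuned allow/alert/block mode and the strict whitelist mode from the quote. The Office and built-in tool names are real Windows binaries; the whitelisted script path, the sample events and the thresholds are assumptions.

```python
import base64
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Constructed process-creation record in the shape an endpoint sensor reports; not real telemetry."""
    parent: str
    image: str
    cmdline: str
    hour: int = 12               # local hour of launch, checked against the whitelist window
    files_per_min: int = 0       # file-access rate observed after launch
    external_conn: bool = False  # opened a connection outside the network

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BUILTINS = {"powershell.exe", "wmic.exe", "cmd.exe", "ftp.exe", "mstsc.exe"}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+\S+", re.IGNORECASE)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # a long run of Base64 alphabet: "unrecognizable text"

# The one sanctioned PowerShell job from IT (constructed path): that script, 01:00 to 02:59 only.
WHITELIST = [("powershell.exe", r"c:\it\nightly-update.ps1", range(1, 3))]

def is_whitelisted(ev):
    return any(ev.image.lower() == img and script in ev.cmdline.lower() and ev.hour in hours
               for img, script, hours in WHITELIST)

def reasons_for(ev):
    """The three signals from the interview: process lineage, command-line content, runtime behaviour."""
    r = []
    if ev.parent.lower() in OFFICE:
        r.append(f"{ev.parent} spawned {ev.image}")
    if ENCODED_FLAG.search(ev.cmdline) or B64_RUN.search(ev.cmdline):
        r.append("encoded or unreadable command line")
    if ev.files_per_min >= 100:
        r.append(f"touched {ev.files_per_min} files/min")
    if ev.external_conn:
        r.append("connected outside the network")
    return r

def evaluate(ev, strict=False):
    """Return (verdict, reasons). strict=True is the pure-whitelist posture Johnson describes:
    any use of a built-in tool that is not the sanctioned job is blocked outright."""
    if ev.image.lower() not in BUILTINS:
        return "allow", []
    if is_whitelisted(ev):
        return "allow", ["sanctioned job"]
    r = reasons_for(ev)
    if strict:
        return "block", r or ["built-in tool used outside whitelist"]
    # Tuned mode: an Office parent alone is enough to block; one weaker signal only alerts.
    if len(r) >= 2 or any("spawned" in x for x in r):
        return "block", r
    return ("alert", r) if r else ("allow", r)

# Constructed sample events; the encoded argument is a harmless string, not a real payload.
SAMPLE_ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
EVENTS = {
    "macro": ProcessEvent("WINWORD.EXE", "powershell.exe",
                          f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}",
                          files_per_min=400, external_conn=True),
    "nightly": ProcessEvent("taskeng.exe", "powershell.exe",
                            r"powershell.exe -File C:\IT\nightly-update.ps1", hour=2),
    "admin": ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe Get-Service"),
    "browser": ProcessEvent("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:8} tuned={evaluate(ev)} strict={evaluate(ev, strict=True)}")
```

The B64_RUN pattern is deliberately coarse; a long hash or token on a legitimate command line will trip it, which is why on its own it only raises an alert and the block decisions lean on lineage and behaviour. The strict mode shows the trade-off from the text directly: the interactive admin session is blocked along with the macro, so it is only viable where the sanctioned uses really are enumerable.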
Related Reading: Breaches are More than Malware
Computing pioneer Alan Kay once said, “Context is worth 80 IQ points.” On the IQ scale, where average is about 100 and Einstein is 160+, context could propel you into the genius category pretty handily. For cybersecurity professionals who know that the industry has no shortage of threat data, context is the lever that turns threat data into threat intelligence.
In a previous column I described how the path to threat intelligence starts by organizing the multiple data feeds many organizations subscribe to and translating them into a uniform and usable format. This global threat data gives you some insight into activities outside of your enterprise. But to turn that data into intelligence you need to augment and enrich it with internal threat and event data. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack. More specifically:
Who and what: The actors or groups behind the attack, if they are government sponsored, and what they typically target (size of organization, industry, geography).
When and why: Their motivation (financial, political, hacktivism) and intent (steal data, disrupt systems, extortion, make a statement) and if there is a particular trigger event that attracts their attention to a specific target (M&A activity, expansion, new technology adoption, cyclical activity).
How and where: The tactics, techniques, and procedures (TTPs) the adversaries use to make decisions, expand access and execute their objectives; their capabilities and the methods they employ be it exploit kits or other types of attacks “as a service” or the infrastructure they utilize; and what systems are targeted and possibly affected.
The SamSam ransomware attack offers an example of the role of context in helping organizations understand how adversaries operate and make better decisions about how to deal with an attack.
Typically executed via an exploit kit or a phishing campaign, ransomware seeks to deny the targeted organization access to files or data unless they pay a fee for unlocking them. The SamSam ransomware variant, however, doesn’t rely on end-users clicking on a malicious link or attachment. It compromises unpatched servers, such as JBoss application servers, to gain a foothold in the network and then moves laterally to compromise additional machines which are held for ransom.
As was widely reported, SamSam appears to target the healthcare industry and was the variant used in March 2016 to compromise the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington, DC area. The attackers requested 45 Bitcoins (about $18,500) to restore files they had encrypted on multiple Windows systems. MedStar didn't pay the ransom because it had a backup of the files. It was also able to detect the attack early and prevent it from infecting additional systems. Soon after, the FBI issued a confidential warning that included indicators of compromise (IoCs) to help other security teams monitor for SamSam infections.
As you can see from this example, when context is applied correctly, you can begin to build an intelligence profile that describes your adversaries, their campaign methods, indicators of their actions, and events that occur. This also allows you to better detect and scope an attack that bypassed your existing layers of defense. It provides information such as what this specific threat actor’s attacks look like and where else they have gone inside the network.
Context transforms your threat data into intelligence. The next step is to use that intelligence for better decisions and action. In the SamSam example, that action included patching vulnerabilities, network segmentation and off-site backup solutions.
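The correlation step (external indicators joined to internal events, then pivoting to where else the adversary went) and the action step can be shown as a small worked example. The Python below is an added illustration by this editor, not code from the column's author or any vendor: a normalised external feed entry whose actor profile mirrors the SamSam description above, a handful of internal events, a correlation routine that builds the who/what/why/how profile and widens the scope through host-to-host relationships, and a mapping from observed TTPs to the three actions the column names. All indicator values, host names and event text are constructed placeholders, not real IoCs.

```python
from dataclasses import dataclass

@dataclass
class Indicator:
    """One entry from an external feed after normalisation to a uniform format."""
    kind: str          # "ip", "domain", "sha256", ...
    value: str
    actor: str         # who
    motivation: str    # why
    targets: str       # what they target
    ttps: list         # how
    trigger: str = ""  # when: the event that draws their attention

@dataclass
class InternalEvent:
    """One normalised record from an internal source (SIEM alert, log store, case system)."""
    source: str
    host: str    # where the event was observed
    kind: str    # matches Indicator.kind, or "host" for a host-to-host relationship
    value: str
    detail: str

# Constructed feed: the IP and domain are placeholders; the profile mirrors the SamSam description.
FEED = [
    Indicator("ip", "203.0.113.7", "SamSam operators", "financial (extortion)",
              "healthcare; unpatched internet-facing servers",
              ["exploit unpatched JBoss application servers",
               "move laterally to additional hosts",
               "encrypt files and demand Bitcoin"],
              trigger="exposed unpatched server"),
    Indicator("domain", "kit-landing.example", "UNKNOWN-CONSTRUCTED", "unknown", "unknown",
              ["commodity exploit kit"]),
]

# Constructed internal events; ordering is deliberate so the pivot needs a second pass.
EVENTS = [
    InternalEvent("siem", "jboss-app-01", "ip", "203.0.113.7", "HTTP requests to JBoss management path"),
    InternalEvent("logs", "jboss-app-01", "process", "java.exe -> cmd.exe", "web server spawned a shell"),
    InternalEvent("logs", "fileserver-02", "process", "cmd.exe -> rename", "mass file renames"),
    InternalEvent("siem", "fileserver-02", "host", "jboss-app-01", "SMB admin share logon from jboss-app-01"),
    InternalEvent("logs", "ws-114", "domain", "cdn.example", "DNS query"),
    InternalEvent("siem", "ws-114", "ip", "198.51.100.9", "outbound HTTPS"),
]

def correlate(feed, events):
    """Join internal events to feed indicators on (kind, value), then pivot through hosts."""
    index = {(i.kind, i.value): i for i in feed}
    profiles = {}
    for ev in events:
        ind = index.get((ev.kind, ev.value))
        if ind is None:
            continue
        p = profiles.setdefault(ind.actor, {
            "actor": ind.actor, "why": ind.motivation, "who_they_target": ind.targets,
            "how": list(ind.ttps), "trigger": ind.trigger,
            "indicators": set(), "hosts": set(), "events": []})
        p["indicators"].add(f"{ev.kind}:{ev.value}")
        p["hosts"].add(ev.host)
        p["events"].append(ev)
    # Scope: pull in events on affected hosts, and events naming an affected host as their
    # source (lateral movement), repeating until no new host appears.
    for p in profiles.values():
        changed = True
        while changed:
            changed = False
            for ev in events:
                if ev in p["events"]:
                    continue
                if ev.host in p["hosts"] or (ev.kind == "host" and ev.value in p["hosts"]):
                    p["events"].append(ev)
                    if ev.host not in p["hosts"]:
                        p["hosts"].add(ev.host)
                        changed = True
    return profiles

# The column's own action list, keyed on words in the observed TTPs.
ACTION_FOR_TTP = [("unpatched", "patch and inventory internet-facing servers"),
                  ("lateral", "segment the network; restrict admin shares between tiers"),
                  ("encrypt", "verify off-site backups and the restore procedure")]

def next_actions(profile):
    acts = []
    for ttp in profile["how"]:
        for needle, act in ACTION_FOR_TTP:
            if needle in ttp and act not in acts:
                acts.append(act)
    return acts

if __name__ == "__main__":
    for p in correlate(FEED, EVENTS).values():
        print(p["actor"], "| hosts:", sorted(p["hosts"]), "| events:", len(p["events"]))
        print("actions:", next_actions(p))
```

The unmatched feed entry and the two ws-114 events stay out of the profile, which is the point of correlating rather than alerting on every indicator: the result is one actor profile with the two hosts actually touched, in the order the intrusion moved, and a short action list tied to what the adversary is known to do.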
Einstein acted on his genius-level IQ to create the Theory of Relativity. With your threat IQ elevated you may not be able to invent a new way of looking at the world, but you’ll be ready to look at data in a new way and turn it into actionable intelligence.