Ransomware. Phishing. Credential stuffing. These are among the top threats to financial institutions of all sizes. Small-to-midsized ones are particularly challenged to detect and respond to these threats. Arctic Wolf's Security Expert, Todd Thiemann, discusses the value of deploying managed detection and response (MDR) security.
The expense and challenge of maintaining in-house cybersecurity resources are just too great for many institutions, so managed services become an attractive option, says Thiemann.
"You need to keep some of the key things in-house, such as strategy and planning and boots-on-the-ground response," Thiemann says. "However, outsourcing can be more effective to monitor your environment for compliance, as well as detect and respond to bad stuff."
In an interview about MDR for the mid-market, Thiemann discusses:
The business value of MDR and SOC-as-a-service;
How these managed services augment - not replace - existing staff;
Questions security leaders should ask before selecting an MDR vendor.

Thiemann is responsible for product marketing at Arctic Wolf. He has over 15 years of information security experience across a range of subjects including malware detection, SIEM, encryption, key management and IAM/authentication at leading cybersecurity companies including Trend Micro, Vormetric/Thales, PrivateCore and Nok Nok Labs.
Forty-eight percent of customers drop the products and services of organizations that have had a publicly-disclosed data breach. This is but one of the findings of the new 2018 Global State of Online Digital Trust study commissioned by CA Technologies. CA's David Duncan analyzes the results.
Duncan, CA's Vice President of Product & Solutions Marketing in the Security Business Unit, says the bottom line is: Digital trust matters.
"And if organizations don't get that right, they're going to suffer significant business impact," Duncan says.
This new research study, developed by Frost and Sullivan, was conducted during the Facebook/Cambridge Analytica scandal in March and April of this year. Its purpose was to understand the true state of digital trust: whether it is improving or declining, and how digital trust and its importance are viewed by the critical groups involved in the process - consumers, cybersecurity professionals and business decision-makers from 10 different countries.
In an interview about this research, Duncan discusses:
Highlights of the study;
The business implications of a breach of trust;
How identity and access management technologies must evolve to meet consumer expectations of security and ease of use.

Get the full Global State of Digital Trust Survey and Index 2018 here.
Duncan is Vice President of Marketing for CA Technologies' Security Business. He has over 35 years' experience in cyber security, including as founder and CEO of ENCRYPTX, a leading provider of encryption and digital rights management software, as CMO at Webroot and Tenable, and as a member of McAfee's Advisory Board. Duncan served for a decade with the US government and the National Security Agency in intelligence collection operations and computer security engineering. He attended the National Cryptologic School and designed and accredited classified computer systems to the Trusted Computer System Evaluation Criteria. He is co-author of 4 patent filings.
A researcher has discovered that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems.
Back in 2014, IOActive Principal Security Consultant Ruben Santamarta published a research paper describing theoretical attack scenarios on satellite communications. The expert resumed his research in November 2017, after taking a look at the in-flight entertainment system during a Norwegian flight.
After passively collecting traffic from the airplane’s Wi-Fi network, Santamarta noticed that several commonly used services, such as Telnet, HTTP and FTP, were available for certain IP addresses, and some interfaces associated with the plane’s on-board satellite communications (satcom) modems were accessible without authentication.
Further research into satcom systems revealed the existence of various types of vulnerabilities, including insecure protocols, backdoors, and improper configuration that could allow attackers to take control of affected devices. The expert disclosed his findings this week at the Black Hat security conference in Las Vegas.
Specifically, Santamarta has found security holes that can be exploited by remote hackers to take control of satcom equipment on commercial flights, earth stations on ships, and earth stations used by the U.S. military in conflict zones.
In the case of commercial aviation, the researcher discovered that hackers could have targeted, from the ground, hundreds of planes from Southwest, Norwegian and Icelandair.
Worryingly, in the case of one airplane, the researcher discovered that its satcom terminal had already been targeted from the ground by the Gafgyt IoT botnet via a compromised router.
“There is no indication that this malware family either had success accessing the SATCOM terminal on any aircraft or that it was specifically targeting airborne routers, so we should consider this situation as a ‘collateral damage’. However, the astonishing fact is that this botnet was, inadvertently, performing brute-force attacks against SATCOM modems located onboard an in-flight aircraft,” Santamarta wrote in his research paper.
Even more worrying is the fact that one of the vessels analyzed by the expert already had its Antenna Control Unit (ACU) infected with the Mirai malware.
In the military and maritime sectors, remote attacks on satcom systems could pose a safety risk. In the case of ships, for instance, attackers could disrupt communications or conduct cyber-physical attacks using high-intensity radiated fields (HIRF), radio-frequency energy strong enough to adversely affect living organisms and electronic devices. In the case of the military, malicious actors could abuse satcom systems to pinpoint the location of military units, disrupt communications, and conduct HIRF attacks.
On the other hand, remote attacks on an aircraft’s satcom equipment do not pose a safety risk due to the isolation between various systems on board. However, a hacker could still intercept or modify in-flight Wi-Fi traffic, and hijack devices belonging to passengers and crew.
IOActive disclosed the findings to affected vendors and organizations such as US-CERT and ICS-CERT, and while the aforementioned airlines and some of the affected equipment manufacturers have taken steps to address the issues, others have not been very open to collaboration.
In addition to Santamarta’s presentation at Black Hat, IOActive Senior Security Consultant Josep Pi Rodriguez will give a talk on Sunday at the DEF CON conference on vulnerabilities discovered in the Extreme Networks embedded WingOS.
According to the researcher, the flaws he has identified can be exploited to hack millions of devices found in aircraft, government agencies, and smart cities.
Researchers have demonstrated that brand new Mac computers used in enterprise environments can be hacked by sophisticated threat actors on the first boot through Apple’s mobile device management (MDM) protocol.
MDM is designed to allow system administrators to send management commands to managed macOS and iOS devices, including to install or remove applications, monitor compliance with corporate policies, and securely erase or lock a device.
When a device is enrolled in MDM, it receives a Configuration Profile, which can either be installed manually or automatically using the Device Enrollment Program (DEP). If DEP is used on macOS, the device automatically checks in with the MDM server during the initial setup process or after the system has been reset to factory settings and the operating system has been reinstalled.
The DEP profile received by a device during this process is delivered by Apple but populated by the MDM server. The profile includes information such as the MDM server’s URL, pinned certificates, and which screens should be skipped during the setup process.
One of the most popular MDM commands used during the initial setup process is InstallApplication, which allows administrators to install a specified application package. The command relies on a manifest URL that returns an XML file containing all the information needed to install the app.
Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, showed this week at the Black Hat security conference how a threat actor could compromise the retrieval of the manifest and install a different application than the one intended by the victim.
Exploitation involves a man-in-the-middle (MitM) attack, which makes it difficult for unsophisticated cybercrime groups. However, a sophisticated state-sponsored actor or a malicious ISP may be able to carry out such an attack and infiltrate devices in a targeted organization.
According to Bélanger and Endahl, an attacker could use this method to take full control of Mac computers right after they are unboxed, as soon as they connect to the organization’s Wi-Fi network.
The researchers disclosed their findings to Apple in late April and the tech giant acknowledged their findings on May 2. The company implemented a fix on July 9 with the release of macOS 10.13.6.
Apple addressed the issue by implementing a new MDM command named InstallEnterpriseApplication. This command allows MDM vendors to provide specific certificates to pin the request to the manifest URL.
“It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem,” the researchers wrote in a paper.
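The mitigation described above hinges on two things: the manifest must only be trusted when it was fetched from a server presenting a pinned certificate, and the package must then be checked against the integrity data the manifest carries. The following is an added example, not code from Fleetsmith, Dropbox or Apple, modelling that defender-side flow in Python. The manifest layout (items/assets/metadata with a software-package asset and per-chunk MD5s) follows the format Apple's InstallApplication command consumes, but the URLs, bundle identifier, certificate bytes and package contents are all constructed for the demonstration; an MDM vendor would pin the real server certificate's fingerprint instead.

```python
import hashlib
import plistlib
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample values; nothing here comes from a real MDM deployment.
SAMPLE_PACKAGE = bytes(range(256)) * 40        # 10,240-byte stand-in for a .pkg
SAMPLE_BUNDLE_ID = "com.example.corp-agent"    # hypothetical bundle identifier
CHUNK_SIZE = 4096                              # md5-size used in the sample manifest


def leaf_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, the value an MDM vendor would pin."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_is_pinned(der_cert: bytes, pinned: set) -> bool:
    return leaf_fingerprint(der_cert) in pinned


def fetch_manifest_pinned(manifest_url: str, pinned: set, timeout: float = 10.0) -> bytes:
    """Fetch the manifest only if the TLS leaf certificate matches a pinned fingerprint.
    Normal chain and hostname validation still run; the pin is an extra gate, so an
    on-path attacker holding a certificate from some other CA cannot substitute a manifest."""
    parts = urlparse(manifest_url)
    if parts.scheme != "https":
        raise ValueError("manifest URL must be https")
    ctx = ssl.create_default_context()
    with socket.create_connection((parts.hostname, parts.port or 443), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
            if not cert_is_pinned(tls.getpeercert(binary_form=True), pinned):
                raise ssl.SSLCertVerificationError("manifest server certificate is not pinned")
            path = parts.path or "/"
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {parts.hostname}\r\n\r\n".encode())
            response = b""
            while chunk := tls.recv(65536):
                response += chunk
    _headers, _, body = response.partition(b"\r\n\r\n")
    return body


def build_sample_manifest(package: bytes, pkg_url: str) -> bytes:
    """Construct a manifest in the items/assets/metadata layout InstallApplication
    consumes, with per-chunk MD5s covering the package."""
    md5s = [hashlib.md5(package[i:i + CHUNK_SIZE]).hexdigest()
            for i in range(0, len(package), CHUNK_SIZE)]
    manifest = {"items": [{
        "assets": [{"kind": "software-package", "url": pkg_url,
                    "md5-size": CHUNK_SIZE, "md5s": md5s}],
        "metadata": {"bundle-identifier": SAMPLE_BUNDLE_ID, "bundle-version": "1.0",
                     "kind": "software", "title": "Corp Agent"},
    }]}
    return plistlib.dumps(manifest)


def parse_manifest(xml_bytes: bytes) -> dict:
    """Extract the software-package asset and refuse anything not served over https."""
    plist = plistlib.loads(xml_bytes)
    item = plist["items"][0]
    asset = next(a for a in item["assets"] if a["kind"] == "software-package")
    if urlparse(asset["url"]).scheme != "https":
        raise ValueError("package URL must be https")
    return {"url": asset["url"], "md5_size": asset["md5-size"],
            "md5s": list(asset["md5s"]), "bundle_id": item["metadata"]["bundle-identifier"]}


def package_matches_manifest(package: bytes, parsed: dict) -> bool:
    """Verify the downloaded package against the manifest's chunked MD5 list."""
    size = parsed["md5_size"]
    chunks = [package[i:i + size] for i in range(0, len(package), size)]
    if len(chunks) != len(parsed["md5s"]):
        return False
    return all(hashlib.md5(c).hexdigest() == h for c, h in zip(chunks, parsed["md5s"]))


def demo() -> dict:
    """Run the checks against constructed data only (no network access)."""
    good_cert = b"\x30\x82\x01\x00constructed-der-for-mdm-server"   # stand-in DER bytes
    rogue_cert = b"\x30\x82\x01\x00constructed-der-for-mitm-box"
    pins = {leaf_fingerprint(good_cert)}
    manifest = build_sample_manifest(SAMPLE_PACKAGE, "https://mdm.example.test/agent.pkg")
    parsed = parse_manifest(manifest)
    tampered = SAMPLE_PACKAGE[:-1] + b"\x00"
    return {
        "pinned_cert_accepted": cert_is_pinned(good_cert, pins),
        "rogue_cert_accepted": cert_is_pinned(rogue_cert, pins),
        "genuine_package_ok": package_matches_manifest(SAMPLE_PACKAGE, parsed),
        "tampered_package_ok": package_matches_manifest(tampered, parsed),
        "bundle_id": parsed["bundle_id"],
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations is the point: without the pin, a manifest served by an on-path host would pass ordinary TLS validation, and the chunk hashes it carries would then simply describe the attacker's package. Pinning the leaf certificate is the simplest form to show; pinning the SubjectPublicKeyInfo hash instead survives certificate renewal with the same key.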
Bitfi Gets Pwnies Award for 'Lamest Vendor Response'
How John McAfee's Cryptocurrency Hardware Wallet and Company Fell Short
(euroinfosec) • August 9, 2018
Photo: Neha Narula

Hubris has a new name: Bitfi.
The cryptocurrency wallet-building company, backed by technology eccentric John McAfee, stormed to an apparently easy win on Wednesday at the annual Pwnie Awards, taking the not-so-coveted, spray-painted "My Little Pony" figurine for "Lamest Vendor Response."
Held annually at the Black Hat conference in Las Vegas, the Pwnie Awards are devoted to "celebrating and making fun of the achievements and failures of security researchers and the wider security community" (see 'Epic Fail': OPM Bests Ashley Madison).
Enter Bitfi. First announced on June 19, with a shipping date of June 27, Bitfi says its cryptocurrency wallet is "the result of years of painstaking research and development" and that it cannot be hacked to recover the private key that was used to encrypt the device, thus making it impossible for an attacker to steal any cryptocurrency it stores.
"If the device is seized or stolen, taken apart and forensically analyzed the private keys cannot be retrieved," Bitfi says.
McAfee - founder of the eponymous anti-virus firm, escapee from Belize, one-time U.S. presidential candidate and gonzo technology eccentric - serves as chairman of Bitfi. He and the company have continued to claim that its cryptocurrency hardware wallet is "unhackable."
But Bitfi and its claims took a pounding as a team of security researchers subjected the devices to real-world tests and then communicated their findings. The researchers have been careful to note that they're not providing free penetration testing for Bitfi, which would involve helping the company to refine its product's security. Rather, they're calling the company out for what they see as inaccurate claims about the product's security and warning that the claims could give buyers a false sense of security.
"The Pwnie Awards last night gave some good examples of how vendors should not handle security disclosures," Alan Woodward tweeted Thursday. He's a professor of computer science at the University of Surrey who's been working with a global team of researchers who have been examining Bitfi security in their spare time.
Bitfi says it is so sure that its device can't be hacked that it is offering $250,000 to anyone who can successfully hack the device and recover cryptocurrency that the company has preloaded.
Terms and conditions apply: To qualify for the $250,000 bounty, a security researcher needs to purchase a device from the company and request to participate in the bounty, which costs $10. "The reason for the charge is because we need to ensure serious inquiries only," Bitfi says on its website.
The company has also clarified that it wasn't looking for help troubleshooting its devices' security. "This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks," it says. "Rather this program is intended to demonstrate to anyone who claims or believes that nothing is unhackable or that they can hack into the Bitfi wallet, that such attempts are futile and that the advertised claims about the Bitfi wallet are accurate."
McAfee has continued to double down on those claims.
"It can't be hacked," McAfee said in a July 28 tweet.
"Fact. There is no software on the device, and no memory," he said. "So you can't do a software hack. And the pass phrase is stored nowhere. Not in a server, not in the device ... nowhere. There is nothing you can do to the hardware that will give you the pass phrase."
The team of security researchers that has been looking into the security of Bitfi's devices has been led by Andrew Tierney (@CyberGibbons), a security consultant at Pen Test Partners, which is no stranger to unmasking devices with questionable security (see Yes, Unicorns With Bluetooth Problems Really Do Exist).
Their collective efforts initially met with some hostility from an affiliate marketer of Bitfi (@Bitfi6), leading to a now-deleted tweet. Bitfi agreed with Woodward that one of the tweets from the Bitfi Twitter account, about a researcher, amounted to "hate speech."
Members of the research team, including Woodward, have also continued to directly question claims made by the company.
By Aug. 4, Woodward reported that two of the researchers had hacked the supposedly unhackable, and that their exploit also allowed them to cover their tracks, leaving potential users none the wiser. In other words, it didn't appear to be unhackable or tamper-proof.
On Aug. 5, research team member Ryan Castellucci (@ryandotorg) reported being able to steal the passphrase and salt from Tierney's Bitfi.
"It prompts you to enter salt and passphrase when keys are needed and generates them in memory. There is no second factor at all, it's purely 'something you know,'" Castellucci said via Twitter.
Bitfi continues to claim that no one has successfully complied with the narrow terms of its bounty program, which requires would-be researchers to steal cryptocurrency that's been loaded by Bitfi onto one of its wallets.
"Are your coins secure on BitFi? Absolutely!! For weeks we have offered hackers the opportunity to get our wallet pre-loaded with Bitcoins. If they can take them we will pay them $250,000. No one has done that. It's a simple challenge. Your coins are safe," McAfee said in a Wednesday tweet.
To date, however, no researcher has come forward to say that they've been able to get a preloaded wallet. While researchers from Pen Test Partners and Cisco say they have a Bitfi, they all purchased them directly.
Malware researcher Daniel Gallagher says he's seen no evidence that Bitfi ever shipped a device to anyone under the terms and conditions of its bounty program. "They literally created an impossible task by refusing to send the device required to satisfy the terms of the engagement," Gallagher said via Twitter.
"They have confirmed that they have shipped less than 10 bounty devices," tweeted the Dublin-based security researcher known as @BunkoPirate. "Zero is also less than 10."
On Thursday, Bitfi told me that it had shipped "several" devices to security researchers, including one shipment to Castellucci, who tweeted the company on Wednesday asking for three units for next-day delivery.
"I'd like to demo something to the press this weekend. No funny business," Castellucci said.
What is a would-be buyer to do with a supposedly unhackable cryptocurrency wallet that can apparently be hacked?
"If you decide that your #Bitfi isn't secure enough for storing crypto currency creds, it makes for a handy retro gaming platform too," says Ken Munro, a partner at Pen Test Partners, via Twitter (see Who Hacked Barbie?).
On Thursday, Bitfi told me that it believes it is being misunderstood, and said that hacking the device to play games was no demonstration that a user's cryptocurrency could have been stolen. "No one has been able to demonstrate that they can steal users funds and no one has yet claimed either of the two bounties (one to simulate if your device gets stolen, pays $250,000 and the second to simulate a man in the middle attack, pays $10,000)," the company said.
"We also think it's rather disappointing that a lot of media picked up on claims made by some person hiding behind a picture of a cat, with absolutely no proof of concept, no evidence, or anything else," Bitfi said. "No real researcher would make claims without backing them up and most importantly, why don't they claim the bounty?"
Security researchers say the whole Bitfi saga is a case study in how not to work with researchers who report product flaws to manufacturers. It's also a cautionary tale about cybersecurity hyperbole.
"Don't make claims that are demonstrably false or impossible to substantiate," Munro says in a blog post.
"Everyone likes a challenge, particularly infosec researchers. If your claims are questioned, engage constructively; try to avoid confrontation. Don't persist or the coverage will build, and the Streisand effect takes over," he says.
Regardless, "it's never too late to change direction" and to rebuild a company's reputation, he adds.
Seemingly presaging its Pwnies win, Bitfi tweeted a rainbow on Tuesday, pledging to work more closely with the information security research community.
"They now have a much more constructive approach," Munro says in his Thursday blog post. "Well done for addressing this Bitfi, hopefully [it's] the shape of things to come."
The U.S. is bracing for cyberattacks Iran could launch in retaliation for the re-imposition of sanctions this week by President Donald Trump, cybersecurity and intelligence experts say.
Concern over that cyber threat has been rising since May, when Trump pulled out of the 2015 nuclear deal, under which the U.S. and other world powers eased economic sanctions in exchange for curbs on Iran’s nuclear program. The experts say the threat would intensify following Washington’s move Tuesday to re-impose economic restrictions on Tehran.
“While we have no specific threats, we have seen an increase in chatter related to Iranian threat activity over the past several weeks,” said Priscilla Moriuchi, director of strategic threat development at Recorded Future, a global real-time cyber threat intelligence company. The Massachusetts-based company predicted back in May that the U.S. withdrawal from the nuclear agreement would provoke a cyber response from the Iranian government within two to four months.
U.S. intelligence agencies have singled out Iran as one of the main foreign cyber threats facing America, along with Russia, China and North Korea. A wave of attacks that U.S. authorities blamed on Iran between 2012 and 2014 targeted banks and caused tens of millions of dollars in damage. They also targeted but failed to penetrate critical infrastructure.
Iran denies using its cyber capabilities for offensive purposes, and accuses the U.S. of targeting Iran. Several years ago, the top-secret Stuxnet computer virus destroyed centrifuges involved in Iran’s contested nuclear program. Stuxnet, which is widely believed to be an American and Israeli creation, caused thousands of centrifuges at Iran’s Natanz nuclear facility to spin themselves to destruction at the height of the West’s fears over Iran’s program.
“The United States has been the most aggressive country in the world in offensive cyber activity and publicly boasted about attacking targets across the world,” said Alireza Miryousefi, spokesman for Iran’s diplomatic mission at the United Nations, contending that Iran’s cyber capabilities are “exclusively for defensive purposes.”
Gen. Qassem Soleimani, who heads the elite Quds Force of Iran’s hard-line paramilitary Revolutionary Guard, has sounded more ominous, warning late last month about Iran’s capabilities in “asymmetric war,” a veiled reference to nontraditional warfare that could include cyber attacks.
The Trump administration says it re-imposed sanctions on Iran to prevent its aggression — denying it the funds it needs to finance terrorism, its missile program and forces in conflicts in Yemen and Syria.
The sanctions restarted Tuesday target U.S. dollar financial transactions, Iran’s automotive sector and the purchase of commercial planes and metals, including gold. Even stronger sanctions targeting Iran’s oil sector and central bank are to be re-imposed in early November. European leaders have expressed deep regret about the U.S. actions. They hit Iran at a time when its unemployment is rising, the country’s currency has collapsed and demonstrators are taking to the streets to protest social issues and labor unrest.
Norm Roule, former Iran manager for the office of the Director of National Intelligence, said he thinks Tehran will muster its cyber forces in response.
“I think there is a good chance Iran will use cyber, probably not an attack that is so destructive that it would fragment its remaining relationship with Europe, but I just don’t think the Iranians will think there is much cost to doing this,” Roule said. “And it’s a good way to show their capacity to inflict economic cost against the United States.”
“Iran’s cyber activities against the world have been the most consequential, costly and aggressive in the history of the internet, more so than Russia. ... The Iranians are destructive cyber operators,” Roule said, adding that Iranian hackers have, at times, impersonated Israeli and Western cyber security firm websites to harvest log-in information.
The office of Director of National Intelligence Dan Coats declined to comment Tuesday on the likelihood that Iran will answer the sanctions with cyber operations against the U.S. When the U.S. pulled out of the nuclear deal, the FBI issued a warning saying that hackers in Iran “could potentially use a range of computer network operations — from scanning networks for potential vulnerabilities to data-deletion attacks — against U.S.-based networks in response to the U.S. government’s withdrawal” from the nuclear pact.
Accenture Security, a global consulting, managing and technology company, also warned Tuesday that the new sanctions are “likely to push that country to intensify state-sponsored cyber threat activities,” particularly if Iran fails to keep its European counterparts committed to the nuclear pact.
Josh Ray, the firm’s managing director for cyber defense, said it hasn’t seen any evidence that Iran has launched any new cyber operations, but he said Iran has the capability to do it and has historically operated in a retaliatory manner.
“This still remains a highly capable, espionage-related type threat,” Ray said. “Organizations need to take this threat seriously. They need to understand how their business could potentially be impacted.”
Recorded Future’s Moriuchi anticipated that businesses most at risk were those victimized in Iranian cyberattacks between 2012 and 2014 — they include banks and financial services, government departments, critical infrastructure providers, and oil and energy.
Those cyberattacks cost nearly 50 financial institutions tens of millions of dollars. The repeated attacks disabled bank websites and kept hundreds of thousands of customers from accessing their online accounts. U.S. prosecutors indicted several Iranians, alleging they worked at the behest of the Iranian government.
One defendant allegedly targeted the computer systems of the Bowman Dam in Rye, New York. No access was gained, but prosecutors said the breach underscored the potential vulnerabilities of the nation’s critical infrastructure.
In March, the Justice Department also announced charges against nine Iranians accused of working at the behest of the Islamic Revolutionary Guard Corps to steal large quantities of academic data from hundreds of universities in the United States and abroad as well as email accounts belonging to employees of government agencies and private companies.
Researchers have disclosed the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. The flaws have been patched, but they could have been exploited to install outdated firmware and get ATMs to dispense cash.
Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have conducted a successful black box attack against the NCR S1 and S2 cash dispenser controllers. In these types of attacks, the attacker only sees inputs and outputs, without having any knowledge of the system’s internal workings.
The method, which the researchers described as a “logical attack,” requires physical access to the targeted device. In this particular case, an attacker could have leveraged the poor physical security of the targeted dispenser controller to connect to it, install vulnerable firmware, and issue commands that would instruct the machine to dispense cash.
The experts disclosed their findings this week at the Black Hat security conference in Las Vegas.
Two different security holes have been found that allow an attacker to roll back the firmware to an older, vulnerable version.
One of them is CVE-2017-17668, which affects the S1 controller, and the other is CVE-2018-5717, which affects the S2 controller.
The flaws are similar and they are both related to insufficient protection of the memory write mechanism. They can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities, according to Positive Technologies.
“Our research indicated that not all requests from the ATM computer to the dispenser were encrypted. Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous,” said Alexey Stennikov, Head of Hardware Security Analysis at Positive Technologies.
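The two NCR flaws let an attacker reinstall an older, correctly signed firmware image, so the guard that matters is the one sitting in front of the memory write path: authenticate the image and refuse any version below a persisted floor. The following is an added example, not code from Positive Technologies or NCR, modelling that anti-rollback check in Python. The image layout, the HMAC-based signing (a stand-in for the asymmetric signature a real controller would verify) and the version numbers are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                                   # constructed image magic
HEADER = struct.Struct("<4sII")                   # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size            # HMAC-SHA256 tag appended to the image
SIGNING_KEY = b"constructed-vendor-signing-key"   # stand-in for the vendor's image key


def build_image(version: int, payload: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Produce a signed image: header || payload || HMAC(header || payload)."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image: bytes, key: bytes = SIGNING_KEY):
    """Return (version, payload) if the image is well-formed and authentic, else None."""
    if len(image) < HEADER.size + TAG_LEN:
        return None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None                       # wrong key or tampered bytes
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or len(body) != HEADER.size + length:
        return None                       # truncated or mislabelled image
    return version, body[HEADER.size:]


class Controller:
    """Dispenser-style controller that keeps a monotonically increasing version floor.
    On real hardware the floor lives in a counter the firmware write path cannot lower."""

    def __init__(self, installed_version: int):
        self.installed_version = installed_version
        self.min_version = installed_version      # persisted anti-rollback counter

    def apply_update(self, image: bytes) -> str:
        parsed = verify_image(image)
        if parsed is None:
            return "rejected: bad signature or malformed image"
        version, _payload = parsed
        if version < self.min_version:
            # A genuine, correctly signed but older image is still refused, so a
            # release with known vulnerabilities cannot be reinstalled.
            return f"rejected: rollback to v{version} below floor v{self.min_version}"
        self.installed_version = version
        self.min_version = max(self.min_version, version)
        return f"installed v{version}"


def demo() -> list:
    """Exercise the three cases: valid upgrade, signed downgrade, forged image."""
    ctrl = Controller(installed_version=2)
    current = build_image(3, b"fixed release")
    old_but_signed = build_image(1, b"release with known bug")
    forged = build_image(4, b"attacker build", key=b"not-the-vendor-key")
    return [ctrl.apply_update(current),
            ctrl.apply_update(old_but_signed),
            ctrl.apply_update(forged)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two properties carry the weight here: the signature check runs before any version field is trusted, and the floor is raised only after a successful install, never lowered. The vendor's described fix goes a step further by also strengthening the physical authentication that gates encrypted communication with the dispenser, which this model does not cover.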
The researchers notified NCR of their findings and the vendor released critical firmware updates in February that should provide better protection against black box attacks. The update should address the firmware rollback vulnerability and it adds an extra layer of protection for physical authentication mechanisms.
“The physical authentication mechanism used to authorize encrypted communications to the dispenser has been strengthened to add protection against an attacker using endoscope technology in an attempt to manipulate dispenser electronics from outside the safe. Additionally, further authentication mechanisms have been added as configuration options,” NCR said in its advisory.