Ten 2015 Security Risk Lessons from 2014 Breaches

During this time of year, we start to see the lists of top 10 breaches and predictions for the next year. How accurate are these predictions anyway? Did anyone predict that we would have a social media breach (Snapchat) the first week of 2014? Or that the string of breaches at major retailers such as Michaels, P.F. Changs, Urban Outfitters, Jimmy Johns, Ebay, Home Depot and others would have happened so soon after the prominent late 2013 Target breach exposed information on 110 million individuals? Or that one of the largest healthcare breaches involving 4.5 million patients across 206 hospitals would be compromised due to one of the media-highlighted vulnerabilities (Heartbleed, Bashbug, Poodle, etc.)?

As if these breaches were not enough, information stored in faraway online cloud places, such as Apple iCloud, made us pause and wonder where the right places were to store our personal data. Banking organizations are continually attacked, but who would have predicted that JP Morgan Chase, an organization that invests US $250 million annually on security and employs 1,000 security professionals, would have been breached?

Target hired a new CEO, CIO and CISO, each from outside of the company, as a result of the headline-grabbing breach. While there have been multiple retailers coming clean with announcing breaches in the aftermath, Target has been the unfortunate 2014 security-investment-conversation-starter for many organizations at the board of directors level. Target must be breathing a sigh of relief these days with the recent press surrounding the Sony Pictures breach. The focus has now shifted from a retailer attack that was compromised through a third party to nation state breaches and their prevention and/or risk reduction, freedom of speech and appropriate government response.

And let’s not forget that there were many news articles expressing concern about the February Sochi Olympics in Russia. Either we had great defenses and cyber intelligence that made this a non-event, or it was just that: a non-event. Will we ever really know? The FBI regularly notifies companies of breaches. There were more than 3,000 such notifications in 2013, a number that we could have predicted would increase in 2014. Did it?

Would we have predicted that, according to the Identity Theft Resource Center (ITRC), approximately 750 breaches exposing more than 81 million records (56 million attributed to Home Depot) would be reported by mid-December 2014? And what about the breaches that are not required to be reported by legislation or the cases where breaches were reported, but the numbers exposed were simply unknown? Should we expect more or less next year?

Lessons learned
While some of these questions are difficult to answer, there are some clear takeaways for CISOs, auditors and information security professionals:

  1. Information security will remain in the news as a frequent event. The breach of Sony Pictures has implications for how companies should respond to the breach (such as Sony’s pulling the release of the Interview due to the threats received), and how governments should respond to breaches. Expect political posturing and rhetoric within the US and between the US and North Korea for at least the first half of 2015. Discussions will shift to how nation state attacks should be dealt with by private enterprises and what is the cybersecurity responsibility of government.
  2. There should be an increased push for NIST Cybersecurity Framework adoption. Although released in early 2014 in response to the President’s executive directive as a voluntary framework, it could see growing government pressure to move it beyond voluntary. ISACA’s COBIT is a key informative reference in this framework, and a guide exists to help you implement the NIST framework using COBIT.
  3. Vendor risk management should increase. The Target breach highlighted the importance of appropriately segregating networks and understanding vendor security practices. More attention will be placed on vendors, particularly cloud providers, with requests for SSAE16 SOC2, ISO27001 certification, or other independent assurance.
  4. Incident response is as important as prevention. While the details of how the JP Morgan Chase breach occurred are still being investigated, it is clear that significant spending only goes so far, and that every organization needs to ensure that it can adequately respond to a breach in a timely manner.
  5. Public relations departments will continue to minimize the events. Unless a breach involves tens of millions of records or individuals, the news media will not sustain coverage of it. Expect to see these “small” breaches in the single-digit millions minimized by their respective organizations.
  6. Encrypt external storage and hold the keys. With cloud providers maintaining the data, expect to see more attacks focused on these organizations. Small Software as a Service (SaaS) providers may be particularly vulnerable.
  7. Data location will remain a top privacy issue. As countries do not trust each other with obtaining access to data without going through a lawful process, the preference for countries will be to have the data stored regionally (e.g., Canada, USA, European Union, Asia Pacific) and privacy laws will be promoted to retain information within country.
  8. Security professionals will need to embrace mobile technology. With smartphone availability becoming ubiquitous concentrated with several top players, tablet shipments surpassing desktops, and an appetite for BYOD, actions must shift from BYOD avoidance to mobile embracement and ensuring secure mobile code development and administration.
  9. Blocking and tackling has never been more important. Organizations must up the internal bar before the breach happens and invest in technologies that support COBIT 5 for security, NIST Cybersecurity Framework, ISO27001 Certification, SANS Top 20 Critical Controls, OWASP Top 10 and others. Running large organizations with one to two full-time security professionals (outside of identity and access management staff) can no longer be the model. A surprising number of large organizations run very lean with security leadership staffing. End-user behavior must be elevated with security awareness training and phishing simulations, as many of the breaches today start with malware introduced by phishing an end user.
  10. Security skills shortage will continue and recruiters will need to be creative. Some accounts have indicated a near-zero information security professional unemployment rate. Organizations may need to turn to managed security service providers and to developing interested internal professionals in security practices to provide assistance. Breaches have heightened awareness of the need, which in turn has reduced the supply of available talent. This is one key area that ISACA’s Cybersecurity Nexus (CSX) is addressing. Through CSX, ISACA aims to help companies develop their security workforces and help individuals develop or advance a career in cybersecurity.

Next year, we will have a new list of companies that have experienced major breaches. Odds are, one or more of the top 10 takeaways listed above will be involved. As we move into 2015, each of us needs to decide for our organizations which areas we will focus on most. To reduce the risk of becoming the subject of the latest comedy of errors, in the modified words of well-known comedian Larry the Cable Guy, we need to just “Git-R-Done.” I don’t care who you are, having a breach is not funny.

Todd Fitzgerald, CISA, CISM, CRISC, CISSP, CIPP/US, CIPP/E, PMP
Global Director Information Security, Grant Thornton International, Ltd.

[ISACA]

What’s Your Favorite Cybersecurity Book? Maybe It Should Be In the Canon

The Cybersecurity Canon is official, and you can see our website here. We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 20 books on the initial candidate list but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite – we’re actively soliciting your feedback!

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

The members of our Cybersecurity Canon committee have been submitting reviews of Canon-worthy books throughout the past year. Here are just some of the titles that have entered the discussion since we began publishing reviews in November 2013:


We will celebrate the Cybersecurity Canon and make a new induction at Ignite 2015. Register now to join us March 30-April 1, 2015 in Las Vegas.

[Palo Alto Networks Blog]

CoolReaper Revealed: A Backdoor in Coolpad Android Devices

Coolpad is the sixth largest manufacturer of smartphones in the world, and the third largest in China. We recently discovered that the software installed on many of Coolpad’s high-end Android phones includes a backdoor which was installed and operated by Coolpad itself. Today we released a new report detailing the backdoor, which we’ve named “CoolReaper.”

After reviewing Coolpad complaints on message boards about suspicious activities on Coolpad devices, we downloaded multiple copies of the stock ROMs used by Coolpad phones sold in China. We found the majority of the ROMs contained the CoolReaper backdoor.

CoolReaper can perform the following tasks:

  • Download, install, or activate any Android application without user consent or notification
  • Clear user data, uninstall existing applications, or disable system applications
  • Notify users of a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications
  • Send or insert arbitrary SMS or MMS messages into the phone.
  • Dial arbitrary phone numbers
  • Upload information about device, its location, application usage, calling and SMS history to a Coolpad server

We expect device manufacturers to install software on top of Android that provides additional functionality and customization, but CoolReaper does not fall into that category. Some mobile carriers install applications that gather usage statistics and other data on how their devices are performing. CoolReaper goes well beyond this type of data collection and acts as a true backdoor into Coolpad devices.

Coolpad customers in China have reported installation of unwanted applications and push-notification advertisements coming from the backdoor. Complaints about this behavior have been ignored by Coolpad or deleted.

Coolpad has also modified the Android OS contained in many of their ROMs. The modifications are specifically tailored to hide CoolReaper components from the user and from other applications operating on the device. These modifications make the backdoor much more difficult for antivirus programs to detect.

In November a white-hat security researcher identified a vulnerability in the back-end control system for CoolReaper, which allowed him to see how Coolpad controls the backdoor.

CoolReaper is the first malware we have seen that was built and operated by an Android manufacturer. The changes Coolpad made to the Android OS to hide the backdoor from users and antivirus programs are unique and should make people think twice about the integrity of their mobile devices.

Download “CoolReaper: The Coolpad Backdoor” from Unit 42 and learn what you can do to protect your data using the Palo Alto Networks Enterprise Security Platform.


Meet the Unit 42 threat intelligence team at Ignite 2015! Register now to join us March 30-April 1, 2015 in Las Vegas. You can also follow us on Twitter (@Ignite_Conf) or drop us a line at ignite2015@paloaltonetworks.com with any questions.

[Palo Alto Networks Blog]

The Coolest Hacks Of 2014

TSA baggage scanners, evil USB sticks, and smart homes were among the targets in some of the most creative — and yes, scary — hacks this year by security researchers.

It’s easy to forget some of the more innovative and eye-popping hacks by the good guys in 2014 amid the painful and unprecedented wave of cybercrime, cyber espionage, and cyber mayhem that the world has witnessed the past 12 months.

But the lessons learned from the epidemic of retailer hacks this year starting with Target, and the unprecedented destructive breach and doxing of Sony that to date has come as close to an international incident as any cyberattack, serve as a chilling reminder that any organization’s computing infrastructure is breakable by bad hackers. And that raises the stakes in the race to find new security weaknesses before the bad guys do.

The epidemic of real-world breaches this year has lent some blatant and highly tangible credence to the dangers of malicious hacking that white hat hackers for years have been warning about and demonstrating in their own research.

So yes, our annual lighthearted look back at the year’s coolest hacks by the good guys has a more profound feel to it now. Even so, kick back with some holiday cheer and have a look at some of the more memorable and creative hacks this year:

A weaponized PLC
Programmable logic controllers (PLCs), the systems that run machinery in power plants and manufacturing sites, are traditionally the target of attackers looking to disrupt or sabotage critical systems. But Digital Bond researcher Stephen Hilt earlier this year decided to rig a PLC with a low-cost hacking tool that would allow the system to shut down a process control network via a text message.

The so-called “PLCpwn” hacking tool cost Hilt about $400 and a couple of weeks to build, and lets an attacker bypass perimeter security and air gaps to wreak havoc on the plant floor. “It can cause a large disruption with a single text message,” Hilt said. “It will sweep an entire subnet with STOP CPU,” and is capable of data exfiltration and injection-style attacks, he said.

Hilt’s weaponized PLC uses attack modules previously written by Digital Bond, and is based on a 5-volt Raspberry Pi board with DualComm Tap and a DroneCell card for communications.

Cheating TSA’s carry-on baggage scanners
Turns out you can easily sneak a weapon or a banned substance past US airport security by exploiting “lame bugs” in a pervasive X-ray scanner for carry-on baggage at TSA checkpoints.

That’s how renowned researcher Billy Rios described the flaws in the Rapiscan 522 B x-ray system used by the TSA at some major airports. Rios and his colleague Terry McCorkle discovered some painfully wide open holes in the scanners, including user credentials stored in plain text, the outdated Windows 98 as the underlying operating system, as well as a training feature for screeners that injects .bmp images of contraband, such as a gun or knife, into a passenger carry-on in order to test the screener’s reaction during training sessions. The researchers say the weak logins could allow a bad guy to project phony images on the X-ray display.

They were able to easily bypass the login screen and see the stored user credentials sitting in the database store. “These bugs are actually embarrassing. It was embarrassing to report them to DHS — the ability to bypass the login screen. These are really lame bugs,” Rios said.

Hacking satellite ground terminals by air, sea, land
Ruben Santamarta found critical design flaws in the firmware of popular satellite land equipment that could allow attackers to hijack and disrupt communications links to ships, airplanes, military operations, industrial facilities, and emergency services.

An attacker could install malicious firmware or even send an SMS text message to spoof communication to a ship, for example. Another even scarier possibility: he could wrest control over the Satellite Data Unit or SwiftBroadband Unit interface in the satellite terminals sitting on an airplane’s in-flight WiFi network via its weak password reset feature, hardcoded credentials or the insecure protocols that support the so-called AVIATOR 700 satellite terminal, as well as compromise control of the satellite link communications channel used by the pilot.

“We’re not crashing planes here,” Santamarta said of the potential danger, but some of the vulnerabilities could pose a safety risk, he said.

In many cases the attacker would need physical access to the ground equipment, as well as knowledge of the firmware and its security weaknesses.

Smart home devices not so savvy
If an attacker has physical access to your Nest Learning Thermostat or your DropCam camera, bad things can happen easily — and fast. Two groups of researchers this summer demonstrated the ease with which an attacker can turn the devices against their owners to spy on them, attack other devices on the network, or spoof their activities.

University of Central Florida researchers Grant Hernandez and Yier Jin and independent researcher Daniel Buentello showed at Black Hat USA how in less than 15 seconds a bad guy can rig a Nest with a micro USB cable and backdoor to spy on the owner, capture wireless credentials, as well as attack other home network devices. Another risk would be Nests backdoored and then returned to a store or resold on Craigslist to target a neighborhood, for example.

DropCam, the plug-and-play webcam-based video monitoring system used for watching over your house while on vacation or on the kids at daycare, can be similarly abused. Synack researchers Patrick Wardle and Colby Moore at DEF CON this summer demonstrated holes in the WiFi security cameras, such as intercepting video and hot-miking audio for spying purposes. Wardle and Moore inserted a malware “implant” that can infect computers used to configure a DropCam camera.

“Don’t trust a camera from strangers,” Wardle said, a theme echoed by the Nest hackers on the potential for rigged smart thermostats.

Meanwhile, security researcher David Jacoby of Kaspersky Lab recently put his own smart home to the test. That’s right — he hacked his own home, specifically his smart TV, satellite receiver, DVD/Blu-ray player, network storage devices, and gaming consoles. “Before I started, I was pretty sure that my home was pretty secure. I mean, I’ve been working in the security industry for over 15 years, and I’m quite paranoid when it comes to such things as security patches,” Jacoby wrote in a blog post on Dark Reading sharing his findings.

But Jacoby quickly found flaws in his network-attached storage systems, smart TV, and in his home router, including weak default passwords, incorrect permissions in configuration files, and plain text passwords. “The DSL router used to provide wireless Internet access for all other home devices contained several hidden dangerous features that could potentially provide the Internet service provider remote access to any device in my private network. The results were shocking, to say the least,” Jacoby said.

Crashing the vehicle traffic control system
Outfitted with a backpack carrying his prototype access point to passively test access to the vehicle traffic control systems in major cities including Washington and New York, researcher Cesar Cerrudo was able to reach from a few hundred yards away traffic control equipment and access points supporting them.

Cerrudo found that hundreds of thousands of road traffic sensors and repeater equipment are at risk of attackers wreaking havoc that could result in traffic jams or even vehicle crashes. In his experiment, Cerrudo discovered the devices communicate traffic information in clear text and don’t authenticate the data, opening the door for possible sabotage.

The Sensys Networks sensors he tested detect vehicles and use that data to determine the timing of traffic lights and for issuing electronic alerts of events on the highway. “You can sniff the wireless data, learn how the system was configured, how it was working, and then just launch an attack with fake data,” Cerrudo said. The access point will accept the phony traffic data, but an attacker would need to know where the AP, repeaters and sensors are located at an intersection he or she targets.

Sensys Networks recently updated its software, but Cerrudo said it’s difficult to confirm whether the updates fix the security flaws because the nature of the patches wasn’t public.

One bad-ass USB
Don’t trust that USB stick. Researchers Karsten Nohl and Jakob Lell created “BadUSB,” a weaponized USB stick that once plugged into a machine can wage attacks on the network. The pair basically reverse-engineered and retooled its firmware to become an attack tool that among other things steals information or installs malware.

An Android phone plugged into a computer could intercept all network traffic to and from that machine, for instance, and Nohl said there isn’t much you can do to prevent BadUSB attacks. Anti-malware software only scans the data on a USB stick, not the firmware, for example, he noted.

BadUSB can’t be cleaned up by reinstalling the operating system, and it can replace the computer’s BIOS by posing as a keyboard and unlocking a hidden file on the stick.

A worm in your NAS
Jacob Holcomb this fall constructed a proof-of-concept, self-replicating worm that scans for vulnerable services running on network-attached storage devices and identifies the NAS device. If a NAS is vulnerable, the worm launches an exploit to take over the device and then spreads to other NAS devices.

“I wanted to actually develop a POC myself and present it so people can understand the ramifications as my findings are being demonstrated and publicly disclosed, versus six months later when adversarial attackers are trying to exploit it for profit,” Holcomb said.

Holcomb, a security analyst at Independent Security Evaluators, has been studying flaws in NAS devices for the past year or so, and the list of vulnerable products is a who’s who of the storage market: Seagate, D-Link, Lenovo, Buffalo, QNAP, Western Digital, Netgear, ZyXEL, Asustor, TRENDnet, HP, and Synology. “Pretty much everything we do relies on some form of backend storage for access,” he said of the problem.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, CommunicationsWeek, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at The College of William & Mary. Follow her on Twitter @kjhiggins.

[DarkReading]
