Monday, November 24, 2014

New Stealth Malware Compared to Stuxnet

Regin is a sophisticated piece of malware revealed by Symantec last night that targets specific users of Microsoft Windows-based computers. It has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers," possibly a western government, as a targeted multi-purpose data collection tool.

Commenting on this, TK Keanini, Lancope's CTO, said, "As threats become more advanced, defenses in turn must also advance which makes the game not Information Technology, but the game of innovation. When you look at this stuff for a long time, you begin to realize that beautiful design is just beautiful and elegant. It is difficult not to applaud a beautifully designed system no matter what team you're on.

"If you asked me what Regin's main objective was, I would not answer surveillance. I would answer evasive and stealth operations because, without it, surveillance and any other objective could not be performed.

"Einstein was quoted as saying that problems cannot be solved at the same logical level they have been created, so the most effective defensive strategy is to leverage technical adjacencies to Regin’s operations that will detect it early in its lifecycle. For example, while there are encryption and clever covert channels being used for communication, with the right detection algorithms (not signatures) these protocol anomalies are obvious. These custom TCP and UDP protocols will show up in state of the art anomaly detection and let your signature based security tools take care of the other threats."

Tuesday, November 18, 2014

Cyber Economics

The economics of cyber threats are simple: cyber attacks are easy to organize and cheap to enact. Any computer anywhere can become the front line of an attack, which is not only difficult to defend against but leads to the need for constant vigilance and flexible defensive moves, both of which are rather more costly. CIOs and CISOs need to reverse these economics and change the game in their favor by driving down the cost to defend and increasing the cost to attack. You can read more about this here.

Friday, November 14, 2014

Call for Chapters: Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations

We have a new book underway, Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations, edited by Dr. Fei Hu from the University of Alabama. If you're interested in participating, here's a link to the Call for Chapters.

Wednesday, November 12, 2014

Catastrophic Windows Bug - Could It Be Microsoft's Heartbleed/Shellshock?


Ars Technica reported today that there's a potentially catastrophic bug affecting all versions of Windows. How surprised or shocked should we be? After years of such shattering news, not very. The bug, which allows execution of malicious code, resides in the TLS stack.

TK Keanini, CTO of Lancope, suggests that "System administrators should already have a process to review and patch each Patch Tuesday. Those who have these good habits remain secure; those who have bad habits need reminders or ultimately get compromised before they get around to updating.

"This bug affects the listening side of the connection, traditionally the server, but it is difficult these days to make this differentiation with software installing on traditional desktop OSes as servers. Online games are particularly notorious for installing listening ports for incoming connections, so it is best that everyone just apply the patch regardless of the client or server designation.

"Attackers will just add this to their playbook as they explore your network for access vectors. You have two tasks: the first is to patch and narrow the aperture of your target surface, but more importantly the second is to have the telemetry in place so that if someone is performing this reconnaissance on your network, you can identify them and shut them down prior to exploitation or exfiltration. Put it this way: if banks had no security cameras or incident response, crooks could show up with tools and torches and take their time as they made their way into the safe."

Amichai Shulman, CTO at Imperva, adds, "The advisory from Microsoft does not state that hosts running web servers are more vulnerable than others to this. It seems that while the same patch includes enhancement to the TLS ciphersuite list, this enhancement has nothing to do with the vulnerability being patched. If this vulnerability is indeed exploitable via SSL/TLS it is more severe in nature than Heartbleed because this is a remote code execution vulnerability: it allows the attacker to completely take over the server (while Heartbleed attempted, opportunistically, to collect sensitive information)."

For more on patch management, see these articles and Security Patch Management by Felicia M. Nicastro.

5 Reasons to Establish a Patch Management Policy

Security Patch Management: Getting Started

Monday, November 10, 2014

Darkhotel Malware Targets Travellers via Hotel WiFi


I can't remember where I heard or read this tale recently, but someone was using hotel wi-fi recently and discovered he had access to someone else's computer. I suspect it's unrelated to Darkhotel, but Darkhotel might exploit the same vulnerability.

Here's the story from Wired.

Commenting on the attacks, Ian Pratt, co-founder at Bromium, said:

"Attacks using Wi-Fi captive portals are certainly on the rise. The networks at hotels are particularly attractive as information about the user's name and the organisation they work for is frequently available, enabling very targeted attacks. It is common for hotels to outsource provision of networking services, and hence these third parties become attractive targets to attackers to target visitors staying at many hotels. In some parts of the world state security services specifically take advantage of this.

"Even a VPN is unable to help protect against many of these attacks. Most Wi-Fi networks require you to successfully sign in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers' hands, bringing the infection onto the enterprise network.

"I don't think execs are getting enough security education, and they are typically some of the worst at following operational security advice they have been given. Worse, there are many examples of execs using their political clout to ask for IT restrictions that other employees face to be removed for themselves, without understanding the consequences. Everyone needs to understand the risk and the appropriate mitigations."

Thursday, November 6, 2014

Warning on BlackEnergy Rising Threat


As reported at TechWorld, "A cyberespionage group that has built its operations around a malware program called BlackEnergy has been compromising routers and Linux systems based on ARM and MIPS architectures in addition to Windows computers."

Ken Bechtel, malware research analyst at Tenable, warns that "Companies that are not actively monitoring network traffic may not be able to identify BlackEnergy malware in a timely manner. Since routers are neither protected from malware nor routinely scanned, compromising them puts attackers in the catbird seat, granting large scale visibility into the network and plenty of time to scout network defenses before selecting a target.

"In this scenario, the initiative rests completely with the attackers, so traditional network defenses are not enough to detect and remediate the threat. Continuous monitoring can help companies reduce the attack surface by specifically looking for abnormal activity originating in routers."
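Both the Regin comment above (custom TCP and UDP protocols standing out to anomaly detection rather than signatures) and Ken Bechtel's point about watching for abnormal activity originating in routers describe the same defensive idea: learn what each class of device normally talks to, then flag departures. The following is an added illustration of that idea, not code from the original post or from Lancope or Tenable. It works over constructed NetFlow-style records; the hosts, roles, addresses and the set of services a router is assumed to originate (NTP, syslog, SNMP traps, DNS) are all assumptions made for the example.

```python
"""Flow-baseline anomaly detection over constructed NetFlow-style records.

Added example, not from the original post or any vendor product. It learns,
per device role, which (protocol, destination port) pairs are normal during a
clean training window, then flags:
  1. flows using a protocol/port pair never seen for that role (the kind of
     custom TCP/UDP protocol that signatures miss but a baseline exposes), and
  2. flows a router itself initiates to anything other than its expected
     management services (router-originated activity).
All hosts, roles, addresses and flows below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source address (the host that initiated the flow)
    dst: str        # destination address
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port
    bytes_out: int  # bytes sent by src


# Constructed role map: in practice this comes from an asset inventory.
ROLES = {
    "10.0.0.1": "router",
    "10.0.0.2": "router",
    "10.0.1.10": "workstation",
    "10.0.1.11": "workstation",
    "10.0.2.5": "server",
}

# Assumed set of services a router is expected to originate itself:
# NTP, syslog, SNMP traps and DNS. Anything else from a router is suspect.
ROUTER_ALLOWED = {("udp", 123), ("udp", 514), ("udp", 162), ("udp", 53)}


def learn_baseline(flows):
    """Return {role: set of (proto, dst_port)} observed in a clean window."""
    baseline = defaultdict(set)
    for f in flows:
        role = ROLES.get(f.src, "unknown")
        baseline[role].add((f.proto, f.dst_port))
    return baseline


def detect(flows, baseline):
    """Return (flow, reason) tuples for flows that deviate from the baseline."""
    findings = []
    for f in flows:
        role = ROLES.get(f.src, "unknown")
        key = (f.proto, f.dst_port)
        if role == "router" and key not in ROUTER_ALLOWED:
            findings.append((f, "router-originated flow outside management services"))
        elif key not in baseline.get(role, set()):
            findings.append((f, f"unseen {f.proto}/{f.dst_port} for role {role}"))
    return findings


# Constructed training window: ordinary traffic only.
TRAINING = [
    Flow("10.0.1.10", "10.0.2.5", "tcp", 443, 5000),    # workstation -> internal web
    Flow("10.0.1.11", "10.0.2.5", "tcp", 443, 4200),
    Flow("10.0.2.5", "10.0.2.53", "udp", 53, 100),       # server -> internal DNS
    Flow("10.0.0.1", "10.0.2.50", "udp", 123, 76),       # router -> NTP
    Flow("10.0.0.1", "10.0.2.51", "udp", 514, 300),      # router -> syslog
]

# Constructed live window: two flows break the learned pattern.
LIVE = [
    Flow("10.0.1.10", "10.0.2.5", "tcp", 443, 6100),      # normal
    Flow("10.0.1.11", "203.0.113.9", "tcp", 8443, 90000), # workstation, unseen protocol/port
    Flow("10.0.0.2", "198.51.100.7", "tcp", 443, 250000), # router initiating outbound HTTPS
    Flow("10.0.0.1", "10.0.2.50", "udp", 123, 76),        # normal NTP
    Flow("10.0.2.5", "10.0.2.53", "udp", 53, 100),        # normal DNS
]


def run_demo():
    """Train on TRAINING, evaluate LIVE, return the findings list."""
    return detect(LIVE, learn_baseline(TRAINING))


if __name__ == "__main__":
    for flow, reason in run_demo():
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dst_port}: {reason}")
```

The model is deliberately a set of allowed pairs per role rather than a per-host profile, so a single new workstation does not need its own training window; a real deployment would add byte-volume and destination-reputation features and a way to retire stale baseline entries.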

Wednesday, November 5, 2014

5 Ways Your Phone Can Keep You Safe While Traveling

Wow! Something else to do with your mobile phone besides selfies and sexting.

Personal Security: A Guide for International Travelers

Want to know other ways to protect yourself while travelling? Get a copy of Personal Security: A Guide for International Travelers. It gives you invaluable and--dare I say it?--life-saving advice on how to prevent security incidents and react in life-saving ways during a crisis. This comprehensive manual answers questions such as: Which criteria should you use for selecting the safest hotel or airline? How do you deal with corrupt officials? What are the special considerations for women, families, the elderly, or travelers with disabilities? What support can you expect from your organization, and what are your responsibilities?

Tanya Spencer has traveled extensively to high-risk destinations and has trained thousands of people in how to safely navigate the complexities of international travel. Emphasizing prevention, the book covers medical, cultural, and political considerations, so you understand exactly what you must do before and while you are abroad. It provides flexible frameworks, models, and tools that allow you to easily apply the wealth of tips and advice to any travel situation you might face. Before your next trip, benefit from these time-tested strategies for proactively managing travel risks.