Tuesday, June 28, 2016

IoT Botnet: 25,513 CCTV Cameras Used in Crushing DDoS Attacks

It's only a matter of time before these types of attacks proliferate.

June 28, 2016 -- Eskenzi PR -- Researchers from security firm Sucuri have encountered a denial-of-service botnet that's made up of more than 25,000 internet-connected closed circuit TV devices. The malicious network was discovered whilst Sucuri was defending a small brick-and-mortar jewellery shop against a distributed denial-of-service attack. After the DDoS continued for several days, Sucuri researchers soon discovered the individual devices carrying out the attack were CCTV boxes that were connected to more than 25,500 different IP addresses, located in no fewer than 105 countries around the world.

"For over a decade, security professionals have been evangelizing that anything with an IP address can become the victim of a cyber-attack, and anything with an IP address can be used in a cyber-attack," notes Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS IB. "Here is another case in point whereby a vulnerability has been exploited, remote code execution has been successful, and a botnet has been constructed from devices that rarely, if ever get updated. This problem is going to continue to grow as more and more devices get connected.  IPv6 will serve to increase this problem even further.

"In the world of IPv4, network address translation (NAT) has helped hide devices from attackers on the Internet.  Devices sitting behind a firewall using NAT, are often not visible from the Internet itself.  Although NAT was designed to solve the fossil fuel effect of IPv4, it was never intended to be a security feature - but has helped.  However, in IPv6 the concept of NAT isn’t needed.  Every device can have a publicly visible IP address.  As a result, hacking will grow exponentially."

The Internet of Things (IoT) has attracted strong interest from both academia and industry. Unfortunately, it has also attracted the attention of hackers. Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations brings together some of the top IoT security experts from around the world who contribute their knowledge regarding different IoT security aspects. It answers the question "How do we use efficient algorithms, models, and implementations to cover the four important aspects of IoT security, i.e., confidentiality, authentication, integrity, and availability?"

Building Cyber Awareness: What I Would Do First


Cyber security experts are often asked what strides an organization should take in order to measurably reduce their exposure to cyber threat actors, and their relentless cyber-attacks. Deploying the right security technologies obviously makes good sense. However, no matter how much security technology you deploy, it will never completely replace good common sense. Most cyber-attacks that result in data theft involve the human element, and the dreaded 'click;' that is, the act of an employee being fooled by a phishing E-mail and clicking a link or attachment that installs malicious software without detection. Reducing this single liability would serve to improve anyone's defensive posture. This article discusses how to solve this problem.

Monday, June 27, 2016

Ransomware Infections Double in Two Years

KnowBe4 just released the first long-time study focusing on IT Pros experience with ransomware. In June 2016 KnowBe4 surveyed 1,138 companies in a variety of industries and compared your levels of concern about ransomware in 2014 to 2016. It's not a pretty picture.

Thursday, June 16, 2016

Security Experts Offer Password Hygiene Tips

PORTLAND, Ore. -- June 15, 2016 -- In May 2016, security researchers discovered that millions of user accounts from popular sites like LinkedIn, MySpace and Tumblr were for sale in underground marketplaces. The victims' personal data came from multiple widespread data breaches, many of which took place between 2011 and 2013. Overall, the breaches revealed over 642 million passwords, and the FBI has issued a warning that cyber criminals have already started using information stemming from the breaches in blackmail and ransomware schemes.

According to the FBI, "The recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient's social media contacts, family, and friends if a ransom is not paid. The recipient is instructed to pay in Bitcoin, a virtual currency that provides a high degree of anonymity to the transactions."

"With the increase of breaches that we've seen over the past few years, it's likely at least one of your passwords has been stolen by a hacker," said Travis Smith, senior security research engineer for Tripwire. "It's entirely possible one of your accounts has been compromised and that the website or service has not yet discovered the breach."

"Passwords are often the weakest link in an otherwise secure system," said Craig Young, security researcher for Tripwire. "The reuse of passwords across multiple systems and the use of simple passwords commonly found in password cracking dictionaries account for a large number of account hijackings."

Major vendors like Microsoft are taking direct steps to ban common passwords, but the attacks stemming from recent data breaches serve as serious reminders for users to take a closer look at their passwords. Tripwire security experts offer the following advice for consumers to improve their password hygiene:

•    Change your passwords on a regular basis. Many of the passwords from these recent data breaches are being sold on the dark web and are over three years old. Using stale passwords can keep you exposed to threats.
•    Stop using passwords and start using passphrases. Using a series of words is far less likely to show up in an attacker’s password dictionary than a single word. A starting point for a secure passphrase could be a favorite quote or a line from a song, complete with spaces and punctuation.
•    Be liberal with character substitutions. A password can be made stronger by replacing 'o' with '0,' 'e' with '3,' or 'a' with '@.'
•    Use a different password for each website or service. If an attacker manages to steal a password for one website, they cannot use the same password to access other websites. 

"Creating unique credentials for each website may seem daunting, but one option is to add something you associate with the website’s service to the passphrase," Young added. "For example, if I were to create a password for an online book retailer, I might start with the quote "It was the best of times," and then change it to "It w$s th3 b3st 0f tim3s." To make an ever stronger, more unique passphrase, I could add 'books': "It w$s th3 b3st 0f tim3s b00ks.""

An additional way to utilize unique credentials is to take advantage of two-factor authentication. "Employing multiple authentication factors prevents an attacker from gaining access by simply compromising your password," said Tim Erlin, director of IT security and risk strategist at Tripwire. "Two-factor authentication often uses a password and a one-time code sent to a mobile device. Other factors used for authentication could be a fingerprint, retinal scan or a physical card. Many websites and online services now support two-factor authentication, and users should enable it where possible."

Building Cyber Awareness: What I Would Do First

Cyber security experts are often asked what strides an organization should take in order to measurably reduce their exposure to cyber threat actors, and their relentless cyber-attacks. Deploying the right security technologies obviously makes good sense. However, no matter how much security technology you deploy, it will never completely replace good common sense. Most cyber-attacks that result in data theft involve the human element, and the dreaded 'click.' That is, the act of an employee being fooled by a phishing E-mail and clicking a link or attachment that installs malicious software without detection. Reducing this single liability would serve to improve anyone's defensive posture. This article by Stephen Gates, Chief Research Intelligence Analyst, NSFOCUS, discusses his recommendations on how to solve this problem. 

Thursday, June 2, 2016

New Studies of Russian Ransomware: How Much Users Pay and How Much Money They Make


This morning, deep and dark web intelligence firm Flashpoint released the findings from a five month study of an organized Russian ransomware campaign.

The new research reports, titled Inside an Organized Russian Ransomware Campaign and Hacking Healthcare, detail the pay out schemes and how cybercriminals are using Ransomware as a Service (RaaS) to successfully target victims, with the healthcare industry being identified as a priority target. 

The reports detail ransomware campaign key metrics, including average salaries for various members of ransomware schemes, ransom amounts per US victim, and average monthly ransom payments as  well as some of the latest healthcare-focused attacks and the response in underground forums.

The reports can be found at Ransomware as a Service and Hacking Healthcare.