Wednesday, February 17, 2016

New Ransomware Hidden in Word Docs: New “Locky” Ransomware Is Loaded with Professional Grade Malware

Recent reports indicate that the actors behind Dridex, originally a banking Trojan distributor, have switched tactics, and are now heavily pushing out a new ransomware called Locky. The current method of distribution is via a spam email, which contains a Word document. Additional reports state that it is being distributed via the Neutrino Exploit Kit.

KnowBe4 issued a warning to its customers today of a vicious new strain of ransomware disguised within Word documents. This new ransomware strain, called "Locky," is professional grade malware and starts out with an email and a Microsoft Word attachment containing malicious macros, making it hard to filter out. Few antivirus products are catching it. Social engineering is used twice: first to trick users into opening the attachment, and again to get them to enable the macros in the Word file. When the Word document is opened, its content looks scrambled and the document displays a message stating that you should enable the macros if the text is unreadable.

According to KnowBe4’s CEO Stu Sjouwerman, “Once a victim enables the macros, they download an executable from a remote server in the %Temp% folder and execute it. This executable is the Locky ransomware that when started will begin to encrypt the files on your computer and network.”

The email message will contain a subject similar to ATTN: Invoice J-98223146 and a message such as "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice." This new strain was first reported in the UK by Kevin Beaumont, and Larry Abrams at BleepingComputer did a more in-depth analysis.

According to Abrams, "It targets a large amount of file extensions and even more importantly, encrypts data on unmapped network shares. Encrypting data on unmapped network shares is trivial to code and the fact that we saw the recent DMA Locker with this feature and now in Locky, it is safe to say that it is going to become the norm. Like CryptoWall, Locky also completely changes the filenames for encrypted files to make it more difficult to restore the right data."

Dodi Glenn, VP of Cyber Security at PC Pitstop says, “If an individual opens the spam email, ignores the macro Word alert and clicks "Enable Content", Locky will immediately scan the system for specific files, and encrypt or modify them so they can no longer be used - that is, unless a ransom is paid, which Locky’s current amount is .5 BTC, or the equivalent of $209.33. These file types are commonly found on end users’ machines, such as .doc, .csv, .pdf, .jpg, etc. However, what should be more concerning to enterprise customers is that it will also look for .SQL, .SQLiteDB, and .SQLite3 files, which are associated with databases. The transaction is all too familiar for many of the other types of ransomware out there. PC Matic users should know that this malware is blocked, and cannot be executed on machines protected with Super Shield.”

Sjouwerman noted, “The old Office macros from the nineties have not gone away and the bad guys are combining this old technology with clever social engineering. If you trust antivirus software and your users not clicking ‘Enable macros’ you are going to have a problem. You can’t just disable all macros across the whole company because a lot of legacy code relies on macros. Telling all users to sign their macros will also take months.”

KnowBe4 advises the following steps be taken:

1. Go hunt for this Group Policy Setting in the Trust Center, and set it to “Disable all except digitally signed macros”.
2. Now check out Trusted Locations: User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
3. Set your shared folder location URL in here, e.g. \\blah.local\public\office   (More detail can be found at Microsoft Technet.)
4. Now instruct your users to make sure all macros are used from shared folders. Macros should work as before on their regular documents. If Mr. Bad Guy emails Joe in Accounts Payable a Bad File, the macro won’t run.

Users won’t see a prompt to enable the macro, nor can they from the Office options.
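As an added example, not KnowBe4's own guidance, the PowerShell below writes for the current user the policy registry values that the Trust Center Group Policy templates in the steps above set, so the effect can be tested on one machine before rolling it out by GPO. It assumes Office 2016 (policy hive "16.0") and Word; the share path is the article's placeholder and the Location0 name and description are constructed.

```powershell
# Added example: apply the per-user policy equivalents of the macro hardening steps.
$OfficeVersion = '16.0'                          # assumption: Office 2016 ('15.0' for Office 2013)
$App           = 'Word'                          # assumption: only Word is hardened here
$TrustedShare  = '\\blah.local\public\office'    # placeholder share path from the article

$SecurityKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
New-Item -Path $SecurityKey -Force | Out-Null

# Step 1: "Disable all except digitally signed macros".
# VBAWarnings values: 1 = enable all, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification.
Set-ItemProperty -Path $SecurityKey -Name 'VBAWarnings' -Value 3 -Type DWord

# Steps 2 and 3: register the shared folder as a Trusted Location.
# Network paths are only honoured when AllowNetworkLocations is set.
$TrustedRoot = Join-Path $SecurityKey 'Trusted Locations'
New-Item -Path $TrustedRoot -Force | Out-Null
Set-ItemProperty -Path $TrustedRoot -Name 'AllowNetworkLocations' -Value 1 -Type DWord

$Location = Join-Path $TrustedRoot 'Location0'   # constructed entry name (Office numbers them LocationN)
New-Item -Path $Location -Force | Out-Null
Set-ItemProperty -Path $Location -Name 'Path'            -Value $TrustedShare -Type String
Set-ItemProperty -Path $Location -Name 'AllowSubfolders' -Value 1 -Type DWord
Set-ItemProperty -Path $Location -Name 'Description'     -Value 'Approved macro share' -Type String

# Verification: confirm the values are in place for this user.
Get-ItemProperty -Path $SecurityKey -Name 'VBAWarnings'
Get-ItemProperty -Path $Location
```

Because these are policy keys, the Trust Center options they control appear greyed out in Word, which is why users cannot re-enable macros from the Office options as the article notes.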

Sjouwerman added, “Technically speaking, your users are the new DMZ, and you need to create a human firewall. Effective security awareness training is a must these days.”

Tuesday, February 16, 2016

15 Top-Paying Certifications for 2016


Take a look at some of this year's top-paying certifications as determined by the more than 10,000 responses to Global Knowledge's 2016 IT Skills and Salary Survey of your peers across North America. Certifications in IT security, virtualization and cloud computing, networking, and business dominated this year's list. What may surprise you is the average pay of these certifications.

Biometrics: The Physical Attributes vs. Behavioral Patterns Privacy Debate

In a world where we can no longer rely on authentication based on 'static elements,' we are increasingly seeing biometric-based authentication technology used as a way to verify users. But the use of biometric factors is rapidly becoming an area of concern from a data privacy and security perspective. This article highlights why it is no longer viable for organizations to only rely on traditional, static forms of identification, such as passwords; the difference between physical and behavioral biometrics, and why behavioral biometrics is able to provide a higher level of security for online activities; and why behavioral biometrics are far more privacy-friendly than physical biometrics, and are far less invasive.

Wednesday, February 10, 2016

The Institute for Critical Infrastructure Technology (ICIT) Releases the Encyclopedia of the Most Prominent Hacktivists, Nation State, and Mercenary Hackers


The Institute for Critical Infrastructure Technology, a leading cybersecurity think tank, has published its most recent research report entitled Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups. The report is an encyclopedia of bad actors stemming from the nation state, mercenary, and hacktivist arenas and details the characteristics and intricacies of the world’s most prolific threat groups.

Authors James Scott (ICIT Co-Founder and Senior Fellow) and Drew Spaniel (Visiting Scholar) cover threat groups not by use of a particular ranking system, but rather by the dominant players categorized by geography, including China, Russia, Iran, and North Korea. Zero days, malware, toolkits, exploit techniques, digital footprints and targets are covered in depth. The report covers 40 bad actors including: Blue Termite, the Elderwood Platform, Deep Panda, APT 30, APT 2, Tarh Andishan, Ajax, Dark Hotel, Bureau 121, Energetic Bear, Uroburos, Sofacy Group, the “Duke” family, Carbanak, SEA, Animal Farm, Hellsing, and Shrouded.

Tuesday, February 9, 2016

Top Disruptive Technologies in Digital Commerce for 2016


Hampshire, UK - 9th February 2016 - Juniper Research today revealed the top ten technologies it believes will do the most to transform e-commerce this year.

The top 3 are:
1. Biometrics
2. Federated Identity
3. Tokenization

1. Biometrics - Apple and Samsung Lead the Way
The new research Top 10 Disruptive Technologies in Fintech: 2016, concludes that the technology making the biggest difference to ‘payment completion’ today is biometrics, largely thanks to the proliferation of fingerprint readers in smartphones.
It highlights the use of biometric authentication in both Apple Pay and Samsung Pay, and argues that use cases and deployments will proliferate in the short and medium term.

2. Federated Identity - New Players Add More Options
Behind biometrics is federated ID, which provides merchants with the ability to gather information on customers in a click – rather than asking them to fill out long forms. Juniper observed that Facebook, Google and LinkedIn dominate this area at present, but expects new entrants such as banks, telcos and even governments to increase their presence within the space.

3. Tokenization - The Best Hope for Secure Digital Commerce
The study ranks tokenization as the next most impactful technology. Tokenization addresses the major e-commerce barrier after user experience: security. By replacing card numbers with randomly generated digits, tokenization makes the theft of card data pointless. It also prevents merchants from having to store sensitive credentials. Juniper anticipates that the benefits offered by tokenization, and its support by Visa and MasterCard, will lead to far greater commercial deployment and adoption in the near future.
Further Potential
Tim Green, report author said, "Digital commerce is already worth around $1.7 trillion a year, but it still has so far to go. Even after 20 years, it can be hard for consumers to buy the things they want to buy without fuss. Happily, exciting new ideas are on the way."

However, the research cautions that the top 10 disruptive technologies will invariably develop at different speeds. Unpredictable factors such as new device types and government regulation will accelerate the adoption of some and delay others.

GSMA Announces Security Guidelines to Support Growth of the Internet of Things


Backed by the Mobile Industry, New Guidelines Outline Common Approach to Security for IoT Services

LONDON--(BUSINESS WIRE)--The GSMA today announced the availability of new guidelines designed to promote the secure development and deployment of services in the growing Internet of Things (IoT) market. The document, ‘The GSMA IoT Security Guidelines,' has been developed in consultation with the mobile industry and offers IoT service providers and the wider IoT ecosystem practical advice on tackling common cybersecurity threats, as well as data privacy issues associated with IoT services.

The project has received the backing and support of the mobile industry including mobile operators AT&T, China Telecom, Etisalat, KDDI, NTT DOCOMO, Orange, Telefónica, Telenor and Verizon and vendor and infrastructure partners 7Layers, Ericsson, Gemalto, Morpho, Telit and u-blox.

“As billions of devices become connected in the Internet of Things, offering innovative and interconnected new services, the possibility of potential vulnerabilities increases,” said Alex Sinclair, Chief Technology Officer, GSMA. “These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed. A proven and robust approach to security will create trusted, reliable services that scale as the market grows.”

The GSMA’s IoT Security Guidelines have been designed for all players in the IoT ecosystem including IoT service providers, IoT device manufacturers and developers. They will help service providers build secure services by outlining technologies and methods to address potential threats, as well as how to implement them. They also establish the need for risk assessment of all components of an IoT service to ensure they are designed to securely collect, store and exchange data and successfully mitigate cybersecurity attacks. The Guidelines recently completed a thorough industry consultation with academics, analysts and other industry experts to ensure that they are as robust as possible.

“There is a significant amount of evidence to suggest that cyberattacks are already happening in the burgeoning IoT space. If not handled appropriately, these attacks are likely to inhibit the growth and stability of the Internet of Things,” commented Don A. Bailey, Founder and CEO, Lab Mouse Security. “It is imperative that the industry adopts a standard approach for dealing with security risks and mitigations, helping to ensure that the entire IoT ecosystem will not be subject to fraud, exposures of privacy, or attacks that affect human life."

The GSMA IoT Security Guidelines have been developed through the GSMA Connected Living program. The program is designed to help operators accelerate the delivery of new connected devices and services in the M2M market. It focuses on driving industry collaboration, promoting appropriate regulation and optimizing networks to support the growth of M2M in the immediate future and the IoT in the longer term.

The IoT Security Guidelines are available to download here.

For more on securing the IoT, get a copy of "Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations." The book consists of five parts covering attacks and threats, privacy preservation, trust and authentication, IoT data security, and social awareness.

Monday, February 8, 2016

8 of the Largest Data Breaches of All Time


According to the Identity Theft Resource Center, there have been 5,754 data breaches between November 2005 and November 2015 that have exposed 856,548,312 records. According to their data, there were 783 breaches in 2014, the largest number of data breaches in a single year to date. Although this data includes a comprehensive list of data breaches, whether large-scale or small, there are a few that stand out from the rest as some of the worst data breaches in history in terms of resulting costs and the number of records compromised. This list of eight of the worst breaches in history highlights the cause of the breach and the effects on the public and business sectors.

Monday, February 1, 2016

Making Vulnerability Assessments a Priority in 2016

The vulnerability assessment of an organization's applications and data is critical given the increasing number of automated and targeted attacks. Businesses must proactively identify potential vulnerabilities to prevent breaches. This article discusses two highly-effective ways to identify vulnerabilities: vulnerability scanning and penetration testing.