Tuesday, February 10, 2015

Call for Book Chapters: Protecting Mobile Networks and Devices

Call for Book Chapters: Protecting Mobile Networks and Devices

This book welcomes chapters on a wide range of issues related to mobile networks and devices, including all aspects of attacks and solutions. Indicative topics include, but are not limited to, the following:

- Intrusion detection and prevention schemes for mobile networks
- Tracing back mobile attackers
- Secure routing and access control
- Mobile authentication mechanisms
- Security testing of new or existing usability features,
- Agent based intrusion surveillance
- Wireless Access Technologies
- Multimedia security issues for tackling intruders

We welcome both surveys and technical chapters presenting novel analytical research, simulations, practical results and case studies.


New Ransomware Strain Encrypts Files from Memory

Tampa Bay, FL (February 10, 2015) -- KnowBe4 CEO Stu Sjouwerman issued an alert to security professionals today about a newly discovered piece of ransomware dubbed ”Fessleak” by security firm Invincea. The ransomware is Russian and delivers its malicious code straight into system memory and does not drop any files on a disk. That means almost all antivirus software is unable to catch this. The infection vector is malicious ads on popular websites that the cybercriminals are able to display by bidding on the ad space through legit ad networks.

"This particular strain is new and quite harmful as it takes advantage of file-less infections that can communicate through the TOR network," said Sjouwerman. "We are going to continue to see more and more ransomware this year and this is just the latest innovation.”

This strain can check to ensure the host is not running on a virtual machine to frustrate security researchers and analysts. For end-users, they might visit a major site on their lunch break like HuffingtonPost, Photobucket, CBSsports, or Match.com and check out someone's "Granny opening a new iPhone video", or "These are the Charlie Hebdo cartoons that terrorists thought were worth killing over" headlines. Clicking that one link is enough to get confronted with a full screen announcing all personal or business files, photos and videos have been one-way encrypted and to get them back you need to pay a ransom in Bitcoin.

The cybercriminals first set up a short-lived burner domain directing to a landing page where the exploit kit is hosted. Then they start real-time bidding for ads pointing to the burner domain. Once their bad ad is displayed on a popular website and users clicked on it, they would be redirected to the malicious domain which in turn infects their workstation.

The same gang is also using 0-day exploits for Flash Player, and is apparently able to change their malware on the fly to exploit the most recent vulnerabilities. Fessleak drops a temp file via Flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid Antivirus detection.

Sjouwerman makes a few recommendations to mitigate this type of attack:

1) Backup, backup, backup and take a weekly copy of your backup off-site.

2) Keep your attack surface as small as possible and religiously patch the OS and third party apps as soon as possible. Visit http://www.Secunia.com site for some additional help.

3) Run a UTM or a good Proxy, block centrally rather than machine by machine. If that's not possible, install AdBlocker plugins for each browser.

4) It is increasingly clear that effective security awareness training is a must these days. Once a year training for compliance does not cut it anymore. End-users need to be on their toes with security top of mind.


Friday, February 6, 2015

CISSP Credential Enhancements and New Edition of Official (ISC)2 Guide to the CISSP CBK

As a result of a rigorous, methodical process that (ISC)² follows to routinely update its credential exams, it has announced that enhancements will be made to both the Certified Information Systems Security Professional (CISSP) credential, beginning April 15, 2015. (ISC)² conducts this process on a regular basis to ensure that the examinations and subsequent training and continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.

Effective April 15, 2015, the CISSP domain names have been updated as follows:

1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
2. Asset Security (Protecting Security of Assets)
3. Security Engineering (Engineering and Management of Security)
4. Communications and Network Security (Designing and Protecting Network Security)
5. Identity and Access Management (Controlling Access and Managing Identity)
6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition will be the first book to address the new eight domains CBK framework.

Tuesday, February 3, 2015

Elite Hackers Aren't Elite Coders, Lack QA

Sophos today released a technical paper by Gabor Szappanos, principal researcher at SophosLabs that demonstrates that many highly effective hacking groups associated with malware and advanced persistent threats (APTs) appear to lack an understanding of the technical exploits they use. They also fail to adequately test their exploits for effectiveness before unleashing them on their victims.

Szappanos evaluated the malware and APT campaigns of several groups that all leveraged a particular exploit — a sophisticated attack against a specific version of Microsoft Office. He found that none of the groups were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack. Many groups' efforts to modify the initial exploit resulted in buggy code or minimal changes to the original exploit. Interestingly, the APT groups — often billed as the most sophisticated of attackers — showed the lowest proficiency in both modification and QA. It was the "mainstream" or "opportunistic" criminal groups that were most effective in revising the code to suit their purposes.
The author points out, however, that these groups are in many cases still highly effective in infecting their targets and getting what they want (typically data or money). To use a physical world simile, it's like they're able to use lockpicks effectively, but they're unable to effectively modify the lockpicks or craft new styles.

Here is a link to the paper.