Scam Of The Week: Massive WebAd Poisoning
The same cybercrime lowlifes that infected the Yahoo website a few weeks ago have struck again, this time infecting sites like DrudgeReport.com and Weather.com. Both sites have hundreds of millions of visitors per month, and were serving poisoned web ads which either dropped CryptoWall ransomware or infected the PC with adware.
Internet users at home, or employees who browse the web during their lunch break, do not understand the mechanics of modern ad networks. Once an ad network is subverted, hundreds of millions of poisoned ads are displayed in real time. Many of these ads initiate a drive-by attack without the user having to do anything: the attack goes through a few redirects, hands off to a U.S. and Canada-focused exploit kit which checks for vulnerabilities (usually in Flash), and can infect the workstation literally in seconds.
What To Do About It
This is a hard one to defend against, because the attackers hide behind SSL-encrypted traffic hosted on Microsoft's Azure cloud, which makes it difficult to detect, but there are definitely things you can do. First of all, I would send this to your users. Edit if you want:
Scam of The Week Warning - You need to understand something about poisoned ads on websites which might infect your computer. Here is the situation in a nutshell: Advertisers do not sell their ads to websites one at a time. Websites that want to make money sell their advertising space to an ad network. Advertisers sign contracts with that ad network which then displays the ads on the participating websites. The ad network sits in the middle between the advertisers and the websites and manages the traffic and the payments.
Here is the problem. Cybercriminals fool the ad network into thinking they are a legitimate advertiser, but the ads which are then displayed on major websites are poisoned. If you browse to a page with a poisoned ad on it, that alone is enough to run the risk that your PC will be encrypted with ransomware, which may cost 500 dollars to get your files back.
So here are a few things you can do about this. First, disable Adobe Flash on your computer, or at least set the Adobe Flash plug-in to "click-to-play" mode, which blocks the automatic infections. Second, keep up to date with all security patches and install them as soon as they come out. Third, download and install ad blocker plug-ins for your browser; these prevent the ads from being displayed in your browser to start with. These ad blockers are getting very popular; hundreds of millions of people use them.
In a network, you could do two things:
- Get rid of Flash altogether, which we see happen a lot, or
- Deploy ad blockers using group policy, here is a forum post at the AdBlock Plus site where it is explained how this can be done. I use Adblock Plus in Chrome and am a happy camper. Link:
https://adblockplus.org/forum/viewtopic.php?t=29880
Good luck and stay safe out there.
IT Confessions: The Six Deadly Sins Of Data Security
Massive hacks continue to fill the front page of major media outlets. The recent hack of the Federal Office of Personnel Management (OPM) by Chinese state-sponsored hackers again showed how vulnerable we are.
But what are the main attack vectors with apparent holes which are not being addressed? Last week, KnowBe4's Chief Hacking Officer Kevin Mitnick was asked: "What do you believe are the most serious cyber threats facing businesses today?" Here is his answer on Vimeo (0:33), where he summarizes social engineering and vulnerable web applications: https://vimeo.com/136377919
If you break that down into more technical detail, here are your Six Deadly Sins of Data Security in terms of potential for data breaches:
- Social Engineering end-users who are low-hanging fruit
- Injection Vulnerabilities
- Buffer Overflows
- Sensitive Data Exposure
- Broken Authentication and Session Management
- Security Misconfiguration
Let's have a quick look at each one of these.
1) Social Engineering end-users who are low-hanging fruit
Despite all the funds you may have spent on state-of-the-art security software, the bad guys are just one gullible user click away from staging an all-out invasion. To make matters worse, that user might well be you! Recent surveys show that executives can be some of the biggest culprits when it comes to clicking on phishing links and opening malicious email attachments.
Yet by far the most effective measure in combating these attacks is also one of the most poorly implemented: security awareness training. The long list of “worst practices” for user education is almost endless: break room briefings while people eat lunch and catch up on email, short instructional videos that provide no more than superficial understanding, and the time-honored practice of hoping for the best and doing nothing.
2) Injection Vulnerabilities
Every time an application sends untrusted data to an interpreter, you have an injection vulnerability. There are many flavors of this type of vulnerability, but the most popular ones affect SQL, LDAP, XPath, and XML parsers.
Obviously, you want to prevent these while the app is being coded, because finding them after the app is deployed is hard, and fixing them at that point can be difficult too. Even so, you should have outside pentesters check your internet-facing web apps on a regular basis. If you don't do it, the hackers will.
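The SQL flavor of the injection flaw described above, shown as an added example (this code is not from the newsletter or from KnowBe4): the same lookup written once by splicing untrusted input into the query text and once with a parameterized query. The users table and the tampered input are constructed for the demo.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table for the demo.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_unsafe(conn, name):
    """Vulnerable: untrusted input is spliced straight into the SQL text.

    The interpreter cannot tell data from code, which is exactly the
    injection condition the article describes.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Hardened: a parameterized query.

    The driver sends the value separately from the statement, so quotes
    or keywords inside the value are never parsed as SQL.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a normal name and a constructed tampered one."""
    conn = make_db()
    tampered = "' OR '1'='1"  # constructed input of the kind a pentester would try
    return {
        "unsafe_normal": lookup_user_unsafe(conn, "alice"),
        "unsafe_tampered": lookup_user_unsafe(conn, tampered),
        "safe_tampered": lookup_user_safe(conn, tampered),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, "->", rows)
```

The unsafe variant returns every row for the tampered input because the quote in the input closes the string literal and the rest becomes part of the WHERE clause; the parameterized variant returns nothing, since no user is literally named `' OR '1'='1`. The same rule (keep data out of the statement text) applies to the LDAP, XPath and XML cases the article lists.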
3) Buffer Overflows
A buffer overflow vulnerability exists when an app writes more data into a buffer than that buffer can hold. That lets an attacker overwrite the contents of adjacent memory, usually in an attempt to execute their own malicious code. Buffer overflow attacks are quite common, but they are harder to exploit than injection attacks.
4) Sensitive Data Exposure
This happens any time a hacker gets access to sensitive user data. Sensitive data exposure is defined as unauthorized access to data at rest or in transit, including backups and user browsing data.
Some examples are breaking into data storage, intercepting data transfers between a server and the browser, or tricking an e-commerce application into changing items in a cart. The main cause is either no encryption of the data at all or badly implemented encryption mechanisms. Proper destruction of storage media, thumb drives included, is also a very important factor.
5) Broken Authentication and Session Management
Broken authentication and session management becomes exploitable when a user leaks account data, passwords, or session IDs, which allows an attacker to impersonate that user.
There are several ways to attack authentication mechanisms, for instance by "brute-forcing" the targeted account, grabbing a session identifier from a URL, reusing an already used session token, or compromising a user's browser.
Web developers need to carefully look at all Cross-Site Scripting (XSS) flaws and deploy all necessary countermeasures to fix them because XSS is one of the most common methods to steal session IDs and impersonate other users.
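The server-side countermeasures to the session problems listed above (guessable or reused session tokens, IDs carried in URLs, brute-forced accounts, tokens stolen through the browser), as an added example that is not code from the newsletter or from KnowBe4. The store is in-memory, the single demo user and the policy constants (`SESSION_TTL`, `MAX_FAILED_LOGINS`, `LOCKOUT_SECONDS`) are assumptions chosen for the demo, and the injectable clock exists only so expiry can be exercised without waiting.

```python
import hmac
import secrets
import time

SESSION_TTL = 900        # assumed policy: seconds of inactivity before a session dies
MAX_FAILED_LOGINS = 5    # assumed policy: failures before an account is locked out
LOCKOUT_SECONDS = 300    # assumed policy: length of the lockout

# Constructed demo credential table; a real system stores salted password hashes.
DEMO_USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Server-side sessions: random IDs, rotation on login, expiry, lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session_id -> {"user": str, "last_seen": float}
        self.failed = {}     # username -> (failure_count, locked_until)

    def _check_password(self, username, password):
        expected = DEMO_USERS.get(username)
        if expected is None:
            return False
        # constant-time comparison so the check does not leak via timing
        return hmac.compare_digest(expected.encode(), password.encode())

    def login(self, username, password, old_session_id=None):
        """Return a fresh session ID on success, None on failure or lockout."""
        now = self.clock()
        count, locked_until = self.failed.get(username, (0, 0.0))
        if now < locked_until:
            return None          # locked out: do not even evaluate the password
        if not self._check_password(username, password):
            count += 1
            if count >= MAX_FAILED_LOGINS:
                locked_until = now + LOCKOUT_SECONDS
            self.failed[username] = (count, locked_until)
            return None
        self.failed.pop(username, None)
        # Rotate: any ID that existed before authentication is discarded so a
        # token planted or captured earlier cannot be reused after login.
        if old_session_id is not None:
            self.sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self.sessions[sid] = {"user": username, "last_seen": now}
        return sid

    def user_for(self, session_id):
        """Resolve a session ID to a user, expiring idle sessions on the way."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > SESSION_TTL:
            del self.sessions[session_id]    # expired: force a fresh login
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, session_id):
        """Invalidate server-side so the token cannot be replayed later."""
        self.sessions.pop(session_id, None)


def set_cookie_header(session_id):
    """Deliver the ID in a cookie, never in the URL (URLs leak via logs and Referer).

    HttpOnly keeps script (and therefore XSS) from reading it; Secure keeps it
    off plaintext connections; SameSite limits cross-site sending.
    """
    return "Set-Cookie: sid=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % session_id


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", DEMO_USERS["alice"])
    print(set_cookie_header(sid))
    print("resolves to:", store.user_for(sid))
    store.logout(sid)
    print("after logout:", store.user_for(sid))
```

The points to take from it: the session ID comes from `secrets`, not from a timestamp or counter; a successful login always issues a new ID and drops the old one; an idle session expires and a logged-out one is gone from the server regardless of what the client still holds; and repeated failures lock the account before a password guesser can get far.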
6) Security Misconfiguration
This category of vulnerability is actually very common and one of the most dangerous. It's easy to discover web servers and apps that have been misconfigured resulting in simply letting the bad guys in. Here are some typical examples of security misconfigurations:
- Running outdated software
- Apps still running in debug mode or that still include debugging modules
- Running unnecessary services on the system
- Allowing unrestricted access to server resources and services
- Not changing default settings like keys and passwords
- Use of default accounts
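A small configuration audit that checks for the misconfigurations in the list above (debug mode, outdated software, unnecessary services, default settings and default accounts), as an added example that is not from the newsletter or from KnowBe4. The INI-style sample file, the minimum version, the list of placeholder secrets and the allowed-service set are all constructed assumptions for the demo; in practice those policy values come from your own inventory and baseline.

```python
import configparser

# Constructed sample config for the demo (not any real product's file).
SAMPLE_CONFIG = """
[app]
debug = true
version = 2.3.1

[auth]
admin_user = admin
admin_password = admin
api_key = changeme

[services]
enabled = web, ssh, telnet, ftp
"""

# Assumed policy values for the checker.
MIN_VERSION = (2, 4, 0)
DEFAULT_SECRETS = {"", "admin", "password", "changeme", "default", "123456"}
ALLOWED_SERVICES = {"web", "ssh"}
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_config(text):
    """Return a list of human-readable findings for one config file's text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []

    # 1. Apps still running in debug mode
    if cfg.getboolean("app", "debug", fallback=False):
        findings.append("debug mode enabled")

    # 2. Outdated software
    version = cfg.get("app", "version", fallback="0")
    if parse_version(version) < MIN_VERSION:
        findings.append("outdated software version " + version)

    # 3. Default settings such as keys and passwords left unchanged
    for key in ("admin_password", "api_key"):
        value = cfg.get("auth", key, fallback="")
        if value.strip().lower() in DEFAULT_SECRETS:
            findings.append("default or placeholder secret in auth." + key)

    # 4. Default accounts
    if cfg.get("auth", "admin_user", fallback="").strip().lower() in DEFAULT_ACCOUNTS:
        findings.append("default account name in use")

    # 5. Unnecessary services
    raw = cfg.get("services", "enabled", fallback="")
    enabled = {s.strip() for s in raw.split(",") if s.strip()}
    for service in sorted(enabled - ALLOWED_SERVICES):
        findings.append("unnecessary service enabled: " + service)

    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports all seven problems; a config with debug off, a current version, changed secrets, a non-default account and only the allowed services comes back clean. The value of a check like this is that it runs on every deployment, not just when someone remembers to look.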
Badly configured Internet of Things devices could easily be turned into a large "ThingNet" owned by the bad guys. Think paying micro-ransoms before you can get to Game of Thrones or get in your car. Defense-in-depth is the answer to the risks of losing your data.
The place to start, with the biggest immediate impact, is end-user education, which affects every aspect of your organization’s security profile. That is why it is so important that you step all end-users through effective Security Awareness Training, and enforce compliance. Find out now how affordable this is for your organization and be pleasantly surprised. http://info.knowbe4.com/kmsat_get_a_quote_now
Scan PCs for Security Problems? Nope, Scan the Users
To build a car, you need thousands of nuts, bolts, screws, and other components. Which of these is the most dangerous? According to an old joke, it's the nut behind the wheel. The very best security system in the world will fail if a fast-talking stranger convinces you to turn it off.
Penetration testers and security analysts scan for system vulnerabilities, and very effectively, too. Laura Bell, founder and lead consultant at SafeStack, explained to Black Hat attendees that we need to test the human side of security as well.
"I've been told that we've conquered the security problem," said Bell. "Hah! People are the path of least resistance. Why mount a $100,000 attack when you can give someone $100 to let you in?"
Great article and interview by our friend Marcin Kleczynski, Founder and CEO of Malwarebytes, where he interviews Neil Rubenking, lead security analyst at PCMag.com: http://www.pcmag.com/article2/0,2817,2489250,00.asp?
Warm Regards, Stu Sjouwerman
"In the realm of ideas everything depends on enthusiasm... in the real world all rests on perseverance." - Johann Wolfgang von Goethe (1749 - 1832)
"I am always doing things I can't do, that's how I get to do them." - Pablo Picasso (1881 - 1973)
Thanks for reading CyberheistNews
Compliance In Half The Time At Half The Cost
I'm sure you will agree, compliance has become a major headache. It is a HUGE burden on already limited IT resources. Yearly audits have become major projects. They are expensive in both dollars and your IT staff time.
Imagine an environment in which your organization is completely compliant 24/7/365, and where all employees work together as a team without nagging and tons of emails. KnowBe4 Compliance Manager (KCM) can help you to achieve that state. It is an IT compliance workflow automation tool that allows you to:
- Manage all of your specific regulatory requirements in one location (PCI-DSS, HIPAA, GLBA, SOX, etc...).
- Eliminate duplication of effort.
- Assign the Directly Responsible Individual (DRI) for a control.
- Direct your auditors to one location for evidence of compliance controls being in place and up to date.
- NEW: Auditor Role, your auditor can log in remotely and save you billable hours.
Go to this link for more info and to request a web demo: http://info.knowbe4.com/_kcm_pci_30-0
Ransomware Hostage Rescue Slideshow
This Week's Five Most Popular HackBusters Posts
Harvard CISO Shares Pearls Of IT Security Wisdom
Bob Brown reported on Harvard's CISO Christian Hamer who mentioned 5 security points, two of them concerning your users:
1) "Best practices for security awareness among end users: “We’re going to be rolling out a campaign very soon focused around four best practices:
- We want them to apply updates whether that’s on their phone, on their operating system on their computer, or for the individual pieces of software. That’s probably one of the single best ways to protect yourself.
- We want them to use strong passwords, and that means unique and difficult to guess. But we also want to offer them tools, whether it’s things like password managers [Harvard has done an extensive pilot with LastPass via Internet2] or pieces like 2-step verification.
- We want to make sure that people click wisely, going back to phishing issues. If we can get the user to recognize that there might be something a little off about this and not go there.
- The last piece is about knowing your data. It’s really important to understand what do you have, whether it’s on your machine or a file share. Why do you have it? If you really still need it, and if you don’t, how can you get rid of it securely.”
2) Convincing users to buy into best practices: “[One] way to enforce the point is that these are just good practices that people should use in their online life whether it’s at work, as a student or faculty member, or just at home. There ought to be a lot of self interest there.”
You can find the other points in the article at ComputerWorld: http://www.computerworld.com/article/2956036/security/harvard-ciso-shares-pearls-of-it-security-wisdom.html
Investors Pour Billions In To Cybersecurity Firms
Venture capital firms and corporate investors have put a record amount of money into cybersecurity companies over the past year, and there's no end in sight. CSO said: "Last week we reported that the cybersecurity market is white hot, and we shared a list of mergers and acquisitions in the space. We promised to follow up this week with VC and corporate investment deals, so here it comes.
"Before we give you the list of deals, let's set the stage with some cyber market figures and goings-on. The worldwide cybersecurity market is defined by market sizing estimates that range from $77 billion in 2015 to $170 billion by 2020. We broke these numbers down in a previous blog. Globally, venture-backed cybersecurity companies raised $1.9 billion last year, a record, according to Dow Jones VentureSource": http://www.csoonline.com/article/2968438/security-industry/investors-pour-billions-in-to-cybersecurity-firms.html?
This Week's Links We Like. Tips, Hints And Fun Stuff.