| CyberheistNews Vol 6 #32
| Scary Stuff And Hot Security Products At Black Hat And DEF CON
I have been in Las Vegas all week with lots of interesting stuff to report!
The Black Hat USA 2016 Conference is over and I was there to check out everything that was hot and scary, also making a stop at DEF CON. Black Hat was first held nearly 20 years ago, and it gives InfoSec pros a place to gather and learn about the latest risks and trends from the top people in the field.
Again this year, the briefings covered critical infrastructure security; enterprise systems and datacenter technologies; vulnerabilities affecting nearly every platform, operating system and device imaginable; and the latest in vulnerability research and information security development.
If you could not make it to the show (and meet Kevin Mitnick and yours truly), Dark Reading did their homework and created a slide show of the 10 Hottest Briefings, two for each of five categories, including:
- Overall: Vehicle Networks & FIDO
- Application Security
- Internet of Things
Check them out here:
| Hot Security Products At Black Hat 2016
There was a ton of news about BlackHat, and it would take days to sift through all of it. Luckily some of the NetworkWorld reporters did much of that and I selected two slide shows that will get you a quick update on the main issues. The first is the Hot Products slide show, the second is an overview of the Hot Issues that are relevant at the moment. Here is the first one:
This second set of slides is interesting, specifically slide 12, which shows a video in which CSO's Steve Ragan sits down with a hacker named Munin to chat about a prototype of a tool that could help administrators defend their networks from phishing attacks and other threats.
Sounds interesting, right? Well not so much when you see the clip. It's a great example of (bone-headed) old-school thinking about awareness training and only relying on the next shiny technical control to block something.
Given the short average lifespan of phishing domains, Munin proposes simply blocking *any* domain name not previously seen on your network for 24 hours after its first sighting. Can you imagine the help desk tickets that would generate? Sheesh. Check it out:
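To make the "block every new domain for 24 hours" idea concrete, here is an added example (mine, not Munin's tool or anything from the clip) that replays a constructed proxy log and applies exactly that rule: the first time a domain is seen it is blocked, and it stays blocked until 24 hours have passed since that first sighting. The log lines, user names and domains are all made up; `login-verify-account.example` stands in for the phishing domain, the other three for ordinary business sites. An optional allowlist parameter is my addition to show what it takes to keep the ticket count down.

```python
"""
Newly-observed-domain (NOD) rule: a domain never seen on this network before is
blocked for the first 24 hours after its first sighting. Replays constructed
proxy log lines offline; nothing here touches a real network.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample proxy log (not real traffic): "<ISO timestamp> <user> <domain> <path>".
# Every domain except login-verify-account.example is meant to be legitimate.
SAMPLE_PROXY_LOG = """\
2016-08-01T08:00:00 alice cdn.example-saas.net /app.js
2016-08-01T08:05:00 bob news.example.org /index.html
2016-08-01T09:30:00 alice login-verify-account.example /invoice
2016-08-01T11:00:00 carol news.example.org /sports
2016-08-02T07:59:00 bob cdn.example-saas.net /app.js
2016-08-02T09:00:00 dave vendor-portal.example.com /login
2016-08-02T10:00:00 alice login-verify-account.example /invoice
2016-08-02T12:00:00 carol news.example.org /weather
"""

Decision = namedtuple("Decision", "ts user domain verdict reason")


def apply_nod_rule(log_text, window=timedelta(hours=24), known_good=frozenset()):
    """Replay the log in order and return one block/allow Decision per request.

    A request is blocked while its domain is younger than `window`, measured from
    the first time this network saw it. `known_good` is an optional allowlist of
    domains exempt from the rule (empty by default, as in the proposal).
    """
    first_seen = {}
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, user, domain, _path = line.split()
        ts = datetime.fromisoformat(ts_str)
        domain = domain.lower()
        if domain in known_good:
            decisions.append(Decision(ts, user, domain, "allow", "allowlisted"))
            continue
        born = first_seen.setdefault(domain, ts)   # first sighting defines the domain's age
        age = ts - born
        if age < window:
            verdict, reason = "block", f"domain first seen {age} ago (< {window})"
        else:
            verdict, reason = "allow", f"domain first seen {age} ago"
        decisions.append(Decision(ts, user, domain, verdict, reason))
    return decisions


def summarize(decisions):
    """Count verdicts and list the distinct domains the rule blocked at least once."""
    blocked = [d for d in decisions if d.verdict == "block"]
    return {
        "requests": len(decisions),
        "blocked": len(blocked),
        "allowed": len(decisions) - len(blocked),
        "blocked_domains": sorted({d.domain for d in blocked}),
    }


if __name__ == "__main__":
    results = apply_nod_rule(SAMPLE_PROXY_LOG)
    for d in results:
        print(f"{d.ts.isoformat()} {d.user:6} {d.domain:30} {d.verdict:5} {d.reason}")
    print(summarize(results))
```

On this sample the rule blocks six of eight requests, and five of those six are to legitimate sites (every first visit to a business domain is a ticket, and a second visit 23 hours later is still blocked). Meanwhile the phishing domain sails through on day two because it has now been "seen" for more than 24 hours. Allowlisting the known business domains cuts the noise to a single block, but that allowlist is exactly the maintenance burden the clip glosses over.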
| Social Engineering CTF Was A Lot Of Fun
Chris Hadnagy's Team ran a fun Capture the Flag contest this year. Here is a synopsis of the SECTF from their website: "This truly unique event will challenge you and test your abilities to use social engineering skills to gather small amounts of data from unsuspecting companies over the phone. Each contestant will be assigned a target company. Each contestant will be provided with flags, a sample report and their call time."
Large companies were attacked live over the phone, with sometimes surprising results. For legal reasons no pictures could be taken, no names given, and no audio recordings made. This was strictly for the entertainment and instruction of the attendees learning about social engineering. The room was packed!
Also, the Security Innovation services team held their CMD+CTRL Hackathon as an official DEF CON Contest.
These are interactive learning events where development and IT teams come together to put their security skills to the test. Players learn offensive and defensive tactics in a real-world environment where they compete to find vulnerabilities in web applications and defend IT infrastructure. At DEF CON, the contest was based on Security Innovation's Web Application CMD+CTRL Hackathon.
"Every year our security engineers attend DEF CON to share their knowledge and stay on top of the latest threat and vulnerability trends," said Security Innovation CTO, Jason Taylor. "This year, Security Innovation was honored to be chosen to present not only 2 speaking topics, but also showcase our CMD+CTRL Hackathon as an official event contest. I'm proud of the team for this recognition and we are all excited to share our knowledge and experiences from the past year of security projects."
Much more at the official DEF CON website:
| Scam Of The Week: Real Email From PayPal. And, Yes, It's Really Malicious.
Score another one for the bad guys, who have yet again demonstrated their seemingly inexhaustible ability to concoct new methods to exploit legitimate services in order to bypass existing anti-malware defenses and spam traps.
Proofpoint researchers report in a special security advisory that malicious actors are delivering the Chthonic banking trojan (itself a variant of the infamous Zeus trojan) through the PayPal "money request" feature.
Using legitimate (and undoubtedly compromised) PayPal accounts, the bad guys are sending potential victims bogus money requests through PayPal. In addition to losing a few hundred bucks to imposters, potential victims may also be infected with the Chthonic banking trojan if they click the embedded link in the email.
So, how did it come to this? PayPal allows users of the "money request" feature to include a personalized message, and that is what lets the bad guys push links leading to Chthonic at unsuspecting users. In the example offered by Proofpoint, the malicious link takes the form of a goo.gl shortener link, which then redirects to a malicious domain controlled by the bad guys.
If there is any good news to be had from this situation, it's that this malware campaign still appears to be low volume. In other words, the bad guys haven't yet figured out how to automate this campaign. Also, the embedded malicious link is not being hidden behind a Paypal redirect URL, which would make the bait appear even more legitimate than it already does.
Nonetheless, I recommend sending this to your employees, friends and family. You're welcome to copy/paste/edit:
"Bad guys are sending people phishing emails to take over their PayPal accounts. Once they have control, they send people bogus money requests through PayPal. To make things worse, they include a personal message with a link that leads to a Trojan that could steal your banking information. So, remember to always Think Before You Click, even if the email gives every appearance of coming from a legitimate, trusted source."
| The Wicked Way Ransomware Can Get You in Regulatory Hot Water
About a year ago I wrote here that there would be an increase in enforcement activity against organizations with allegedly defective cybersecurity practices that fail to protect consumer data against hackers.
My prediction was based on a federal appeals court decision upholding the Federal Trade Commission's authority to pursue regulatory enforcement action against a victim of a major cyber-attack. I was not the only one who saw that one coming, and Douglas Brent at Stoll Keenon Ogden wrote: "Fast forward to July 2016, when an alarming enforcement threat was included in guidance from the Health & Human Services' Office for Civil Rights, which enforces the HIPAA Security rule." You can bet your boots that the regulators behind PCI DSS, GLBA, FFIEC guidance and other regimes will follow soon, so consider this advance warning.
Here is the upshot. Even if you have already encrypted your data, a ransomware infection may still be treated as a breach. How's that? After all, when it comes to protecting personal information, encryption is supposed to be your safe harbor, right?
Not necessarily. So how is it a breach?
HHS/OCR says whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination, noting a breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted which . . . compromises the security or privacy of the PHI.”
The guidance says OCR will presume a breach of PHI, unless the covered entity can demonstrate a low probability that the PHI has been compromised, because the action of the ransomware itself is an unauthorized "possession or control" of the information and is thus a "disclosure" not permitted under the HIPAA Privacy Rule.
Brent suggests: "If you are not yet a ransomware victim, make sure your encryption practices related to PHI will assure a low probability of “compromise” in the event of unwelcome encryption by criminals. Unless you are intimately familiar with encryption standards for data at rest, you may need assistance from your IT expert and your lawyer.
"And, if attacked by a ransomware-wielding criminal, engage counsel immediately because your thorough, good faith and reasonable forensic examination ought to be done by IT experts working with your counsel and protected by attorney client privilege.
"If your experts determine there has not been a reportable breach, you may have to justify that determination to regulators at HHS/OCR. This could be especially true if the attack on your business has drawn media attention."
Here Are 8 Things to Prevent Ransomware Infections (apart from having weapons-grade backup)
- From here on out with any ransomware infection, wipe the machine and re-image from bare metal.
- If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it's tuned correctly.
- Make sure your endpoints are patched religiously, both the OS and third-party apps.
- Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers.
- Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA).
- Review your internal security policies and procedures, specifically related to financial transactions to prevent CEO Fraud.
- Check your firewall configuration and make sure outbound traffic is restricted, so that malware on an infected machine cannot reach its command-and-control servers.
- Deploy new-school security awareness training, which includes social engineering via multiple channels, not just email.
Since phishing is the #1 ransomware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must.
KnowBe4's integrated training and phishing platform allows you to send simulated phishing emails with Word Doc attachments that contain macros, so you can see which users open the attachment and then enable macros, the sequence that in a real attack would result in a ransomware infection.
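The macro-attachment path above is also what the Secure Email Gateway item in the list is meant to cut off. As an added example (my code, not KnowBe4's platform or any gateway product's logic), here is the check a gateway applies to an attachment before it reaches a user: block Office files that carry a VBA project, keying on the `vbaProject.bin` stream inside the OOXML ZIP rather than on the file extension, so a `.docm` renamed to `.docx` is still caught. The containers are constructed in memory and are not real Word documents; legacy binary `.doc` files are only flagged for review because deciding about them needs an OLE parser that this example does not include.

```python
"""
Gateway-style attachment check: flag Office attachments carrying a VBA macro
project, regardless of extension. Uses constructed containers only; runs offline.
"""
import io
import os
import zipfile

# Extensions Office itself uses for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Magic bytes of the legacy OLE2 (Compound File) format used by .doc/.xls/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_ooxml(with_macro):
    """Construct a minimal OOXML-style ZIP for the demo; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # In a real file this part holds the OLE-packed VBA project;
            # its content is irrelevant for the presence check below.
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in MACRO_EXTENSIONS:
        return "block", f"macro-enabled Office extension {ext}"
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats can embed VBA; deciding requires parsing the OLE
        # directory (e.g. with oletools), which this example does not do.
        return "review", "legacy OLE2 Office file; inspect for VBA streams"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "review", "ZIP signature but archive is unreadable"
        # word/, xl/ and ppt/ packages all store macros as <dir>/vbaProject.bin.
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            return "block", f"VBA project stream {vba[0]} present (extension {ext or 'none'})"
        return "allow", "OOXML container without a VBA project"
    return "allow", "not an Office container"


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_ooxml(True)),
        ("invoice.docx", build_ooxml(True)),   # macro document renamed to look harmless
        ("invoice.docx", build_ooxml(False)),
        ("old-report.doc", OLE2_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(f"{name:16} -> {classify_attachment(name, blob)}")
```

The "review" verdict is deliberate: a gateway that can only say allow or block ends up either passing every legacy `.doc` or generating the help desk load discussed earlier, so undecidable cases go to a sandbox or analyst queue instead.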
See it for yourself and get a live, one-on-one demo.
| Warm Regards,