Security Bulletin December 2017

Contents
1 Only 12% of Organisations are Likely to Detect a Sophisticated Cyber Attack
2 New “Quad9” DNS Service Blocks Malicious Domains for Everyone
3 Uber Suffered Massive Data Breach, Paid Hackers to Keep Quiet About it
4 Google knows where Android users are even if they disable location services
5 Fake Online Stores, Your Computer/Mobile Device, Your Credit Card

December 2017
1 Only 12% of Organisations are Likely to Detect a Sophisticated Cyber Attack

Organisations believe that today’s cyber threat landscape places them at high risk of cyber attacks. An EY survey of nearly 1,200 C-level leaders of the world’s largest and most recognized organisations examined some of the most urgent concerns about cybersecurity and their efforts to manage them. Findings show that 56% of those surveyed are making or planning to make changes to their strategies and plans due to the increased impact of cyber threats, risks and vulnerabilities. The rapid acceleration of connectivity within their global organisations – fueled by the growth of Internet of Things (IoT) – has introduced new vulnerabilities for increasingly sophisticated cyber attackers to exploit. The report reveals that common attacks – cyber attacks carried out by unsophisticated, individual attackers – successfully exploited vulnerabilities that organisations were aware of, which indicates a lack of rigor in implementing standard security procedures.
Figure 1 – Quote from Paul van Kessel, EY Global Advisory Cybersecurity Leader.
Figure 2 – Key findings in the EY survey
Three Key Considerations

Prioritizing the crown jewels – in any organization, certain assets, including people, are particularly valuable and must be identified and then protected especially well.

Defining normal – it is important for organisations to understand how their networks normally operate. Cybersecurity analytics tools use machine learning to define the “normal” and artificial intelligence to recognize potential malicious activity more quickly and accurately.

Advanced threat intelligence – by working closely with threat intelligence providers and having access to analyst capability, it is possible for organisations to build a much clearer picture of the threat landscape – including the identities of C-level executives.
1 Only 12% of Organisations are Likely to Detect a Sophisticated Cyber Attack (Cont.)

Findings reveal that most organisations continue to increase their spending on cybersecurity, with more than 90% of respondents saying they expect higher budgets this year. With mounting cyber threats demanding a more robust response, 87% say that they require up to 50% more funding. Malware (64% compared to 52% in 2016) and phishing (64% compared to 51% last year) are perceived as the threats that have most increased organisations’ risk exposure in the last 12 months. Careless or unaware employees are seen as the most significant increasing vulnerability to organisations’ security (60% compared to 55% in 2016).
Figure 3 – Threat Trends for 2017 as reported in the EY survey
The report highlights that organisations with good governance processes underlying their operational approach are able to practice security-by-design – building systems and processes that can respond to unexpected risks and emerging dangers. The findings also show, however, that there is a long way to go before this becomes standard practice. While 50% say that they report to the board regularly, only 24% say the person with responsibility for cybersecurity sits on their board, and just 17% say boards have sufficient knowledge of information security to fully evaluate the effectiveness of preventive measures.
For more information please visit https://www.krackattacks.com/
Free Security Scan

Your corporate network offers access to valuable and sensitive information, information that must never fall into the wrong hands. Can you be sure there aren’t any hidden “surprises” threatening your most precious data assets? No stealthy malware, back doors, data leaks or other security vulnerabilities? Don’t be caught unprepared. Uncover potential risks on your enterprise network. Email us for information or fill in the form via the link below to get in contact.

https://liquidit.nz/cyber-security/free-security-scan/
2 New “Quad9” DNS Service Blocks Malicious Domains for Everyone

Setting your DNS server to 9.9.9.9 will now cause known malware and phishes to have no ability to phone home. (Note: if you are not the administrator of your network, please do not attempt this before seeking advice.) The Global Cyber Alliance (GCA) - an organization founded by law enforcement and research organisations to help reduce cyber-crime - has partnered with IBM and Packet Clearing House to launch a free public Domain Name Service system. This system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts, primarily targeted at organisations that don't run their own DNS blacklisting and whitelisting services. Called Quad9 (after the 9.9.9.9 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google's 8.8.8.8 DNS), except that it won't return name resolutions for sites that are identified via threat feeds the service aggregates daily.
Figure 4 – Quote from Phil Rettinger, GCA's president and chief operating officer
There's also a "gold list" for domains that should never be blocked, such as major Internet service sites like Microsoft's Azure cloud, Google, and Amazon Web Services. They do realize that docs.google.com is hosting phishing attacks, but because this is DNS filtering they cannot block that URL specifically, and they don't ever want to completely block Google. If a domain name is in the block list, the service simply responds to the query with an "NXDOMAIN" (non-existent domain) message, so lookups for those domains fail. Since the threat feeds will be updated once or twice a day globally, Quad9 will likely not have much of an impact on malware that uses rapidly shifting DNS addresses for command and control. But it does offer a basic level of protection against domain-spoofing phishing attacks and other Web-based attacks that have been picked up by major threat feeds. And organisations can fairly easily identify systems in their own networks that may have malware or might have been targeted for phishing attacks by logging the NXDOMAIN responses that come back from Quad9.
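As an added example (not code from the bulletin, GCA or Quad9), the script below shows the NXDOMAIN-logging idea in practice. It assumes an internal resolver that forwards to 9.9.9.9 and writes one line per answered query in a constructed format of timestamp, client IP, query name and response code; it then flags clients whose NXDOMAIN count and NXDOMAIN share are both high, so that a single mistyped hostname does not raise an alert on its own.

```python
"""Flag internal hosts that repeatedly receive NXDOMAIN answers.

Added example, not code from the bulletin, GCA or Quad9. It assumes an
internal resolver that forwards to 9.9.9.9 and logs one line per answered
query in this constructed format:

    <timestamp> <client IP> <query name> <response code>
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ClientStats:
    total: int = 0                               # all answered queries from this client
    nxdomain: int = 0                            # answers whose rcode was NXDOMAIN
    nx_names: set = field(default_factory=set)   # distinct names that came back NXDOMAIN


# Constructed sample log lines (not real traffic); the *.invalid names stand
# in for domains that the upstream resolver refused to resolve.
SAMPLE_LOG = """\
2017-12-04T09:00:01 10.1.2.15 www.example.com NOERROR
2017-12-04T09:00:02 10.1.2.15 cdn.example.net NOERROR
2017-12-04T09:00:05 10.1.2.40 update.example.org NOERROR
2017-12-04T09:00:07 10.1.2.40 c2-placeholder-1.invalid NXDOMAIN
2017-12-04T09:00:09 10.1.2.40 c2-placeholder-2.invalid NXDOMAIN
2017-12-04T09:00:11 10.1.2.40 c2-placeholder-3.invalid NXDOMAIN
2017-12-04T09:00:12 10.1.2.40 www.example.com NOERROR
2017-12-04T09:00:15 10.1.2.77 wwww.example.com NXDOMAIN
2017-12-04T09:00:20 10.1.2.77 www.example.com NOERROR
"""


def parse_line(line):
    """Return (client, qname, rcode) or None for a blank or malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _timestamp, client, qname, rcode = parts
    return client, qname.lower().rstrip("."), rcode.upper()


def summarise(log_text):
    """Aggregate per-client query totals and NXDOMAIN counts from the log text."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        client, qname, rcode = record
        entry = stats[client]
        entry.total += 1
        if rcode == "NXDOMAIN":
            entry.nxdomain += 1
            entry.nx_names.add(qname)
    return dict(stats)


def flag_clients(stats, min_nxdomain=3, min_ratio=0.5):
    """Return clients with at least min_nxdomain failures that also make up
    min_ratio of their queries. Both thresholds are assumed starting values:
    a typo'd hostname yields NXDOMAIN too, so one hit alone is not a signal."""
    flagged = []
    for client, entry in sorted(stats.items()):
        if entry.total == 0:
            continue
        if entry.nxdomain >= min_nxdomain and entry.nxdomain / entry.total >= min_ratio:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for client in flag_clients(stats):
        entry = stats[client]
        print(f"{client}: {entry.nxdomain}/{entry.total} NXDOMAIN, "
              f"names={sorted(entry.nx_names)}")
```

The output is a list of hosts to investigate, not a verdict: a resolver cannot tell a Quad9 block from a genuinely non-existent name, so the flagged client's failed names should be checked against the threat feeds or a second resolver before anything is acted on.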
Setting up Quad9 requires just a simple configuration change. Most organizations or home users can update in minutes. Here’s who benefits from Quad9:

Who Uses Quad9?
• Individuals
• Business Users
• Threat Intelligence Providers
• Appliance Manufacturers

https://www.globalcyberalliance.org/about.html#mission
3 Uber suffered massive data breach, paid hackers to keep quiet about it

Uber suffered a breach in October 2016, which resulted in the compromise of sensitive information of some 57 million users and drivers, and paid off the hackers to keep quiet about it. According to a statement by current Uber CEO Dara Khosrowshahi, the stolen data included names, email addresses and mobile phone numbers of users and drivers around the world, as well as driver’s license numbers of around 600,000 drivers. The company paid the two hackers $100,000 to destroy the stolen data and to keep quiet about the hack.
Figure 5 – Uber has promised to change the way they do business.
Given that the hack is only now coming to light, it seems that they have kept that part of their bargain, but there’s effectively no way to prove that they’ve actually deleted the data. They could be keeping it to repeat their ransom request at a later date, or they might already have quietly sold it or used it. Allegedly, Uber’s Chief Security Officer Joe Sullivan and his top aide were the ones who decided to pay off the hackers, and Travis Kalanick, Uber’s co-founder and CEO at the time, found out about the hack in November 2016, a month after it took place. The attackers accessed an insecure private GitHub repository used by Uber software engineers, scoured the code for sensitive info, found login credentials, and used them to access data stored on a company Amazon Web Services account.
Figure 6 – Quote from Zohar Alon, co-founder and CEO, Dome9
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

In January 2016, the New York attorney general fined Uber $20,000 for failing to promptly disclose an earlier data breach in 2014. After last year’s cyberattack (2016), the company was negotiating with the Federal Trade Commission on a privacy settlement even as it haggled with the hackers on containing the breach. The company finally agreed to the FTC settlement three months ago, without admitting wrongdoing and before telling the agency about last year’s attack.

Hackers have successfully infiltrated numerous companies in recent years. The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc. What’s more alarming are the extreme measures Uber took to hide the attack.
4 Google knows where Android users are even if they disable location services

As it turns out, turning off location services on Android devices does not mean that Google can’t pinpoint your location. This was according to a recent Quartz report that stated that, since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers and sending that data back to Google. This happened even if the user had turned off location services, didn’t use any (Google) apps, and hadn’t even inserted a carrier SIM card.
Figure 7 – Google quietly acquired Android in 2005 for an undisclosed price which has been estimated at $50 million.

The revelation has been confirmed by Google, whose spokesperson noted that the collection began in January 2017, because the company “began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery.” Users who turn off location services do so with the obvious expectation that no entity – apart, perhaps, from law enforcement agents wielding Stingrays or mobile carriers who own cellular towers – is able to track their movements throughout the day. Whether the collected data was ultimately used or not, the point is that users weren’t told about it – it is not mentioned in the section of Google’s privacy policy that covers location sharing. A source told Quartz that the cell tower addresses were being sent by the Firebase Cloud Messaging service, which runs on Android phones by default and can’t be disabled by end users. Whether you believe Google when they say they didn’t use the Cell ID data to track you or not, it’s obvious that Google aims to know where all Android users are all the time. The reason is not nefarious: it wants to be able to highly target the ads it delivers.
Google wants to know you

Android is a Google OS. Google has access to every part of the device down to the last sensor. “To better serve its customers”, Google collects, transmits, stores and processes overwhelming amounts of data including personal and sensitive information.

"We know where you are. We know where you've been. We can more or less know what you're thinking about."
Eric Schmidt, former CEO of Google
5 Fake Online Stores, Your Computer/Mobile Device, Your Credit Card

The holiday season is nearing for many of us, and soon millions of people around the world will be looking to buy the perfect gifts. Many of us will choose to shop online in search of great deals and to avoid long lines and impatient crowds. Unfortunately, this is also the time of year many cyber criminals create fake shopping websites to scam and steal from others. Below, we explain the risks of shopping online and how to get that amazing deal safely. While many online stores are legitimate, there are some fake websites set up by cyber criminals. Criminals create these fake websites by replicating the look of real sites or using the names of well-known stores or brands. They then use these fraudulent websites to prey on people who are looking for the best deal possible. When you search online for the absolute lowest prices, you may find yourself directed to one of these fake websites. When selecting a website to make a purchase, be wary of websites advertising prices dramatically cheaper than anywhere else or offering products that are sold out nationwide. The reason their products are so cheap or available is because what you will receive is not legitimate, may be counterfeit or stolen, or may never even be delivered. Protect yourself by doing the following:
• When possible, purchase from websites that you already know, trust, and have done business with previously.
• Verify the website has a legitimate mailing address and a phone number for sales or support-related questions.
• If the site looks suspicious, call and speak to a human. If you can’t get a hold of someone to talk to, that is the first big sign you are dealing with a fake website.
• Look for obvious warning signs, like deals that are obviously too good to be true or poor grammar and spelling.
Figure 8 – Always remain cautious when shopping online.
5 Fake Online Stores, Your Computer/Mobile Device, Your Credit Card (Cont.)

Be very suspicious if a website appears to be an exact replica of a well-known website you have used in the past, but its domain name or the name of the store is slightly different. For example, you may be used to shopping online at Amazon, whose website is https://www.amazon.com. But be very suspicious if you find yourself at websites pretending to be Amazon, such as http://store-amazoncom.com. Before purchasing any items, make sure your connection to the website is encrypted. Most browsers show a connection is encrypted by having a lock and/or the letters HTTPS in green right before the website’s name. If you have children in your house, consider having two devices, one for your kids and one for the adults. Kids are curious and interactive with technology; as a result, they are more likely to infect their own device. By using a separate computer or tablet just for online transactions, such as online banking and shopping, you reduce the chance of becoming infected. Regularly review your credit card statements to identify suspicious charges, especially after you used your cards to make many online purchases or used a new site. Some credit card providers give you the option of notifying you by email or text messages every time a charge is made to your card or when charges exceed a set amount. If you believe fraud has been committed, call your credit card company right away. This is also why you want to use credit cards for all online purchases and avoid using debit cards whenever possible. Debit cards take money directly from your bank account, so if fraud has been committed, it can be far more difficult to get your money back. Finally, consider using credit cards that generate a unique card number for every online purchase, gift cards, or well-known payment services, such as PayPal, which do not require you to disclose your card number to the vendor.
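As an added example (not code from the bulletin), the Python below automates two of the checks described above for a shopping URL: whether the connection is HTTPS, and whether the hostname carries a well-known store's name under a different registered domain, as http://store-amazoncom.com does. It assumes a short constructed list of known store domains and treats the last two host labels as the registrable domain, a simplification that real tooling replaces with the Public Suffix List.

```python
"""Heuristic checks for a shopping URL: HTTPS present, and no brand-name lookalike.

Added example, not code from the bulletin. The store list and the
two-label notion of "registrable domain" are simplifying assumptions.
"""
from urllib.parse import urlsplit

# Constructed list of brand keyword -> the domain that legitimately owns it.
KNOWN_STORES = {
    "amazon": "amazon.com",
    "ebay": "ebay.com",
}


def registrable_domain(host):
    """Last two labels of the hostname (assumption: no multi-label public suffixes)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Return the brand a hostname imitates, or None.

    A hostname imitates a brand when the brand keyword appears anywhere in
    the host (dots and hyphens removed, so 'store-amazoncom.com' still
    matches) while the registrable domain is not the brand's real domain.
    """
    host = host.lower()
    flattened = host.replace("-", "").replace(".", "")
    owner = registrable_domain(host)
    for brand, real_domain in KNOWN_STORES.items():
        if brand in flattened and owner != real_domain:
            return brand
    return None


def assess(url):
    """Return a list of findings for the URL; an empty list means both checks passed."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("no-https")
    host = parts.hostname or ""
    brand = lookalike_brand(host)
    if brand is not None:
        findings.append(f"lookalike:{brand}")
    return findings


if __name__ == "__main__":
    for candidate in ("https://www.amazon.com/", "http://store-amazoncom.com/deal",
                      "https://amazon.com.checkout.invalid/pay"):
        print(candidate, "->", assess(candidate) or ["ok"])
```

The keyword match is deliberately loose: it will also flag a legitimate unrelated site whose name happens to contain a brand string, which is the right trade-off for a pre-purchase warning, and it says nothing about sites that imitate a store's look without using its name, so it complements rather than replaces the other checks in the list above.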
All of our IT services are delivered from a security-led perspective.
We see IT differently. Fluid not stuck. Future not legacy. Personal not corporate.
Liquid IT | Floor 4, 56 Victoria St, Wellington 6011, PO Box 9410
www.liquidit.nz
All of Government
Security and Related Services
Exciting news for Liquid IT as we have now been formally welcomed on to the new Security and Related Services Panel by the Department of Internal Affairs (DIA). This is the first step in our journey towards greater representation on government panels as we continue to grow our Connectivity and Security managed services capability.
Visit us at our new premises in Wellington and Auckland and speak to our team of 30 quality Security, Connectivity and Workspace Architects, Consultants and Engineers. We are available to deliver you a more kiwi approach to IT by delivering world leading solutions on time and on budget.